Ken, I ran an automated test to perform 45,000 iterations of the following and it succeeded without issue.
1. TPM_GetRandom ()
2. TPM_SealCurrPCR ()
3. TPM_Unseal ()
4. Compare the plain text random data against the unsealed data.
Right now we can't replicate this issue in a development environment so I'm going to run some different tests, log more information in our release environment and try some of your other suggestions.
Ken, When I return next week, I'll set up a test to get a true failing percentage.
So 99% isn't really 99%? It's important to know the number - 1/256 is a pointer to the problem. Can you just run a loop in one failing platform like I did?
Ken and Stefan, I will look at the -v option or some other way to log more information so I can compare successful and unsuccessful operations. I don't know if we can get a true percentage of how often this is occurring. We have hundreds of engineers using our Windows 10 implementation on their target hardware and we'd need to set up some type of framework to record all operations. That's not a viable option at the moment. I don't have access to a Linux box but I can probably get a Windows environment...
That's a hint. Could you gather more statistics? Could it be working 99.6% of the time? A crypto operation that fails 1 in 256 times is often a bignum issue, where it fails when the upper byte is 0x00. I can run a createkey / loadkey / seal / unseal loop 1000s of times without error. That doesn't explain the ERR_BADRESPONSETAG, but it may provide a clue. As Stefan recommended, perhaps run your application on Linux with a SW TPM to see if it's the TPM, the library, or the application. And post the...
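The 1-in-256 pattern Ken describes, as an added illustration that is not from the thread or the libtpm sources: a minimal big-number encoding (the behaviour of OpenSSL's BN_bn2bin, which drops leading 0x00 bytes) is one byte short whenever the top byte is zero, so a consumer that expects a fixed-width field fails about 1/256 of the time, while a zero-padded encoding (the behaviour of BN_bn2binpad) never does. The 32-byte field width, the xorshift PRNG and the iteration count are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NBYTES 32   /* assumed fixed-width field size (e.g. a 256-bit value) */

/* Constructed: small xorshift64 PRNG so the run is deterministic and offline. */
static uint64_t rng_state = 1;
static uint8_t rng_byte(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return (uint8_t)(rng_state >> 24);
}

/* Minimal encoding, like BN_bn2bin(): leading 0x00 bytes are dropped.
   Returns the number of bytes written. */
static size_t encode_minimal(const uint8_t *in, uint8_t *out) {
    size_t skip = 0;
    while (skip < NBYTES - 1 && in[skip] == 0) skip++;
    memcpy(out, in + skip, NBYTES - skip);
    return NBYTES - skip;
}

/* Fixed-width encoding, like BN_bn2binpad(): always NBYTES, zero-padded on the left. */
static size_t encode_padded(const uint8_t *in, uint8_t *out) {
    memcpy(out, in, NBYTES);
    return NBYTES;
}

/* A consumer that insists on exactly NBYTES, as a fixed-size structure parser does.
   Returns 0 on success, -1 on a length mismatch. */
static int parse_fixed(const uint8_t *buf, size_t len) {
    (void)buf;
    return len == NBYTES ? 0 : -1;
}

/* Run `iters` encode/parse round-trips on random values with the given encoder,
   starting from `seed`, and return how many the fixed-width parser rejected. */
static unsigned count_failures(size_t (*enc)(const uint8_t *, uint8_t *),
                               unsigned iters, uint64_t seed) {
    unsigned failures = 0;
    rng_state = seed ? seed : 1;          /* xorshift must not start at zero */
    for (unsigned n = 0; n < iters; n++) {
        uint8_t value[NBYTES], wire[NBYTES];
        for (size_t i = 0; i < NBYTES; i++) value[i] = rng_byte();
        if (parse_fixed(wire, enc(value, wire)) != 0) failures++;
    }
    return failures;
}

int main(void) {
    /* Expect roughly 45000/256 (about 176) failures for the minimal encoding, 0 for padded. */
    printf("minimal: %u failures\n", count_failures(encode_minimal, 45000, 0x9E3779B97F4A7C15ULL));
    printf("padded:  %u failures\n", count_failures(encode_padded, 45000, 0x9E3779B97F4A7C15ULL));
    return 0;
}
```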
Do you have a script or program that triggers this issue? If so, could you run this program in a Linux environment that doesn't have the changes you have made to see whether it triggers the error there as well? Otherwise it may be helpful to crank up the logging on the client and server sides and see what's happening there. Is the connection maybe breaking when this happens? This is from tpmutil.c after TPM_Send around line 1181. This seems to be the only place where such an error tag may originate...
All commands are working and we've only encountered this issue with sealing maybe 4 or 5 times. 99% of the time, sealing works as expected. And we haven't encountered any other issues with other commands yet. Thanks Ken, I'll investigate the -v option. Correction: We have seen this same error with unsealing as well. I wasn't able to see a TPM log for an unsealing failure until now and it's also throwing ERR_BADRESPONSETAG. 99% of the time, both sealing and unsealing are working.
I think I understand the setup now. I forwarded the thread to someone who was more familiar with that piece of the code. Also: When you say "sometimes", do some commands work but the seal always fails, or does the seal sometimes succeed and sometimes fail? I recall that the utilities all have a -v option that traces the command and response packet. Assuming that works in your setup, can you trace a success and failure case? We can see what's different.
Ken, This is our environment:
1. Windows 10 IoT RS5 1809 running in an embedded environment.
2. Hardware TPM chip (SLB9670VQ1.2) with firmware 6.43.
3. Our custom TPM management code that leverages libtpm version 4769 (no TPM proxy), OpenSSL 1.0.2, Windows TBS service and the Windows TPM driver.
Our TPM management code uses the RNG, sealing and unsealing functionality of the TPM. We leverage libtpm and Windows TBS like so:
1. We initialize libtpm with TPM_LOWLEVEL_TRANSPORT_TCP_SOCKET (TPM_LowLevel_Transport_Init...
Can you describe your environment? You say 'TPM chip', but you're using a socket transport, which implies a SW TPM. Are you running a transport session? What command? Those utilities are quite old. If you're using Windows 10 to a HW TPM, there will be some porting of the device driver interface. It is likely that openssl 1.1.1 porting is needed. They were meant for experimenting, not product code. The code comments imply that some HW TPM had a quirk in Quote, but the code doesn't refer to Quote and...
Any ideas on why this occurs or how to resolve it? I've looked in tpmutil.c where this error is thrown but the comments only seem to indicate that it's a bad response from the TPM chip. "Bad tag in response message" is the string associated with this error. We're on Windows 10 using TPM 1.2 and using TPM_LOWLEVEL_TRANSPORT_TCP_SOCKET.
A few questions to start: Is WINPORTS the same as Atul Khare, or is this a new topic using an old thread? This thread was about openssl 1.1. Is that your issue? When you say "we do not know how to tar files", are you asking for tar instructions? What was the error? The name WINPORTS implies that you are using Windows. Is that correct? And for more specific items. You imply that there is a directory issue. What exactly is the issue? You imply that there is a build issue. However, you did not indicate...
Second screenshot
There are a lot of issues with this project. We have just downloaded tpm4769tar.gz and when trying to untar it, all files and folders appear at the same folder level. It seems we do not know how to tar files! After that, we ran: autogen script. Again, more unnecessary issues. Please, FIX these issues and upload a new release so we can test it again.
From the "Summary" page: "tpm4769 is the latest version, with TPM side support for OpenSSL 1.1." There are currently no plans to port the host side. The host side software is for education, prototyping, and the regression test. Use Trousers (the TSS) for applications.
Perhaps, the easiest recourse is to install OpenSSL 1.1.0c in another folder and compile against it. Since the .configure doesn't have an obvious option to specify alternative versions of OpenSSL, is the best method to edit the .Plo files that seem to point to the specific OpenSSL folder?
1) Ubuntu Bionic (18.04)
2) OpenSSL 1.1.0g 2 Nov 2017
3) The one generated by comp-unixio.sh
4) hmac.c: In function ‘TSS_rawhmac’:
5) hmac.c:384:13: error: storage size of ‘hmac’ isn’t known >HMAC_CTX hmac;
6) gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0
7) https://www.openssl.org/docs/man1.1.0/man3/HMAC_Init.html
The cause of the errors for #5 have already been documented in #7. Are there plans to support OpenSSL 1.1.x with the changes documented in the release notes? Note that it's mutually incompatible...
That version of the README is an svn tag for that one file. Tarball 4769 is the correct, latest TPM. It builds and runs with OpenSSL 1.1.0c, and probably any 1.1.x. A few questions: What OS? What version of OpenSSL? What makefile? What file is failing to compile? What is the failing compile command? What is the compiler error? And what release notes?
I downloaded tpm4769tar.gz (SHA1: ca99a3ccd3e41cdd9983086a9b944023b6049bbc), and per the release notes, it has support for OpenSSL 1.1. However:
1) The README indicates that it's still version 4760 $Id: README 4760 2015-12-25 16:14:13Z kgoldman $
2) The release doesn't compile with OpenSSL 1.1 (errors in hmac.c), etc.
Did I do something wrong or is the archive incorrect?
Yes, it is. We are considering Infineon and ST Electronics chips with I2C interface (Linux can handle it) that are announced to be compatible for embedded systems. Our platform has different needs than a PC or conventional server. For instance, there is no BIOS and physical presence is not suitable for us. About software, we plan to use existing API and/or utilities (Trousers). Our priority is to use the java API to let our software manage security right away. If this isn't possible for any reason,...
Is your "tpm chips in an embedded system" a standard commercial HW TPM? If so, it will usually be a PC Client TPM. Thus, that's the way you want to build the SW TPM. If you don't, you'll have to debug "it works with the SW TPM and fails when I use HW" errors. :-( The PCCLIENT macro is a marker for someone who might be using a different platform TPM (e.g., automotive, mobile phone). It tells the developer where to modify the code.
Thank you very much for your quick response. About the main specification, I plan to use tpm chips in an embedded system with I2C interface and the firmware version is 1.2 revision 116. AFAIK the main specification is the one compliant with this version. So I wanted to test my software with your software TPM using the main specification to avoid problems. If this is not needed at all, then I'll compile with the PC Client spec. Following your indication, I'll do so for the first tests on the development...
The code does implement the main specification. First point: Be aware that, if you don't compile it as a PC Client, you will get a SW TPM that does not correspond to a HW TPM that you will ever see in a computer. Is that what you want? Second point: You are correct that there is a bug for non PC Client builds. I added a test at startup - that the TPM state is using the same TPM build as when it was stored. Thus, TPM_PCCLIENT should be a #if boolean value, not a #ifdef yes/no. The changes I think...
Hello, I've compiled the tpm_server successfully trying several options out of the provided makefiles, but I can't compile without the TPM_PCCLIENT macro in order to obtain a binary compliant with the main specification. I've tried with the next CCFLAGS in the makefile:
CCFLAGS = -Wall -W -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -c -ggdb \
  -DTPM_NV_DISK -DTPM_V12 -O0 -DTPM_AES -DTPM_POSIX -DTPM_UNIX_DOMAIN_SOCKET -DTPM_PCCLIENT \
  -DTPM_ENABLE_ACTIVATE -DTPM_PP_CMD_ENABLE
This is the error...
Respected Ken Goldman, Sincere thanks for the reply. I will work as per your suggestions and let you know the progress. Thanks & Regards Harshad
The warnings are correct on your 32-bit machine. We can handle this one of two ways. You can modify the code to cast the parameter being printed to an unsigned long. If attachments work here, try this modified code. They're just debug trace statements, which do not affect the test utilities, and certainly don't affect the TPM itself.
Respected Madam / Sir, I am getting compilation errors while trying to build the tpm client. My system information:
model name : Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
MemTotal: 8164048 kB
OS : Ubuntu Linux administrator 3.13.0-108-generic #155-Ubuntu SMP Wed Jan 11 16:57:06 UTC 2017 i686 i686 i686 GNU/Linux
gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4)
The tar files are downloaded from https://sourceforge.net/projects/ibmswtpm/files/ The details given below : tpm4769tar.gz .libs/ima.o ima.c: In...
This project layers on top of mine. https://github.com/stefanberger/libtpms/tree/tpm2-preview.rev146
Dear Ken, I would like to compile the TPM emulator in Linux for character device usage, i.e., an entry to appear at /dev/tpmX. No matter what I try I cannot get this setup to work. Can you please let me know which configuration I should use during the build process for this? Thanks.
Does this really cause "Authentication fails" (the subject of the thread)? Or is this a new issue? Assuming it's a new issue, RSA_generate_key() is deprecated, meaning that it's not recommended for new code. However, it's acceptable for existing code. I think the fix is to either:
(1) use the supplied makefile, which does not have -Wdeprecated-declarations,
(2) accept the warning, or
(3) port to RSA_generate_key_ex().
I would use (1).
Hello again. The tpm ran successfully on my VM and I need to do the same process on a raspberry pi. However, when I run "make --file=makefile-ts" in the tpm folder it shows the following error:
tpm_crypto.c: In function ‘TPM_RSAGenerateKeyPair’:
tpm_crypto.c:362:9: warning: ‘RSA_generate_key’ is deprecated [-Wdeprecated-declarations]
rsa = RSA_generate_key(num_bits, e, NULL, NULL); /* freed @1 */
^~~
In file included from /usr/include/openssl/asn1.h:15:0, from /usr/include/openssl/rsa.h:16, from /usr/include/openssl/engine.h:24,...
1 - Please send me the complete sequence, starting with a new TPM (delete the old state). It's hard to guess at the problem from just one step.
2 - A guess is that you didn't supply the correct password for the parent of the key you're trying to create.
3 - Please email me a complete TPM trace. Generally, the TPM trace will explain the problem. kgoldman@us.ibm.cm
Hello Ken, I faced same issue where the ./createkey command returns: "Error Authentication failed (Incorrect Password) from TPM_CreateWrapKey" Is the sequence of the code right? Best regards,
The readSRKPub flag is for privacy, because reading a platform unique value can be a privacy concern. When TRUE, the SRK can be read using GetPubKey. That is, only the typically well known SRK auth is needed, so anyone can read it. When FALSE, the OwnerReadInternalPub command must be used, which requires ownerAuth. I think that the default state is TPM vendor specific. The state can be changed with SetCapability.
Hi Ken, I am getting the error: "Failed to Tspi_Key_GetPubKey" and error code: Invalid keyhandle. When I debugged, the tpm logs show:
TPM_Process_GetPubKey: Error, keyHandle is TPM_KH_SRK and readSRKPub is FALSE
This error is from file tpm_storage.c. What is "tpm_state->tpm_permanent_flags.readSRKPub"? How do I make it true? What is its significance? Any idea on why I am getting this error? Thanks, Syed Mahaboob
It's better to ask specific trousers questions on the trousers mailing list. Without taking ownership, there will not be an SRK. Does TspiPolicySetSecret() require an SRK? The SW TPM does extensive debug tracing. Search for the string Error. It should give clues.
Hi Ken, I am referring to http://ibmswtpm.sourceforge.net/tpm_tss.html for running tpm and trousers. The only difference is I am not executing ./tpm_takeownership on my Android board. The function TspiPolicySetSecret is failing. Is running ./tpm_takeownership mandatory? I am not setting any owner/srk password. Any idea on this? Thanks, Syed
Hi Ken, I have not modified any files, just updated (added -fPIE -pie) the LDFLAGS environment variable before doing ./configure. Steps are as follows:
export ARCH=arm64
export PATH=/home/syed/DAP/64bit/bin/:$PATH
export CROSS_COMPILE=/home/syed/DAP/64bit/bin/aarch64-linux-android-gcc
export CC="aarch64-linux-android-gcc"
export LD="aarch64-linux-android-ld"
export CFLAGS="-I/home/syed/Downloads/android_openssl/openssl-1.0.1f/include -g3 -O0"
export LDFLAGS="-g3 -O0 -L/home/syed/Downloads/android_openssl/openssl-1.0.1f...
Please tell me exactly which files you modified and how. I'll add them to the source and put a note on the wiki.
Hi Ken, IT'S WORKING NOW. I tried exactly that experiment on the weekend and found out that it's not just related to the tpmbios code; this problem occurs elsewhere. So I added the -fPIE -pie flags as the LDFLAGS and compiled for Android N, and it works. It's kind of weird but I think while cross-compiling for Android platforms >5.0, you must add these parameters. Thanks a lot for your help and time, much appreciated. It was nice interacting with you.
The experiments you did seem to say that use_transp is set up correctly. I'd still like to know whether the address of use_transp->open is the same as the address of TPM_OpenClientSocket. The ABCD experiment seems to say that the structure is set up correctly. However, the my_use says you can't call any function by pointer. Can you step through in a debugger and see if it crashes on the call to TPM_OpenClientSocket or within the function? Could you do a much simpler experiment, just a hello world...
Hi Ken, I checked the addresses by adding prints:
in tpm_util_sock.c == The address of socket_transport=0x5555599410
in tpmutil.c lowlevel_transport_set address new_tp=0x5555599410
IN TPM_SEND address of sockfd=0x7fcd83c9e8
IN TPM_SEND address of use_transp=0x5555599410
IN TPM_SEND address of use_transp->open=0x40f8fc
As you can see, it looks good till here. One observation is that when I try to call the open function, i.e. use_transp->open, it crashes, so I added a simple string in tpmutil_sock.c static struct...
You are in the right area. use_transp->open() should call TPM_OpenClientSocket. If it does not, I wonder if the structure tpm_transport is not getting initialized correctly. The .open member should be TPM_OpenClientSocket. Before the call, print the two pointers and see if they match. TPM_LowLevel_Transport_Init() should set up the structure. Perhaps trace it and see if it calls TPM_LowLevel_TransportSocket_Set or whether it expects some other interface.
Hi Ken Goldman, I tried debugging and adding prints to the tpmutil.c and tpmutil_sock.c files. I found that the segmentation fault occurs in the TPM_Send function when we call "rc =use_transp->open(&sock_fd);". This is somehow causing some issue because after this there are no further prints. I have added prints in tpmutil_sock.c at "static uint32_t TPM_OpenClientSocket(int *sock_fd)", but these prints are not printed. Hence when we execute "rc =use_transp->open(&sock_fd);" in tpmutil.c, it crashes....
Does the TPM side trace show anything interesting? Any initialization errors? Try running tpmbios -v. Does the verbose trace help. Can you bisect the problem - run the TPM on one platform and the tpmbios command on another? If the traces don't help, I think you'll have to step through in a debugger. This is old and well used code, so it's unlikely that there's a bug.
Hi, I have cross compiled the tpm code and libtpm to run on Android OS. I am able to run tpm_server on the board but when I tried running the tpmbios command, it fails, i.e. segmentation faults. The TPM_Startup is failing. LOGS:
tpmbios[2774]: unhandled level 1 translation fault (11) at 0x0040f7fc, esr 0x83000005
[ 5301.023572] pgd = ffffffc05468f000
[ 5301.025946] [0040f7fc] pgd=0000000000000000, pud=0000000000000000
Please help me with some suggestions. I want to run TPM using TCP/IP sockets
A few high level comments first: You don't encrypt with your private key. Someone...
Hello Ken, I am using TPM 1.2 - tpm4720 version, and would want to use the utilities...
I don't think the proxy has a setting for the TPM side. It connects to the Windows...
Hello, Please let me ask an additional question. On the linux environment, device setting...
Can you post the error message from the make?
Hello, again. I want to use tpm_proxy on windows10 but can't build it well because of an error...
Try the makefile.mak in the win7 directory.
Hello. I want to use tpm_proxy on windows. But I can't build it well. (I can build...
Hello. I appreciate your advice. I can execute the test suite on the HW TPM in both environments....
There are two possibilities: Recompile. See the README, around this line: comp-chardev.sh...
Hello. I want to use this test suite with Hardware TPM like below. test suite <---...
Hi All, I've gotten the software TPM up and running as a UNIX socket and I've created...