See the README: Provision the SW TPM 2.0 with EK certificates
ok, will check the EK certificate, thanks!
I know the RSA EK certificate problem; however, I use the template you provided and still cannot enroll. Note: this is the SWTPM environment registered to its own server.
TPM2_NV_ReadPublic 01 c0 00 02 is trying to read the RSA EK certificate from the TPM. My guess is that you didn't provision that TPM with an EK certificate.
Hello Ken, I have a problem with an enroll error: it cannot send the enrollment command to the server. Could you help look at the case? Thanks!
The server processes requests serially - one at a time. However, each step of a multi-step transaction uses a new connection, so client requests can interleave.
That should be OK. I include Infineon CA certificates.
I send clientenroll.log and serverenroll.log to you
I will try to look at the EK CA root certificates problem. In addition, do two machines need to run the server at the same time?
I don't think it's a TPM version issue. The server is trying to read a list of EK CA root certificates and fails. I think there is something wrong with the file. Maybe it's empty.
The hardware type I use is an OPTIGA SLB9670 TPM 2.0.
Hello Ken, I have sent an email to you with the server log and client log. I think this is a version problem. Have you run into any related problems with TPM hardware communicating with a SW TPM? Best regards, Davis Chen
There's something odd in the trace. " getcastore: error opening ca root certificate file" should print the file name. What is the root CA file name? Are the contents a full pathname of CA certificates? Is -root specified correctly? This is a server side error. It needs the EK CA certificates to walk the EK certificate chain. If this doesn't help, email me the server log using -v or even -vv.
Hi kagoldman, I have tried the ACS on an embedded system, and always found the error below. I don't understand why the error exists. Could you help me to fix the issue?
error: mysql_query: mysql_query failed
process enroll request: new host is not in db (error is expected)
validateekcertificate: build the ek certificate root certificate store
getcastore: error opening ca root certificate file
getcastore: check the fully rooted path.
Best regards, Davis Chen
Hi kagoldman, I have tried for 2 weeks with the ACS, and always found the error below. I don't understand why the error exists. Could you help me to fix the issue?
error: mysql_query: mysql_query failed
process enroll request: new host is not in db (error is expected)
validateekcertificate: build the ek certificate root certificate store
getcastore: error opening ca root certificate file
getcastore: check the fully rooted path.
Best regards, Davis Chen
If the ACS project is not in the same directory as the TSS and utilities. libibmtss.so, libibmtssutils.so and possibly libibmtssutils12 have to be in the library path. Revision 1658 This revision was driven by the UEFI parser. The client sends EV_NO_ACTION events, since they can affect PCR 0. The server similarly processes EV_NO_ACTION events. The server propagates the first informative event, since a future UEFI parser potentially needs the pre-OS event log version. Revision 1630 This revision improves...
Oh, thanks. I have never noticed this file before. The file does exist, and it works well.
There should be a second file called binary-runtime-measurements.
Hi Ken, If I want to use a hardware TPM 2.0, where should I get the 'imasig.log'? I notice the 'imasig.log' is a binary file, but the '/sys/kernel/security/ima/ascii_runtime_measurements' generated by IMA is plaintext, and it seems it can't be parsed by the server. How can I get the test 'imasig.log' from my machine? Regards, Hamming
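The difference between the two IMA files discussed above is only the encoding: binary_runtime_measurements is the same measurement list in the kernel's binary layout. The following added example (not code from the IBM ACS project) parses that binary layout for the ima-ng/ima-sig templates, renders each entry as ascii_runtime_measurements would, verifies each template digest, and replays PCR 10 from the log. It assumes a little-endian host and SHA-1 template digests, and builds its own constructed sample log rather than reading a real one.

```python
import hashlib
import struct

# Assumptions: little-endian host byte order ("<") and 20-byte SHA-1 template digests.
# The legacy "ima" template uses a different layout and is rejected here.
def _read_field(buf, off):
    """Read one u32-length-prefixed field at off; return (bytes, new offset)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated IMA log field")
    return buf[off:off + n], off + n

def _pack_field(data):
    return struct.pack("<I", len(data)) + data

def template_digest(template_data):
    """For ima-ng/ima-sig the kernel hashes each field with its u32 length prefix,
    which is exactly the template data as it is written to the binary log."""
    return hashlib.sha1(template_data).digest()

def build_entry(pcr, algo, filehash, path, sig):
    """Constructed ima-sig entry in binary_runtime_measurements layout (test data only)."""
    d_ng = algo.encode() + b":\x00" + filehash   # d-ng: "<algo>:" NUL-terminated, then digest
    n_ng = path.encode() + b"\x00"               # n-ng: NUL-terminated path
    tdata = b"".join(_pack_field(f) for f in (d_ng, n_ng, sig))
    return (struct.pack("<I", pcr) + template_digest(tdata)
            + _pack_field(b"ima-sig") + _pack_field(tdata))

def parse_log(blob):
    """Return [(pcr, template_digest, template_name, fields)], checking each digest."""
    entries, off = [], 0
    while off < len(blob):
        (pcr,) = struct.unpack_from("<I", blob, off)
        tdigest, off = blob[off + 4:off + 24], off + 24
        name, off = _read_field(blob, off)
        if name == b"ima":
            raise ValueError("legacy 'ima' template not supported by this example")
        tdata, off = _read_field(blob, off)
        if template_digest(tdata) != tdigest:
            raise ValueError("template digest mismatch at entry %d" % len(entries))
        fields, o = [], 0
        while o < len(tdata):
            f, o = _read_field(tdata, o)
            fields.append(f)
        entries.append((pcr, tdigest, name.decode(), fields))
    return entries

def ascii_line(entry):
    """Render an ima-sig entry the way ascii_runtime_measurements shows it."""
    pcr, tdigest, name, (d_ng, n_ng, sig) = entry
    algo, _, h = d_ng.partition(b":\x00")
    path = n_ng.rstrip(b"\x00").decode()
    return "%d %s %s %s:%s %s %s" % (pcr, tdigest.hex(), name, algo.decode(), h.hex(), path, sig.hex())

def replay_pcr(entries, pcr=10):
    """Recompute the PCR from the log instead of trusting a client-supplied value."""
    value = bytes(20)
    for e in entries:
        if e[0] == pcr:
            value = hashlib.sha1(value + e[1]).digest()
    return value

# Constructed two-entry sample log; the signature bytes are placeholders, not a real IMA signature.
SAMPLE_LOG = (build_entry(10, "sha256", hashlib.sha256(b"boot_aggregate").digest(), "boot_aggregate", b"")
              + build_entry(10, "sha256", hashlib.sha256(b"#!/bin/sh\n").digest(), "/usr/bin/foo", bytes.fromhex("0302040506")))

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(ascii_line(e))
    print("replayed PCR 10:", replay_pcr(entries).hex())
```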
In general, yes, mutual authentication would be good. Of course, that moves the problem to enrolling TLS keys. The code already sends quotes to the server. If an attacker can intercept messages, it can do DoS attacks. However, it never gets client private keys. Usually, the client doesn't get its keys. They stay on the TPM. If the EK could sign, it could certify the AK. It could even be the AK. But the EK cannot sign. Thus, the activatecredential API.
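The reply above is the reason enrollment is a challenge-response: the EK can only decrypt, so the server seals a secret to the EK public key, bound to the AK's Name, and only a client that holds the EK private half (and the matching AK) can recover it. The added example below (not IBM ACS or TSS code) models that shape in plain Python with the 'cryptography' package; it uses an RSA-OAEP label as a stand-in for the Name binding, whereas the real TPM2_MakeCredential derives symmetric keys from a seed and the Name per the TPM spec.

```python
import hashlib
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed stand-in for the TPM: an RSA EK whose private half never leaves the "TPM".
def generate_ek():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def ak_name(ak_public_bytes):
    """A TPM key's Name is the hash of its public area; SHA-256 assumed here."""
    return hashlib.sha256(ak_public_bytes).digest()

def _oaep(label):
    # The OAEP label stands in for the Name binding of the real credential blob.
    return padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                        algorithm=hashes.SHA256(), label=label)

def make_credential(ek_public, ak_public_bytes):
    """Server side: seal a fresh secret to the EK, bound to the AK's Name.
    Only public-key operations are needed, so the server needs no TPM for this step."""
    secret = os.urandom(32)
    blob = ek_public.encrypt(secret, _oaep(ak_name(ak_public_bytes)))
    return secret, blob

def activate_credential(ek_private, ak_public_bytes, blob):
    """Client side: the TPM recovers the secret only with the EK private key and the same AK Name.
    Returning the secret to the server proves the EK and the AK live on the same TPM."""
    return ek_private.decrypt(blob, _oaep(ak_name(ak_public_bytes)))

def enroll_roundtrip(ek_private, ak_public_bytes):
    """Run both halves and report whether the client recovered the server's secret."""
    secret, blob = make_credential(ek_private.public_key(), ak_public_bytes)
    return activate_credential(ek_private, ak_public_bytes, blob) == secret

if __name__ == "__main__":
    ek = generate_ek()
    print("enrollment challenge answered:", enroll_roundtrip(ek, b"constructed AK public area"))
```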
Hi Ken, setup: client (with TPM) and server (no TPM). I understand the protocol implementation. I understand the make_credential and activate_credential. For this even the server needs to have the TPM to do the make_credential. Maybe use a s/w TPM for this to not redo the code. My requirements for now and the future are: 1. client auth. (server should be sure it is talking to the valid client) (current) 2. Send any TPM quotes from the client to server (future) I have the following questions wrt protocol:...
If the ACS project is not in the same directory as the TSS and utilities. libibmtss.so, libibmtssutils.so and possibly libibmtssutils12 have to be in the library path. Revision 1630 This revision improves the quote performance. It reconstructs the PCRs in the first pass from the event logs rather than using the client supplied values. This is enabled by a new IMA guarantee that the event append - extend is atomic even in a multithreaded case. Revision 1470 This revision has a few minor changes. Separates...
Correct. The epilogue in the documentation explains your observation.
Thanks for the answer. I understand, it makes sense. I have another question about the provisioning process. In the case where the communication is encrypted with client/server authentication, is it really necessary for the server to send the AK certificate to the client? I understood that this certificate can be useful if we have more than one verifier (send this certificate to other verifiers). But if you have only one verifier, what is the goal of this step? Thanks, Thomas
Regarding the communication: I think client authentication is the minimum requirement. Otherwise an attacker could send false attestations claiming to be another client. An encrypted channel is better, since PCR values could be considered privacy sensitive - revealing the software running on the client. I'm not qualified to decide between ssh and IPSec. My guess is that it's generally better to close the session at the end of each attestation. A verifier may be supporting 1000's of attestors, and...
Hi, I tested your sample Attestation Client Server, it works well!! Everything needed to deploy and understand it can be found in your documentation, thanks a lot!! Now I'm trying to write a production application based on your code. And I have some questions about the pieces of code to rewrite to match the TCG specifications as closely as possible. About server/client authentication and encrypted communication, do you think ssh tunneling is enough for authentication, or something "bigger" like VPN/IPSec...
If the ACS project is not in the same directory as the TSS and utilities. libibmtss.so, libibmtssutils.so and possibly libibmtssutils12 have to be in the library path. Revision 1470 This revision has a few minor changes. Separates the client code into two parts for ZPower VM support Increases the size of the DB column storing the IMA and BIOS raw event text. Adds support for client big endian event log at the client and server Changes the html header for certificates to Content-Type:text/plain since...
That's what I suspected. The ACS project includes a CA key and the README has instructions for creating a test EK certificate. See the section: SW TPM Provisioning -> Provision the SW TPM with EK certificates. You can, of course, use a different CA signing key. If so, you have to add it to the server trusted root CA list. For test, it's easier to use the test key that comes with the project. Bonus: Running the TSS regression test rolls the EPS, so you get a new EK and need a new EK certificate. Otherwise,...
I am using the IBM SW TPM. And I think I understand what I did wrong. I did not sign the EK certificate for my client with one of the root CAs.
Apologies for being unclear. At the moment the server and clients are on different Ubuntu VMs that can ping each other. It seems when I issue the clientenroll command from the client, the server does receive it but sends back an error response. The complete output on the client is as follows: ./clientenroll -alg ec -ho server -vv -ho 192.168.163.136 -co akeccert.pem TSS_Command_PreProcessor: Input parameters capability TPM_CAP_TPM_PROPERTIES property 00000105 propertyCount 1 TSS_Execute20: Command 0000017a...
client and clientenroll have been tested with both a fully qualified domain name and a dotted decimal IP address. What precisely does "I get no connection" mean? Does the client not parse the IP address, doesn't resolve a FQDN, etc. What does -vv show. Does "on different machines" mean that it works when the server is on the same machine? If so, my first guess would be that your server has a firewall and isn't permitting the client to connect. Check your firewall settings.
From the code comments: "verifyCertificate() verifies a certificate (typically an EK certificate) against the root CA certificate (typically the TPM vendor CA certificate chain)" My first guess is that the EK certificate for your client TPM has not been signed by one of the root CAs that you specified when you ran the server. Thus, the server does not trust the client TPM. Are you using a HW TPM? Which vendor? A SW TPM? What CA key did you use to create the EK certificate? Running the server with...
When my server and client are on different machines, I get no connection to the server. The -ho flag does not accept an IP address. Can you please help me understand how to correctly use this flag so that it points to the server?
Hi, I am trying to understand how clientenroll works. I have a server configured and running according to the readme. I send a clientenroll command from the same machine and get the following error: ERROR: SQ_FetchRow: returned no rows verifyCertificate: Error in X509_verify_cert verifying certificate INFO: JS_ObjectSerialize: { "error":"000b007a" } In the code the processEnrollRequest() function seems to merely read a row from the database, not create it. Where does the creation happen? Regards,...
I think the problem is that my server and client are on different machines. The -ho flag does not accept an IP address. Can you please help me understand how to correctly use this flag so that it points to the server?
Hi, I am trying to understand how clientenroll works. I have a server configured and running according to the readme. I send a clientenroll command from a different machine and get the following error: ERROR: SQ_FetchRow: returned no rows verifyCertificate: Error in X509_verify_cert verifying certificate INFO: JS_ObjectSerialize: { "error":"000b007a" } In the code the processEnrollRequest() function seems to merely read a row from the database, not create it. Where does the creation happen? Regards,...
Understood. Thanks a lot for taking out the time to answer.
The question about imakey.der seems to have disappeared. I'll answer anyway. At the server -imakey specifies the IMA keys that are used to verify the IMA file signatures. The one IBM ACS ships is a test key that goes with the test IMA log imasig.log. A real application would use one or more trusted keys. IMA is not IBM ACS specific. IMA is part of the Linux kernel security subsystem. It supports file signing and post-OS attestation. Whether the attestation protocol uses IMA is application specific....
Correct. I'll fix the README. Thanks.
Hey, I have a follow up question that is a bit related to this thread. I noticed that you have an imakey.der in the ACS directory but the readme makes no mention of whether it is possible to update it or not. Secondly, I am a bit confused as to whether IMA support is ibmacs-specific or is it needed in the attestation protocol under TSS? I ask because server expects a imacert, which makes me believe that the attestation protocol requires this, but I can't seem to find any reference to it in the TSS...
It is building fine now if I build for TPM2. I have not really tried doing it for tpm1/2 but I think if you left out the instructions of building ibmtssutils12 then ACS would fail to build because it needs those files. In any case, TPM2 support is what I was looking for and ACS is building fine now. Thanks a lot for your support.
Sorry once again. I'm in the process of updating the IMA support to handle custom templates and one line leaked out. Try the new one I just uploaded. I tested it on a new machine.
Hi, So I cleaned up everything and started over again. I compiled tss and utils12 for TPM1 and TPM2. I then tried to build acs as follows: make -f makefiletpmc /usr/bin/gcc -Wall -W -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -c -ggdb -O0 -DUNIX -DTPM_POSIX -I../utils -DTPM_TPM20 -I../utils12 -DUNIX -DTPM_POSIX -DTPM_TPM12 -DTPM_NV_DISK -DTPM_V12 -DTPM_AES -DTPM_TPM12 server.c server.c: In function ‘processImaEntryPass2’: server.c:4056:26: error: ‘IMA_FORMAT_IMA_SIG’ undeclared (first...
This is a mystery. Did you remove the old files before you untarred? Can you paste the commands that lead to this error - not just the error message. You may have guessed that libtssutils12 are helper functions for TPM 1.2. However, clientenroll is for TPM 2.0, and it should not depend on the TPM 1.2 functions. What I see is: clientenroll depends on LNLIBS LNLIBS needs LIBTSS and LIBTSSUTILS The other possibility is that you're trying to build for TPM 2.0 and TPM 1.2. I see that I left out the...
Thanks. But now I am getting the following error: /usr/bin/ld: cannot find -libmtssutils12 collect2: error: ld returned 1 exit status makefile-common:78: recipe for target 'clientenroll' failed make: *** [clientenroll] Error 1 In the make file I can see: LIBTSS = ibmtss LIBTSSUTILS = ibmtssutils LIBTSSUTILS12 = ibmtssutils12 I can find ibmtss folder in ../tpm2/utils but not the other two. Regards
Just uploaded. And I'm getting the email now!
If the ACS project is not in the same directory as the TSS and utilities. libibmtss.so, libibmtssutils.so and possibly libibmtssutils12 have to be in the library path. Revision 1362 This revision matches the newer IBM TSS releases, which renames the include directory and library at the request of a Linux distro. Minor changes: Changed over to the newer marshal functions that use unsigned sizes and the allowNull flag. client -bt generates a well formed date for the SQL insert Revision 1242 This is...
Ok thanks a lot. Waiting for the new version.
It looks like the ACS project was not updated since one of the Linux distros asked for some TSS directory name changes. I have an updated version here, so give me a day to retest it and I'll upload a version that should work with the latest TSS. Sorry for the confusion.
Hi, I am having trouble understanding the correct directory structure required to successfully build. I am trying to follow the following instructions from the readme: The makefiles and these instructions assume that the TSS is built in ../utils. If not, adjust accordingly. When the TSS is installed in /usr/lib as part of a distribution, this becomes unnecessary. 1 - If using a SW TPM https://sourceforge.net/projects/ibmswtpm2/ > cd .../tpm2/src > make 2 - TSS and utilities: creates libtss.so https://sourceforge.net/projects/ibmtpm20tss/...
If the ACS project is not in the same directory as the TSS and utilities. libibmtss.so has to be in the library path. Revision 1242 This is a significant update. The project supports TPM 1.2 in addition to TPM 2.0. The enrollment protocol does not issue the AK certificate until after the client has answered the server challenge. Previously, it returned it encrypted. The BIOS event log is not resent if the BIOS PCRs did not change. Removed json and php calls to deprecated functions. The server supports...
Hello, Thank you
Hello, I am trying to start the attestation client. I use the SW IBM TPM 2.0. I cannot run the client because I do not have the Attestation Keys: "akrsapub.bin" and "akrsapriv.bin". Should I use the IBM TPM 2.0 TSS utils to generate them, or can I generate them manually for testing with an openssl command? Thank you
Hello, I am trying to start the attestation client. I use the SW IBM TPM 2.0. I cannot run the client because I do not have the public/private x509 keys: "akrsapub.bin" and "akrsapriv.bin". In which format should I generate them - I tried with openssl req -new -x509 -key ak_priv.pem -out ak_pub.pem -days 1825 but it does not seem to work. Thank you
The intent is that the ACS project be in the same directory as the TSS and utilities....
I certainly agree. However, the larger issue is that I didn't make it clear what...
Different database support