From: Mudassar A. <mud...@ho...> - 2011-03-11 11:22:49
Hi again,

I am running the following code (the same as in jTpmTools) to take ownership but get "TPM ownership command is disabled". I have checked all Windows group policies to make sure that the takeownership command is allowed. Still unable to set the SRK to the WELL KNOWN SECRET.

Note: I am not using jTpmTools because I could not run it even after placing all jars in the ext_lib folder (which is another issue).

Regards.
Mudassar.

package test;

import iaik.tc.tss.api.constants.tpm.TcTpmErrors;
import iaik.tc.tss.api.constants.tsp.TcTssConstants;
import iaik.tc.tss.api.exceptions.common.TcTssException;
import iaik.tc.tss.api.exceptions.tcs.TcTpmException;
import iaik.tc.tss.api.structs.common.TcBlobData;
import iaik.tc.tss.api.tspi.TcIContext;
import iaik.tc.tss.api.tspi.TcIPolicy;
import iaik.tc.tss.api.tspi.TcIRsaKey;
import iaik.tc.tss.api.tspi.TcITpm;
import iaik.tc.tss.api.tspi.TcTssContextFactory;
import iaik.tc.utils.misc.Utils;

public class MainTakeOwnership {

    public static void main(String[] args) {
        try {
            TcIContext context_ = new TcTssContextFactory().newContextObject();
            context_.connect();

            TcITpm tpm = context_.getTpmObject();

            // Owner secret: assigned to the TPM object via a usage policy
            TcIPolicy tpmPolicy = context_.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
            TcBlobData ownerSecret = TcBlobData.newString("ownersecret");
            tpmPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, ownerSecret);
            tpmPolicy.assignToObject(tpm);

            // SRK object; authorisation is required for its use
            TcIRsaKey srk = context_.createRsaKeyObject(TcTssConstants.TSS_KEY_TSP_SRK);
            srk.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
                    TcTssConstants.TSS_TSPATTRIB_KEYINFO_AUTHDATAUSAGE,
                    Utils.booleanToByte(true));

            // SRK secret: the well-known secret (20 zero bytes), given as SHA1-mode secret
            TcIPolicy srkPolicy = context_.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
            TcBlobData srkSecret = TcBlobData.newByteArray(TcTssConstants.TSS_WELL_KNOWN_SECRET);
            srkPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_SHA1, srkSecret);
            srkPolicy.assignToObject(srk);

            tpm.takeOwnership(srk, null);

        } catch (TcTpmException e) {
            if (e.getErrCode() == TcTpmErrors.TPM_E_OWNER_SET) {
                // this will happen in most cases
                System.out.println("TPM ownership already taken");
            } else if (e.getErrCode() == TcTpmErrors.TPM_E_DISABLED_CMD) {
                // this will happen in some cases
                System.out.println("TPM ownership command is disabled");
            } else if (e.getErrCode() == TcTpmErrors.TPM_E_DISABLED) {
                // this will happen in some cases
                System.out.println("TPM is disabled");
            } else {
                e.printStackTrace();
                System.out.println("takeOwnership failed");
            }
        } catch (TcTssException e) {
            e.printStackTrace();
            System.out.println("takeOwnership failed");
        }
    }
}

-----Original Message-----
From: Mudassar Aslam
Sent: Wednesday, March 09, 2011 12:39 PM
To: tru...@li...
Subject: How to set SRK secret to TSS_WELL_KNOWN_SECRET

Hi

I have initialized my TPM using the tpm.msc utility in Windows 7. It allowed me to set an owner password. But I could not find any way to create/set the SRK. I tried to execute the take ownership code but it says "TPM ownership command is disabled". I have tried to list TPM keys using

context_.getRegisteredKeysByUuid(null, TcTssConstants.TSS_PS_TYPE_SYSTEM);

but I get null since the SRK is not registered. How can I set the SRK to TSS_WELL_KNOWN_SECRET?

Regards.
Mudassar.
From: Ronald T. <ron...@ia...> - 2011-03-11 14:56:59
Hi,

First of all, the SRK is (after taking ownership) always (!) loaded in the TPM. You can get a handle to it with

TcIRsaKey srk = context_.createRsaKeyObject(TcTssConstants.TSS_KEY_TSP_SRK);

which is exactly what getKeyByUuid() does in case of the SRK UUID anyway.

The problem with your code seems to be the TSS_SECRET_MODE_NONE in the migration policy of the key you create. This mode is not supported in jTSS (see documentation). The workaround is to use the well known secret here too.

Have a nice weekend,
Ronald

On 03/11/2011 03:04 PM, Mudassar Aslam wrote:
> Hi
>
> SRK secret is one thing, I am actually unable to load an SRK instance using
> the context. Is it possible to load the SRK even if it is not registered in the system
> PS (this is where I think take_ownership is required)?
>
> Well, I tried to create another key with the SRK being its parent key. I used the
> following code but get the error "No secret set for this policy object" when I
> call createKey(srk, null). Obviously because the SRK is not registered.
>
> /*KEY CREATION*/
>
> //Parent key SRK
> TcIRsaKey srk = context.getKeyByUuid(TcTssConstants.TSS_PS_TYPE_SYSTEM,
>         TcUuidFactory.getInstance().getUuidSRK());
> TcIPolicy srkPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
> srkPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_SHA1,
>         TcBlobData.newByteArray(TcTssConstants.TSS_WELL_KNOWN_SECRET));
> srkPolicy.assignToObject(srk);
>
> /*Binding Key*/
> // Create an empty binding key object
> long keyAttributes = TcTssConstants.TSS_KEY_SIZE_2048 |
>         TcTssConstants.TSS_KEY_TYPE_BIND |
>         TcTssConstants.TSS_KEY_VOLATILE |
>         TcTssConstants.TSS_KEY_NOT_MIGRATABLE |
>         TcTssConstants.TSS_KEY_NO_AUTHORIZATION; //default
>
> TcIRsaKey bindKey = context.createRsaKeyObject(keyAttributes);
>
> // Bind key usage policy
> TcIPolicy bindKeyPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
> bindKeyPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, Define.BIND_KEY_SECRET);
> bindKeyPolicy.assignToObject(bindKey);
>
> // Bind key migration policy (just to avoid popup)
> TcIPolicy bindKeyMigrationPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
> bindKeyMigrationPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_NONE, null);
> bindKeyMigrationPolicy.assignToObject(bindKey);
>
> //Parent key SRK
> bindKey.createKey(srk, null);
>
> Regards.
> Mudassar.

--
Dipl.-Ing. Ronald Tögl
Secure and Correct Systems
IAIK, Graz University of Technology
phone +43 316/873-5502
fax +43 316/873-5520
ron...@ia...
http://www.iaik.tugraz.at
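The fix Ronald describes, written out as an added example (not code from the thread or from jTSS itself): the SRK handle is taken with createRsaKeyObject(TSS_KEY_TSP_SRK) rather than looked up in persistent storage, and the bind key's migration policy gets the well-known secret in SHA1 mode instead of the unsupported TSS_SECRET_MODE_NONE. The method expects an already connected TcIContext; the bind key usage secret passed in by the caller is an assumed value.

```java
import iaik.tc.tss.api.constants.tsp.TcTssConstants;
import iaik.tc.tss.api.exceptions.common.TcTssException;
import iaik.tc.tss.api.structs.common.TcBlobData;
import iaik.tc.tss.api.tspi.TcIContext;
import iaik.tc.tss.api.tspi.TcIPolicy;
import iaik.tc.tss.api.tspi.TcIRsaKey;

public class CreateBindKeyUnderSrk {

    // The well-known secret (20 zero bytes) is passed as an SHA1-mode secret, i.e.
    // it is used directly as the authorisation value and not hashed again.
    private static TcBlobData wellKnownSecret() {
        return TcBlobData.newByteArray(TcTssConstants.TSS_WELL_KNOWN_SECRET);
    }

    // Creates a non-migratable binding key wrapped by the SRK. 'context' must be
    // connected; 'bindKeySecret' is the caller's usage secret (assumed value).
    public static TcIRsaKey createBindKey(TcIContext context, TcBlobData bindKeySecret)
            throws TcTssException {
        // The SRK is always loaded once ownership has been taken, so no registration
        // in the system persistent storage is needed to obtain a handle to it.
        TcIRsaKey srk = context.createRsaKeyObject(TcTssConstants.TSS_KEY_TSP_SRK);
        TcIPolicy srkPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
        srkPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_SHA1, wellKnownSecret());
        srkPolicy.assignToObject(srk);

        // Same key attributes as in the thread: 2048-bit, bind, volatile, non-migratable.
        long keyAttributes = TcTssConstants.TSS_KEY_SIZE_2048
                | TcTssConstants.TSS_KEY_TYPE_BIND
                | TcTssConstants.TSS_KEY_VOLATILE
                | TcTssConstants.TSS_KEY_NOT_MIGRATABLE
                | TcTssConstants.TSS_KEY_NO_AUTHORIZATION;
        TcIRsaKey bindKey = context.createRsaKeyObject(keyAttributes);

        // Usage policy with a plain (to-be-hashed) secret, as in the original code.
        TcIPolicy usagePolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
        usagePolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, bindKeySecret);
        usagePolicy.assignToObject(bindKey);

        // jTSS does not support TSS_SECRET_MODE_NONE, so the migration policy also
        // gets the well-known secret instead of an empty secret.
        TcIPolicy migrationPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
        migrationPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_SHA1, wellKnownSecret());
        migrationPolicy.assignToObject(bindKey);

        // Let the TPM generate the key pair; the private part is wrapped by the SRK.
        bindKey.createKey(srk, null);
        return bindKey;
    }
}
```

Because the SRK's usage policy carries the well-known secret, this call works whether or not the SRK has been registered in the system persistent storage.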
From: Ronald T. <ron...@ia...> - 2011-03-11 13:20:13
Hi!

The authentication secret to the SRK should already have been set to the well known secret at key creation by the Windows tool. Have you actually tried to use the SRK yet?

Regards,
Ronald

On 03/11/2011 12:22 PM, Mudassar Aslam wrote:
> Hi again,
>
> I am running following code (the same in jTpmTools) to take ownership but
> get "TPM ownership command is disabled". I have checked all windows group
> policies to make sure that takeownership command is allowed. Still unable to
> set SRK to WELL KNOWN SECRET.
>
> note: I am not using jTpmTools because I could not run it even after placing
> all jars in ext_lib folder (which is another issue)
>
> Regards.
>
> Mudassar.