User Activity

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    Would you mind sharing your 1.2 solution? (Also - Ken and others to thank; I'm just a script jockey, if that.) Thanks!!!

    Sent from my iPhone

    On Sep 19, 2020, at 6:31 PM, Andrew Stevens stevens94@users.sourceforge.net wrote:

    Russ, just wanted to thank you for posting your seal+unseal scripts. They work unaltered on Ubuntu 18.04. I have much simpler seal+unseal code for TPM 1.2, and tried for days to get it working similarly on TPM 2.0. But it's far more complicated for 2.0. Thanks for solving the...

  • Modified a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    I am trying to seal/unseal data to the TPM, and cobbled together a sequence of commands to do what I want. TL;DR: solution and scripts posted here. After a long and protracted debug session on the hardware TPM where it refused to unseal my data, I installed the software TPM and ran the sequence against that, and it worked. (Earlier, I found that I have success with /dev/tpm0, and not with /dev/tpmrm0, so I rebuilt the commands to not support the resource manager. For this present issue, I've tried...

  • Modified a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    Hello, I'm struggling trying to get seal/unseal, and really anything dealing with the hardware TPM, to work. I'm on Fedora 31. TL;DR: solution and scripts posted here. I've searched documentation looking for how to use the hardware TPM (2.0), and I can only find ways to compile it into the system. I can't find mention of what environment variables are supported, only that there are environment variables. As a result, can you point me to a general introductory guide on how to use this with the hardware...

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    I've been down a long road trying to seal / unseal secrets to a set of PCRs, persistently (unseals following a poweroff/restart), with the additional issue of using the Integrity Measurement Architecture (IMA) with the ima_tcb policy. If you aren't familiar, the IMA TCB policy measures all files executed by root, as well as all files read by root on specific filesystems. The challenge is that when starting the policypcr in an auth session, any changes to the tpmUpdateCounter - a thing that counts...

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    I might have misunderstood you. Is the PCR update counter value used like an extra PCR, meaning that the value that it was set to at the time of seal must be the same value that is present at the time of the policy PCR session that precedes the unseal? Or is the counter simply there to ensure that the unsealed operation takes place immediately after the policy PCR session begins, and that this counter value has absolutely nothing to do with how the blob is sealed in the first place? If it is the...

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    Come to think of it, what security purpose does the PCR event counter serve? I'm thinking that when I go to seal my blob, I can do a bunch of random reads and executes to set the counter value kind of high. Later, when I reboot, I can do the same thing to make the values line up, and then attempt to do an unseal. The PCR values are the real thing - the counter just gets in the way.

    Sent from my iPhone

    On Dec 16, 2019, at 3:58 PM, Russ docfink@users.sourceforge.net wrote:

    That is my guess, too....

  • Modified a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    DISREGARD THIS MESSAGE BELOW - it's not the answer, just another piece of evidence to the real culprit, IMA (further below). *** Problem "solved" - somehow, booting Fedora 31 into multiuser/graphical mode affects /dev/tpm0. If I reboot, catch the Grub menu, change the line to "linux ... init=/bin/bash -l" and boot into a single user mode, I can seal/unseal to /dev/tpm0 just fine. (Warning: /dev/tpmrm0, the resource manager, does not permit unsealing, and therefore should be avoided in Fedora 31 -...

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    That is my guess, too. Since your reply, I booted into my "single user" but let IMA run. The counter is indeed incrementing. I repeatedly ran my scripts, and I could see the counter incrementing from 1242, 1246, 1250, ... at some point getting to 1300-some and continuing. I read the TPM spec, so it's just going to be this way. Is there a way you can think of that I can use IMA, but not have this problem? I started using IMA because Trusted Grub (or rather grub 2.04 which has uploaded some tgrub measurement...

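The comments above ask two things: whether the PCR update counter (pcrUpdateCounter in the TPM 2.0 specification) is an input to the sealed blob, and what the counter is for. Neither question is answered by the truncated thread, so the following is an added example, not code from the thread, from IBM's TSS, or from the tss* utilities the posts use. It computes the TPM2_PolicyPCR policy digest exactly as TPM 2.0 Part 3 defines it (old digest || TPM_CC_PolicyPCR || marshaled TPML_PCR_SELECTION || digest of the selected PCR values), then models the part of session state that matters here: PolicyPCR records the counter in the session, and Unseal fails with TPM_RC_PCR_CHANGED if any PCR has been extended since. The PCR bank, the secret and the IMA-style extends of PCR 10 are constructed sample data; the TpmModel class is a teaching model, not a TPM.

```python
"""
TPM 2.0 PolicyPCR digest computation plus a minimal model of the
pcrUpdateCounter check. Constructed example; PCR values are made up.
"""
import hashlib
import struct

# Constants from TPM 2.0 Library Part 2 (Structures).
TPM_CC_PolicyPCR = 0x0000017F   # command code of TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B
PCR_SELECT_SIZE = 3             # sizeofSelect for a 24-PCR bank


def marshal_pcr_selection(pcrs, halg=TPM_ALG_SHA256):
    """TPML_PCR_SELECTION with one TPMS_PCR_SELECTION: UINT32 count=1,
    TPMI_ALG_HASH, UINT8 sizeofSelect, bitmap (PCR n is bit n%8 of byte n//8)."""
    select = bytearray(PCR_SELECT_SIZE)
    for n in pcrs:
        select[n // 8] |= 1 << (n % 8)
    return struct.pack(">IHB", 1, halg, PCR_SELECT_SIZE) + bytes(select)


def pcr_composite_digest(pcr_bank, pcrs):
    """digestTPM: hash of the selected PCR values concatenated in PCR order."""
    h = hashlib.sha256()
    for n in sorted(pcrs):
        h.update(pcr_bank[n])
    return h.digest()


def policy_pcr_digest(pcr_bank, pcrs, old_digest=bytes(32)):
    """policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || digestTPM).
    The counter is not among the inputs; only the selection and the PCR values are."""
    return hashlib.sha256(
        old_digest
        + struct.pack(">I", TPM_CC_PolicyPCR)
        + marshal_pcr_selection(pcrs)
        + pcr_composite_digest(pcr_bank, pcrs)
    ).digest()


class TpmModel:
    """Model of a SHA-256 PCR bank, pcrUpdateCounter and policy sessions (not a TPM)."""

    def __init__(self, pcr_bank):
        self.pcr = dict(pcr_bank)
        self.pcr_update_counter = 0
        self.sessions = {}

    def pcr_extend(self, n, data):
        # PCR[n] = H(PCR[n] || H(data)); every extend bumps the counter.
        # (Real platforms exempt a few "no increment" PCRs; ignored here.)
        self.pcr[n] = hashlib.sha256(self.pcr[n] + hashlib.sha256(data).digest()).digest()
        self.pcr_update_counter += 1

    def start_policy_session(self, handle):
        self.sessions[handle] = {"digest": bytes(32), "counter": None}

    def policy_pcr(self, handle, pcrs):
        # Extends the session digest and records (does not hash) the current counter.
        s = self.sessions[handle]
        s["digest"] = policy_pcr_digest(self.pcr, pcrs, s["digest"])
        s["counter"] = self.pcr_update_counter
        return s["digest"]

    def unseal(self, handle, auth_policy, sealed_data):
        s = self.sessions[handle]
        if s["counter"] is not None and s["counter"] != self.pcr_update_counter:
            return "TPM_RC_PCR_CHANGED", None   # some PCR changed since PolicyPCR
        if s["digest"] != auth_policy:
            return "TPM_RC_POLICY_FAIL", None   # selected PCRs differ from seal time
        return "TPM_RC_SUCCESS", sealed_data


def run_scenarios():
    """Seal at 'first boot' with the counter high, then unseal under three conditions."""
    selection = [0, 2, 4, 7]
    secret = b"constructed secret"
    first_boot = {n: hashlib.sha256(b"constructed PCR %d" % n).digest() for n in range(24)}
    tpm = TpmModel(first_boot)
    for _ in range(1000):                       # IMA busy before sealing: counter is high
        tpm.pcr_extend(10, b"measured file")
    auth_policy = policy_pcr_digest(tpm.pcr, selection)   # the authPolicy baked into the object
    results = {}

    # 1. Reboot: selected PCRs identical, PCR 10 extended a different number of times,
    #    so the counter differs from its seal-time value.
    tpm = TpmModel(first_boot)
    for _ in range(37):
        tpm.pcr_extend(10, b"measured file")
    tpm.start_policy_session("s1")
    tpm.policy_pcr("s1", selection)
    results["counter_differs_from_seal_time"] = tpm.unseal("s1", auth_policy, secret)[0]

    # 2. Same machine state, but PCR 10 is extended between PolicyPCR and Unseal.
    tpm.start_policy_session("s2")
    tpm.policy_pcr("s2", selection)
    tpm.pcr_extend(10, b"another file read by root")
    results["extend_between_policypcr_and_unseal"] = tpm.unseal("s2", auth_policy, secret)[0]

    # 3. A selected PCR differs (e.g. a different kernel measured into PCR 4).
    tpm = TpmModel(first_boot)
    tpm.pcr_extend(4, b"different kernel")
    tpm.start_policy_session("s3")
    tpm.policy_pcr("s3", selection)
    results["selected_pcr_differs"] = tpm.unseal("s3", auth_policy, secret)[0]
    return results
```

Scenario 1 shows that the counter value at seal time is irrelevant: the session compares the counter at Unseal with the one it recorded at PolicyPCR, never with anything stored in the blob. Scenario 2 is the failure the thread runs into with ima_tcb: any extend of any PCR in the window between PolicyPCR and Unseal fails the unseal, even when the selected PCRs are untouched. The practical consequence is to make that window as short as possible and free of file reads or executes that IMA will measure, which usually means issuing PolicyPCR and Unseal from one already-running process rather than from a sequence of separate root-executed scripts.
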
Personal Data

Username:
docfink
Joined:
2012-07-11 14:18:36

Projects

  • No projects to display.