Activity for jv
-
jv posted a comment on discussion General Discussion
Thanks, Ken. Just to make sure I'm clear on what you're saying... In using any of these methods, I want to make sure that the original private key does not exit the TPM into say a client like OpenSSL.
-
Hi all, Let's say that I have a key pair that is created external to a TPM. The private portion of the pair is to be distributed to a number of TPMs. Is there a way to distribute that private key outside of key wrapping (i.e. distributing the private key such that it becomes locked within the TPM, never to see the light of day)? Thanks.
-
Good guess. I don't recall the owner password being set to something non-empty. I cleared the TPM and things are working as expected. I'm using the nvread from Ubuntu 18.04.3. If I leave off the -of, I get no output. Thanks for the help.
-
Hi, My goal is to create two ordinary NV locations using platform authorization. Both locations need to allow platform read and write access. One location needs to be readable by everyone and the other location needs to be writable by everyone. I started like this for the globally readable location: tssnvdefinespace -hi p -ha 01000010 -sz 500 +at rst +at ppw +at ppr +at wd +at or +at ar +at aw and wrote its content. I then set a random platform password. Finally, I attempted to read it using owner...
-
Hi, I'm using ibmtss1470. I'm executing the following: $ tssgetrandom -by 10 -nz -of /dev/stdout|xxd 00000000: e721 08bc 80ae 428d 465f 00 .!....B.F_. Notice the zero-byte at the very end even though -nz is specified. Is the "noZeros" check in getrandom.c perhaps turned around? if ((rc == 0) && (outFilename != NULL)) { rc = TSS_File_WriteBinaryFile(randomBuffer, bytesRequested + (noZeros ? 1 : 0), outFilename); } Thanks.
-
Hi, I'm using ibmtss1470. I'm seeing the above error when executing the following on a real TPM: $ tsscreateprimary -hi p -ecc nistp256 -st Handle 80000000 $ tssflushcontext -ha 80000000 flushcontext: failed, rc 000b0091 TSS_RC_NO_OBJECTPUBLIC_SLOT - TSS context has no object public slot for handle The operation seems to work, but the error code is causing a problem with various tools. The package was configured as follows: ./configure --disable-tpm-1.2 --prefix=$(pwd)/rootfs/usr --disable-rmtpm...
-
I think rollback is okay. The content of the NVRAM index will be a root-of-trust certificate. The reason for replacement will likely be because of updated expiration dates in the certificate. If somebody puts an old ROT cert. back into the index, it simply renders some portion of the platform unusable -- which is okay. As long as attacker can't insert their own ROT -- which is prevented by the signing...
-
While I can appreciate the flexibility and power here, my required implementation will be a minor miracle to achieve -- with next to no feedback as to source of error. :-)
-
you want the signer to authorize writing specific new data content to the NV index. That's correct. cpHashA will include... When you say include (and what I read from the spec.), I assume this means essentially the raw encoding of the TPM2_NV_Write command? If so, is there a way to have TSS help with this encoding? Note that the Name changes after the first write. Understood. This actually creates an interesting problem in my scenario. In that scenario, an off-line server is doing this signing. That...
-
You probably want to sign something Yeah, this is where things get more complicated and perhaps underspecified by me. The real goal here would be for the TPM NVRAM index content to be signed. Ideally, this signed content would be fed to the TPM. If the TPM successfully verifies the signature, the TPM would write the content to the target index.
-
Hi, I want an NVRAM index that has unrestricted read access with write access restricted based on a signature. I do not want the signature to include a nonce from the TPM as the signing key will be unique per platform containing the TPM. In reading the 2.0 spec., it seems that creation of such a policy is possible using PolicySigned. The "Practical Guide" seems to indicate that the nonce is required for PolicySigned and PolicyAuthorize would be a better choice. Which policy is the "correct" choice,...
-
I was very deliberate about using a RAM-based file in the example as it's protected via normal file permissions. A rouge process can run as the app user and have full access to it. Writing the app code space will be much more difficult because of MMU protections on the code space (read/execute), data space (read/write) and secure boot where all code is assumed to be signed prior to launching.
-
I'm most interested in case #2. Assume the app. is a script that will use an OpenSSL TPM2 engine to perform some crypto using the public key. The script reads the public key out of TPM NV and stores it in a RAM-based file, /run/blotzo.tmp. At this point, the script becomes waylaid by the scheduler just long enough for a rogue process to overwrite /run/blotzo.tmp with a bogus public key. Now, our script is scheduled and issues its OpenSSL command to perform some crypto using the compromised public...
-
Appreciate the response. if we don't trust the application to move the key from NV to an object slot, we can't trust it to do the signature verification either. It could ignore the TPM and just return success. While we can trust the application as compiled, there may be other rogue code running on the box. Granted it may be a small window, but that rogue code could swap in its own public key prior to the application loading the key into the object slot.
-
One reason for storing public keys in the TPM is "locking down" roots of trust. Pulling a trusted public key out of the TPM into memory makes the key vulnerable -- even if it's ultimately loaded back into the TPM for crypto munging. I'll be interested to hear the results of your conversations...
-
Unless I read this incorrectly, the scenario in question should be allowed. From page 330: The obvious solution is to store the key in the TPM. This public key can be loaded using the TPM2_LoadExternal command and then made persistent using the TPM2_EvictControl command. Now commands that are used to update the firmware can use the certified TPM2_VerifySignature command to verify that the new firmware is indeed signed by the manufacturer before it’s loaded. Writing cryptographic code isn’t easy to...
1