TPM_PT_HR_PERSISTENT_AVAIL gives a minimum, but a TPM is permitted to return 1 even when more can fit. The reason it's an estimate is that a small sealed blob with no authorization takes up less space than an RSA 4096 key with a SHA-384 policy and a long password.
Sealed data is an object, and can be persisted using evictcontrol. However, there are very few TPM slots, so it's better to store the blob externally and back it up like you back up any other data.
I don't think so. The TPM is resource constrained. It's designed so that minimal state is on the TPM and other data is stored externally, protected by the TPM. Back up the sealed data. Persist the sealed data, but there are only about 7 persistent slots. You can fill them all.
What does 'from installation' mean? What are 'the tests'? Do you mean the TSS regression test scripts? Are you trying to test the TPM using the TSS regression tests? Or testing the TSS using the TPM? In the past, the distros did not want the regression tests installed. Or the sample policies and certificates. Has something changed? Is installing the certificates a security hole? Where are you proposing to install them? The code has no comments. The autotools code is fragile, and I don't want to break...
The regression test can run after installation. Is there a bug that prevents this for you? What do you mean by 'swtpm currently fetch the sources of ibmtss'. swtpm is a separate project. 'swtpm test coverage under distributions is currently lacking the TSS test suite.' - The documentation explains why the TSS test suite is not a TPM test suite. 'and then run the swtpm tests' What are these swtpm tests? The TCG maintains a TPM test suite, entirely separate from any TSS. I still do not understand...
dnf: Update tss2.spec to v2.3.2
doc: Move documentation for no deprecated algorithms.
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
rpm: Add specfile for tag 2.3.1
tss: Remove reference to engine.h
Update Changelog for 2.3.1.
The code has no comments, and there are no patch descriptions for the patches. Since the autotools code was contributed, I cannot accept changes unless they are clear. The regression tests can already be run before or after installation, so the purpose of the patches is unclear. "distros can't easily vendor extra software" is unclear. What extra software, and what vendor? utils/reg.sh: skip rootcerts checks if /home/kgold missing looks odd. Why would the /home/kgold directory be hard coded?
src/BnToOsslMath.h: fix build with openssl 3.3.x
Could you try the latest master, or the latest tagged commit? I think this was fixed.
For big endian machines, build with BIG_ENDIAN_TPM=YES
The download is a compressed tarball. Evidently, some versions of gnu tar for Windows aren't built to handle compressed files. If the untar fails, try this:
> gzip -d ibmtpmnnn.tar.gz # unzip
> tar xvf ibmtpmnnn.tar # untar
Any TPM needs TPM2_Startup as its first command. A BIOS supporting a hardware TPM 2.0 will send this command. Otherwise, see the IBM TSS "startup" sample.
** For future changes notes, see the ChangeLog. **
**Build 1682 includes...
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
Windows: Add policycapability to VS project
windows: Add VS project files for policycapability, policyparameters
windows: Add VS project files for policycapability, policyparameters
windows: Update visual studio project files for Openssl 3.2
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
windows: Remove readme.txt from policyauthvalue project
In all of the methods, there is no corresponding TPM 'save' command to simply read a private key. However, the key starts outside the TPM, and it's up to the outside software to determine whether the key can be moved to another TPM or back to the host - based on the policy. If you want a key that is guaranteed to never be outside the TPM, the TPM has to generate it.
There are several ways, in order of complexity, but there's sample code for each:
loadexternal. This requires the plaintext key available on each system every time. See testsign.sh for an example.
import. This wraps the plaintext key to a parent. It's locked to that TPM parent, but you can import it to multiple target TPMs. Each target first gets the plaintext key. See testrsa.sh for an example using the 'importpem' program.
duplicate. This wraps the key at a (perhaps single) source, then duplicates...
Merge branch 'master' of github.ibm.com:kgoldman/ibmswtpm2
TcpServerPosix fails to build with gcc7 due to uninitialized value warning
Merge branch 'next'
TcpServerPosix: Fix use of uninitialized value.
README.md: Update ibmtss project URL
README.md: Update ibmtss project URL
tpm: Update VS project to openssl 3.2
tpm: Minor updates from rev 180 to rev 183
tpm: Fix gcc 8.3.1 compiler errors
rev180: Rearrange order of TPMI_ECC_CURVE_P_UNMARSHAL in unmarshalArray
tpm: Increment supported openssl to 3.2.x
tpm: Update based on compliance test results
tpm: Complete command tracing
tpm: Delete accidentally committed tmp.c tmp.h
tpm: Add SetCap stub implementation
tpm: add protector around big endian define.
Merge branch 'rev180' of github.ibm.com:kgoldman/ibmswtpm2 into rev180
tpm: Add include headers for Linux port
tpm: Use size_t as index, not a signed type.
tpm: Replace these files with rev 180 spec versions.
tpm: Add TPMI_RH_NV_EXP_INDEX_Unmarshal function prototype.
tpm: Add void to functions.
tpm: Fix case sensitive file names for Linux port
tpm: Add static to local functions.
tpm: Change case for NVDynamic include
tpm: Update .gitignore for visual studio and debug outputs
tpm: Updates to rev 180
tpm: Add explanation for not checking on load if fixedTPM
regtest: Add policycapability regression test
regtest: Add policyparameters Windows tests
regtest: Add policyparameters regression tests
tss: Roll revision to 2.3.0
tss: Fix typo in TSS_TPMA_NV_Print
tss: First release of policyparameters and policycapability
That makes sense, so GetPrivateKeyFromTPM() doesn't actually get the private key. Are we done, or is there more to the question? Note that this is a TPM project. If you have questions about the OpenSSL provider, there's surely a better forum.
There is no command to get a private key from a TPM. The goal of the TPM is to protect the private key. The TPM has a TPM2_Sign function that will sign a digest using a key on the TPM.
See the README: Provision the SW TPM 2.0 with EK certificates
TPM2_NV_ReadPublic 01 c0 00 02 is trying to read the RSA EK certificate from the TPM. My guess is that you didn't provision that TPM with an EK certificate.
version: Roll the version to 2.2.0
utils: Add VS project for Nuvoton commands
doc: Add html conversion of ibmtss.docx
tss: ifdef out deprecated functions
Merge branch 'next'
utils12: Add extern to tssUtilsVerbose for Debian
regtest: Add userWithAuth CLEAR to unseal tests
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
regtest: Fix testrsa for openssl 1.1.1 pkcs1
doc: Minor update to documentation
Merge branch 'next' of github.ibm.com:linux-integrity/tpm2
utils: Add support for loadexternal schemes.
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
regtest: Add bits parameter to initial RSA decryption key
utils: Accept curveID from caller.
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
Merge branch 'next' of github.ibm.com:linux-integrity/tpm2