Activity for Ken Goldman
-
Ken Goldman posted a comment on discussion General Discussion
TPM_PT_HR_PERSISTENT_AVAIL gives a minimum, but a TPM is permitted to return 1 even when more can fit. The reason it's an estimate is that a small sealed blob with no authorization takes up less space than an RSA 4096 key with a SHA-384 policy and a long password.
-
Sealed data is an object, and can be persisted using evictcontrol. However, there are very few TPM slots, so it's better to store the blob externally and back it up like you back up any other data.
-
I don't think so. The TPM is resource constrained. It's designed so that minimal state is on the TPM and other data is stored externally, protected by the TPM. Back up the sealed data. Persist the sealed data, but there are only about 7 persistent slots. You can fill them all.
-
What does 'from installation mean'? What are 'the tests'? Do you mean the TSS regression test scripts? Are you trying to test the TPM using the TSS regression tests? Or testing the TSS using the TPM? In the past, the distros did not want the regression tests installed. Or the sample policies and certificates. Has something changed? Is installing the certificates a security hole? Where are you proposing to install them? The code has no comments. The autotools code is fragile, and I don't want to break...
-
The regression test can run after installation. Is there a bug that prevents this for you? What do you mean by 'swtpm currently fetch the sources of ibmtss'. swtpm is a separate project. ' swtpm test coverage under distributions is currently lacking the TSS test suite.' - The documentation explains why the TSS test suite is not a TPM test suite. 'and then run the swtpm tests' What are these swtpm tests? The TCG maintains a TPM test suite, entirely separate from any TSS. I still do not understand...
-
dnf: Update tss2.spec to v2.3.2
-
doc: Move documentation for no deprecated algorithms.
-
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
-
rpm: Add specfile for tag 2.3.1
-
tss: Remove reference to engine.h
-
Update Changelog for 2.3.1.
-
The code has no comments, and there are no patch descriptions for the patches. Since the autotools code was contributed, I cannot accept changes unless they are clear. The regression tests can already be run before or after installation, so the purpose of the patches is unclear. "distros can't easily vendor extra software" is unclear. What extra software, and what vendor? utils/reg.sh: skip rootcerts checks if /home/kgold missing looks odd. Why would the /home/kgold directory be hard coded.
-
src/BnToOsslMath.h: fix build with openssl 3.3.x
-
Could you try the latest master, or the latest tagged commit? I think this was fixed.
-
For big endian machines, build with BIG_ENDIAN_TPM=YES The download is a compressed tarball. Evidently, some versions of gnu tar for Windows aren't built to handle compressed files. If the untar fails, try this: > gzip -d ibmtpmnnn.tar.gz # unzip > tar xvf ibmtpmnnn.tar # untar Any TPM needs TPM2_Startup as its first command. A BIOS supporting a hardware TPM 2.0 will send this command. Otherwise, see the IBM TSS "startup" sample. ** For future changes notes, see the ChangeLog. ** **Build 1682 includes...
-
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
-
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
-
Windows: Add policycapability to VS project
-
windows: Add VS project files for policycapability, policyparameters
-
windows: Add VS project files for policycapability, policyparameters
-
windows: Update visual studio project files for Openssl 3.2
-
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
-
windows: Remove readme.txt from policyauthvalue project
-
In all of the methods, there is no corresponding TPM 'save' command to simply read a private key. However, the key starts outside the TPM, and it's up to the outside software to determine whether the key can be moved to another TPM or back to the host - based on the policy. If you want a key that is guaranteed to never be outside the TPM, the TPM has to generate it.
-
There are several ways, in order of complexity, but there's sample code for each: loadexternal. This requires the plaintext key available on each system every time. See testsign.sh for an example. import. This wraps the plaintext key to a parent. It's locked to that TPM parent, but you can import it to multiple target TPMs. Each target first gets the plaintext key. See testrsa.sh for an example using the 'importpem' program. duplicate. This wraps the key at a (perhaps single) source, then duplicates...
-
Merge branch 'master' of github.ibm.com:kgoldman/ibmswtpm2
-
TcpServerPosix fails to build with gcc7 due to uninitialized value warning
-
Merge branch 'next'
-
TcpServerPosix: Fix use of uninitialized value.
-
README.md: Update ibmtss project URL
-
README.md: Update ibmtss project URL
-
tpm: Update VS project to openssl 3.2
-
tpm: Minor updates from rev 180 to rev 183
-
tpm: Fix gcc 8.3.1 compiler errors
-
rev180: Rearrange order of TPMI_ECC_CURVE_P_UNMARSHAL in unmarshalArray
-
tpm: Increment supported openssl to 3.2.x
-
tpm: Update based on comliance test results
-
tpm: Complete command tracing
-
tpm: Delete accidentally commited tmp.c tmp.h
-
tpm: Add SetCap stub implementation
-
tpm: add protector around big endian define.
-
Merge branch 'rev180' of github.ibm.com:kgoldman/ibmswtpm2 into rev180
-
tpm: Add include headers for Linux port
-
tpm: Use size_t as index, not a signed type.
-
tpm: Replace these files with rev 180 spec versions.
-
tpm: Add TPMI_RH_NV_EXP_INDEX_Unmarshalfunction prototype.
-
tpm: Add void to functions.
-
tpm: Fix case sensitive file names for Linux port
-
tpm: Add static to local functions.
-
tpm: Change case for NVDynamic include
-
tpm: Update .gitignore for visual studio and debug outputs
-
tpm: Updates to rev 180
-
tpm: Add explanation for not checking on load if fixedTPM
-
regtest: Add policycapability regression test
-
regtest: Add policyparameters Windows tests
-
regtest: Add policyparameters regression tests
-
tss: Roll revision to 2.3.0
-
tss: Fix typo in TSS_TPMA_NV_Print
-
tss: First release of policyparameters and policycapability
-
That makes sense, so GetPrivateKeyFromTPM() doesn't actually get the private key. Are we done, or is there more to the question? Note that this is a TPM project. If you have questions about the OpenSSL provider, there's surely a better forum.
-
There is no command to get a private key from a TPM. The goal of the TPM is to protect the private key. The TPM has a TPM2_Sign function that will sign a digest using a key on the TPM.
-
See the README: Provision the SW TPM 2.0 with EK certificates
-
TPM2_NV_ReadPublic 01 c0 00 02 is trying to read the RSA EK certificate from the TPM. My guess is that you didn't provision that TPM with an EK certificate.
-
version: Roll the version to 2.2.0
-
utils: Add VS project for Nuvoton commands
-
doc: Add html conversion of ibmtss.docx
-
tss: ifdef out deprecated functions
-
Merge branch 'next'
-
utils12: Add extern to tssUtilsVerbose for Debian
-
regtest: Add userWithAuth CLEAR to unseal tests
-
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
-
regtest: Fix testrsa for openssl 1.1.1 pkcs1
-
doc: Minor updateto documentation
-
Merge branch 'next' of github.ibm.com:linux-integrity/tpm2
-
utils: Add support for loadexternal schemes.
-
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
-
regtest: Add bits parameter to initial RSA decryption key
-
utils: Accept curveID from caller.
-
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
-
Merge branch 'next' of github.ibm.com:linux-integrity/tpm2
1 >