microsoft / ms-tpm-20-ref
Reference implementation of the TCG Trusted Platform Module 2.0 specification.
License: Other
The indentation in this block of code is misleading: https://github.com/Microsoft/ms-tpm-20-ref/blob/master/TPMCmd/Platform/src/NVMem.c#L208
The call to 'fclose' immediately follows a conditional and is indented in such a way as to lead the reader to believe it is within the scope of the conditional. The conditional however is immediately followed by a ';' on the same line which makes it a no-op and causes the call to 'fclose' to happen regardless of the result of the test. Removing this ';' will get you the intended behavior.
Apologies for not sending a patch but I'm still barred from doing so on account of the CCLA.
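A stand-alone model of the stray-';' pattern the issue describes, added here and not taken from the project's NVMem.c: a counting stand-in replaces fclose() so the effect can be checked without a real file, and the comments name the GCC warnings that catch it (the build line quoted further down this page passes -Wno-error=empty-body, which keeps one of them from failing a -Werror build).

```c
#include <stddef.h>
#include <stdio.h>

/* Stands in for fclose() so the effect is observable without a real file:
 * fclose(NULL) is undefined behaviour and normally crashes, so we count the
 * calls that arrive with a NULL handle instead of performing them. */
static int null_close_calls = 0;

static void fake_fclose(FILE *f)
{
    if (f == NULL)
        null_close_calls++;
}

/* The shape reported in the issue: the ';' after the condition is the whole
 * (empty) body, so the indented call on the next line is unconditional.
 * GCC flags this with -Wempty-body (part of -Wextra) and, because of the
 * indentation, -Wmisleading-indentation (part of -Wall). */
static void close_if_open_buggy(FILE *f)
{
    if (f != NULL);       /* empty statement: the 'if' guards nothing */
        fake_fclose(f);   /* executes even when f == NULL */
}

/* The same two lines with the stray ';' removed. */
static void close_if_open_fixed(FILE *f)
{
    if (f != NULL)
        fake_fclose(f);
}

/* Drive each variant once with a NULL handle and report how many close calls
 * reached the NULL handle: 1 for the buggy form, 0 for the fixed form. */
int null_closes_buggy(void)
{
    null_close_calls = 0;
    close_if_open_buggy(NULL);
    return null_close_calls;
}

int null_closes_fixed(void)
{
    null_close_calls = 0;
    close_if_open_fixed(NULL);
    return null_close_calls;
}

int main(void)
{
    printf("buggy form closed a NULL handle %d time(s)\n", null_closes_buggy());
    printf("fixed form closed a NULL handle %d time(s)\n", null_closes_fixed());
    return 0;
}
```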
Reproduce:
msbuild TPMCmd\simulator.sln /p:Configuration=WolfRelease
Reason:
Inconsistency in the function declaration of MathLibraryCompatibilityCheck().
In TpmToWolfMath_fp.h and TpmToWolfMath.c:
void
MathLibraryCompatibilityCheck(
void
);
But SupportLibraryFunctionPrototypes_fp.h and Manufacture.c expect:
BOOL
MathLibraryCompatibilityCheck(
void
);
No one updated the submodule reference to WolfSSL since 1b35000. That version 4.6.0 has some open CVEs, I didn't check if they would apply, but I did check if 5.6.3 works as well - and it seems so. Anyone willing to push that? I would, but there is a "Contribution Limitation Agreement" in place here, and that is a bit in imbalance to such simple changes (although I may have a second one, see https://groups.google.com/d/msgid/isar-users/424e2519-2dfa-5379-a16e-ca505e6135fe%40siemens.com).
latest source build is failing in linux:
TPMCmd]# make
gcc -DPACKAGE_NAME=\"ms-tpm-20-ref\" -DPACKAGE_TARNAME=\"ms-tpm-20-ref\" -DPACKAGE_VERSION=\"0.1\" -DPACKAGE_STRING=\"ms-tpm-20-ref\ 0.1\" -DPACKAGE_BUGREPORT=\"https://github.com/microsoft/ms-tpm-20-ref/issues\" -DPACKAGE_URL=\"https://github.com/microsoft/ms-tpm-20-ref\" -DPACKAGE=\"ms-tpm-20-ref\" -DVERSION=\"0.1\" -DHAVE_PTHREAD_PRIO_INHERIT=1 -DHAVE_PTHREAD=1 -DHASH_LIB=Ossl -DSYM_LIB=Ossl -DMATH_LIB=Ossl -I. -std=gnu11 -Werror -Wall -Wformat-security -fstack-protector-all -fPIC -Wno-error=empty-body -Wno-error=expansion-to-defined -Wno-error=parentheses -Wno-error=pointer-to-int-cast -Wno-error=missing-braces -Wno-error=unused-result -I ./Platform/include -I ./Platform/include/prototypes -I ./tpm/include -I ./tpm/include/prototypes -I ./Simulator/include -I ./Simulator/include/prototypes -pthread -g -O2 -MT Simulator/src/tpm2_simulator-TPMCmdp.o -MD -MP -MF Simulator/src/.deps/tpm2_simulator-TPMCmdp.Tpo -c -o Simulator/src/tpm2_simulator-TPMCmdp.o `test -f 'Simulator/src/TPMCmdp.c' || echo './'`Simulator/src/TPMCmdp.c
mv -f Simulator/src/.deps/tpm2_simulator-TPMCmdp.Tpo Simulator/src/.deps/tpm2_simulator-TPMCmdp.Po
gcc -DPACKAGE_NAME=\"ms-tpm-20-ref\" -DPACKAGE_TARNAME=\"ms-tpm-20-ref\" -DPACKAGE_VERSION=\"0.1\" -DPACKAGE_STRING=\"ms-tpm-20-ref\ 0.1\" -DPACKAGE_BUGREPORT=\"https://github.com/microsoft/ms-tpm-20-ref/issues\" -DPACKAGE_URL=\"https://github.com/microsoft/ms-tpm-20-ref\" -DPACKAGE=\"ms-tpm-20-ref\" -DVERSION=\"0.1\" -DHAVE_PTHREAD_PRIO_INHERIT=1 -DHAVE_PTHREAD=1 -DHASH_LIB=Ossl -DSYM_LIB=Ossl -DMATH_LIB=Ossl -I. -std=gnu11 -Werror -Wall -Wformat-security -fstack-protector-all -fPIC -Wno-error=empty-body -Wno-error=expansion-to-defined -Wno-error=parentheses -Wno-error=pointer-to-int-cast -Wno-error=missing-braces -Wno-error=unused-result -I ./Platform/include -I ./Platform/include/prototypes -I ./tpm/include -I ./tpm/include/prototypes -I ./Simulator/include -I ./Simulator/include/prototypes -pthread -g -O2 -MT Simulator/src/tpm2_simulator-TPMCmds.o -MD -MP -MF Simulator/src/.deps/tpm2_simulator-TPMCmds.Tpo -c -o Simulator/src/tpm2_simulator-TPMCmds.o `test -f 'Simulator/src/TPMCmds.c' || echo './'`Simulator/src/TPMCmds.c
mv -f Simulator/src/.deps/tpm2_simulator-TPMCmds.Tpo Simulator/src/.deps/tpm2_simulator-TPMCmds.Po
gcc -DPACKAGE_NAME=\"ms-tpm-20-ref\" -DPACKAGE_TARNAME=\"ms-tpm-20-ref\" -DPACKAGE_VERSION=\"0.1\" -DPACKAGE_STRING=\"ms-tpm-20-ref\ 0.1\" -DPACKAGE_BUGREPORT=\"https://github.com/microsoft/ms-tpm-20-ref/issues\" -DPACKAGE_URL=\"https://github.com/microsoft/ms-tpm-20-ref\" -DPACKAGE=\"ms-tpm-20-ref\" -DVERSION=\"0.1\" -DHAVE_PTHREAD_PRIO_INHERIT=1 -DHAVE_PTHREAD=1 -DHASH_LIB=Ossl -DSYM_LIB=Ossl -DMATH_LIB=Ossl -I. -std=gnu11 -Werror -Wall -Wformat-security -fstack-protector-all -fPIC -Wno-error=empty-body -Wno-error=expansion-to-defined -Wno-error=parentheses -Wno-error=pointer-to-int-cast -Wno-error=missing-braces -Wno-error=unused-result -I ./Platform/include -I ./Platform/include/prototypes -I ./tpm/include -I ./tpm/include/prototypes -I ./Simulator/include -I ./Simulator/include/prototypes -pthread -g -O2 -MT Simulator/src/tpm2_simulator-TcpServer.o -MD -MP -MF Simulator/src/.deps/tpm2_simulator-TcpServer.Tpo -c -o Simulator/src/tpm2_simulator-TcpServer.o `test -f 'Simulator/src/TcpServer.c' || echo './'`Simulator/src/TcpServer.c
Simulator/src/TcpServer.c:565:6: error: conflicting types for ‘ReadVarBytes’
bool ReadVarBytes(SOCKET s, char* buffer, uint32_t* BytesReceived, uint32_t MaxLen)
^~~~~~~~~~~~
In file included from Simulator/src/TcpServer.c:75:
./Simulator/include/prototypes/Simulator_fp.h:96:6: note: previous declaration of ‘ReadVarBytes’ was here
bool ReadVarBytes(SOCKET s, char* buffer, uint32_t* BytesReceived, int MaxLen);
^~~~~~~~~~~~
make: *** [Makefile:5497: Simulator/src/tpm2_simulator-TcpServer.o] Error 1
Fix this in your source. I have fixed this myself locally, then built and generated tpm2-simulator by running
make install-exec
When running this executable,
root@host:/usr/local/bin# ./tpm2-simulator
LIBRARY_COMPATIBILITY_CHECK is ON
TPM command server listening on port 2321
Platform server listening on port 2322
My question here is: as this is a Linux machine and the simulator runs on Linux, will this simulator create the /dev/tpm0 and /dev/tpmrm0 files so that it works with tpm2 commands?
I don't see these files created. How does this simulator work, and how can I confirm this?
In one terminal I ran this executable; in another terminal I ran the tpm2_pcrread command, which should show PCR data:
tpm2_pcrread
ERROR:tcti:src/tss2-tcti/tcti-device.c:439:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpmrm0: No such file or directory
WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7fabcab22fb0 failed with a000a
WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
ERROR:tcti:src/tss2-tcti/tcti-device.c:439:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
WARNING:tcti:src/tss2-tcti/tctildr.c:62:tcti_from_init() TCTI init for function 0x7fabcab22fb0 failed with a000a
WARNING:tcti:src/tss2-tcti/tctildr.c:92:tcti_from_info() Could not initialize TCTI named: tcti-device
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:150:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
WARNING:esys:src/tss2-esys/api/Esys_GetCapability.c:303:Esys_GetCapability_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_GetCapability.c:107:Esys_GetCapability() Esys Finish ErrorCode (0x00000100)
ERROR: Esys_GetCapability(0x100) - tpm:error(2.0): TPM not initialized by TPM2_Startup or already initialized
ERROR: Unable to run tpm2_pcrread
It fails because there is no /dev/tpm0 file. But in the server log,
root@ubuntu-20-04-cnskc-testing:/usr/local/bin# ./tpm2-simulator
LIBRARY_COMPATIBILITY_CHECK is ON
TPM command server listening on port 2321
Platform server listening on port 2322
Client accepted
Client accepted
Platform server listening on port 2322
TPM command server listening on port 2321
I am getting messages like "Client accepted".
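As an added example (not code from the simulator or from tpm2-tools): the simulator creates no /dev/tpm0; it speaks a small TCP framing on the two ports in the log above, and a freshly started instance answers every command with responseCode 0x100 until it has been powered on and sent TPM2_Startup, which is what the tpm2_pcrread error shows. The block builds the power-on, NV-on and TPM2_Startup messages and parses a command reply; the opcodes and framing follow the simulator's TcpServer protocol as I understand it (treat them as assumptions to verify against TpmTcpProtocol.h), and the sample reply is constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Opcodes, sent as 4-byte big-endian words, from the simulator's TCP protocol. */
#define TPM_SIGNAL_POWER_ON  1u
#define TPM_SEND_COMMAND     8u
#define TPM_SIGNAL_NV_ON     11u

#define TPM_RC_SUCCESS     0x000u
#define TPM_RC_INITIALIZE  0x100u   /* the code in the tpm2_pcrread error above */

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* TPM2_Startup(TPM_SU_CLEAR): tag TPM_ST_NO_SESSIONS 0x8001, commandSize 12,
 * commandCode TPM_CC_Startup 0x144, startupType TPM_SU_CLEAR 0. */
static const uint8_t TPM2_STARTUP_CLEAR[12] = {
    0x80, 0x01,  0x00, 0x00, 0x00, 0x0c,  0x00, 0x00, 0x01, 0x44,  0x00, 0x00 };

/* Platform port (2322): a message is just the opcode; the simulator answers
 * each one with a 4-byte zero acknowledgement.  Returns bytes written. */
size_t frame_platform_signal(uint32_t opcode, uint8_t *out, size_t cap)
{
    if (cap < 4) return 0;
    put_be32(out, opcode);
    return 4;
}

/* Command port (2321): TPM_SEND_COMMAND, one locality byte, 4-byte command
 * length, then the TPM command itself.  Returns bytes written, 0 if no room. */
size_t frame_tpm_command(const uint8_t *cmd, size_t cmd_len, uint8_t locality,
                         uint8_t *out, size_t cap)
{
    size_t need = 4 + 1 + 4 + cmd_len;
    if (cap < need) return 0;
    put_be32(out, TPM_SEND_COMMAND);
    out[4] = locality;
    put_be32(out + 5, (uint32_t)cmd_len);
    memcpy(out + 9, cmd, cmd_len);
    return need;
}

/* Reply to TPM_SEND_COMMAND: 4-byte response length, the TPM response, then a
 * 4-byte acknowledgement that must be 0.  Returns the responseCode from the
 * response header, or -1 if the framing is inconsistent. */
long parse_command_response(const uint8_t *buf, size_t len)
{
    if (len < 4) return -1;
    uint32_t rlen = get_be32(buf);
    if (rlen < 10 || len != 4 + (size_t)rlen + 4) return -1;
    const uint8_t *resp = buf + 4;
    if (get_be32(resp + 2) != rlen) return -1;      /* responseSize must agree */
    if (get_be32(buf + 4 + rlen) != 0) return -1;   /* trailing ack must be 0 */
    return (long)get_be32(resp + 6);                /* responseCode */
}

const char *describe_rc(long rc)
{
    if (rc < 0) return "malformed simulator reply";
    if (rc == (long)TPM_RC_SUCCESS) return "TPM_RC_SUCCESS";
    if (rc == (long)TPM_RC_INITIALIZE) return "TPM_RC_INITIALIZE: TPM2_Startup not yet sent";
    return "other TPM_RC";
}

/* Constructed (not captured) reply of a powered-on simulator to any command
 * before TPM2_Startup: length 10, response {0x8001, size 10, rc 0x100}, ack 0. */
static const uint8_t SAMPLE_REPLY_BEFORE_STARTUP[18] = {
    0x00, 0x00, 0x00, 0x0a,
    0x80, 0x01,  0x00, 0x00, 0x00, 0x0a,  0x00, 0x00, 0x01, 0x00,
    0x00, 0x00, 0x00, 0x00 };

long sample_reply_rc(void)
{
    return parse_command_response(SAMPLE_REPLY_BEFORE_STARTUP, sizeof SAMPLE_REPLY_BEFORE_STARTUP);
}

/* Bring-up order: POWER_ON and NV_ON on 2322, then TPM2_Startup on 2321. */
int main(void)
{
    uint8_t sig[4], frame[32];
    frame_platform_signal(TPM_SIGNAL_POWER_ON, sig, sizeof sig);
    frame_platform_signal(TPM_SIGNAL_NV_ON, sig, sizeof sig);
    size_t n = frame_tpm_command(TPM2_STARTUP_CLEAR, sizeof TPM2_STARTUP_CLEAR, 0, frame, sizeof frame);
    printf("Startup frame is %zu bytes; reply before startup: %s\n", n, describe_rc(sample_reply_rc()));
    return 0;
}
```

tpm2-tss reaches these ports through its mssim TCTI rather than the device TCTI, which is why the device-file errors in the log above are followed by a TPM error rather than a connection failure.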
I tried to enable ALG_SHA512, but I got a compile error:
error: use of undeclared identifier 'tpmHashStateImport_SHA512'
Could you see if this definition is correct? Thanks.
There are two copies of TPM.vcxproj.filters under TPMCmd/tpm that differ only by the case of the filename:
TPM.vcxproj.filters
Tpm.vcxproj.filters
This causes issues for people who have cloned the repo into a non-case-sensitive file system. Git will always say the file has been modified and will not let you switch branches. One of them needs to be removed.
hi all,
My question is whether fTPM needs a secure real-time clock to be able to work.
Thank you!
In Implementation.h
line :
#define AES_MAX_KEY_SIZE ((AES_MAX_KEY_SIZE_BITS + 7) / 8)
should be:
#define AES_MAX_KEY_SIZE AES_MAX_KEY_SIZE_BITS
Otherwise it doesn't work with wolfcrypt. I tried to fix it locally, and it seems to work.
From your README:
If you do not disable SM{2,3,4} algorithms support either while building OpenSSL or in the simulator (see the Linux section below), the build may fail because of missing SM{2,3,4}.h headers, which is the result of an apparent bug/misconfiguration in the OpenSSL build tree/scripts. In this case you may also need to copy over the SM{2,3,4}.h headers from OpenSSL's include/crypt folder.
I am a maintainer of OpenSSL and stumbled across this text while investigating an issue for one of our users.
The sm2/sm3/sm4 header files are considered internal to OpenSSL and are deliberately not installed (i.e. it is not a bug or misconfiguration as stated in the text above). Applications should not be using them directly. They may be modified at any time by any patch release of OpenSSL and internal structure sizes and members could be changed, as well as function signatures etc.
Applications wishing to use SM2/SM3/SM4 support should be using the "EVP" APIs instead of the functions declared in these internal headers.
If the TPM 2.0 reference implementation is relying on these header files remaining stable then it is liable to break at any point with a future release of OpenSSL.
The commits merged in #8 add the configuration required to build the simulator on a Linux platform. The Microsoft GitHub project however needs to be configured to build it for pull requests etc. Enabling this is not something I can do with a PR though. The owner of the project must log in to travis-ci.org (this can be done using your GitHub credentials) and enable the configuration. If you feel this is something worth doing I'm happy to help however I can.
Mac OS X build
./bootstrap
./configure
make
./tpm2-simulator
Why does running the test cases return the following?
../../vendor/github.com/google/go-tpm-tools/simulator/internal/internal_cgo.go:44:11: fatal error: 'Platform.h' file not found
#include "Platform.h"
^~~~~~~~~~~~
1 error generated.
If you couldn't tell from #8 and #22 I'm a big fan of continuous integration. Figured we can give windows the same treatment given to Linux by using AppVeyor. I've some experience here on account of the tpm2-software project and our support of both Linux and Windows for our TSS2. We use appveyor for our CI on windows and have had pretty good results.
It seems we need
--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
+++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
@@ -56,3 +56,5 @@ srcs-y += wolf_symlink/wolfcrypt/src/tfm.c
srcs-y += wolf_symlink/wolfcrypt/src/wolfmath.c
srcs-y += wolf_symlink/wolfcrypt/src/des3.c
srcs-y += wolf_symlink/wolfcrypt/src/random.c
+
+$(srcs-y): wolf_symlink
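Review bot: `$(srcs-y): wolf_symlink` is expanded when make parses this rule, so it only attaches the dependency to the srcs-y entries defined above it in sub.mk; any `srcs-y +=` line added below this point (all of them point into wolf_symlink/, as the context shows) would not be covered and could still race the symlink creation under a parallel build, so the rule is best kept as the last srcs-y-related line of the file. Consider also writing it as an order-only prerequisite, `$(srcs-y): | wolf_symlink`, which states the actual requirement (the symlink must exist before the sources are compiled) without tying the sources' up-to-date status to the link's timestamp.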
to fix sporadic build failures on larger build machines, see also https://groups.google.com/d/msgid/isar-users/424e2519-2dfa-5379-a16e-ca505e6135fe%40siemens.com.
This is more to help others, as I can't open a PR before I figure out how to deal with https://opensource.microsoft.com/cla/ on the Siemens side (CLAs are complex to handle, and this process here seems to be even more complex).
Hi, I feel that the DFStart function has two lines of code that may be wrong; the following shows the code.
I think the destination parameter of the memcpy function should be dfState->buf, not dfState->iv[0], because the init variable stores inputLength and seedsize. If you copy it to dfState->iv[0], the initial value of dfState->iv[0] will be overwritten. According to the description of step 4 in section 10.3.2 of SP800-90A, the value should be stored in dfState->buf and used as the input parameter of the BCC calculation. In addition, the memcpy copies 8 bytes, so I think dfState->content should be equal to 8, not 4 as in the source code. Is this a historical error, or is the current implementation designed this way?
In addition, Part 4 of the TPM library specification implements only part of Block_Cipher_df (I think steps 10-15 are missing). I would like to ask why the complete DF function is not implemented according to section 10.3.2 (Block_Cipher_df) of SP800-90A.
My understanding is that (when started) the tpm-simulator does not have a manufacturer's endorsement key. This is a problem for me in that I can't simulate hardware devices (ex. Infineon TPM2) where the EK is present at nvindex 0x1c00002.
Are there any instructions on how to use openssl and tpm2-tools (tss) to prepare the tpm-simulator with a manufacturer's endorsement key? The only thing I have found is at https://google.github.io/tpm-js/#pg_certificates.
The table-driven marshalling code is not type-safe: it accepts void * pointers for the data to be marshalled, which is extremely error-prone. This can be solved by using static inline functions instead of #define macros. These functions will be inlined by the compiler and therefore have no run-time overhead.
I cannot fix this as the code generator is not publicly available.
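An added example of the pattern the issue proposes, not the project's generated marshalling code: UINT16, UINT32 and TPM2B marshal routines as static inline functions with typed pointer parameters and bounds checks, following the reference implementation's (BYTE **buffer, INT32 *size) calling convention, beside an untyped void* routine that accepts any pointer. The TPM2B_64 type and the return-0-on-overflow convention are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

typedef uint8_t  BYTE;
typedef uint16_t UINT16;
typedef uint32_t UINT32;
typedef int32_t  INT32;

/* Hypothetical TPM2B with a fixed capacity, standing in for e.g. TPM2B_DIGEST. */
typedef struct { UINT16 size; BYTE buffer[64]; } TPM2B_64;

/* Untyped variant, in the style the issue criticises: any pointer is accepted
 * and the caller states the length, so a UINT16 passed with a length of 4
 * compiles silently and serialises two bytes of adjacent memory. */
static inline UINT16 Raw_Marshal(const void *src, UINT16 len, BYTE **buffer, INT32 *size)
{
    if (*size < (INT32)len) return 0;
    memcpy(*buffer, src, len);          /* host byte order, too */
    *buffer += len; *size -= len;
    return len;
}

/* Typed variants.  Each takes a pointer to exactly one type, writes the TPM's
 * big-endian encoding, advances *buffer, decrements *size and returns the
 * bytes written, or 0 (touching nothing) when *size is too small.  Passing a
 * UINT16* to UINT32_Marshal is now rejected at compile time. */
static inline UINT16 UINT16_Marshal(const UINT16 *src, BYTE **buffer, INT32 *size)
{
    if (*size < 2) return 0;
    (*buffer)[0] = (BYTE)(*src >> 8); (*buffer)[1] = (BYTE)*src;
    *buffer += 2; *size -= 2;
    return 2;
}

static inline UINT16 UINT32_Marshal(const UINT32 *src, BYTE **buffer, INT32 *size)
{
    if (*size < 4) return 0;
    (*buffer)[0] = (BYTE)(*src >> 24); (*buffer)[1] = (BYTE)(*src >> 16);
    (*buffer)[2] = (BYTE)(*src >> 8);  (*buffer)[3] = (BYTE)*src;
    *buffer += 4; *size -= 4;
    return 4;
}

/* TPM2B: 2-byte size followed by exactly that many bytes; rejects a size
 * field larger than the backing array as well as a too-small output. */
static inline UINT16 TPM2B_64_Marshal(const TPM2B_64 *src, BYTE **buffer, INT32 *size)
{
    if (src->size > sizeof src->buffer) return 0;
    if (*size < (INT32)(2 + src->size)) return 0;
    UINT16 n = UINT16_Marshal(&src->size, buffer, size);
    memcpy(*buffer, src->buffer, src->size);
    *buffer += src->size; *size -= src->size;
    return (UINT16)(n + src->size);
}

/* Marshal a constructed 3-byte TPM2B followed by a UINT32 into out[]; returns
 * the total bytes written (9) or 0 if anything did not fit. */
UINT16 marshal_sample(BYTE *out, INT32 cap)
{
    TPM2B_64 d = { 3, { 0xaa, 0xbb, 0xcc } };
    UINT32 cc = 0x144;
    BYTE *p = out; INT32 left = cap;
    UINT16 n1 = TPM2B_64_Marshal(&d, &p, &left);
    UINT16 n2 = UINT32_Marshal(&cc, &p, &left);
    return (n1 && n2) ? (UINT16)(n1 + n2) : 0;
}

/* Shows the silent type confusion of the untyped path: a UINT16 holding 0x1234
 * "marshalled as 4 bytes" yields 4 bytes, only 2 of which are the value. */
UINT16 raw_misuse_length(BYTE *out, INT32 cap)
{
    struct { UINT16 v; UINT16 neighbour; } s = { 0x1234, 0xdead };
    BYTE *p = out; INT32 left = cap;
    return Raw_Marshal(&s.v, 4, &p, &left);   /* compiles; copies s.neighbour too */
}
```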
PR #8 is currently blocked by the Microsoft CLA bot. This conflicts with data in #7. Would it be possible to get info on CLA requirements in your documentation for contributors / contributions (aka CONTRIBUTING.md). This will help contributors like myself in planning since I need approval from my employer before I contribute to projects and a CLA is like a 10x multiplier on the complexity of this process. Knowing this in advance will save us a lot of time.
TPM2_LoadExternal explicitly checked the authPolicy size in 1.16 and this was dropped in 1.38. I have not been able to find an errata relating to it.
PublicAttributesValidation checks this, but is only called if the private area is loaded here.
Is this an intentional change?
hi all,
Reading TpmProfile.h, I found that NV_MEMORY_SIZE is defined as 16 kilobytes. Is there a particular reason for choosing this size (and not 12/20 KB, for example)?
As I've read here:
https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-v1p05p_r14_pub.pdf
they do mention 3834 bytes without taking into consideration storage of any other persistent object, data or code that requires or consumes non-volatile memory. An older spec mentioned 6962 bytes.
(https://trustedcomputinggroup.org/wp-content/uploads/TCG_PC_Client_Platform_TPM_Profile_PTP_2.0_r1.03_v22.pdf)
Thank you!
Some C/C++ systems (like Bazel) can optimize C/C++ builds using the fact that most headers don't have content that changes based on how it is included in a file. They can then use precompiled headers or more advanced methods to speed up building.
However, libtpm makes frequent use of a pattern where the symbols defined before including a header significantly change its content. This makes this optimization impossible for a good deal of the library, making building slower than it needs to be.
Most of the uses can be easily eliminated. The only one that would be tricky is Global.h, which nicely avoids duplication between Global.h and Global.c.
I discovered this issue experimentally working with policyNV in another repository. Filing this issue to create an issue number to reference from test code, which I will point at in a follow-on comment to this issue.
TPM 2.0 Spec, Rev1.59 Part 3, § 23.9.1 "PolicyNV" says:
The signed arithmetic operations are performed using twos-compliment.
As seen here in the implementation of this helper used by PolicyNV:
ms-tpm-20-ref/TPMCmd/tpm/src/support/MathOnByteBuffers.c
Lines 104 to 109 in d7a7c20
SignedCompareB returns the negative of the comparison of the two values if both are negative. This is how signed-magnitude arithmetic works, but not how twos-complement works.
An example in 16-bit twos-complement:
SignedCompare(0xffff, 0xfffe) as-is will return 0 - UnsignedCompareB(0xffff, 0xfffe), which is -1, which is incorrect (indicating 0xffff < 0xfffe, which is not true in unsigned arithmetic or signed twos-complement arithmetic).
I think SignedCompareB(a, b) should simply return UnsignedCompareB(a, b) if the sign bits are the same.
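A stand-alone model of the two behaviours described in this issue, added here and not copied from the repository's MathOnByteBuffers.c: the as-is variant negates the magnitude comparison when both operands are negative, the fixed variant returns the unsigned comparison whenever the sign bits agree, and both are checked against the compiler's own int16_t ordering on the 16-bit values from the report plus a few other boundary cases. The comparators assume equal-length big-endian operands.

```c
#include <stddef.h>
#include <stdint.h>

/* Magnitude comparison of two equal-length big-endian byte strings:
 * 1 if a > b, -1 if a < b, 0 if equal. */
int UnsignedCompareB(size_t n, const uint8_t *a, const uint8_t *b)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return a[i] > b[i] ? 1 : -1;
    return 0;
}

/* Behaviour the issue describes: with both sign bits set, the magnitude
 * comparison is negated.  That is sign-magnitude logic; in two's complement
 * the more negative value has the *smaller* bit pattern, so no negation applies. */
int SignedCompareB_asIs(size_t n, const uint8_t *a, const uint8_t *b)
{
    int negA = (a[0] & 0x80) != 0, negB = (b[0] & 0x80) != 0;
    if (negA != negB) return negA ? -1 : 1;
    if (negA) return 0 - UnsignedCompareB(n, a, b);
    return UnsignedCompareB(n, a, b);
}

/* The proposed fix: once the sign bits agree, two's-complement order is the
 * unsigned order of the bit patterns, whatever the sign. */
int SignedCompareB_fixed(size_t n, const uint8_t *a, const uint8_t *b)
{
    int negA = (a[0] & 0x80) != 0, negB = (b[0] & 0x80) != 0;
    if (negA != negB) return negA ? -1 : 1;
    return UnsignedCompareB(n, a, b);
}

typedef int (*cmp_fn)(size_t, const uint8_t *, const uint8_t *);

/* Run a comparator on two 16-bit values encoded big-endian, the way PolicyNV
 * sees NV index contents. */
int compare16(cmp_fn cmp, uint16_t x, uint16_t y)
{
    uint8_t a[2] = { (uint8_t)(x >> 8), (uint8_t)x };
    uint8_t b[2] = { (uint8_t)(y >> 8), (uint8_t)y };
    return cmp(2, a, b);
}

/* Oracle: the C compiler's own int16_t comparison (two's-complement
 * reinterpretation of the same 16 bits). */
static int oracle16(uint16_t x, uint16_t y)
{
    int16_t sx = (int16_t)x, sy = (int16_t)y;
    return (sx > sy) - (sx < sy);
}

/* Counts ordered pairs from a set of boundary values on which the comparator
 * disagrees with the oracle; 0 means it implements two's-complement ordering. */
int mismatches16(cmp_fn cmp)
{
    static const uint16_t v[] = { 0x0000, 0x0001, 0x7fff, 0x8000, 0x8001, 0xfffe, 0xffff };
    size_t count = sizeof v / sizeof v[0];
    int bad = 0;
    for (size_t i = 0; i < count; i++)
        for (size_t j = 0; j < count; j++)
            if (compare16(cmp, v[i], v[j]) != oracle16(v[i], v[j])) bad++;
    return bad;
}
```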
I've just noticed that the PRs I've created have an automated check performed: "license/cla — All CLA requirements met." There's a link in this text to https://msght/ but attempts to follow this link result in an error: ERR_CONNECTION_REFUSED.
Can you provide details on what the CLA is?
$ ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether gcc understands -c and -o together... yes
checking whether ln -s works... yes
checking for ranlib... ranlib
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports the include directive... yes (GNU style)
checking whether make supports nested variables... yes
checking dependency style of gcc... gcc3
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for libcrypto... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for a sed that does not truncate output... /usr/bin/sed
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking whether gcc is Clang... no
checking whether pthreads work with "-pthread" and "-lpthread"... yes
checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
checking whether more special flags are required for pthreads... no
checking for PTHREAD_PRIO_INHERIT... yes
checking whether C compiler accepts -std=gnu11... ./configure: line 5914: ${ax_cv_check_cflags_ _________Wall__Werror ______std_gnu11+y}: bad substitution
autoreconf was obtained from sudo apt-get install.
Hey all!
I'm building fTPM with OP-TEE on Qemu. Following the instructions, I got to build the solution but the driver didn't load. I got the following on my Normal World shell:
Starting tee-supplicant: OK
Starting network: OK
Starting network (udhcpc): OK
Starting tpm2-abrmd: device driver not loaded, skipping.
What am I missing?
P.S.: I see no evidence of the TA being loaded in the secure world.
Thanks in advance!
It looks like the lack of a .clang-format specification or other formatter creates a number of issues with trailing whitespace, newlines, etc. Does it make sense to include a .clang-format which would enforce formatting? It would probably need some tuning to keep changes to existing code minimal.
There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the PR is merged this issue will be closed automatically.
Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.
TA_DEV_KIT_DIR=/home/jordanrh/scalys/lsdk/build/optee/export-ta_arm64 \
TA_CPU=cortex-a53 CROSS_COMPILE=aarch64-linux-gnu- \
make -C ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM \
O=/home/jordanrh/scalys/lsdk/build/fTPM
make[1]: Entering directory '/home/jordanrh/scalys/lsdk/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM'
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/AdminPPI.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/Cancel.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/Clock.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/Entropy.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/LocalityPlat.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/NvAdmin.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/NVMem.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/PowerPlat.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/PlatformData.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/PPPlat.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/RunCommand.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/Unique.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/platform/EPS.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/reference/RuntimeSupport.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/fTPM.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/aes.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/asn.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/ecc.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/integer.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/memory.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/sha.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/sha256.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/sha512.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/tfm.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/wolfmath.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/des3.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/random.o
CC /home/jordanrh/scalys/lsdk/build/fTPM/./lib/tpm/tpm_symlink/TPMCmd/tpm/src/command/Asymmetric/ECC_Parameters.o
In file included from ./lib/tpm/tpm_symlink/TPMCmd/tpm/include/Global.h:79:0,
from ./lib/tpm/tpm_symlink/TPMCmd/tpm/include/Tpm.h:46,
from lib/tpm/tpm_symlink/TPMCmd/tpm/src/command/Asymmetric/ECC_Parameters.c:35:
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/TpmTypes.h:1643:36: error: ‘RSA_PRIVATE_SIZE’ undeclared here (not in a function)
BYTE buffer[RSA_PRIVATE_SIZE];
^~~~~~~~~~~~~~~~
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/TpmTypes.h:1850:36: error: ‘PRIVATE_VENDOR_SPECIFIC_BYTES’ undeclared here (not in a function)
BYTE buffer[PRIVATE_VENDOR_SPECIFIC_BYTES];
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ./lib/tpm/tpm_symlink/TPMCmd/tpm/include/Global.h:85:0,
from ./lib/tpm/tpm_symlink/TPMCmd/tpm/include/Tpm.h:46,
from lib/tpm/tpm_symlink/TPMCmd/tpm/src/command/Asymmetric/ECC_Parameters.c:35:
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:57:53: error: division by zero in #if
#define DRBG_IV_SIZE_BITS (AES_MAX_BLOCK_SIZE * 8)
^
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:71:27: note: in expansion of macro ‘DRBG_IV_SIZE_BITS’
#if (DRBG_KEY_SIZE_BITS % DRBG_IV_SIZE_BITS) != 0
^~~~~~~~~~~~~~~~~
In file included from ./lib/tpm/tpm_symlink/TPMCmd/tpm/include/Global.h:82:0,
from ./lib/tpm/tpm_symlink/TPMCmd/tpm/include/Tpm.h:46,
from lib/tpm/tpm_symlink/TPMCmd/tpm/src/command/Asymmetric/ECC_Parameters.c:35:
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:56:33: error: ‘AES_MAX_KEY_SIZE_BITS’ undeclared here (not in a function)
#define DRBG_KEY_SIZE_BITS AES_MAX_KEY_SIZE_BITS
^
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/BnValues.h:70:31: note: in definition of macro ‘RADIX_DIV’
#define RADIX_DIV(x) ((x) >> RADIX_LOG2)
^
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:82:34: note: in expansion of macro ‘BITS_TO_CRYPT_WORDS’
#define DRBG_KEY_SIZE_WORDS (BITS_TO_CRYPT_WORDS(DRBG_KEY_SIZE_BITS))
^~~~~~~~~~~~~~~~~~~
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:82:54: note: in expansion of macro ‘DRBG_KEY_SIZE_BITS’
#define DRBG_KEY_SIZE_WORDS (BITS_TO_CRYPT_WORDS(DRBG_KEY_SIZE_BITS))
^~~~~~~~~~~~~~~~~~
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:83:34: note: in expansion of macro ‘DRBG_KEY_SIZE_WORDS’
#define DRBG_KEY_SIZE_BYTES (DRBG_KEY_SIZE_WORDS * RADIX_BYTES)
^~~~~~~~~~~~~~~~~~~
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:94:27: note: in expansion of macro ‘DRBG_KEY_SIZE_BYTES’
BYTE bytes[DRBG_KEY_SIZE_BYTES];
^~~~~~~~~~~~~~~~~~~
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:57:34: error: ‘AES_MAX_BLOCK_SIZE’ undeclared here (not in a function)
#define DRBG_IV_SIZE_BITS (AES_MAX_BLOCK_SIZE * 8)
^
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/BnValues.h:70:31: note: in definition of macro ‘RADIX_DIV’
#define RADIX_DIV(x) ((x) >> RADIX_LOG2)
^
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:85:34: note: in expansion of macro ‘BITS_TO_CRYPT_WORDS’
#define DRBG_IV_SIZE_WORDS (BITS_TO_CRYPT_WORDS(DRBG_IV_SIZE_BITS))
^~~~~~~~~~~~~~~~~~~
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:85:54: note: in expansion of macro ‘DRBG_IV_SIZE_BITS’
#define DRBG_IV_SIZE_WORDS (BITS_TO_CRYPT_WORDS(DRBG_IV_SIZE_BITS))
^~~~~~~~~~~~~~~~~
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:86:34: note: in expansion of macro ‘DRBG_IV_SIZE_WORDS’
#define DRBG_IV_SIZE_BYTES (DRBG_IV_SIZE_WORDS * RADIX_BYTES)
^~~~~~~~~~~~~~~~~~
./lib/tpm/tpm_symlink/TPMCmd/tpm/include/CryptRand.h:100:27: note: in expansion of macro ‘DRBG_IV_SIZE_BYTES’
BYTE bytes[DRBG_IV_SIZE_BYTES];
^~~~~~~~~~~~~~~~~~
/home/jordanrh/scalys/lsdk/build/optee/export-ta_arm64/mk/compile.mk:146: recipe for target '/home/jordanrh/scalys/lsdk/build/fTPM/./lib/tpm/tpm_symlink/TPMCmd/tpm/src/command/Asymmetric/ECC_Parameters.o' failed
make[1]: *** [/home/jordanrh/scalys/lsdk/build/fTPM/./lib/tpm/tpm_symlink/TPMCmd/tpm/src/command/Asymmetric/ECC_Parameters.o] Error 1
make[1]: Leaving directory '/home/jordanrh/scalys/lsdk/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta/fTPM'
Makefile:328: recipe for target 'ftpm' failed
make: *** [ftpm] Error 2
Hi, I am unable to restore the TPM state when I restart a MS TPM instance, as the NVChip data file is always overwritten by the tpm_server command. This can be easily tested by persisting any data in the NVRAM and trying to access the handles after the restart. Am I missing something here?
EDIT: Regarding this issue, I see that the main body in TPMCmd/Simulator/src/TPMCmds.c always runs the TPM_Manufacture() function when you startup the tpm_server.
Does this mean that the platform is manufactured again at each start-up? Does this imply that the states in NVChip are never restored?
When building with GCC 10, compilation fails with the following (fatal, due to -Werror) warning:
tpm/src/subsystem/NvDynamic.c: In function ‘NvNextByType’:
tpm/src/subsystem/NvDynamic.c:148:17: error: ‘nvHandle’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
148 | *handle = nvHandle;
| ~~~~~~~~^~~~~~~~~~
cc1: all warnings being treated as errors
This might be a false positive and is probably easily fixed by initialising nvHandle in l. 138, but I am not sure what a safe initial value for doing so would be.
Compiling on Windows failed, because I haven't found a compatible libcrypto. Can you please point me to a version that is known to work?
Also compiling on Ubuntu 19.10 failed:
gcc -std=gnu11 -Werror -Wall -Wformat-security -fstack-protector-all -fPIC -Wno-error=empty-body -Wno-error=expansion-to-defined -Wno-error=parentheses -Wno-error=pointer-to-int-cast -Wno-error=missing-braces -Wno-error=unused-result -I ./Platform/include -I ./Platform/include/prototypes -I ./tpm/include -I ./tpm/include/prototypes -I ./Simulator/include -I ./Simulator/include/prototypes -pthread -g -O2 -o Simulator/src/tpm2-simulator Simulator/src/tpm2_simulator-TPMCmdp.o Simulator/src/tpm2_simulator-TPMCmds.o Simulator/src/tpm2_simulator-TcpServer.o Platform/src/libplatform.a tpm/src/libtpm.a Platform/src/libplatform.a -lcrypto
/usr/bin/ld: tpm/src/libtpm.a(libtpm_a-CryptSym.o): in function `CryptSymmetricEncrypt':
/home/marek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptSym.c:190: undefined reference to `SM4_set_key'
/usr/bin/ld: /home/marek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptSym.c:190: undefined reference to `SM4_encrypt'
/usr/bin/ld: tpm/src/libtpm.a(libtpm_a-CryptSym.o): in function `CryptSymmetricDecrypt':
/home/marek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptSym.c:363: undefined reference to `SM4_set_key'
/usr/bin/ld: /home/marek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptSym.c:363: undefined reference to `SM4_encrypt'
/usr/bin/ld: /home/marek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptSym.c:358: undefined reference to `SM4_set_key'
/usr/bin/ld: /home/marek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptSym.c:358: undefined reference to `SM4_decrypt'
/usr/bin/ld: tpm/src/libtpm.a(libtpm_a-CryptHash.o):/home/marek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptHash.c:62: undefined reference to `sm3_init'
/usr/bin/ld: tpm/src/libtpm.a(libtpm_a-CryptHash.o):(.data.rel.ro+0x8): undefined reference to `sm3_update'
/usr/bin/ld: tpm/src/libtpm.a(libtpm_a-CryptHash.o):(.data.rel.ro+0x10): undefined reference to `sm3_final'
/usr/bin/ld: tpm/src/libtpm.a(libtpm_a-CryptCmac.o): in function `CryptCmacData':
/home/marek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptCmac.c:104: undefined reference to `SM4_set_key'
/usr/bin/ld: /home/marek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptCmac.c:104: undefined reference to `SM4_encrypt'
/usr/bin/ld: tpm/src/libtpm.a(libtpm_a-CryptCmac.o): in function `CryptCmacEnd':
/home/marek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptCmac.c:144: undefined reference to `SM4_set_key'
/usr/bin/ld: /home/marek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptCmac.c:144: undefined reference to `SM4_encrypt'
collect2: error: ld returned 1 exit status
make: *** [Makefile:2174: Simulator/src/tpm2-simulator] Fehler 1
Hello,
We are working on using this stack with the STM32L476.
Is there any information available on how it was tested? We have found only a VCOM Windows application so far.
Is this example designed to work with the general-purpose tooling (like the tpm2-tools on Linux)?
We have built and flashed the sample and have the /dev/ttyACM0 device in Linux, which we would expect to work as a replacement for the /dev/tpm0 character device.
This works a little differently, though, it seems. We have noticed that the STM32 example expects more data than what simply comes from the tpm2-tools (for example the tpm2_startup command). There are additional headers added in the Windows VCOM application as well.
Some of it is described here: http://lpntpm.lpnplant.io/issues/#protocol-analysis-early-conclusions
There are some more reports from our last work there, as well.
Generally, it would be great if we could get some more information on what we should expect to work in this STM32 sample and how it can be used.
Thanks,
I have integrated the fTPM TA in the OpenSTLinux distro and I can see the TA in the image's /lib/optee_armtz folder. I am interested in getting the TPM event log, for which the MEASURED_BOOT macro should be enabled. So I want to know how I can enable the macro in my Yocto recipe. Below is the recipe I am using.
SUMMARY = "OPTEE fTPM Microsoft TA"
DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
#COMPATIBLE_MACHINE ?= "invalid"
#COMPATIBLE_MACHINE:qemuarm64 = "qemuarm64"
#COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64"
#COMPATIBLE_MACHINE:qemu-generic-arm64 = "qemu-generic-arm64"
#FIXME - doesn't currently work with clang
TOOLCHAIN = "gcc"
inherit deploy python3native
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
DEPENDS = "python3-pyelftools-native optee-os-stm32mp python3-cryptography-native "
DEPENDS += "python3-pycryptodomex-native"
FTPM_UUID = "bc50d971-d4c9-42c4-82cb-343fb7f37896"
# Multi-line BitBake values need a trailing backslash on every continued line.
SRC_URI = "gitsm://github.com/Microsoft/ms-tpm-20-ref;branch=master;protocol=https \
           file://0001-add-enum-to-ta-flags.patch"
SRCREV = "d638536d0fe01acd5e39ffa1bd100b3da82d92c7"
S = "${WORKDIR}/git"
OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
#TA_DEV_KIT_DIR = "/home/eaton/edge-linux-yocto/build-openstlinuxweston-stm32mp1/tmp-glibc/work/stm32mp1-ostl-linux-gnueabi/st-image-userfs/1.0-r0/recipe-sysroot/usr/include/optee/export-user_ta"
# Build settings passed to the fTPM TA makefile (single quotes so the inner
# double-quoted CFLAGS survive).
EXTRA_OEMAKE += ' \
    CFG_FTPM_USE_WOLF=y \
    CFG_TA_DEBUG=y \
    CFG_TEE_TA_LOG_LEVEL=4 \
    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
    TA_CROSS_COMPILE=${TARGET_PREFIX} \
    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os-stm32mp" \
'
EXTRA_OEMAKE:append:aarch64:qemuall = " \
    CFG_ARM64_ta_arm64=y \
"
export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
PARALLEL_MAKE = ""
do_compile() {
    # The internal ${CC} includes the correct -mcpu option
    sed -i 's/-mcpu=$(TA_CPU)//' Samples/ARM32-FirmwareTPM/optee_ta/fTPM/sub.mk
    # there's also a secure variable storage TA called authvars
    cd ${S}/Samples/ARM32-FirmwareTPM/optee_ta
    oe_runmake
}
do_install () {
    mkdir -p ${D}/${nonarch_base_libdir}/optee_armtz
    install -D -p -m 0644 ${S}/Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/${nonarch_base_libdir}/optee_armtz/
    install -D -p -m 0644 ${S}/Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${D}/${nonarch_base_libdir}/optee_armtz/
}
do_deploy () {
    install -d ${DEPLOYDIR}/optee
    install -D -p -m 0644 ${S}/Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
}
addtask deploy before do_build after do_install
FILES:${PN} += " \
    ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta \
    ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf \
"
PACKAGE_ARCH = "${MACHINE_ARCH}"
INSANE_SKIP:${PN} += "ldflags"
I've been working up a few patches to enable use of this code on Linux. Currently I have done enough to get a functional daemon running with test cases from https://github.com/tpm2-software/tpm2-tss.git working as expected. I'm only able to do so when building for a 32-bit host though. 64-bit builds produce a binary just fine but it hangs when handling commands, and I wanted to check to see if 64-bit builds are intended to work at all before I spend time debugging this.
My intention is to submit this work as a PR once I've cleaned it up a bit and sorted out this issue with the 64-bit builds.
Thanks.
Cloning with Git for Windows generates a warning about the case of filenames. As a result, there is only one simulator.vcxproj on Windows, but two on Linux, and it's not obvious that the clone results are actually correct.
git clone https://github.com/microsoft/ms-tpm-20-ref.git
Cloning into 'ms-tpm-20-ref'...
remote: Enumerating objects: 32, done.
remote: Counting objects: 100% (32/32), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 4465 (delta 9), reused 17 (delta 9), pack-reused 4433R
Receiving objects: 100% (4465/4465), 6.36 MiB | 25.32 MiB/s, done.
Resolving deltas: 100% (3422/3422), done.
Checking out files: 100% (771/771), done.
warning: the following paths have collided (e.g. case-sensitive paths
on a case-insensitive filesystem) and only one from the same
colliding group is in the working tree:
'TPMCmd/Simulator/simulator.vcxproj'
'TPMCmd/simulator/simulator.vcxproj'
Hello,
While reading the fTPM article I read about "Cooperative Checkpointing". I'm wondering if it's implemented in the code and where?
Also, why not use the "yielding SMCs" mentioned here: https://optee.readthedocs.io/en/latest/architecture/core.html#normal-world-invokes-op-tee-os-using-smc
for fTPM services? Won't this solve the issue "Cooperative Checkpointing" is trying to solve (a long time in the secure world while interrupts are masked for the normal world)?
On the effects of interrupts on "yielding SMCs": https://trustedfirmware-a.readthedocs.io/en/latest/components/exception-handling.html#effect-on-smc-calls
Thank you!
Consistent with community expectations and GitHub guidance, the default branch of microsoft/ms-tpm-20-ref has been changed from master to main. This will not update a user's local environment. The following commands can be used to update your local environment to match:
git branch -m master main
git fetch origin
git branch -u origin/main main
git remote set-head origin -a
We have OP-TEE and the fTPM TA set up on our development board. The fTPM works as long as there is no persistent storage present in the REE filesystem, so either if the tee directory is deleted.
The first time the fTPM is started it will create storage objects:
D/TA: TA_CreateEntryPoint:151 Entry Point
D/TA: _plat__NVEnable:381 _plat__NVEnable()
D/TA: _plat__NvInitFromStorage:132 _plat__NvInitFromStorage()
I/TA: Created fTPM storage object, i: 0x0, s: 0x200, id: 0x54504d00, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x1, s: 0x200, id: 0x54504d01, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x2, s: 0x200, id: 0x54504d02, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x3, s: 0x200, id: 0x54504d03, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x4, s: 0x200, id: 0x54504d04, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x5, s: 0x200, id: 0x54504d05, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x6, s: 0x200, id: 0x54504d06, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x7, s: 0x200, id: 0x54504d07, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x8, s: 0x200, id: 0x54504d08, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x9, s: 0x200, id: 0x54504d09, h:0x98ba0
I/TA: Created fTPM storage object, i: 0xa, s: 0x200, id: 0x54504d0a, h:0x98ba0
I/TA: Created fTPM storage object, i: 0xb, s: 0x200, id: 0x54504d0b, h:0x98ba0
I/TA: Created fTPM storage object, i: 0xc, s: 0x200, id: 0x54504d0c, h:0x98ba0
I/TA: Created fTPM storage object, i: 0xd, s: 0x200, id: 0x54504d0d, h:0x98ba0
I/TA: Created fTPM storage object, i: 0xe, s: 0x200, id: 0x54504d0e, h:0x98ba0
I/TA: Created fTPM storage object, i: 0xf, s: 0x200, id: 0x54504d0f, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x10, s: 0x200, id: 0x54504d10, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x11, s: 0x200, id: 0x54504d11, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x12, s: 0x200, id: 0x54504d12, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x13, s: 0x200, id: 0x54504d13, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x14, s: 0x200, id: 0x54504d14, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x15, s: 0x200, id: 0x54504d15, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x16, s: 0x200, id: 0x54504d16, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x17, s: 0x200, id: 0x54504d17, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x18, s: 0x200, id: 0x54504d18, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x19, s: 0x200, id: 0x54504d19, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x1a, s: 0x200, id: 0x54504d1a, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x1b, s: 0x200, id: 0x54504d1b, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x1c, s: 0x200, id: 0x54504d1c, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x1d, s: 0x200, id: 0x54504d1d, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x1e, s: 0x200, id: 0x54504d1e, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x1f, s: 0x200, id: 0x54504d1f, h:0x98ba0
I/TA: Created fTPM storage object, i: 0x20, s: 0x200, id: 0x54504d20, h:0x98ba0
D/TA: TA_CreateEntryPoint:173 NVEnable Complete
D/TA: TA_CreateEntryPoint:180 TPM_Manufacture
Size of OBJECT = 1204
Size of components in TPMT_SENSITIVE = 744
TPMI_ALG_PUBLIC 2
TPM2B_AUTH 50
TPM2B_DIGEST 50
TPMU_SENSITIVE_COMPOSITE 642
MAX_CONTEXT_SIZE can be reduced to 1264 (1344)
D/TA: _plat__NvWriteBack:292 bMap: 0xffffffff
D/TA: _plat__NVEnable:381 _plat__NVEnable()
D/TA: TA_CreateEntryPoint:192 Init Complete
D/TA: TA_CreateEntryPoint:215 No TPM state present
D/TA: _plat__NvWriteBack:292 bMap: 0x2
D/TA: fTPM_Submit_Command:382 Success, RS: 0xa
D/TA: fTPM_Submit_Command:382 Success, RS: 0x1b
D/TA: fTPM_Submit_Command:382 Success, RS: 0x1e7
D/TA: fTPM_Submit_Command:382 Success, RS: 0x25
tpm2-tools work as expected.
If the system is rebooted or reset from this state, the fTPM will reliably panic when trying to open the persistent storage objects:
D/TA: TA_CreateEntryPoint:151 Entry Point
D/TA: _plat__NVEnable:381 _plat__NVEnable()
D/TA: _plat__NvInitFromStorage:132 _plat__NvInitFromStorage()
I/TA: Read fTPM storage object, i: 0x0, s: 0x200, id: 0x54504d00, h:0x98ba0
I/TA: Read fTPM storage object, i: 0x0, s: 0x200, id: 0x54504d01, h:0x0
D/TA: _plat__NvInitFromStorage:172 Failed to open fTPM storage object
E/TC:? 0
E/TC:? 0 TA panicked with code 0xffff0007
E/LD: Status of TA bc50d971-d4c9-42c4-82cb-343fb7f37896
E/LD: arch: aarch64
E/LD: region 0: va 0x40005000 pa 0x9ea01000 size 0x002000 flags rw-s (ldelf)
E/LD: region 1: va 0x40007000 pa 0x9ea03000 size 0x009000 flags r-xs (ldelf)
E/LD: region 2: va 0x40010000 pa 0x9ea0c000 size 0x001000 flags rw-s (ldelf)
E/LD: region 3: va 0x40011000 pa 0x9ea0d000 size 0x004000 flags rw-s (ldelf)
E/LD: region 4: va 0x40015000 pa 0x9ea11000 size 0x001000 flags r--s
E/LD: region 5: va 0x40016000 pa 0x9eb2c000 size 0x011000 flags rw-s (stack)
E/LD: region 6: va 0x40077000 pa 0x00001000 size 0x07b000 flags r-xs [0]
E/LD: region 7: va 0x400f2000 pa 0x0007c000 size 0x09f000 flags rw-s [0]
E/LD: [0] bc50d971-d4c9-42c4-82cb-343fb7f37896 @ 0x40077000
E/LD: Call stack:
E/LD: 0x400c8b24
E/LD: 0x4007a620
E/LD: 0x400c8984
E/TC:? 0 ldelf_dump_ftrace:336 ldelf stack is inaccessible!
E/TC:? 0 tee_ta_open_session:743 Failed. Return error 0xffff3024
The OP-TEE storage tests pass and example applications also work as expected.
We are using the latest version (e9fc7b8).
Any help is greatly appreciated.
Many questions can be answered by the TPM 2.0 specifications, which can be found here:
https://trustedcomputinggroup.org/resource/tpm-library-specification/
Based on my interpretation of this code block: ms-tpm-20-ref/TPMCmd/tpm/src/command/Session/StartAuthSession.c, lines 80 to 108 in 5847c02.
An interposer sitting on the bus between the CPU and the TPM could extract the decrypted salt value from the TPM decryption. Assuming the authValue is empty or known, an interposer on the bus could decrypt any encrypted traffic during an encrypted session, as the symmetric encryption key is derived from the KDFa of the sessionKey.
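The derivations this report refers to, written out as an added example (not code from ms-tpm-20-ref) from the TPM 2.0 Library Part 1 definitions: KDFa (SP800-108 counter mode with HMAC), sessionKey = KDFa(hash, authValue || salt, "ATH", nonceTPM, nonceCaller), and the CFB parameter-encryption key and IV derived from sessionKey || authValue. The nonces, salt and authValue below are constructed values; what the code makes visible is that both nonces cross the bus in the clear, so the confidentiality of a session rests entirely on the secrecy of salt and authValue.

```python
import hashlib
import hmac
import struct

def kdfa(hash_name, key, label, context_u, context_v, bits):
    """KDFa as defined in TPM 2.0 Library Part 1: SP800-108 counter-mode KDF
    with HMAC(hash_name) as the PRF. The label is null-terminated and the
    requested bit count is appended big-endian to every PRF input."""
    nbytes = (bits + 7) // 8
    out = b""
    counter = 1
    while len(out) < nbytes:
        block = (struct.pack(">I", counter) + label + b"\x00" +
                 context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, block, hash_name).digest()
        counter += 1
    out = out[:nbytes]
    if bits % 8:  # clear the unused high-order bits of the first byte
        out = bytes([out[0] & ((1 << (bits % 8)) - 1)]) + out[1:]
    return out

def session_key(hash_name, auth_value, salt, nonce_tpm, nonce_caller):
    """sessionKey of a salted session: KDFa over authValue || salt with label
    "ATH" and the two nonces. Both nonces cross the bus in the clear, so the
    key's secrecy rests entirely on authValue and salt."""
    bits = hashlib.new(hash_name).digest_size * 8
    return kdfa(hash_name, auth_value + salt, b"ATH", nonce_tpm, nonce_caller, bits)

def cfb_key_and_iv(hash_name, sess_key, auth_value, nonce_newer, nonce_older,
                   key_bits=128, block_bytes=16):
    """CFB parameter-encryption key and IV: KDFa over sessionValue =
    sessionKey || authValue with label "CFB" (for a command, nonceNewer is
    nonceCaller and nonceOlder is nonceTPM)."""
    material = kdfa(hash_name, sess_key + auth_value, b"CFB",
                    nonce_newer, nonce_older, key_bits + block_bytes * 8)
    return material[:key_bits // 8], material[key_bits // 8:]

# Constructed sample values, not captured from a real TPM.
NONCE_CALLER = bytes(range(32))
NONCE_TPM = bytes(range(32, 64))
SALT = b"\x11" * 32

def demo():
    """Derive keys for an empty authValue, then show that a different salt or a
    non-empty authValue changes the session key."""
    sk = session_key("sha256", b"", SALT, NONCE_TPM, NONCE_CALLER)
    key, iv = cfb_key_and_iv("sha256", sk, b"", NONCE_CALLER, NONCE_TPM)
    other_salt = session_key("sha256", b"", b"\x22" * 32, NONCE_TPM, NONCE_CALLER)
    with_auth = session_key("sha256", b"secret", SALT, NONCE_TPM, NONCE_CALLER)
    return {"session_key": sk, "cfb_key": key, "cfb_iv": iv,
            "other_salt": other_salt, "with_auth": with_auth}
if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value.hex()}")
```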
OpenSSL added support for SM2, 3 and 4 in the latest 1.1.1 release. Are there any plans to support these in the simulator?
It fails with an error "Unable to determine RADIX_BITS from compiler environment."
It is because the architecture flags are not present correctly for gcc.
Even after disabling deprecation errors, the build still fails in the bignum code.
Hello,
Actually, the main problem is that we interfaced an SLB 9670 (TPM 2.0) with a 16-bit MSP430 controller which does not support a Linux kernel or any OS.
Now our task is to store 100 bytes of data in NV memory, without any authorisation technique, as simply as possible.
Please guide me in that way.
The SLB 9670 is interfaced with the MSP430 controller through the SPI protocol.
I am able to read the device ID and version ID of the SLB9670, so SPI communication is working fine with our controller.
What is the packet format to be sent with our data? I am not able to understand the TCG documents.
Theoretically I am able to understand that we have to do nvdefinespace, nvwrite, nvread; internally, what format I have to send I am not able to understand.
Can you please guide me, or share any code snippet?
Sorry if I trouble you or ask any irrelevant questions.
Regards,
Manoj,
mail : [email protected]
+91-9063249308
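As an added example (not code from the repository, and not what the post's author used), the TPM 2.0 command encoding asked about above, following the marshaling rules of TPM 2.0 Library Part 2 (structures) and Part 3 (commands): TPM2_Startup, TPM2_NV_Write and TPM2_NV_Read authorized with the built-in password session and an empty auth value, plus the response-header check a bare-metal driver should perform. TPM2_NV_DefineSpace is left out because its TPMS_NV_PUBLIC attributes depend on the index policy chosen; the NV index used in the assertions is a constructed placeholder.

```python
import struct
# Constants from TPM 2.0 Library Part 2 (Structures).
TPM_ST_NO_SESSIONS = 0x8001
TPM_ST_SESSIONS = 0x8002
TPM_CC_NV_Write = 0x00000137
TPM_CC_Startup = 0x00000144
TPM_CC_NV_Read = 0x0000014E
TPM_SU_CLEAR = 0x0000
TPM_RS_PW = 0x40000009  # handle of the built-in password authorization session

def tpm2b(data):
    """TPM2B: 16-bit big-endian size followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def command(tag, cc, handles=(), auth=b"", params=b""):
    """Header (tag, commandSize, commandCode) || handles || [authSize || auth
    area, only when tag is TPM_ST_SESSIONS] || parameters. All integers are
    big-endian; commandSize covers the whole buffer including the header."""
    body = b"".join(struct.pack(">I", h) for h in handles)
    if tag == TPM_ST_SESSIONS:
        body += struct.pack(">I", len(auth)) + auth
    body += params
    return struct.pack(">HII", tag, 10 + len(body), cc) + body

def password_auth(auth_value=b""):
    """TPMS_AUTH_COMMAND for the password session: TPM_RS_PW, empty nonce,
    sessionAttributes = 0, and the auth value itself in the hmac field."""
    return struct.pack(">I", TPM_RS_PW) + tpm2b(b"") + b"\x00" + tpm2b(auth_value)

def startup_clear():
    """TPM2_Startup(TPM_SU_CLEAR): the first command after reset, no sessions."""
    return command(TPM_ST_NO_SESSIONS, TPM_CC_Startup,
                   params=struct.pack(">H", TPM_SU_CLEAR))

def nv_write(nv_index, data, offset=0, auth_value=b""):
    """TPM2_NV_Write with authHandle = nvIndex, so the index's own auth value
    (empty here) is what authorizes the write."""
    return command(TPM_ST_SESSIONS, TPM_CC_NV_Write, (nv_index, nv_index),
                   password_auth(auth_value), tpm2b(data) + struct.pack(">H", offset))

def nv_read(nv_index, size, offset=0, auth_value=b""):
    """TPM2_NV_Read of 'size' bytes at 'offset', authorized the same way."""
    return command(TPM_ST_SESSIONS, TPM_CC_NV_Read, (nv_index, nv_index),
                   password_auth(auth_value), struct.pack(">HH", size, offset))

def parse_response(buf):
    """Split a response into (tag, responseCode, body), rejecting a buffer
    whose responseSize field disagrees with the bytes actually received."""
    if len(buf) < 10:
        raise ValueError("response shorter than the 10-byte header")
    tag, size, rc = struct.unpack(">HII", buf[:10])
    if size != len(buf):
        raise ValueError("responseSize %d != %d bytes received" % (size, len(buf)))
    return tag, rc, buf[10:]
```

These are the command bytes the TPM consumes; moving them over SPI to an SLB 9670 goes through the TCG PTP/TIS FIFO register protocol, which is a separate layer not shown here.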
The TPM sources used by all the samples, and especially the simulator in TPMCmd, have these telltale lines:
/*(Auto-generated) * Created by TpmStructures; Version 4.4 Mar 26, 2019 * Date: Mar 6, 2020 Time: 01:50:09PM */
Is the source for this TpmStructures script/binary available? I presume based on this discussion that the generator parses the TPM 2.0 specification itself to generate code.
Equivalent work is in TSS.MSR/TssCodeGen, but that doesn't seem to generate C source code (like is seen in this repository), but rather equivalent structures in higher-level languages.
TpmScripts seems likely, but the repository is empty; there are references to it in this repository's gitignore, too.
Hi, together with my organization we are planning to create a universal opensource TPM 2.0 hardware module. We would like to use the stm32 sample as a reference point but ran into some problems.
I've checked out a specific commit that adds samples for Nucleo (f8a1c48).
This method allowed me to ignore (for now) other errors that appear when building a project from the master branch.
I thought that maybe I'm using the wrong toolchain version, so I switched back to GCC 4.8 and tried a different Atollic version as well as the new successor, STM32CubeIDE, but with no luck. The same error remains also for an old Windows Atollic version.
I wonder how the project was developed because I was unable to build it in any way. Fixing minor bugs involving missing includes and the small fixes in the preprocessor defines, I have come to a point that is hard for me to go through.
The current issue seems to be related to the macro located in the CryptEccData.c:86 file
# define ECC_ENTRY(val, x) (bigNum)&##val##_##x
that triggers this specific error message.
arm-none-eabi-gcc -c "/home/acwiek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptEccMain.c" -mcpu=cortex-m4 -std=gnu11 -g3 '-D__weak=__attribute__((weak))' '-D__packed=__attribute__((__packed__))' -DUSE_HAL_DRIVER -DSTM32L476xx -DWOLFSSL_USER_SETTINGS -DUSE_WOLFCRYPT -c -I../Inc -I../Drivers/STM32L4xx_HAL_Driver/Inc -I../Drivers/STM32L4xx_HAL_Driver/Inc/Legacy -I../Middlewares/ST/STM32_USB_Device_Library/Core/Inc -I../Middlewares/ST/STM32_USB_Device_Library/Class/CDC/Inc -I../Drivers/CMSIS/Device/ST/STM32L4xx/Include -I../Drivers/CMSIS/Include -I../../Shared/TPMDevice/include -I../../Shared/Platform/Include -I../../Shared/Platform/Include/prototypes -I../../../../external/wolfssl -I../../../../TPMCmd/tpm/include -I../../../../TPMCmd/tpm/include/prototypes -I"/home/acwiek/git/ms-tpm-20-ref/Samples/Nucleo-TPM/Shared/Platform/include/prototypes" -I"/home/acwiek/git/ms-tpm-20-ref/Samples/Nucleo-TPM/Shared/Platform/include" -O0 -ffunction-sections -fdata-sections -Wall -fstack-usage -MMD -MP -MF"Middlewares/TPMCmd/crypt/CryptEccMain.d" -MT"Middlewares/TPMCmd/crypt/CryptEccMain.o" --specs=nano.specs -mfpu=fpv4-sp-d16 -mfloat-abi=hard -mthumb -o "Middlewares/TPMCmd/crypt/CryptEccMain.o"
/home/acwiek/git/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptEccData.c:86:39: error: pasting "&" and "NIST_P256" does not give a valid preprocessing token
86 | # define ECC_ENTRY(val, x) (bigNum)&##val##_##x
| ^
We have high hopes for this project and think it will enrich the open-source community, so we would appreciate any help from you.
While GpMacros.h defines TPM_FAIL_RETURN as the correct type to be used for the NO_LONGJMP implementation (like embedded), both TpmFail() and _plat__Fail() aren't using this macro and define NORETURN void, causing compilation errors.