The source repository for the Trusted Platform Module (TPM2.0) tools based on tpm2-software/tpm2-tss
Readthedocs for information on installation, man-pages and more.
Home Page: https://tpm2-software.github.io
Is there any way to decipher the error codes that get thrown by the commands? I am trying to use tpm2_nvdefine and am getting a 0x14b error, but I have no idea what this means.
Is there any way to use these tools without running the resourcemgr? I can't seem to find any way to do so.
I was trying to test the tpm2.0 tools with test_all.sh after it was successfully installed.
I got some errors which confused me. Which parameter or environment is wrong? It seems to be referred to by #8.
test_tpm2_unseal.sh pass
EK create succ.. Handle: 0x80000006
EvictControl EK persistent succ.
Flush transient EK succ.
StartAuthSessionWithParams succ.......
Tss2_Sys_PolicySecret succ.......
TPM2_Create succ.......
StartAuthSessionWithParams succ.......
Tss2_Sys_PolicySecret succ.......
Name of loaded key:
00 0b 97 5c 93 cb fe 8e 58 10 c1 f9 22 75 85 16
dc 8f b1 02 f1 f3 3d 90 cd 2d ce 03 8f da ee c0
92 f9
Loaded key handle: 80000006
EvictControl: Make AK persistent succ.
Flush transient AK succ.
getpubak successfully!
akparse fail, pelase check the environment or parameters!
test_tpm2_akparse.sh Fail, press any key to continue....
I tested this tool yesterday well.
However, a newly cloned source tree today produces the following build error:
g++: error: ../tss/sysapi/libtpm.a: No such file or directory
Makefile:721: recipe for target 'tpm2_listpcrs' failed
make[1]: *** [tpm2_listpcrs] Error 1
make[1]: Leaving directory '/home/debian/tpm/tpm2.0-tools/sapi-tools'
Makefile:356: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
Using tpm2_create returns "incorrect port number", but none of the other commands seem to have this problem. I have checked the .cpp file and it appears that all is as it should be. Also, using the -port argument to specify the resourcemgr port has no effect.
A simple macro to detect the existence / version of the TSS headers would go a long way to making our build more friendly. Better to get a configure time error saying "install this other package" instead of producing compile errors that say "file not found".
Without the 4 header files below installed, tpm2.0-tools can't build.
endianConv.h
sys_api_marshalUnmarshal.h
sysapi_util.h
tcti_util.h
The TSS repo is in the throes of refactoring their headers. We need to assess the impact to the tools repo. I've already identified some breakage in our use of the TSS2_TCTI_DRIVER_INFO structure which is not part of the TSS spec. This structure was mistakenly distributed by the TSS and will not be visible in the headers / libraries after tpm2-software/tpm2-tss#108 is merged. Undoubtedly there are more.
Use ac_check_lib for the socket TCTI library just like we do the tss2 library. This is currently blocked by an upstream bug: tpm2-software/tpm2-tss#126
Resolving #3 will fix much of this. Still though there are bits of the tools that reference source files that aren't exposed as libraries. Specifically the use of code from the SAPI test programs here:
https://github.com/01org/tpm2.0-tools/blob/master/sapi-tools/Makefile.am#L75
https://github.com/01org/tpm2.0-tools/blob/master/sapi-tools/Makefile.am#L58
is very strange and unfriendly to packaging. If these source files are useful to code outside of the sapi tree they need to be exposed as a library.
As below, tpm2_getpubak produces a TPM error (0xc2800) during the load process.
tpm2_getpubak -E 0x8101000b -k 0x8101000c -g 0x0001 -D 0x000B -s 0x0014 -f ak_pub.out -n ak_name_pub.out
StartAuthSessionWithParams succ.......
Tss2_Sys_PolicySecret succ.......
TPM2_Create succ.......
StartAuthSessionWithParams succ.......
Tss2_Sys_PolicySecret succ.......
......TPM2_Load Error. TPM Error:0xc2800......
If I define an NV index with a size larger than 1024, make an nv.data content file of all zeros with the same size, then use tpm2_nvwrite to write the file content into the NV index and read out the bytes after 1024, all bytes after 1024 are FFs.
$ tpm2_sign -c context_load_out_6 -g 0x00B -m secret.data -s sign.f1
contextKeyFile = context_load_out_6
halg = 0x000b
Compute message hash failed !
The latest commit I was able to build with successfully is tpm2-software/tpm2-tss@78180e1
diff --git a/src/tpm2_getmanufec.cpp b/src/tpm2_getmanufec.cpp
index 3fef315..082e913 100644
--- a/src/tpm2_getmanufec.cpp
+++ b/src/tpm2_getmanufec.cpp
@@ -288,8 +288,12 @@ char *Base64Encode(const unsigned char* buffer)
BIO_free_all(bio);
char *b64text = (*bufferPtr).data;
for (int i = 0; i < strlen(b64text); i++)
+ {
if (b64text[i] == '+')
b64text[i] = '-';
+ if (b64text[i] == '/')
+ b64text[i] = '_';
+ }
CURL *curl = curl_easy_init();
if (curl)
{
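Review bot: the loop condition `for (int i = 0; i < strlen(b64text); i++)` recomputes strlen() on every iteration, and now that the body does two substitutions per pass it is worth hoisting the length into a `size_t len = strlen(b64text);` before the loop (and declaring `i` as `size_t` to avoid the signed/unsigned comparison warning). The added braces correctly make the `'/'` to `'_'` substitution part of the loop, but the result is only partially base64url: the `'='` padding emitted by the base64 BIO is left in place, so confirm that the endpoint receiving this string accepts padded input or strip the trailing `'='` as well. Separately, the surrounding context reads `(*bufferPtr).data` after `BIO_free_all(bio)`; unless `BIO_set_close(bio, BIO_NOCLOSE)` was set earlier (not visible in this hunk), that buffer has already been freed when the loop rewrites it.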
The header in the TSS2 repo that exposes these values is a non-standard header and it will go away soon. We need to get them from elsewhere, ideally from the TCTI headers that are implementation specific.
I am a little confused about how to use tpm2_create to seal a key to the PCRs. I see that I can pass in a policy file, but how do I create a policy file that defines which PCR(s) I wish to seal the data to? Also, what would this policy file look like?
So far, the tools can only use the resourcemgr TCTI implementation. It would be a good direction to enhance them to be able to use other existing TCTI implementations such as the device TCTI, simulator TCTI, etc., and also make it configurable. Further, it would be even better to make the TCTI choices extensible without code changes.
The socket TCTI from TPM2.0-TSS declares these functions but it doesn't provide them (undefined symbols). When that's resolved upstream tpm2-software/tpm2-tss#112 we can safely remove them from the tpm2.0-tools source code.
tpm2_verifysignature fails with error code 0x2cb when loading a key context created by tpm2_loadexternal.
tpm2_verifysignature -c context_loadexternal_out_6 -g 0x000B -m secret.data -s sign.f1 -t tickt_verify_sign.out
contextKeyFile = context_loadexternal_out_6
halg = 0x000b
VerifySignature: using the input signature file as sig structure!
TPM2_VerifySignature TESTS:
VerifySignature: computing message hash succeeded!
msgHash(hex type):
26 34 c3 09 7f 98 e3 68 65 f0 c5 72 00 9c 4f fd 73 31 6b c8 b8 8c cf e8 d1 96 af 35 f4 6e 23 94
tpm2_verifysignature failed, error code: 0x2cb
Currently the tpm2.0-tools build clones the TPM2.0-TSS sources directly, compiles them, and then statically links against a now missing library. The better long term solution to decouple these builds is to have the tpm2.0-tools treat the TPM2.0-TSS libraries and headers like any others on the build system.
This is the ideal solution to #1. Likely we'll do a work around first and then get to this.
The new tool tpm2_nvreadlock fails on both the simulator and the PTT TPM, as below:
tpm2_nvread -x 0x1500018 -a 0x40000001 -s 32 -o 0
The size of data:32
64 6a 38 36 30 43 44 0a ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
tpm2_nvreadlock -x 0x1500018 -a 0x40000001
Failed to lock NVRAM area at index 0x1500018 (22020120).Error:0x282
Need to follow http://www.trustedcomputinggroup.org/files/static_page_files/7CAA5687-1A4B-B294-D04080D058E86C5F/Credential_Profile_EK_V2.0_R14_published.pdf to make sure we are able to reproduce the EK used for creating the EK certificate.
BTW, the EK profile requires that access authentication for the EK should go via a policy session (userWithAuth = 0, adminWithPolicy = 1), which requires additional changes to tpm2_getpubak to access the EK.
Can we do this? The concern might be that the resourcemgr error was not documented in the TCG spec and is not exported and installed into the system include directory.
A man file can make it easy for users to get help on how to run the command.
This is just to keep things simple and to avoid a number of problems with parallel make invocation. Basically, just best practices and my pedantry :)
Currently there is no 'install' build target. This means the binaries created by the build must be run from the build tree. This will block any packaging work.
I'm trying to bring the tpm2.0-tools up to speed with the changes that are being made to the sapi code. I got the following error while testing:
This bank can not be read, tpm error 0x100
Is this a known error? I get this error for the code at the HEAD of the master branch.
When building with LDFLAGS=-Wl,--as-needed, it fails at the linking stage:
libtool: link: g++ -DSAPI_CLIENT -I. -g -O2 -Wl,--as-needed -o src/tpm2_listpcrs src/tpm2_listpcrs.o -ltss2 -ltctisocket src/libcommon.a
src/libcommon.a(common.o): In function `InitTctiResMgrContext':
/tmp/yaourt-tmp-hexchain/aur-tpm2.0-tools-git/src/tpm2.0-tools/src/common.c:224: undefined reference to `InitSocketTcti'
/tmp/yaourt-tmp-hexchain/aur-tpm2.0-tools-git/src/tpm2.0-tools/src/common.c:232: undefined reference to `InitSocketTcti'
src/libcommon.a(common.o): In function `Cleanup':
/tmp/yaourt-tmp-hexchain/aur-tpm2.0-tools-git/src/tpm2.0-tools/src/common.c:250: undefined reference to `PlatformCommand'
src/libcommon.a(common.o): In function `TeardownTctiResMgrContext':
/tmp/yaourt-tmp-hexchain/aur-tpm2.0-tools-git/src/tpm2.0-tools/src/common.c:243: undefined reference to `TeardownSocketTcti'
src/libcommon.a(common.o): In function `prepareTest':
/tmp/yaourt-tmp-hexchain/aur-tpm2.0-tools-git/src/tpm2.0-tools/src/common.c:287: undefined reference to `PlatformCommand'
/tmp/yaourt-tmp-hexchain/aur-tpm2.0-tools-git/src/tpm2.0-tools/src/common.c:288: undefined reference to `PlatformCommand'
src/libcommon.a(common.o): In function `TeardownTctiResMgrContext':
/tmp/yaourt-tmp-hexchain/aur-tpm2.0-tools-git/src/tpm2.0-tools/src/common.c:243: undefined reference to `TeardownSocketTcti'
/tmp/yaourt-tmp-hexchain/aur-tpm2.0-tools-git/src/tpm2.0-tools/src/common.c:243: undefined reference to `TeardownSocketTcti'
collect2: error: ld returned 1 exit status
Makefile:813: recipe for target 'src/tpm2_listpcrs' failed
make: *** [src/tpm2_listpcrs] Error 1
I guess this is a question for @gwei3 directly. Just wondering why all of the sources are in .cpp files, compiled with g++ but AFAIK we don't actually use any C++ features (no STL, no classes etc). I'm sure there's a reason but since this is my first pass over the code it's not readily apparent.
Apologies in advance for the n00b question :)
Need fixes.
To set up measured boot, TBoot is employed on my host.
TBoot: https://sourceforge.net/projects/tboot/
However, after booting with TBoot, TPM utilities do not work at all.
Any idea about it?
Thanks
youngwha
Bank/Algorithm: TPM_ALG_SHA1(0x0004)
This bank can not be read, tpm error 0xc010c
Bank/Algorithm: TPM_ALG_SHA256(0x000b)
This bank can not be read, tpm error 0xc010c
Bank/Algorithm: TPM_ALG_SHA384(0x000c)
This bank can not be read, tpm error 0xc010c
Bank/Algorithm: TPM_ALG_SHA512(0x000d)
This bank can not be read, tpm error 0xc010c
Bank/Algorithm: TPM_ALG_SM3_256(0x0012)
This bank can not be read, tpm error 0xc010c
Just mimic the example in configure.ac for the tss2 headers.
The last round of PRs added a new tool and a new dependency on libcurl. This needs to be documented in the INSTALL file.
We shouldn't be building and linking in code from the SAPI source tree directly.
Is there any way I can use the currently implemented tools to seal a key to the pcr state? From looking at the tools, it seems as though "tpm2_create" seals data, but how can I base this on the state of the pcrs?
A similar failure happened on tpm2_sign, but it was already fixed in 4b4cbea.
We should be linking against whatever version of the SAPI library is installed.
Hi,
thanks for writing and maintaining these tools.
It would be great if you could improve the manual by providing some "real-life" examples involving multiple TPM2 commands and external tools.
For instance, I was thinking about signing something with the TPM and verifying it with OpenSSL or encrypt something using OpenSSL and using the TPM to decrypt it.
Thanks!
Hi,
As I was planning to add some additional tools in order to make it possible to use, i.e., policy authentication, I have read almost the full TCG spec and I discovered that the current version of the tools allows just the user authentication mode.
It would require a lot of work to implement features I needed for my project so I was looking for some solution and I have found this:
https://sourceforge.net/projects/ibmtpm20tss/
It is an almost complete implementation of the TCG spec. Although it is not ideal (as it does not support, i.e., threading), it allows the use of policy authentication and many other features.
Take a look at it.
Regards,
Franta
In reviewing PR #92 from @theopolis in the TPM2.0-TSS repo I was surprised that this issue didn't surface when we started linking against libtpm2sapi / libtpm2tcti. Turns out the tpm2.0-tools build pulls headers directly from the TPM2.0-TSS tree that it checks out by putting them on the search path for gcc. So basically we're building against headers and linking against libraries from different locations. This is a disaster waiting to happen :(
I don't know that there's an easy fix here. Every one of the TPM tools builds and links against code from the 'common' and 'test' directories from the TSS repo. This means simply changing the gcc search path won't solve the problem. This will likely require coordinated work across the repos including some cleanup of my past mistakes in the TPM2.0-TSS build / include approach.
More issues to come in this cleanup in both repos.
Same as #41
Hi
I have a little problem with TPM usage, hopefully somebody can help me.
a) When I issue the tpm2_listpcrs, all pcrs are set to zero (except 17-22 which are set to FF FF...)
I would expect that at least few PCRs would be set by BIOS during the boot process. Am I right or do I understand the concept in a wrong way?
b) can somebody help me to setup the policy for reading of the NV Index? I would like to allow access to the data just in case the PCRs will be valid (will match the values previously measured during the boot process). Can I achieve this with TPM2 tools or do I need to write some additional tools? Currently, I am able to write/read the data to/from NV with the owner account and lock it for further reads but I need to be sure the value can be released from TPM just in case the platform is still trustworthy.
Thanks in advance
Fis
Add test scripts for each tool to make the testing easier and also serve as a good usage reference for users.
See https://www.gnu.org/software/autoconf/manual/autoconf-2.66/html_node/Libraries.html
This is the "right way" to pull in these dependencies.
What is the URL for use with tpm2_getmanufec for an Intel TPM?
Remove the dependency on the resourcemgr.h file from the TPM2.0-TSS repo. This file is included but nothing from it is used.