IBM's Software TPM 2.0 Activity
Status: Beta
Brought to you by:
kagoldman
Activity for IBM's Software TPM 2.0
-
Ken Goldman committed [2cb5b0] on Git
Update the license for several files.
-
tpm: Update to OpenSSL 3.6
-
Merge branch 'master' of github.ibm.com:kgoldman/ibmswtpm2
-
tpm2: stable-0.7: Fix for VRT0009
-
tpm2: Avoid NULL pointer access in case allocation fails
-
Merge branch 'next' of github.ibm.com:kgoldman/ibmswtpm2
-
tpm2: Initialize eccPublic before passing to TPMS_ECC_POINT_Unmarshal (Coverity)
-
tpm2: Address a possible unsigned integer underflow (Coverity)
-
tpm2: Filter bad input values to avoid underflow in FindNthSetBit (Coverity)
-
Merge branch 'master' of github.ibm.com:kgoldman/ibmswtpm2
-
Merge branch 'next' of github.ibm.com:kgoldman/ibmswtpm2
-
Merge branch 'master' of github.ibm.com:kgoldman/ibmswtpm2
-
fix compilation issue in aix
-
Fix masking-out of unneeded bits in TpmMath_GetRandomBits
-
apply AWS-LC patch
-
rev180: Use CRYPT_CURVE_FREE to free CTX and G
-
tpm: Object: clear out sensitive area if on load if not provided
-
tpm2: Initialize a whole OBJECT before using it
-
tpm: Update to OpenSSL 3.5
-
fix compilation issue in aix
-
Virender posted a comment on discussion General Discussion
Thank you for your quick guidance. I mistook Wmissing and Werror as error.
-
I don't see any errors. It looks like the build completed. BTW, you do not have to be root to build the software.
-
Hi Ken, In my attempt to install tpm 2.0 on ubuntu 22.04 in virtualbox, I am getting the following errors: root@virender-VirtualBox:/home/virender/ibmtpm1682/src# make /usr/bin/gcc -Wall -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Werror -Wsign-compare -Wno-deprecated-declarations -c -ggdb -O0 -DTPM_POSIX -D_POSIX_ -DTPM_NUVOTON -DUSE_BIT_FIELD_STRUCTURES=NO ACTCommands.c -o ACTCommands.o /usr/bin/gcc -Wall -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Werror -Wsign-compare...
-
Update to openssl 3.4
-
Is the issue the phrase "All Rights Reserved"? IANAL, but my understanding is that this is obsolete but OK. E.g., it's in the Linux kernel at LICENSES/preferred/BSD-3-Clause. If this is a real issue blocking your use case, can you perhaps have your legal team contact me?
-
txtsd posted a comment on discussion General Discussion
Nothing additional is needed, but the contents of the file have to make sense. So the file that exists has (c) Copyright IBM Corporation 2016. and All rights reserved. which are not BSD-3-Clause. Do you know if they supersede (or how they supplement) the BSD license? We could end up with an SPDX string like BSD-3-Clause OR LicenseRef-IBMfoobar
-
Isn't that already there? There is a LICENSE file. Do I need something additional, like 'SPDX=something'?
-
Yes, just create a LICENSE in the root dir with the contents/text of the BSD-3-Clause: https://spdx.org/licenses/BSD-3-Clause.html
-
I believe that this is BSD-3-Clause. If you agree, is there a file or other place that I should add it?
-
The SPDX License list can be found here: https://spdx.org/licenses/
-
CPC modified a comment on discussion General Discussion
For first time I can use load and push my data 48 bytes inside the TPM, later I will delete the handles deliberately , then i want to recover my data after my hardware reboot. 1)./createprimary -hi o -ecc nistp256 -pwdp test1 .2)/create -hp <primary_handle> -opu sealed_data.pub -opr sealed_data.priv -pwdp test1 .3)/load -hp <primary_handle> -ipu sealed_data.pub -ipr sealed_data.priv -pwdp test1 -c sealed_data.ctx 4)./evictcontrol -hi o -ho <handle_from_load> -hp 0x81010001 5)rm sealed_data.pub sealed_data.priv...
-
For first time I can use load and push my data 48 bytes inside the TPM, later I will delete the handles deliberately , then i want to recover my data after my hardware reboot. 1)./createprimary -hi o -ecc nistp256 -pwdp test1 .2)/create -hp <primary_handle> -opu sealed_data.pub -opr sealed_data.priv -pwdp test1 .3)/load -hp <primary_handle> -ipu sealed_data.pub -ipr sealed_data.priv -pwdp test1 -c sealed_data.ctx 4)./evictcontrol -hi o -ho <handle_from_load> -hp 0x81010001 5)rm sealed_data.pub sealed_data.priv...
-
TPM_PT_HR_PERSISTENT_AVAIL gives a minimum, but a TPM is permitted to return 1 even when more can fit. The reason it's an estimate is that a small sealed blob with no authorization takes up less space than an RSA 4096 key with a SHA-384 policy and a long password.
-
Thanks Ken, any way to check how may slots remining using getcapability and push the sealed data using evcitcontrol command example , If I am not wrong I have clean the data back using same evcitcontrol.
-
Sealed data is an object, and can be persisted using evictcontrol. However, there are very few TPM slots, so it's better to store the blob externally and back it up like you back up any other data.
-
How to persist the sealed data?
-
I don't think so. The TPM is resource constrained. It's designed so that minimal state is on the TPM and other data is stored externally, protected by the TPM. Back up the sealed data. Persist the sealed data, but there are only about 7 persistent slots. You can fill them all.
-
Hello Ken, I have these below commands , I want to understand how we can get back the sea.bin if , I delete my tpmpub.bin and tpmpriv.bin. 1) ./createprimary -hi o -pwdp test1 -ecc nistp256 2) ./evictcontrol -hi o -ho 80000000 -hp 81200000 3) ./create -hp 81200000 -bl -if sea.bin -opr tpmpriv.bin -opu tpmpub.bin 4) ./load -hp 81200000 -ipu tpmpub.bin -ipr tpmpriv.bin 5) ./unseal -ha 80000002 -of sec_out.bin Please let me know, I accidently delete my tpmpriv.bin and tpmpriv.bin, is there way to get...
-
src/BnToOsslMath.h: fix build with openssl 3.3.x
-
Tomasz Maczkowski posted a comment on discussion General Discussion
Thank you for your response, Ken. It looks like it is working from the latest master.
-
Could you try the latest master, or the latest tagged commit? I think this was fixed.
-
During compilation of the project against OpenSSL 3.2.1 following compilation errors occur: In file included from BnValues.h:324, from Global.h:80, from Tpm.h:78, from AuditCommands.c:62: TpmToOsslMath.h:79:5: error: #error Untested OpenSSL version 79 | # error Untested OpenSSL version | ^~~~~ Are there any plans to simulate TPM using recent versions of OpenSSL (e.g. 3.2.1)?
-
For big endian machines, build with BIG_ENDIAN_TPM=YES The download is a compressed tarball. Evidently, some versions of gnu tar for Windows aren't built to handle compressed files. If the untar fails, try this: > gzip -d ibmtpmnnn.tar.gz # unzip > tar xvf ibmtpmnnn.tar # untar Any TPM needs TPM2_Startup as its first command. A BIOS supporting a hardware TPM 2.0 will send this command. Otherwise, see the IBM TSS "startup" sample. ** For future changes notes, see the ChangeLog. ** **Build 1682 includes...
-
Merge branch 'master' of github.ibm.com:kgoldman/ibmswtpm2
-
TcpServerPosix fails to build with gcc7 due to uninitialized value warning
-
Merge branch 'next'
-
TcpServerPosix: Fix use of uninitialized value.
-
README.md: Update ibmtss project URL
-
README.md: Update ibmtss project URL
-
tpm: Update VS project to openssl 3.2
-
tpm: Minor updates from rev 180 to rev 183
-
tpm: Fix gcc 8.3.1 compiler errors
-
rev180: Rearrange order of TPMI_ECC_CURVE_P_UNMARSHAL in unmarshalArray
-
tpm: Increment supported openssl to 3.2.x
-
tpm: Update based on comliance test results
-
tpm: Complete command tracing
-
tpm: Delete accidentally commited tmp.c tmp.h
-
tpm: Add SetCap stub implementation
-
tpm: add protector around big endian define.
-
Merge branch 'rev180' of github.ibm.com:kgoldman/ibmswtpm2 into rev180
-
tpm: Add include headers for Linux port
-
tpm: Use size_t as index, not a signed type.
-
tpm: Replace these files with rev 180 spec versions.
-
tpm: Add TPMI_RH_NV_EXP_INDEX_Unmarshalfunction prototype.
-
tpm: Add void to functions.
-
tpm: Add static to local functions.
-
tpm: Fix case sensitive file names for Linux port
-
tpm: Change case for NVDynamic include
-
tpm: Updates to rev 180
-
tpm: Add explanation for not checking on load if fixedTPM
-
tpm: Update .gitignore for visual studio and debug outputs
-
That makes sense, so GetPrivateKeyFromTPM() doesn't actually get the private key. Are we done, or is there more to the question? Note that this is a TPM project. If you have questions about the OpenSSL provider, there's surely a better forum.
-
Andrew Pearce posted a comment on discussion General Discussion
This code doesn't extract the private key. It give me a reference to where the key is stored so that OpenSSL can use it. Code explanation: Opening a Store Context: The OSSL_STORE_open_ex function opens a store context for a specified URI, which in this case is a TPM handle. This is a reference to where the key is stored, not the key itself. The store context is an abstraction that allows OpenSSL to access keys and other objects in a variety of locations in a uniform manner. Reading the Key: The code...
-
I thought so too, but the OpenSSL API allows me to get the private key from the TPM and print it: Key Type: EC -----BEGIN TSS2 PRIVATE KEY----- M .... .... 8sA -----END TSS2 PRIVATE KEY----- Perhaps the attributes need to be set when I create to key to stop this. I will look at TPM2_Sign.
-
There is no command to get a private key from a TPM. The goal of the TPM is to protect the private key. The TPM has a TPM2_Sign function that will sign a digest using a key on the TPM.
-
This code works but I retrieves the private key from the TPM. Can I achieve the same result without extracting the private key? EVP_PKEY * GetPrivateKeyFromTPM(void) { OSSL_STORE_CTX *storeCtx = NULL; storeCtx = OSSL_STORE_open_ex("handle:0x81005020", tpm2_libctx,"?provider=tpm2", NULL, NULL, NULL,NULL, NULL); while (!OSSL_STORE_eof(storeCtx)) { OSSL_STORE_INFO *info = OSSL_STORE_load(storeCtx); switch (OSSL_STORE_INFO_get_type(info)) { case OSSL_STORE_INFO_PKEY: EVP_PKEY *TPMpkey = OSSL_STORE_INFO_get1_PKEY(info);...
-
Is it possible to implement the functionality shown in the bash script below from a C++ application, possibly using an OpenSSL provider obtained using: OSSL_PROVIDER * tpm2_provider = OSSL_PROVIDER_load(NULL, "tpm2"); or by another method, possibly the TPM2 API directly? Create CSR using TPM-resident private key openssl req -provider tpm2 -provider default -propquery '?provider=tpm2' -new -key handle:$TPMHandle -config openssl.conf -reqexts v3_req -out device.csr Can the private key remain in the...
-
The error "TPM not initialized by TPM2_Startup" usually means that you did not send a TPM2_Startup command. Normally "startup' with no parameters is OK. See the TSS documentation 4.1 TPM Simulator. See the TPM library spec Part 1. 12.2.3 Startup State.
-
Vijayakumar modified a comment on discussion General Discussion
Hi ben, I have followed the steps provided in the README. but I am getting below error while running pcrread executable, Build steps ran: git clone https://github.com/kgoldman/ibmtss.git cd ibmtss/ autoreconf -i ./configure --prefix=${HOME}/local --disable-hwtpm --disable-tpm-1.2 --enable-debug make clean make make install cd utils ./pcrread -ha 10 ./pcrread -ha 10 pcrread: failed, rc 00000100 TPM_RC_INITIALIZE - TPM not initialized by TPM2_Startup or already initialized Simulator log: root@myvm:/home/ami/vijay/ibm#...
-
Hi ben, I have followed the steps provided in the README. but I am getting below error while running pcrread executable, ./pcrread -ha 10 pcrread: failed, rc 00000100 TPM_RC_INITIALIZE - TPM not initialized by TPM2_Startup or already initialized Simulator log: root@myvm:/home/ami/vijay/ibm# service tpm-server status ● tpm-server.service - TPM2.0 Simulator Server daemon Loaded: loaded (/lib/systemd/system/tpm-server.service; disabled; vendor preset: enabled) Active: active (running) since Tue 2023-10-03...
-
The command line utilities are in a directory called utils. See the README for details. Or the docx/html documentation. The utilities default to connecting to the simulator, but the documentation explains how to change that at build, start, or runtime.
-
The command line utilities are in a directory called utils. See the README for details. Or the docx/html documentation.,
-
https://github.com/kgoldman/ibmtss/tree/master/demo I can see only some .php files. Could you please point out in the code, how you are making connection to your tpm simulator?
-
https://sourceforge.net/projects/ibmtpm20tss/ or https://github.com/kgoldman/ibmtss Demo scripts, command line programs, and sample C code.
-
This project only supports the IBM TPM, not google or salrashid. For sample command line programs, see https://github.com/kgoldman/ibmtss, which supports both the /dev and socket interfaces. Code in 3 steps: * look at the sample scripts in regtests, find one that is close to your application * adapt the script to your application * cut and paste from the command line samples to create your application in C
-
hi Ken, What do you mean by utilities here? Where can I get the demo codes?
-
I have built and installed this tpm 2.0 simulator in my ubuntu VM. it runs fine and able to run tpm2 commands like tpm2_pcrread and all. Am trying to write a sample application which performs same tpm2 commands. I have found many samples from, https://github.com/google/go-tpm/tree/main/examples and https://github.com/salrashid123/tpm2 But these samples are trying to access /dev/tpm0 file which we don't have in our simluator case as it is a network socket. I just tried replacing the file handle(handle...
-
I have built and installed this tpm 2.0 simulator in my ubuntu VM. it runs fine and able to run tpm2 commands like tpm2_pcrread and all. Am trying to write a sample application which performs same tpm2 commands. I have found many samples from, https://github.com/google/go-tpm/tree/main/examples and https://github.com/salrashid123/tpm2 But these samples are trying to access /dev/tpm0 file which we don't have in our simluator case as it is a network socket. I just tried replacing the file handle(handle...
-
tpm: Update RSA area to rev 164.
-
tpm: Check command size for int32 overflow.
-
I don't see anything in the TPM specification that says the TPM will reset on a timeout. Even the old proposal you found does not say that. This would actually be bad - the TPM should never reset unless the platform also reboots. We expect that a typical use would be that the timeout affects a TPM pin which would reset the platform (not just the TPM)
-
Ahmad B. Usman modified a comment on ticket #14
Hello Ken Goldman, If I understand correctly, the commands in the library [1] will not have any effects in either the HW or emulated TPM2 ? What I am exactly trying to achieve is take advantage of the TPM2_ACT_SetTimeout command. And as specified in [2] is to set a timer which countdown from +x second to zero periodically, for the TPM 2 to reset. If this command wont trigger anything, how could possibly I can achieve the same goal using different method. Best regards, /Ahmad [1]. https://sourceforge.net/projects/ibmtpm20tss/...
-
Hello Ken Goldman, If I understand correctly, the commands in the library [1] will not have any effects in either the HW or emulated TPM2 ? What I am exactly trying to achieve is take advantage of the TPM2_ACT_SetTimeout command. And as specified in [2] is to set timer which countdown for +x second to zero periodically, for the TPM 2 to reset. If this command wont trigger anything, how could possibly I can achieve the same goal using different method. Best regards, /Ahmad [1]. https://sourceforge.net/projects/ibmtpm20tss/...
-
I haven't added a command line utility to the IBM TSS yet. Is there an application for it? AFAIK: The SW TPM doesn't have any GPIO, so nothing will happen when it triggers. HW TPMs don't implement it. Let me know if I'm wrong, and I will add a command line program.
-
Hello Ken and Tadeusze, Can you kindly show a way to run this command: TPM2 ACT SetTimeout, should we run in the terminal similar to tpm2_pcrread ? I would like to follow the the reference below: https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM_ACTCommand_v1r3_pubrev.pdf thanks in advance
-
Please check the documentation ibmtss.doc section Running the TPM Let me know if anything is unclear.
-
Anunaya Choudhary posted a comment on discussion General Discussion
Thank you for the reply Ken we were able to install the software using the command. Now if you could tell us the steps to run the software on ubuntu it would be really helpful
-
Thank you for the reply Ken we were able to install the software using the command. Now if you could tell us the steps to run the software on ubuntu it would be really helpful
-
tpm: Update documantation to openssl 3.1 and 64-bit
-
tpm: Add support for OpenSSL 3.1.x
1 >
