Activity for IBM's Software TPM 2.0

  • Ken Goldman committed [2cb5b0] on Git

    Update the license for several files.

  • Ken Goldman committed [c9cdd0] on Git

    tpm: Update to OpenSSL 3.6

  • Ken Goldman committed [3e3bcd] on Git

    Merge branch 'master' of github.ibm.com:kgoldman/ibmswtpm2

  • Ken Goldman committed [88f21d] on Git

    tpm2: stable-0.7: Fix for VRT0009

  • Ken Goldman committed [a9aa06] on Git

    tpm2: Avoid NULL pointer access in case allocation fails

  • Ken Goldman committed [4421b4] on Git

    Merge branch 'next' of github.ibm.com:kgoldman/ibmswtpm2

  • Ken Goldman committed [6eb851] on Git

    tpm2: Initialize eccPublic before passing to TPMS_ECC_POINT_Unmarshal (Coverity)

  • Ken Goldman committed [6f0ec3] on Git

    tpm2: Address a possible unsigned integer underflow (Coverity)

  • Ken Goldman committed [c68d6d] on Git

    tpm2: Filter bad input values to avoid underflow in FindNthSetBit (Coverity)

  • Ken Goldman committed [817b89] on Git

    Merge branch 'master' of github.ibm.com:kgoldman/ibmswtpm2

  • Ken Goldman committed [57fc29] on Git

    Merge branch 'next' of github.ibm.com:kgoldman/ibmswtpm2

  • Ken Goldman committed [be8f59] on Git

    Merge branch 'master' of github.ibm.com:kgoldman/ibmswtpm2

  • Ken Goldman committed [b259de] on Git

    fix compilation issue in aix

  • Ken Goldman committed [7f35eb] on Git

    Fix masking-out of unneeded bits in TpmMath_GetRandomBits

  • Ken Goldman committed [431535] on Git

    apply AWS-LC patch

  • Ken Goldman committed [e0642d] on Git

    rev180: Use CRYPT_CURVE_FREE to free CTX and G

  • Ken Goldman committed [678440] on Git

    tpm: Object: clear out sensitive area if on load if not provided

  • Ken Goldman committed [27904a] on Git

    tpm2: Initialize a whole OBJECT before using it

  • Ken Goldman committed [720ed4] on Git

    tpm: Update to OpenSSL 3.5

  • Ken Goldman committed [8eff3d] on Git

    fix compilation issue in aix

  • Virender posted a comment on discussion General Discussion

    Thank you for your quick guidance. I mistook Wmissing and Werror as error.

  • Ken Goldman posted a comment on discussion General Discussion

    I don't see any errors. It looks like the build completed. BTW, you do not have to be root to build the software.

  • Virender posted a comment on discussion General Discussion

    Hi Ken, In my attempt to install tpm 2.0 on ubuntu 22.04 in virtualbox, I am getting the following errors: root@virender-VirtualBox:/home/virender/ibmtpm1682/src# make /usr/bin/gcc -Wall -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Werror -Wsign-compare -Wno-deprecated-declarations -c -ggdb -O0 -DTPM_POSIX -D_POSIX_ -DTPM_NUVOTON -DUSE_BIT_FIELD_STRUCTURES=NO ACTCommands.c -o ACTCommands.o /usr/bin/gcc -Wall -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Werror -Wsign-compare...

  • Ken Goldman committed [f27b51] on Git

    Update to openssl 3.4

  • Ken Goldman posted a comment on discussion General Discussion

    Is the issue the phrase "All Rights Reserved"? IANAL, but my understanding is that this is obsolete but OK. E.g., it's in the Linux kernel at LICENSES/preferred/BSD-3-Clause. If this is a real issue blocking your use case, can you perhaps have your legal team contact me?

  • txtsd posted a comment on discussion General Discussion

    Nothing additional is needed, but the contents of the file have to make sense. So the file that exists has (c) Copyright IBM Corporation 2016. and All rights reserved. which are not BSD-3-Clause. Do you know if they supersede (or how they supplement) the BSD license? We could end up with an SPDX string like BSD-3-Clause OR LicenseRef-IBMfoobar

  • Ken Goldman posted a comment on discussion General Discussion

    Isn't that already there? There is a LICENSE file. Do I need something additional, like 'SPDX=something'?

  • txtsd posted a comment on discussion General Discussion

    Yes, just create a LICENSE in the root dir with the contents/text of the BSD-3-Clause: https://spdx.org/licenses/BSD-3-Clause.html

  • Ken Goldman posted a comment on discussion General Discussion

    I believe that this is BSD-3-Clause. If you agree, is there a file or other place that I should add it?

  • txtsd posted a comment on discussion General Discussion

    The SPDX License list can be found here: https://spdx.org/licenses/

  • CPC modified a comment on discussion General Discussion

    For first time I can use load and push my data 48 bytes inside the TPM, later I will delete the handles deliberately, then I want to recover my data after my hardware reboot. 1) ./createprimary -hi o -ecc nistp256 -pwdp test1 2) ./create -hp <primary_handle> -opu sealed_data.pub -opr sealed_data.priv -pwdp test1 3) ./load -hp <primary_handle> -ipu sealed_data.pub -ipr sealed_data.priv -pwdp test1 -c sealed_data.ctx 4) ./evictcontrol -hi o -ho <handle_from_load> -hp 0x81010001 5) rm sealed_data.pub sealed_data.priv...

  • CPC posted a comment on discussion General Discussion

    For first time I can use load and push my data 48 bytes inside the TPM, later I will delete the handles deliberately, then I want to recover my data after my hardware reboot. 1) ./createprimary -hi o -ecc nistp256 -pwdp test1 2) ./create -hp <primary_handle> -opu sealed_data.pub -opr sealed_data.priv -pwdp test1 3) ./load -hp <primary_handle> -ipu sealed_data.pub -ipr sealed_data.priv -pwdp test1 -c sealed_data.ctx 4) ./evictcontrol -hi o -ho <handle_from_load> -hp 0x81010001 5) rm sealed_data.pub sealed_data.priv...

  • Ken Goldman posted a comment on discussion General Discussion

    TPM_PT_HR_PERSISTENT_AVAIL gives a minimum, but a TPM is permitted to return 1 even when more can fit. The reason it's an estimate is that a small sealed blob with no authorization takes up less space than an RSA 4096 key with a SHA-384 policy and a long password.

  • CPC posted a comment on discussion General Discussion

    Thanks Ken, any way to check how many slots remaining using getcapability and push the sealed data using evictcontrol command example, If I am not wrong I have clean the data back using same evictcontrol.

  • Ken Goldman posted a comment on discussion General Discussion

    Sealed data is an object, and can be persisted using evictcontrol. However, there are very few TPM slots, so it's better to store the blob externally and back it up like you back up any other data.

  • CPC posted a comment on discussion General Discussion

    How to persist the sealed data?

  • Ken Goldman posted a comment on discussion General Discussion

    I don't think so. The TPM is resource constrained. It's designed so that minimal state is on the TPM and other data is stored externally, protected by the TPM. Back up the sealed data. Persist the sealed data, but there are only about 7 persistent slots. You can fill them all.

  • CPC posted a comment on discussion General Discussion

    Hello Ken, I have these below commands, I want to understand how we can get back the sea.bin if I delete my tpmpub.bin and tpmpriv.bin. 1) ./createprimary -hi o -pwdp test1 -ecc nistp256 2) ./evictcontrol -hi o -ho 80000000 -hp 81200000 3) ./create -hp 81200000 -bl -if sea.bin -opr tpmpriv.bin -opu tpmpub.bin 4) ./load -hp 81200000 -ipu tpmpub.bin -ipr tpmpriv.bin 5) ./unseal -ha 80000002 -of sec_out.bin Please let me know, I accidentally delete my tpmpriv.bin and tpmpriv.bin, is there way to get...

  • Ken Goldman committed [89a4cb] on Git

    src/BnToOsslMath.h: fix build with openssl 3.3.x

  • Tomasz Maczkowski posted a comment on discussion General Discussion

    Thank you for your response, Ken. It looks like it is working from the latest master.

  • Ken Goldman posted a comment on discussion General Discussion

    Could you try the latest master, or the latest tagged commit? I think this was fixed.

  • Tomasz Maczkowski posted a comment on discussion General Discussion

    During compilation of the project against OpenSSL 3.2.1 following compilation errors occur: In file included from BnValues.h:324, from Global.h:80, from Tpm.h:78, from AuditCommands.c:62: TpmToOsslMath.h:79:5: error: #error Untested OpenSSL version 79 | # error Untested OpenSSL version | ^~~~~ Are there any plans to simulate TPM using recent versions of OpenSSL (e.g. 3.2.1)?

  • Ken Goldman modified a comment on a wiki page

    For big endian machines, build with BIG_ENDIAN_TPM=YES The download is a compressed tarball. Evidently, some versions of gnu tar for Windows aren't built to handle compressed files. If the untar fails, try this: > gzip -d ibmtpmnnn.tar.gz # unzip > tar xvf ibmtpmnnn.tar # untar Any TPM needs TPM2_Startup as its first command. A BIOS supporting a hardware TPM 2.0 will send this command. Otherwise, see the IBM TSS "startup" sample. ** For future changes notes, see the ChangeLog. ** **Build 1682 includes...

  • Ken Goldman committed [d40025] on Git

    Merge branch 'master' of github.ibm.com:kgoldman/ibmswtpm2

  • Ken Goldman committed [d47972] on Git

    TcpServerPosix fails to build with gcc7 due to uninitialized value warning

  • Ken Goldman committed [a1537c] on Git

    Merge branch 'next'

  • Ken Goldman committed [cc8dfa] on Git

    TcpServerPosix: Fix use of uninitialized value.

  • Ken Goldman committed [a23c41] on Git

    README.md: Update ibmtss project URL

  • Ken Goldman committed [dcd6c8] on Git

    README.md: Update ibmtss project URL

  • Ken Goldman committed [54deb0] on Git

    tpm: Update VS project to openssl 3.2

  • Ken Goldman committed [c37c74] on Git

    tpm: Minor updates from rev 180 to rev 183

  • Ken Goldman committed [e6ed61] on Git

    tpm: Fix gcc 8.3.1 compiler errors

  • Ken Goldman committed [fb6817] on Git

    rev180: Rearrange order of TPMI_ECC_CURVE_P_UNMARSHAL in unmarshalArray

  • Ken Goldman committed [ebe82a] on Git

    tpm: Increment supported openssl to 3.2.x

  • Ken Goldman committed [596a7a] on Git

    tpm: Update based on compliance test results

  • Ken Goldman committed [b62782] on Git

    tpm: Complete command tracing

  • Ken Goldman committed [377488] on Git

    tpm: Delete accidentally committed tmp.c tmp.h

  • Ken Goldman committed [f325a0] on Git

    tpm: Add SetCap stub implementation

  • Ken Goldman committed [cee47a] on Git

    tpm: add protector around big endian define.

  • Ken Goldman committed [448dd8] on Git

    Merge branch 'rev180' of github.ibm.com:kgoldman/ibmswtpm2 into rev180

  • Ken Goldman committed [6e4907] on Git

    tpm: Add include headers for Linux port

  • Ken Goldman committed [c62660] on Git

    tpm: Use size_t as index, not a signed type.

  • Ken Goldman committed [a555d8] on Git

    tpm: Replace these files with rev 180 spec versions.

  • Ken Goldman committed [525bb8] on Git

    tpm: Add TPMI_RH_NV_EXP_INDEX_Unmarshal function prototype.

  • Ken Goldman committed [06cb52] on Git

    tpm: Add void to functions.

  • Ken Goldman committed [d86307] on Git

    tpm: Add static to local functions.

  • Ken Goldman committed [3e5517] on Git

    tpm: Fix case sensitive file names for Linux port

  • Ken Goldman committed [88be70] on Git

    tpm: Change case for NVDynamic include

  • Ken Goldman committed [39d8be] on Git

    tpm: Updates to rev 180

  • Ken Goldman committed [3669c7] on Git

    tpm: Add explanation for not checking on load if fixedTPM

  • Ken Goldman committed [48e0e2] on Git

    tpm: Update .gitignore for visual studio and debug outputs

  • Ken Goldman posted a comment on discussion General Discussion

    That makes sense, so GetPrivateKeyFromTPM() doesn't actually get the private key. Are we done, or is there more to the question? Note that this is a TPM project. If you have questions about the OpenSSL provider, there's surely a better forum.

  • Andrew Pearce posted a comment on discussion General Discussion

    This code doesn't extract the private key. It gives me a reference to where the key is stored so that OpenSSL can use it. Code explanation: Opening a Store Context: The OSSL_STORE_open_ex function opens a store context for a specified URI, which in this case is a TPM handle. This is a reference to where the key is stored, not the key itself. The store context is an abstraction that allows OpenSSL to access keys and other objects in a variety of locations in a uniform manner. Reading the Key: The code...

  • Andrew Pearce posted a comment on discussion General Discussion

    I thought so too, but the OpenSSL API allows me to get the private key from the TPM and print it: Key Type: EC -----BEGIN TSS2 PRIVATE KEY----- M .... .... 8sA -----END TSS2 PRIVATE KEY----- Perhaps the attributes need to be set when I create the key to stop this. I will look at TPM2_Sign.

  • Ken Goldman posted a comment on discussion General Discussion

    There is no command to get a private key from a TPM. The goal of the TPM is to protect the private key. The TPM has a TPM2_Sign function that will sign a digest using a key on the TPM.

  • Andrew Pearce posted a comment on discussion General Discussion

    This code works but it retrieves the private key from the TPM. Can I achieve the same result without extracting the private key? EVP_PKEY * GetPrivateKeyFromTPM(void) { OSSL_STORE_CTX *storeCtx = NULL; storeCtx = OSSL_STORE_open_ex("handle:0x81005020", tpm2_libctx,"?provider=tpm2", NULL, NULL, NULL,NULL, NULL); while (!OSSL_STORE_eof(storeCtx)) { OSSL_STORE_INFO *info = OSSL_STORE_load(storeCtx); switch (OSSL_STORE_INFO_get_type(info)) { case OSSL_STORE_INFO_PKEY: EVP_PKEY *TPMpkey = OSSL_STORE_INFO_get1_PKEY(info);...

  • Andrew Pearce posted a comment on discussion General Discussion

    Is it possible to implement the functionality shown in the bash script below from a C++ application, possibly using an OpenSSL provider obtained using: OSSL_PROVIDER * tpm2_provider = OSSL_PROVIDER_load(NULL, "tpm2"); or by another method, possibly the TPM2 API directly? Create CSR using TPM-resident private key openssl req -provider tpm2 -provider default -propquery '?provider=tpm2' -new -key handle:$TPMHandle -config openssl.conf -reqexts v3_req -out device.csr Can the private key remain in the...

  • Ken Goldman posted a comment on discussion General Discussion

    The error "TPM not initialized by TPM2_Startup" usually means that you did not send a TPM2_Startup command. Normally "startup" with no parameters is OK. See the TSS documentation 4.1 TPM Simulator. See the TPM library spec Part 1. 12.2.3 Startup State.

  • Vijayakumar modified a comment on discussion General Discussion

    Hi ben, I have followed the steps provided in the README. but I am getting below error while running pcrread executable, Build steps ran: git clone https://github.com/kgoldman/ibmtss.git cd ibmtss/ autoreconf -i ./configure --prefix=${HOME}/local --disable-hwtpm --disable-tpm-1.2 --enable-debug make clean make make install cd utils ./pcrread -ha 10 ./pcrread -ha 10 pcrread: failed, rc 00000100 TPM_RC_INITIALIZE - TPM not initialized by TPM2_Startup or already initialized Simulator log: root@myvm:/home/ami/vijay/ibm#...

  • Vijayakumar posted a comment on discussion General Discussion

    Hi ben, I have followed the steps provided in the README. but I am getting below error while running pcrread executable, ./pcrread -ha 10 pcrread: failed, rc 00000100 TPM_RC_INITIALIZE - TPM not initialized by TPM2_Startup or already initialized Simulator log: root@myvm:/home/ami/vijay/ibm# service tpm-server status ● tpm-server.service - TPM2.0 Simulator Server daemon Loaded: loaded (/lib/systemd/system/tpm-server.service; disabled; vendor preset: enabled) Active: active (running) since Tue 2023-10-03...

  • Ken Goldman modified a comment on discussion General Discussion

    The command line utilities are in a directory called utils. See the README for details. Or the docx/html documentation. The utilities default to connecting to the simulator, but the documentation explains how to change that at build, start, or runtime.

  • Ken Goldman posted a comment on discussion General Discussion

    The command line utilities are in a directory called utils. See the README for details. Or the docx/html documentation.

  • Vijayakumar posted a comment on discussion General Discussion

    https://github.com/kgoldman/ibmtss/tree/master/demo I can see only some .php files. Could you please point out in the code, how you are making connection to your tpm simulator?

  • Ken Goldman posted a comment on discussion General Discussion

    https://sourceforge.net/projects/ibmtpm20tss/ or https://github.com/kgoldman/ibmtss Demo scripts, command line programs, and sample C code.

  • Ken Goldman posted a comment on discussion General Discussion

    This project only supports the IBM TPM, not google or salrashid. For sample command line programs, see https://github.com/kgoldman/ibmtss, which supports both the /dev and socket interfaces. Code in 3 steps: * look at the sample scripts in regtests, find one that is close to your application * adapt the script to your application * cut and paste from the command line samples to create your application in C

  • Vijayakumar posted a comment on discussion General Discussion

    hi Ken, What do you mean by utilities here? Where can I get the demo codes?

  • Vijayakumar modified a comment on discussion General Discussion

    I have built and installed this tpm 2.0 simulator in my ubuntu VM. it runs fine and able to run tpm2 commands like tpm2_pcrread and all. Am trying to write a sample application which performs same tpm2 commands. I have found many samples from, https://github.com/google/go-tpm/tree/main/examples and https://github.com/salrashid123/tpm2 But these samples are trying to access /dev/tpm0 file which we don't have in our simulator case as it is a network socket. I just tried replacing the file handle(handle...

  • Vijayakumar posted a comment on discussion General Discussion

    I have built and installed this tpm 2.0 simulator in my ubuntu VM. it runs fine and able to run tpm2 commands like tpm2_pcrread and all. Am trying to write a sample application which performs same tpm2 commands. I have found many samples from, https://github.com/google/go-tpm/tree/main/examples and https://github.com/salrashid123/tpm2 But these samples are trying to access /dev/tpm0 file which we don't have in our simulator case as it is a network socket. I just tried replacing the file handle(handle...

  • Ken Goldman committed [82bf1a] on Git

    tpm: Update RSA area to rev 164.

  • Ken Goldman committed [84a9e0] on Git

    tpm: Check command size for int32 overflow.

  • Ken Goldman posted a comment on ticket #14

    I don't see anything in the TPM specification that says the TPM will reset on a timeout. Even the old proposal you found does not say that. This would actually be bad - the TPM should never reset unless the platform also reboots. We expect that a typical use would be that the timeout affects a TPM pin which would reset the platform (not just the TPM)

  • Ahmad B. Usman modified a comment on ticket #14

    Hello Ken Goldman, If I understand correctly, the commands in the library [1] will not have any effects in either the HW or emulated TPM2 ? What I am exactly trying to achieve is take advantage of the TPM2_ACT_SetTimeout command. And as specified in [2] is to set a timer which countdown from +x second to zero periodically, for the TPM 2 to reset. If this command won't trigger anything, how could possibly I can achieve the same goal using different method. Best regards, /Ahmad [1]. https://sourceforge.net/projects/ibmtpm20tss/...

  • Ahmad B. Usman posted a comment on ticket #14

    Hello Ken Goldman, If I understand correctly, the commands in the library [1] will not have any effects in either the HW or emulated TPM2 ? What I am exactly trying to achieve is take advantage of the TPM2_ACT_SetTimeout command. And as specified in [2] is to set timer which countdown for +x second to zero periodically, for the TPM 2 to reset. If this command won't trigger anything, how could possibly I can achieve the same goal using different method. Best regards, /Ahmad [1]. https://sourceforge.net/projects/ibmtpm20tss/...

  • Ken Goldman posted a comment on ticket #14

    I haven't added a command line utility to the IBM TSS yet. Is there an application for it? AFAIK: The SW TPM doesn't have any GPIO, so nothing will happen when it triggers. HW TPMs don't implement it. Let me know if I'm wrong, and I will add a command line program.

  • Ahmad B. Usman posted a comment on ticket #14

    Hello Ken and Tadeusze, Can you kindly show a way to run this command: TPM2 ACT SetTimeout, should we run in the terminal similar to tpm2_pcrread ? I would like to follow the reference below: https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM_ACTCommand_v1r3_pubrev.pdf thanks in advance

  • Ken Goldman posted a comment on discussion General Discussion

    Please check the documentation ibmtss.doc section Running the TPM Let me know if anything is unclear.

  • Anunaya Choudhary posted a comment on discussion General Discussion

    Thank you for the reply Ken we were able to install the software using the command. Now if you could tell us the steps to run the software on ubuntu it would be really helpful

  • Ken Goldman committed [5452af] on Git

    tpm: Update documentation to openssl 3.1 and 64-bit

  • Ken Goldman committed [15501b] on Git

    tpm: Add support for OpenSSL 3.1.x
