@kagoldman hi, could you take a look at this MR again, considering elmarco's latest answers? Thanks!
certificates: Add new Nuvoton certificates
How will the TSS be different after this patch set? What does it do? It installs the regression tests on the system. Is this trying to run the TSS regression test against a TPM? To test the TSS? To test the TPM? Is it creating dependencies? The tests don't run by themselves, they need to be run by the user (or some automated tool). If you're trying to test a TPM install, the TSS regression test coverage is incomplete. TCG has a more complete test suite available to TCG members. swtpm is tested against...
I'm still blocked at the same questions. How will the TSS be different after this patch set? What does it do? Is this trying to run the TSS regression test against a TPM? To test the TSS? To test the TPM? Is it creating dependencies? If you're trying to test a TPM install, the TSS regression test coverage is incomplete. TCG has a more complete test suite available to TCG members.
Since swtpm v0.10, it can run against the installed ibmtpm20tss regression tests (see https://github.com/stefanberger/swtpm/commit/603396664f830c273581d3b364ed7139b8293639). I updated the patch series to add more comments. Let me know if something is unclear or could be improved. Thanks.
What SW TPM runs the TSS regression tests? I don't know of any, and I don't know why a TPM would do this. If a TSS wants to run its tests against a SW TPM, it can do so. I don't know what this patch is doing. I also worry about applying a patch that has no comments and which I don't understand. This is security software - I am cautious.
Hi @kagoldman, Happy New Year! Can you check this series again? Thanks.
Hi @kagoldman, can I do something to make progress? Thanks.
utils: Update Changelog, etc. to 2.4.1
I tested https://github.com/kgoldman/ibmtss/commit/3a17ac01bea73d3568272d61b895a16a0bd85440 and it indeed fixed this issue. Thanks a lot for the fast update.
tests fail after 2026-02-20
I pushed new certificates to master. I'll tag it after complete testing. Can you test it?
regtest: Commented the procedure to create CA certificates.
utils: Changed response code for X509 errors.
certs: Issue new self signed test EK CA certificates.
Thank you so much for this! The issue is that the regression test suite includes a test CA to issue test EK certificates. The CA root certificate was generated in 2016 with a 10 year lifetime, thus invalid in 2026. Note that it's not specific to Suse, and does not affect the operation of the TSS, only the regression test. I will issue a new certificate for the next release. What is the priority for this? Is it a blocker?
tests fail after 2026-02-20
utils: Update .so version to 2.4
tss: Commit changelog and autotools version update
tss: Update documentation, accept all tracked changes.
ekutils: Add support for multiple intermediate CA certificates
utils: Add support for EK intermediate certificates.
utils: Add const to verifyEcSignatureFromEvpPubKey input message.
ima: Update IMA extend to handle multiple hash algorithms.
regtest: Update Windows testevent for hash algorithms
utils: imaextend digest algorithm updates
ima: Update for sha256 event log
utils: Add local support for sha-256 IMA library
@kagoldman do you have further questions? Thanks.
swtpm runs the TSS regression tests against its emulator. They are the tests we need to have installed as done by this series. Tests shouldn't need to modify or install system certificates. Currently they don't run anyway since they need "/home/kgold/tss2/utils/certificates/". See also "utils/reg.sh: skip rootcerts checks if /home/kgold missing" patch. The use case is clear: allow distributions to run TSS regression tests against swtpm. And you shouldn't worry about distribution policies, about what...
What does 'from installation' mean? What are 'the tests'? Do you mean the TSS regression test scripts? Are you trying to test the TPM using the TSS regression tests? Or testing the TSS using the TPM? In the past, the distros did not want the regression tests installed. Or the sample policies and certificates. Has something changed? Is installing the certificates a security hole? Where are you proposing to install them? The code has no comments. The autotools code is fragile, and I don't want to break...
The goal is to run the tests from installation. Currently, the tests are not installed. This is what this series achieves: install tests and make them usable from the swtpm test suite. 'swtpm currently fetch the sources of ibmtss': it literally fetches and compiles the source from git: https://github.com/stefanberger/swtpm/blob/master/tests/test_tpm2_ibmtss2#L54 This is not allowed by distribution builders.
The regression test can run after installation. Is there a bug that prevents this for you? What do you mean by 'swtpm currently fetch the sources of ibmtss'? swtpm is a separate project. 'swtpm test coverage under distributions is currently lacking the TSS test suite.' - The documentation explains why the TSS test suite is not a TPM test suite. 'and then run the swtpm tests' What are these swtpm tests? The TCG maintains a TPM test suite, entirely separate from any TSS. I still do not understand...
@kagoldman I missed your reply... SourceForge isn't very good at notifying me by mail, it seems. Perhaps @me is necessary. Sure, I can document better what the patches do. They are quite simple and self-explanatory in general. The whole purpose is to run the TSS & swtpm tests not within the project source tree, but when installed. Tests can then be packaged and run more easily by users. "distros can't easily vendor extra software": swtpm currently fetches the sources of ibmtss, and patches it during...
dnf: Update tss2.spec to v2.3.2
doc: Move documentation for no deprecated algorithms.
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
rpm: Add specfile for tag 2.3.1
tss: Remove reference to engine.h
Update Changelog for 2.3.1.
The code has no comments, and there are no patch descriptions for the patches. Since the autotools code was contributed, I cannot accept changes unless they are clear. The regression tests can already be run before or after installation, so the purpose of the patches is unclear. "distros can't easily vendor extra software" is unclear. What extra software, and what vendor? 'utils/reg.sh: skip rootcerts checks if /home/kgold missing' looks odd. Why would the /home/kgold directory be hard coded?
Install tests and make them usable from swtpm
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
Windows: Add policycapability to VS project
windows: Add VS project files for policycapability, policyparameters
windows: Add VS project files for policycapability, policyparameters
windows: Update visual studio project files for Openssl 3.2
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
windows: Remove readme.txt from policyauthvalue project
In all of the methods, there is no corresponding TPM 'save' command to simply read a private key. However, the key starts outside the TPM, and it's up to the outside software to determine whether the key can be moved to another TPM or back to the host - based on the policy. If you want a key that is guaranteed to never be outside the TPM, the TPM has to generate it.
Thanks, Ken. Just to make sure I'm clear on what you're saying... In using any of these methods, I want to make sure that the original private key does not exit the TPM into say a client like OpenSSL.
There are several ways, in order of complexity, but there's sample code for each: (1) loadexternal: this requires the plaintext key available on each system every time; see testsign.sh for an example. (2) import: this wraps the plaintext key to a parent. It's locked to that TPM parent, but you can import it to multiple target TPMs. Each target first gets the plaintext key. See testrsa.sh for an example using the 'importpem' program. (3) duplicate: this wraps the key at a (perhaps single) source, then duplicates...
Hi all, Let's say that I have a key pair that is created external to a TPM. The private portion of the pair is to be distributed to a number of TPMs. Is there a way to distribute that private key outside of key wrapping (i.e. distributing the private key such that it becomes locked within the TPM, never to see the light of day)? Thanks.
regtest: Add policycapability regression test
regtest: Add policyparameters Windows tests
regtest: Add policyparameters regression tests
tss: Roll revision to 2.3.0
tss: Fix typo in TSS_TPMA_NV_Print
tss: First release of policyparameters and policycapability
version: Roll the version to 2.2.0
utils: Add VS project for Nuvoton commands
doc: Add html conversion of ibmtss.docx
tss: ifdef out deprecated functions
Merge branch 'next'
utils12: Add extern to tssUtilsVerbose for Debian
regtest: Add userWithAuth CLEAR to unseal tests
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
regtest: Fix testrsa for openssl 1.1.1 pkcs1
doc: Minor update to documentation
Merge branch 'next' of github.ibm.com:linux-integrity/tpm2
utils: Add support for loadexternal schemes.
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
regtest: Add bits parameter to initial RSA decryption key
utils: Accept curveID from caller.
Merge branch 'master' of github.ibm.com:linux-integrity/tpm2
Merge branch 'next' of github.ibm.com:linux-integrity/tpm2
Sorry Ken, the issue was I was not doing TSS_Delete() after failure of load.
Yes Ken, I am running as root, /dev/tpm0 exists. On each function I am invoking this func() with these variables: func() { some... if ((rc = TSS_Create(pOpenTpm))) return rc; if ((rc = TSS_SetProperty(pOpenTpm, TPM_INTERFACE_TYPE, "dev"))) return rc; if ((rc = TSS_SetProperty(pOpenTpm, TPM_DEVICE, "/dev/tpm0"))) return rc; if ((rc = TSS_SetProperty(pOpenTpm, TPM_ENCRYPT_SESSIONS, "1"))) return rc; if ((rc = TSS_SetProperty(pOpenTpm, TPM_DATA_DIR, sztpmDir.c_str()))) return rc; } After the integrity check fails...
This is Raspbian, Linux-like, right? TSS_RC_NO_CONNECTION means that the TSS could not connect to the device driver. Does /dev/tpm0 exist? Is it read/write by your process? Is the env variable set to connect to the device driver? /dev/tpm0 or /dev/tpmrm0? getcapability -v will give a trace. It will tell us where the TSS is trying to connect. (In general, use -v to debug.)
Hello Ken, we are using HW TPM device driver.
Trying to load the child is one test. Another: readpublic -v can be used to read the 'Name' of the key. If the key is the same, the Name will be the same.
TPM_RC_INTEGRITY seems right, the wrong parent key cannot correctly unwrap the child key being loaded. The no connection sounds like the TPM stopped. Are you using a HW TPM device driver or the SW TPM socket interface?
I see these actions when I do "load" with different keys - TPM_RC_INTEGRITY - integrity check failed, and immediately I check if the TPM is active or not; it is responding to my queries and createprimary responds. But on the next query I use getcapability and it says TSS_RC_NO_CONNECTION - Failure connecting to lower.
Thanks for the reply Ken, I am doing an (evict) owner hierarchy hardcoded key name 81100000 in all my TPM devices. And how to do this test, if the parent storage key at 81100000 is different on the two machines?
If the parent storage key at 81100000 is different on the two machines, the key will not load. That's the only way I know of to test. The lock (dictionary attack protection) is based on the authorization of the parent. If the parent password (looks like empty) is the same on both machines, it will not trigger lockout protection. Parents typically have noDA set, so even a bad password won't trigger lockout.
Please find the right word, "integrity check" -ipu tpmpub.bin -ipr tpmpriv.bin of these two components; if it fails then the TPM should not lock itself.
Hello Ken, I am on an experiment facing an issue. I have a TPM and SD card on Server1 and I replace the SD card in Server2 which has a TPM; I store some create command components on SD cards. Example: ./create -hp 81100000 -bl -if sea.bin -opr tpmpriv.bin -opu tpmpub.bin == stored on SD card ./load -hp 81100000 -ipu tpmpub.bin -ipr tpmpriv.bin ./unseal -ha 80000002 -of sec_out.bin How to detect if tpmpub.bin and tpmpriv.bin do not belong to this TPM? Any lightweight way to check using IBM TSS commands,...
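The Name comparison Ken suggests (readpublic -v prints the Name; same key, same Name) can also be done offline, as in this added Python example, which is not IBM TSS code: it computes the TPM Name from a marshaled TPM2B_PUBLIC, the format create -opu writes (and which readpublic is assumed here to write with -opu for the parent at 81100000), so the public areas saved on two machines can be compared before any load is attempted. The sample blob is constructed for illustration, not real TPM output.

```python
import hashlib
import struct

# TPM_ALG_ID values for the hash algorithms a nameAlg may use.
HASH_BY_ALG = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}


def tpm_name_from_tpm2b_public(blob: bytes) -> bytes:
    """Return the TPM Name of a marshaled TPM2B_PUBLIC.

    Name = nameAlg (UINT16, big endian) || hash_nameAlg(TPMT_PUBLIC).
    The TPMT_PUBLIC follows the 2-byte size prefix; its second field
    (offset 2..4 inside the TPMT_PUBLIC) is nameAlg.
    """
    if len(blob) < 4:
        raise ValueError("blob too short for a TPM2B_PUBLIC")
    (size,) = struct.unpack(">H", blob[:2])
    if size != len(blob) - 2:  # truncated or padded file: refuse rather than mis-hash
        raise ValueError(f"size field {size} does not match body length {len(blob) - 2}")
    tpmt_public = blob[2:]
    (name_alg,) = struct.unpack(">H", tpmt_public[2:4])
    if name_alg not in HASH_BY_ALG:
        raise ValueError(f"unsupported nameAlg 0x{name_alg:04x}")
    digest = hashlib.new(HASH_BY_ALG[name_alg], tpmt_public).digest()
    return struct.pack(">H", name_alg) + digest


def same_key(blob_a: bytes, blob_b: bytes) -> bool:
    """True when two saved public areas describe the same TPM object."""
    return tpm_name_from_tpm2b_public(blob_a) == tpm_name_from_tpm2b_public(blob_b)


def constructed_sealed_public(unique: bytes = b"\x11" * 32) -> bytes:
    """Constructed TPM2B_PUBLIC for a sealed (keyedhash) object; not a real TPM output."""
    tpmt = struct.pack(">HH", 0x0008, 0x000B)        # type TPM_ALG_KEYEDHASH, nameAlg SHA-256
    tpmt += struct.pack(">I", 0x00000452)            # fixedTPM|fixedParent|userWithAuth|noDA
    tpmt += struct.pack(">H", 0)                     # authPolicy: empty TPM2B_DIGEST
    tpmt += struct.pack(">H", 0x0010)                # keyedhash scheme: TPM_ALG_NULL
    tpmt += struct.pack(">H", len(unique)) + unique  # unique: TPM2B_DIGEST
    return struct.pack(">H", len(tpmt)) + tpmt


if __name__ == "__main__":
    pub = constructed_sealed_public()
    print("Name:", tpm_name_from_tpm2b_public(pub).hex())
```

With real files, pass the bytes of tpmpub.bin (or the parent's saved public area from each machine) to the same function; a differing Name means the parent at 81100000 is not the same object and load will fail with TPM_RC_INTEGRITY.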
[regtests] wrong RSA decryption key size
Will fix in next release. Regression testing will take some work.
Correct, will fix in next release. Regression testing will take some work. The curve is only used for duplication and salting. The child is protected by the symmetric AES key, not the ECC key.
asymPublicTemplate: ECC storage key curveID is hardcoded