[tpm2] facilitating BIOS update with seamless PCR policy change

[tpm2] facilitating BIOS update with seamless PCR policy change

[Petko Manolov]

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

	Hello guys,

I'm trying to devise a way to change the PCR policy used to seal certain key 
into TPM2 in case of BIOS change.  So far i've run into this article (along with 
the references it suggests):

	https://github.com/tpm2-software/tpm2-tss/issues/487

However, i did not find a definitive answer there.  Could someone please 
elaborate or point me in the right direction i can read more about how to 
authorize the new PCR policy?


thanks a bunch,
Petko

Re: [tpm2] facilitating BIOS update with seamless PCR policy change

[Roberts, William C]

[-- Attachment #1: Type: text/plain, Size: 1438 bytes --]

You can't change an existing objects policy AFAIK. So if you have objects sealed to PCR
state and PCR state changes, you're out of luck. Imran, that statement is correct right?

You need to use policyauthorize when you build a new policy for an object, which
Pretty much means, any policy signed by X is ok. Thus when PCR state changes, you
Just sign a new PCR policy.

See this test for an example of usage:
https://github.com/tpm2-software/tpm2-tools/blob/master/test/integration/tests/tcti/abrmd/policyauthorize.sh

Bill

> -----Original Message-----
> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Petko Manolov
> Sent: Friday, January 4, 2019 10:21 AM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] facilitating BIOS update with seamless PCR policy change
> 
> 	Hello guys,
> 
> I'm trying to devise a way to change the PCR policy used to seal certain key into
> TPM2 in case of BIOS change.  So far i've run into this article (along with the
> references it suggests):
> 
> 	https://github.com/tpm2-software/tpm2-tss/issues/487
> 
> However, i did not find a definitive answer there.  Could someone please
> elaborate or point me in the right direction i can read more about how to
> authorize the new PCR policy?
> 
> 
> thanks a bunch,
> Petko
> _______________________________________________
> tpm2 mailing list
> tpm2(a)lists.01.org
> https://lists.01.org/mailman/listinfo/tpm2

Re: [tpm2] facilitating BIOS update with seamless PCR policy change

[Petko Manolov]

[-- Attachment #1: Type: text/plain, Size: 1934 bytes --]

On 19-01-04 21:50:13, Roberts, William C wrote:
> You can't change an existing objects policy AFAIK. So if you have objects 
> sealed to PCR state and PCR state changes, you're out of luck. Imran, that 
> statement is correct right?

This is not how i read "Non-Brittle PCRs (New in 2.0)" paragraph in "A Practical 
Guide to TPM2" book, page 34.

> You need to use policyauthorize when you build a new policy for an object, 
> which Pretty much means, any policy signed by X is ok. Thus when PCR state 
> changes, you Just sign a new PCR policy.

I really hope it is "policy signed by X _and_ these new PCR values" else it 
makes no sense to use PCR values as policy, isn't it?

> See this test for an example of usage:
> https://github.com/tpm2-software/tpm2-tools/blob/master/test/integration/tests/tcti/abrmd/policyauthorize.sh

Thanks for the reference.  I guess i'll be back with more questions after i 
digest the above example.


cheers,
Petko


> > -----Original Message-----
> > From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Petko Manolov
> > Sent: Friday, January 4, 2019 10:21 AM
> > To: tpm2(a)lists.01.org
> > Subject: [tpm2] facilitating BIOS update with seamless PCR policy change
> > 
> > 	Hello guys,
> > 
> > I'm trying to devise a way to change the PCR policy used to seal certain key into
> > TPM2 in case of BIOS change.  So far i've run into this article (along with the
> > references it suggests):
> > 
> > 	https://github.com/tpm2-software/tpm2-tss/issues/487
> > 
> > However, i did not find a definitive answer there.  Could someone please
> > elaborate or point me in the right direction i can read more about how to
> > authorize the new PCR policy?
> > 
> > 
> > thanks a bunch,
> > Petko
> > _______________________________________________
> > tpm2 mailing list
> > tpm2(a)lists.01.org
> > https://lists.01.org/mailman/listinfo/tpm2
> 

Re: [tpm2] facilitating BIOS update with seamless PCR policy change

[Desai, Imran]

[-- Attachment #1: Type: text/plain, Size: 1693 bytes --]

Correct. 

On 1/4/19, 2:50 PM, "Roberts, William C" <william.c.roberts(a)intel.com> wrote:

    You can't change an existing objects policy AFAIK. So if you have objects sealed to PCR
    state and PCR state changes, you're out of luck. Imran, that statement is correct right?
    
    You need to use policyauthorize when you build a new policy for an object, which
    Pretty much means, any policy signed by X is ok. Thus when PCR state changes, you
    Just sign a new PCR policy.
    
    See this test for an example of usage:
    https://github.com/tpm2-software/tpm2-tools/blob/master/test/integration/tests/tcti/abrmd/policyauthorize.sh
    
    Bill
    
    > -----Original Message-----
    > From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Petko Manolov
    > Sent: Friday, January 4, 2019 10:21 AM
    > To: tpm2(a)lists.01.org
    > Subject: [tpm2] facilitating BIOS update with seamless PCR policy change
    > 
    > 	Hello guys,
    > 
    > I'm trying to devise a way to change the PCR policy used to seal certain key into
    > TPM2 in case of BIOS change.  So far i've run into this article (along with the
    > references it suggests):
    > 
    > 	https://github.com/tpm2-software/tpm2-tss/issues/487
    > 
    > However, i did not find a definitive answer there.  Could someone please
    > elaborate or point me in the right direction i can read more about how to
    > authorize the new PCR policy?
    > 
    > 
    > thanks a bunch,
    > Petko
    > _______________________________________________
    > tpm2 mailing list
    > tpm2(a)lists.01.org
    > https://lists.01.org/mailman/listinfo/tpm2
    

Re: [tpm2] facilitating BIOS update with seamless PCR policy change

[Roberts, William C]

[-- Attachment #1: Type: text/plain, Size: 3154 bytes --]



> -----Original Message-----
> From: Petko Manolov [mailto:sti(a)nucleusys.com]
> Sent: Saturday, January 5, 2019 10:43 AM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: tpm2(a)lists.01.org; Desai, Imran <imran.desai(a)intel.com>
> Subject: Re: [tpm2] facilitating BIOS update with seamless PCR policy change
> 
> On 19-01-04 21:50:13, Roberts, William C wrote:
> > You can't change an existing objects policy AFAIK. So if you have
> > objects sealed to PCR state and PCR state changes, you're out of luck.
> > Imran, that statement is correct right?
> 
> This is not how i read "Non-Brittle PCRs (New in 2.0)" paragraph in "A Practical
> Guide to TPM2" book, page 34.

I quote, "In the TPM 2.0 specification, you can seal things to a PCR value approved by a
particular signer instead of to a particular PCR value"

That's what can be done with the policyauthorize command. In general that command says
Any policy signed with key X is a valid policy. So you can mutate the policy as needed and
Resign it. Whatever events are required to satisfy the policy, are policy specific. You're
Policy could be PCR specific, in which case you could:
1. make a PCR policy to specific PCR values and update policy with system changes
2. make a PCR policy specific to a set of PCR values via policy OR statements
    Option 2 could allow rollback attacks


> 
> > You need to use policyauthorize when you build a new policy for an
> > object, which Pretty much means, any policy signed by X is ok. Thus
> > when PCR state changes, you Just sign a new PCR policy.
> 
> I really hope it is "policy signed by X _and_ these new PCR values" else it makes
> no sense to use PCR values as policy, isn't it?

It's literally policy signed by X, the contents of the policy are mutable at that point.

> 
> > See this test for an example of usage:
> > https://github.com/tpm2-software/tpm2-tools/blob/master/test/integrati
> > on/tests/tcti/abrmd/policyauthorize.sh
> 
> Thanks for the reference.  I guess i'll be back with more questions after i digest
> the above example.
> 
> 
> cheers,
> Petko
> 
> 
> > > -----Original Message-----
> > > From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Petko Manolov
> > > Sent: Friday, January 4, 2019 10:21 AM
> > > To: tpm2(a)lists.01.org
> > > Subject: [tpm2] facilitating BIOS update with seamless PCR policy change
> > >
> > > 	Hello guys,
> > >
> > > I'm trying to devise a way to change the PCR policy used to seal certain key
> into
> > > TPM2 in case of BIOS change.  So far i've run into this article (along with the
> > > references it suggests):
> > >
> > > 	https://github.com/tpm2-software/tpm2-tss/issues/487
> > >
> > > However, i did not find a definitive answer there.  Could someone please
> > > elaborate or point me in the right direction i can read more about how to
> > > authorize the new PCR policy?
> > >
> > >
> > > thanks a bunch,
> > > Petko
> > > _______________________________________________
> > > tpm2 mailing list
> > > tpm2(a)lists.01.org
> > > https://lists.01.org/mailman/listinfo/tpm2
> >

Re: [tpm2] facilitating BIOS update with seamless PCR policy change

[Petko Manolov]

[-- Attachment #1: Type: text/plain, Size: 2192 bytes --]

	Hello again,

I managed to get authorized PCR policies to work for me.  The attached script 
works fine on my thinkpad and on rpi3 with Infineon's SLB9670 SPI TPM2.

However, i stumbled upon a problem with an fTPM implementation in a very recent 
AMI BIOS.  Everything seems to be working properly, until i get tpm2_unseal to 
give me the error below.  The tpm2-tools is built with at-the-time tip of git 
commit id:

	872076e1b31f22b18391c6761d47575a93891cd7

tpm2_unseal -v:

	tool="tpm2_unseal" version="3.0.2-858-g88956e75" tctis="dynamic" tcti-default=tabrmd dlclose=enabled

tpm-tss is v2.1.0 and tpm-abrmd is v2.0.3.  Unfortunately the error message does 
not mean much for me so any help will be greatly appreciated.


thanks,
Petko



---

Generating RSA private key, 2048 bit long modulus
..............................+++++
...........................................+++++
e is 65537 (0x10001)
writing RSA key
transient-context: signing_key.ctx
name: 0x000b5e069ba4b591842c25155d812f635970dabe7cee663aff121088940f88e2da80
Signing authority created
sha256:
  0 : 0x647992CBC9EEBF49D367559D870620C324B1A4307EB2A6166F1ACEC0DC186AEA
  1 : 0x519B03509291B643DA7FEC4407FFC47C1C18AF706A611ECA1C159D4608342338
  2 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB
  3 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB
session-context: session.ctx
policy-digest: 0x22035897291FE4681D7800685BFC5C73EBCBB88C7A579AB20C2E345A9815FDFE
pcr policy created
policy is signed
session-context: session.ctx
45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1
policy authorized
sealing object created
session-context: session.ctx
45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1
WARNING:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
ERROR:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:101:Esys_Unseal() Esys Finish ErrorCode (0x0000008f)
ERROR: Esys_Unseal(0x8F) - tpm:handle(unk):invalid nonce size or nonce value mismatch
ERROR: Unseal failed!
ERROR: Unable to run tpm2_unseal
cat: unsealed: No such file or directory
the end

[-- Attachment #2: policy_auth.sh --]
[-- Type: application/x-sh, Size: 1941 bytes --]

Re: [tpm2] facilitating BIOS update with seamless PCR policy change

[Petko Manolov]

[-- Attachment #1: Type: text/plain, Size: 4542 bytes --]

I am sorry that this didn't go through because of the attached script.  I'm 
embedding it to this email so i'd like to apologize about the bloat.

---

#!/bin/bash

source common.sh

#   Create a signing authority
openssl genrsa -out signing_key_private.pem 2048
openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
tpm2_loadexternal -G rsa -a o -u signing_key_public.pem -o signing_key.ctx \
	-n signing_key.name

echo "Signing authority created"

#   Create a policy to be authorized like a pcr policy:
tpm2_pcrlist -L $PCRS -o pcrs.sha256
tpm2_startauthsession -S session.ctx
tpm2_policypcr -S session.ctx -L $PCRS -F pcrs.sha256 -f pcr.policy
tpm2_flushcontext -S session.ctx
rm -f session.ctx

echo "pcr policy created"

#   Sign the policy
openssl dgst -sha256 -sign signing_key_private.pem -out pcr.signature pcr.policy

echo "policy is signed"

#   Authorize the policy in the policy digest:
tpm2_startauthsession -S session.ctx
tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy \
	-n signing_key.name
tpm2_flushcontext -S session.ctx
rm -f session.ctx

echo "policy authorized"

#   Create a TPM object like a sealing object with the authorized policy
#   based authentication:
echo "secret to seal 123" > secret_file
tpm2_createprimary -Q -a o -g sha256 -G rsa -o prim.ctx
tpm2_create -Q -g sha256 -u sealing_pubkey.pub -r sealing_prikey.pub \
	-I secret_file -C prim.ctx -L authorized.policy

echo "sealing object created"

#   Satisfy policy and unseal the secret:
tpm2_verifysignature -c signing_key.ctx -G sha256 -m pcr.policy \
	-s pcr.signature -t verification.tkt -f rsassa
tpm2_startauthsession -a -S session.ctx
tpm2_policypcr -Q -S session.ctx -L $PCRS -f pcr.policy
tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy \
	-n signing_key.name -t verification.tkt
tpm2_load -Q -C prim.ctx -u sealing_pubkey.pub -r sealing_prikey.pub \
	-o sealing_key.ctx
tpm2_unseal -p "session:session.ctx" -c sealing_key.ctx -o unsealed
cat unsealed
tpm2_flushcontext -S session.ctx
rm -f session.ctx unsealed

echo "the end"

---


thanks,
Petko


On 19-02-18 09:48:37, Petko Manolov wrote:
> 	Hello again,
> 
> I managed to get authorized PCR policies to work for me.  The attached script 
> works fine on my thinkpad and on rpi3 with Infineon's SLB9670 SPI TPM2.
> 
> However, i stumbled upon a problem with an fTPM implementation in a very recent 
> AMI BIOS.  Everything seems to be working properly, until i get tpm2_unseal to 
> give me the error below.  The tpm2-tools is built with at-the-time tip of git 
> commit id:
> 
> 	872076e1b31f22b18391c6761d47575a93891cd7
> 
> tpm2_unseal -v:
> 
> 	tool="tpm2_unseal" version="3.0.2-858-g88956e75" tctis="dynamic" tcti-default=tabrmd dlclose=enabled
> 
> tpm-tss is v2.1.0 and tpm-abrmd is v2.0.3.  Unfortunately the error message does 
> not mean much for me so any help will be greatly appreciated.
> 
> 
> thanks,
> Petko
> 
> 
> 
> ---
> 
> Generating RSA private key, 2048 bit long modulus
> ..............................+++++
> ...........................................+++++
> e is 65537 (0x10001)
> writing RSA key
> transient-context: signing_key.ctx
> name: 0x000b5e069ba4b591842c25155d812f635970dabe7cee663aff121088940f88e2da80
> Signing authority created
> sha256:
>   0 : 0x647992CBC9EEBF49D367559D870620C324B1A4307EB2A6166F1ACEC0DC186AEA
>   1 : 0x519B03509291B643DA7FEC4407FFC47C1C18AF706A611ECA1C159D4608342338
>   2 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB
>   3 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB
> session-context: session.ctx
> policy-digest: 0x22035897291FE4681D7800685BFC5C73EBCBB88C7A579AB20C2E345A9815FDFE
> pcr policy created
> policy is signed
> session-context: session.ctx
> 45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1
> policy authorized
> sealing object created
> session-context: session.ctx
> 45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1
> WARNING:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
> ERROR:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:101:Esys_Unseal() Esys Finish ErrorCode (0x0000008f)
> ERROR: Esys_Unseal(0x8F) - tpm:handle(unk):invalid nonce size or nonce value mismatch
> ERROR: Unseal failed!
> ERROR: Unable to run tpm2_unseal
> cat: unsealed: No such file or directory
> the end

Re: [tpm2] facilitating BIOS update with seamless PCR policy change

[Petko Manolov]

[-- Attachment #1: Type: text/plain, Size: 5579 bytes --]

	Hello,

Just FYI - another fTPM is giving me the same error:

WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:101:Esys_Unseal() Esys Finish ErrorCode (0x0000008f)
ERROR: Esys_Unseal(0x8F) - tpm:handle(unk):invalid nonce size or nonce value mismatch
ERROR: Unseal failed!
ERROR: Unable to run tpm2_unseal

The machine is LENOVO P310, BIOS FWKT97A 11/08/2018, Sunrise Point-H chipset.  
Could you please give me some pointers as to how this could be worked around?


thanks,
Petko


On 19-02-18 10:20:26, Petko Manolov wrote:
> I am sorry that this didn't go through because of the attached script.  I'm 
> embedding it to this email so i'd like to apologize about the bloat.
> 
> ---
> 
> #!/bin/bash
> 
> source common.sh
> 
> #   Create a signing authority
> openssl genrsa -out signing_key_private.pem 2048
> openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
> tpm2_loadexternal -G rsa -a o -u signing_key_public.pem -o signing_key.ctx \
> 	-n signing_key.name
> 
> echo "Signing authority created"
> 
> #   Create a policy to be authorized like a pcr policy:
> tpm2_pcrlist -L $PCRS -o pcrs.sha256
> tpm2_startauthsession -S session.ctx
> tpm2_policypcr -S session.ctx -L $PCRS -F pcrs.sha256 -f pcr.policy
> tpm2_flushcontext -S session.ctx
> rm -f session.ctx
> 
> echo "pcr policy created"
> 
> #   Sign the policy
> openssl dgst -sha256 -sign signing_key_private.pem -out pcr.signature pcr.policy
> 
> echo "policy is signed"
> 
> #   Authorize the policy in the policy digest:
> tpm2_startauthsession -S session.ctx
> tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy \
> 	-n signing_key.name
> tpm2_flushcontext -S session.ctx
> rm -f session.ctx
> 
> echo "policy authorized"
> 
> #   Create a TPM object like a sealing object with the authorized policy
> #   based authentication:
> echo "secret to seal 123" > secret_file
> tpm2_createprimary -Q -a o -g sha256 -G rsa -o prim.ctx
> tpm2_create -Q -g sha256 -u sealing_pubkey.pub -r sealing_prikey.pub \
> 	-I secret_file -C prim.ctx -L authorized.policy
> 
> echo "sealing object created"
> 
> #   Satisfy policy and unseal the secret:
> tpm2_verifysignature -c signing_key.ctx -G sha256 -m pcr.policy \
> 	-s pcr.signature -t verification.tkt -f rsassa
> tpm2_startauthsession -a -S session.ctx
> tpm2_policypcr -Q -S session.ctx -L $PCRS -f pcr.policy
> tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy \
> 	-n signing_key.name -t verification.tkt
> tpm2_load -Q -C prim.ctx -u sealing_pubkey.pub -r sealing_prikey.pub \
> 	-o sealing_key.ctx
> tpm2_unseal -p "session:session.ctx" -c sealing_key.ctx -o unsealed
> cat unsealed
> tpm2_flushcontext -S session.ctx
> rm -f session.ctx unsealed
> 
> echo "the end"
> 
> ---
> 
> 
> thanks,
> Petko
> 
> 
> On 19-02-18 09:48:37, Petko Manolov wrote:
> > 	Hello again,
> > 
> > I managed to get authorized PCR policies to work for me.  The attached script 
> > works fine on my thinkpad and on rpi3 with Infineon's SLB9670 SPI TPM2.
> > 
> > However, i stumbled upon a problem with an fTPM implementation in a very recent 
> > AMI BIOS.  Everything seems to be working properly, until i get tpm2_unseal to 
> > give me the error below.  The tpm2-tools is built with at-the-time tip of git 
> > commit id:
> > 
> > 	872076e1b31f22b18391c6761d47575a93891cd7
> > 
> > tpm2_unseal -v:
> > 
> > 	tool="tpm2_unseal" version="3.0.2-858-g88956e75" tctis="dynamic" tcti-default=tabrmd dlclose=enabled
> > 
> > tpm-tss is v2.1.0 and tpm-abrmd is v2.0.3.  Unfortunately the error message does 
> > not mean much for me so any help will be greatly appreciated.
> > 
> > 
> > thanks,
> > Petko
> > 
> > 
> > 
> > ---
> > 
> > Generating RSA private key, 2048 bit long modulus
> > ..............................+++++
> > ...........................................+++++
> > e is 65537 (0x10001)
> > writing RSA key
> > transient-context: signing_key.ctx
> > name: 0x000b5e069ba4b591842c25155d812f635970dabe7cee663aff121088940f88e2da80
> > Signing authority created
> > sha256:
> >   0 : 0x647992CBC9EEBF49D367559D870620C324B1A4307EB2A6166F1ACEC0DC186AEA
> >   1 : 0x519B03509291B643DA7FEC4407FFC47C1C18AF706A611ECA1C159D4608342338
> >   2 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB
> >   3 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB
> > session-context: session.ctx
> > policy-digest: 0x22035897291FE4681D7800685BFC5C73EBCBB88C7A579AB20C2E345A9815FDFE
> > pcr policy created
> > policy is signed
> > session-context: session.ctx
> > 45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1
> > policy authorized
> > sealing object created
> > session-context: session.ctx
> > 45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1
> > WARNING:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
> > ERROR:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:101:Esys_Unseal() Esys Finish ErrorCode (0x0000008f)
> > ERROR: Esys_Unseal(0x8F) - tpm:handle(unk):invalid nonce size or nonce value mismatch
> > ERROR: Unseal failed!
> > ERROR: Unable to run tpm2_unseal
> > cat: unsealed: No such file or directory
> > the end
> 
> 
> _______________________________________________
> tpm2 mailing list
> tpm2(a)lists.01.org
> https://lists.01.org/mailman/listinfo/tpm2
> 

Re: [tpm2] facilitating BIOS update with seamless PCR policy change

[Petko Manolov]

[-- Attachment #1: Type: text/plain, Size: 6386 bytes --]

	Hi,

Yet another update: the same script works fine on dTPM, regardless of the type 
of PCR bank used - sha1 or sha256.

I am currently trying to debug Esys_Unseal(0x8F) - invalid nonce size or nonce 
value mismatch problem.  Any suggestions where shall i start looking at?


thanks,
Petko


On 19-02-20 15:05:33, Petko Manolov wrote:
> 	Hello,
> 
> Just FYI - another fTPM is giving me the same error:
> 
> WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:101:Esys_Unseal() Esys Finish ErrorCode (0x0000008f)
> ERROR: Esys_Unseal(0x8F) - tpm:handle(unk):invalid nonce size or nonce value mismatch
> ERROR: Unseal failed!
> ERROR: Unable to run tpm2_unseal
> 
> The machine is LENOVO P310, BIOS FWKT97A 11/08/2018, Sunrise Point-H chipset.  
> Could you please give me some pointers as to how this could be worked around?
> 
> 
> thanks,
> Petko
> 
> 
> On 19-02-18 10:20:26, Petko Manolov wrote:
> > I am sorry that this didn't go through because of the attached script.  I'm 
> > embedding it to this email so i'd like to apologize about the bloat.
> > 
> > ---
> > 
> > #!/bin/bash
> > 
> > source common.sh
> > 
> > #   Create a signing authority
> > openssl genrsa -out signing_key_private.pem 2048
> > openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
> > tpm2_loadexternal -G rsa -a o -u signing_key_public.pem -o signing_key.ctx \
> > 	-n signing_key.name
> > 
> > echo "Signing authority created"
> > 
> > #   Create a policy to be authorized like a pcr policy:
> > tpm2_pcrlist -L $PCRS -o pcrs.sha256
> > tpm2_startauthsession -S session.ctx
> > tpm2_policypcr -S session.ctx -L $PCRS -F pcrs.sha256 -f pcr.policy
> > tpm2_flushcontext -S session.ctx
> > rm -f session.ctx
> > 
> > echo "pcr policy created"
> > 
> > #   Sign the policy
> > openssl dgst -sha256 -sign signing_key_private.pem -out pcr.signature pcr.policy
> > 
> > echo "policy is signed"
> > 
> > #   Authorize the policy in the policy digest:
> > tpm2_startauthsession -S session.ctx
> > tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy \
> > 	-n signing_key.name
> > tpm2_flushcontext -S session.ctx
> > rm -f session.ctx
> > 
> > echo "policy authorized"
> > 
> > #   Create a TPM object like a sealing object with the authorized policy
> > #   based authentication:
> > echo "secret to seal 123" > secret_file
> > tpm2_createprimary -Q -a o -g sha256 -G rsa -o prim.ctx
> > tpm2_create -Q -g sha256 -u sealing_pubkey.pub -r sealing_prikey.pub \
> > 	-I secret_file -C prim.ctx -L authorized.policy
> > 
> > echo "sealing object created"
> > 
> > #   Satisfy policy and unseal the secret:
> > tpm2_verifysignature -c signing_key.ctx -G sha256 -m pcr.policy \
> > 	-s pcr.signature -t verification.tkt -f rsassa
> > tpm2_startauthsession -a -S session.ctx
> > tpm2_policypcr -Q -S session.ctx -L $PCRS -f pcr.policy
> > tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy \
> > 	-n signing_key.name -t verification.tkt
> > tpm2_load -Q -C prim.ctx -u sealing_pubkey.pub -r sealing_prikey.pub \
> > 	-o sealing_key.ctx
> > tpm2_unseal -p "session:session.ctx" -c sealing_key.ctx -o unsealed
> > cat unsealed
> > tpm2_flushcontext -S session.ctx
> > rm -f session.ctx unsealed
> > 
> > echo "the end"
> > 
> > ---
> > 
> > 
> > thanks,
> > Petko
> > 
> > 
> > On 19-02-18 09:48:37, Petko Manolov wrote:
> > > 	Hello again,
> > > 
> > > I managed to get authorized PCR policies to work for me.  The attached script 
> > > works fine on my thinkpad and on rpi3 with Infineon's SLB9670 SPI TPM2.
> > > 
> > > However, i stumbled upon a problem with an fTPM implementation in a very recent 
> > > AMI BIOS.  Everything seems to be working properly, until i get tpm2_unseal to 
> > > give me the error below.  The tpm2-tools is built with at-the-time tip of git 
> > > commit id:
> > > 
> > > 	872076e1b31f22b18391c6761d47575a93891cd7
> > > 
> > > tpm2_unseal -v:
> > > 
> > > 	tool="tpm2_unseal" version="3.0.2-858-g88956e75" tctis="dynamic" tcti-default=tabrmd dlclose=enabled
> > > 
> > > tpm-tss is v2.1.0 and tpm-abrmd is v2.0.3.  Unfortunately the error message does 
> > > not mean much for me so any help will be greatly appreciated.
> > > 
> > > 
> > > thanks,
> > > Petko
> > > 
> > > 
> > > 
> > > ---
> > > 
> > > Generating RSA private key, 2048 bit long modulus
> > > ..............................+++++
> > > ...........................................+++++
> > > e is 65537 (0x10001)
> > > writing RSA key
> > > transient-context: signing_key.ctx
> > > name: 0x000b5e069ba4b591842c25155d812f635970dabe7cee663aff121088940f88e2da80
> > > Signing authority created
> > > sha256:
> > >   0 : 0x647992CBC9EEBF49D367559D870620C324B1A4307EB2A6166F1ACEC0DC186AEA
> > >   1 : 0x519B03509291B643DA7FEC4407FFC47C1C18AF706A611ECA1C159D4608342338
> > >   2 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB
> > >   3 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB
> > > session-context: session.ctx
> > > policy-digest: 0x22035897291FE4681D7800685BFC5C73EBCBB88C7A579AB20C2E345A9815FDFE
> > > pcr policy created
> > > policy is signed
> > > session-context: session.ctx
> > > 45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1
> > > policy authorized
> > > sealing object created
> > > session-context: session.ctx
> > > 45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1
> > > WARNING:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
> > > ERROR:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:101:Esys_Unseal() Esys Finish ErrorCode (0x0000008f)
> > > ERROR: Esys_Unseal(0x8F) - tpm:handle(unk):invalid nonce size or nonce value mismatch
> > > ERROR: Unseal failed!
> > > ERROR: Unable to run tpm2_unseal
> > > cat: unsealed: No such file or directory
> > > the end
> > 
> > 
> > _______________________________________________
> > tpm2 mailing list
> > tpm2(a)lists.01.org
> > https://lists.01.org/mailman/listinfo/tpm2
> > 
> _______________________________________________
> tpm2 mailing list
> tpm2(a)lists.01.org
> https://lists.01.org/mailman/listinfo/tpm2
>