I've been working to clean up the tpm2-tcti-uefi build / repo (https://github.com/flihp/tpm2-tcti-uefi) now that we have better control over the compilation flags in the tpm2-tss build. The tpm2-tss submodule and all of the custom build logic has now been removed and I've got travis-ci building the example UEFI executables using libtss2-mu and libtss2-sys built using the appropriate autotools mechanisms (config.site: https://github.com/flihp/tpm2-tcti-uefi/blob/master/.travis.yml#L33). Currently I'm adding some details to the documentation and working on a set of instructions for testing the example UEFI application under qemu using the OVMF firmware.
While I'm finishing up the docs I wanted to get a message out to the list to solicit input from anyone interested in this work. If you have a few spare cycles I'd appreciate input on the repo as it stands now as well as any opinions on including this repo in the tpm2-software github org since this is my goal once the docs are done.
As a little pre-Christmas thing I've done a reimplementation of mjg's tpm-totp, but for TPM 2.0.
Also I've split up the project into a library and a wrapping executable to make GUIs easier to implement.
Please consider testing it and giving any feedback (especially also positive feedback) so we can move this from my personal namespace over into the github.com/tpm2-software namespace and make it an "official" project.
P.S. There are still 4 TODOs inside the code, but those are basically "future features".
Thanks a lot,
I'm on Debian testing (tpm2-abrmd version 2.0.3, tpm2-tools 3.1.3, kernel
v4.19.8) and no matter how I play with environment variables I can't get the
tpm2_xxx to talk to the abrm daemon. Since this kernel has builtin RM I assume
there might be a collision between the userspace and kernel implementations.
I ran into this issue as my script's 'tpm2_load' runs out of memory (error
0x902). Running "tpm2-abrmd -f --allow-root" doesn't complain but:
# tpm2_takeownership -c
ERROR:tcti:src/tss2-tcti/tcti-device.c:319:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Device or resource busy
ERROR: tcti init allocation routine failed for library: "device" options: "(null)"
ERROR: Could not load tcti, got: "device"
How do I tell tpm2_xxx to use the userspace daemon instead of /dev/tpm0?
I'd like to apologize if this has been answered before. If that's the case
please point me to the corresponding thread.
I am currently having problems unsealing a secret from the TPM.
I hope that you can detect the issue in my instructions below :)
The versions that I am using are the following:
1. Tpm2-tss 2.0.0
2. Tpm2-abrmd 2.0.0
3. Tpm2-tools 3.1.0
The platform I am using is a Compulab Fitlet2 device (Intel Atom x5-E3950 Apollo Lake), with Fedora 28 and Linux kernel 4.19.x.
In this case, the device supports a firmware TPM, and it is enabled in the BIOS (fTPM).
So, after installing the tpm2 stack from github releases, I am sealing a secret with the following commands:
# Create a random secret to be saved in the TPM
tpm2_getrandom 32 --output key.bin
# I use a pcr policy on sha1 banks 0 and 1, this gets the pcr state
tpm2_pcrlist --sel-list sha1:0,1 --output pcr_state.bin
# Create a policy with those PCR
tpm2_createpolicy --policy-pcr --set-list sha1:0,1 \
  --pcr-input-file pcr_state.bin --policy-file policy.bin
# Create a primary object with endorsement hierarchy
tpm2_createprimary --hierarchy e --halg sha1 --kalg rsa --context primary.context
# Create an object to be loaded in the TPM
tpm2_create --halg sha256 --kalg keyedhash --pubfile key.pub --privfile key.priv \
--context-parent primary.context --policy-file policy.bin \
--object-attributes "fixedtpm|fixedparent|noda|adminwithpolicy" --in-file key.bin
# Load the object in the TPM
tpm2_load --context-parent primary.context --pubfile key.pub --privfile key.priv \
  --context load.context
# Persist the object in the TPM
tpm2_evictcontrol --auth o --context load.context --persistent 0x81010002
# Check if the object is persisted, looks good
tpm2_listpersistent
persistent-handle:0x81010002 key-alg:keyedhash hash-alg:sha256 object-attr:fixedtpm|fixedparent|noda|adminwithpolicy
# Unseal the object, works!
tpm2_unseal --item 0x81010002 --set-list sha1:0,1 > compare_key.bin
# Compare original and unsealed objects, they match :)
diff compare_key.bin key.bin
# After this initial setup, I reboot the device, and try to unseal the secret again
# After reboot, open a terminal and do
tpm2_unseal --item 0x81010002 --set-list sha1:0,1 > compare_disk_key.bin
ERROR: Sys_Unseal failed. Error Code: 0x99d
ERROR: Unseal failed!
ERROR: Unable to run tpm2_unseal
# Use tpm2_rc_decode to decode the error message 0x99d, it is a policy check error!
tpm2_rc_decode 0x99d
description: Error produced by the TPM
format 1 error code
description: a policy check failed
# I checked the PCR 0,1, and they have the same values as at the moment to seal the object.
# So I don't understand why I am having a "TPM2_RC_POLICY_FAIL" error.
# I tried the same process several times, and each time I end up in the same error state.
Is there something I am missing here?
Is something additional I need to do to satisfy the policy to unseal the data?
Any help is appreciated!
Thank you in advance.
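For readers following the unseal procedure above, this added example (not code from the message or from tpm2-tools) shows how the TPM derives the PCR policy digest that tpm2_createpolicy writes and that tpm2_unseal's session must reproduce: any change in a selected PCR value, in the selection, or in the bank changes the digest and yields TPM_RC_POLICY_FAIL. It assumes the tool's default sha256 policy-digest algorithm and a 3-byte pcrSelect; the PCR values are constructed.

```python
import hashlib
import struct

# Constants from TPM 2.0 Library Part 2 (TPM_CC and TPM_ALG_ID).
TPM_CC_POLICYPCR = 0x0000017F
TPM_ALG_SHA1 = 0x0004

def tpml_pcr_selection(alg, pcrs, size_of_select=3):
    """Marshal a one-entry TPML_PCR_SELECTION: count, hash alg, sizeofSelect, bitmap.
    A 3-byte pcrSelect is an assumption (it is what the tools of this era send)."""
    bitmap = bytearray(size_of_select)
    for p in pcrs:
        bitmap[p // 8] |= 1 << (p % 8)
    return struct.pack(">IHB", 1, alg, size_of_select) + bytes(bitmap)

def policy_pcr_digest(pcr_values, pcrs=(0, 1), bank_alg=TPM_ALG_SHA1, policy_hash="sha256"):
    """TPM2_PolicyPCR applied to a fresh session (policyDigest starts as all zeros):
       pcrDigest    = H(PCR values concatenated in ascending index order)
       policyDigest = H(zeros || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || pcrDigest)"""
    pcr_digest = hashlib.new(policy_hash, b"".join(pcr_values[p] for p in sorted(pcrs))).digest()
    h = hashlib.new(policy_hash)
    start = bytes(h.digest_size)
    h.update(start + struct.pack(">I", TPM_CC_POLICYPCR)
             + tpml_pcr_selection(bank_alg, pcrs) + pcr_digest)
    return h.digest()

def policy_satisfiable(sealed_digest, current_pcr_values, pcrs=(0, 1)):
    """True only if the live PCR values reproduce the digest the object was sealed to."""
    return policy_pcr_digest(current_pcr_values, pcrs) == sealed_digest

# Constructed sample PCR values (20 bytes each, the size of a sha1 bank entry).
SEALED = {0: bytes([0x11]) * 20, 1: bytes([0x22]) * 20}
# Constructed post-reboot state where PCR 1 extended something different.
DRIFTED = {0: bytes([0x11]) * 20, 1: bytes([0x23]) * 20}

if __name__ == "__main__":
    d = policy_pcr_digest(SEALED)
    print("sealed policy digest:", d.hex())
    print("unchanged PCRs satisfy policy:", policy_satisfiable(d, SEALED))
    print("drifted PCRs satisfy policy:", policy_satisfiable(d, DRIFTED))
```

Feeding the actual 20-byte values from pcr_state.bin into `policy_pcr_digest` and comparing with the contents of policy.bin is a quick offline check that the sealed policy really was computed over the bank and selection you unseal with.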
I am trying to create a primary key using Esys_CreatePrimary. The code
works without any issues when trying on the simulator, but fails when
trying on a hardware TPM using /dev/tpm0
The error I am getting is:
Received TPM Error
Esys Finish ErrorCode (0x000001c2)
Can someone point out why I am getting this error? So far I am unable to
pinpoint the problem.
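Three raw TPM return codes appear in this digest (0x902 from the tpm2_load message, 0x99d from the unseal message, and 0x1c2 from the Esys_CreatePrimary message above). The following added example (not code from any of the posters or from tpm2-tss) decodes such codes the way tpm2_rc_decode does, using the bit layout from TPM 2.0 Library Part 2; the name tables are a partial subset.

```python
# Partial tables of TPM 2.0 return codes (TPM 2.0 Library Part 2, TPM_RC).
FMT1_ERRORS = {  # RC_FMT1 (0x080) + n
    0x01: "TPM_RC_ASYMMETRIC", 0x02: "TPM_RC_ATTRIBUTES", 0x03: "TPM_RC_HASH",
    0x04: "TPM_RC_VALUE", 0x05: "TPM_RC_HIERARCHY", 0x0A: "TPM_RC_TYPE",
    0x0B: "TPM_RC_HANDLE", 0x0D: "TPM_RC_RANGE", 0x0E: "TPM_RC_AUTH_FAIL",
    0x12: "TPM_RC_SCHEME", 0x15: "TPM_RC_SIZE", 0x1B: "TPM_RC_SIGNATURE",
    0x1D: "TPM_RC_POLICY_FAIL", 0x22: "TPM_RC_BAD_AUTH", 0x24: "TPM_RC_POLICY_CC",
}
FMT0_WARNINGS = {  # RC_WARN (0x900) + n
    0x01: "TPM_RC_CONTEXT_GAP", 0x02: "TPM_RC_OBJECT_MEMORY",
    0x03: "TPM_RC_SESSION_MEMORY", 0x04: "TPM_RC_MEMORY",
    0x21: "TPM_RC_LOCKOUT", 0x22: "TPM_RC_RETRY",
}

def decode_tpm_rc(rc):
    """Return (name, subject, index) for a TPM2 return code.

    Bits 31:16 set: the code came from a TSS layer, not from the TPM.
    Format-1 (bit 7 set): bits 5:0 error number; bit 6 P (1 = parameter,
    0 = handle/session); bits 10:8 N (1-based index); bit 11 (only when
    P is 0) 1 = session, 0 = handle.
    Format-0 with bits 11 and 8 set (RC_WARN) is a warning, bits 6:0 select it."""
    if rc == 0:
        return ("TPM_RC_SUCCESS", None, None)
    if rc & 0xFFFF0000:
        return ("TSS_LAYER_0x%04X" % (rc >> 16), None, None)
    if rc & 0x80:
        err, n = rc & 0x3F, (rc >> 8) & 0x7
        if rc & 0x40:
            subject = "parameter"
        elif rc & 0x800:
            subject = "session"
        else:
            subject = "handle"
        return (FMT1_ERRORS.get(err, "TPM_RC_FMT1_0x%02X" % err), subject, n)
    if rc & 0x900 == 0x900:
        w = rc & 0x7F
        return (FMT0_WARNINGS.get(w, "TPM_RC_WARN_0x%02X" % w), "warning", None)
    return ("TPM_RC_FMT0_0x%03X" % rc, None, None)

if __name__ == "__main__":
    # The three codes quoted in this thread.
    for code in (0x902, 0x99D, 0x1C2):
        print("0x%03x ->" % code, decode_tpm_rc(code))
```

A format-1 result tells you which handle, session or parameter (1-based, in command order) the TPM rejected, which narrows a failing Esys_CreatePrimary call to one argument before any debugging of the TCTI path.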