From: Phani Srinivas <phani.srinivas at in.abb.com>
To: tpm2@lists.01.org
Subject: [tpm2] Re: Debugging tpm2 tools based of FAPI
Date: Fri, 07 Aug 2020 05:48:59 +0000	[thread overview]
Message-ID: <AM6PR06MB4947DFE0BA7ACE546FA2CF66A6490@AM6PR06MB4947.eurprd06.prod.outlook.com>
In-Reply-To: b7890dcf4a3b4f9ebe3927ecf1303c19@infineon.com


Hello Florian,

I am using the simulator (mssim config) and removing the persistent data (NVChip), but it seems to be of no help; I see the following error after the clean-up:

WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x00000921) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x00000921) Provision
Fapi_Provision(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode

Do you have any preliminary steps for running the FAPI-based tools, before running the tool as described in the man pages?

Regards
Phani Srinivas S



From: Florian.Schreiner(a)infineon.com <Florian.Schreiner(a)infineon.com>
Sent: Thursday, August 6, 2020 7:03 PM
To: Phani Srinivas <phani.srinivas(a)in.abb.com>; tpm2(a)lists.01.org
Subject: RE: Debugging tpm2 tools based of FAPI


Hi Phani,

I don't know the error code in particular, but the messages say that you triggered the DA lockout security mechanism. This mechanism is implemented to block dictionary attacks (DA), which attackers use to try out as many passwords as possible in a short amount of time. Dictionaries of typical passwords improve the efficiency of those attacks.
The TPM blocks this with a lockout, i.e. if you have tried too many false authorizations in a short period of time, the TPM blocks any further requests until a timer runs out. The time increases as more false authorizations are executed.

Therefore it seems you triggered the DA lockout with this timeout in the first runs, and later on the TPM reports that it is still in the DA lockout.
A recovery method is to leave the TPM powered and wait for the timeout to be over. After that the TPM should work normally.
There are commands available with which you can read the amount of time the timeout still takes. There are also commands that allow resetting the DA lockout using the DA Lockout Auth, so that you don't need to wait for the timeout. The DA Lockout Auth is, for example, the password of the admin.

As you are using the simulator, there should also be a simple method to erase the persistent data stored in the simulator, as it provides no security.

Best,
Florian


Infineon Technologies AG
Security Architect
IFAG DSS ESS TCE
Office: +49 89 234 21833
Mobile: +49 (160) 90105611
Fax: +49 (89) 234 152183300
Florian.Schreiner(a)infineon.com<mailto:Florian.Schreiner(a)infineon.com>

81726 Munich
Germany

www.infineon.com  Discoveries <http://www.infineon.com/discoveries>  Facebook <http://www.facebook.com/infineon>  Twitter <http://www.twitter.com/Infineon>  LinkedIn <http://www.linkedin.com/company/infineon-technologies>

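The two recovery paths Florian describes (read how long the lockout still lasts and wait it out, or reset the counter with the DA Lockout Auth) in runnable form. This is an added example, not code from the thread, from tpm2-tools or from tpm2-tss. It assumes tpm2-tools 4.x/5.x (`tpm2_getcap`, `tpm2_dictionarylockout`), that `TPM2TOOLS_TCTI` already selects the TPM or simulator, and a hypothetical `TPM2_LOCKOUT_AUTH` variable for the lockout password; the `tpm2_getcap properties-variable` text it parses offline is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from tpm2-tools: inspect the TPM 2.0
# dictionary-attack (DA) lockout state and recover from it the two ways described
# above, waiting out the timer or resetting it with the lockout authorization.
# Assumes tpm2-tools 4.x/5.x (tpm2_getcap, tpm2_dictionarylockout) and that
# TPM2TOOLS_TCTI already selects the TPM or simulator, e.g.
#   export TPM2TOOLS_TCTI="mssim:host=127.0.0.1,port=2321"
# TPM2_LOCKOUT_AUTH is a hypothetical variable carrying the lockout password.
set -eu

# Pull one value out of `tpm2_getcap properties-variable` text on stdin.
# $1 is either a top-level property ("TPM2_PT_LOCKOUT_COUNTER: 0x3") or an
# indented flag under TPM2_PT_PERMANENT ("  inLockout: 1").
da_prop() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9A-Fa-fx]*\).*/\1/p" | head -n 1
}

# Hex or decimal string to decimal; a missing value counts as 0.
da_num() { printf '%d' "${1:-0}"; }

# Summarise the DA state from getcap text on stdin as one line:
#   inLockout=<0|1> failures=<count>/<max> recovery_s=<n> lockout_recovery_s=<n>
# recovery_s is the time until one failure is forgiven (TPM2_PT_LOCKOUT_INTERVAL),
# so a locked TPM becomes usable again roughly that many seconds after it locked,
# provided it stays powered; lockout_recovery_s is the wait before lockoutAuth may
# be retried after a wrong lockout password (TPM2_PT_LOCKOUT_RECOVERY).
da_state() {
  text=$(cat)
  in_lockout=$(printf '%s\n' "$text" | da_prop inLockout)
  counter=$(da_num "$(printf '%s\n' "$text" | da_prop TPM2_PT_LOCKOUT_COUNTER)")
  max_fail=$(da_num "$(printf '%s\n' "$text" | da_prop TPM2_PT_MAX_AUTH_FAIL)")
  interval=$(da_num "$(printf '%s\n' "$text" | da_prop TPM2_PT_LOCKOUT_INTERVAL)")
  recovery=$(da_num "$(printf '%s\n' "$text" | da_prop TPM2_PT_LOCKOUT_RECOVERY)")
  printf 'inLockout=%s failures=%s/%s recovery_s=%s lockout_recovery_s=%s\n' \
    "${in_lockout:-0}" "$counter" "$max_fail" "$interval" "$recovery"
}

# Classify: "locked" means every DA-protected authorization, including the lockout
# hierarchy auth that Fapi_Provision needs for TPM2_DictionaryAttackParameters, is
# refused with TPM_RC_LOCKOUT (0x921) until the timer expires or the counter is
# cleared; "ok" means provisioning can proceed.
da_verdict() {
  state=$(da_state)
  case "$state" in
    inLockout=1*) echo "locked: $state" ;;
    *)            echo "ok: $state" ;;
  esac
}

# Reset the failure counter now with the lockout authorization (the "DA Lockout
# Auth"). An empty password is the default on a freshly cleared TPM or a fresh
# simulator NV image. A wrong password here starts the separate lockout_recovery_s wait.
da_clear() {
  if [ -n "${1:-}" ]; then
    tpm2_dictionarylockout --clear-lockout --auth "$1"
  else
    tpm2_dictionarylockout --clear-lockout
  fi
}

# Constructed sample of getcap output for a locked TPM: three failures out of a
# maximum of three and a 1000 s (0x3E8) recovery interval.
SAMPLE_GETCAP='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            1
  reserved1:                 0
  disableClear:              0
  inLockout:                 1
  tpmGeneratedEPS:           1
  reserved2:                 0
TPM2_PT_LOCKOUT_COUNTER: 0x3
TPM2_PT_MAX_AUTH_FAIL: 0x3
TPM2_PT_LOCKOUT_INTERVAL: 0x3E8
TPM2_PT_LOCKOUT_RECOVERY: 0x3E8'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GETCAP" | da_verdict

# Against a real TPM or the simulator, only when explicitly requested.
if [ "${TPM2_DA_DEMO:-0}" = 1 ]; then
  tpm2_getcap properties-variable | da_verdict
  da_clear "${TPM2_LOCKOUT_AUTH:-}"
  tpm2_getcap properties-variable | da_verdict
fi
```

Two checks worth making before running this against the setup in the thread. The WARNING lines in the tss2_provision output come from tcti-device.c, so the FAPI tools opened the TCTI named in fapi-config.json (selected with TSS2_FAPICONF, device TCTI by default), not the mssim endpoint exported in TPM20TEST_TCTI; set that file's "tcti" entry to the mssim string before expecting the simulator's state to matter. And a running simulator keeps its NV image in memory and only reads NVChip at start-up, so delete the file with the simulator stopped.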

From: Phani Srinivas <phani.srinivas(a)in.abb.com<mailto:phani.srinivas(a)in.abb.com>>
Sent: Donnerstag, 6. August 2020 15:17
To: tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
Subject: [tpm2] Debugging tpm2 tools based of FAPI

Hello All,

I was successful in making the FAPI integration tests work and tried out some scenarios of creating keys and performing key operations.

But when I used the tools based on FAPI, I see the following errors:

export TPM20TEST_TCTI=mssim:host=127.0.0.1,port=2321
root@edgesec101:/home/edgesec100/phaniWS/tpm2_tools/tpm2-tools/tools/fapi# ./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x0000098e) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x0000098e) Provision
Fapi_Provision(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented

And later I have  removed the NVChip created in simulator dir, and ran again I see a different error

./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x00000921) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x00000921) Provision
Fapi_Provision(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode


I couldn't find in the documentation any prerequisites to follow to make the FAPI-based tpm2 tools work.

I see some RM configuration to be done, but I was not successful in my trials; any suggestions on how the environment should be set up to make the FAPI-based tpm2 tools work?


Regards
Phani Srinivas S
R&D Principal Engineer, ABB
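The two return codes in the tss2_provision output above, 0x98E on the first run and 0x921 after the clean-up, are plain TSS2_RC values, and their meaning follows from the bit layout alone: bits 16-23 name the TSS layer (0 is the TPM itself), and for the TPM layer bit 7 separates format-1 codes (which carry a handle, session or parameter number) from format-0 codes (where bit 11 marks a warning). The decoder below reproduces that breakdown, the same one the tss2_rc(1) tool prints. It is an added example, not code from the thread or from tpm2-tss; the small name tables cover only the codes relevant to provisioning and DA lockout, everything else is reported by number.

```shell
#!/bin/sh
# Added example, not code from the thread or from tpm2-tss: decode a TSS2_RC such as
# the 0x98E and 0x921 in the tss2_provision output into layer, format and number,
# the way tss2_rc(1) does, using only the bit layout from the TSS2 and TPM 2.0 specs.
set -eu

# Names for a few format-1 error numbers (bits 0-5 of a code with bit 7 set).
tpm_fmt1_name() {
  case "$1" in
    14) echo "TPM_RC_AUTH_FAIL (the authorization HMAC check failed and DA counter incremented)" ;;
    34) echo "TPM_RC_BAD_AUTH (authorization failed, DA counter not incremented)" ;;
    *)  printf 'TPM_RC format-1 error 0x%02X\n' "$1" ;;
  esac
}

# Names for a few format-0 warning numbers (bits 0-6 of a code with bit 11 set).
tpm_warn_name() {
  case "$1" in
    33) echo "TPM_RC_LOCKOUT (the TPM is in DA lockout mode)" ;;
    34) echo "TPM_RC_RETRY (TPM busy, retry the command)" ;;
    35) echo "TPM_RC_NV_UNAVAILABLE (NV is not available)" ;;
    *)  printf 'TPM_RC warning 0x%02X\n' "$1" ;;
  esac
}

# Names for a few format-0 error numbers (bits 0-6, bit 11 clear).
tpm_fmt0_name() {
  case "$1" in
    37) echo "TPM_RC_AUTH_MISSING (authorization required but not provided)" ;;
    47) echo "TPM_RC_AUTH_UNAVAILABLE (authorization handle is not available)" ;;
    *)  printf 'TPM_RC format-0 error 0x%02X\n' "$1" ;;
  esac
}

# Decode one TSS2_RC given as hex or decimal. Prints "<layer>:<where or class>:<name>".
# Arithmetic uses decimal divisors so it runs under any POSIX sh.
tss2_rc_decode() {
  rc=$(printf '%d' "$1")
  layer=$(( (rc / 65536) % 256 ))      # bits 16-23: which TSS layer produced the code
  code=$(( rc % 65536 ))               # bits 0-15: the TPM_RC when the layer is 0
  case "$layer" in
    0)  layer_name=tpm ;;
    6)  layer_name=fapi ;;
    7)  layer_name=esys ;;
    8)  layer_name=sys ;;
    9)  layer_name=mu ;;
    10) layer_name=tcti ;;
    11) layer_name=resmgr ;;
    12) layer_name=resmgr_tpm ;;
    *)  layer_name="layer$layer" ;;
  esac
  if [ "$layer" -ne 0 ]; then
    # Non-TPM layers (FAPI, ESYS, TCTI, ...) have their own base error numbers.
    printf '%s:code(0x%X)\n' "$layer_name" "$code"
    return 0
  fi
  if [ "$code" -eq 0 ]; then
    echo "tpm:success"
    return 0
  fi
  fmt1=$(( (code / 128) % 2 ))         # bit 7: format-1 code (handle/session/parameter)
  if [ "$fmt1" -eq 1 ]; then
    err=$(( code % 64 ))               # bits 0-5: error number
    p=$(( (code / 64) % 2 ))           # bit 6: refers to a parameter (1) or handle/session (0)
    n=$(( (code / 256) % 16 ))         # bits 8-11: N; for handles bit 11 set means "session"
    if [ "$p" -eq 1 ]; then
      where="parameter($n)"
    elif [ "$n" -ge 8 ]; then
      where="session($(( n - 8 )))"
    else
      where="handle($n)"
    fi
    printf 'tpm:%s:%s\n' "$where" "$(tpm_fmt1_name "$err")"
    return 0
  fi
  ver1=$(( (code / 256) % 2 ))         # bit 8: TPM 2.0 format-0 code (clear means TPM 1.2)
  vendor=$(( (code / 1024) % 2 ))      # bit 10: vendor-defined code
  warn=$(( (code / 2048) % 2 ))        # bit 11: warning rather than error
  num=$(( code % 128 ))                # bits 0-6: error or warning number
  if [ "$ver1" -eq 0 ]; then
    printf 'tpm1.2:code(0x%X)\n' "$code"
  elif [ "$vendor" -eq 1 ]; then
    printf 'tpm:vendor(2.0):code(0x%02X)\n' "$num"
  elif [ "$warn" -eq 1 ]; then
    printf 'tpm:warn(2.0):%s\n' "$(tpm_warn_name "$num")"
  else
    printf 'tpm:error(2.0):%s\n' "$(tpm_fmt0_name "$num")"
  fi
}

# The two codes from the thread: session 1 is the lockout-hierarchy authorization
# that Fapi_Provision supplies to TPM2_DictionaryAttackParameters.
tss2_rc_decode 0x98E
tss2_rc_decode 0x921
```

Read together, the two codes tell the story of the thread: 0x98E says the lockout-hierarchy password offered on session 1 was wrong and the DA counter went up; 0x921 on the next runs says the counter has reached the maximum and the TPM will refuse every DA-protected authorization, including the one needed to fix it, until the interval elapses or the counter is cleared with the correct lockout auth.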



Thread overview: 3+ messages
2020-08-07  5:48 Phani Srinivas [this message]
2020-08-11 10:02 [tpm2] Re: Debugging tpm2 tools based of FAPI Florian.Schreiner
2020-08-06 13:33 Florian.Schreiner
