* [tpm2] Re: Remote Attestation With Tpm2 Tools
@ 2020-09-07  8:36 Steffen Schwebel
  0 siblings, 0 replies; 2+ messages in thread
From: Steffen Schwebel @ 2020-09-07  8:36 UTC (permalink / raw)
  To: tpm2


Hello,

not something I can help you with I'm afraid.
Just wondering if you know about keylime project https://keylime.dev/

They seem to be the guys to ask in regards to remote attestation.

regards,
Steffen

On 9/6/20 7:54 AM, Hanson Char wrote:
> I just managed to get the 3 scripts provided at
>
>   https://tpm2-software.github.io/2020/06/12/Remote-Attestation-With-tpm2-tools.html#scripts-for-implementation-of-the-simple-attestation-framework
>
> to work with the latest tpm2-tss (built from the latest master
> branches) in Ubuntu 20.04 (x86-64 with Infineon TPM SLB9670) so I
> thought I would share some of what I've found.
>
> 1. For the Infineon TPM device SLB9670, I realized the version of the
> TPM firmware needed to be upgraded (e.g. to the latest version
> 7.85.4555.0).  The tpm2_create command in the script would fail when
> executed against the TPM firmware version 7.63.3353.0.
>
> 2. The three scripts need to be in their individual directories.  For
> example:
>
>     ├── DN
>     │   └── device_node.sh
>     ├── PCA
>     │   └── private_ca.sh
>     └── SP
>         └── service_provider.sh
>
> 3. I needed to modify the specific golden PCR value, and the location
> of pcr.bin in service_provider.sh.  In particular:
>
> diff --git a/SP/service_provider.sh b/SP/service_provider.sh
> index a0b40ec..b6433d6 100755
> --- a/SP/service_provider.sh
> +++ b/SP/service_provider.sh
> @@ -13,7 +13,8 @@ device_service_request=0
>
>  # Attestation Data
>  GOLDEN_PCR_SELECTION="sha1:0,1,2+sha256:0,1,2"
> -GOLDEN_PCR="59bf9091f4cbbd2a8796bfe086a501c57226c42739dcf8ad323e7493ad51e38f"
> +#
> GOLDEN_PCR="59bf9091f4cbbd2a8796bfe086a501c57226c42739dcf8ad323e7493ad51e38f"
> +GOLDEN_PCR="c7b544e0359614c896ed32b0fd7fad43c32ba7e19d4b613cdbda162f784b5781"
>
>  # Service Data
>  SERVICE_CONTENT="Hello world!"
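Review bot: The replacement GOLDEN_PCR is a per-machine digest hard-coded in the script, and the previous value is left behind as a commented-out line. Read the golden value from an environment variable or a file next to the script, drop the commented-out assignment, and add a comment stating that the value must correspond to GOLDEN_PCR_SELECTION, so the next person changing the selection or the hardware knows both have to move together.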
> @@ -175,7 +176,7 @@ system_software_state_validation() {
>     software_status_string="Attestation quote signature validation"
>     tpm2_checkquote --public d_s_service_aik.pub  --qualification
> "$NONCE" \
>     --message attestation_quote.dat --signature
> attestation_quote.signature \
> -   --pcr pcr.bin -Q
> +   --pcr ../DN/pcr.bin -Q
>     retval=$?
>     rm -f attestation_quote.signature
>     if [ $retval == 1 ];then
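Review bot: `--pcr ../DN/pcr.bin` ties the check to the current working directory and to the DN directory sitting beside SP on the same filesystem. Put the path in a variable near the top of the script (next to GOLDEN_PCR) so it can be overridden, and test that the file exists before calling tpm2_checkquote, so a missing file is reported as such rather than as a failed quote validation.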
>
> Hope this helps anyone who may try to run the scripts.
>
> Meanwhile, I wonder how the sequence diagram and the scripts may
> differ when privacy is not a concern; and would appreciate any
> pointers or hints.
>
> Regards,
> Hanson

-- 
Steffen Schwebel
Mail: s.schwebel(a)uvensys.de
uvensys GmbH

* [tpm2] Re: Remote Attestation With Tpm2 Tools
@ 2020-09-08 14:53 Roberts, William C
  0 siblings, 0 replies; 2+ messages in thread
From: Roberts, William C @ 2020-09-08 14:53 UTC (permalink / raw)
  To: tpm2


> -----Original Message-----
> From: Hanson Char <hanson.char(a)gmail.com>
> Sent: Sunday, September 6, 2020 12:55 AM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] Remote Attestation With Tpm2 Tools
> 
> I just managed to get the 3 scripts provided at
> 
>   https://tpm2-software.github.io/2020/06/12/Remote-Attestation-With-tpm2-tools.html#scripts-for-implementation-of-the-simple-attestation-framework
> 
> to work with the latest tpm2-tss (built from the latest master branches) in
> Ubuntu 20.04 (x86-64 with Infineon TPM SLB9670) so I thought I would share
> some of what I've found.
> 
> 1. For the Infineon TPM device SLB9670, I realized the version of the TPM
> firmware needed to be upgraded (e.g. to the latest version 7.85.4555.0).  The
> tpm2_create command in the script would fail when executed against the TPM
> firmware version 7.63.3353.0.
> 
> 2. The three scripts need to be in their individual directories.  For example:
> 
>     ├── DN
>     │   └── device_node.sh
>     ├── PCA
>     │   └── private_ca.sh
>     └── SP
>         └── service_provider.sh
> 
> 
> 3. I needed to modify the specific golden PCR value, and the location of pcr.bin in
> service_provider.sh.  In particular:
> 
> diff --git a/SP/service_provider.sh b/SP/service_provider.sh index
> a0b40ec..b6433d6 100755
> --- a/SP/service_provider.sh
> +++ b/SP/service_provider.sh
> @@ -13,7 +13,8 @@ device_service_request=0
> 
>  # Attestation Data
>  GOLDEN_PCR_SELECTION="sha1:0,1,2+sha256:0,1,2"
> -
> GOLDEN_PCR="59bf9091f4cbbd2a8796bfe086a501c57226c42739dcf8ad323e7493a
> d51e38f"
> +#
> GOLDEN_PCR="59bf9091f4cbbd2a8796bfe086a501c57226c42739dcf8ad323e7493a
> d51e38f"
> +GOLDEN_PCR="c7b544e0359614c896ed32b0fd7fad43c32ba7e19d4b613cdbda16
> 2f784b5781"
> 
>  # Service Data
>  SERVICE_CONTENT="Hello world!"
> @@ -175,7 +176,7 @@ system_software_state_validation() {
>     software_status_string="Attestation quote signature validation"
>     tpm2_checkquote --public d_s_service_aik.pub  --qualification "$NONCE" \
>     --message attestation_quote.dat --signature attestation_quote.signature \
> -   --pcr pcr.bin -Q
> +   --pcr ../DN/pcr.bin -Q
>     retval=$?
>     rm -f attestation_quote.signature
>     if [ $retval == 1 ];then
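Review bot: The context line `if [ $retval == 1 ]` matches an exit status of exactly 1; if that branch is the failure path, any other non-zero status from tpm2_checkquote falls through as though the quote had verified. Test `[ "$retval" -ne 0 ]` instead, which also avoids the non-POSIX `==` inside `[ ]` and the unquoted variable.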
> 
> 
> 
> Hope this helps anyone who may try to run the scripts.
> 
> Meanwhile, I wonder how the sequence diagram and the scripts may differ when
> privacy is not a concern; and would appreciate any pointers or hints.

Yeah you can skip the whole makecredential and activate credential parts, and you could just
sign the quote with a fixed AIK (Attestation Identity Key). That would remove anonymity, but
you would know that key is the TPM by:
1. Knowing on the server side receiving the quote that this public key is valid known to a TPM.
2. Using TPM2_Certify to certify that the key with name X is loaded into the TPM, and you trust
     its parents and that name. The name of the signing key for the quote is in the attestation data.
     So you could certify the key is in the TPM using the certify command and another known public key,
     like the endorsement key, and then verify the public structure is consistent with your expected
     template through the name.

    1 is the easier solution.

> 
> Regards,
> Hanson
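
The server-side field checks for the fixed-AIK flow described in the reply above, as an added example that is not part of the thread or of the tpm2-software scripts: it parses the TPMS_ATTEST bytes of a quote (the `--message` file) and compares signer, nonce and PCR digest. Assumptions: the signature has already been verified against the enrolled AIK (for example by tpm2_checkquote), `enrolled_signers` is a hypothetical set of qualifiedSigner values recorded at enrollment, and the sample quote is constructed, not captured from a TPM.

```python
import hmac
import struct

TPM_GENERATED_VALUE = 0xFF544347  # magic "\xffTCG": structure was produced inside a TPM
TPM_ST_ATTEST_QUOTE = 0x8018      # attestation type for TPM2_Quote
GOLDEN_PCR = "c7b544e0359614c896ed32b0fd7fad43c32ba7e19d4b613cdbda162f784b5781"  # from the thread

def _tpm2b(buf, off):  # TPM2B = big-endian u16 length + bytes; returns (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated TPM2B field")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_quote(msg):
    """Parse the TPMS_ATTEST bytes of a quote; raises on malformed input."""
    magic, kind = struct.unpack_from(">IH", msg, 0)
    if magic != TPM_GENERATED_VALUE or kind != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote")
    signer, off = _tpm2b(msg, 6)      # qualifiedSigner
    nonce, off = _tpm2b(msg, off)     # extraData = the verifier's nonce
    (count,) = struct.unpack_from(">I", msg, off + 25)  # skip clockInfo (17) + firmwareVersion (8)
    off += 29
    banks = {}
    for _ in range(count):            # TPML_PCR_SELECTION: hash alg, bitmap size, bitmap
        alg, size = struct.unpack_from(">HB", msg, off)
        bitmap = msg[off + 3:off + 3 + size]
        banks[alg] = [i for i in range(len(bitmap) * 8) if bitmap[i // 8] >> (i % 8) & 1]
        off += 3 + size
    digest, _ = _tpm2b(msg, off)      # pcrDigest over the selected PCRs
    return {"signer": signer, "nonce": nonce, "banks": banks, "pcr_digest": digest}

def check_quote(msg, nonce, enrolled_signers, golden_hex=GOLDEN_PCR):
    """Field checks to run once the signature has verified under the enrolled AIK."""
    q = parse_quote(msg)
    if q["signer"] not in enrolled_signers:
        return "unknown signing key"
    if not hmac.compare_digest(q["nonce"], nonce):
        return "nonce mismatch (replay?)"
    if not hmac.compare_digest(q["pcr_digest"], bytes.fromhex(golden_hex)):
        return "PCR digest differs from golden value"
    return "ok"

def sample_quote(nonce, pcr_digest, signer=b"\x00\x0b" + b"\xaa" * 32):
    """Constructed TPMS_ATTEST for the demo: sha1:0,1,2+sha256:0,1,2, zeroed clock."""
    sel = b"".join(struct.pack(">HB", alg, 3) + b"\x07\x00\x00" for alg in (0x0004, 0x000B))
    out = struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
    for part in (signer, nonce):
        out += struct.pack(">H", len(part)) + part
    out += bytes(25) + struct.pack(">I", 2) + sel
    return out + struct.pack(">H", len(pcr_digest)) + pcr_digest
```
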
