* [tpm2] Re: TPM for SSH authentication
@ 2021-08-04 20:21 scott.r.eisele
From: scott.r.eisele @ 2021-08-04 20:21 UTC (permalink / raw)
  To: tpm2


Thanks for pointing me to that resource. It turned out that the command I thought was failing was still storing the key. The message about the error with Fapi_List() is still present but doesn't seem to impact this use case.


* [tpm2] Re: TPM for SSH authentication
@ 2021-07-21 17:03 Roberts, William C
From: Roberts, William C @ 2021-07-21 17:03 UTC (permalink / raw)
  To: tpm2


The tpm2-pkcs11 project supports two backends:
  - The original backend (sqlite3)
  - The FAPI backend (file system stores)

There is a document describing how to set up SSH using the original backend:
https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/SSH.md

If you really want to use the FAPI backend, you need to get tss2_provision to work, not exactly sure what the error is there.
But perhaps others will know.


________________________________
From: scott.r.eisele(a)gmail.com <scott.r.eisele(a)gmail.com>
Sent: Monday, July 19, 2021 10:36 PM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] TPM for SSH authentication

Hi everyone!
I'm trying to use a TPM to secure ssh keys, following the example here: https://incenp.org/notes/2020/tpm-based-ssh-key.html
First, is this a standard way to secure ssh keys? Or is there another method that is preferred?

Assuming this method is acceptable, I made it to the point of extracting the public key from the PKCS11 token but ran into an issue.

$ ssh-keygen -vvv -D /usr/local/lib/libtpm2_pkcs11.so > tpm2key1.pub
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
ERROR: Listing FAPI token objects failed.
debug1: provider /usr/local/lib/libtpm2_pkcs11.so: manufacturerID <tpm2-software.github.io> cryptokiVersion 2.40 libraryDescription <TPM2.0 Cryptoki> libraryVersion 0.0
debug1: provider /usr/local/lib/libtpm2_pkcs11.so slot 0: label <firstToken> manufacturerID <Infineon> model <SLB9670> serial <000000000000000> flags 0x40d
debug1: have 1 keys
debug2: pkcs11_register_provider: ignoring uninitialised token in provider /usr/local/lib/libtpm2_pkcs11.so slot 1
debug1: pkcs11_k11_free: parent 0xaaaaf0703630 ptr 0xaaaaf06ed350 idx 1
debug1: pkcs11_provider_unref: 0xaaaaf0692300 refcount 2
debug1: pkcs11_provider_finalize: 0xaaaaf0692300 refcount 1 valid 1
debug1: pkcs11_provider_unref: 0xaaaaf0692300 refcount 1

I then tried running Fapi_List() directly:

$ sudo tss2_list
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:216:Fapi_List_Finish() Path not found:
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
Fapi_List(0x60034) - fapi:Provisioning was not executed.

And assumed that provisioning was required. So I attempted that:

$ sudo tss2_provision
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:520:Fapi_Provision_Finish() ErrorCode (0x0006000b) SRK persistent handle already defined
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x0006000b) Provision
Fapi_Provision(0x6000B) - fapi:A parameter has a bad value

At this point, I'm at a loss as to what the state of the TPM is and how to properly provision it and establish the Storage Hierarchy.
I've looked at https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
but it's not clear to me how to apply it.

Any help would be great. Thanks!

My platform configuration is:
raspberry pi 3b+
Infineon OPTIGA™ TPM SLx 9670
ubuntu 20.04
tpm2-tss-3.1.0
tpm2-tools-5.1.1
tpm2-abrmd-2.4.0
tpm2-pkcs11-1.6.0
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org



* [tpm2] Re: TPM for SSH authentication
@ 2021-07-20  7:11 Anthony Arrascue
From: Anthony Arrascue @ 2021-07-20  7:11 UTC (permalink / raw)
  To: tpm2


Hi Scott,

Yes, if you are searching how to re-provision your TPM take a look at this thread (for an older version of the tools though):
https://lists.01.org/hyperkitty/list/tpm2(a)lists.01.org/thread/4LVFPEUGMA5GMQJCZV5N7GW7WMEDYCRO/

I sketched some steps and other users pointed other ways of doing it.

I hope this helps.

Best, 
Anthony


