* Re: [tpm2] TPM2 changing the DictionaryAttackParamaters
@ 2018-09-05 19:53 Roberts, William C
  0 siblings, 0 replies; 3+ messages in thread
From: Roberts, William C @ 2018-09-05 19:53 UTC (permalink / raw)
  To: tpm2

Ah, you're going to the device directly; maybe you need to issue a tpm_startup.

Can you replicate this with the simulator and step-debug the simulator? Oftentimes
that's how I solve these things.

> -----Original Message-----
> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Litjes, Christian
> Sent: Thursday, August 30, 2018 1:18 AM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] TPM2 changing the DictionaryAttackParamaters
> 
> Hi everyone,
>
> I'm trying to set up a system with the cryptfs2 and tpm2-tooling which is currently
> working but I'd like to change the DictionaryAttackParameter recovery time.
>
> I've tried the following (scenario 1):
>
> Reset TPM from the BIOS
>
> tpm2_takeownership -T "device" -L "1234567890"
>
> tpm2_dictionarylockout -s -n 32 -l 86400 -t 5 -p "1234567890"
>
> I get a warning: the command may require writing of NV and NV is not current
> accessible.
>
> If I check the settings with:
>
> tpm2_getcap -c properties-variable
>
> I notice they are not changed.
>
> Reset TPM from the BIOS
>
> tpm2_dictionarylockout -s -n 32 -l 86400 -t 5 -p "1234567890"
>
> tpm2_getcap -c properties-variable
>
> Values are written.
>
> tpm2_takeownership -T "device" -L "1234567890"
>
> tpm2_getcap -c properties-variable
>
> Settings are reset to default.
>
> What would I need to do to get the first scenario to work? I know I'm combining
> tools from 2.x with master. But that's because the cryptfs tooling is dependent on
> 2.x.
>
> How can I unlock the NV? I've found tpm2_release but I've got no clue what to
> release.
>
> Kind Regards,
>
> Christian Litjes
>
> 
> ________________________________
> 
> The information contained in this message may be confidential and legally
> protected under applicable law. The message is intended solely for the
> addressee(s). If you are not the intended recipient, you are hereby notified that
> any use, forwarding, dissemination, or reproduction of this message is strictly
> prohibited and may be unlawful. If you are not the intended recipient, please
> contact the sender by return e-mail and destroy all copies of the original
> message.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [tpm2] TPM2 changing the DictionaryAttackParamaters
@ 2018-09-20  7:05 Litjes, Christian
  0 siblings, 0 replies; 3+ messages in thread
From: Litjes, Christian @ 2018-09-20  7:05 UTC (permalink / raw)
  To: tpm2

Hi Robert,

We figured out what was wrong. Without the simulator though ^^.
tpm2_takeownership -T "device" -L "pass" was used instead of what it should have been: tpm2_takeownership -T "device" -l "pass"

After this change we could use:
tpm2_dictionarylockout -s -n 32 -l 86400 -t 5 -p "pass"

And saw the values change and they stuck.

Kind Regards,
Christian Litjes


^ permalink raw reply	[flat|nested] 3+ messages in thread
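
The check used throughout this thread (reading `tpm2_getcap -c properties-variable` after each step), as an added example that is not part of the original messages or of tpm2-tools. The function names `da_value` and `da_check` are hypothetical, the sample outputs are constructed, and the script assumes one `NAME: 0xHEX` line per property, with -n mapping to MAX_AUTH_FAIL, -t to LOCKOUT_INTERVAL and -l to LOCKOUT_RECOVERY.

```shell
#!/bin/sh
# Added example (not from tpm2-tools): compare the DA parameters reported by
# `tpm2_getcap -c properties-variable` with the values given to
# tpm2_dictionarylockout (-n max tries, -t recovery time, -l lockout recovery).
# Assumption: one "NAME: 0xHEX" line per property; prefix TPM_PT_ or TPM2_PT_.

# Constructed sample outputs, not captured from a real TPM.
SAMPLE_UNCHANGED='TPM_PT_MAX_AUTH_FAIL:      0x00000003
TPM_PT_LOCKOUT_INTERVAL:   0x000003E8
TPM_PT_LOCKOUT_RECOVERY:   0x000003E8'
SAMPLE_APPLIED='TPM_PT_MAX_AUTH_FAIL:      0x00000020
TPM_PT_LOCKOUT_INTERVAL:   0x00000005
TPM_PT_LOCKOUT_RECOVERY:   0x00015180'

# da_value NAME < getcap-output: print NAME's value in decimal, fail if absent.
da_value() {
    awk -v want="$1" '
        { name = $1; sub(/:$/, "", name); sub(/^TPM2?_PT_/, "", name) }
        name == want && $2 ~ /^0x[0-9a-fA-F]+$/ { print $2; exit }
    ' | { read -r hex || exit 1; printf "%d\n" "$hex"; }
}

# da_check MAX_TRIES RECOVERY_TIME LOCKOUT_RECOVERY < getcap-output
# Returns 0 only if all three properties are present and match.
da_check() {
    caps=$(cat)
    rc=0
    for pair in "MAX_AUTH_FAIL=$1" "LOCKOUT_INTERVAL=$2" "LOCKOUT_RECOVERY=$3"; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$caps" | da_value "$name") || got=missing
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name: want $want, got $got" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Values from the thread: -n 32 -l 86400 -t 5
if printf '%s\n' "$SAMPLE_APPLIED" | da_check 32 5 86400; then
    echo "DA parameters applied"
fi
```

On a live system the same check reads the tool output directly: `tpm2_getcap -c properties-variable | da_check 32 5 86400`.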

* [tpm2] TPM2 changing the DictionaryAttackParamaters
@ 2018-08-30  8:18 Litjes, Christian
  0 siblings, 0 replies; 3+ messages in thread
From: Litjes, Christian @ 2018-08-30  8:18 UTC (permalink / raw)
  To: tpm2

Hi everyone,

I'm trying to set up a system with the cryptfs2 and tpm2-tooling which is currently working but I'd like to change the DictionaryAttackParameter recovery time.

I've tried the following (scenario 1):

Reset TPM from the BIOS

tpm2_takeownership -T "device" -L "1234567890"

tpm2_dictionarylockout -s -n 32 -l 86400 -t 5 -p "1234567890"

I get a warning: the command may require writing of NV and NV is not current accessible.

If I check the settings with:

tpm2_getcap -c properties-variable

I notice they are not changed.

Reset TPM from the BIOS

tpm2_dictionarylockout -s -n 32 -l 86400 -t 5 -p "1234567890"

tpm2_getcap -c properties-variable

Values are written.

tpm2_takeownership -T "device" -L "1234567890"

tpm2_getcap -c properties-variable

Settings are reset to default.

What would I need to do to get the first scenario to work? I know I'm combining tools from 2.x with master. But that's because the cryptfs tooling is dependent on 2.x.

How can I unlock the NV? I've found tpm2_release but I've got no clue what to release.

Kind Regards,

Christian Litjes


^ permalink raw reply	[flat|nested] 3+ messages in thread
