* [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
@ 2020-04-03 15:18 Roberts, William C
  0 siblings, 0 replies; 9+ messages in thread
From: Roberts, William C @ 2020-04-03 15:18 UTC (permalink / raw)
  To: tpm2




> -----Original Message-----
> From: Rowan Moul [mailto:lists(a)rowan.moul.ca]
> Sent: Wednesday, April 1, 2020 7:17 PM
> To: John S <sedigj(a)gmail.com>
> Cc: tpm2(a)lists.01.org
> Subject: [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
> 
> 
> Your quotes look fine to me.
> 
> 
> 	This appears to be confirmation that these commands are Not present on
> my TPM:
> 	$ tpm2_getcap commands|grep eps
> 	$ tpm2_getcap commands|grep pps
> 
> I’m not sure of the exact implementation that tpm2-tools uses. It’s possible that
> the tool name doesn’t match the internal command used, but this one is best left
> to the experts.

You should be able to add -I to that grep; it will be output as:
TPM2_CC_ChangeEPS
TPM2_CC_ChangePPS

> 
> 
> 	Thanks, do you have a link? I could not find this thread yet after
> searching. Also, is there a good reason to use the unique data in addition to being
> extra cautious? Maybe this is addressed in the thread.
> 
> As for the unique field. I can’t say if it’s better or worse to use it or not. However
> if you don’t use it, anyone with access to your TPM can re-generate your primary
> key (assuming they know what other options you chose). Once they have your
> Primary Key, they have everything under it too.

Anything that's input to the CreatePrimary command will control the generated key. So any input
that varies changes the key.

If you set the auth value, that will also provide uniqueness. The policy value will too, but that can
be read out by anyone. You can assume that your template for key generation is known, with the
exception of:
1. secrets used to auth via policy
2. password (private portion of the object anyways)

If someone creates a primary key, they will be able to load objects under the primary object
IFF they have auth. So even if they know your full template and policy hash (all public info),
the policy controls whether or not they can load subordinate objects, as load requires parent
object authorization. So they won't be able to load them if they don't know the authorization to
the object.

The unique field shouldn't be considered a security feature. It's merely so you could create
different primary keys with *almost* the same template/input parameters. You would vary
the unique field.

To protect a primary key from unauthorized use, set proper authorization (period).




* [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
@ 2020-04-02 10:01 Florian.Schreiner
  0 siblings, 0 replies; 9+ messages in thread
From: Florian.Schreiner @ 2020-04-02 10:01 UTC (permalink / raw)
  To: tpm2


For Infineon, TPMs with firmware versions FW 7.8x, e.g. FW 7.85 (see www.infineon.com/tpm), support the Change_EPS/PPS commands.

Florian



* [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
@ 2020-04-02  0:17 Rowan Moul
  0 siblings, 0 replies; 9+ messages in thread
From: Rowan Moul @ 2020-04-02  0:17 UTC (permalink / raw)
  To: tpm2



Your quotes look fine to me.

> This appears to be confirmation that these commands are Not present on my TPM:
> $ tpm2_getcap commands|grep eps
> $ tpm2_getcap commands|grep pps

I’m not sure of the exact implementation that tpm2-tools uses. It’s possible that the tool name doesn’t match the internal command used, but this one is best left to the experts.

> Thanks, do you have a link? I could not find this thread yet after searching. Also, is there a good reason to use the unique data in addition to being extra cautious? Maybe this is addressed in the thread.

As for the unique field, I can’t say if it’s better or worse to use it or not. However, if you don’t use it, anyone with access to your TPM can re-generate your primary key (assuming they know what other options you chose). Once they have your Primary Key, they have everything under it too.
The thread I referred to is mostly about some awkward formatting required. It got split into two because I didn’t reply all correctly.
The context: https://lists.01.org/hyperkitty/list/tpm2(a)lists.01.org/thread/B5HVVKDH4PVGOUCT6WPCHRYHB35LMDBW/
The useful part: https://lists.01.org/hyperkitty/list/tpm2(a)lists.01.org/thread/5YDZRV63LCGX6BZQXRW6S6F77PSS5JU5/


> Regarding Platform authorization value - should I expect this is controlled by BIOS or OS?
> Sounds like I can at least clear it via the BIOS, I'll check.
See section on startup initialization (and read the stuff before that for context)
https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_19

You cannot clear the platform auth as it is set on each boot, so clearing it is minimally useful. You can’t do anything with it unless the one who set it gives you this option (the bios/platform manufacturer). This can be frustrating if, like me, you have a TPM 2.0 with only sha1 PCRs allocated despite supporting sha256.
(If this is incorrect, someone please tell me how so I can re-allocate my PCRs!)

Rowan

>> On Apr 1, 2020, at 15:59, John S <sedigj(a)gmail.com> wrote:
> Thank you both for a prompt reply yesterday.
> 
> From what you contributed yesterday, I understand tpm2_clear will clear the Owner seed/hierarchy, and that the functionality to perform the clear on the Owner hierarchy can be disabled.
> 
>> Platform and Endorsement seeds generally are stable, but the command set
>> Does allow for ChangeEPS and ChangeSPS commands. But I don't think I have
>> ever seen a production TPM support this, but be aware that it exists.
> This appears to be confirmation that these commands are Not present on my TPM:
> $ tpm2_getcap commands|grep eps
> $ tpm2_getcap commands|grep pps
> 
> I read in another discussion that it sounds like this means that platform and endorsement seeds would effectively be unchangeable in my case.
> https://lists.01.org/hyperkitty/list/tpm2(a)lists.01.org/thread/5KE3W6QLYH3N76K753VNQSX6CPJMH7KJ/
> 
> 
>> Also on the note of re-generating primary keys, you may find my previous thread about the
>> unique data option in tpm2_createprimary helpful if you want to use unique data in
>> addition to the seed.
> Thanks, do you have a link? I could not find this thread yet after searching. Also, is there a good reason to use the unique data in addition to being extra cautious? Maybe this is addressed in the thread.
> 
> Regarding Platform authorization value - should I expect this is controlled by BIOS or OS?
> Sounds like I can at least clear it via the BIOS, I'll check.
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s



* [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
@ 2020-04-01 22:11 John S
  0 siblings, 0 replies; 9+ messages in thread
From: John S @ 2020-04-01 22:11 UTC (permalink / raw)
  To: tpm2


Looks like my quotes didn't go as expected.

The first:
"Platform and Endorsement seeds generally are stable, but the command set
Does allow for ChangeEPS and ChangeSPS commands. But I don't think I have
ever seen a production TPM support this, but be aware that it exists."

The 2nd:
"Also on the note of re-generating primary keys, you may find my previous thread about the
unique data option in tpm2_createprimary helpful if you want to use unique data in
addition to the seed."


* [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
@ 2020-04-01 22:00 John S
  0 siblings, 0 replies; 9+ messages in thread
From: John S @ 2020-04-01 22:00 UTC (permalink / raw)
  To: tpm2


Thank you both for a prompt reply yesterday.

From what you contributed yesterday, I understand tpm2_clear will clear the Owner seed/hierarchy, and that the functionality to perform the clear on the Owner hierarchy can be disabled.

>Platform and Endorsement seeds generally are stable, but the command set
>Does allow for ChangeEPS and ChangeSPS commands. But I don't think I have
>ever seen a production TPM support this, but be aware that it exists.
This appears to be confirmation that these commands are Not present on my TPM:
$ tpm2_getcap commands|grep eps
$ tpm2_getcap commands|grep pps

I read in another discussion that it sounds like this means that platform and endorsement seeds would effectively be unchangeable in my case.
https://lists.01.org/hyperkitty/list/tpm2(a)lists.01.org/thread/5KE3W6QLYH3N76K753VNQSX6CPJMH7KJ/


>Also on the note of re-generating primary keys, you may find my previous thread about the
>unique data option in tpm2_createprimary helpful if you want to use unique data in
>addition to the seed.
Thanks, do you have a link? I could not find this thread yet after searching. Also, is there a good reason to use the unique data in addition to being extra cautious? Maybe this is addressed in the thread.

Regarding Platform authorization value - should I expect this is controlled by BIOS or OS?
Sounds like I can at least clear it via the BIOS, I'll check.


* [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
@ 2020-03-31 18:11 Rowan Moul
  0 siblings, 0 replies; 9+ messages in thread
From: Rowan Moul @ 2020-03-31 18:11 UTC (permalink / raw)
  To: tpm2


Thanks for the corrections. I’ve only actually used the Owner Hierarchy myself; I guess it makes sense that the endorsement hierarchy is a little different.


Rowan



* [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
@ 2020-03-31 17:46 Roberts, William C
  0 siblings, 0 replies; 9+ messages in thread
From: Roberts, William C @ 2020-03-31 17:46 UTC (permalink / raw)
  To: tpm2




> -----Original Message-----
> From: Rowan Moul [mailto:lists(a)rowan.moul.ca]
> Sent: Tuesday, March 31, 2020 12:40 PM
> To: John S <sedigj(a)gmail.com>
> Cc: tpm2(a)lists.01.org
> Subject: [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
> 
> Hi John,
> 
> There’s a mention in that book, in the Key management Chapter in the Key
> generation section that a TPM_CLEAR command will reset the seeds. I’m not sure

Not seeds (plural), tpm2_clear only resets the Owner seed aka Storage Primary Seed (SPS).

> if it is mentioned elsewhere. Of course it is also in the spec sheets if you can find
> it.
> The man page for tpm2_clear alludes to it too, but could probably stand to be
> more explicit (it says all objects under hierarchies will be lost).

That sounds like it should be upfront, bolded, and corrected that it rolls the SPS.
So only Owner Hierarchy objects are lost.

> 
> So no, the seeds are not permanent forever. Just until cleared.

Platform and Endorsement seeds generally are stable, but the command set
does allow for ChangeEPS and ChangeSPS commands. But I don't think I have
ever seen a production TPM support this, but be aware that it exists.

> tpm2_clear can be authorized in one of two ways: the Platform Hierarchy
> authorization value, or the Dictionary Attack lockout reset authorization value.
> The platform authorization should be set by the BIOS/Firmware on each boot (as
> it is cleared on every shutdown of the TPM) so you don’t have access to this
> normally, though most BIOS interfaces should have a menu option to invoke a
> clear using this value. The dictionary attack lockout defaults to an empty string
> authorization value, so functionally anyone can clear until you set this. As such, it
> is a good idea to set this authorization value if you want to rely on being able to
> re-generate primary keys. If you forget what you set it to later, invoking clear
> (with the platform auth via BIOS menu) will reset it.

You can even disable it with tpm2_clearcontrol.

> Also on the note of re-generating primary keys, you may find my previous thread
> about the unique data option in tpm2_createprimary helpful if you want to use
> unique data in addition to the seed.
> 
> 
> Rowan


* [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
@ 2020-03-31 17:42 Roberts, William C
  0 siblings, 0 replies; 9+ messages in thread
From: Roberts, William C @ 2020-03-31 17:42 UTC (permalink / raw)
  To: tpm2




> -----Original Message-----
> From: John S [mailto:sedigj(a)gmail.com]
> Sent: Tuesday, March 31, 2020 10:58 AM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
> 
> Hi, have been playing around with tpm2 tools and tss engine for openssl for
> a while.
> Also reading Practical Guide to TPM 2.0.
> 
> I have found all the resources in the tpm2-tools readme and wiki and beyond
> quite helpful in getting started.
> 
> The book (chapter 10) talks about the primary seeds for the hierarchy, and how
> any amount of key hierarchies can be extended from the primary keys. Primary
> keys are derived from the primary seeds. My understanding is that the seeds are
> unique and permanent in the tpm hardware.

In practice yes, but be aware that the command set does allow for changeEPS and changePPS
to change the Endorsement and Platform seeds. tpm2_clear changes the owner or
Storage Primary Seed (SPS).

> 
> I was anticipating that tpm2_createprimary could be used to get back to the
> primary key (given the same inputs/template) no matter what data is cleared or
> erased.
> 
> Running tpm2_createprimary twice yields the same result, as evidenced by the rsa
> value, as expected.
> 
> But running:
> tpm2_createprimary
> tpm2_clear
> tpm2_createprimary
> 
> yields a totally different key, as can be seen from the resulting rsa value.
> This is also consistent with the manpage of tpm2_clear:
> "Clears lockout, endorsement and owner hierarchy authorization values." and
> "NOTE: All objects created under the respective hierarchies are lost."
> 
> This makes tpm2_clear seem like an exceptionally dangerous command, if I run it
> once (inadvertently perhaps), I've now destroyed all use of all keys ever created
> on the system. Yet, based on what I thought I understood about the primary
> seeds, I'd always be able to derive back to a key value.
> 
> So, what am I missing?
> Feel free to link in references.

Clear rolls the primary seed (SPS) which is the Owner Hierarchy seed.

Generally you would set a password/auth on the Owner hierarchy, so you wouldn't just arbitrarily
issue that command. And you can disable that command altogether with TPM2_ClearControl
or the tools command tpm2_clearcontrol.

https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf


> 
> A side question:
> I am unable to create a primary Platform key (owner, endorsement, and null
> work). Looks like authorization is expected.
> Is this an expected result based on how the TPM is configured from the chip
> vendor? In this case Infineon. Here is the output:
> $ tpm2_createprimary -C p -c platform_primary.ctx
> WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:393:Esys_CreatePrimary_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish ErrorCode (0x000009a2)
> ERROR: Esys_CreatePrimary(0x9A2) - tpm:session(1):authorization failure without DA implications
> ERROR: Unable to run tpm2_createprimary

IIRC/IIUC the platform hierarchy has a password enabled by the firmware/OS at
boot. So that auth failure would be expected.

> 
> Thanks,
> -John
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org


* [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear
@ 2020-03-31 17:40 Rowan Moul
  0 siblings, 0 replies; 9+ messages in thread
From: Rowan Moul @ 2020-03-31 17:40 UTC (permalink / raw)
  To: tpm2


Hi John,

There’s a mention in that book, in the Key management Chapter in the Key generation section that a TPM_CLEAR command will reset the seeds. I’m not sure if it is mentioned elsewhere. Of course it is also in the spec sheets if you can find it.
The man page for tpm2_clear alludes to it too, but could probably stand to be more explicit (it says all objects under hierarchies will be lost).

So no, the seeds are not permanent forever. Just until cleared.

tpm2_clear can be authorized in one of two ways: the Platform Hierarchy authorization value, or the Dictionary Attack lockout reset authorization value.

The platform authorization should be set by the BIOS/Firmware on each boot (as it is cleared on every shutdown of the TPM) so you don’t have access to this normally, though most BIOS interfaces should have a menu option to invoke a clear using this value.

The dictionary attack lockout defaults to an empty string authorization value, so functionally anyone can clear until you set this. As such, it is a good idea to set this authorization value if you want to rely on being able to re-generate primary keys. If you forget what you set it to later, invoking clear (with the platform auth via BIOS menu) will reset it.

Also on the note of re-generating primary keys, you may find my previous thread about the unique data option in tpm2_createprimary helpful if you want to use unique data in addition to the seed.


Rowan

> On Mar 31, 2020, at 09:56, John S <sedigj(a)gmail.com> wrote:
> 
> Hi, have been playing around with tpm2 tools and tss engine for openssl for awhile.
> Also reading Practical Guide to TPM 2.0.
> 
> I have found all the resources in the tpm2-tools readme and wiki and beyond quite helping in getting started.
> 
> The book (chapter 10) talks about the primary seeds for the hierarchy, and how any amount of key hierarchies can be extended from the primary keys. Primary keys are derived from the primary seeds. My understanding is that the seeds are unique and permanent in the tpm hardware.
> 
> I was anticipating that tpm2_createprimary could be used to get back to the primary key (given the same inputs/template) no matter what data is cleared or erased. 
> 
> Running tpm2_createprimary twice yields the same result, as evidenced by the rsa value, as expected.
> 
> But running:
> tpm2_createprimary
> tpm2_clear
> tpm2_createprimary
> 
> yields a totally different key, as can be seen from the resulting rsa value.
> This is also consistent with the manpage of tpm2_clear:
> "Clears lockout, endorsement and owner hierarchy authorization values." and "NOTE: All objects created under the respective hierarchies are lost."
> 
> This makes tpm2_clear seem like an exceptionally dangerous command, if I run it once (inadvertently perhaps), I've now destroyed all use of all keys ever created on the system. Yet, based on what I thought I understood about the primary seeds, I'd always be able to derive back to a key value.
> 
> So, what am I missing?
> Feel free to link in references.
> 
> A side question:
> I am unable to create a primary Platform key (owner, endorsement, and null work). Looks like authorization is expected.
> Is this an expected result based on how the TPM is configured from the chip vendor? In this case Infineon.
> Here is the output:
> $ tpm2_createprimary -C p -c platform_primary.ctx
> WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:393:Esys_CreatePrimary_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish ErrorCode (0x000009a2)
> ERROR: Esys_CreatePrimary(0x9A2) - tpm:session(1):authorization failure without DA implications
> ERROR: Unable to run tpm2_createprimary
> 
> Thanks,
> -John
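The behaviour the poster observed (tpm2_createprimary is deterministic, but a tpm2_clear in between yields a different key) and the replies' explanation (Clear rolls the SPS, so the seeds last only "until cleared"; anything in the template, such as unique data or a policy, also moves the key) can be reproduced against a small model. The following is an added example, not code from the thread, tpm2-tools or the TCG reference implementation. It models primary-key derivation as KDF(primary seed of the hierarchy, hash of the public template), with two labelled simplifications: the derived bytes stand in for the real RSA/ECC key pair, and a sorted-key JSON encoding stands in for the marshalled TPMT_PUBLIC. The seed lengths, labels and template field names are this example's own choices.

```python
import hashlib
import hmac
import json
import os

# Added example, not tpm2-tools or TCG code. Simplified model of TPM 2.0 primary
# key derivation: key = KDF(primary seed of the hierarchy, hash(public template)).
# Assumptions: the derived bytes stand in for the real RSA/ECC key pair, and a
# sorted-key JSON encoding stands in for the marshalled TPMT_PUBLIC.

KEY_BITS = 256  # length of the modelled "key" in bits


def kdfa(key: bytes, label: bytes, context: bytes, bits: int) -> bytes:
    """Counter-mode HMAC-SHA256 KDF shaped like TPM 2.0 KDFa (SP800-108 counter mode):
    each block is HMAC(key, [i] || label || 0x00 || context || [bits])."""
    out = b""
    i = 1
    while len(out) * 8 < bits:
        block = i.to_bytes(4, "big") + label + b"\x00" + context + bits.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        i += 1
    return out[: bits // 8]


def public_hash(public: dict) -> bytes:
    """Canonical hash of the public part of the template. Every field the caller can
    set (algorithm, authPolicy, unique, ...) feeds the hash, so any change moves the key."""
    canon = json.dumps(public, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).digest()


class ModelTPM:
    """Per-hierarchy primary seeds plus the commands the thread discusses."""

    def __init__(self) -> None:
        # SPS (owner), EPS (endorsement), PPS (platform); modelled as 32 random bytes each
        self.seeds = {h: os.urandom(32) for h in ("owner", "endorsement", "platform")}

    def create_primary(self, hierarchy: str, public: dict) -> bytes:
        """Models TPM2_CreatePrimary: same seed + same template => same key, every time."""
        return kdfa(self.seeds[hierarchy], b"PRIMARY", public_hash(public), KEY_BITS)

    def clear(self) -> None:
        """Models TPM2_Clear: the SPS is replaced with a fresh random value, so every
        owner-hierarchy primary (and everything wrapped under it) is unrecoverable.
        The EPS is not rolled by Clear; that takes TPM2_ChangeEPS."""
        self.seeds["owner"] = os.urandom(32)

    def change_eps(self) -> None:
        """Models TPM2_ChangeEPS, the command the thread notes is absent on some parts."""
        self.seeds["endorsement"] = os.urandom(32)


def run_experiment() -> dict:
    """Re-runs the poster's createprimary / clear / createprimary sequence on the model
    and records which keys are reproducible afterwards."""
    tpm = ModelTPM()
    rsa = {"alg": "rsa2048", "nameAlg": "sha256", "authPolicy": "", "unique": ""}
    with_unique = dict(rsa, unique="my-unique-data")   # -u on tpm2_createprimary
    with_policy = dict(rsa, authPolicy="a" * 64)       # -L on tpm2_createprimary

    before = tpm.create_primary("owner", rsa)
    again = tpm.create_primary("owner", rsa)
    ek_before = tpm.create_primary("endorsement", rsa)

    tpm.clear()  # the step that surprised the poster

    after = tpm.create_primary("owner", rsa)
    ek_after = tpm.create_primary("endorsement", rsa)

    return {
        "createprimary_twice_same": before == again,
        "owner_primary_survives_clear": before == after,
        "endorsement_primary_survives_clear": ek_before == ek_after,
        "unique_changes_key": tpm.create_primary("owner", with_unique) != after,
        "authpolicy_changes_key": tpm.create_primary("owner", with_policy) != after,
    }


if __name__ == "__main__":
    for check, result in run_experiment().items():
        print(f"{check}: {result}")
```

The model makes the two practical points explicit: after Clear the old owner-hierarchy primary cannot be recomputed from any template, because the input seed is gone, whereas an endorsement primary made from the same template still comes back; and adding unique data or a policy to the template changes the key without changing the seed, which is what makes a primary hard for another local user to regenerate but does nothing to protect it from Clear.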



Thread overview: 9+ messages
2020-04-03 15:18 [tpm2] Re: Relating tpm2_createprimary, Primary Seeds, and tpm2_clear Roberts, William C
2020-04-02 10:01 Florian.Schreiner
2020-04-02  0:17 Rowan Moul
2020-04-01 22:11 John S
2020-04-01 22:00 John S
2020-03-31 18:11 Rowan Moul
2020-03-31 17:46 Roberts, William C
2020-03-31 17:42 Roberts, William C
2020-03-31 17:40 Rowan Moul
