* [tpm2] Re: Re-provision TPM
@ 2021-06-30 10:44 Anthony Arrascue
From: Anthony Arrascue @ 2021-06-30 10:44 UTC (permalink / raw)
  To: tpm2


Hi Luke,

Thank you. You are right. I should start reading the changelog more often. I have already faced problems in the past with different versions of the tools.
You made me notice that it would have been useful to mention the versions of the tools I was using in my example:

TPM2-TSS v. 2.4.x
TPM2-TOOLS v. 4.X

Best,
Anthony

_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
To unsubscribe send an email to tpm2-leave(a)lists.01.org<mailto:tpm2-leave(a)lists.01.org>

* [tpm2] Re: Re-provision TPM
@ 2022-02-17  7:37 analystcode
From: analystcode @ 2022-02-17  7:37 UTC (permalink / raw)
  To: tpm2


Above steps worked like a charm!
Thank you


* [tpm2] Re: Re-provision TPM
@ 2021-06-30 20:57 Steven Clark
From: Steven Clark @ 2021-06-30 20:57 UTC (permalink / raw)
  To: tpm2


On Linux one of the absolute worst-case options to nuke a TPM and start
over is to use the sysfs PPI interface to the TPM:
Issue a clear request like:
echo 5 > /sys/class/tpm/tpm0/ppi/request
and reboot.  You then confirm that you really do want the BIOS to wipe the
TPM and it's done.  If something has set auths and you don't know what it
is, this is a pretty decent last resort if you've got the support.


* [tpm2] Re: Re-provision TPM
@ 2021-06-30 15:03 Dimitar Tomov
From: Dimitar Tomov @ 2021-06-30 15:03 UTC (permalink / raw)
  To: tpm2


Hi Luke, Hi Anthony,

The functionality differs a bit between tpm2_changeauth (TPM 2.0) and tpm2_takeownership (TPM 1.2).

TPM2_ChangeAuth helps to change the authorization of the hierarchies. You would be most interested in changing the auth of the OWNER hierarchy, where typically user keys are created. The EK, by contrast, lives under the Endorsement Hierarchy, which comes with more constraints.

About provisioning and EK, our developer's community has made a tutorial on Github here - https://github.com/tpm2dev/tpm.dev.tutorials/tree/master/Enrollment

Endorsement key and hierarchy described here - https://github.com/tpm2dev/tpm.dev.tutorials/tree/master/Intro#key-hierarchies

If you don't find some information in the tutorials, please feel free to open an issue on Github, just make sure it is on the right repo :) It is completely driven by developers.

Dimi Tomov
--
Founder of TPM.dev


* [tpm2] Re: Re-provision TPM
@ 2021-06-30 10:17 at rubynerd
From: at rubynerd @ 2021-06-30 10:17 UTC (permalink / raw)
  To: tpm2


Hi Anthony,

I'm also new to the tpm2-tools project, and whilst I cannot advise on most
of the asks in your email, I can confirm the tpm2_takeownership command was
changed to tpm2_changeauth, which offers similar functionality.

Further information is available in the changelog:
https://github.com/tpm2-software/tpm2-tools/blame/master/doc/CHANGELOG.md#L867-L872

There's quite a bit of movement between what's currently in source control
and the snippets floating around on StackOverflow, the changelog is a
really good resource for reconciling these. One thing to note: if you're
building this from source, the commands have changed from
"tpm2_commandname" to "tpm2 commandname", which was another pitfall I fell
into during my explorations.

Regarding the specifics of EKs and the differences/functionality of the
APIs themselves, I'm afraid I'm woefully out of my depth!

Hope this helps,
Luke


* [tpm2] Re: Re-provision TPM
@ 2021-06-30 10:07 Anthony Arrascue
From: Anthony Arrascue @ 2021-06-30 10:07 UTC (permalink / raw)
  To: tpm2


A way of re-provisioning (on a different OS image) that worked for me is the following:

tpm2_startup
#This clears the persistent storage
tpm2_clear
#To change profile from ECC to RSA
sed -i 's/"profile_name": "P_ECCP256SHA256"/"profile_name": "P_RSA2048SHA256"/g' /usr/local/etc/tpm2-tss/fapi-config.json
#Delete existing keystores
rm -rf ~/.local/share/tpm2-tss/user/keystore
rm -rf /usr/local/var/lib/tpm2-tss/system/keystore
#Before we provision we need to generate an EK
tpm2_createprimary -C e -g sha256 -G rsa -c endorsementprimary.ctx
tpm2_create -C endorsementprimary.ctx -g sha256 -G rsa -u rsak.pub -r rsak.priv
tpm2_load -C endorsementprimary.ctx -u rsak.pub -r rsak.priv -n rsak.name -c rsak.ctx
tpm2_evictcontrol -c rsak.ctx 0x81010001
tss2_provision

Without the tpm2_createprimary I would get an error when I use tss2_provision (something like “key cannot be signed”. I cannot remember the error message, but it contained the word EK).

Some questions that came to my mind:

  1.  Can all of this be done using only Fapi (no tpm2 commands)
  2.  Why is generating an EK required for provisioning? (which documentation describes this step)
  3.  Previous versions of the tpm2-tools had also a tpm2_takeownership. What happened with it and how to provision with owner’s authorization?

Thank you very much for your comments.
Best,
Anthony





From: Anthony Arrascue
Sent: Tuesday, 1 June 2021 19:18
To: 'tpm2(a)lists.01.org' <tpm2(a)lists.01.org>
Subject: Re-provision TPM

Hello,

I am learning about the TSS and TPM technologies.
I have provisioned the TPM with the default settings, which means I am now using the ECC profile (P_ECCP256SHA256).
However, encryption was a requirement I needed to fulfill. I just didn't know that ECC encryption is currently not supported and now I realize RSA would be a better fit for me.
So here is my question:

  *   I see there is another profile in /usr/local/etc/tpm2-tss/fapi-profiles, namely P_RSA2048SHA256.json. Is there a way I can encrypt using the RSA profile instead of the ECC one? I tried to re-run tss2_provision, after setting it in fapi-config.json, but it seems this is not the way to proceed. I get the message that the TPM has been already provisioned. What is the correct way of "changing" profile? Is it even possible or do I need to reset the TPM?
Thank you for your help.
Anthony Arrascue
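
Two checks worth scripting around the procedure above (an added example, not code from the thread or from the tpm2-tools/tpm2-tss projects): the profile switch replaces whatever profile_name is currently set in fapi-config.json, backs the file up first, and refuses to run if the target profile file is missing from the profiles directory; the handle check parses `tpm2_getcap handles-persistent` output so a script can notice that 0x81010001 is already taken before calling tpm2_evictcontrol. The function names are mine, and the one-line-per-handle "- 0x8101...." output format is assumed from tpm2-tools 4.x.

```shell
#!/bin/sh
# Helpers for the FAPI re-provisioning steps; assumes tpm2-tools 4.x output
# format for `tpm2_getcap handles-persistent` (one "- 0x........" line each).

# Switch the FAPI profile in a fapi-config.json, whatever profile_name is
# currently set, but only if "<PROFILES_DIR>/<PROFILE>.json" exists.
# A backup is left at CONFIG.bak so the change can be rolled back.
# Usage: fapi_set_profile /usr/local/etc/tpm2-tss/fapi-config.json \
#            P_RSA2048SHA256 /usr/local/etc/tpm2-tss/fapi-profiles
fapi_set_profile() {
    config="$1"; profile="$2"; profiles_dir="$3"
    if [ ! -f "$profiles_dir/$profile.json" ]; then
        echo "profile $profile not found in $profiles_dir" >&2
        return 1
    fi
    cp "$config" "$config.bak" || return 1
    # Profile names contain no '/' or '&', so plain substitution is safe.
    sed "s/\"profile_name\": *\"[^\"]*\"/\"profile_name\": \"$profile\"/" \
        "$config" > "$config.tmp" && mv "$config.tmp" "$config"
}

# Print the profile_name currently set in a fapi-config.json.
fapi_get_profile() {
    sed -n 's/.*"profile_name": *"\([^"]*\)".*/\1/p' "$1"
}

# Read `tpm2_getcap handles-persistent` output on stdin; return 0 when HANDLE
# is already persisted, so the caller can decide before tpm2_evictcontrol.
# Usage: tpm2_getcap handles-persistent | persistent_handle_in_use 0x81010001
persistent_handle_in_use() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    tr 'A-F' 'a-f' | grep -q -- "^- $want\$"
}
```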

