All of lore.kernel.org
 help / color / mirror / Atom feed
* [tpm2] Re: seal with external public EK
@ 2022-08-31 21:32 David Challener
  0 siblings, 0 replies; 2+ messages in thread
From: David Challener @ 2022-08-31 21:32 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 2386 bytes --]

I have always wondered what the purpose of doing the encryption/decryption
on the TPM is. It may keep the key out of view, but it never keeps the
encrypted DATA out of view. (Presuming good practices are followed so the
key is only used once.) So the decrypted doc is going to be available on
both devices. Devices can encrypt/decrypt much faster than a TPM that can
do the encryption/decryption.
So what is the reason you want to do that?

On Wed, Aug 31, 2022 at 10:32 AM Gadacz, Henry <
henry.gadacz(a)sit.fraunhofer.de> wrote:

> Hello everyone,
>
>
>
> I want to encrypt a larger file on TPM A and decrypt it on TPM B. To share
> a symmetric key for that I have TPM B’s public endorsement keys on TPM A.
> The EK of TPM B is created and persisted as followed:
>
> tpm2_createek -P endPW -w ownerPW -c $EK_HANDLE -G rsa
>
>
>
> The public part is exported with:
>
> pm2_readpublic -c $EK_HANDLE -o B_EK.pem -f pem
>
>
>
> On TPM A I load the public EK key of TPM B:
>
> tpm2_loadexternal -C o -G rsa -u B_EK.pem -c B_EK.ctx
>
>
>
> To seal random data that is used as symmetric key to the TPM B EK I tried:
>
> tpm2_getrandom --hex 32 | tpm2_create -C B_EK.ctx -i- -u
> A_transportKey_pub.seal -r A_transportKey_priv.seal
>
>
>
> But I always get the following error:
>
> WARNING:esys:src/tss2-esys/api/Esys_Create.c:399:Esys_Create_Finish()
> Received TPM Error
>
> ERROR:esys:src/tss2-esys/api/Esys_Create.c:134:Esys_Create() Esys Finish
> ErrorCode (0x0000012f)
>
> ERROR: Esys_Create(0x12F) - tpm:error(2.0): authValue or authPolicy is not
> available for selected entity
>
> ERROR: Unable to run tpm2_create
>
>
>
> Why is an authValue or authPolicy required? I created the EK without
> authorization value or policy.
>
>
>
> I want to use the sealing method instead of tpm2_rsaencrypt to be able to
> process the symmetric key inside TPM B when doing the decryption and don’t
> need to store a file with the symmetric key on the disk.
>
>
>
> Any help on what’s the problem or other suggestions to solve this task are
> really appreciated.
>
>
>
> Best Regards,
>
> Henry
>
>
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 3931 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread
* [tpm2] Re: seal with external public EK
@ 2022-09-01 14:54 Roberts, William C
  0 siblings, 0 replies; 2+ messages in thread
From: Roberts, William C @ 2022-09-01 14:54 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 3882 bytes --]

On Wed, 2022-08-31 at 14:32 +0000, Gadacz, Henry wrote:
> Hello everyone,
>  
> I want to encrypt a larger file on TPM A and decrypt it on TPM B. To
> share a symmetric key for that I have TPM B’s public endorsement keys
> on TPM A. The EK of TPM B is created and persisted as followed:
> tpm2_createek -P endPW -w ownerPW -c $EK_HANDLE -G rsa
>  
> The public part is exported with:
> pm2_readpublic -c $EK_HANDLE -o B_EK.pem -f pem
>  
> On TPM A I load the public EK key of TPM B:
> tpm2_loadexternal -C o -G rsa -u B_EK.pem -c B_EK.ctx
>  
> To seal random data that is used as symmetric key to the TPM B EK I
> tried:
> tpm2_getrandom --hex 32 | tpm2_create -C B_EK.ctx -i- -u
> A_transportKey_pub.seal -r A_transportKey_priv.seal
>  
> But I always get the following error:
> WARNING:esys:src/tss2-esys/api/Esys_Create.c:399:Esys_Create_Finish() 
> Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_Create.c:134:Esys_Create() Esys
> Finish ErrorCode (0x0000012f)
> ERROR: Esys_Create(0x12F) - tpm:error(2.0): authValue or authPolicy
> is not available for selected entity
> ERROR: Unable to run tpm2_create
>  
> Why is an authValue or authPolicy required? I created the EK without
> authorization value or policy.

TL;DR Seal and Unseal the key using an encrypted session and use
tpm2_duplicate to move keys between TPMs.

Becuase the authValue is always checked, even if it's empty. The
associated authValue is stored in the private portion of the object and
only the public portion is loaded. Thus you cannot use any commands
that require authValue.

To move a key, you duplicate command:
tpm2_duplicate(1)  -  This tool duplicates a loaded object so that it
may be used in a different hierarchy.  The new parent key for the
       duplicate may be on the same or different TPM or TPM_RH_NULL.

>  
> I want to use the sealing method instead of tpm2_rsaencrypt to be
> able to process the symmetric key inside TPM B when doing the
> decryption and don’t need to store a file with the symmetric key on
> the disk.
>  
> Any help on what’s the problem or other suggestions to solve this
> task are really appreciated.

Generally folks seal and unseal a bulk encryption key to the TPM and
then perform the bulk crypto, ie AES or equivilent, within their
application. The primary reason for this is performance, the TPM is
dirt slow.

The second thing to consider is your threat model:

Compromised Bus:
In this scenario the attacker can see traffic on the bus, so unless you
enable a encrypted session, the attacker can see the clear text so the
crypto operation does nothing. In this case unsealing the key WITHIN an
encrypted session ensures that the attacker did not see your key and
your safe.

Compromised Kernel:
In this scenario an attacker can see bytes to and from the TPM through
the kernel driver as well as peer into your address space. In this
scenario we consider using the TPM for bulk encryption and unsealing.
When using the TPM the attacker can see the clear text coming back from
the TPM. Even when using an encrypted session the attacker could peer
into your process and get the decrypted data or just jack the session
key. To protect yourself in a compromised kernel you need some type of
sandboxing feature to protect the process from the operating system.
Think of things like TEEs.

In most Threat Models, folks consider the "Compromised Bus" scenario
and this is how your disk is decrypted when using the TPM. Although not
always within in encrypted session unfortunately. Work is being done on
this front.

>  
> Best Regards,
> Henry
>  
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-09-01 14:54 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-31 21:32 [tpm2] Re: seal with external public EK David Challener
2022-09-01 14:54 Roberts, William C

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.