[tpm2] Re: Sample applications

[at rubynerd <x at rubynerd.net>]

[-- Attachment #1: Type: text/plain, Size: 7531 bytes --]

Hi both,

Thank you for your responses — I appreciate your time. My apologies for the
delay in response, I've been on-call for the past week and the shift picked
up at the end.

I've started to read through the specification, but it is quite meaty. I
initially shied away from reading it because I assumed it was for
implementers of TPMs (i.e. TPM manufacturers) and not for
application implementation, but that doesn't seem to be the case. I'm
working my way through it, but as this isn't my day job right now it's
quite slow going.

Bill — thank you for the code examples: it's actually the best explainer
I've seen for how to use the different components of tpm2-tools together.
Your example is almost exactly what I need, but I'm looking to keep the
private key hidden & unavailable to the host, and also send the public key
& corresponding attestation statement to a remote server, so the remote
server can validate the attestation statement, then encrypt the secrets it
needs to deliver to the host. The remote server can — if my understanding
of TPMs is correct! — deliver the encrypted secrets to the host with the
relatively secure understanding that only that host can decrypt them.

I'm pretty confident it's possible to prototype the above with both
tpm2-tools and your explanation above, and I'll continue when I get a
little bit of free time.

Concerning TSS: does TSS operate at a higher or lower level than the tools
presented in tpm2-tools? I assumed that because tpm2-tools was compiled
against tpm2-tss, it was a lower level API, but if it's possible to do what
I'm looking to do in less steps, it seems like it should be higher? I
didn't notice any executables produced when I compiled it for tpm2-tools,
but I can check again.

Because a command I was looking to use (I think "getekcertificate") wasn't
present in the Ubuntu packaged tpm2-tools, I compiled the latest version
from source, but the end result is one executable linked against several
object files ("tpm2_getekcertificate" has become "tpm2 getekcertificate"),
which added another layer of confusion because the commands above don't
necessarily work as documented via StackOverflow.

Once again, thank you so much for the assistance with navigation, I really
appreciate it. Whilst my C skills are suboptimal at best, I am more than
happy to contribute documentation upstream if there is interest.

Thanks,
Luke

On Fri, Jun 18, 2021 at 5:20 PM Roberts, William C <
william.c.roberts(a)intel.com> wrote:

> Some tpm2-tools support --format=pem​. Make sure you're on a 4.0+
> version. If you're on master,
> you can even get the pem file during creation time. I am going to provide
> what you can do with tpm2-tools,
> however, there are also tools that start with tss2 prefix that use a
> higher level API called FAPI. Those tools
> might do what you want with far less steps then the tpm2 prefixed tools. I
> CC'd Andreas Fuchs so he can
> advise on those tools.
>
> # versions >= 4.0
> tpm2_createprimary -c primary.ctx
> tpm2_readpublic --format=pem -o key.pem -c primary.ctx
>
> head key.pem
> -----BEGIN PUBLIC KEY-----
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtFeWoma5eS7x7XjR1QWp
> <snip>
>
> # master
> tpm2_createprimary -c primary.ctx --format=pem -o key.pem
>
> For keys created with tpm2_create, you can use the readpublic option or
> use tpm2_print
> # readpublic example
> tpm2_create -C primary.ctx -u key.pub -r key.priv
> tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
> tpm2_readpublic --format=pem -o key.pem -c key.ctx
>
> # print example
> tpm2 print --type TPM2B_PUBLIC --format=pem key.pub
> -----BEGIN PUBLIC KEY-----
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwEDts9Y64CGuHPjT/8nC
> <snip>
>
> For the other portion of your question is "encrypting application secrets"
> to the TPM.
>
> Thier's a few ways you could do this, but I would suggest using the
> sealing function.
> It creates a TPM protected object but instead of it containing a key the
> tpm knows
> how to use, it contains free form userdata, like the application secretes,
> or if those
> are too large to store in the TPM, an AES key to wrap those with.
>
> I would choose sealing first, it's the simplest. For AES wrapping I would
> pick
> AES 256 GCM but the key type and mode is up to you.
>
> To seal a secret, one would use tpm2_create with the -i option:
>
> # read secret from stdin with -i -, or use -i <file> to read from a file.
> tpm2_create -C primary.ctx -i- -u key.pub -r key.priv <<< 'MY SECRET'
>
> # load
> tpm2 load -C primary.ctx -u key.pub -r key.priv -c key.ctx
>
> # unseal secret from TPM
> tpm2 unseal -c key.ctx
> MY SECRET
>
> # for wrapping a secret with an AES Key, just make 'MY SECRET' an AES key
> and use
> openssl commands. Examples can be found here:
> https://wiki.openssl.org/index.php/Enc
>
>
> You can set passwords and policies on TPM objects as you see fit, and we
> can help
> you craft a policy.
>
> The man pages for the tools should have examples, you can just view the
> markdown on
> the github wiki as well:
>
> https://github.com/tpm2-software/tpm2-tools/tree/master/man
>
>
> There are also examples in the test directory.
>
> Bill
> ------------------------------
> *From:* Steven Clark <davolfman(a)gmail.com>
> *Sent:* Wednesday, June 16, 2021 8:33 PM
> *To:* @rubynerd <x(a)rubynerd.net>
> *Cc:* tpm2 <tpm2(a)lists.01.org>
> *Subject:* [tpm2] Re: Sample applications
>
> On Wed, Jun 16, 2021 at 3:12 PM @rubynerd <x(a)rubynerd.net> wrote:
> >
> > Hi all,
> >
> > I'm looking to build an application which creates a key on a TPM & uses
> the TPM to decrypt some application initialisation secrets delivered to the
> application via a control-plane, which verifies the key the TPM will use is
> on a TPM.
> >
> > I'm struggling to find any sample applications/explanations/cookbooks
> for tmp2-tools to prototype out how this would work — in fact, I can't find
> an explainer of how to convert a key from "tss" format to PEM format. Is
> there something I've missed, or is there a sample TPM application or
> something kicking about I can refer to? I'm aware there are specification
> PDF's, but these are unapproachable to someone with attention-span
> disabilities.
> >
> > Thanks,
> > Luke
> > _______________________________________________
> > tpm2 mailing list -- tpm2(a)lists.01.org
> > To unsubscribe send an email to tpm2-leave(a)lists.01.org
> > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>
> With tpm2-tools it's pretty easy if you've got a remotely up to date
> version.  Most of the tools that need to interact with outside keys
> natively support the SSL key types.  So you just interact with them on
> the command line.
>
> If you want to actually program using the ESAPI and use outside key
> formats my recommendation would be get comfortable reading the
> structure definitions in the TPM2 specs (sometimes assisted by the
> actual header files from the TSS), the ESAPI spec, and the OpenSSL API
> man pages and learn to tear a key down into low level structures in
> one API to reassemble in the other format.  The math is still the same
> after all.
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 11237 bytes --]