* [tpm2] Re: Approaching 100 hours of troubleshooting
From: Frederick Gotham @ 2019-11-25 12:04 UTC
To: tpm2

By the way I'm searching the web for a TPM2 chip that can do symmetric
encryption but I haven't found one yet. Do you know of one? I sent an
email to Infineon to ask them.



On 11/25/19, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
> No, the TPM will not do AES encryption on a key you load in with
> a custom mode.
>
> You can store up to 100 bytes into such a "KeyedHash" object, which
> is basically an object for arbitrary data, that the TPM will AES encrypt
> using the parent key.
> With TPM2_Unseal this data gets decrypted.
>
> The cipher mode used is CFP I think, but not sure.
> ________________________________________
> From: Frederick Gotham [cauldwell.thomas(a)gmail.com]
> Sent: Monday, November 25, 2019 11:12
> To: Fuchs, Andreas
> Cc: Zhu, Bing; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: Approaching 100 hours of troubleshooting
>
> Thank you for this, Andreas.
>
> You wrote at the end "Or you can create a KeyedHash object and call
> Unseal, but that's limited to approx 100 bytes. So you can use a key
> from there."
>
> 100 bytes is adequate for my needs. Is it possible to load a 128-bit
> AES key into the TPM2 hardware in order to encrypt or decrypt
> approximately 35 bytes of data? By the way I also need to load the
> 128-bit IV.
>
> My chip is the TPM 2.0 Infineon SLB96XX 1.2 / 2.0. My BIOS tells me
> that the Vendor is IFX, and the firmware is 5.62.
>
>


* [tpm2] Re: Approaching 100 hours of troubleshooting
From: Roberts, William C @ 2019-11-25 16:51 UTC
To: tpm2



> -----Original Message-----
> From: Frederick Gotham [mailto:cauldwell.thomas(a)gmail.com]
> Sent: Saturday, November 23, 2019 12:07 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] Approaching 100 hours of troubleshooting
> 
> Hi
> 
> I'm trying to get the TPM2 working in embedded Linux, and I've been
> troubleshooting for nearly two weeks now.
> 
> I thought it would be a good idea to get the latest releases of the following
> packages:
> 
>     tpm2-tss
>     tpm2-tools
>     tpm2-tss-engine
> 
> And also the latest commit of: tpm2-pkcs11
> 
> All I have succeeded in doing so far is getting random numbers from the TPM2
> chip. I haven't been able to store (or retrieve) keys, nor have I been able to encrypt
> or decrypt data.
> 
> The first problem I'm having is that the command line options for the tools (and
> also scripts) have been changed several times. Every time I try to follow an
> example I find on the web, I get "unrecognised option -C".

4.0+ will be a stable interface moving forward. However,
our man pages should be the up-to-date examples. For encrypting and decrypting,
a simple example can be found in the man page:

https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_encryptdecrypt.1.md

> 
> In order to try to follow examples I find online, I have repeatedly upgraded and
> downgraded my versions of the packages, sometimes even mixing old tools with
> new tools (sometimes even rewinding to an historical commit in Github between
> official releases).

Yeah, don't do that. Stay on tpm2-tools >= 4.0. 3.X is pretty much EOL. See the dependency matrix
link below for recommended versions.

> 
> Can someone please suggest what are the best stable versions of these packages
> for working with embedded Linux?

tpm2-tools: 4.0
tpm2-tss: >= 2.3.1
tpm2-abrmd : >= 2.2.0

https://github.com/tpm2-software/tpm2-tools/wiki/Dependency-Matrix



> 
> Another thing:
> When my device boots up, I can go into the BIOS where I see a lot of options for
> Trusted Platform. I'm not exactly sure what these options actually do. Can
> someone advise me which settings in particular to watch out for? I see one about
> fTPM but I'm not sure what it does.


* [tpm2] Re: Approaching 100 hours of troubleshooting
From: Fuchs, Andreas @ 2019-11-25 12:36 UTC
To: tpm2

Frankly, no, I don't know one.
99% was my attempt to say: I haven't seen any and don't think there are,
but cannot be sure...
________________________________________
From: Frederick Gotham [cauldwell.thomas(a)gmail.com]
Sent: Monday, November 25, 2019 13:04
To: Fuchs, Andreas
Cc: Zhu, Bing; tpm2(a)lists.01.org
Subject: Re: [tpm2] Re: Approaching 100 hours of troubleshooting

By the way I'm searching the web for a TPM2 chip that can do symmetric
encryption but I haven't found one yet. Do you know of one? I sent an
email to Infineon to ask them.



On 11/25/19, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
> No, the TPM will not do AES encryption on a key you load in with
> a custom mode.
>
> You can store up to 100 bytes into such a "KeyedHash" object, which
> is basically an object for arbitrary data, that the TPM will AES encrypt
> using the parent key.
> With TPM2_Unseal this data gets decrypted.
>
> The cipher mode used is CFP I think, but not sure.
> ________________________________________
> From: Frederick Gotham [cauldwell.thomas(a)gmail.com]
> Sent: Monday, November 25, 2019 11:12
> To: Fuchs, Andreas
> Cc: Zhu, Bing; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: Approaching 100 hours of troubleshooting
>
> Thank you for this, Andreas.
>
> You wrote at the end "Or you can create a KeyedHash object and call
> Unseal, but that's limited to approx 100 bytes. So you can use a key
> from there."
>
> 100 bytes is adequate for my needs. Is it possible to load a 128-bit
> AES key into the TPM2 hardware in order to encrypt or decrypt
> approximately 35 bytes of data? By the way I also need to load the
> 128-bit IV.
>
> My chip is the TPM 2.0 Infineon SLB96XX 1.2 / 2.0. My BIOS tells me
> that the Vendor is IFX, and the firmware is 5.62.
>
>


* [tpm2] Re: Approaching 100 hours of troubleshooting
From: Frederick Gotham @ 2019-11-25 10:20 UTC
To: tpm2

You said 99% of TPM2 chips can't do symmetric bulk encryption.

With regard to the other 1%, can those chips do symmetric bulk
encryption whereby I can load a 128-Bit AES key and IV into the chip?

On 11/25/19, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
> No, the TPM will not do AES encryption on a key you load in with
> a custom mode.
>
> You can store up to 100 bytes into such a "KeyedHash" object, which
> is basically an object for arbitrary data, that the TPM will AES encrypt
> using the parent key.
> With TPM2_Unseal this data gets decrypted.
>
> The cipher mode used is CFP I think, but not sure.
> ________________________________________
> From: Frederick Gotham [cauldwell.thomas(a)gmail.com]
> Sent: Monday, November 25, 2019 11:12
> To: Fuchs, Andreas
> Cc: Zhu, Bing; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: Approaching 100 hours of troubleshooting
>
> Thank you for this, Andreas.
>
> You wrote at the end "Or you can create a KeyedHash object and call
> Unseal, but that's limited to approx 100 bytes. So you can use a key
> from there."
>
> 100 bytes is adequate for my needs. Is it possible to load a 128-bit
> AES key into the TPM2 hardware in order to encrypt or decrypt
> approximately 35 bytes of data? By the way I also need to load the
> 128-bit IV.
>
> My chip is the TPM 2.0 Infineon SLB96XX 1.2 / 2.0. My BIOS tells me
> that the Vendor is IFX, and the firmware is 5.62.
>
>


* [tpm2] Re: Approaching 100 hours of troubleshooting
From: Fuchs, Andreas @ 2019-11-25 10:15 UTC
To: tpm2

No, the TPM will not do AES encryption on a key you load in with
a custom mode.

You can store up to 100 bytes into such a "KeyedHash" object, which
is basically an object for arbitrary data, that the TPM will AES encrypt
using the parent key.
With TPM2_Unseal this data gets decrypted.

The cipher mode used is CFP I think, but not sure.
________________________________________
From: Frederick Gotham [cauldwell.thomas(a)gmail.com]
Sent: Monday, November 25, 2019 11:12
To: Fuchs, Andreas
Cc: Zhu, Bing; tpm2(a)lists.01.org
Subject: Re: [tpm2] Re: Approaching 100 hours of troubleshooting

Thank you for this, Andreas.

You wrote at the end "Or you can create a KeyedHash object and call
Unseal, but that's limited to approx 100 bytes. So you can use a key
from there."

100 bytes is adequate for my needs. Is it possible to load a 128-bit
AES key into the TPM2 hardware in order to encrypt or decrypt
approximately 35 bytes of data? By the way I also need to load the
128-bit IV.

My chip is the TPM 2.0 Infineon SLB96XX 1.2 / 2.0. My BIOS tells me
that the Vendor is IFX, and the firmware is 5.62.


On 11/25/19, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
> Yes, 99% of TPM2 chips do not support the TPM2_EncryptDecrypt function,
> i.e. they do not support symmetric "bulk" encryption.
>
> The reason for this is political (import export customs etc).
>
> You can either use asymmetric encryption/decryption using RSA_En/Decrypt
> or ECC with ECC_KeyGen or ECC_ZGen.
> Or you can create a KeyedHash object and call Unseal, but that's limited to
> approx 100 bytes. So you can use a key from there.
>
>
> ________________________________
> From: Frederick Gotham [cauldwell.thomas(a)gmail.com]
> Sent: Monday, November 25, 2019 10:39
> To: Zhu, Bing
> Cc: tpm2(a)lists.01.org
> Subject: [tpm2] Re: Approaching 100 hours of troubleshooting
>
> When I try to run the test script "encryptdecrypt.sh", I get the following
> output:
>
> WARN: Command EncryptDecrypt is not supported by your device,
> skipping...
>
> Anyone got any idea what would cause this?
>
>
> On Sun, Nov 24, 2019 at 3:11 PM Zhu, Bing
> <bing.zhu(a)intel.com<mailto:bing.zhu(a)intel.com>> wrote:
>>>> I see one about fTPM but I'm not sure what it does.
> Firmware-based TPM, google Intel Platform Trust Technology (PTT) to know
> more details.
>
> From: Frederick Gotham
> <cauldwell.thomas(a)gmail.com<mailto:cauldwell.thomas(a)gmail.com>>
> Sent: Sunday, November 24, 2019 02:07 AM
> To: tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
> Subject: [tpm2] Approaching 100 hours of troubleshooting
>
> Hi
>
> I'm trying to get the TPM2 working in embedded Linux, and I've been
> troubleshooting for nearly two weeks now.
>
> I thought it would be a good idea to get the latest releases of the
> following packages:
>
>     tpm2-tss
>     tpm2-tools
>     tpm2-tss-engine
>
> And also the latest commit of: tpm2-pkcs11
>
> All I have succeeded in doing so far is getting random numbers from the TPM2
> chip. I haven't been able to store (or retrieve) keys, nor have I been able to
> encrypt or decrypt data.
>
> The first problem I'm having is that the command line options for the tools
> (and also scripts) have been changed several times. Every time I try to
> follow an example I find on the web, I get "unrecognised option -C".
>
> In order to try to follow examples I find online, I have repeatedly upgraded
> and downgraded my versions of the packages, sometimes even mixing old tools
> with new tools (sometimes even rewinding to an historical commit in Github
> between official releases).
>
> Can someone please suggest what are the best stable versions of these
> packages for working with embedded Linux?
>
> Another thing:
> When my device boots up, I can go into the BIOS where I see a lot of options
> for Trusted Platform. I'm not exactly sure what these options actually do.
> Can someone advise me which settings in particular to watch out for? I see
> one about fTPM but I'm not sure what it does.
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
> To unsubscribe send an email to
> tpm2-leave(a)lists.01.org<mailto:tpm2-leave(a)lists.01.org>
>


* [tpm2] Re: Approaching 100 hours of troubleshooting
From: Frederick Gotham @ 2019-11-25 10:12 UTC
To: tpm2

Thank you for this, Andreas.

You wrote at the end "Or you can create a KeyedHash object and call
Unseal, but that's limited to approx 100 bytes. So you can use a key
from there."

100 bytes is adequate for my needs. Is it possible to load a 128-bit
AES key into the TPM2 hardware in order to encrypt or decrypt
approximately 35 bytes of data? By the way I also need to load the
128-bit IV.

My chip is the TPM 2.0 Infineon SLB96XX 1.2 / 2.0. My BIOS tells me
that the Vendor is IFX, and the firmware is 5.62.


On 11/25/19, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
> Yes, 99% of TPM2 chips do not support the TPM2_EncryptDecrypt function,
> i.e. they do not support symmetric "bulk" encryption.
>
> The reason for this is political (import export customs etc).
>
> You can either use asymmetric encryption/decryption using RSA_En/Decrypt
> or ECC with ECC_KeyGen or ECC_ZGen.
> Or you can create a KeyedHash object and call Unseal, but that's limited to
> approx 100 bytes. So you can use a key from there.
>
>
> ________________________________
> From: Frederick Gotham [cauldwell.thomas(a)gmail.com]
> Sent: Monday, November 25, 2019 10:39
> To: Zhu, Bing
> Cc: tpm2(a)lists.01.org
> Subject: [tpm2] Re: Approaching 100 hours of troubleshooting
>
> When I try to run the test script "encryptdecrypt.sh", I get the following
> output:
>
> WARN: Command EncryptDecrypt is not supported by your device,
> skipping...
>
> Anyone got any idea what would cause this?
>
>
> On Sun, Nov 24, 2019 at 3:11 PM Zhu, Bing
> <bing.zhu(a)intel.com<mailto:bing.zhu(a)intel.com>> wrote:
>>>> I see one about fTPM but I'm not sure what it does.
> Firmware-based TPM, google Intel Platform Trust Technology (PTT) to know
> more details.
>
> From: Frederick Gotham
> <cauldwell.thomas(a)gmail.com<mailto:cauldwell.thomas(a)gmail.com>>
> Sent: Sunday, November 24, 2019 02:07 AM
> To: tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
> Subject: [tpm2] Approaching 100 hours of troubleshooting
>
> Hi
>
> I'm trying to get the TPM2 working in embedded Linux, and I've been
> troubleshooting for nearly two weeks now.
>
> I thought it would be a good idea to get the latest releases of the
> following packages:
>
>     tpm2-tss
>     tpm2-tools
>     tpm2-tss-engine
>
> And also the latest commit of: tpm2-pkcs11
>
> All I have succeeded in doing so far is getting random numbers from the TPM2
> chip. I haven't been able to store (or retrieve) keys, nor have I been able to
> encrypt or decrypt data.
>
> The first problem I'm having is that the command line options for the tools
> (and also scripts) have been changed several times. Every time I try to
> follow an example I find on the web, I get "unrecognised option -C".
>
> In order to try to follow examples I find online, I have repeatedly upgraded
> and downgraded my versions of the packages, sometimes even mixing old tools
> with new tools (sometimes even rewinding to an historical commit in Github
> between official releases).
>
> Can someone please suggest what are the best stable versions of these
> packages for working with embedded Linux?
>
> Another thing:
> When my device boots up, I can go into the BIOS where I see a lot of options
> for Trusted Platform. I'm not exactly sure what these options actually do.
> Can someone advise me which settings in particular to watch out for? I see
> one about fTPM but I'm not sure what it does.
>


* [tpm2] Re: Approaching 100 hours of troubleshooting
From: Fuchs, Andreas @ 2019-11-25 9:50 UTC
To: tpm2

Yes, 99% of TPM2 chips do not support the TPM2_EncryptDecrypt function,
i.e. they do not support symmetric "bulk" encryption.

The reason for this is political (import export customs etc).

You can either use asymmetric encryption/decryption using RSA_En/Decrypt
or ECC with ECC_KeyGen or ECC_ZGen.
Or you can create a KeyedHash object and call Unseal, but that's limited to
approx 100 bytes. So you can use a key from there.


________________________________
From: Frederick Gotham [cauldwell.thomas(a)gmail.com]
Sent: Monday, November 25, 2019 10:39
To: Zhu, Bing
Cc: tpm2(a)lists.01.org
Subject: [tpm2] Re: Approaching 100 hours of troubleshooting

When I try to run the test script "encryptdecrypt.sh", I get the following output:

WARN: Command EncryptDecrypt is not supported by your device,     skipping...

Anyone got any idea what would cause this?


On Sun, Nov 24, 2019 at 3:11 PM Zhu, Bing <bing.zhu(a)intel.com<mailto:bing.zhu(a)intel.com>> wrote:
>>> I see one about fTPM but I'm not sure what it does.
Firmware-based TPM, google Intel Platform Trust Technology (PTT) to know more details.

From: Frederick Gotham <cauldwell.thomas(a)gmail.com<mailto:cauldwell.thomas(a)gmail.com>>
Sent: Sunday, November 24, 2019 02:07 AM
To: tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
Subject: [tpm2] Approaching 100 hours of troubleshooting

Hi

I'm trying to get the TPM2 working in embedded Linux, and I've been troubleshooting for nearly two weeks now.

I thought it would be a good idea to get the latest releases of the following packages:

    tpm2-tss
    tpm2-tools
    tpm2-tss-engine

And also the latest commit of: tpm2-pkcs11

All I have succeeded in doing so far is getting random numbers from the TPM2 chip. I haven't been able to store (or retrieve) keys, nor have I been able to encrypt or decrypt data.

The first problem I'm having is that the command line options for the tools (and also scripts) have been changed several times. Every time I try to follow an example I find on the web, I get "unrecognised option -C".

In order to try to follow examples I find online, I have repeatedly upgraded and downgraded my versions of the packages, sometimes even mixing old tools with new tools (sometimes even rewinding to an historical commit in Github between official releases).

Can someone please suggest what are the best stable versions of these packages for working with embedded Linux?

Another thing:
When my device boots up, I can go into the BIOS where I see a lot of options for Trusted Platform. I'm not exactly sure what these options actually do. Can someone advise me which settings in particular to watch out for? I see one about fTPM but I'm not sure what it does.

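The route Andreas Fuchs describes above, and again in his 10:15 reply (a KeyedHash object holding the secret, TPM2_Unseal to get it back, the TPM never running the AES itself), worked through as an added example that is not part of the thread and not code from the tpm2-tools project. The script first checks whether the TPM advertises TPM2_EncryptDecrypt at all, which is the condition behind the "Command EncryptDecrypt is not supported by your device" warning from encryptdecrypt.sh, then seals a host-generated 16-byte AES key plus a 16-byte IV (32 bytes, well inside the sealed-data limit Andreas quotes) into a sealed-data object under a PCR policy, unseals it and hands the key to OpenSSL on the host. Command flags are the tpm2-tools 4.x syntax William Roberts recommends; the PCR selection sha256:0,7, the temporary file names and the use of OpenSSL for the actual AES-128-CBC step are assumptions made for the example. Two points worth having straight before relying on this: the TPM 2.0 library specification encrypts the sensitive area of such an object under the parent's symmetric algorithm in CFB mode, so the parent key and the PCR policy are what protect the secret at rest, and after tpm2_unseal the key sits in host memory like any other key; and sealing a fixed IV next to the key is only sound if that key ever encrypts a single message, otherwise a fresh IV per message has to be generated on the host.

```shell
#!/bin/sh
# Added example (not from the thread): seal an AES-128 key + IV into a TPM2
# KeyedHash (sealed-data) object with tpm2-tools 4.x, bound to PCR values,
# then unseal and use the key with OpenSSL on the host. File names, the PCR
# selection and the OpenSSL step are assumptions for illustration.
set -eu

# Does this TPM advertise TPM2_EncryptDecrypt? Reads `tpm2_getcap commands`
# output on stdin so the check can be exercised without a TPM. Matches the
# command name as printed by 4.x, or the bare command codes 0x164
# (TPM2_CC_EncryptDecrypt) and 0x193 (TPM2_CC_EncryptDecrypt2) for tool
# versions that print only the code; tpm2_encryptdecrypt can use either.
supports_encryptdecrypt() {
    grep -qiE 'EncryptDecrypt|: 0x0*(164|193)$'
}

# Hex-encode the key (first 16 bytes) or IV (last 16 bytes) of a 32-byte
# unsealed blob, in the form `openssl enc` expects for -K and -iv.
# $1 = blob path, $2 = "key" or "iv"
blob_part_hex() {
    if [ "$2" = key ]; then
        dd if="$1" bs=1 count=16 2>/dev/null | od -An -tx1 | tr -d ' \n'
    else
        dd if="$1" bs=1 skip=16 count=16 2>/dev/null | od -An -tx1 | tr -d ' \n'
    fi
}

# Full round trip against a real TPM (tpm2-tools 4.x flags).
seal_roundtrip() {
    pcrs='sha256:0,7'   # assumed: bind release to firmware (0) and Secure Boot (7) state
    work=$(mktemp -d)

    # 32 random bytes: key || IV. Generated on the host, so the TPM only
    # protects them at rest; it never performs the AES operation itself.
    dd if=/dev/urandom of="$work/key_iv.bin" bs=32 count=1 2>/dev/null

    # Primary (parent) key in the owner hierarchy; the sealed object's
    # sensitive area is encrypted under this key's symmetric algorithm.
    tpm2_createprimary -C o -c "$work/primary.ctx"

    # Policy digest from the current PCR values; unseal only succeeds while
    # the selected PCRs still match.
    tpm2_createpolicy --policy-pcr -l "$pcrs" -L "$work/policy.digest"

    # -i makes this a sealed-data (KeyedHash) object rather than a key.
    tpm2_create -C "$work/primary.ctx" -i "$work/key_iv.bin" \
        -L "$work/policy.digest" -u "$work/seal.pub" -r "$work/seal.priv"
    tpm2_load -C "$work/primary.ctx" -u "$work/seal.pub" -r "$work/seal.priv" \
        -c "$work/seal.ctx"

    # Satisfy the PCR policy in a policy session and release the secret.
    tpm2_unseal -c "$work/seal.ctx" -p "pcr:$pcrs" -o "$work/unsealed.bin"
    cmp "$work/key_iv.bin" "$work/unsealed.bin"

    # The symmetric work happens on the host; the TPM only released the key.
    key=$(blob_part_hex "$work/unsealed.bin" key)
    iv=$(blob_part_hex "$work/unsealed.bin" iv)
    printf 'config secret written by the host' \
        | openssl enc -aes-128-cbc -K "$key" -iv "$iv" -out "$work/ct.bin"
    openssl enc -d -aes-128-cbc -K "$key" -iv "$iv" -in "$work/ct.bin"
    echo
    rm -rf "$work"
}

# Only talk to hardware when tpm2-tools and a TPM device (or an explicit
# TCTI, e.g. a simulator) are present; otherwise only the helpers are defined.
if command -v tpm2_getcap >/dev/null 2>&1 \
   && { [ -e /dev/tpmrm0 ] || [ -n "${TPM2TOOLS_TCTI:-}" ]; }; then
    if tpm2_getcap commands | supports_encryptdecrypt; then
        echo 'TPM2_EncryptDecrypt supported: tpm2_encryptdecrypt will work directly'
    else
        echo 'TPM2_EncryptDecrypt not supported: using seal/unseal instead'
    fi
    seal_roundtrip
fi
```

Run it on the target with tpm2-tools 4.x installed and /dev/tpmrm0 present, or with TPM2TOOLS_TCTI pointing at a simulator. If any selected PCR changes between sealing and unsealing (a firmware update, Secure Boot toggled in the BIOS menu the thread mentions), tpm2_unseal fails with a policy error instead of releasing the key, which is the property that makes this better than keeping the key in a file.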

* [tpm2] Re: Approaching 100 hours of troubleshooting
From: Frederick Gotham @ 2019-11-25 9:39 UTC
To: tpm2

When I try to run the test script "encryptdecrypt.sh", I get the following
output:

WARN: Command EncryptDecrypt is not supported by your device,
skipping...

Anyone got any idea what would cause this?


On Sun, Nov 24, 2019 at 3:11 PM Zhu, Bing <bing.zhu(a)intel.com> wrote:

> >>> I see one about fTPM but I'm not sure what it does.
>
> Firmware-based TPM, google Intel Platform Trust Technology (PTT) to know
> more details.
>
>
>
> *From:* Frederick Gotham <cauldwell.thomas(a)gmail.com>
> *Sent:* Sunday, November 24, 2019 02:07 AM
> *To:* tpm2(a)lists.01.org
> *Subject:* [tpm2] Approaching 100 hours of troubleshooting
>
>
>
> Hi
>
>
>
> I'm trying to get the TPM2 working in embedded Linux, and I've been
> troubleshooting for nearly two weeks now.
>
>
>
> I thought it would be a good idea to get the latest releases of the
> following packages:
>
>
>
>     tpm2-tss
>
>     tpm2-tools
>
>     tpm2-tss-engine
>
>
>
> And also the latest commit of: tpm2-pkcs11
>
>
>
> All I have succeeded in doing so far is getting random numbers from the
> TPM2 chip. I haven't been able to store (or retrieve) keys, nor have I been
> able to encrypt or decrypt data.
>
> The first problem I'm having is that the command line options for the
> tools (and also scripts) have been changed several times. Every time I try
> to follow an example I find on the web, I get "unrecognised option -C".
>
> In order to try to follow examples I find online, I have repeatedly upgraded
> and downgraded my versions of the packages, sometimes even mixing old tools
> with new tools (sometimes even rewinding to an historical commit in Github
> between official releases).
>
>
>
> Can someone please suggest what are the best stable versions of these
> packages for working with embedded Linux?
>
>
>
> Another thing:
>
> When my device boots up, I can go into the BIOS where I see a lot of
> options for Trusted Platform. I'm not exactly sure what these options
> actually do. Can someone advise me which settings in particular to watch
> out for? I see one about fTPM but I'm not sure what it does.


* [tpm2] Re: Approaching 100 hours of troubleshooting
From: Zhu, Bing @ 2019-11-24 15:10 UTC
To: tpm2

>>> I see one about fTPM but I'm not sure what it does.
Firmware-based TPM, google Intel Platform Trust Technology (PTT) to know more details.

From: Frederick Gotham <cauldwell.thomas(a)gmail.com>
Sent: Sunday, November 24, 2019 02:07 AM
To: tpm2(a)lists.01.org
Subject: [tpm2] Approaching 100 hours of troubleshooting

Hi

I'm trying to get the TPM2 working in embedded Linux, and I've been troubleshooting for nearly two weeks now.

I thought it would be a good idea to get the latest releases of the following packages:

    tpm2-tss
    tpm2-tools
    tpm2-tss-engine

And also the latest commit of: tpm2-pkcs11

All I have succeeded in doing so far is getting random numbers from the TPM2 chip. I haven't been able to store (or retrieve) keys, nor have I been able to encrypt or decrypt data.

The first problem I'm having is that the command line options for the tools (and also scripts) have been changed several times. Every time I try to follow an example I find on the web, I get "unrecognised option -C".

In order to try to follow examples I find online, I have repeatedly upgraded and downgraded my versions of the packages, sometimes even mixing old tools with new tools (sometimes even rewinding to an historical commit in Github between official releases).

Can someone please suggest what are the best stable versions of these packages for working with embedded Linux?

Another thing:
When my device boots up, I can go into the BIOS where I see a lot of options for Trusted Platform. I'm not exactly sure what these options actually do. Can someone advise me which settings in particular to watch out for? I see one about fTPM but I'm not sure what it does.


