* [tpm2] clevis with tpm-tools 2.1.0 (tpm2_create proper use for tpm2_unseal compatibility)
@ 2018-05-03 10:44 Peter Magnusson
From: Peter Magnusson @ 2018-05-03 10:44 UTC
  To: tpm2

Hi,

I'm trying to get clevis 9 working with Ubuntu 18 tpm-tools 2.1.0, but
clevis decrypt (tpm2_unseal) fails. I suspect the obj_attr values fed
to tpm2_create in clevis-encrypt-tpm2 might be the root cause, but I
haven't succeeded in making sense of it.

A diff on clevis-encrypt-tpm2 is included in the end of this mail.

Any helpful pointers on what the appropriate change to clevis-encrypt
would be are appreciated.

echo hi | clevis encrypt tpm2 '{}'  | clevis decrypt

tpm2_createprimary -A o --halg 0xB --kalg 0x23 -C ...primary.context
-T device -d /dev/tpmrm0
nameAlg = 0x000b
type = 0x0023
contextFile = ...primary.context

CreatePrimary Succeed ! Handle: 0x80ffffff


tpm2_load -T device -d /dev/tpmrm0 -c ...primary.context -u ...jwk.pub
-r ...jwk.priv -C ...load.context -n ...name.structure

contextParentFile = ...primary.context
contextFile = ...load.context

Load succ.
LoadedHandle: 0x80fffffe

tpm2_unseal -T device -d /dev/tpmrm0 -c ...load.context -o -
ERROR: Sys_Unseal failed. Error Code: 0x12f
Unsealing jwk from TPM failed!
diff ~/gits/clevis/src/clevis-encrypt-tpm2 /usr/local/bin/clevis-encrypt-tpm2
25c25,30
< alg_create_key="keyedhash"
---
>
> #*****************************************************
> #alg_create_key="keyedhash"
> alg_create_key=0x8
> #*****************************************************
>
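Review bot: `alg_create_key=0x8` replaces a self-describing name with a bare number, and the commented-out line above it does not say why, so the next reader has to rediscover that 0x0008 is TPM2_ALG_KEYEDHASH and that this tpm2-tools version only takes numeric algorithm IDs (the log above shows `--halg 0xB --kalg 0x23`, and the createprimary hunk below translates names the same way). Put that in the comment, e.g. `alg_create_key=0x8  # TPM2_ALG_KEYEDHASH; 2.x takes numeric IDs`, and drop the `#*****` banner lines.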
27c32,56
< obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy"
---
>
> #*****************************************************
> #obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy"
> #obj_attr=0x4B2 #0x00000002 + 0x00000010 + 0x00000020 + 0x00000400 + 0x00000080  -- error 0x2d2: incompatible scheme
> #obj_attr=0x4A2 #0x00000002 + 0x00000020 + 0x00000400 + 0x00000080               -- error 0x2c2: inconsistent attributes
> #obj_attr=0x492 #0x00000002 + 0x00000010 + 0x00000020 + 0x00000400 + 0x00000080  -- error 0x1c2: inconsistent attributes
> #obj_attr=0x432 #0x00000002 + 0x00000010 + 0x00000020 + 0x00000400                -- error 0x2d2
> obj_attr=0x404B2
> #define TPMA_OBJECT_RESERVED1_MASK       0x00000001 /* shall be zero */
> #define TPMA_OBJECT_FIXEDTPM             0x00000002 /* SET 1 The hierarchy of the object as indicated by its Qualified Name may not change. CLEAR 0 The hierarchy of the object may change as a result of this object or an ancestor key being duplicated for use in another hierarchy. */
> #define TPMA_OBJECT_STCLEAR              0x00000004 /* SET 1 Previously saved contexts of this object may not be loaded after StartupCLEAR. CLEAR 0 Saved contexts of this object may be used after a ShutdownSTATE and subsequent Startup. */
> #define TPMA_OBJECT_RESERVED2_MASK       0x00000008 /* shall be zero */
> #define TPMA_OBJECT_FIXEDPARENT          0x00000010 /* SET 1 The parent of the object may not change. CLEAR 0 The parent of the object may change as the result of a TPM2_Duplicate of the object. */
> #define TPMA_OBJECT_SENSITIVEDATAORIGIN  0x00000020 /* SET 1 Indicates that when the object was created with TPM2_Create or TPM2_CreatePrimary the TPM generated all of the sensitive data other than the authValue. CLEAR 0 A portion of the sensitive data other than the authValue was provided by the caller. */
> #define TPMA_OBJECT_USERWITHAUTH         0x00000040 /* SET 1 Approval of USER role actions with this object may be with an HMAC session or with a password using the authValue of the object or a policy session. CLEAR 0 Approval of USER role actions with this object may only be done with a policy session. */
> #define TPMA_OBJECT_ADMINWITHPOLICY      0x00000080 /* SET 1 Approval of ADMIN role actions with this object may only be done with a policy session. CLEAR 0 Approval of ADMIN role actions with this object may be with an HMAC session or with a password using the authValue of the object or a policy session. */
> #define TPMA_OBJECT_RESERVED3_MASK       0x00000300 /* shall be zero */
> #define TPMA_OBJECT_NODA                 0x00000400 /* SET 1 The object is not subject to dictionary attack protections. CLEAR 0 The object is subject to dictionary attack protections. */
> #define TPMA_OBJECT_ENCRYPTEDDUPLICATION 0x00000800 /* SET 1 If the object is duplicated then symmetricAlg shall not be TPM2_ALG_NULL and newParentHandle shall not be TPM2_RH_NULL. CLEAR 0 The object may be duplicated without an inner wrapper on the private portion of the object and the new parent may be TPM2_RH_NULL. */
> #define TPMA_OBJECT_RESERVED4_MASK       0x0000F000 /* shall be zero */
> #define TPMA_OBJECT_RESTRICTED           0x00010000 /* SET 1 Key usage is restricted to manipulate structures of known format the parent of this key shall have restricted SET. CLEAR 0 Key usage is not restricted to use on special formats. */
> #define TPMA_OBJECT_DECRYPT              0x00020000 /* SET 1 The private portion of the key may be used to decrypt. CLEAR 0 The private portion of the key may not be used to decrypt. */
> #define TPMA_OBJECT_SIGN_ENCRYPT         0x00040000 /* SET 1 For a symmetric cipher object the private portion of the key may be used to encrypt.  For other objects the private portion of the key may be used to sign. CLEAR 0 The private portion of the key may not be used to sign or encrypt. */
> #define TPMA_OBJECT_RESERVED5_MASK       0xFFF80000 /* shall be zero */
> #*****************************************************
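Review bot: `obj_attr=0x404B2` is 0x4B2 plus 0x40000, which the table pasted right under it names TPMA_OBJECT_SIGN_ENCRYPT, so this turns the keyedhash object into an HMAC signing key; TPM2_Unseal only accepts a keyedHash object with restricted, decrypt and sign all CLEAR and returns TPM_RC_ATTRIBUTES otherwise, so a blob created with this value can never be unsealed whatever tool version is used later. The 0x2d2 noted against 0x4B2 and 0x432 decodes as TPM_RC_SCHEME on parameter 2 (inPublic): for a keyedHash object with sign and decrypt CLEAR the TPM requires the scheme to be TPM_ALG_NULL, so the real failure is the scheme this tpm2_create puts into inPublic, and setting SIGN_ENCRYPT only hides it by changing what gets created. Two smaller points: the `#obj_attr=0x492` comment lists 0x00000020, but 0x492 does not contain it (0x2 + 0x10 + 0x80 + 0x400 = 0x492; the listed terms sum to 0x4B2), and the whole TPMA_OBJECT #define table belongs in a reference comment or the commit message, not inline in the script.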
102c131,161
< if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C
$TMP/primary.context; then
---
> #if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C $TMP/primary.context; then
> #************************************************************
> case $hash in
>  sha1)
>   __hash='0x4'
>   ;;
>  sha256)
>   __hash='0xB'
>   ;;
>  sha384)
>   __hash='0xC'
>   ;;
>  *)
>   echo "*** hash converter failed...****" >&2
>   exit 1;
> esac
> case $key in
>  rsa)
>   __key='0x1'
>   ;;
>  ecc)
>   __key='0x23'
>   ;;
>  *)
>   echo "*** key converter failed...****" >&2
>   exit 1;
> esac
>
> #echo tpm2_createprimary -A "$auth" --halg "$__hash" --kalg "$__key" -C $TMP/primary.context -T $TPM2TOOLS_TCTI_NAME -d $TPM2TOOLS_DEVICE_FILE
> if ! tpm2_createprimary -A "$auth" --halg "$__hash" --kalg "$__key" -C $TMP/primary.context -T $TPM2TOOLS_TCTI_NAME -d $TPM2TOOLS_DEVICE_FILE >/dev/null; then
> #************************************************************
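Review bot: both `case` blocks exit for anything other than sha1/sha256/sha384 and rsa/ecc, so any other value in `$hash` or `$key` now aborts encryption with a message that does not even name the value; add the remaining IDs this tpm2-tools build accepts (sha512 is 0xD) or at least print the offending value. Separately, `$TPM2TOOLS_TCTI_NAME` and `$TPM2TOOLS_DEVICE_FILE` are expanded unquoted and nothing in this diff sets or checks them; an unset variable simply disappears from the argument list, so `-T` would swallow `-d` as its value. Quote them and fail early if either is empty. The commented-out `#echo tpm2_createprimary …` debugging line should not be committed.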
128,129c187,191
< if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c
$TMP/primary.context -u $TMP/jwk.pub \
<      -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then
---
> #if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
> #     -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then
> #echo tpm2_create -A "$obj_attr" -g "$__hash" -G "$alg_create_key" -c $TMP/primary.context --opu $TMP/jwk.pub --opr $TMP/jwk.priv $policy_options -T $TPM2TOOLS_TCTI_NAME -d $TPM2TOOLS_DEVICE_FILE >&2
> if ! tpm2_create -A "$obj_attr" -g "$__hash" -G "$alg_create_key" -c $TMP/primary.context --opu $TMP/jwk.pub --opr $TMP/jwk.priv $policy_options -T $TPM2TOOLS_TCTI_NAME -d $TPM2TOOLS_DEVICE_FILE <<< "$jwk" >/dev/null; then
> #if ! tpm2_create -A "$obj_attr" -g "$__hash" -G "$alg_create_key" -c $TMP/primary.context --opu $TMP/jwk.pub --opr $TMP/jwk.priv $policy_options -T $TPM2TOOLS_TCTI_NAME -d $TPM2TOOLS_DEVICE_FILE <<< "$jwk"; then
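Review bot: the live tpm2_create line drops `-I-` but keeps `<<< "$jwk"`, so the JWK is written to a stdin that nothing reads and the object is created with an empty inSensitive.data: no key material is sealed at all. That matches the `0x1c2` recorded in the obj_attr hunk, which decodes as TPM_RC_ATTRIBUTES on parameter 1 (inSensitive), the code for sensitiveDataOrigin CLEAR with empty data. Keep the here-string and pass the sensitive-data input option under whatever name this tpm2_create version spells it (check its `--help`), or write `$jwk` to a file under `$TMP` and pass that path; and delete the two commented-out variants of the command.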

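As an added illustration, not code from this thread or from clevis or tpm2-tools, here is a small Python decoder for the attribute words tried above. The bit values are the TPMA_OBJECT definitions quoted in the diff; the rules it checks are the TPM2_Create and TPM2_Unseal requirements from the TPM 2.0 Library specification, applied to the attribute word as the TPM receives it in inPublic (whether a particular tpm2_create build rewrites bits such as sensitivedataorigin before sending the command is version specific and not shown in the thread). The attribute strings and hex values are the ones from the diff; the function names are my own.

```python
"""Decode TPMA_OBJECT attribute words and check them against what the TPM
requires of a sealed data object (the only kind TPM2_Unseal will open).
Bit values: TPM 2.0 Library Part 2, TPMA_OBJECT; rules: Part 3,
TPM2_Create and TPM2_Unseal response codes."""

# Names are the ones tpm2-tools accepts in -A; values match the #define table
# quoted in the diff above.
TPMA_OBJECT = {
    "fixedtpm":             0x00000002,
    "stclear":              0x00000004,
    "fixedparent":          0x00000010,
    "sensitivedataorigin":  0x00000020,
    "userwithauth":         0x00000040,
    "adminwithpolicy":      0x00000080,
    "noda":                 0x00000400,
    "encryptedduplication": 0x00000800,
    "restricted":           0x00010000,
    "decrypt":              0x00020000,
    "sign":                 0x00040000,
}
RESERVED = 0x00000001 | 0x00000008 | 0x00000300 | 0x0000F000 | 0xFFF80000


def parse_attrs(spec):
    """Turn 'a|b|c' (tpm2-tools syntax), '0x4b2' or an int into the 32-bit word."""
    if isinstance(spec, int):
        return spec
    text = spec.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    word = 0
    for name in text.split("|"):
        key = name.strip().lower()
        if key not in TPMA_OBJECT:
            raise ValueError(f"unknown TPMA_OBJECT attribute {name!r}")
        word |= TPMA_OBJECT[key]
    return word


def attr_names(word):
    """Named bits set in `word`, in bit order."""
    return [n for n, bit in TPMA_OBJECT.items() if word & bit]


def required_user_auth(word):
    """How USER-role commands such as TPM2_Unseal must be authorized."""
    if word & TPMA_OBJECT["userwithauth"]:
        return "password/HMAC session or policy session"
    # userWithAuth CLEAR: a password or HMAC session is refused with
    # TPM_RC_AUTH_UNAVAILABLE; only a policy session satisfying authPolicy works.
    return "policy session only"


def check_sealed_object(word, data_supplied=True):
    """Problems that stop `word` from describing an unsealable keyedHash blob.

    Each entry is one rule from TPM2_Create / TPM2_Unseal; an empty list means
    the attribute word itself is fine (scheme, policy and auth are separate).
    """
    problems = []
    if word & RESERVED:
        problems.append("reserved bits set (TPM_RC_RESERVED_BITS)")
    # TPM2_Unseal refuses objects with restricted, decrypt or sign SET.
    for n in ("restricted", "decrypt", "sign"):
        if word & TPMA_OBJECT[n]:
            problems.append(f"{n} SET: object is a key, TPM2_Unseal returns TPM_RC_ATTRIBUTES")
    # TPM2_Create: sensitiveDataOrigin SET requires empty inSensitive.data and
    # CLEAR requires non-empty data; either mismatch is TPM_RC_ATTRIBUTES.
    sdo = bool(word & TPMA_OBJECT["sensitivedataorigin"])
    if sdo and data_supplied:
        problems.append("sensitivedataorigin SET but caller supplies the data")
    if not sdo and not data_supplied:
        problems.append("sensitivedataorigin CLEAR but no data supplied")
    # fixedTPM is only allowed together with fixedParent.
    if word & TPMA_OBJECT["fixedtpm"] and not word & TPMA_OBJECT["fixedparent"]:
        problems.append("fixedtpm SET without fixedparent")
    return problems


if __name__ == "__main__":
    for spec in ("fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy",
                 "0x4A2", "0x492", "0x404B2"):
        word = parse_attrs(spec)
        print(f"{spec:>62} = 0x{word:05X} {attr_names(word)}")
        print(f"{'':>62}   auth: {required_user_auth(word)}")
        for p in check_sealed_object(word):
            print(f"{'':>62}   ! {p}")
```

Run over the values from the diff, 0x404B2 reports sign SET, which is why nothing built with it can be unsealed, 0x4A2 reports fixedtpm without fixedparent (the "inconsistent attributes" that value produced), and 0x492 comes back clean when data is supplied, so with that value any remaining TPM_RC_ATTRIBUTES must concern inSensitive rather than inPublic. Every value in the diff leaves userwithauth CLEAR, so all of them require a policy session at unseal time.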

* Re: [tpm2] clevis with tpm-tools 2.1.0 (tpm2_create proper use for tpm2_unseal compatibility)
@ 2018-05-04 12:16 Javier Martinez Canillas
From: Javier Martinez Canillas @ 2018-05-04 12:16 UTC
  To: tpm2

Hi Peter,

On 05/04/2018 12:38 PM, Peter Magnusson wrote:
> thanks, that worked out very well!
>

I'm glad it worked.
 
> echo hi | clevis encrypt tpm2 '{}' | clevis decrypt
> hi
> 
> Also needed to build dracut, clevis from source to resolve some (Ubuntu
> specific?) problems,

Since you are using Ubuntu, you may be interested in this PR for clevis
that allows it to be used with initramfs-tools instead of dracut:

https://github.com/latchset/clevis/pull/35

Best regards
-- 
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat


* Re: [tpm2] clevis with tpm-tools 2.1.0 (tpm2_create proper use for tpm2_unseal compatibility)
@ 2018-05-04 10:38 Peter Magnusson
From: Peter Magnusson @ 2018-05-04 10:38 UTC
  To: tpm2

thanks, that worked out very well!

echo hi | clevis encrypt tpm2 '{}' | clevis decrypt
hi

Also needed to build dracut and clevis from source to resolve some (Ubuntu
specific?) problems:
TAG_TPM2_TSS=1.4.0
TAG_TPM2_ABRMD=1.3.1
TAG_TPM2_TOOLS=3.0.4
TAG_DRACUT=047
TAG_CLEVIS=v9

And dracut needed:
/usr/lib/dracut/dracut.conf.d/crc32c.conf: add_drivers=" crc32_pclmul "

On Thu, May 3, 2018 at 5:01 PM Javier Martinez Canillas <javierm(a)redhat.com>
wrote:

> [adding back the mailing list since I dropped it by mistake]
>
> On 05/03/2018 04:50 PM, Peter Magnusson wrote:
> > Thanks!
> >
> > Any particular tag that you would recommend building the tools from, or
> > is master:head the way to go?
> >
>
> I would recommend the latest stable versions. So that would be the
> following:
>
> tpm2-tools 3.0.4
> tpm2-tss 1.4.0
> tpm2-abrmd 1.3.1
>
> The problem with master is that it's still a moving target. As mentioned
> in the clevis issue, I'll propose a patch to make the tpm2 pin to support
> tpm2-tools 4 as soon as this is released.
>
> > //P
> > On Thu, May 3, 2018 at 2:56 PM Javier Martinez Canillas
> > <javierm(a)redhat.com> wrote:
> >
> >> Hi Peter,
> >
> >> On 05/03/2018 12:44 PM, Peter Magnusson wrote:
> >>> Hi,
> >>>
> >>> I'm trying to get clevis 9 working with Ubuntu18 tpm-tools 2.1.0, but
> >>> clevis decrypt (tpm2_unseal) fails. I suspect the obj_attr values fed
> >
> >> I don't think that's going to work. The reason why I started
> >> contributing to this project was because the 2.X unseal support wasn't
> >> really working.
> >
> >> The problem is that some TPM2.0 commands require an authorization
> >> session (if the tag is TPM_ST_SESSIONS), and this is the case for the
> >> TPM2_Unseal command but support for this isn't supported in the 2.X
> >> release.
> >
> >> So you need at the very least the following commits that landed in 3.X:
> >
> >> 287eeb92555a tpm2_unseal: use build_policy() from tpm2 policy instead
> >> open coding it
> >> 5435e1d79662 tpm2_unseal: add support to unseal an object using a PCR
> >> policy for auth
> >> 141974c84508 tools: don't use relative path for tpm2_util.h header
> >> include
> >> b8a442325361 tpm2_unseal: Adding support for session handle input for
> >> policy based authorization
> >> 1b3efb759117 tpm2_unseal: don't copy optarg variable for context item
> >> file
> >> 8aa7f644386d tpm2_unseal: allow to write unsealed data to the standard
> >> output
> >> 2cd3feaff067 tpm2_unseal: don't copy the optarg variable for the output
> >> file option
> >> df751ae5bea0 tpm2_unseal: fix unsealed data object serialization
> >
> >> More information is on the issue I opened at the time and the
> >> follow-up:
> >
> >> https://github.com/tpm2-software/tpm2-tools/issues/313
> >> https://github.com/tpm2-software/tpm2-tools/issues/510
> >
> >>>
> >>> tpm2_unseal -T device -d /dev/tpmrm0 -c ...load.context -o -
> >>> ERROR: Sys_Unseal failed. Error Code: 0x12f
> >>> Unsealing jwk from TPM failed!
> >
> >> $ tpm2_rc_decode 0x12f
> >> tpm:error(2.0): authValue or authPolicy is not available for selected
> >> entity
> >
> >> You can see that's the issue I mentioned above about the missing
> >> authorization session.
> >
>
> Best regards,
> --
> Javier Martinez Canillas
> Software Engineer - Desktop Hardware Enablement
> Red Hat


* Re: [tpm2] clevis with tpm-tools 2.1.0 (tpm2_create proper use for tpm2_unseal compatibility)
@ 2018-05-03 15:01 Javier Martinez Canillas
From: Javier Martinez Canillas @ 2018-05-03 15:01 UTC
  To: tpm2

[adding back the mailing list since I dropped it by mistake]

On 05/03/2018 04:50 PM, Peter Magnusson wrote:
> Thanks!
> 
> Any particular tag that you would recommend building the tools from, or is
> master:head the way to go?
>

I would recommend the latest stable versions. So that would be the following:

tpm2-tools 3.0.4
tpm2-tss 1.4.0
tpm2-abrmd 1.3.1

The problem with master is that it's still a moving target. As mentioned in the
clevis issue, I'll propose a patch to make the tpm2 pin to support tpm2-tools 4
as soon as this is released.
 
> //P
> On Thu, May 3, 2018 at 2:56 PM Javier Martinez Canillas <javierm(a)redhat.com>
> wrote:
> 
>> Hi Peter,
> 
>> On 05/03/2018 12:44 PM, Peter Magnusson wrote:
>>> Hi,
>>>
>>> I'm trying to get clevis 9 working with Ubuntu18 tpm-tools 2.1.0, but
>>> clevis decrypt (tpm2_unseal) fails. I suspect the obj_attr values fed
> 
>> I don't think that's going to work. The reason why I started contributing
>> to this project was because the 2.X unseal support wasn't really working.
> 
>> The problem is that some TPM2.0 commands require an authorization session
>> (if the tag is TPM_ST_SESSIONS), and this is the case for the TPM2_Unseal
>> command but support for this isn't supported in the 2.X release.
> 
>> So you need at the very least the following commits that landed in 3.X:
> 
>> 287eeb92555a tpm2_unseal: use build_policy() from tpm2 policy instead
>> open coding it
>> 5435e1d79662 tpm2_unseal: add support to unseal an object using a PCR
>> policy for auth
>> 141974c84508 tools: don't use relative path for tpm2_util.h header include
>> b8a442325361 tpm2_unseal: Adding support for session handle input for
>> policy based authorization
>> 1b3efb759117 tpm2_unseal: don't copy optarg variable for context item file
>> 8aa7f644386d tpm2_unseal: allow to write unsealed data to the standard
>> output
>> 2cd3feaff067 tpm2_unseal: don't copy the optarg variable for the output
>> file option
>> df751ae5bea0 tpm2_unseal: fix unsealed data object serialization
> 
>> More information is on the issue I opened at the time and the follow-up:
> 
>> https://github.com/tpm2-software/tpm2-tools/issues/313
>> https://github.com/tpm2-software/tpm2-tools/issues/510
> 
>>>
>>> tpm2_unseal -T device -d /dev/tpmrm0 -c ...load.context -o -
>>> ERROR: Sys_Unseal failed. Error Code: 0x12f
>>> Unsealing jwk from TPM failed!
> 
>> $ tpm2_rc_decode 0x12f
>> tpm:error(2.0): authValue or authPolicy is not available for selected
>> entity
> 
>> You can see that's the issue I mentioned above about the missing
>> authorization session.
> 

Best regards,
-- 
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat

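The two points in this reply, that TPM2_Unseal needs the TPM_ST_SESSIONS tag with an authorization area and that 0x12f decodes to TPM_RC_AUTH_UNAVAILABLE, in code, as an added example that is not part of the thread or of tpm2-tools: a response-code decoder applying the same layout rules tpm2_rc_decode applies, and a serializer for the TPM2_Unseal command bytes. Constants and the quoted descriptions are from TPM 2.0 Library Part 2; the transient handle 0x80fffffe is the one tpm2_load printed in the first message, and the 0x2d2/0x2c2/0x1c2 codes are the ones recorded in its diff. The function names, the password-session-only serializer and the table subset are my own choices.

```python
"""TPM 2.0 response-code decoding and TPM2_Unseal command framing.
Layouts and constants follow TPM 2.0 Library Part 2 (response codes,
TPM_ST, TPM_CC, TPMS_AUTH_COMMAND)."""
import struct

RC_VER1 = 0x100  # bit 8: TPM 2.0 format-0 code
RC_FMT1 = 0x080  # bit 7: format-1 code that also names a handle/session/parameter
RC_WARN = 0x800  # bit 11 of a format-0 code: warning rather than error
RC_P    = 0x040  # bit 6 of a format-1 code: the index refers to a parameter

FMT0 = {  # RC_VER1 + n; descriptions are the spec text (what tpm2_rc_decode prints)
    0x025: ("TPM_RC_AUTH_MISSING", "command requires an authorization session for handle and it is not present"),
    0x026: ("TPM_RC_POLICY", "policy failure in math operation or an invalid authPolicy value"),
    0x027: ("TPM_RC_PCR", "PCR check fail"),
    0x028: ("TPM_RC_PCR_CHANGED", "PCR have changed since checked"),
    0x02F: ("TPM_RC_AUTH_UNAVAILABLE", "authValue or authPolicy is not available for selected entity"),
    0x044: ("TPM_RC_AUTHSIZE", "authorizationSize is out of range or the number of octets in the Authorization Area is greater than required"),
}
WARN = {  # RC_WARN + n
    0x021: ("TPM_RC_LOCKOUT", "authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode"),
    0x022: ("TPM_RC_RETRY", "the TPM was not able to start the command"),
}
FMT1 = {  # RC_FMT1 + n
    0x002: ("TPM_RC_ATTRIBUTES", "inconsistent attributes"),
    0x004: ("TPM_RC_VALUE", "value is out of range or is not correct for the context"),
    0x00A: ("TPM_RC_TYPE", "the type of the value is not appropriate for the use"),
    0x00E: ("TPM_RC_AUTH_FAIL", "the authorization HMAC check failed and DA counter incremented"),
    0x012: ("TPM_RC_SCHEME", "unsupported or incompatible scheme"),
    0x015: ("TPM_RC_SIZE", "structure is the wrong size"),
    0x01D: ("TPM_RC_POLICY_FAIL", "a policy check failed"),
    0x022: ("TPM_RC_BAD_AUTH", "authorization failure without DA implications"),
}


def decode_rc(rc):
    """Return {'name', 'description', 'where', 'layer'} for a raw response code.

    Bits 16 and up identify the TSS layer that produced the code; the TPM
    itself never sets them, so a non-zero layer means the stack, not the TPM.
    """
    code = rc & 0xFFF
    if code & RC_FMT1:
        idx = (code >> 8) & 0xF
        if code & RC_P:
            where = f"parameter {idx}"
        elif idx & 0x8:
            where = f"session {idx & 0x7}"
        else:
            where = f"handle {idx}"
        name, desc = FMT1.get(code & 0x3F, ("unknown format-1 code", ""))
    elif code & RC_VER1:
        where = None
        table = WARN if code & RC_WARN else FMT0
        name, desc = table.get(code & 0x7F, ("unknown format-0 code", ""))
    else:
        where, name, desc = None, "TPM 1.2 compatible code", ""
    return {"name": name, "description": desc, "where": where, "layer": rc >> 16}


TPM_ST_SESSIONS = 0x8002     # TPM_ST_NO_SESSIONS is 0x8001
TPM_CC_UNSEAL   = 0x0000015E
TPM_RS_PW       = 0x40000009  # the TPM's built-in password session handle


def build_unseal_command(item_handle, auth_value=b""):
    """Bytes of TPM2_Unseal(itemHandle) authorized with the password session.

    itemHandle carries USER-role authorization, so the tag must be
    TPM_ST_SESSIONS and a TPMS_AUTH_COMMAND must follow the handle. For the
    objects in the thread, whose userWithAuth is CLEAR, the TPM answers this
    password authorization with TPM_RC_AUTH_UNAVAILABLE; a real client puts
    the handle of a satisfied policy session here instead (its nonce/HMAC
    rules are in Part 1 and are not implemented in this example).
    """
    nonce = b""
    session_attrs = 0x00        # TPMA_SESSION with continueSession CLEAR
    auth = (struct.pack(">IH", TPM_RS_PW, len(nonce)) + nonce
            + struct.pack(">BH", session_attrs, len(auth_value)) + auth_value)
    body = struct.pack(">II", item_handle, len(auth)) + auth
    size = 10 + len(body)       # tag(2) + commandSize(4) + commandCode(4)
    return struct.pack(">HII", TPM_ST_SESSIONS, size, TPM_CC_UNSEAL) + body


def parse_command_header(buf):
    """(tag, commandSize, commandCode) of a serialized command; checks the size."""
    tag, size, cc = struct.unpack(">HII", buf[:10])
    if size != len(buf):
        raise ValueError("commandSize does not match buffer length")
    return tag, size, cc


if __name__ == "__main__":
    for rc in (0x12f, 0x2d2, 0x2c2, 0x1c2, 0x98e):
        d = decode_rc(rc)
        print(f"0x{rc:03x}: {d['name']} ({d['where']}) - {d['description']}")
    print(build_unseal_command(0x80fffffe).hex())
```

decode_rc(0x12f) gives TPM_RC_AUTH_UNAVAILABLE with no index because it is a format-0 code; the three tpm2_create failures in the first message are format-1 codes that name the offending parameter (0x2d2 and 0x2c2 point at parameter 2, inPublic; 0x1c2 at parameter 1, inSensitive). build_unseal_command shows why a tool without session support cannot issue this command at all: the authorization area is part of the wire format, not an option.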
