There's an unfortunate confusion in naming here. The tpm2-tss project is a set of libraries which contain all levels of the C API, including the low level SAPI, the low-level-with-sane-defaults-and implementations ESAPI, and the high-level FAPI. The tpm2-tools project is a set of high-level command line tools. Tools beginning with tpm2 are based mostly on the ESAPI though they used to be SAPI. The TPM commands that the SAPI and ESAPI functions ape start with tpm2. Tools beginning with tss2 are based on the FAPI library functions for some reason, maybe to ape the older IBM implementation? Any tool has significantly more helper code than the TSS C library and even the tpm2 commands are pretty high level. The model of the ESAPI/tpm2 commands makes storing objects in the tpm rather than on disk more straightforward or possible at all. But managing that is difficult which is why it's discouraged. On Mon, Jun 21, 2021, 3:17 PM @rubynerd wrote: > Hi both, > > Thank you for your responses — I appreciate your time. My apologies for > the delay in response, I've been on-call for the past week and the shift > picked up at the end. > > I've started to read through the specification, but it is quite meaty. I > initially shied away from reading it because I assumed it was for > implementers of TPMs (i.e. TPM manufacturers) and not for > application implementation, but that doesn't seem to be the case. I'm > working my way through it, but as this isn't my day job right now it's > quite slow going. > > Bill — thank you for the code examples: it's actually the best explainer > I've seen for how to use the different components of tpm2-tools together. > Your example is almost exactly what I need, but I'm looking to keep the > private key hidden & unavailable to the host, and also send the public key > & corresponding attestation statement to a remote server, so the remote > server can validate the attestation statement, then encrypt the secrets it > needs to deliver to the host. The remote server can — if my understanding > of TPMs is correct! — deliver the encrypted secrets to the host with the > relatively secure understanding that only that host can decrypt them. > > I'm pretty confident it's possible to prototype the above with both > tpm2-tools and your explanation above, and I'll continue when I get a > little bit of free time. > > Concerning TSS: does TSS operate at a higher or lower level than the tools > presented in tpm2-tools? I assumed that because tpm2-tools was compiled > against tpm2-tss, it was a lower level API, but if it's possible to do what > I'm looking to do in less steps, it seems like it should be higher? I > didn't notice any executables produced when I compiled it for tpm2-tools, > but I can check again. > > Because a command I was looking to use (I think "getekcertificate") wasn't > present in the Ubuntu packaged tpm2-tools, I compiled the latest version > from source, but the end result is one executable linked against several > object files ("tpm2_getekcertificate" has become "tpm2 getekcertificate"), > which added another layer of confusion because the commands above don't > necessarily work as documented via StackOverflow. > > Once again, thank you so much for the assistance with navigation, I really > appreciate it. Whilst my C skills are suboptimal at best, I am more than > happy to contribute documentation upstream if there is interest. > > Thanks, > Luke > > On Fri, Jun 18, 2021 at 5:20 PM Roberts, William C < > william.c.roberts(a)intel.com> wrote: > >> Some tpm2-tools support --format=pem​. Make sure you're on a 4.0+ >> version. If you're on master, >> you can even get the pem file during creation time. I am going to provide >> what you can do with tpm2-tools, >> however, there are also tools that start with tss2 prefix that use a >> higher level API called FAPI. Those tools >> might do what you want with far less steps then the tpm2 prefixed tools. >> I CC'd Andreas Fuchs so he can >> advise on those tools. >> >> # versions >= 4.0 >> tpm2_createprimary -c primary.ctx >> tpm2_readpublic --format=pem -o key.pem -c primary.ctx >> >> head key.pem >> -----BEGIN PUBLIC KEY----- >> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtFeWoma5eS7x7XjR1QWp >> >> >> # master >> tpm2_createprimary -c primary.ctx --format=pem -o key.pem >> >> For keys created with tpm2_create, you can use the readpublic option or >> use tpm2_print >> # readpublic example >> tpm2_create -C primary.ctx -u key.pub -r key.priv >> tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx >> tpm2_readpublic --format=pem -o key.pem -c key.ctx >> >> # print example >> tpm2 print --type TPM2B_PUBLIC --format=pem key.pub >> -----BEGIN PUBLIC KEY----- >> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwEDts9Y64CGuHPjT/8nC >> >> >> For the other portion of your question is "encrypting application >> secrets" to the TPM. >> >> Thier's a few ways you could do this, but I would suggest using the >> sealing function. >> It creates a TPM protected object but instead of it containing a key the >> tpm knows >> how to use, it contains free form userdata, like the application >> secretes, or if those >> are too large to store in the TPM, an AES key to wrap those with. >> >> I would choose sealing first, it's the simplest. For AES wrapping I would >> pick >> AES 256 GCM but the key type and mode is up to you. >> >> To seal a secret, one would use tpm2_create with the -i option: >> >> # read secret from stdin with -i -, or use -i to read from a file. >> tpm2_create -C primary.ctx -i- -u key.pub -r key.priv <<< 'MY SECRET' >> >> # load >> tpm2 load -C primary.ctx -u key.pub -r key.priv -c key.ctx >> >> # unseal secret from TPM >> tpm2 unseal -c key.ctx >> MY SECRET >> >> # for wrapping a secret with an AES Key, just make 'MY SECRET' an AES key >> and use >> openssl commands. Examples can be found here: >> https://wiki.openssl.org/index.php/Enc >> >> >> You can set passwords and policies on TPM objects as you see fit, and we >> can help >> you craft a policy. >> >> The man pages for the tools should have examples, you can just view the >> markdown on >> the github wiki as well: >> >> https://github.com/tpm2-software/tpm2-tools/tree/master/man >> >> >> There are also examples in the test directory. >> >> Bill >> ------------------------------ >> *From:* Steven Clark >> *Sent:* Wednesday, June 16, 2021 8:33 PM >> *To:* @rubynerd >> *Cc:* tpm2 >> *Subject:* [tpm2] Re: Sample applications >> >> On Wed, Jun 16, 2021 at 3:12 PM @rubynerd wrote: >> > >> > Hi all, >> > >> > I'm looking to build an application which creates a key on a TPM & uses >> the TPM to decrypt some application initialisation secrets delivered to the >> application via a control-plane, which verifies the key the TPM will use is >> on a TPM. >> > >> > I'm struggling to find any sample applications/explanations/cookbooks >> for tmp2-tools to prototype out how this would work — in fact, I can't find >> an explainer of how to convert a key from "tss" format to PEM format. Is >> there something I've missed, or is there a sample TPM application or >> something kicking about I can refer to? I'm aware there are specification >> PDF's, but these are unapproachable to someone with attention-span >> disabilities. >> > >> > Thanks, >> > Luke >> > _______________________________________________ >> > tpm2 mailing list -- tpm2(a)lists.01.org >> > To unsubscribe send an email to tpm2-leave(a)lists.01.org >> > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s >> >> With tpm2-tools it's pretty easy if you've got a remotely up to date >> version. Most of the tools that need to interact with outside keys >> natively support the SSL key types. So you just interact with them on >> the command line. >> >> If you want to actually program using the ESAPI and use outside key >> formats my recommendation would be get comfortable reading the >> structure definitions in the TPM2 specs (sometimes assisted by the >> actual header files from the TSS), the ESAPI spec, and the OpenSSL API >> man pages and learn to tear a key down into low level structures in >> one API to reassemble in the other format. The math is still the same >> after all. >> _______________________________________________ >> tpm2 mailing list -- tpm2(a)lists.01.org >> To unsubscribe send an email to tpm2-leave(a)lists.01.org >> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s >> >