Hi Phani,

 

I don’t know the error code in particular, but the messages say that you triggered the DA Lockout security mechanism. This mechanism is implemented to block Dictionary Attacks (DA), which are used by attackers to try out as many passwords as possible in a short amount of time. Dictionaries with typical passwords improve the efficiency of those attacks.

The TPM blocks this with a lockout, i.e. if you have tried too many false authorizations in a short period of time, the TPM blocks any further requests until a timer runs out. The time increases as more false authorizations are executed.

 

Therefore it seems you triggered the DA lockout with this timeout in the first runs, and later on the TPM reports that it is still in the DA Lockout.

A recovery method is to leave the TPM powered and wait for the timeout to be over. After that the TPM should work normally.

There are commands available with which you can read the amount of time the timeout still takes. There are also commands that allow you to reset the DA Lockout using the DA Lockout Auth, so that you don’t need to wait for the timeout. The DA Lockout Auth is, for example, the password of the admin.

 

As you are using the Simulator, there should also be a simple method to erase the persistent data stored in the simulator, as it provides no security.

 

Best,

Florian

 

 

Infineon Technologies AG

Security Architect

IFAG DSS ESS TCE

Office: +49 89 234 21833

Mobile: +49 (160) 90105611

Fax: +49 (89) 234 152183300

Florian.Schreiner@infineon.com

 

81726 Munich

Germany


 

From: Phani Srinivas <phani.srinivas@in.abb.com>
Sent: Donnerstag, 6. August 2020 15:17
To: tpm2@lists.01.org
Subject: [tpm2] Debugging tpm2 tools based of FAPI


Hello All,

 

I was successful in making the FAPI integration tests work and tried out some of the scenarios of creating keys and performing key operations.

 

But when I used the tools based on FAPI, I see the following errors:

 

export TPM20TEST_TCTI=mssim:host=127.0.0.1,port=2321
root@edgesec101:/home/edgesec100/phaniWS/tpm2_tools/tpm2-tools/tools/fapi# ./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x0000098e) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x0000098e) Provision
Fapi_Provision(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented

 

And later I removed the NVChip created in the simulator dir, and when I ran it again I saw a different error:

 

./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x00000921) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x00000921) Provision
Fapi_Provision(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode

 

 

I couldn’t find in the documentation any prerequisites to follow to make the tpm2 tools based on FAPI work.

 

I see some RM configuration to be done, but I was not successful in my trials. Any suggestions on how the environment should be set up to make the tpm2 tools based on FAPI work?

 

 

Regards

Phani Srinivas S

R&D Principal Engineer ABB
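Added example, not code from either message or from tpm2-tools itself: the check-and-recover sequence Florian describes (read the DA counters and the lockout recovery interval, then clear the lockout with the DA Lockout Auth instead of waiting) for the 0x921 state in Phani's log, using tpm2-tools 5.x commands. The capability text the parser expects is assumed to be the `tpm2_getcap properties-variable` output format, and TPM2TOOLS_TCTI and LOCKOUT_AUTH are assumed environment variables.

```shell
#!/bin/sh
# Added example (not from the thread or from tpm2-tools): read the TPM's
# dictionary-attack (DA) lockout state and recover from it with tpm2-tools 5.x.
# Assumes TPM2TOOLS_TCTI points at the TPM, e.g. mssim:host=127.0.0.1,port=2321
# for the simulator, and LOCKOUT_AUTH holds the lockout hierarchy password.

# Extract one property from `tpm2_getcap properties-variable` text on stdin,
# e.g. "TPM2_PT_LOCKOUT_COUNTER: 0x2" -> 2 (printed in decimal).
da_prop() {
    hex=$(sed -n "s/^ *$1: *\([0-9A-Fa-fx]*\).*/\1/p" | head -n 1)
    [ -n "$hex" ] && printf '%d' "$hex"
}

# Summarise the DA state from properties-variable text on stdin. Prints
# "failures=<n>/<max> locked=<0|1> interval=<s>s" (interval = seconds until
# the failure counter is decremented by one) and returns 1 while the TPM is
# in lockout, i.e. while authorizations on DA-protected objects are refused.
da_status() {
    props=$(cat)
    counter=$(printf '%s\n' "$props" | da_prop TPM2_PT_LOCKOUT_COUNTER)
    max_tries=$(printf '%s\n' "$props" | da_prop TPM2_PT_MAX_AUTH_FAIL)
    interval=$(printf '%s\n' "$props" | da_prop TPM2_PT_LOCKOUT_INTERVAL)
    locked=$(printf '%s\n' "$props" | da_prop inLockout)
    printf 'failures=%s/%s locked=%s interval=%ss\n' \
        "$counter" "$max_tries" "$locked" "$interval"
    [ "$locked" = "0" ]
}

# Clear the lockout now with the lockout auth instead of waiting for the
# interval to elapse (the TPM must stay powered either way).
clear_da_lockout() {
    tpm2_dictionarylockout --clear-lockout --auth "$LOCKOUT_AUTH"
}

# Development simulator only: allow 32 failures and decrement after 1 s, so a
# few bad provisioning attempts no longer stall the session.
relax_da_policy_for_simulator() {
    tpm2_dictionarylockout --setup-parameters --max-tries=32 \
        --recovery-time=1 --lockout-recovery-time=1 --auth "$LOCKOUT_AUTH"
}

# Live run only when a TCTI and the tools are present; otherwise the
# functions above can be exercised on captured capability text.
if [ -n "$TPM2TOOLS_TCTI" ] && command -v tpm2_getcap >/dev/null 2>&1; then
    tpm2_getcap properties-variable | da_status || clear_da_lockout
fi
```

Erasing the simulator's NVChip file while the simulator is stopped, as Florian suggests, also discards the lockout counter together with any lockout auth that was set.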