Hi Phani,
I don’t know the error code in particular, but the messages say that you triggered the DA lockout security mechanism. This mechanism is implemented to block dictionary attacks (DA),
which are used by attackers to try out as many passwords as possible in a short amount of time. Dictionaries of typical passwords improve the efficiency of those attacks.
The TPM blocks this with a lockout, i.e. if you have tried too many false authorizations in a short period of time, the TPM blocks any further requests until a timer runs out. The time
increases as more false authorizations are executed.
Therefore it seems you triggered the DA lockout with this timeout in the first runs, and later on the TPM reports that it is still in the DA lockout.
A recovery method is to leave the TPM powered and wait for the timeout to be over. After that the TPM should work normally.
There are commands available with which you can read the amount of time the timeout still takes. There are also commands that allow resetting the DA lockout using the DA Lockout Auth, so that
you don’t need to wait for the timeout. The DA Lockout Auth is, for example, the password of the admin.
As you are using the simulator, there should also be a simple method to erase the persistent data stored in the simulator, as it provides no security.
Best,
Florian
Infineon Technologies AG
Security Architect
IFAG DSS ESS TCE
Office: +49 89 234 21833
Mobile: +49 (160) 90105611
Fax: +49 (89) 234 152183300
Florian.Schreiner@infineon.com
81726 Munich
Germany
www.infineon.com
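The lockout state and the recovery steps described in the reply above, as an added example that is not part of this thread and not code from tpm2-tools or tpm2-tss. It assumes tpm2-tools 4.x/5.x command names (`tpm2_getcap properties-variable`, `tpm2_dictionarylockout -c -p <auth>`, `tpm2_startup -c`) and the YAML layout those versions print for TPM2_PT_PERMANENT and the lockout properties, and a simulator started as `tpm_server` that keeps its persistent state in a file named NVChip; the getcap output embedded in the script is constructed, not captured from a real TPM. The wait estimate follows the TPM 2.0 rule that the failed-tries counter (TPM2_PT_LOCKOUT_COUNTER) is decremented by one every TPM2_PT_LOCKOUT_INTERVAL seconds and the lockout lifts once the counter drops below TPM2_PT_MAX_AUTH_FAIL; a failed lockoutAuth attempt starts the separate TPM2_PT_LOCKOUT_RECOVERY timer instead, which this estimate does not cover.

```shell
#!/bin/sh
# Added example (not from this thread, tpm2-tools or tpm2-tss): inspect and
# recover from a TPM 2.0 dictionary-attack (DA) lockout.
# Assumptions: tpm2-tools 4.x/5.x command names and YAML output layout; a
# simulator started as "tpm_server" that persists its state in ./NVChip.
set -u

# Print the decimal value of one TPM2_PT_* property from
# "tpm2_getcap properties-variable" output read on stdin (values are hex).
da_prop() {
    val=$(awk -v k="$1:" '$1 == k { print $2; exit }')
    [ -n "$val" ] || return 1
    echo $(( $val ))
}

# Upper bound, in seconds, on how long the DA lockout still lasts.
# $1 = getcap output. The failed-tries counter is decremented by one every
# TPM2_PT_LOCKOUT_INTERVAL seconds and the lockout ends once it is below
# TPM2_PT_MAX_AUTH_FAIL. A wrong lockoutAuth uses TPM2_PT_LOCKOUT_RECOVERY
# instead, which is not visible in these counters.
da_wait_seconds() {
    caps=$1
    counter=$(printf '%s\n' "$caps" | da_prop TPM2_PT_LOCKOUT_COUNTER) || return 1
    max=$(printf '%s\n' "$caps" | da_prop TPM2_PT_MAX_AUTH_FAIL) || return 1
    interval=$(printf '%s\n' "$caps" | da_prop TPM2_PT_LOCKOUT_INTERVAL) || return 1
    locked=$(printf '%s\n' "$caps" | awk '$1 == "inLockout:" { print $2; exit }')
    if [ "$max" -eq 0 ]; then          # maxTries 0 means DA protection is off
        echo 0; return 0
    fi
    if [ "${locked:-0}" -eq 0 ] && [ "$counter" -lt "$max" ]; then
        echo 0; return 0               # not in lockout
    fi
    echo $(( (counter - max + 1) * interval ))
}

# Live query of the TPM selected by TPM2TOOLS_TCTI
# (e.g. "mssim:host=127.0.0.1,port=2321").
da_status() {
    caps=$(tpm2_getcap properties-variable) || return 1
    echo "DA lockout: wait at most $(da_wait_seconds "$caps") s"
}

# Clear the lockout right away with the lockout hierarchy authorization ($1).
# A wrong value here does not just bump the counter, it starts the longer
# TPM2_PT_LOCKOUT_RECOVERY penalty, so only call this with the known secret.
da_clear_lockout() {
    tpm2_dictionarylockout -c -p "$1"
}

# Simulator only: wipe the persistent state. Delete NVChip with tpm_server
# stopped; a running simulator keeps its in-memory copy and writes the file
# back (assumption about the simulator's behaviour, stated as such).
sim_reset() {
    pkill -x tpm_server || true
    rm -f NVChip
    tpm_server >/dev/null 2>&1 &
    sleep 1
    tpm2_startup -c      # TPM2_Startup(CLEAR) is required after a restart
}

# Constructed getcap output (not captured from a real TPM): simulator defaults
# maxTries=3, recoveryTime=1000 s, after three failed authorizations.
SAMPLE_LOCKED=$(cat <<'EOF'
TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  reserved1:                 0
  disableClear:              0
  inLockout:                 1
  tpmGeneratedEPS:           1
  reserved2:                 0
TPM2_PT_LOCKOUT_COUNTER: 0x3
TPM2_PT_MAX_AUTH_FAIL: 0x3
TPM2_PT_LOCKOUT_INTERVAL: 0x3E8
TPM2_PT_LOCKOUT_RECOVERY: 0x3E8
EOF
)
# Same TPM after one failure only: not locked out.
SAMPLE_CLEAR=$(printf '%s\n' "$SAMPLE_LOCKED" | sed -e 's/inLockout:                 1/inLockout:                 0/' -e 's/TPM2_PT_LOCKOUT_COUNTER: 0x3/TPM2_PT_LOCKOUT_COUNTER: 0x1/')

echo "constructed sample, locked:  wait at most $(da_wait_seconds "$SAMPLE_LOCKED") s"
echo "constructed sample, cleared: wait at most $(da_wait_seconds "$SAMPLE_CLEAR") s"
# Against a real TPM or simulator: da_status; then da_clear_lockout <lockoutAuth>
# or, for the simulator only, sim_reset.
```

Each 0x98E ("authorization HMAC check failed and DA counter incremented") from a FAPI tool counts against the same counter, so a provisioning run that repeats a wrong authorization reaches the simulator's default maxTries of 3 quickly; the 0x921 that follows is the TPM refusing DA-protected objects until the counter decays or the lockout is cleared.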
From: Phani Srinivas <phani.srinivas@in.abb.com>
Sent: Thursday, 6 August 2020 15:17
To: tpm2@lists.01.org
Subject: [tpm2] Debugging tpm2 tools based of FAPI
Hello All,
I was successful in making the FAPI integration tests work and tried out some of the scenarios for creating keys and performing key operations.
But when I used the FAPI-based tools, I see the following errors:
export TPM20TEST_TCTI=mssim:host=127.0.0.1,port=2321
root@edgesec101:/home/edgesec100/phaniWS/tpm2_tools/tpm2-tools/tools/fapi# ./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x0000098e) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x0000098e) Provision
Fapi_Provision(0x98E) - tpm:session(1):the authorization HMAC check failed and DA counter incremented
And later I removed the NVChip created in the simulator dir and ran again; now I see a different error:
./tss2_provision
WARNING:tcti:src/tss2-tcti/tcti-device.c:186:tcti_device_receive() The underlying IPC mechanism does not support asynchronous I/O. The 'timeout' parameter is set to TSS2_TCTI_TIMEOUT_BLOCK
WARNING:esys:src/tss2-esys/api/Esys_DictionaryAttackParameters.c:310:Esys_DictionaryAttackParameters_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:277:Fapi_Provision_Finish() ErrorCode (0x00000921) DictionaryAttackParameters_Finish
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:120:Fapi_Provision() ErrorCode (0x00000921) Provision
Fapi_Provision(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
I couldn’t find in the documentation any prerequisites to follow to make the FAPI-based tpm2 tools work.
I see some RM configuration to be done, but I was not successful in my trials. Any suggestions on how the environment should be set up to make the FAPI-based tpm2 tools work?
Regards
Phani Srinivas S
R&D Principal Engineer, ABB