tpm2-tools
tpm2-tools copied to clipboard
tpm2-software
Issue with setting up a sealed object, protected via pcr policy, and accessed over an encrypted session
Hello,
I have the following use-case. Create a sealed secret that is accessed only when a TPM PCR policy is met. Additionally, I want to have an authenticated and encrypted communication with the TPM. Please find below the TPM commands, software versions, setup, and issues.
Output of uname -a: Linux Ubuntu-beaver 5.4.0-144-generic
Output of tpm2 -v: tool="tpm2" version="5.5-4-g90534beb" tctis="libtss2-tctildr" tcti-default=tcti-abrmd
TPM: IBMTss virtual TPM with tpm2-abrmd
Issue: sealed secret is visible on the network communication when performing tpm2_unseal. I expected the sealed secret to be visible only at application level, not in the tpm to application communication.
Question: Is it possible to have the tpm2_startauthsession encrypt the communication between the application and tpm?
Commands:
tpm2_createprimary -C e -g sha256 -G ecc -c primary.ctx
tpm2_pcrread -o pcr.dat "sha1:0,1,2,3"
tpm2_startauthsession -S session.dat #-G aes -g sha256
tpm2_policypcr -S session.dat -l "sha1:0,1,2,3" -f pcr.dat -L policy.dat
tpm2_flushcontext session.dat
tpm2_create -Q -u key.pub -r key.priv -C primary.ctx -L policy.dat -i- <<< "secret"
tpm2_load -C primary.ctx -u key.pub -r key.priv -n unseal.key.name -c unseal.key.ctx
tpm2_startauthsession --policy-session -S session.dat -c primary.ctx -G aes -g sha256
tpm2_policypcr -S session.dat -l "sha1:0,1,2,3" -f pcr.dat -L policy.dat
tpm2_unseal -psession:session.dat -c unseal.key.ctx
tpm2_flushcontext session.dat
At one point I also tried to run:
tpm2_create -Q -C primary.ctx -Gaes128 -u session.key.pub -r session.key.priv -L policy.dat
tpm2_load -C primary.ctx -u session.key.pub -r session.key.priv -c session.key.ctx
to create a aes key that could be used in the session. This was executed before:
tpm2_startauthsession --policy-session -S session.dat -c primary.ctx -G aes -g sha256
Thank you! Teri
Follow-up. There is a related known issue here 2569 on tpm2-tss. But this is on FAPI, not on ESAPI. Any toughts?
@terilenard with ESAPI you have to create a policy session with activated parameter encryption FAPI uses ESAPI for this purpose. At:
https://github.com/JuergenReppSIT/tpm2-tss/blob/8e6aca9ce03c67cec7f3e6c01946d7398f816260/src/tss2-fapi/ifapi_policyutil_execute.c#L97
you can see how how FAPI does it. the SRK is here used as tpm key for the session. The example implements a state machine with the ESAPI async functions. You could create a simpler version (without context->state) with the ESAPI one call functions.
@terilenard with ESAPI you have to create a policy session with activated parameter encryption FAPI uses ESAPI for this purpose. At: https://github.com/JuergenReppSIT/tpm2-tss/blob/8e6aca9ce03c67cec7f3e6c01946d7398f816260/src/tss2-fapi/ifapi_policyutil_execute.c#L97 you can see how how FAPI does it. the SRK is here used as tpm key for the session. The example implements a state machine with the ESAPI async functions. You could create a simpler version (without
context->state) with the ESAPI one call functions.
Your help is much appreciated! Thank you for pointing me in the right direction.
Has the issue been resolved? Noticing that I2C bus sniffing attacks are becoming more straightforward to execute (for instance https://www.tomshardware.com/pc-components/cpus/youtuber-breaks-bitlocker-encryption-in-less-than-43-seconds-with-sub-dollar10-raspberry-pi-pico), I think it would be appreciated to add information to the wiki on the proper configuration of command parameter encryption.
Has the issue been resolved? Noticing that I2C bus sniffing attacks are becoming more straightforward to execute (for instance https://www.tomshardware.com/pc-components/cpus/youtuber-breaks-bitlocker-encryption-in-less-than-43-seconds-with-sub-dollar10-raspberry-pi-pico), I think it would be appreciated to add information to the wiki on the proper configuration of command parameter encryption.
Hello, I think the issue was solved on the C library on #2569.