Discussion:
[TrouSerS-users] Sealing NVRAM to PCR > 15?
Jan Schermer
2016-05-09 11:35:52 UTC
Permalink
Hello,
I want to seal data (a passphrase) to PCR >15.

# tpm_nvdefine -i 1 -s 6 p -r 18 -w 18 --permissions="AUTHWRITE" -z
Cannot seal NVRAM area to PCR > 15

Why is this not possible? I want to seal to Intel TXT generated PCRs and this doesn't sound right... should I recompile with this check commented out and try?

How to get around it? Do I have to use tpm_sealdata (for example) which does not have this limitation but requires a blob and a SRK? I'd like to avoid that if at all possible.

In case I need to use tpm_sealdata, how much is system.data going to differ between various systems and when? Will a simple one work for this one purpose assuming I don't have more keys than the default one?

Thanks

Jan
Jan Schermer
2016-05-09 12:06:41 UTC
Permalink
... so I changed the check from PCR > 15 to PCR > 19 and it works as intended,
e.g. I can read that index only with the correct PCR, not with others...

Is there a real reason behind this or is it from the time when TPMs only had 16 PCRs and the last one was for debug? Should it be bumped to PCR > 23 now?

Jan
Ken Goldman
2016-05-09 20:25:17 UTC
Permalink
Are there any code comments that explain why PCR > 15 is being rejected?

The only rationale I can think of is that this is left over from TPM
1.1b, which I recall only had 16 PCRs.
Jan Schermer
2016-05-09 21:09:04 UTC
Permalink
I think you're right.
But it's surprising because anyone using Intel TXT would need this (assuming they don't go the tpm_sealdata way or use some custom app...)

Anyway I patched it, tried it, works fine (tpm_nvinfo displays the right info and I tested all scenarios I could think of that could be broken).

Some devs around that can make the change upstream, or should I resend to -tech?

Jan
_______________________________________________
TrouSerS-users mailing list
https://lists.sourceforge.net/lists/listinfo/trousers-users
Hon Ching Lo
2016-05-11 19:45:57 UTC
Permalink
Hi Jan,

If you had patches, please send to TrouSerS-tech for review and submission.


Thanks,
Vicky