Discussion:
[TrouSerS-users] Registration of AIK and effects on PCRs
Bill Martin
2015-01-12 21:24:51 UTC
Permalink
I am using trouSerS 0.3.10 and have an Infineon TPM running 1.2 on an embedded Linux system.

I have a system where I use tpm-luks scripts to retrieve a LUKS key from TPM NVRAM and decrypt the root partition (while running in initramfs). This uses the tpm_nvread command. On top of this I added code to create a AIK, unregister any previous AIK (into a throwaway key handle), and register the new AIK. Also I have another program to activate the AIK (first loading the AIK by UUID then call the Tspi_TPM_ActivateIdentity command.

This works well...

Until I reboot the computer with this TPM. The tpm_nvread command complains it cannot decrypt the file. It's that message about PCR does not match or something.

It seems I have to do a pkill -9 tcsd and then a tcsd -f & prior to rebooting so that the tpm_nvread succeeds.

I wonder if anyone can explain why this is necessary. The PCRs don't seem to be changed. Somehow I suspect the AIK creation does something funny with the PCRs.

thanks

Bill
Ken Goldman
2015-01-18 20:01:41 UTC
Permalink
On 1/12/2015 4:24 PM, Bill Martin wrote:
> I am using trouSerS 0.3.10 and have an Infineon TPM running 1.2 on an
> embedded Linux system.
>
> I have a system where I use tpm-luks scripts to retrieve a LUKS key
> from TPM NVRAM and decrypt the root partition (while running in
> initramfs). This uses the tpm_nvread command. On top of this I added
> code to create a AIK, unregister any previous AIK (into a throwaway
> key handle), and register the new AIK. Also I have another program to
> activate the AIK (first loading the AIK by UUID then call the
> Tspi_TPM_ActivateIdentity command.
>
> This works well...
>
> Until I reboot the computer with this TPM. The tpm_nvread command
> complains it cannot decrypt the file. It's that message about PCR
> does not match or something.

At the TPM layer, there is no tpm_nvread command. Can you translate
your command sequence into the TPM commands.

An NV read will not decrypt a file. It might go as far as reading the
decryption key from NV, although there might be some levels of
indirection there as well.
>
> It seems I have to do a pkill -9 tcsd and then a tcsd -f & prior to
> rebooting so that the tpm_nvread succeeds.

It would be helpful to know the NV read error return.

It would also be helpful to have a dump of the NV public area to see
what the read authorizations are.

>
> I wonder if anyone can explain why this is necessary. The PCRs don't
> seem to be changed. Somehow I suspect the AIK creation does something
> funny with the PCRs.

Have you actually read the PCRs during the failing case and success case?

A typical AIK creation should not affect PCRs.
Bill Martin
2015-01-20 18:20:19 UTC
Permalink
Hmmm.

I'm looking at

TCG PC CLient Specific Implementation Specification for Conventional BIOS

version 1.21 Errata
Feb 24, 2012 for TPM Family 1.2; Level 2


In the TCG spec section 3.3.3.2 on the topic of PCR[1] I see a passage:

"CMOS and NVRAM data measured into PCR[1] is placed in the event data field. The expected size of the data is very small. Any data that is security-sensitive, contains dynamic boot data or is dynamic (like the real-time clock) should be omitted. The NVRAM data is the host platform NVRAM data, not the TPM
NVRAM."

Is the /usr/local/var/lib/tpm/system.data in host platform NVRAM?
________________________________________
From: Bill Martin
Sent: Tuesday, January 20, 2015 9:43 AM
To: Ken Goldman
Subject: RE: [TrouSerS-users] Registration of AIK and effects on PCRs

Hi Ken,

I double-checked this in fact by rebooting a couple times successfully pulling the key out of NVRAM after a prior reboot failure.




I dumped the PCRs, them did the tpm_nvread attempt, which failed, then typed reboot,

then on the monitor connected to the system when coming up in intramfs I got the NVRAM password prompt, entered it, and it succeeded in retrieving the key.
I don't have that screen dump since I had the direct login in initramfs.

Strange.

And a few minutes later I went through the attestation process and found PCR-01 is affected somehow! I don't know how the trousers functions affect PCR-01.
But that explains why I could not do the tpm_nvread after attestation:

And then I see that PCR-01 somehow gets affected when I run Trousers functions that log into the TPM, create the identity key, unregister the old identity key in a throw-away object,
then register the newly created identity key that is based on the new object.

So I logged in remotely and dumped the PCRs again, then had to start Trousers because the tpm_nvread failed at the command line after losing in.

here is the listing: I X'd out the key in the listing below for security reasons...


ssh ***@192.168.9.83
***@192.168.9.83's password:
Last login: Tue Jan 20 08:48:15 2015
[***@localhost ~]# cat /sys/class/misc/tpm0/device/pcrs
PCR-00: D8 9D 4A 29 AC D6 97 30 43 46 2D B4 04 82 CF 07 DB 07 08 65
PCR-01: 7C 93 5D CA 5A D4 33 F2 4F A5 AA C3 38 89 94 D2 42 08 C4 DD
PCR-02: 0D F7 05 75 E8 74 4B E9 42 9A 91 EE 89 89 9D A0 E0 B0 88 EC
PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-04: CB 59 D5 FA E3 20 67 7F 6D B4 C4 FE 26 E9 E7 2E B6 B2 AB 7D
PCR-05: 1F F9 5E BD F5 B7 D8 97 97 AD E1 9A 5A A8 75 3D 55 6F 21 C9
PCR-06: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-08: 27 D4 2B E2 80 32 CF AD 2C A9 DD 52 79 DD FC 70 AA 78 E1 FA
PCR-09: 64 2C 78 4E 63 B4 67 82 F8 36 25 A8 AC 0E 8D 68 10 9A FA 3B
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 52 3B 57 4B AC A8 C1 DD 37 DF 60 02 18 CC 00 A9 36 01 FA 1F
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 1F 20 CB 56 37 D5 42 96 A0 51 49 19 96 AA 3C D5 7B 7A E1 80
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[***@localhost ~]# tpm_nvread -i 7 -p
Enter NVRAM access password:
Tspi_NV_ReadValue failed: 0x00000018 - layer=tpm, code=0018 (24), Wrong PCR value
Tspi_Context_CloseObject failed: 0x00003126 - layer=tsp, code=0126 (294), Invalid handle
[***@localhost ~]# reboot

Broadcast message from ***@localhost.localdomain
(/dev/pts/0) at 9:03 ...

The system is going down for reboot NOW!
[***@localhost ~]# Connection to 192.168.9.83 closed by remote host.
Connection to 192.168.9.83 closed.
Bills-MacBook-Pro-3:Downloads billmartin$ ssh ***@192.168.9.83
***@192.168.9.83's password:
Permission denied, please try again.
***@192.168.9.83's password:
Last login: Tue Jan 20 09:02:57 2015 from 192.168.60.65
[***@localhost ~]# !cat
cat /sys/class/misc/tpm0/device/pcrs
PCR-00: D8 9D 4A 29 AC D6 97 30 43 46 2D B4 04 82 CF 07 DB 07 08 65
PCR-01: AD 2F E0 4A 35 11 B4 E8 37 00 9E 1F 93 D9 E9 F8 A0 F2 BD 8A
PCR-02: 0D F7 05 75 E8 74 4B E9 42 9A 91 EE 89 89 9D A0 E0 B0 88 EC
PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-04: CB 59 D5 FA E3 20 67 7F 6D B4 C4 FE 26 E9 E7 2E B6 B2 AB 7D
PCR-05: 1F F9 5E BD F5 B7 D8 97 97 AD E1 9A 5A A8 75 3D 55 6F 21 C9
PCR-06: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-08: 27 D4 2B E2 80 32 CF AD 2C A9 DD 52 79 DD FC 70 AA 78 E1 FA
PCR-09: 64 2C 78 4E 63 B4 67 82 F8 36 25 A8 AC 0E 8D 68 10 9A FA 3B
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 52 3B 57 4B AC A8 C1 DD 37 DF 60 02 18 CC 00 A9 36 01 FA 1F
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 1F 20 CB 56 37 D5 42 96 A0 51 49 19 96 AA 3C D5 7B 7A E1 80
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[***@localhost ~]# !tp
tpm_nvread -i 7 -p
Tspi_Context_Connect failed: 0x00003011 - layer=tsp, code=0011 (17), Communication failure
[***@localhost ~]# tcsd -f &
[1] 2308
[***@localhost ~]# TCSD TDDL ioctl: (25) Inappropriate ioctl for device
TCSD TDDL Falling back to Read/Write device support.
TCSD trousers 0.3.10: TCSD up and running.

[***@localhost ~]# !tp
tpm_nvread -i 7 -p
Enter NVRAM access password:

00000000 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........
00000010 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........

Here is the result of tpm_nvinfo for that index

[***@localhost ~]# tpm_nvinfo -i 7
NVRAM index : 0x00000007 (7)
PCR read selection:
PCRs : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 12, 14
Localities : ALL
Hash : 5455b57226dce3f41220f5c45128596bd1ecad31
PCR write selection:
Localities : ALL
Permissions : 0x00040004 (AUTHREAD|AUTHWRITE)
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 32 (0x20)


And after I run the identity program that creates a AIK, PCR-01 gets modified:

./identity "justALabelIdentityKey" outkeyblobfile outcertfile outidentityfilename
Retrieving PCA certificate...
labelString is justALabelIdentityKey
outblobfilename is outkeyblobfile
Generating identity key...
Endorsement size is 1948
pcPlatformCredentialSize is 0
pcConformanceCredentialSize is 0
pcIdentityBindingSize is 256
wrote out testblob. size is 2576
symkey size is 16
symkey algId is 6
0Xdd 0X86 0X46 0X9b 0X40 0X80 0X1c 0Xa1 0Xb0 0Xdf 0X 1 0Xca 0Xff 0Xde 0Xe9 0X87
result is 0x0
ulTCPAIdentityReqLength is 2876 identityReqPtr addres is 0x11130a0
hTPM is 0xc0000004 hSrk is 0xc0000005 hPCAKey is 0xc000000a, labelLen is 44
hIdentKey is 0xc0000008 tssSymAlg is 37
rgbIdentityLabelData is 0x11128b0End of Identity Proof Creation
Success!
[***@localhost getCert_dir]# !cat
cat /sys/class/misc/tpm0/device/pcrs
PCR-00: D8 9D 4A 29 AC D6 97 30 43 46 2D B4 04 82 CF 07 DB 07 08 65
PCR-01: AD 2F E0 4A 35 11 B4 E8 37 00 9E 1F 93 D9 E9 F8 A0 F2 BD 8A
PCR-02: 0D F7 05 75 E8 74 4B E9 42 9A 91 EE 89 89 9D A0 E0 B0 88 EC
PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-04: CB 59 D5 FA E3 20 67 7F 6D B4 C4 FE 26 E9 E7 2E B6 B2 AB 7D
PCR-05: 1F F9 5E BD F5 B7 D8 97 97 AD E1 9A 5A A8 75 3D 55 6F 21 C9
PCR-06: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-08: 27 D4 2B E2 80 32 CF AD 2C A9 DD 52 79 DD FC 70 AA 78 E1 FA
PCR-09: 64 2C 78 4E 63 B4 67 82 F8 36 25 A8 AC 0E 8D 68 10 9A FA 3B
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 52 3B 57 4B AC A8 C1 DD 37 DF 60 02 18 CC 00 A9 36 01 FA 1F
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 1F 20 CB 56 37 D5 42 96 A0 51 49 19 96 AA 3C D5 7B 7A E1 80
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

In my identity.c code I have the following sequence

result = Tspi_TPM_CollateIdentityRequest(hTPM, hSRK, hPCAKey, labelLen,
rgbIdentityLabelData,
hIdentKey, TSS_ALG_AES,
&ulTCPAIdentityReqLength,
&rgbTCPAIdentityReq);
if (result != TSS_SUCCESS){
printf ("Error 0x%x on Tspi_TPM_CollateIdentityRequest\n", result);
exit(result);
}


printf("End of Identity Proof Creation\n");
result = Tspi_Context_UnregisterKey(hContext, TSS_PS_TYPE_SYSTEM, AIK_UUID, &hIdentKey2);
if (result != TSS_SUCCESS)
{
printf("Tspi_Context_UnregisterKey failed [%s]\n",
Trspi_Error_String(result));
exit(result);
}
result = Tspi_Context_RegisterKey(hContext, hIdentKey,
TSS_PS_TYPE_SYSTEM,
AIK_UUID,
TSS_PS_TYPE_SYSTEM,
SRK_UUID);
if (result != TSS_SUCCESS)

{
printf("Tspi_Context_RegisterKey failed [%s]\n",
Trspi_Error_String(result));
exit(result);
}














________________________________________
From: Ken Goldman [***@us.ibm.com]
Sent: Sunday, January 18, 2015 12:01 PM
To: trousers-***@lists.sourceforge.net
Subject: Re: [TrouSerS-users] Registration of AIK and effects on PCRs

On 1/12/2015 4:24 PM, Bill Martin wrote:
> I am using trouSerS 0.3.10 and have an Infineon TPM running 1.2 on an
> embedded Linux system.
>
> I have a system where I use tpm-luks scripts to retrieve a LUKS key
> from TPM NVRAM and decrypt the root partition (while running in
> initramfs). This uses the tpm_nvread command. On top of this I added
> code to create a AIK, unregister any previous AIK (into a throwaway
> key handle), and register the new AIK. Also I have another program to
> activate the AIK (first loading the AIK by UUID then call the
> Tspi_TPM_ActivateIdentity command.
>
> This works well...
>
> Until I reboot the computer with this TPM. The tpm_nvread command
> complains it cannot decrypt the file. It's that message about PCR
> does not match or something.

At the TPM layer, there is no tpm_nvread command. Can you translate
your command sequence into the TPM commands.

An NV read will not decrypt a file. It might go as far as reading the
decryption key from NV, although there might be some levels of
indirection there as well.
>
> It seems I have to do a pkill -9 tcsd and then a tcsd -f & prior to
> rebooting so that the tpm_nvread succeeds.

It would be helpful to know the NV read error return.

It would also be helpful to have a dump of the NV public area to see
what the read authorizations are.

>
> I wonder if anyone can explain why this is necessary. The PCRs don't
> seem to be changed. Somehow I suspect the AIK creation does something
> funny with the PCRs.

Have you actually read the PCRs during the failing case and success case?

A typical AIK creation should not affect PCRs.



------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
TrouSerS-users mailing list
TrouSerS-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/trousers-users
Loading...