Closed Dvergatal closed 2 years ago
@arsing is this actually fixed in 1.4?
Yes, 1.4's tpmd switched from utpm to libtpm2-tss, so the restrictions that utpm had no longer apply. The C SDK still uses utpm so its behavior will not necessarily be consistent with tpmd.
In the OpenSSL 3.0 thread you asked:
has it been already fixed and iotedge is now working properly with all the verifications that williamcroberts mentioned about?
... to which answer is, "Probably yes. Try it and see?"
OK we will try it and verify, because according to our investigation the attestation should not work with the EK/SRK generated with tpm_device_provision
binary, which are working on iotedge-1.1.15.
@Dvergatal how's it looking? Did it work?
@Dvergatal how's it looking? Did it work?
Dunno yet, because we need to rewrite our yocto recipe for 1.4. Additionally the https://github.com/Azure/azure-iot-sdk-c/issues/2329 has been closed and I need to report a security issue in here https://github.com/Azure/azure-iot-sdk-c/blob/main/SECURITY.md#reporting-security-issues which I haven't done yet, due lack of time...
OK, the issue is reported to the system. The whole communication will be probably from now on there.
@micahl is this issue related to the TPM docs update you mentioned yesterday?
No, I believe this is separate, although I'll admit I'm not clear on the scope of what is being considered in this specific issue.
The statement in our release notes about hierarchy authorization is referring to the ability to use simple password authorization on the endorsement and owner hierarchies. The auth value can be set in the config.toml. Prior to v1.4 this wasn't something we could do b/c of limitations with utpm.
@Dvergatal I'm closing this issue as a known limitation in 1.1.x, but if I misunderstand the core issue you're raising here then do enlighten me.
The statement in our release notes about hierarchy authorization is referring to the ability to use simple password authorization on the endorsement and owner hierarchies. The auth value can be set in the config.toml. Prior to v1.4 this wasn't something we could do b/c of limitations with utpm.
@micahl we thought that if azure has switched to tpm2 tss API with this hierarchy authorization, meaning the generated EK is being verified against its own certificate (written to the persistent memory of tpm), than you have fixed templates used in generation according to my previous posts in https://github.com/Azure/azure-iot-sdk-c/issues/2329
Now, that you have enlighten me with this new comment, that there is only a password being used for the authorization, meaning that the issue still persist and the whole communication related to this bug should be continued on this reporting security issue site.
@Dvergatal yes, if there are potential security concerns then they should be discussed on the reporting site.
In regards to provisioning with DPS using the EK as a unique machine identifier, I expect that a v1.4 device can successfully onboard to Azure when creating / extracting the EK is done with things like tpm2-tools.
@micahl I have reported the issue on the reporting site, but @RonaldAi has returned to me with these informations, that the team thinks, that i is not a security issue, which we, together with @williamcroberts, still think, that this is a security issue.
Nevertheless this https://github.com/Azure/azure-iot-sdk-c/issues/2329 has been unblocked and we will continue this subject over there. For now on I think we can close this one.
Due to discovered bug in https://github.com/Azure/azure-iot-sdk-c/issues/2329 and informations that: