ThomasHabets
commented
8 years ago Strange. I'll try to reproduce this.
Open TomsFilatovs opened 8 years ago
ThomasHabets
commented
8 years ago Strange. I'll try to reproduce this.
ThomasHabets
commented
7 years ago Not only am I unable to reproduce this, I can't seem to get stpm-exfiltrate to work at all:
$ ./stpm-exfiltrate -k unsafe
Enter owner password:
stpm-exfiltrate: Exception:
Tspi_Key_CreateMigrationBlob: Code=0x00000009: tpm: Operation failedBuilding trousers with --enable-debug is not helping much:
TCSD TCS rpc/tcstp/rpc_migration.c:45 tcs_wrap_CreateMigrationBlob: thread 140413693056768 context a02a1800
TCSD TCS tcsi_migration.c:50 Entering TPM_CreateMigrationBlob
TCSD TCS tcs_key_mem_cache.c:159 ensureKeyIsLoaded: 0x40000000
TCSD TCS tcs_key_mem_cache.c:716 mc_get_slot_by_handle: TCSD mem_cached handle: 0x22330000
TCSD TCS tcs_key_mem_cache.c:716 mc_get_slot_by_handle: TCSD mem_cached handle: 0x40000000
TCSD TCS tcs_key_mem_cache.c:167 keySlot is 40000000
TCSD TCS tcs_key_mem_cache.c:872 mc_update_time_stamp: TCSD mem_cached handle: 0x22330000
TCSD TCS tcs_key_mem_cache.c:872 mc_update_time_stamp: TCSD mem_cached handle: 0x40000000
TCSD TCS tcs_key_mem_cache.c:192 ensureKeyIsLoaded: Exit
To TPM: 00 C3 00 00 02 A0 00 00 00 28 40 00 00 00 00 02
[… many "To TPM" lines …]
TCSD TDDL tddl.c:171 Calling write to driver
From TPM: 00 C4 00 00 00 0A 00 00 00 09
LOG_RETERR TPM tcsi_migration.c:89: 0x9That 0x9 appears to be the only thing the TPM tells the host, which is what we already have in the command output: "operation failed".
reanimus
commented
7 years ago Has there been any changes on this? I'm getting a different error when I try to exfiltrate the key:
stpm-exfiltrate: Exception:
Tspi_Key_CreateMigrationBlob: Code=0x00000001: tpm: Authentication failed
Likely problem:
Either the SRK password or the key password is incorrect.
The Well Known Secret (20 nulls unhashed) is not the same as the password "".
Possible solution:
The SRK password can (and arguable should) be set to the Well Known Secret using:
tpm_changeownerauth -s -r
Alternatively the SRK password can be given with -s to stpm-keygen/stpm-sign and
with srk_pin in the configuration file for the PKCS#11 module.This is on a Lenovo T450s, btw.
tpm_version output:
TPM 1.2 Version Info:
Chip Version: 1.2.13.12
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: STM
Vendor Specific data: 50
TPM Version: 01010000
Manufacturer Info: 53544d20@reanimus maybe you got the owner password wrong? Alt what is your SRK password?
reanimus
commented
7 years ago I double checked and I think I used a hardware key (at least, I assume that's what old me did). Thus, the keys aren't migrateable.
I've generated a key in software and am now trying to exfiltrate it, but after entering the owner password, the utility returns only
mod=,exp=,key=Using the key for ssh logins and ssh key signing works fine, I have the dependencies installed, stpm-keygen did not return any errors or warnings during generation, there's no PIN on the ssh key, the SRK password is the well known secret, I've runtpm_restrictsrk -aand tried clearing the TPM and starting fresh as well as trying all combinations of the 2 TPM settings I saw in the BIOS ( 'PPI provision override' and 'PPI deprovision override'). The OS is Ubuntu 16.04, the issue affects both the version of stpm-exfiltrate from Ubuntu's package repos and the one I got by compiling from git source. The device is a Dell Latitude E5440. tpm_version TPM 1.2 Version Info: Chip Version: 1.2.41.1 Spec Level: 2 Errata Revision: 3 TPM Vendor ID: ATML TPM Version: 01010000 Manufacturer Info: 41544d4c