microsoft / TSS.MSR

The TPM Software Stack from Microsoft Research

Unable to store data more than ~1024 bytes into TPM. Am I missing anything? #162

Closed dsaiju closed 2 years ago

dsaiju commented 2 years ago

I am writing a .NET app that stores and reads strings to TPM storage and it is targeted for both Windows and Red Hat Linux VMs. I'm using the Microsoft.TSS (2.1.1) NuGet package for this purpose. I can store a byte[] of up to ~1024 bytes. But when I try anything around 4000 bytes (my max data size), it breaks. Below is the code I am using to store and retrieve data. Any suggestions would be helpful.

Store()

```csharp
using System.Runtime.InteropServices;
using System.Text;
using Tpm2Lib;

private ushort defaultDataSize = 5120;
private AuthValue nvAuthValue = new AuthValue(new byte[] { 1, 2, 3, 4, 5 });

// Pick the platform device, connect, and wrap it in a Tpm2 context.
Tpm2Device tpmDevice = RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? new TbsDevice() : new LinuxTpmDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
var ownerAuth = new AuthValue();
var nvHandle = TpmHandle.NV(int.Parse(key));
// Drop any earlier definition of this index (errors ignored), define a 5120-byte index,
// then write the whole value with a single NV_Write.
tpm[ownerAuth]._AllowErrors().NvUndefineSpace(TpmHandle.RhOwner, nvHandle);
tpm[ownerAuth].NvDefineSpace(TpmHandle.RhOwner, nvAuthValue, new NvPublic(nvHandle, TpmAlgId.Sha1, NvAttr.Authwrite | NvAttr.Authread, new byte[0], defaultDataSize));
tpm[nvAuthValue].NvWrite(nvHandle, nvHandle, Encoding.ASCII.GetBytes(value ?? string.Empty), 0);
tpm.Dispose();
```

Get()

```csharp
// Same usings and fields as in Store().
private ushort defaultDataSize = 5120;
private AuthValue nvAuthValue = new AuthValue(new byte[] { 1, 2, 3, 4, 5 });

Tpm2Device tpmDevice = RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? new TbsDevice() : new LinuxTpmDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
var nvHandle = TpmHandle.NV(int.Parse(key));
// Read the whole 5120-byte index with a single NV_Read.
byte[] storedBytes = tpm[nvAuthValue].NvRead(nvHandle, nvHandle, defaultDataSize, 0);
// Release the device before returning, then strip the zero padding.
tpm.Dispose();
return storedBytes == null ? string.Empty : Encoding.ASCII.GetString(storedBytes).Trim('\0');
```

RonaldAi commented 2 years ago

The TPM has a space for a few hundred bytes. It should not be used to store arbitrary data. The outcome is expected.

jamieyello commented 1 year ago

To add to this, consider only storing a regular-sized key that encrypts your larger data. TPM modules are not meant to store encrypted data, but keys.
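Following jamieyello's suggestion, here is an added example (not code from the issue or from TSS.MSR) that first asks the TPM for its real NV limits and then keeps only a 32-byte AES key in the NV index, encrypting the large payload outside the TPM with AES-GCM. `NvKeyStore`, `NvLimits`, `StoreKeyAndEncrypt` and `ReadKeyAndDecrypt` are hypothetical names; the caller creates and disposes the `Tpm2` object as in the original post, and .NET Core 3.0 or later is assumed for `AesGcm`.

```csharp
using System;
using System.Security.Cryptography;
using Tpm2Lib;

static class NvKeyStore   // hypothetical helper, not part of TSS.MSR
{
    // TPM_PT_NV_INDEX_MAX caps one index; TPM_PT_NV_BUFFER_MAX caps one NV_Write/NV_Read
    // (commonly 1024 or less, which matches the ~1024-byte ceiling seen in the issue).
    public static (uint indexMax, uint bufferMax) NvLimits(Tpm2 tpm)
    {
        tpm.GetCapability(Cap.TpmProperties, (uint)Pt.NvIndexMax, 1, out ICapabilitiesUnion a);
        tpm.GetCapability(Cap.TpmProperties, (uint)Pt.NvBufferMax, 1, out ICapabilitiesUnion b);
        return (((TaggedTpmPropertyArray)a).tpmProperty[0].value,
                ((TaggedTpmPropertyArray)b).tpmProperty[0].value);
    }

    // Only a 32-byte AES key lives in NV; a payload of any size is AES-GCM encrypted
    // outside the TPM. Returns nonce(12) | tag(16) | ciphertext for storage on disk.
    public static byte[] StoreKeyAndEncrypt(Tpm2 tpm, int nvIndex, AuthValue nvAuth, byte[] plaintext)
    {
        var key = new byte[32];
        RandomNumberGenerator.Fill(key);
        var handle = TpmHandle.NV(nvIndex);
        var ownerAuth = new AuthValue();                     // empty owner auth, as in the post
        tpm[ownerAuth]._AllowErrors().NvUndefineSpace(TpmHandle.RhOwner, handle);
        tpm[ownerAuth].NvDefineSpace(TpmHandle.RhOwner, nvAuth,
            new NvPublic(handle, TpmAlgId.Sha256, NvAttr.Authwrite | NvAttr.Authread,
                         new byte[0], (ushort)key.Length));
        tpm[nvAuth].NvWrite(handle, handle, key, 0);         // 32 bytes: far below NV_BUFFER_MAX
        byte[] nonce = new byte[12], tag = new byte[16], ct = new byte[plaintext.Length];
        RandomNumberGenerator.Fill(nonce);
        using (var gcm = new AesGcm(key))
            gcm.Encrypt(nonce, plaintext, ct, tag);
        CryptographicOperations.ZeroMemory(key);
        var blob = new byte[28 + ct.Length];
        nonce.CopyTo(blob, 0); tag.CopyTo(blob, 12); ct.CopyTo(blob, 28);
        return blob;
    }

    public static byte[] ReadKeyAndDecrypt(Tpm2 tpm, int nvIndex, AuthValue nvAuth, byte[] blob)
    {
        var handle = TpmHandle.NV(nvIndex);
        byte[] key = tpm[nvAuth].NvRead(handle, handle, 32, 0);
        var pt = new byte[blob.Length - 28];
        using (var gcm = new AesGcm(key))                    // a tampered blob throws here
            gcm.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(28), blob.AsSpan(12, 16), pt);
        CryptographicOperations.ZeroMemory(key);
        return pt;
    }
}
```

If the data really must live in NV, `NvLimits` gives the two numbers to respect: the index size must not exceed `indexMax`, and each NV_Write/NV_Read must be split into chunks of at most `bufferMax` bytes using the offset parameter.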