psanford / tpm-fido

A WebAuthn/U2F token protected by a TPM (Go/Linux)
MIT License

CreatePrimary Key error? #15

Closed uski closed 1 year ago

uski commented 1 year ago

Hi!

I just installed tpm-fido to try it out. Great idea by the way!

Unfortunately, I cannot get it to work. After following the installation steps and starting tpm-fido, I tried it at the following URL: https://demo.yubico.com/webauthn-technical/registration

In the console I get the following error:

$ ./tpm-fido
2022/11/12 03:09:05 unsuppoted cmd: CmdCbor 16
2022/11/12 03:09:05 got RegisterCmd site=demo.yubico.com
2022/11/12 03:09:06 got RegisterCmd site=demo.yubico.com
2022/11/12 03:09:07 got RegisterCmd site=demo.yubico.com
2022/11/12 03:09:08 RegisteKey err: CreatePrimary key err: parameter 2, error code 0xa : the type of the value is not appropriate for the use

The browser I am using is Google Chrome Version 107.0.5304.87 (Official Build) (64-bit) on Ubuntu 22.04.1 LTS

Any idea?

uski commented 1 year ago

I found what the issue was. The TPM I was using was brand new. The problem is that brand new hardware TPMs ship with outdated firmware, apparently, at least for the one I got. And I guess these older versions do not support the commands used by tpm-fido.

tpm-fido maintainer, I suggest adding some code to:

  1. check the capabilities of the TPM
  2. display an error if the necessary TPM capabilities are not present, suggesting that the user upgrade the firmware of their TPM

Specifically, in my case it was an Infineon SLB9665 TPM with an ancient firmware (which also happened to be vulnerable to the ROCA RSA key attacks).

I updated it with the software from https://github.com/iavael/infineon-firmware-updater following the instructions at https://blog.3mdeb.com/2019/2019-04-17-roca/.

One challenge was that I had to disable the HW TPM and enable the SW TPM, and also tell the updater software to access the TPM through an alternative method, otherwise it was hitting the AMD firmware TPM and aborting.

Hope this helps someone with a similar problem.

$ sudo ./TPMFactoryUpd -firmware /path/to/9665FW\ update\ package_1.5/Firmware/TPM20_5.0.1089.2_to_TPM20_5.62.3126.2.BIN -update tpm20-emptyplatformauth -access-mode 1
  **********************************************************************
  *    Infineon Technologies AG   TPMFactoryUpd   Ver 01.01.2459.00    *
  **********************************************************************

       TPM update information:
       -----------------------
       Firmware valid                    :    Yes
       TPM family                        :    2.0
       TPM firmware version              :    5.0.1089.2
       TPM platformAuth                  :    Empty Buffer
       Remaining updates                 :    64
       New firmware valid for TPM        :    Yes
       TPM family after update           :    2.0
       TPM firmware version after update :    5.62.3126.2
       TPM chip state after update       :    reset to factory defaults

       Preparation steps:
       TPM2.0 policy session created to authorize the update.

    DO NOT TURN OFF OR SHUT DOWN THE SYSTEM DURING THE UPDATE PROCESS!

       Updating the TPM firmware ...
       Completion: 100 %
       TPM Firmware Update completed successfully.
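One building block for the "display a useful error" suggestion in the comment above, added here as an example and not tpm-fido's own code: decoding the raw TPM 2.0 response code behind a message such as "parameter 2, error code 0xa" into which part of the command the TPM rejected and why, so the program can tell the user that the CreatePrimary template (parameter 2, inPublic) is not accepted by this firmware. The bit layout follows the TPM 2.0 Library specification, Part 2, section 6.6; the sample code 0x2CA is my reconstruction of the value that yields the message in the report, not a number taken from it.

```go
package main

import "fmt"

// TPM 2.0 response-code layout (TPM 2.0 Library spec, Part 2, section 6.6).
// Format one (bit 7 set): bits 5:0 error number, bit 6 P (1 = parameter,
// 0 = handle/session), bits 11:8 N = parameter number; when P is clear, bit 11
// set means N&7 is a session number, otherwise N is a handle number.
// Format zero (bit 7 clear): bits 6:0 error number, bit 11 set = warning.
const rcFmt1, rcP, rcWarn = 0x080, 0x040, 0x800

// Names of the format-one error numbers most often seen from CreatePrimary.
var fmt1Names = map[uint32]string{
	0x01: "TPM_RC_ASYMMETRIC", 0x02: "TPM_RC_ATTRIBUTES", 0x03: "TPM_RC_HASH",
	0x04: "TPM_RC_VALUE", 0x05: "TPM_RC_HIERARCHY", 0x07: "TPM_RC_KEY_SIZE",
	0x09: "TPM_RC_MODE", 0x0A: "TPM_RC_TYPE", 0x0B: "TPM_RC_HANDLE",
	0x0C: "TPM_RC_KDF", 0x0E: "TPM_RC_AUTH_FAIL", 0x12: "TPM_RC_SCHEME",
	0x15: "TPM_RC_SIZE", 0x16: "TPM_RC_SYMMETRIC", 0x1A: "TPM_RC_INSUFFICIENT",
	0x22: "TPM_RC_BAD_AUTH", 0x26: "TPM_RC_CURVE",
}

// DecodeRC splits a raw response code into what the TPM objected to
// ("parameter", "handle", "session", or "error"/"warning" for format zero),
// the 1-based index of that item (0 when not applicable) and the error name.
func DecodeRC(rc uint32) (kind string, index uint32, name string) {
	if rc == 0 {
		return "success", 0, "TPM_RC_SUCCESS"
	}
	if rc&rcFmt1 == 0 { // format zero carries no parameter/handle information
		if rc&rcWarn != 0 {
			return "warning", 0, fmt.Sprintf("TPM_RC_WARN+0x%02x", rc&0x7f)
		}
		return "error", 0, fmt.Sprintf("TPM_RC+0x%02x", rc&0x7f)
	}
	name, ok := fmt1Names[rc&0x3f]
	if !ok {
		name = fmt.Sprintf("TPM_RC_FMT1+0x%02x", rc&0x3f)
	}
	n := (rc >> 8) & 0xF
	switch {
	case rc&rcP != 0:
		return "parameter", n, name // 0x2CA (reconstructed): parameter 2, TPM_RC_TYPE
	case n&0x8 != 0:
		return "session", n & 0x7, name
	}
	return "handle", n, name
}
```

A TPM_RC_TYPE on the inPublic parameter of CreatePrimary is the point at which a program would fall back to querying TPM2_GetCapability for the supported algorithms and templates before blaming the user's setup.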