Open Deepansharora27 opened 1 year ago
The tutorial assumes the tpm device is available at /dev/tpm0
(which is the path for GCP Shielded VMs)
I'm guessing you're trying it out on a mac, and i don't really know how to access the TPM on that os.
Aren't we executing this command as a remote user and reading the value from the PCR Bank directly from the GCP VM Instance?
When you say access TPM on MacOS, why is that required? Aren't we directly communicating with the TPM Device on the Remote GCP VM?
Why do we need to access the TPM on MacOS?
Please correct me if I am wrong on this.
slightly.
the repo shows a way to seal some data on your laptop and only get it unsealed on a remote VM that has a TPM.
your laptop doesn't need a TPM but it does need the endorsement public key of the remote VM. How your laptop gets that public key isn't specified here in this repo; the fact that the key was distributed to your laptop by other means is assumed.
once your laptop has the endorsement key, it can seal data such that it can only get decrypted by that same TPM.
the encryption part on your laptop can also contain a set of PCR values you expect to be present on the target TPM. If the PCR values don't match, you can't decrypt.
the command from your original post
go run pcr_utils/main.go --mode=read
is intended to just read the state of the PCR values on the VM that has the TPM
One Further Question:
Question: When you say that the Command is intended to just read the State of the PCR Values on the VM that has the TPM, I am assuming you mean to refer to the VM as the GCP Remote VM? If that is the Case, then why does the Command to Read the PCR Value fail?
If you are mentioning the VM as the Laptop (Local Machine), then it is understood that it will fail to read the PCR Value because, as you said earlier, the path to access the TPM on MacOS is not defined yet.
no, you read the state of the PCR banks only on the system where the TPM is present. (when i mentioned VM, i'm talking just about a gcp vm here that has a TPM)
for a GCP Shielded VM, PCR0 happens to be 24af52a4f429b71a3184a6d64cddad17e54ea030e2aa6576bf3a5a3d8bd3328f
Hi, I was trying to build the Project, and I was trying to run this command to derive the PCR Value in Read Mode:
go run pcr_utils/main.go --mode=read --pcr=23 -v 10 -alsologtostderr
But, I get the following error while trying to build it:
F0313 15:06:45.723237 58900 main.go:42] can't open TPM %!q(*string=0xc000050f60): stat /dev/tpm0: no such file or directory
goroutine 1 [running]:
github.com/golang/glog.stacks(0x0)
	/Users/deepanshu/go/pkg/mod/github.com/golang/glog@v0.0.0-20160126235308-23def4e6c14b/glog.go:769 +0x89
github.com/golang/glog.(*loggingT).output(0x1005585e0, 0x3, 0xc00014e3f0, {0x1003dcde5?, 0xc00011bec8?}, 0x2?, 0x0)
	/Users/deepanshu/go/pkg/mod/github.com/golang/glog@v0.0.0-20160126235308-23def4e6c14b/glog.go:720 +0x46d
github.com/golang/glog.(*loggingT).printf(0xc000050f90?, 0x1?, {0x1002fe32d, 0x15}, {0xc00011bec8, 0x2, 0x2})
	/Users/deepanshu/go/pkg/mod/github.com/golang/glog@v0.0.0-20160126235308-23def4e6c14b/glog.go:655 +0x10f
github.com/golang/glog.Fatalf(...)
	/Users/deepanshu/go/pkg/mod/github.com/golang/glog@v0.0.0-20160126235308-23def4e6c14b/glog.go:1148
main.main()
	/Users/deepanshu/Desktop/gcp_tpm_sealed_keys/pcr_utils/main.go:42 +0x1bf
exit status 255
Your help will be appreciated on this. Thanks!!
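Added example (not code from the repo or from either poster): a preflight check that explains the failure in the log above before any TPM call is attempted, since PCRs can only be read on the host that owns the TPM. The flag name `tpm-path` and the function `checkTPMDevice` are hypothetical; `/dev/tpm0` is the path the thread gives for GCP Shielded VMs.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io/fs"
	"os"
	"runtime"
)

// Hypothetical flag for this example; the default is the device path from the thread.
var tpmPath = flag.String("tpm-path", "/dev/tpm0", "path to the local TPM character device")

// checkTPMDevice reports whether path looks like a usable local TPM device.
// It opens nothing; it only inspects the file system entry.
func checkTPMDevice(path string) error {
	info, err := os.Stat(path)
	if errors.Is(err, fs.ErrNotExist) {
		// This is the case hit on the macOS laptop: there is no local device node.
		return fmt.Errorf("no TPM device at %q on this %s host; run the PCR read on the VM that has the TPM: %w",
			path, runtime.GOOS, err)
	}
	if err != nil {
		return fmt.Errorf("cannot stat %q: %w", path, err)
	}
	if info.Mode()&fs.ModeCharDevice == 0 {
		// A regular file or directory at this path is not a TPM.
		return fmt.Errorf("%q exists but is not a character device (mode %v)", path, info.Mode())
	}
	return nil
}

func main() {
	flag.Parse()
	// Dereference the flag before formatting it: handing the *string itself
	// to %q is what yields "%!q(*string=0x...)" in the log line above.
	if err := checkTPMDevice(*tpmPath); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("TPM device present:", *tpmPath)
}
```
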