search

tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io
717 stars 378 forks source link

tpm2 verifysignature --format is no longer supported #2169

Closed osresearch closed 4 years ago

osresearch commented 4 years ago

I'm attempting to follow the Intel guide for signing PCRs with an RSA key. However, tpm2 verifysignature fails with "the TPM was unable to unmarshall a value because there were not enough octets in the input buffer".

This is using https://github.com/tpm2-software/tpm2-tools/tree/c643ff688834d573772c9cc57fcbdf48a7e7735e and https://github.com/tpm2-software/tpm2-tss/tree/76be63d641e01e7a3fcdb987fedadf98e970ba8b

As a minimal test case:

#!/bin/bash -x
die() { echo >&2 "$*" ; exit 1 ; }

tpm2 flushcontext --transient-object
tpm2 flushcontext --loaded-session

# Generate RSA key
openssl genrsa -out key.priv 2048 || die genrsa
openssl rsa -in key.priv -out key.pem -pubout || die key.pem

# Create policy and sign it
tpm2 startauthsession --session session.ctx || die startsession

tpm2 policypcr \
    --session session.ctx \
    --pcr-list "sha256:0,11" \
    --policy pcr.policy \
|| die policypcr

tpm2 flushcontext session.ctx

openssl dgst \
    -sha256 \
    -sign key.priv \
    -out pcr.policy.sig \
    pcr.policy \
|| die openssl sign plicy

# Load the key into the TPM and validate on policy signature
tpm2 loadexternal \
    --key-algorithm rsa \
    --hierarchy o \
    --public key.pem \
    --key-context key.ctx \
    --name key.name \
|| die loadexternal

tpm2 verifysignature \
    --hash-algorithm sha256 \
    --format rsassa \
    --key-context key.ctx \
    --message pcr.policy \
    --signature pcr.policy.sig \
    --ticket verification.tkt \
|| die verifysignature
williamcroberts commented 4 years ago

@osresearch I ran your test and am getting a slightly different output:

ERROR: Error deserializing signature structure: 0x9000b
ERROR: The input file needs to be a valid TPMT_SIGNATURE data structure
ERROR: Unable to run verifysignature
tpm2 rc_decode 0x9000b
mu:A parameter has a bad value

My tss version is:

pkg-config --modversion tss2-esys
3.1.0-dev

$ git describe 
3.0.0-16-g76be63d641e0

Is that what you're seeing? If not, whats your tpm2-tss version?

osresearch commented 4 years ago

I'm using tpm2-tss @ 76be63d641e01e7a3fcdb987fedadf98e970ba8b and my initial report had a library skew issue, so it was picking up the wrong version of ESYS/MU/RC. With that fixed it produces the same error as yours.

The guide has the policy signature file generated as a raw RSA signature with OpenSSL, not a TPMT_SIGNATURE:

openssl dgst -sha256 -sign signing_key_private.pem -out set2.pcr.signature set2.pcr.policy

It looks like the --format option is being ignored and was replaced with --scheme since the guide? There appears to be an attempt to support both, but the case 0: should be case '0' to make it work. https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_verifysignature.c#L205