Open terilenard opened 1 year ago
Follow-up. There is a related known issue here: 2569 on tpm2-tss. But this is on FAPI, not on ESAPI. Any thoughts?
@terilenard with ESAPI you have to create a policy session with activated parameter encryption. FAPI uses ESAPI for this purpose. At:
https://github.com/JuergenReppSIT/tpm2-tss/blob/8e6aca9ce03c67cec7f3e6c01946d7398f816260/src/tss2-fapi/ifapi_policyutil_execute.c#L97
you can see how FAPI does it. The SRK is here used as tpm key for the session. The example implements a state machine with the ESAPI async functions. You could create a simpler version (without `context->state`) with the ESAPI one call functions.
Your help is much appreciated! Thank you for pointing me in the right direction.
Has the issue been resolved? Noticing that I2C bus sniffing attacks are becoming more straightforward to execute (for instance https://www.tomshardware.com/pc-components/cpus/youtuber-breaks-bitlocker-encryption-in-less-than-43-seconds-with-sub-dollar10-raspberry-pi-pico), I think it would be appreciated to add information to the wiki on the proper configuration of command parameter encryption.
Hello, I think the issue was solved on the C library on #2569.
Hello,
I have the following use-case. Create a sealed secret that is accessed only when a TPM PCR policy is met. Additionally, I want to have an authenticated and encrypted communication with the TPM. Please find below the TPM commands, software versions, setup, and issues.
Output of `uname -a`: Linux Ubuntu-beaver 5.4.0-144-generic
Output of `tpm2 -v`: tool="tpm2" version="5.5-4-g90534beb" tctis="libtss2-tctildr" tcti-default=tcti-abrmd
TPM: IBMTss virtual TPM with tpm2-abrmd
Issue: sealed secret is visible on the network communication when performing tpm2_unseal. I expected the sealed secret to be visible only at application level, not in the tpm to application communication.
Question: Is it possible to have the tpm2_startauthsession encrypt the communication between the application and tpm?
Commands:
At one point I also tried to run:
to create an AES key that could be used in the session. This was executed before:
Thank you! Teri