ibmtss

Doug Fraser
Does anyone know if tssclear supports hardware PresenceDetect clear?

(I want to wipe the device....)

I can use TPM FW update to move it back to 1.2 FW then back to 2.0 FW, and that will also wipe it, but just wiping with tssclear using the presence detect would be easier.


Thanks......

Douglas Fraser

-----Original Message-----
From: Doug Fraser
Sent: Friday, December 21, 2018 4:45 PM
To: Fredrik Ternerot <fredrik.trot@...>
Cc: openssl-tpm2-engine@groups.io
Subject: RE: [openssl-tpm2-engine] TSS aligned with TPM2 engine

I am doing this between my ibmtss build and my openssl_tpm2_engine build....
This gets me the proper path, then I hand install using my own makefile.
I tried editing the configured Makefile using the results of this, but it still does some strange things with libtool that blows it up, so I hand install the output to the target after the build.

This *should* work with any installed version of OpenSSL.
Feel free to pick away at parts of this if they are useful at all.

Douglas Fraser

# For OPENSSL TPM2 Engine, we need to know where the installed OpenSSL
# is going to look for its engines.
# We do that by cross building this little application and running it
# in chroot, and then extracting the string that it spits out.
# (Running a cross-built binary in chroot needs a host that can execute
# target binaries, e.g. via a user-mode emulator registered with binfmt.)
rm -f enginesdir
rm -f openssl_engine_path.c
cat <<PATH_TEST >openssl_engine_path.c
#define HEADER_CRYPTLIB_H
#include <openssl/crypto.h>
#include <stdio.h>
int
main ()
{
#if OPENSSL_VERSION_NUMBER < 0x10100000
	/* OpenSSL 1.0.x: ENGINESDIR is a plain path string */
	puts(ENGINESDIR);
#else
	/* OpenSSL 1.1.x and later: ask the library at run time */
	puts(OpenSSL_version(OPENSSL_ENGINES_DIR));
#endif
	return 0;
}
PATH_TEST

# Cross compile directly to /tmp on chroot install top.
# exit_code is assumed to be set earlier in the enclosing script.
if ! "${CROSS_COMPILE}"gcc -o "${install_top}"/tmp/openssl_engine_path --sysroot="${install_top}" openssl_engine_path.c; then
	echo "Failed: unable to build openssl_engine_path.c"
	exit "${exit_code}"
fi
exit_code=$((exit_code+1))

# Execute and store the printed string in /tmp
chroot "${install_top}" /bin/sh -c '/tmp/openssl_engine_path > /tmp/enginesdir'

# Bring the string up here (in its file) and clean up
cp "${install_top}"/tmp/enginesdir "${build_top}"/enginesdir
rm -f "${install_top}"/tmp/openssl_engine_path "${install_top}"/tmp/enginesdir


-----Original Message-----
From: Fredrik Ternerot <fredrik.trot@...>
Sent: Friday, December 21, 2018 4:37 PM
To: Doug Fraser <doug.fraser@...>
Cc: openssl-tpm2-engine@groups.io
Subject: Re: [openssl-tpm2-engine] TSS aligned with TPM2 engine

On Fri, Dec 21, 2018 at 8:11 PM Doug Fraser <doug.fraser@...> wrote:

> Fred,
>
> Thanks for your response.
>
> I have some ideas how I am going to install at this point, but I am curious how you are determining your OpenSSL engine directory for your specific target?
> We are actually building OpenSSL on our target, so I have two options:
>
> 1) grep for OPENSSL_ENGINES_DIR in the build artifacts and process
> that. *it is indeed, there..... ugly, but usable*
> 2) after cross building and installing openssl, cross building a small test application that does nothing more than "puts(OpenSSL_version(OPENSSL_ENGINES_DIR));" and running that in chroot on target.
>
> Those are the two methods I have at hand, did you use one of these? Or a third way?

Sorry but I have no good solution for this either, I'm basically hard coding the engines dir. I will try to clean up my changes after the holidays and if I come up with some good solution I will let you know.

I also have some other workarounds that I probably should send mails about. In short one problem regarding padding for RSA decrypt when using openssl 1.0.x (not seen when using 1.1) and one problem regarding permission of TSS tmp dir when the application is changing user (in my case Apache httpd loads the keys as root but using them as another user).

Fredrik Ternerot


Thanks for the reply!

Douglas Fraser

-----Original Message-----
From: Fredrik Ternerot <fredrik.trot@...>
Sent: Friday, December 21, 2018 1:59 PM
To: openssl-tpm2-engine@groups.io; Doug Fraser <doug.fraser@...>
Subject: Re: [openssl-tpm2-engine] TSS aligned with TPM2 engine

============

> #$ sed -i 's/ create_tpm2_key.1//' Makefile.am

I actually do almost exactly the same fix. I'm also cross compiling for 32-bit armv7 using OpenEmbedded.

> This removes a documentation dependency on help2man.
> This is required because I am cross-compiling, and I cannot execute `create_tpm2_key --help` on the build host to extract the document.
>
> It would be helpful if there were a configure option to block documentation generation completely.

I agree.

> In addition, when I `make install`, everything goes well until it runs libtool on libtpm2(.la/.so), where it installs it on my host, not on my cross target.
> It is not honoring --prefix for the cross target libraries, only the binary.

In case you wonder, I haven't checked this since I'm using a custom install variant in my bitbake recipe instead of relying on 'make install'.

Fredrik Ternerot
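A detail worth handling when consuming the file the probe above writes: the two preprocessor branches do not print the same shape of string. Under OpenSSL 1.0.x the ENGINESDIR macro is the bare path, while under 1.1.x OpenSSL_version(OPENSSL_ENGINES_DIR) returns the path wrapped as ENGINESDIR: "<path>" (or ENGINESDIR: N/A when no engines directory was configured). The following is an added example, not code from this thread or from openssl_tpm2_engine, that normalises both forms to a bare absolute path before a build script uses it as an install location; the sample strings in main() are constructed.

```c
/* Added example: normalise the engines-dir string printed by an
 * OpenSSL probe so that both the 1.0.x form (bare path) and the
 * 1.1.x form ('ENGINESDIR: "<path>"') yield the same result. */
#include <stdio.h>
#include <string.h>

/* Returns 1 and writes the bare path into out on success, 0 when the
 * string carries no usable path (N/A, empty, relative, malformed). */
int enginesdir_from_probe(const char *raw, char *out, size_t outlen)
{
    static const char prefix[] = "ENGINESDIR: ";
    const char *p = raw;
    size_t n;

    if (raw == NULL || outlen == 0)
        return 0;
    if (strncmp(p, prefix, sizeof(prefix) - 1) == 0) {
        /* 1.1.x form: path is quoted after the prefix */
        p += sizeof(prefix) - 1;
        if (*p != '"')
            return 0;                 /* 'ENGINESDIR: N/A' or garbage */
        p++;
        n = strcspn(p, "\"");
        if (p[n] != '"')
            return 0;                 /* unterminated quote */
    } else {
        /* 1.0.x form: bare path, strip the newline puts() added */
        n = strcspn(p, "\r\n");
    }
    /* Only accept an absolute path; anything else is not an install dir. */
    if (n == 0 || n >= outlen || p[0] != '/')
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Convenience check: does the probe string decode to exactly expected? */
int enginesdir_equals(const char *raw, const char *expected)
{
    char path[256];
    return enginesdir_from_probe(raw, path, sizeof path)
        && strcmp(path, expected) == 0;
}

int main(void)
{
    /* Constructed sample probe outputs, one per OpenSSL generation. */
    const char *samples[] = {
        "/usr/lib/engines\n",                                          /* 1.0.x */
        "ENGINESDIR: \"/usr/lib/arm-linux-gnueabihf/engines-1.1\"\n",  /* 1.1.x */
        "ENGINESDIR: N/A\n",
    };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (enginesdir_from_probe(samples[i], path, sizeof path))
            printf("engines dir: %s\n", path);
        else
            printf("no usable engines dir in: %s", samples[i]);
    }
    return 0;
}
```

The absolute-path check is deliberate: a build step that later copies libtpm2.so into this directory should refuse to proceed on an empty or relative value rather than install into the wrong place on the build host.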

James Bottomley
 

On Wed, 2018-12-26 at 19:23 +0000, Doug Fraser wrote:
> Does anyone know if tssclear supports hardware PresenceDetect clear?

This isn't a property of the command code (or the actual tssclear
command) but the platform and the TPM configuration.

> (I want to wipe the device....)
>
> I can use TPM FW update to move it back to 1.2 FW then back to 2.0
> FW, and that will also wipe it, but just wiping with tssclear using
> the presence detect would be easier.

I added the tss users list for better information, but TPM2_Clear()
only requires physical presence (PP) if the TPM2_Clear command is in
the physical presence set list. If it is, tssclear will return
TPM_RC_PP. If it does return this, how you signal physical presence is
very platform dependent. The best way is to clear the TPM from the
BIOS/UEFI because it will be wired in correctly to the PP interface. I
know on most Dell systems, holding F12 while executing the command is
supposed to work, but I've never actually tried it.

James

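The TPM_RC_PP case James describes is easier to act on from a script if the return code is decoded rather than compared as an opaque number. The following is an added example, not ibmtss code and not from this thread: a decoder for TPM 2.0 response codes that follows the bit layout in Part 2 of the TPM 2.0 Library specification (format 0 versus format 1, warning versus error, and the handle/parameter/session index). TPM_RC_PP is RC_VER1 + 0x010 = 0x110. The codes fed to it in main() are constructed; in practice the input is the response code a tool such as tssclear reports. Whether TPM2_Clear is actually in the physical-presence set can be read with TPM2_GetCapability(TPM_CAP_PP_COMMANDS), which this example does not call.

```c
/* Added example: decode a TPM 2.0 response code (TPM 2.0 Library Part 2,
 * section 6.6). Not ibmtss code; constants are the spec's base values. */
#include <stdint.h>
#include <stdio.h>

#define RC_VER1        0x100u               /* format 0, TPM 2.0-defined error */
#define RC_FMT1        0x080u               /* format 1 (handle/parameter/session) */
#define RC_WARN        0x900u               /* format 0 warning */
#define TPM_RC_PP      (RC_VER1 + 0x010u)   /* 0x110: physical presence required */
#define TPM_RC_LOCKOUT (RC_WARN + 0x021u)   /* 0x921: in dictionary-attack lockout */
#define TPM_RC_RETRY   (RC_WARN + 0x022u)   /* 0x922: TPM asks for a retry */

typedef enum {
    RC_SUCCESS, RC_TPM12, RC_FMT0_ERROR, RC_FMT0_WARNING, RC_FMT0_VENDOR,
    RC_FMT1_HANDLE, RC_FMT1_PARAMETER, RC_FMT1_SESSION, RC_NOT_TPM
} rc_kind;

typedef struct {
    rc_kind  kind;
    unsigned number;   /* error number within its format */
    unsigned index;    /* handle/parameter/session number (format 1 only) */
} rc_info;

rc_info tpm_rc_decode(uint32_t rc)
{
    rc_info r = { RC_SUCCESS, 0, 0 };
    if (rc == 0)
        return r;
    if (rc & ~0xFFFu) {            /* bits 31:12 are zero in a TPM code; larger */
        r.kind = RC_NOT_TPM;       /* values come from the TSS or transport layer */
        return r;
    }
    if (rc & RC_FMT1) {            /* bit 7 set: format 1 */
        unsigned n = (rc >> 8) & 0xFu;   /* N field, bits 11:8 */
        r.number = rc & 0x3Fu;
        if (rc & 0x040u) {         /* bit 6 (P): a parameter is at fault */
            r.kind = RC_FMT1_PARAMETER; r.index = n;
        } else if (n & 0x8u) {     /* P clear and N bit 3 set: a session */
            r.kind = RC_FMT1_SESSION;   r.index = n & 0x7u;
        } else {                   /* P clear, N bit 3 clear: a handle */
            r.kind = RC_FMT1_HANDLE;    r.index = n;
        }
        return r;
    }
    r.number = rc & 0x7Fu;         /* format 0 */
    if (!(rc & RC_VER1))
        r.kind = RC_TPM12;         /* bit 8 clear: TPM 1.2 compatible code */
    else if (rc & 0x400u)
        r.kind = RC_FMT0_VENDOR;   /* bit 10 (T): vendor-defined */
    else if (rc & 0x800u)
        r.kind = RC_FMT0_WARNING;  /* bit 11 (S): warning, not an error */
    else
        r.kind = RC_FMT0_ERROR;
    return r;
}

/* The case from the mail: the command is in the PP set and presence was
 * not asserted, so the platform's PP mechanism must be used instead. */
int tpm_rc_needs_physical_presence(uint32_t rc)
{
    return (rc & 0xFFFu) == TPM_RC_PP;
}

static const char *kind_name(rc_kind k)
{
    static const char *names[] = {
        "success", "TPM 1.2 code", "error", "warning", "vendor-specific",
        "handle error", "parameter error", "session error", "not a TPM code"
    };
    return names[k];
}

int main(void)
{
    /* Constructed codes: TPM_RC_PP, TPM_RC_VALUE on parameter 1,
     * TPM_RC_BAD_AUTH on session 1, TPM_RC_RETRY, and a non-TPM value. */
    const uint32_t samples[] = { 0x110, 0x1C4, 0x9A2, 0x922, 0x000B0001 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        rc_info r = tpm_rc_decode(samples[i]);
        printf("0x%08x: %s, number 0x%02x, index %u%s\n", samples[i],
               kind_name(r.kind), r.number, r.index,
               tpm_rc_needs_physical_presence(samples[i])
                   ? " (physical presence required)" : "");
    }
    return 0;
}
```

Treating TPM_RC_PP as "switch to the BIOS/UEFI clear path" rather than retrying the command in a loop matches the advice above: the TPM will keep returning it until presence is asserted through whatever the platform wired to the PP interface.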