Foreword
Welcome stranger and thanks for stopping by. This is my first blog post (ever) and presently I am not even sure whether I want to maintain a blog… so who knows? It could also be the last. 🙂
What I am going to show applies to any Trusted Platform Module (TPM) implementing TPM2.0 specs. However, I wrote this article after spending two days trying to use the Minnowboard MAX firmware TPM (fTPM) for something useful in real life… I hope I can save you some time and a lot of troubles [1].
The problem
As it turns out tpm2-tools (the only TPM2.0 userland tools available on Linux that I am aware of) uses an output format for cryptographic operations like signatures, public keys export, hashing, etc which is not compatible with OpenSSL.
This is very annoying as you can’t use directly a TPM for useful stuff if the other party is not able to load those TPM data structure (e.g. using a tpm2-tools).
After spending quite a bit of time on the TPM2.0 specs (a reading that I would recommend to anyone with a lot of time and masochistic personality) I came up with some procedures to convert RSA public keys and signatures.
In this article I am going to generate a RSA key that we can use to identify a particular device using a TPM that implements TPM2.0 specification. The easiest way to achieve that is using an AIK.
But, let’s start from the beginning…
Generating an Endorsement Key (EK)
Before generating a new AIK, we need to generate an EK. As I am using a newly initialised TPM, I have no password configured, so I can just issue the following command:
~# tpm2_getpubek -H 0x81010000 -g 0x01 -f ek.pub
That will generate a new RSA (hex code 0x01) key, store it in the NVRAM of the TPM with handle 0x8101000 and export the public portion in a file named ek.pub.
Unfortunately we can’t use this key directly for what we need to do, so let’s:
Generate an Attestation Identity Key (AIK)
Similarly to what we have done to generate the EK, we can generate a AIK:
~# tpm2_getpubak -E 0x81010000 -k 0x81010010 -f ak.pub -n ak.name
RSA is the default algorithm. The AIK is defined in the endorsement hierarchy so it needs to be generated using a EK (0x81010000 in this case). This new key is stored in the device NVRAM with handle 0x81010010. The public bit is exported in ak.pub.
ak.name contains the cryptographically secure name of the key. We are not going to need it for now.
ak.pub is a TPMT_PUBLIC structure which, among other things, contains the RSA modulus. As we generated a 2048 bits key (default), the modulus is exactly 256 bytes.
It is important to note that ak.pub doesn’t contain the RSA exponent (actually that field is present but it is set to 0). For RSA, TPM2.0 assumes that the exponent is always 2^16+1, or 65537 (for a good reason).
All that being said, we can convert the key to a DER and/or PEM format.
The DER key is then defined as <header> <modulus> <mid-header> <exponent>; we can use the following commands to compute all these elements:
1. Extract the modulus (removing TPMT_PUBLIC header and padding)
~# dd if=ak.pub of=modulus.bin bs=1 skip=102 count=256
2. Define the fixed header used by OpenSSL to identify a RSA key
~# echo 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA' | openssl base64 -a -d > header.bin
3. Mid-header is always 0x02 0x03 i.e. the exponent is a 3 bytes (0x03) integer (0x02)
~# echo -en '\x02\x03' > mid-header.bin
4. Exponent is always 65537 (2^16+1) as we have already seen
~# echo -ne '\x01\x00\x01' > exponent.bin
5. Compose the DER key
~# cat header.bin modulus.bin mid-header.bin exponent.bin > key.der
6. If needed you can easily convert the DER encoded key to PEM
~# openssl pkey -inform der -outform pem -pubin -in key.der -out key.pem
If you want to see how the modulus and the exponent look like, just run:
~# openssl rsa -in key.pem -pubin -noout -text Modulus (2048 bit): 00:c7:2d:bd:f1:88:30:01:64:6a:0c:ae:61:52:23: [stuff...] 87:a9 Exponent: 65537 (0x10001)
Ok. It seems legit, doesn’t it?
Signing a document
In TPM1.2 an AIK cannot be used to sign objects that are external to the TPM. TPM2.0 extends this concept: to sign an object with a primary key, we have to prove the TPM that object has been generated by the TPM itself. In order to do so, TPM2.0 uses tickets.
The following command computes the sha256 hash of a txt file and generate a TPM2.0 ticket (0x00B tells tpm2_hash to use SHA256.):
~# tpm2_hash -H e -g 0x00B -I message.txt -o hash.bin -t ticket.bin
Let’s sign the hash using ticket.bin as the authorisation token and the AIK with persistent handle 0x81010010:
~# tpm2_sign -k 0x81010010 -g 0x000B -m message.txt -s sign.bin -t ticket.bin
sign.bin contains the signature, wrapped in a TPMU_SIGNATURE structure.
In order to get something we can use with OpenSSL, let’s extract the relevant bits (i.e. the raw signature):
~# dd if=sign.bin of=sign.raw bs=1 skip=6 count=256
Verifying a TPM2.0 RSA signature
This is easy because we have already got a RSA public key that can be used by OpenSSL and a raw signature:
~# openssl dgst -verify key.pem -keyform pem -sha256 -signature sign.raw message.txt
If you get:
Verified OK
congratulations, it worked!
Conclusion
This is just an example of what we can do with a TPM. In one of the next articles (if any :P) I will explain how to decrypt a message encrypted with the a pubic key generated by the TPM.
[1] To create a custom version of the UEFI firmware for the MBM and enable the fTPM I suggest you to read this excellent article: Minnowboard Max: Enable the firmware (TXE) TPM 2.0
Great post! Seriously useful stuff… thanks!
LikeLiked by 1 person
Thanks Peter!:) Let me know if you are interested in more stuff on TPMs!
LikeLike
I found your explanations clear, and the examples relevant and practical. I would love to see the follow up to this post, mentioned in your conclusion… i.e. how to decrypt a message w/ the TPM, which was encrypted with a TPM derived public key.
Cheers!
LikeLiked by 1 person
Add me as someone who is interested. On my server I have recently installed a TPM2.0 module, and I’ve never done anything with TPM before, it is a lot to cover. Currently I’m learning more about TXT, but the terminology is all so foreign to me, even though I have a lot of experience with Linux. So keep them coming, this was a very nice post that will probably be helpful in the future! Cheers! Thank you for writing it.
LikeLike
I agree with the all the previous comments. This blog is very useful. There is not much practical documentation on TPM2 out there and I am glad to find this one. Now, I have a way to convert the ek.pub to something that can be parsed by openssl. This is neat stuff. Do you by any chance have examples of how to get the EK certificate from the Infineon SLB9665 tpm2.0 chip and have that parsed by openssl? Thanks!
LikeLike
I am not sure what’s the point of the tickets. My understanding is that a ticket proves an object has been generated by the TPM. In our case, does the ticket contain the hash or just a proof the hash has been generated by TPM? Actually, I don’t understand this part
** Let’s sign the HASH using ticket.bin as the authorisation token and the AIK with persistent handle 0x81010010: **
** ~# tpm2_sign -k 0x81010010 -g 0x000B -m message.txt -s sign.bin -t ticket.bin **
I guess the ticket contains both the message and a proof the hash has been created IN the TPM, otherwise we would use hash.bin
LikeLiked by 1 person
Hello Hello!
Tickets contain an HMAC calculated on some data.
From “A Practical Guide to TPM 2.0”:
In our case, the ticket is (most probably) calculated on the generated hash and it is using the aforementioned secret.
tpm2_signjust uses the message to recalculate the hash (see tpm2_sign.cpp). It could just take in input the hash itself.. yes that’s somewhat confusing: basically we calculate the hash withtpm2_hash, but then we discard the calculated hash and we just use the ticket 🙂Hope it helps!
LikeLike
And, yes, it doesn’t make any sense as you should be able to just use tpm2_sign to get a signature of a message.
There are a lot of weird things/limitations in tpm2 tools (for instance try to calculate the hash of a large file): I believe that those tools are more a PoC than real production tools…
LikeLike
Thanks for the answers. It’s much clearer now, and it reassures me that you find some things weird.
LikeLiked by 1 person
Hashing a large file works now. However, hashing a large file with the TPM is sub-optimal, as performance is terrible. You would be better off hashing it off TPM if software hashing routines are available.
The tools have recently been getting some love, along with other parts of the stack, so they are becoming more usable, with better docs.
LikeLiked by 1 person
Hi Dguerri
Excellent post. Thanks. Helped me a lot in my work. Anxiously waiting for your next article on message decryption. When is it coming?
LikeLike
Hey Shankar, thanks! I am working on something that could be very interesting to you 🙂
Unfortunately this is going to take some time because of the needed paperwork. But please stay tuned!
LikeLike
Hi Dguerri,
Found this article very useful.
Is it possible to decrypt a message which is encrypted using attestation public key (AIK)?
Regards,
Vivek
LikeLike
Ho Vivek,
sorry for the late reply.
Yes, of course it is possible. I have never tried with tpm2.0-tools, but I believe you can use
tpm2_rsadecrypt.There are two caveats, tho:
1) you can encrypt/decrypt only blocks as large as the RSA key (e.g. 1024): you need to split your data in chunks of that size and apply the encryption to each of them. This has also security implication, mind your padding 🙂 ;
2) TPMs (regardless of the version) are slow.
For these reasons, you might want to use envelope encryption: select a symmetric algorithm (e.g. AES-128-CTR), generate a random key for it, encrypt your data with it, encrypt your symmetric key with the public key generated by the TPM. Send encrypted key and ciphertext.
On the other side, decrypt the symmetric key using the TPM (e.g. with
tpm2_rsadecrypt), and use it to decrypt your ciphertext.LikeLike
Hi Dguerri,
First of all, this is an awesome post. thanks.
After having the EK and AIK generated, how can I delete the already written keys from the TPM?
Which TSS2 tool can show this sort of usage?
Regards,
andras
LikeLike
Hi Andras,
thanks!
To delete persistent objects, just use evictcontrol:
[root@tpm2-test tpm2.0-tools]# tpm2_listpersistent1 persistent objects defined.
0. Persistent handle: 0x81010001
{
Type: 0x1
Hash algorithm(nameAlg): 0xb
Attributes: 0x604b2
}
[root@tpm2-test tpm2.0-tools]# tpm2_evictcontrol -H 0x81010001 -S 0x81010001 -A o
persistentHandle: 0x81010001
[root@tpm2-test tpm2.0-tools]# tpm2_listpersistent
0 persistent objects defined.
LikeLike
Hi Dguerri,
Cool post! Hat off!
I am facing some problem with
tpm2_sign -k 0x81010010 -g 0x000B -m message.txt -s sign.bin -t ticket.bin.
Ticket is successfully generated, persistent handle is available(also digest,in_scheme…etc ), but strangely the signature wont be created.
Q1: If I would like to use the persistent keyhandle, as you have shown, do I have to load the key by either Tss2_sys_load or Tss2_sys_Contextload into the TPMRam from the NVRam, or not neccesary?
Q2: How can I figure it out the none success return value of the Tss2_sys_Sign? I got 0x921, but I find a bit difficult to resolve what the failure cause is.
Thanks for your help in advance!
Regards,
Oliver
LikeLike
Hi Oliver,
2., use rc-decoder module from tools, so that you will get the real cause in readable format.
1., try dictionary lock reset. See Github wiki among the close tickets.
Cheers,
Andras
LikeLiked by 1 person
Hi, I used the TPM trousers API to generate the key pair. I gives out the pub key in a raw binary format. I tried out these steps on that public key, but I get an error
openssl pkey -inform der -outform pem -pubin -in key.der -out key.pem
unable to load Public Key
Any idea why?
Thanks !
LikeLiked by 1 person
Not all the keys have the modulus in the same place. Hexdump the ak.pub file and the 256 bytes that follow “0000 0100” are the modulus.
LikeLike
Can’t remember the details right now, but TPMT_PUBLIC should be fixed size, at least up to the part we are interested in. Types are here: https://tinyurl.com/ybq8kjd6
LikeLike
Excellent post. thx you.
I have a problem.
Is it possible to decrypt a message which is encrypted using attestation public key (AIK)?
i try this
===========================================================================
$ echo “test…test” > encrypt.txt
$ openssl rsautl -encrypt -inkey key.pem -pubin -in encrypt.txt -out encrypt.dat
$ tpm2_rsadecrypt -k 0x81010010 -I encrypt.dat -o out_decrypt.txt
console out :
rsaDecrypt failed, error code: 0x12f
$ tpm2_rc_decode 0x12f
console out :
error layer
hex: 0x0
identifier: TSS2_TPM_ERROR_LEVEL
description: Error produced by the TPM
format 0 error code
hex: 0x2f
name: TPM_RC_AUTH_UNAVAILABLE
description: authValue or authPolicy is not available for selected entity.
===========================================================================
Did I miss anything?
LikeLike
Hi Ji-Hun,
So if you work off of my current branch here, the below examples will work:
# create an EK
tpm2_createek -H 0x81010000 -f pem -p ek.pub
# create an AK
tpm2_createak -E 0x81010000 -k 0x81010010 -f pem -p ak.pub -n ak.name
# create some data to encrypt
echo “test…test” > encrypt.txt
# Encrypt the data with the AK public key
openssl rsautl -encrypt -inkey ak.pub -pubin -in encrypt.txt -out encrypt.dat
# Try and decrypt it with the AK private key
tpm2_rsadecrypt -k 0x81010010 -I encrypt.dat -o out_decrypt.txt
ERROR: Tss2_Sys_RSA_Decrypt(0x182) – tpm:handle(1):inconsistent attributes
ERROR: Unable to run tpm2_rsadecrypt
# NOW try with the EK
# Encrypt the data with the EK public key
openssl rsautl -encrypt -inkey ek.pub -pubin -in encrypt.txt -out encrypt.dat
# Try and decrypt it with the EK private key
$ tpm2_rsadecrypt -k 0x81010000 -I encrypt.dat -o out_decrypt.txt
ERROR: Tss2_Sys_RSA_Decrypt(0x12F) – tpm:error(2.0): authValue or authPolicy is not available for selected entity
Both of these error codes make sense, when you look at the attributes:
tpm2_listpersistent
– { persistent-handle: 0x81010000, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy|restricted|decrypt }
– { persistent-handle: 0x81010010, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|sign }
The AK (0x81010010) returns an “attribute error” due to the fact that the “encrypt” attribute is not set.
The EK (0x81010000) returns an “auth error” due to the fact that the “userWithauth” attribute is not set:
The bits mean:
userWithauth: If this attribute is CLEAR, then HMAC or password authorizations may not be used for USER role
authorizations
adminWithPolicy: If this attribute is SET, then then HMAC or password authorizations may not be used for ADMIN role authorizations.
Section 8.3.3 of https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf details these attribute bits.
I tried some quick hacks to twiddle these attribute bits, but couldn’t get the create call to pass in tpm2_createak. I am not sure what that “auth policy” is, but with adminwithpolicy set makes me assume that plays into the equation.
LikeLike
Hi ji-hun,
I found that the data encrypted using EK cannot be used to decrypt using tmp2_decrypt command. You can use only the keys with tpm2_decrypt which are created using tpm2_createprimary. If you want to use EK for decrypting small data (equal to size of the key), you have to also create AK and use tpm2_makecredential to encrypt and tpm2_activatecredential to decrypt the payload.
So in my use case, I exported the EK and AK public key, decrypted the original data with a symmetric key (as suggest by Dguerri), encrypted the symmetric key using tpm2_makecredential (you have to use TPM2 simulator incase the server on which you are encrypting the data doesn’t have TPM2 chip), decrypted the symmetric key at the targer using tpm2_activatecredential and used the resultant key to decrypt the actual data.
I had used the older version of the tools, so I am not aware if there is any change in the latest version for tpm2 tools.
Regards,
Vivek
LikeLike
Forgot to leave the branch: https://github.com/williamcroberts/tpm2.0-tools/tree/openssl-format
LikeLike
i integrated slb 9670 with msp430 16 bit controller , which does not support linux. my task is to store keys in slb9670 chip,please help me , how to start the process. iam unable to understand ?
LikeLike
Brilliant!
LikeLiked by 1 person
As a note- I am trying to use this to do the reverse process. I am starting with .pem keys from OpenSSL and converting them to keys that can be loaded into the TPM. If you have any advice on this, that would be awesome!
LikeLike