RSA signatures with TPM2.0 and OpenSSL

Foreword

Welcome stranger and thanks for stopping by. This is my first blog post (ever) and presently I am not even sure whether I want to maintain a blog… so who knows? It could also be the last. 🙂

What I am going to show applies to any Trusted Platform Module (TPM) implementing TPM2.0 specs. However, I wrote this article after spending two days trying to use the Minnowboard MAX firmware TPM (fTPM) for something useful in real life… I hope I can save you some time and a lot of troubles [1].

The problem

As it turns out tpm2-tools (the only TPM2.0 userland tools available on Linux that I am aware of)  uses an output format for cryptographic operations like signatures, public keys export, hashing, etc which is not compatible with OpenSSL.

This is very annoying as you can’t use directly a TPM for useful stuff if the other party is not able to load those TPM data structure (e.g. using a tpm2-tools).

After spending quite a bit of time on the TPM2.0 specs (a reading that I would recommend to anyone with a lot of time and masochistic personality) I came up with some procedures to convert RSA public keys and signatures.

In this article I am going to generate a RSA key that we can use to identify a particular device using a TPM that implements TPM2.0 specification. The easiest way to achieve that is using an AIK.

But, let’s start from the beginning…

Generating an Endorsement Key (EK)

Before generating a new AIK, we need to generate an EK. As I am using a newly initialised TPM, I have no password configured, so I can just issue the following command:


~# tpm2_getpubek -H 0x81010000 -g 0x01 -f ek.pub

That will generate a new RSA (hex code 0x01) key, store it in the NVRAM of the TPM with handle 0x8101000 and export the public portion in a file named ek.pub.

Unfortunately we can’t use this key directly for what we need to do, so let’s:

Generate an Attestation Identity Key (AIK)

Similarly to what we have done to generate the EK, we can generate a AIK:


~# tpm2_getpubak -E 0x81010000 -k 0x81010010 -f ak.pub -n ak.name

RSA is the default algorithm. The AIK is defined in the endorsement hierarchy so it needs to be generated using a EK (0x81010000 in this case). This new key is stored in the device NVRAM with handle 0x81010010. The public bit is exported in ak.pub.

ak.name contains the cryptographically secure name of the key. We are not going to need it for now.Infineon_TPM_2.0.jpg_1250988720

ak.pub is a TPMT_PUBLIC structure which, among other things, contains the RSA modulus. As we generated a 2048 bits key (default), the modulus is exactly 256 bytes.

It is important to note that ak.pub doesn’t contain the RSA exponent (actually that field is present but it is set to 0). For RSA, TPM2.0 assumes that the exponent is always 2^16+1, or 65537 (for a good reason).

All that being said, we can convert the key to a DER and/or PEM format.

The DER key is then defined as <header> <modulus> <mid-header> <exponent>; we can use the following commands to compute all these elements:

1. Extract the modulus (removing TPMT_PUBLIC header and padding)


~# dd if=ak.pub of=modulus.bin bs=1 skip=102 count=256

2. Define the fixed header used by OpenSSL to identify a RSA key


~# echo 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA' | openssl base64 -a -d > header.bin

3. Mid-header is always 0x02 0x03 i.e. the exponent is a 3 bytes (0x03) integer (0x02)


~# echo -en '\x02\x03' > mid-header.bin

4. Exponent is always 65537 (2^16+1) as we have already seen


~# echo -ne '\x01\x00\x01' > exponent.bin

5. Compose the DER key


~# cat header.bin modulus.bin mid-header.bin exponent.bin > key.der

6. If needed you can easily convert the DER encoded key to PEM


~# openssl pkey -inform der -outform pem -pubin -in key.der -out key.pem

If you want to see how the modulus and the exponent look like, just run:


~# openssl rsa -in key.pem -pubin -noout -text
Modulus (2048 bit):

00:c7:2d:bd:f1:88:30:01:64:6a:0c:ae:61:52:23:
[stuff...]
87:a9

Exponent:
65537 (0x10001)

Ok. It seems legit, doesn’t it?

Signing a document

In TPM1.2 an AIK cannot be used to sign objects that are external to the TPM. TPM2.0 extends this concept: to sign an object with a primary key, we have to prove the TPM that object has been generated by the TPM itself. In order to do so, TPM2.0 uses tickets.

The following command computes the sha256 hash of a txt file and generate a TPM2.0 ticket (0x00B tells tpm2_hash to use SHA256.):

~# tpm2_hash -H e -g 0x00B -I message.txt -o hash.bin -t ticket.bin

Let’s sign the hash using ticket.bin as the authorisation token and the AIK with persistent handle 0x81010010:


~# tpm2_sign -k 0x81010010 -g 0x000B -m message.txt -s sign.bin -t ticket.bin

sign.bin contains the signature, wrapped in a TPMU_SIGNATURE structure.

In order to get something we can use with OpenSSL, let’s extract the relevant bits (i.e. the raw signature):


~# dd if=sign.bin of=sign.raw bs=1 skip=6 count=256

Verifying a TPM2.0 RSA signature

This is easy because we have already got a RSA public key that can be used by OpenSSL and a raw signature:


~# openssl dgst -verify key.pem -keyform pem -sha256 -signature sign.raw message.txt

If you get:


Verified OK

congratulations, it worked!

ConclusionIC790695

This is just an example of what we can do with a TPM. In one of the next articles (if any :P) I will explain how to decrypt a message encrypted with the a pubic key generated by the TPM.


 

[1] To create a custom version of the UEFI firmware for the MBM and enable the fTPM I suggest you to read this excellent article: Minnowboard Max: Enable the firmware (TXE) TPM 2.0

 

30 thoughts on “RSA signatures with TPM2.0 and OpenSSL

  1. Add me as someone who is interested. On my server I have recently installed a TPM2.0 module, and I’ve never done anything with TPM before, it is a lot to cover. Currently I’m learning more about TXT, but the terminology is all so foreign to me, even though I have a lot of experience with Linux. So keep them coming, this was a very nice post that will probably be helpful in the future! Cheers! Thank you for writing it.

    Like

  2. I agree with the all the previous comments. This blog is very useful. There is not much practical documentation on TPM2 out there and I am glad to find this one. Now, I have a way to convert the ek.pub to something that can be parsed by openssl. This is neat stuff. Do you by any chance have examples of how to get the EK certificate from the Infineon SLB9665 tpm2.0 chip and have that parsed by openssl? Thanks!

    Like

  3. I am not sure what’s the point of the tickets. My understanding is that a ticket proves an object has been generated by the TPM. In our case, does the ticket contain the hash or just a proof the hash has been generated by TPM? Actually, I don’t understand this part
    ** Let’s sign the HASH using ticket.bin as the authorisation token and the AIK with persistent handle 0x81010010: **
    ** ~# tpm2_sign -k 0x81010010 -g 0x000B -m message.txt -s sign.bin -t ticket.bin **
    I guess the ticket contains both the message and a proof the hash has been created IN the TPM, otherwise we would use hash.bin

    Liked by 1 person

    • Hello Hello!
      Tickets contain an HMAC calculated on some data.
      From “A Practical Guide to TPM 2.0”:

      The TPM uses tickets when it splits cryptographic operations into multiple operations with respect to time. Here, the HMAC key used to generate the HMAC is not a shared secret, but a secret known only to the TPM

      In our case, the ticket is (most probably) calculated on the generated hash and it is using the aforementioned secret.
      tpm2_sign just uses the message to recalculate the hash (see tpm2_sign.cpp). It could just take in input the hash itself.. yes that’s somewhat confusing: basically we calculate the hash with tpm2_hash, but then we discard the calculated hash and we just use the ticket 🙂

      Hope it helps!

      Like

    • And, yes, it doesn’t make any sense as you should be able to just use tpm2_sign to get a signature of a message.
      There are a lot of weird things/limitations in tpm2 tools (for instance try to calculate the hash of a large file): I believe that those tools are more a PoC than real production tools…

      Like

      • Hashing a large file works now. However, hashing a large file with the TPM is sub-optimal, as performance is terrible. You would be better off hashing it off TPM if software hashing routines are available.
        The tools have recently been getting some love, along with other parts of the stack, so they are becoming more usable, with better docs.

        Liked by 1 person

  4. Hi Dguerri
    Excellent post. Thanks. Helped me a lot in my work. Anxiously waiting for your next article on message decryption. When is it coming?

    Like

    • Hey Shankar, thanks! I am working on something that could be very interesting to you 🙂
      Unfortunately this is going to take some time because of the needed paperwork. But please stay tuned!

      Like

  5. Hi Dguerri,
    Found this article very useful.
    Is it possible to decrypt a message which is encrypted using attestation public key (AIK)?
    Regards,
    Vivek

    Like

    • Ho Vivek,
      sorry for the late reply.
      Yes, of course it is possible. I have never tried with tpm2.0-tools, but I believe you can use tpm2_rsadecrypt.

      There are two caveats, tho:
      1) you can encrypt/decrypt only blocks as large as the RSA key (e.g. 1024): you need to split your data in chunks of that size and apply the encryption to each of them. This has also security implication, mind your padding 🙂 ;
      2) TPMs (regardless of the version) are slow.

      For these reasons, you might want to use envelope encryption: select a symmetric algorithm (e.g. AES-128-CTR), generate a random key for it, encrypt your data with it, encrypt your symmetric key with the public key generated by the TPM. Send encrypted key and ciphertext.
      On the other side, decrypt the symmetric key using the TPM (e.g. with tpm2_rsadecrypt), and use it to decrypt your ciphertext.

      Like

  6. Hi Dguerri,
    First of all, this is an awesome post. thanks.
    After having the EK and AIK generated, how can I delete the already written keys from the TPM?
    Which TSS2 tool can show this sort of usage?
    Regards,
    andras

    Like

    • Hi Andras,
      thanks!

      To delete persistent objects, just use evictcontrol:

      [root@tpm2-test tpm2.0-tools]# tpm2_listpersistent
      1 persistent objects defined.

      0. Persistent handle: 0x81010001
      {
      Type: 0x1
      Hash algorithm(nameAlg): 0xb
      Attributes: 0x604b2
      }

      [root@tpm2-test tpm2.0-tools]# tpm2_evictcontrol -H 0x81010001 -S 0x81010001 -A o
      persistentHandle: 0x81010001
      [root@tpm2-test tpm2.0-tools]# tpm2_listpersistent
      0 persistent objects defined.

      Like

  7. Hi Dguerri,
    Cool post! Hat off!
    I am facing some problem with
    tpm2_sign -k 0x81010010 -g 0x000B -m message.txt -s sign.bin -t ticket.bin.
    Ticket is successfully generated, persistent handle is available(also digest,in_scheme…etc ), but strangely the signature wont be created.
    Q1: If I would like to use the persistent keyhandle, as you have shown, do I have to load the key by either Tss2_sys_load or Tss2_sys_Contextload into the TPMRam from the NVRam, or not neccesary?
    Q2: How can I figure it out the none success return value of the Tss2_sys_Sign? I got 0x921, but I find a bit difficult to resolve what the failure cause is.
    Thanks for your help in advance!
    Regards,
    Oliver

    Like

    • Hi Oliver,
      2., use rc-decoder module from tools, so that you will get the real cause in readable format.
      1., try dictionary lock reset. See Github wiki among the close tickets.
      Cheers,
      Andras

      Liked by 1 person

  8. Hi, I used the TPM trousers API to generate the key pair. I gives out the pub key in a raw binary format. I tried out these steps on that public key, but I get an error
    openssl pkey -inform der -outform pem -pubin -in key.der -out key.pem
    unable to load Public Key

    Any idea why?

    Thanks !

    Liked by 1 person

  9. Excellent post. thx you.
    I have a problem.
    Is it possible to decrypt a message which is encrypted using attestation public key (AIK)?
    i try this
    ===========================================================================
    $ echo “test…test” > encrypt.txt
    $ openssl rsautl -encrypt -inkey key.pem -pubin -in encrypt.txt -out encrypt.dat
    $ tpm2_rsadecrypt -k 0x81010010 -I encrypt.dat -o out_decrypt.txt
    console out :
    rsaDecrypt failed, error code: 0x12f

    $ tpm2_rc_decode 0x12f
    console out :
    error layer
    hex: 0x0
    identifier: TSS2_TPM_ERROR_LEVEL
    description: Error produced by the TPM
    format 0 error code
    hex: 0x2f
    name: TPM_RC_AUTH_UNAVAILABLE
    description: authValue or authPolicy is not available for selected entity.
    ===========================================================================
    Did I miss anything?

    Like

    • Hi Ji-Hun,
      So if you work off of my current branch here, the below examples will work:
      # create an EK
      tpm2_createek -H 0x81010000 -f pem -p ek.pub
      # create an AK
      tpm2_createak -E 0x81010000 -k 0x81010010 -f pem -p ak.pub -n ak.name
      # create some data to encrypt
      echo “test…test” > encrypt.txt
      # Encrypt the data with the AK public key
      openssl rsautl -encrypt -inkey ak.pub -pubin -in encrypt.txt -out encrypt.dat
      # Try and decrypt it with the AK private key
      tpm2_rsadecrypt -k 0x81010010 -I encrypt.dat -o out_decrypt.txt
      ERROR: Tss2_Sys_RSA_Decrypt(0x182) – tpm:handle(1):inconsistent attributes
      ERROR: Unable to run tpm2_rsadecrypt
      # NOW try with the EK
      # Encrypt the data with the EK public key
      openssl rsautl -encrypt -inkey ek.pub -pubin -in encrypt.txt -out encrypt.dat
      # Try and decrypt it with the EK private key
      $ tpm2_rsadecrypt -k 0x81010000 -I encrypt.dat -o out_decrypt.txt
      ERROR: Tss2_Sys_RSA_Decrypt(0x12F) – tpm:error(2.0): authValue or authPolicy is not available for selected entity

      Both of these error codes make sense, when you look at the attributes:
      tpm2_listpersistent
      – { persistent-handle: 0x81010000, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy|restricted|decrypt }
      – { persistent-handle: 0x81010010, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|sign }

      The AK (0x81010010) returns an “attribute error” due to the fact that the “encrypt” attribute is not set.
      The EK (0x81010000) returns an “auth error” due to the fact that the “userWithauth” attribute is not set:
      The bits mean:
      userWithauth: If this attribute is CLEAR, then HMAC or password authorizations may not be used for USER role
      authorizations
      adminWithPolicy: If this attribute is SET, then then HMAC or password authorizations may not be used for ADMIN role authorizations.
      Section 8.3.3 of https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf details these attribute bits.

      I tried some quick hacks to twiddle these attribute bits, but couldn’t get the create call to pass in tpm2_createak. I am not sure what that “auth policy” is, but with adminwithpolicy set makes me assume that plays into the equation.

      Like

    • Hi ji-hun,
      I found that the data encrypted using EK cannot be used to decrypt using tmp2_decrypt command. You can use only the keys with tpm2_decrypt which are created using tpm2_createprimary. If you want to use EK for decrypting small data (equal to size of the key), you have to also create AK and use tpm2_makecredential to encrypt and tpm2_activatecredential to decrypt the payload.

      So in my use case, I exported the EK and AK public key, decrypted the original data with a symmetric key (as suggest by Dguerri), encrypted the symmetric key using tpm2_makecredential (you have to use TPM2 simulator incase the server on which you are encrypting the data doesn’t have TPM2 chip), decrypted the symmetric key at the targer using tpm2_activatecredential and used the resultant key to decrypt the actual data.

      I had used the older version of the tools, so I am not aware if there is any change in the latest version for tpm2 tools.
      Regards,
      Vivek

      Like

  10. i integrated slb 9670 with msp430 16 bit controller , which does not support linux. my task is to store keys in slb9670 chip,please help me , how to start the process. iam unable to understand ?

    Like

    • As a note- I am trying to use this to do the reverse process. I am starting with .pem keys from OpenSSL and converting them to keys that can be loaded into the TPM. If you have any advice on this, that would be awesome!

      Like

  11. Hi, thanks for this great resource. Is it possible to generate RSA or ECC keys of different sizes? what is the TPM 2.0 command for that? I got an error each time I tried to encrypt a file with a size larger than 256 Byte with RSA keys in my TPM 2.0. Is there any way to countermeasure this constrain?
    Thanks!
    Mohamed

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s