I found your explanations clear, and the examples relevant and practical. I would love to see the follow up to this post, mentioned in your conclusion… i.e. how to decrypt a message w/ the TPM, which was encrypted with a TPM derived public key.
Cheers!
Add me as someone who is interested. On my server I have recently installed a TPM2.0 module, and I’ve never done anything with TPM before, it is a lot to cover. Currently I’m learning more about TXT, but the terminology is all so foreign to me, even though I have a lot of experience with Linux. So keep them coming, this was a very nice post that will probably be helpful in the future! Cheers! Thank you for writing it.
I agree with the all the previous comments. This blog is very useful. There is not much practical documentation on TPM2 out there and I am glad to find this one. Now, I have a way to convert the ek.pub to something that can be parsed by openssl. This is neat stuff. Do you by any chance have examples of how to get the EK certificate from the Infineon SLB9665 tpm2.0 chip and have that parsed by openssl? Thanks!
I am not sure what’s the point of the tickets. My understanding is that a ticket proves an object has been generated by the TPM. In our case, does the ticket contain the hash or just a proof the hash has been generated by TPM? Actually, I don’t understand this part
** Let’s sign the HASH using ticket.bin as the authorisation token and the AIK with persistent handle 0x81010010: **
** ~# tpm2_sign -k 0x81010010 -g 0x000B -m message.txt -s sign.bin -t ticket.bin **
I guess the ticket contains both the message and a proof the hash has been created IN the TPM, otherwise we would use hash.bin
Hello Hello!
Tickets contain an HMAC calculated on some data.
From “A Practical Guide to TPM 2.0”:
The TPM uses tickets when it splits cryptographic operations into multiple operations with respect to time. Here, the HMAC key used to generate the HMAC is not a shared secret, but a secret known only to the TPM
In our case, the ticket is (most probably) calculated on the generated hash and it is using the aforementioned secret. tpm2_sign just uses the message to recalculate the hash (see tpm2_sign.cpp). It could just take in input the hash itself.. yes that’s somewhat confusing: basically we calculate the hash with tpm2_hash, but then we discard the calculated hash and we just use the ticket 🙂
And, yes, it doesn’t make any sense as you should be able to just use tpm2_sign to get a signature of a message.
There are a lot of weird things/limitations in tpm2 tools (for instance try to calculate the hash of a large file): I believe that those tools are more a PoC than real production tools…
Hashing a large file works now. However, hashing a large file with the TPM is sub-optimal, as performance is terrible. You would be better off hashing it off TPM if software hashing routines are available.
The tools have recently been getting some love, along with other parts of the stack, so they are becoming more usable, with better docs.
Hey Shankar, thanks! I am working on something that could be very interesting to you 🙂
Unfortunately this is going to take some time because of the needed paperwork. But please stay tuned!
Ho Vivek,
sorry for the late reply.
Yes, of course it is possible. I have never tried with tpm2.0-tools, but I believe you can use tpm2_rsadecrypt.
There are two caveats, tho:
1) you can encrypt/decrypt only blocks as large as the RSA key (e.g. 1024): you need to split your data in chunks of that size and apply the encryption to each of them. This has also security implication, mind your padding 🙂 ;
2) TPMs (regardless of the version) are slow.
For these reasons, you might want to use envelope encryption: select a symmetric algorithm (e.g. AES-128-CTR), generate a random key for it, encrypt your data with it, encrypt your symmetric key with the public key generated by the TPM. Send encrypted key and ciphertext.
On the other side, decrypt the symmetric key using the TPM (e.g. with tpm2_rsadecrypt), and use it to decrypt your ciphertext.
Hi Dguerri,
First of all, this is an awesome post. thanks.
After having the EK and AIK generated, how can I delete the already written keys from the TPM?
Which TSS2 tool can show this sort of usage?
Regards,
andras
Hi Dguerri,
Cool post! Hat off!
I am facing some problem with
tpm2_sign -k 0x81010010 -g 0x000B -m message.txt -s sign.bin -t ticket.bin.
Ticket is successfully generated, persistent handle is available(also digest,in_scheme…etc ), but strangely the signature wont be created.
Q1: If I would like to use the persistent keyhandle, as you have shown, do I have to load the key by either Tss2_sys_load or Tss2_sys_Contextload into the TPMRam from the NVRam, or not neccesary?
Q2: How can I figure it out the none success return value of the Tss2_sys_Sign? I got 0x921, but I find a bit difficult to resolve what the failure cause is.
Thanks for your help in advance!
Regards,
Oliver
Hi Oliver,
2., use rc-decoder module from tools, so that you will get the real cause in readable format.
1., try dictionary lock reset. See Github wiki among the close tickets.
Cheers,
Andras
Hi, I used the TPM trousers API to generate the key pair. I gives out the pub key in a raw binary format. I tried out these steps on that public key, but I get an error
openssl pkey -inform der -outform pem -pubin -in key.der -out key.pem
unable to load Public Key
Can’t remember the details right now, but TPMT_PUBLIC should be fixed size, at least up to the part we are interested in. Types are here: https://tinyurl.com/ybq8kjd6
It’s been some years, but maybe this will still help someone else. I ran into the same issue: openssl refused to load the “key.der” produced by the recipe above.
I was able to work around it by doing “tpm2_readpublic -H 0x81010010 -f pem -o key.pem” instead.
I’m testing with out of the box CentOS 7, which means openssl-1.0.2k, tpm2-tools-3.0.4.
Excellent post. thx you.
I have a problem.
Is it possible to decrypt a message which is encrypted using attestation public key (AIK)?
i try this
===========================================================================
$ echo “test…test” > encrypt.txt
$ openssl rsautl -encrypt -inkey key.pem -pubin -in encrypt.txt -out encrypt.dat
$ tpm2_rsadecrypt -k 0x81010010 -I encrypt.dat -o out_decrypt.txt
console out :
rsaDecrypt failed, error code: 0x12f
$ tpm2_rc_decode 0x12f
console out :
error layer
hex: 0x0
identifier: TSS2_TPM_ERROR_LEVEL
description: Error produced by the TPM
format 0 error code
hex: 0x2f
name: TPM_RC_AUTH_UNAVAILABLE
description: authValue or authPolicy is not available for selected entity.
===========================================================================
Did I miss anything?
Hi Ji-Hun,
So if you work off of my current branch here, the below examples will work:
# create an EK
tpm2_createek -H 0x81010000 -f pem -p ek.pub
# create an AK
tpm2_createak -E 0x81010000 -k 0x81010010 -f pem -p ak.pub -n ak.name
# create some data to encrypt
echo “test…test” > encrypt.txt
# Encrypt the data with the AK public key
openssl rsautl -encrypt -inkey ak.pub -pubin -in encrypt.txt -out encrypt.dat
# Try and decrypt it with the AK private key
tpm2_rsadecrypt -k 0x81010010 -I encrypt.dat -o out_decrypt.txt
ERROR: Tss2_Sys_RSA_Decrypt(0x182) – tpm:handle(1):inconsistent attributes
ERROR: Unable to run tpm2_rsadecrypt
# NOW try with the EK
# Encrypt the data with the EK public key
openssl rsautl -encrypt -inkey ek.pub -pubin -in encrypt.txt -out encrypt.dat
# Try and decrypt it with the EK private key
$ tpm2_rsadecrypt -k 0x81010000 -I encrypt.dat -o out_decrypt.txt
ERROR: Tss2_Sys_RSA_Decrypt(0x12F) – tpm:error(2.0): authValue or authPolicy is not available for selected entity
Both of these error codes make sense, when you look at the attributes:
tpm2_listpersistent
– { persistent-handle: 0x81010000, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy|restricted|decrypt }
– { persistent-handle: 0x81010010, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|sign }
The AK (0x81010010) returns an “attribute error” due to the fact that the “encrypt” attribute is not set.
The EK (0x81010000) returns an “auth error” due to the fact that the “userWithauth” attribute is not set:
The bits mean:
userWithauth: If this attribute is CLEAR, then HMAC or password authorizations may not be used for USER role
authorizations
adminWithPolicy: If this attribute is SET, then then HMAC or password authorizations may not be used for ADMIN role authorizations.
Section 8.3.3 of https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf details these attribute bits.
I tried some quick hacks to twiddle these attribute bits, but couldn’t get the create call to pass in tpm2_createak. I am not sure what that “auth policy” is, but with adminwithpolicy set makes me assume that plays into the equation.
Hi ji-hun,
I found that the data encrypted using EK cannot be used to decrypt using tmp2_decrypt command. You can use only the keys with tpm2_decrypt which are created using tpm2_createprimary. If you want to use EK for decrypting small data (equal to size of the key), you have to also create AK and use tpm2_makecredential to encrypt and tpm2_activatecredential to decrypt the payload.
So in my use case, I exported the EK and AK public key, decrypted the original data with a symmetric key (as suggest by Dguerri), encrypted the symmetric key using tpm2_makecredential (you have to use TPM2 simulator incase the server on which you are encrypting the data doesn’t have TPM2 chip), decrypted the symmetric key at the targer using tpm2_activatecredential and used the resultant key to decrypt the actual data.
I had used the older version of the tools, so I am not aware if there is any change in the latest version for tpm2 tools.
Regards,
Vivek
Few correction in the above reply.
decrypted the original data with a symmetric key (as suggest by Dguerri), -> encrypted the original data with a symmetric key (as suggest by Dguerri)
i integrated slb 9670 with msp430 16 bit controller , which does not support linux. my task is to store keys in slb9670 chip,please help me , how to start the process. iam unable to understand ?
As a note- I am trying to use this to do the reverse process. I am starting with .pem keys from OpenSSL and converting them to keys that can be loaded into the TPM. If you have any advice on this, that would be awesome!
Hi, thanks for this great resource. Is it possible to generate RSA or ECC keys of different sizes? what is the TPM 2.0 command for that? I got an error each time I tried to encrypt a file with a size larger than 256 Byte with RSA keys in my TPM 2.0. Is there any way to countermeasure this constrain?
Thanks!
Mohamed
dguerri blog 
Great post! Seriously useful stuff… thanks!
LikeLiked by 1 person
Thanks Peter!:) Let me know if you are interested in more stuff on TPMs!
LikeLike
I found your explanations clear, and the examples relevant and practical. I would love to see the follow up to this post, mentioned in your conclusion… i.e. how to decrypt a message w/ the TPM, which was encrypted with a TPM derived public key.
Cheers!
LikeLiked by 1 person
Add me as someone who is interested. On my server I have recently installed a TPM2.0 module, and I’ve never done anything with TPM before, it is a lot to cover. Currently I’m learning more about TXT, but the terminology is all so foreign to me, even though I have a lot of experience with Linux. So keep them coming, this was a very nice post that will probably be helpful in the future! Cheers! Thank you for writing it.
LikeLike
I agree with the all the previous comments. This blog is very useful. There is not much practical documentation on TPM2 out there and I am glad to find this one. Now, I have a way to convert the ek.pub to something that can be parsed by openssl. This is neat stuff. Do you by any chance have examples of how to get the EK certificate from the Infineon SLB9665 tpm2.0 chip and have that parsed by openssl? Thanks!
LikeLike
I am not sure what’s the point of the tickets. My understanding is that a ticket proves an object has been generated by the TPM. In our case, does the ticket contain the hash or just a proof the hash has been generated by TPM? Actually, I don’t understand this part
** Let’s sign the HASH using ticket.bin as the authorisation token and the AIK with persistent handle 0x81010010: **
** ~# tpm2_sign -k 0x81010010 -g 0x000B -m message.txt -s sign.bin -t ticket.bin **
I guess the ticket contains both the message and a proof the hash has been created IN the TPM, otherwise we would use hash.bin
LikeLiked by 1 person
Hello Hello!
Tickets contain an HMAC calculated on some data.
From “A Practical Guide to TPM 2.0”:
In our case, the ticket is (most probably) calculated on the generated hash and it is using the aforementioned secret.
tpm2_signjust uses the message to recalculate the hash (see tpm2_sign.cpp). It could just take in input the hash itself.. yes that’s somewhat confusing: basically we calculate the hash withtpm2_hash, but then we discard the calculated hash and we just use the ticket 🙂Hope it helps!
LikeLike
And, yes, it doesn’t make any sense as you should be able to just use tpm2_sign to get a signature of a message.
There are a lot of weird things/limitations in tpm2 tools (for instance try to calculate the hash of a large file): I believe that those tools are more a PoC than real production tools…
LikeLike
Thanks for the answers. It’s much clearer now, and it reassures me that you find some things weird.
LikeLiked by 1 person
Hashing a large file works now. However, hashing a large file with the TPM is sub-optimal, as performance is terrible. You would be better off hashing it off TPM if software hashing routines are available.
The tools have recently been getting some love, along with other parts of the stack, so they are becoming more usable, with better docs.
LikeLiked by 1 person
Hi Dguerri
Excellent post. Thanks. Helped me a lot in my work. Anxiously waiting for your next article on message decryption. When is it coming?
LikeLike
Hey Shankar, thanks! I am working on something that could be very interesting to you 🙂
Unfortunately this is going to take some time because of the needed paperwork. But please stay tuned!
LikeLike
Hi Dguerri,
Found this article very useful.
Is it possible to decrypt a message which is encrypted using attestation public key (AIK)?
Regards,
Vivek
LikeLike
Ho Vivek,
sorry for the late reply.
Yes, of course it is possible. I have never tried with tpm2.0-tools, but I believe you can use
tpm2_rsadecrypt.There are two caveats, tho:
1) you can encrypt/decrypt only blocks as large as the RSA key (e.g. 1024): you need to split your data in chunks of that size and apply the encryption to each of them. This has also security implication, mind your padding 🙂 ;
2) TPMs (regardless of the version) are slow.
For these reasons, you might want to use envelope encryption: select a symmetric algorithm (e.g. AES-128-CTR), generate a random key for it, encrypt your data with it, encrypt your symmetric key with the public key generated by the TPM. Send encrypted key and ciphertext.
On the other side, decrypt the symmetric key using the TPM (e.g. with
tpm2_rsadecrypt), and use it to decrypt your ciphertext.LikeLike
Hi Dguerri,
First of all, this is an awesome post. thanks.
After having the EK and AIK generated, how can I delete the already written keys from the TPM?
Which TSS2 tool can show this sort of usage?
Regards,
andras
LikeLike
Hi Andras,
thanks!
To delete persistent objects, just use evictcontrol:
[root@tpm2-test tpm2.0-tools]# tpm2_listpersistent1 persistent objects defined.
0. Persistent handle: 0x81010001
{
Type: 0x1
Hash algorithm(nameAlg): 0xb
Attributes: 0x604b2
}
[root@tpm2-test tpm2.0-tools]# tpm2_evictcontrol -H 0x81010001 -S 0x81010001 -A o
persistentHandle: 0x81010001
[root@tpm2-test tpm2.0-tools]# tpm2_listpersistent
0 persistent objects defined.
LikeLike
Hi Dguerri,
Cool post! Hat off!
I am facing some problem with
tpm2_sign -k 0x81010010 -g 0x000B -m message.txt -s sign.bin -t ticket.bin.
Ticket is successfully generated, persistent handle is available(also digest,in_scheme…etc ), but strangely the signature wont be created.
Q1: If I would like to use the persistent keyhandle, as you have shown, do I have to load the key by either Tss2_sys_load or Tss2_sys_Contextload into the TPMRam from the NVRam, or not neccesary?
Q2: How can I figure it out the none success return value of the Tss2_sys_Sign? I got 0x921, but I find a bit difficult to resolve what the failure cause is.
Thanks for your help in advance!
Regards,
Oliver
LikeLike
Hi Oliver,
2., use rc-decoder module from tools, so that you will get the real cause in readable format.
1., try dictionary lock reset. See Github wiki among the close tickets.
Cheers,
Andras
LikeLiked by 1 person
Hi, I used the TPM trousers API to generate the key pair. I gives out the pub key in a raw binary format. I tried out these steps on that public key, but I get an error
openssl pkey -inform der -outform pem -pubin -in key.der -out key.pem
unable to load Public Key
Any idea why?
Thanks !
LikeLiked by 1 person
Not all the keys have the modulus in the same place. Hexdump the ak.pub file and the 256 bytes that follow “0000 0100” are the modulus.
LikeLike
Can’t remember the details right now, but TPMT_PUBLIC should be fixed size, at least up to the part we are interested in. Types are here: https://tinyurl.com/ybq8kjd6
LikeLike
It’s been some years, but maybe this will still help someone else. I ran into the same issue: openssl refused to load the “key.der” produced by the recipe above.
I was able to work around it by doing “tpm2_readpublic -H 0x81010010 -f pem -o key.pem” instead.
I’m testing with out of the box CentOS 7, which means openssl-1.0.2k, tpm2-tools-3.0.4.
LikeLiked by 1 person
Excellent post. thx you.
I have a problem.
Is it possible to decrypt a message which is encrypted using attestation public key (AIK)?
i try this
===========================================================================
$ echo “test…test” > encrypt.txt
$ openssl rsautl -encrypt -inkey key.pem -pubin -in encrypt.txt -out encrypt.dat
$ tpm2_rsadecrypt -k 0x81010010 -I encrypt.dat -o out_decrypt.txt
console out :
rsaDecrypt failed, error code: 0x12f
$ tpm2_rc_decode 0x12f
console out :
error layer
hex: 0x0
identifier: TSS2_TPM_ERROR_LEVEL
description: Error produced by the TPM
format 0 error code
hex: 0x2f
name: TPM_RC_AUTH_UNAVAILABLE
description: authValue or authPolicy is not available for selected entity.
===========================================================================
Did I miss anything?
LikeLike
Hi Ji-Hun,
So if you work off of my current branch here, the below examples will work:
# create an EK
tpm2_createek -H 0x81010000 -f pem -p ek.pub
# create an AK
tpm2_createak -E 0x81010000 -k 0x81010010 -f pem -p ak.pub -n ak.name
# create some data to encrypt
echo “test…test” > encrypt.txt
# Encrypt the data with the AK public key
openssl rsautl -encrypt -inkey ak.pub -pubin -in encrypt.txt -out encrypt.dat
# Try and decrypt it with the AK private key
tpm2_rsadecrypt -k 0x81010010 -I encrypt.dat -o out_decrypt.txt
ERROR: Tss2_Sys_RSA_Decrypt(0x182) – tpm:handle(1):inconsistent attributes
ERROR: Unable to run tpm2_rsadecrypt
# NOW try with the EK
# Encrypt the data with the EK public key
openssl rsautl -encrypt -inkey ek.pub -pubin -in encrypt.txt -out encrypt.dat
# Try and decrypt it with the EK private key
$ tpm2_rsadecrypt -k 0x81010000 -I encrypt.dat -o out_decrypt.txt
ERROR: Tss2_Sys_RSA_Decrypt(0x12F) – tpm:error(2.0): authValue or authPolicy is not available for selected entity
Both of these error codes make sense, when you look at the attributes:
tpm2_listpersistent
– { persistent-handle: 0x81010000, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy|restricted|decrypt }
– { persistent-handle: 0x81010010, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|sign }
The AK (0x81010010) returns an “attribute error” due to the fact that the “encrypt” attribute is not set.
The EK (0x81010000) returns an “auth error” due to the fact that the “userWithauth” attribute is not set:
The bits mean:
userWithauth: If this attribute is CLEAR, then HMAC or password authorizations may not be used for USER role
authorizations
adminWithPolicy: If this attribute is SET, then then HMAC or password authorizations may not be used for ADMIN role authorizations.
Section 8.3.3 of https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf details these attribute bits.
I tried some quick hacks to twiddle these attribute bits, but couldn’t get the create call to pass in tpm2_createak. I am not sure what that “auth policy” is, but with adminwithpolicy set makes me assume that plays into the equation.
LikeLike
Hi ji-hun,
I found that the data encrypted using EK cannot be used to decrypt using tmp2_decrypt command. You can use only the keys with tpm2_decrypt which are created using tpm2_createprimary. If you want to use EK for decrypting small data (equal to size of the key), you have to also create AK and use tpm2_makecredential to encrypt and tpm2_activatecredential to decrypt the payload.
So in my use case, I exported the EK and AK public key, decrypted the original data with a symmetric key (as suggest by Dguerri), encrypted the symmetric key using tpm2_makecredential (you have to use TPM2 simulator incase the server on which you are encrypting the data doesn’t have TPM2 chip), decrypted the symmetric key at the targer using tpm2_activatecredential and used the resultant key to decrypt the actual data.
I had used the older version of the tools, so I am not aware if there is any change in the latest version for tpm2 tools.
Regards,
Vivek
LikeLike
Few correction in the above reply.
decrypted the original data with a symmetric key (as suggest by Dguerri), -> encrypted the original data with a symmetric key (as suggest by Dguerri)
LikeLike
Forgot to leave the branch: https://github.com/williamcroberts/tpm2.0-tools/tree/openssl-format
LikeLike
i integrated slb 9670 with msp430 16 bit controller , which does not support linux. my task is to store keys in slb9670 chip,please help me , how to start the process. iam unable to understand ?
LikeLike
Brilliant!
LikeLiked by 1 person
As a note- I am trying to use this to do the reverse process. I am starting with .pem keys from OpenSSL and converting them to keys that can be loaded into the TPM. If you have any advice on this, that would be awesome!
LikeLike
Hi, thanks for this great resource. Is it possible to generate RSA or ECC keys of different sizes? what is the TPM 2.0 command for that? I got an error each time I tried to encrypt a file with a size larger than 256 Byte with RSA keys in my TPM 2.0. Is there any way to countermeasure this constrain?
Thanks!
Mohamed
LikeLike