Conversation

Jarkko Sakkinen

While developing asymmetric TPM2 keys, and reviewing TPM bus encryption earlier, I came to realize that both tpm2-tools and ibmtss feel unintuitive.

So I started to seek whether someone had ever backed up my old tpm2-scripts, from which kselftest was inherited. I did not have any repo for that one anymore.

With Google I luckily found a backup from the GitHub profile of @colinianking, so thank you for that. Then I just copied over the latest version of just tpm2.py (a GPL/BSD dual-licensed file).

There will probably be some incompatibility issues between the old scripts and the updated main module (fewer than 10 updates in its total lifetime tho), but I will fix them as soon as I need to test anything.

Anyway, a new and to-be-lean TPM2 hacking tool has been initiated: tpm2ctl (there’s not even a file of that name yet, but there definitely will be at some point ;-)).

URL: https://gitlab.com/jarkkojs/tpm2ctl

@colinianking One tool that I missed most is the error decoder, which can show the constant name, something I've been unsuccessful with using other options ;-) Contributions are welcome, but I might relicense the code base as MIT.

So the first goal would be to make this dump into two commands:

tpm2_createprimary --hierarchy o -G ecc -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
openssl ecparam -name prime256v1 -genkey -noout -out private.pem
tpm2_import -C 0x81000001 -G ecc -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der

The idea is to make it more of a use-case-oriented tool rather than one that maps the protocol as “plumbing” commands.

Also, this will purposely be bound to Linux, at least for now. E.g. it should be able to interact directly with the kernel keyring.
@colinianking [noticed your reaction] so I started to work on this before taking four weeks off during July, and this is the angle: https://codeberg.org/jarkko/tpm2_library

I'm planning to first get all features of tpm2-scripts into it and then add those key generation functionalities. Rust felt like a natural choice because it is like the "Java of system programming", i.e. I can get OpenSSL functionality, for instance, by doing cargo add for the crate containing the libssl bindings and writing a few lines of code :-)

There is also tpm-rs, endorsed by TCG, but after looking at it a bit I thought that it is yet another TPM stack that makes a simple problem more complex than it should be. It did not feel lean and mean enough for kernel testing.