I created a cheat sheet of my accumulated custom shortcuts in vim using typst. i'm going to maintain this and capping custom shortcuts to fit into single A4 helps to make sure that things don't get too complicated :-)

tpm2sh 0.15.0 compiles the policy commands to the DER payload.

Crypto has been migrated to OpenSSL for sake of allowing to be (or delegating the policy of being) FIPS compatible, and making crypto patchable.

#linux #kernel #tpm #openssl #rustlang

tpm2sh 0.12.3 loads and processes multi-level ancestor chains correctly, policy expressions have now a more stable manually implemented custom-built parser.

https://crates.io/crates/tpm2sh/0.12.3

#linux #tpm #rustlang

Noteworthy in this is the implict parent discovery without having to specify parent when loading keys :-) It recursively loads always the whole hierarchy where parent key is discovered either among persistent keys or cache.

#linux #kernel #tpm

@lkundrak

After starting this work one Sunday on August and ~13000 lines of new Rust code after that, this is the first release where I don't have any catastrophical bugs to resolve, or have personally any immediate needs :-)

https://crates.io/crates/tpm2sh

#linux #rustlang #tpm

tpm2sh policy has now more inituitive infix expressions :-) [learning nom by trial and error]

policies:

Refined the interface of offloaded objects:

1. Objects resident/loaded in TPM: tpm:
2. Offloaded objects: vtpm:

Thus, I removed also "key" and "session" subcommands and introduced "virtual" subcommand.

#linux #tpm #rustlang

tpm2sh 0.11.16

This is the release where things mostly work and is first usable version for wider audience than just me.

Functionality is focused on key management and it is quite limited on operations.

That said, it the most important functionalities, and most difficult to implement, in place:

1. Implicit creation of HMAC sessions to protect communication, and hiding its complexity . It is still a stub as parameter encryption is not in place but the mechanism is working correctly.
2. Key management including direct support for PKCS#1, PKCS#8 and SEC1 external keys with custom parsers so that dependencies are light for e.g., BuildRoot embedded/VM targets. 3, Seamless over-subscription with key context cache (in ~/.cache/tpm2sh). Detects stale contexts from previous power cycles. “Cache keys” can be referred bit “key:<hex grip>” type of “URI”, where grip is 8 bytes of the key’s name hash.
3. Seamless policy sessions with policy command, which can output both composite digest and session handle.
4. Intuitive way to download vendor certificates from the chip.
5. Full support for the TPMKey ASN.1 format, which is what kernel speaks.

Adding signing etc. ops would have been worse mistake to do before getting this basis right.

It’s not aiming to do all what tpm2-tools does but more like do stuff that I want to do and implementing that as a command-line tool :-) I.

#linux #kernel #tpm #rustlang #buildroot

@andrew fixed since

known argument parsing bug but downloading certs does work :-)

tpm2sh 0.11: https://crates.io/crates/tpm2sh/0.11.0

cli philosophy, which I should document to README.md, is that no nested subcommands thank you. That constraint enforces to do efficient subcommand design (IMHO).

#linux #kernel #tpm

had my favorite breakfast at morning i.e. karelian pies with egg butter :-) only think that would add up to this would some cold-cured salmon

my shitty buildroot kernel testing environment keeps improving as the years pass like a good wine ;-)

#buildroot

and what this gives is factors better debugging environment to fix the remaining external key import issue :-) swtpm dump in the top split

yay, now tpm2sh has software digest calculator for policy expressions (which can query e.g. PCR values but does not exercise policy tpm commands), the remaining errata is not a huge stretch:

https://github.com/puavo-org/tpm2sh/issues/2

Many of the things are just minor collapses while turning this over and over again. Sessions need still a bit of work but lot of the functionality is already there...

I'd like to add quote generation etc. for Remote Attestation purposes but it is definitely out of scope and better just to stabilize the command set.

Sessions are represented like this (to be cosmetic tweaked in some places):

session://handle=0x02000000;nonce=135eac83db00e0c691fba1653405e79f8f285964e18add0488337fc7caf90606;attrs=00;key=;alg=sha256

And there's already `--session` argument but further I'll add an environment variable TPM2SH_SESSION, which command not only read but also update (to enable chaining e.g., nonce needs to be updated).

The general gist and main goal of the command set and "command-line experience" is to enable both user interactive experience and also TPM2 access for shell implemented tools such as password managers.

Load loads both external PKCS#8 and TPM ASN.1. Convert command converts PKCS#8 to TPM ASN.1.

So instead of this:

tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
openssl genrsa -out private.pem 2048
tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der

You can just:

tpm2sh create-primary rsa:2048:sha256 --output file://owner.txt
openssl genrsa -out private.pem 2048
tpm2sh convert --parent "tpm://0x81000001" file://private.pem --output file://key.priv.der

#linux #rust #tpm

two fun facts about kiova and tampere:

1. last year it was 70th anniversary of twin town friendship between tampere and kiova (tampere is my hown town).
2. kiova has a street called "tampere", which was named in 2014 to celebrate 60th anniversary of friendship, which has lasted well over its "soviet origins".

my generation does not know what it is like to be at war obviously and it would be obnoxious to say that "i get it" when it comes to war at ukraine. however, we owe to our grandparents to not forget, not make compromises and generally not to be ignorant of the situation.

🇺🇦 🇫🇮

The current feature set of upcoming tpm2sh 0.11. It’s quite basic but everything is tested with care and e.g., load does all the import dance for PKCS8 RSA and ECC keys without having to mess with openssl command line. I.e. single robust load command instead of:

tpm2_createprimary --hierarchy o -G ecc -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
openssl ecparam -name prime256v1 -genkey -noout -out private.pem
tpm2_import -C 0x81000001 -G ecc -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der

And generally flows are somewhat polished and will be polished further before released to not have any rough corners. Finally most of non-trivial functionality is tested against built-in TPM emulator MockTPM.

Sometime after 0.11 release I’ll add also --dry-run switch that can exercise TPM commands with the emulator before applying them to the chip.

#linux #rust #tpm