Comments (4)
dgarske
commented on August 24, 2024
1
Support for XOR parameter encryption was merged via #PR #122. AES CFB mode and keygen example are next.
from wolftpm.
tomoveu
commented on August 24, 2024
Quick update (this is the short version)
Had a "fun" tiny bug on the XOR symmetric attributes that made me sweat. Once solved, I figured out how to use unbounded, unsalted session for XOR parameter encryption. Turns out the logical first choice is the one with most specifics....
TCG Spec, Part 1
Chapter 21.2
the XOR obfuscation is (parameter, hashAlg, sessionValue, nonceNewer, nonceOlder)
Chapter 21.1
If the session is not being used for authorization, sessionValue is sessionKey.
Chapter 19.6.8
the sessionKey is Empty buffer when tpmKey and bind are TPM_RH_NULL (i.e unbounded, unsalted session).
So, if we have an empty buffer and no shared secret, how do we have parameter encryption? Well, see below ...
Chapter 19.6.9
A session started using this format (unbound, unsalted) can be used for parameter encryption while executing TPM
commands. However, during these commands, the key used to encrypt the parameter will only use the
authValue of the object being accessed by the commands in the key generation, so the strength of the
encryption will be no better than the entropy in the authValue of the object.
Back to Chapter 19.6.8 we find
sessionKey β KDFa(sessionAlg, (authValue || salt), βATHβ , nonceTPM, nonceCaller, bits)
and later clarifies
authValue if bind is not TPM_RH_NULL,
a TPM2B_AUTH.buffer that is found in the sensitive area of a TPM entity;
otherwise, an Empty Buffer
Also, the tradeoff now becomes obvious, but funny it is briefly mentioned on one single place. This is the result of extensive digging into the TCG Spec until I find the answers. Unbounded & unsalted session is supposed to be the simplest one, yet it is also the one with most specifics to get parameter encryption(surprisingly).
Anyways, both big challenges are solved - TPM session and SessionKey. I just need to use the KDFa and replace the parameter with the encrypted buffer. I will try to use your KDFa port @dgarske with Woflcrypt. Hopefully, no new surprises arise and next week I am done with the XOR. And I move to the CFB/AES :)
Cheers,
Dimi
from wolftpm.
tomoveu
commented on August 24, 2024
Solving the parameter encryption issue found #129 before continuing with the addition of AES CFB
I expect 129 will be solved soon and we would have PR for AES CFB next week.
from wolftpm.
tomoveu
commented on August 24, 2024
Thanks to great teamwork, full parameter encryption support is now added to wolfTPM by #129.
Kudos @dgarske π― Very hard work at the end, with deep core redesign of wolfTPM to support HMAC sessions and full parameter encryption.
Looking forward to wolfTPM's major release π₯
from wolftpm.
Related Issues (20)
- I2C driver for Nuvoton NPCT75x TPM2.0 module HOT 6
- Add a TPM signature verifier example
- Can't clear TPM chip HOT 2
- git commit fails even though no change was made HOT 3
- Build errors
- wolftpm C# wrapper needs to implement IDisposable instead of using Finalizer. HOT 2
- Error handling in C# wrapper HOT 2
- Fix the maximum clock speed for SLB9672
- wolfTPM is not thread-safe (`gActiveTPM` ought to be a thread-local) HOT 5
- Add more examples: TPM2_ActivateCredential() HOT 1
- Software-only implementations of TPM2_Duplicate() and TPM2_MakeCredential() HOT 1
- Response to TCG TPM2.0 Errata ID: TCGVRT0007 and CVE-2023-1017 and CVE-2023-1018 HOT 1
- How to go through wolfTPM2_Init with gdb HOT 7
- Building in MSYS2: undefined reference to `__imp_wolfSSL.._ HOT 10
- keygen -rsa -eh failed with TPM_RC_BAD_AUTH HOT 7
- Stuck in TPM2_Startup(&startupIn) function HOT 11
- Windows/WSL Problem with .git/hooks/pre-commit zero-length file
- Is 1,000,000 a reasonable value for TPM_TIMEOUT_TRIES? HOT 2
- P-256K1 support in the TCG standards HOT 7
- Support of tpmrmX interface HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wolftpm.