The general idea of this test case is the following: We will seal a piece of data using TPM and try to unlock it from TrustedGrub2. Every time I try to unseal the key I get a TCG_PassThroughFail: 0xc0000 error.
The test is as follows:
Download VirtualBox or VMWare
Download Ubuntu 16.04 (http://releases.ubuntu.com/16.04/ubuntu-16.04.2-desktop-amd64.iso)
Install the OS
sudo apt-get update
sudo apt-get install build-essential automake autopoint libtool libtspi-dev bison flex git
wget https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2/archive/1.4.0.tar.gz
tar xzf 1.4.0.tar.gz
cd TrustedGRUB2-1.4.0/
export INSTALL_DIR=/path/to/install_dir
./autogen.sh
./configure --prefix=$INSTALL_DIR --target=i386 -with-platform=pc
make CPPFLAGS=-DTGRUB_DEBUG && make install
If everything goes well we should have a file called grub-install under $INSTALL_DIR/sbin/
I installed TrustedGrub2 onto a USB stick using the following command:
sudo $INSTALL_DIR/sbin/grub-install --directory=$INSTALL_DIR/lib/grub/i386-pc /dev/sdb ; # device name may be different in your case
Build tpm-tools and take TPM ownership
I used Ubuntu 16.04 running on the machine on which we want to seal/unseal a key.
Clear and enable TPM (from BIOS)
Boot the OS
sudo apt-get update
sudo apt-get install git
git clone https://github.com/shpedoikal/tpm-tools.git
cd tpm-tools
git checkout tpm-sealdata-raw  # checking out this branch is very important because it adds the -r option to tpm_sealdata
sudo apt-get install automake autoconf libtool gettext trousers trousers-devel libtspi-dev autopoint  # link to instructions: https://github.com/shpedoikal/tpm-tools
sh ./bootstrap.sh
export TPM_DIR=/path/to/tpm_build_dir
./configure --prefix=$TPM_DIR
make && make install
$TPM_DIR/sbin/tpm_takeownership -y -z
$TPM_DIR/sbin/tpm_setenabled --enable -z
$TPM_DIR/sbin/tpm_setactive -z
Create a key
echo "TPM UNSEAL FROM GRUB" > /tmp/key
# seal the key now that we own the TPM using PCRs 8 and 9
$TPM_DIR/bin/tpm_sealdata -p 8 -p 9 -z -r -i /tmp/key -o /tmp/key.enc
If everything goes well we should have a sealed key named ‘/tmp/key.enc’.
We should now copy the sealed key to a place that we can access from TrustedGrub2. I copied /tmp/key.enc to the root of the USB drive on which we installed TrustedGrub2.
Reboot the system and boot it using the newly created image. Press ‘c’ in the TrustedGrub2 menu. Execute the following command from the grub menu:
grub> unseal /root/key.enc
I always get an error after this step
TCG_PassThroughFail: 0xc0000
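Added example, not part of the original issue or of either project: `tpm_sealdata -p 8 -p 9` binds the blob to the values PCRs 8 and 9 hold when it runs, so one check worth having is whether those registers hold the same values in the boot where the unseal is attempted. The Python below compares two PCR snapshots; it assumes the one-line-per-register text format of the Linux TPM 1.2 sysfs `pcrs` file under /sys/class/tpm/tpm0/ (its exact location varies by kernel version), and every function name and sample value is constructed for illustration.

```python
import hashlib
import re

# One register per line, e.g. "PCR-08: 3A 3F ..." with 20 bytes (SHA-1 bank).
PCR_LINE = re.compile(r"^PCR-(\d{2}):((?: [0-9A-Fa-f]{2}){20})$")
RESET = bytes(20)  # PCRs 8 and 9 read all zeroes until something is extended


def parse_pcrs(text):
    """Return {index: 20-byte value}; malformed lines are ignored."""
    pcrs = {}
    for line in text.splitlines():
        m = PCR_LINE.match(line.strip())
        if m:
            pcrs[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pcrs


def check_policy(seal_text, boot_text, selected=(8, 9)):
    """List (index, reason) for each selected PCR that would break or weaken the seal."""
    sealed, booted = parse_pcrs(seal_text), parse_pcrs(boot_text)
    problems = []
    for i in selected:
        if i not in sealed or i not in booted:
            problems.append((i, "missing from a snapshot"))
        elif sealed[i] != booted[i]:
            problems.append((i, "differs between seal time and unseal boot"))
        elif sealed[i] == RESET:
            problems.append((i, "still at reset value, nothing measured"))
    return problems


def fmt(index, value):
    """Render one register in the assumed snapshot format."""
    return "PCR-%02d: %s" % (index, " ".join("%02X" % b for b in value))


# Constructed sample snapshots (not real measurements).
_A = hashlib.sha1(b"constructed value A").digest()
_B = hashlib.sha1(b"constructed value B").digest()
SEAL_TIME = "\n".join([fmt(8, RESET), fmt(9, _B)])
BOOT_TIME = "\n".join([fmt(8, _A), fmt(9, _B)])

if __name__ == "__main__":
    for index, reason in check_policy(SEAL_TIME, BOOT_TIME):
        print("PCR %d: %s" % (index, reason))
```

An empty result means the selected registers match and have been extended; it does not by itself explain the `TCG_PassThroughFail` code reported above.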