tpm2_encryptdecrypt won't work on Infineon TPM2.0 SLB9670 chip #407

Closed
liuqun opened this issue Aug 16, 2017 · 6 comments

Comments


liuqun commented Aug 16, 2017

tpm2_encryptdecrypt won't work on Infineon TPM2.0 SLB9670 chip

For example:

$ sudo tpm2_encryptdecrypt -k 0x81010001 -P abc123 -D NO -I a.txt -o b.txt
ERROR: EncryptDecrypt failed, error code: 0x143
$ /usr/local/sbin/tpm2_rc_decode 0x143
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 0 error code
  hex: 0x43
  name: TPM_RC_COMMAND_CODE
  description: command code not supported

TPM Rev 2.0 Part 3: Commands - Chapter 15 says:

  • TPM2_EncryptDecrypt2() is identical to TPM2_EncryptDecrypt(), except that the inData parameter is the first parameter. This permits inData to be parameter encrypted.
  • TPM2_EncryptDecrypt() is deprecated, and TPM2_EncryptDecrypt2() is preferred.

I also posted a related issue to TPM2.0-TSS, see: tpm2-software/tpm2-tss#506
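An added example, not part of this issue and not tpm2-tools code, that decodes a TSS2/TPM response code such as the 0x143 above into its layer, format and name, following the TPM_RC bit layout from Part 2 of the TPM 2.0 Library specification. The name tables are a subset of the specification's; only layer 0 is named (as tpm2_rc_decode prints it), and the sample codes other than 0x143 are constructed for illustration.

```python
"""Decoder for TPM 2.0 response codes in the style of tpm2_rc_decode.

Bit layout follows TPM 2.0 Library Part 2, section 6.6 (TPM_RC): bit 7
(RC_FMT1) selects format 1, where the error is tied to a handle, session or
parameter, over format 0. In a TSS2 stack bits 16-23 carry the software
layer that produced the code; layer 0 means the TPM itself.
"""
from dataclasses import dataclass

RC_FMT1 = 0x080   # format 1 indicator
RC_VER1 = 0x100   # format 0: code defined by TPM 2.0 (not TPM 1.2)
RC_VEND = 0x400   # format 0: vendor-defined code
RC_WARN = 0x800   # format 0: warning rather than error
RC_P = 0x040      # format 1: error concerns a parameter
RC_S = 0x800      # format 1, P clear: error concerns a session (else a handle)

# Subset of the names in Part 2, keyed by the low error number.
FMT0_ERRORS = {
    0x000: "TPM_RC_INITIALIZE", 0x001: "TPM_RC_FAILURE", 0x003: "TPM_RC_SEQUENCE",
    0x020: "TPM_RC_DISABLED", 0x021: "TPM_RC_EXCLUSIVE", 0x024: "TPM_RC_AUTH_TYPE",
    0x025: "TPM_RC_AUTH_MISSING", 0x026: "TPM_RC_POLICY", 0x027: "TPM_RC_PCR",
    0x042: "TPM_RC_COMMAND_SIZE", 0x043: "TPM_RC_COMMAND_CODE",
    0x044: "TPM_RC_AUTHSIZE", 0x045: "TPM_RC_AUTH_CONTEXT",
    0x046: "TPM_RC_NV_RANGE", 0x047: "TPM_RC_NV_SIZE",
}
FMT0_WARNINGS = {
    0x001: "TPM_RC_CONTEXT_GAP", 0x002: "TPM_RC_OBJECT_MEMORY",
    0x003: "TPM_RC_SESSION_MEMORY", 0x004: "TPM_RC_MEMORY",
    0x005: "TPM_RC_SESSION_HANDLES", 0x006: "TPM_RC_OBJECT_HANDLES",
    0x007: "TPM_RC_LOCALITY", 0x008: "TPM_RC_YIELDED", 0x009: "TPM_RC_CANCELED",
    0x00A: "TPM_RC_TESTING", 0x020: "TPM_RC_NV_RATE", 0x021: "TPM_RC_LOCKOUT",
    0x022: "TPM_RC_RETRY", 0x023: "TPM_RC_NV_UNAVAILABLE",
}
FMT1_ERRORS = {
    0x001: "TPM_RC_ASYMMETRIC", 0x002: "TPM_RC_ATTRIBUTES", 0x003: "TPM_RC_HASH",
    0x004: "TPM_RC_VALUE", 0x005: "TPM_RC_HIERARCHY", 0x009: "TPM_RC_MODE",
    0x00A: "TPM_RC_TYPE", 0x00B: "TPM_RC_HANDLE", 0x00E: "TPM_RC_AUTH_FAIL",
    0x012: "TPM_RC_SCHEME", 0x015: "TPM_RC_SIZE", 0x01B: "TPM_RC_SIGNATURE",
    0x01C: "TPM_RC_KEY", 0x01D: "TPM_RC_POLICY_FAIL", 0x01F: "TPM_RC_INTEGRITY",
    0x022: "TPM_RC_BAD_AUTH",
}


@dataclass
class DecodedRC:
    raw: int
    layer: int       # TSS2 layer number, 0 = produced by the TPM
    fmt: int         # 0 or 1
    name: str
    subject: str     # "parameter 1", "handle 2", "session 1"; "" for format 0
    warning: bool


def layer_name(layer: int) -> str:
    # Only layer 0 is named here, as the tool output above shows it; other
    # layers belong to TSS2 software components and are reported by number.
    return "TSS2_TPM_ERROR_LEVEL" if layer == 0 else f"TSS2 layer {layer}"


def decode_rc(rc: int) -> DecodedRC:
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    if code & RC_FMT1:
        num = code & 0x3F              # error number, bits 0-5
        n = (code >> 8) & 0x0F         # N field, bits 8-11
        if code & RC_P:
            subject = f"parameter {n}"
        elif code & RC_S:
            subject = f"session {n & 0x7}"
        else:
            subject = f"handle {n & 0x7}"
        name = FMT1_ERRORS.get(num, f"unknown format 1 error 0x{num:02x}")
        return DecodedRC(rc, layer, 1, name, subject, False)
    num = code & 0x7F                  # error number, bits 0-6
    if code & RC_VEND:
        name = f"vendor-specific code 0x{num:02x}"
    elif code & RC_WARN:
        name = FMT0_WARNINGS.get(num, f"unknown warning 0x{num:02x}")
    elif code & RC_VER1:
        name = FMT0_ERRORS.get(num, f"unknown format 0 error 0x{num:02x}")
    else:
        name = f"TPM 1.2 style code 0x{num:02x}"
    return DecodedRC(rc, layer, 0, name, "", bool(code & RC_WARN))


def describe(rc: int) -> str:
    d = decode_rc(rc)
    kind = "warning" if d.warning else "error"
    where = f" ({d.subject})" if d.subject else ""
    return (f"0x{rc:x}: layer {d.layer} {layer_name(d.layer)}, "
            f"format {d.fmt} {kind} {d.name}{where}")


if __name__ == "__main__":
    # 0x143 is the code from the report; the others are constructed samples
    # (auth failure on session 1, bad value in parameter 1, NV unavailable).
    for rc in (0x143, 0x98E, 0x1C4, 0x923):
        print(describe(rc))
```

The split between format 0 and format 1 is what tells you whether a failure is a property of the command as a whole (here: the command code itself is not implemented) or of one handle, session or parameter of an otherwise accepted command.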

@liuqun
Contributor Author

liuqun commented Aug 16, 2017

"sudo tpm2_dump_capability -c commands" shows none of these 2 command codes on my device:

  • 0x0164 TPM_CC_EncryptDecrypt
  • 0x0193 TPM_CC_EncryptDecrypt2

I guess that "tpm2_dump_capability -c commands" might have ignored the following 4 commands (which might exist in a hardware TPM chip):

  • 0x0190 TPM_CC_PolicyTemplate
  • 0x0191 TPM_CC_CreateLoaded
  • 0x0192 TPM_CC_PolicyAuthorizeNV
  • 0x0193 TPM_CC_EncryptDecrypt2

@webmeister
Contributor

TPM2_EncryptDecrypt is an optional command according to PTP, so you cannot expect any TPM to support it. The other commands that you mention were introduced with the TPM Library Specification 01.38, whereas your TPM probably implements version 01.16 (check TPM_PT_REVISION via TPM2_GetCapability), so there is no support for these commands either.

@williamcroberts
Member

@liuqun I don't see a bug here as it's lack of support by the hardware, if you agree please close.

@liuqun
Contributor Author

liuqun commented Aug 18, 2017

OK, I agree. By the way, I hope that in the future "tpm2_encryptdecrypt" will support using "TPM_CC_EncryptDecrypt2" as soon as this command code is available. Using "TPM_CC_EncryptDecrypt" may cause some security problems.

The "TPM_PT_REVISION" on my chip is "1.00"

$ sudo tpm2_dump_capability -c properties-fixed
TPM_PT_FAMILY_INDICATOR:
  as UINT32:                0x08322e3000
  as string:                "2.0"
TPM_PT_LEVEL:               0
TPM_PT_REVISION:            1.00
TPM_PT_DAY_OF_YEAR:         0x0000000f
TPM_PT_YEAR:                0x000007e0
TPM_PT_MANUFACTURER:        0x49465800
TPM_PT_VENDOR_STRING_1:
  as UINT32:                0x534c4239
  as string:                "SLB9"
TPM_PT_VENDOR_STRING_2:
  as UINT32:                0x36373000
  as string:                "670"
TPM_PT_VENDOR_STRING_3:
  as UINT32:                0x00000000
  as string:                ""
TPM_PT_VENDOR_STRING_4:
  as UINT32:                0x00000000
  as string:                ""
TPM_PT_VENDOR_TPM_TYPE:     0x00000000
TPM_PT_FIRMWARE_VERSION_1:  0x0007003d
TPM_PT_FIRMWARE_VERSION_2:  0x000ae100
TPM_PT_INPUT_BUFFER:        0x00000400
TPM_PT_HR_TRANSIENT_MIN:    0x00000003
TPM_PT_HR_PERSISTENT_MIN:   0x00000007
TPM_PT_HR_LOADED_MIN:       0x00000003
TPM_PT_ACTIVE_SESSIONS_MAX: 0x00000040
TPM_PT_PCR_COUNT:           0x00000018
TPM_PT_PCR_SELECT_MIN:      0x00000003
TPM_PT_CONTEXT_GAP_MAX:     0x0000ffff
TPM_PT_NV_COUNTERS_MAX:     0x00000008
TPM_PT_NV_INDEX_MAX:        0x00000680
TPM_PT_MEMORY:              0x00000006
TPM_PT_CLOCK_UPDATE:        0x00080000
TPM_PT_CONTEXT_HASH:        0x0000000b
TPM_PT_CONTEXT_SYM:         0x00000006
TPM_PT_CONTEXT_SYM_SIZE:    0x00000080
TPM_PT_ORDERLY_COUNT:       0x000000ff
TPM_PT_MAX_COMMAND_SIZE:    0x00000500
TPM_PT_MAX_RESPONSE_SIZE:   0x00000500
TPM_PT_MAX_DIGEST:          0x00000020
TPM_PT_MAX_OBJECT_CONTEXT:  0x000003b8
TPM_PT_MAX_SESSION_CONTEXT: 0x000000eb
TPM_PT_PS_FAMILY_INDICATOR: 0x00000001
TPM_PT_PS_LEVEL:            0x00000000
TPM_PT_PS_REVISION:         0x00000100
TPM_PT_PS_DAY_OF_YEAR:      0x00000000
TPM_PT_PS_YEAR:             0x00000000
TPM_PT_SPLIT_MAX:           0x00000080
TPM_PT_TOTAL_COMMANDS:      0x0000005a
TPM_PT_LIBRARY_COMMANDS:    0x00000059
TPM_PT_VENDOR_COMMANDS:     0x00000001
TPM_PT_NV_BUFFER_MAX:       0x00000300

@liuqun liuqun closed this as completed Aug 18, 2017
@webmeister
Contributor

> The "TPM_PT_REVISION" on my chip is "1.00"

This is probably not what the chip reports, the tool seems to have a bug that displays the minor version always as "00". #416 should fix this.

@liuqun
Contributor Author

liuqun commented Aug 22, 2017

I now get the correct TPM_PT_REVISION with the newest, fixed tpm2_dump_capability.
Thanks very much!

$ sudo tpm2_dump_capability -c properties-fixed
...
TPM_PT_REVISION:            1.16
...
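An added example, not part of this issue and not tpm2-tools code, showing how to interpret the TPM2_GetCapability output the thread relies on: TPM_PT_REVISION is the library revision in hundredths (so 116 must print as 1.16, with its two-digit minor part), the family and vendor string properties are four NUL-padded big-endian bytes, and the commands capability is a list of TPMA_CC entries whose low 16 bits are the command code. The minimum-revision table comes from the discussion above (the four 0x0190-0x0193 commands were introduced in 1.38, and TPM2_EncryptDecrypt is optional); the sample TPMA_CC list and its attribute bits are constructed.

```python
"""Interpret TPM2_GetCapability results: fixed properties and the
supported-command list (TPML_CCA of TPMA_CC entries)."""

# Command codes named in this thread (TPM 2.0 Library Part 2, TPM_CC).
TPM_CC_EncryptDecrypt = 0x0164
TPM_CC_PolicyTemplate = 0x0190
TPM_CC_CreateLoaded = 0x0191
TPM_CC_PolicyAuthorizeNV = 0x0192
TPM_CC_EncryptDecrypt2 = 0x0193

# Commands first defined in library revision 1.38; a firmware implementing
# 1.16 cannot offer them regardless of vendor.
INTRODUCED_IN = {
    TPM_CC_PolicyTemplate: 138, TPM_CC_CreateLoaded: 138,
    TPM_CC_PolicyAuthorizeNV: 138, TPM_CC_EncryptDecrypt2: 138,
}
# Optional in the PC Client platform profile: absence is not a defect.
OPTIONAL = {TPM_CC_EncryptDecrypt}


def format_revision(pt_revision: int) -> str:
    """TPM_PT_REVISION holds the revision in hundredths: 116 -> "1.16".
    The minor part is always two digits, so 100 prints as "1.00"."""
    return f"{pt_revision // 100}.{pt_revision % 100:02d}"


def property_string(value: int) -> str:
    """Decode a 4-byte string property (TPM_PT_FAMILY_INDICATOR,
    TPM_PT_VENDOR_STRING_n): big-endian bytes, NUL padded."""
    return value.to_bytes(4, "big").rstrip(b"\x00").decode("ascii")


def command_codes(tpml_cca) -> set:
    """Command index is bits 0-15 of each TPMA_CC; the upper bits are
    attributes (handle counts, NV/extensive flags) and are ignored here."""
    return {attr & 0xFFFF for attr in tpml_cca}


def explain_command(cc: int, supported: set, pt_revision: int) -> str:
    """Say why a command code is or is not usable on this TPM."""
    if cc in supported:
        return f"0x{cc:04x}: supported"
    needed = INTRODUCED_IN.get(cc)
    if needed is not None and pt_revision < needed:
        return (f"0x{cc:04x}: not supported; introduced in library revision "
                f"{format_revision(needed)}, TPM reports "
                f"{format_revision(pt_revision)}")
    if cc in OPTIONAL:
        return f"0x{cc:04x}: not supported; command is optional for the platform profile"
    return f"0x{cc:04x}: not supported by this TPM"


# Constructed sample TPML_CCA: real command codes for TPM2_Create (0x153),
# TPM2_Load (0x157), TPM2_GetCapability (0x17A) and TPM2_GetRandom (0x17B)
# with made-up attribute bits in the upper half; neither EncryptDecrypt variant.
SAMPLE_TPML_CCA = [0x02000153, 0x02000157, 0x0000017A, 0x0000017B]
SAMPLE_PT_REVISION = 116   # what the corrected tool printed above: 1.16


def report(tpml_cca=SAMPLE_TPML_CCA, pt_revision=SAMPLE_PT_REVISION) -> list:
    supported = command_codes(tpml_cca)
    checks = (0x0153, TPM_CC_EncryptDecrypt, TPM_CC_EncryptDecrypt2)
    return [explain_command(cc, supported, pt_revision) for cc in checks]


if __name__ == "__main__":
    print("family:", property_string(0x322E3000),
          "vendor:", property_string(0x534C4239) + property_string(0x36373000),
          "revision:", format_revision(SAMPLE_PT_REVISION))
    for line in report():
        print(line)
```

Checking the command list and the library revision together, as this example does, separates "the tool lacks support" from "the firmware cannot provide it", which is the distinction that closed this issue.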

liuqun changed the title from "tpm2_encryptdecrypt won't work on Infineon TPM2.0 SLB6970 chip" to "tpm2_encryptdecrypt won't work on Infineon TPM2.0 SLB9670 chip" on Aug 29, 2017