Tpm2 Tools Versions Save

5.3 2022-09-27

Features:

• lib/tpm2_tool.c: add --help=no-man for tpm2 option. Prior to this change the tool parsed no-man as an unrecognized option and errored out. Now it lists all the available tool options.
• tpm2_encodeobject: New tool to encode TPM2 object. It takes public and private portions of an object and encode them in a combined PEM form called tssprivkey used by tpm2-tss-engine and other applications.
• Support alternative ECC curves for which default EK templates exist (NIST_P256, NIST_P384, NIST_P521, and SM2_P256).
• tools/misc/tpm2_checkquote: add sm2 verification of signature.
• crypto: support the TPM2_ECC_SM2_P256 curveID.
• fapi: add new command to enable the use of fapi objects for tπpm2 tools. The new command tss2_gettpm2object was added. With this command context files which can be used for tpm2 tool commands can be created.
• Support for sign and verify with sm2 algorithms.
• tools/tpm2_startauthsession: add sym-algorithm argument for supported symmetric algorithm.
• Attestation (certify, command audit, sessionaudit and quote): add scheme argument for supported signature schemes. This also enable support for SM signing.
• tpm2_flushcontext: support all options at a time Support the -t/-l/-s options all at once so folks don't have to call it multiple times.
• tools/tpm2_nvread: add human readable output for NV content Enable parsing and YAML-style output for the different NV index types.
• New event types in tpm2_eventlog: EV_EFI_PLATFORM_FIRMWARE_BLOB2, EV_EFI_HANDOFF_TABLES2, EV_EFI_VARIABLE_BOOT2
• VERSION: add version file - Generate the version file with bootstrap and include in the DIST tarball so endusers can call autoreconf on a dist tarball which doesn't have git. This alleviates git describe errors on release tarballs in the autoreconf case.
• import: support restricted parents - Support a restricted parent with an aes128cfb symmetric parameter.
• tpm2_load - Added capability to load pem files in TSS2-Private-Key format for interoperability with tpm2-tss-engine, tpm2-openssl provider tpm2-pkcs11, and tpm2-pytss.
• tpm2_print - Added capability to parse out and print the public portion of a TSS Private Key in the PEM format with the arg option TSSPRIVKEY_OBJ.
• tpm2_loadexternal: Added support to tpm2_loadexternal for parsing and loading the public portion of a TSS2 Privkey PEM file. The path to the PEM file must be specified using the -r option while skipping the -G option for key type.
• Support added for calculating cpHash, rpHash, sessions for parameter encryption and auditing in: tpm2_nvwrite, tpm2_nvcertify, tpm2_nvincrement, tpm2_nvwritelock, tpm2_nvreadlock, tpm2_nvundefine and tpm2_nvreadpublic.
• Support added for calculating cpHash in: tpm2_clear, tpm2_dictionarylockout, tpm2_clearcontrol, tpm2_sign, tpm2_setprimarypolicy, tpm2_setclock, tpm2_rsadecrypt, tpm2_duplicate, tpm2_clockrateadjust, tpm2_createprimary, tpm2_quote, tpm2_policysecret, tpm2_policynv, tpm2_policyauthorizenv, tpm2_import, tpm2_hmac, tpm2_hierarchycontrol, tpm2_load, tpm2_gettime, tpm2_evictcontrol, tpm2_encryptdecrypt, tpm2_getpolicydigest, tpm2_loadexternal, tpm2_commit, tpm2_ecdhkeygen, tpm2_ecdhzgen, tpm2_ecephemeral, tpm2_geteccparameters, tpm2_flushcontext, tpm2_pcrallocate, tpm2_pcrevent, tpm2_pcrreset, tpm2_pcrread.
• Support for using tcti=none for cpHash calculations to avoid invoking checks for active TPM in: tpm2_nvreadpublic, tpm2_nvundefine, tpm2_nvreadlock, tpm2_nvwritelock, tpm2_nvincrement, tpm2_nvcertify, tpm2_nvdefine, tpm2_nvwrite.

Known issue:

• FAPI tools will not work on 32bit user-static qemu on 64bit host because readdir returns NULL. Follow the issue on https://gitlab.com/qemu-project/qemu/-/issues/263

Bug fixes:

• tools/tpm2_pcrreset.c: fix build errors in 32bit systems.
• Fix tssprivkey formatted PEM generation and load errors on 32 bit systems.
• CI: Add testing of 32bit systems with multiarch/qemu-user-static containers.
• tools/tpm2_evictcontrol: fix for calls to Esys_TR_Close on bad handles.
• tools/tpm2_nvextend: fix for ESYS_TR handle not being used in calculating the object name.
• tools/tpm2_nvwrite, tools/tpm2_nvread: Policy authorization must be re-instantiated on each iteration of the read/ write when size exceeds the allowed operating size (TPM2_PT_NV_BUFFER_MAX). However, information on the compounded policies cannot be retrieved from the only policy digest read from the session and hence the session cannot be re-instantiated. To avoid this scenario only a single iteration is allowed when policy authorization is in use.
• Fix argument parsing in tpm2_policylocality to fix an issue causing almost always to generate PolicyLocality(0). There was a logical inversion that caused almost any argument (including invalid ones) to be interpreted as zero, except “zero" would be interpreted as one.
• test/fapi/fapi-quote-verify.sh Fix check of qualifying data. Because of a bug in Fapi_VerifyQuote the qualifying data was not checked correctly. Errors that were not recognized before occur now. The order of the tests was cleaned up and for every quote and verify quote now the correct combination of the qualifying data and quote info containing the nonce is used.
• tpm2_nvdefine: set TPMA_NV_PLATFORMCREATE when authenticating with the platform hierarchy.
• tools/tpm2_getekcertificate: fixed the url link to ekop.intel.com. There were two places where the fix was needed:
  1. In the tool source code where a forward slash was always appended irrespective of it already being part of the link specified by the user and
  2. In the integration test where curl tests the link to the ekop.intel.com backend. It now requires the full link to include the base64 encoded ek pub hash.
• tools/tpm2_tool.c: Fix an issue where LOG_WARN is always displayed Despite setting the 'quiet' flag with -Q.
• fapi: fix usage of parameter pcrLog for tss2_quote. pcrLog is an optional parameter. If pcrLog is not used as parameter currently the pcr log is still calculated in Fapi_Quote. To avoid this calculation a NULL pointer will be passed to Fapi_Quote if the parameter pcrLog is not passed. So tss2_quote can be executed for a user which has no access rights to the files with the system measurements.
• import: fix bug on using scheme wherein if scheme is specified in the template, the openssl load functions clobber the scheme value and set it to TPM2_ALG_NULL.
• tools/tpm2_sign and tpm2_verifysignature: fix sm2 sign and verifysignature bugs : (1.) sm2 sign could not get output signature. (2.) sm2 verify tss format signature failed.
• lib/tpm2.c: added workaround for a system api bug where in the flush handle is erroneously placed in the handle area instead of the parameter area.
• nvreadpublic: drop ntoh on attributes The attributes get marshalled to correct endianess by libmu and don’t need to be changed again.
• Removing unused '-i' option from tpm2_print
• tpm2_policyor: fix unallocated policy list The TPML_DIGEST policy list was calloc'd for some reason, however it could just be statically allocated in the context. The side effect is that when no options or arguments were given a NPD occured when checking the count of the policy list.
• tools/tpm2_certify: fix man page for short options and add tests The short options for the signing-key-auth and certified-key-auth were swapped. The case fix in the man page makes it less intuitive but have to go through with the change so that we don't break any existing scripts. This change does not affect the long options. Tests have been added to ensure the functionality.

CI:

• ci: add ubuntu-22.04. This also requires the min tpm2-tss version to be at 3.2.0 to support the openSSL major version 3.
• cirrus.yml: update freebsd version to 13.1
• .ci/download-deps.sh: update tpm2-abrmd dependency version to 2.4.1

Reference the CHANGELOG for this pre-release.

Reference the CHANGELOG for this pre-release.

• tpm2_nvextend:

  • Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_Extend command to the TPM.

• tpm2_nvread:

  • Added option --rphash=FILE to specify ile path to record the hash of the response parameters. This is commonly termed as rpHash.
  • Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NVRead command to the TPM.
  • Added option -S, --session to specify to specify an auxiliary session for auditing and or encryption/decryption of the parameters.

• tpm2_nvsetbits:

  • Added option --rphash=FILE to specify file path to record the hash of the response parameters. This is commonly termed as rpHash.
  • Added option -S, --session to specify to specify an auxiliary session for auditing and or encryption/decryption of the parameters.
  • Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_SetBits command to the TPM.

• tpm2_createprimary:

  • Support public-key output at creation time in various public-key formats.

• tpm2_create:

  • Support public-key output at creation time in various public-key formats.

• tpm2_print:

  • Support outputing public key in various public key formats over the default YAML output. Supports taking -u output from tpm2_create and converting it to a PEM or DER file format.

• tpm2_import:

  • Add support for importing keys with sealed-data-blobs.

• tpm2_rsaencrypt, tpm2_rsadecrypt:

  • Add support for specifying the hash algorithm with oaep.

• tpm2_pcrread, tpm2_quote:

  • Add option -F, --pcrs_format to specify PCR format selection for the binary blob in the PCR output file. 'values' will output a binary blob of the PCR values. 'serialized' will output a binary blob of the PCR values in the form of serialized data structure in little endian format.

• tpm2_eventlog:

  • Add support for decoding StartupLocality.
  • Add support for printing the partition information.
  • Add support for reading eventlogs longer than 64kb including from /sys/kernel/security/tpm0/binary_bios-measurements.

• tpm2_duplicate:

  • Add option -L, --policy to specify an authorization policy to be associated with the duplicated object.
  • Added support for external key duplication without needing the TCTI.

• tools:

  • Enhance error message on invalid passwords when sessions cannot be used.

• lib/tpm2_options:

  • Add option to specify fake tcti which is required in cases where sapi ctx is required to be initialized for retrieving command parameters without invoking the tcti to talk to the TPM.

• openssl:

  • Dropped support for OpenSSL < 1.1.0
  • Add support for OpenSSL 3.0.0

• Support added to make the repository documentation and man pages available live on readthedocs.

• Bug-fixes:

  • tpm2_import: Don't allow setting passwords for imported object with -p option as the tool doesn't modify the TPM2B_SENSITIVE structure. Added appropriate logging to indicate using tpm2_changeauth after import.

  • lib/tpm2_util.c: The function to calculate pHash algorithm returned error when input session is a password session and the only session in the command.

  • lib/tpm2_alg_util.c: Fix an error where oaep was parsed under ECC.

  • tpm2_sign: Fix segfaults when tool does not find TPM resources (TPM or RM).

  • tpm2_makecredential: Fix an issue where reading input from stdin could result in unsupported data size larger than the largest digest size.

  • tpm2_loadexternal: Fix an issue where restricted attribute could not be set.

  • lib/tpm2_nv_util.h: The NV index size is dependent on different data sets read from the GetCapability structures because there is a dependency on the NV operation type: Define vs Read vs Write vs Extend. Fix a sane default in the case where GetCapability fails or fails to report the specific property/ data set. This is especially true because some properties are TPM implementation dependent.

  • tpm2_createpolicy: Fix an issue where tool exited silently without reporting an error if wrong pcr string is specified.

  • lib/tpm2_alg_util: add error message on public init to prevent tools from dying silently, add an error message.

  • tpm2_import: fix an issue where an imported hmac object scheme was NULL. While allowed, it was inconsistent with other tools like tpm2_create which set the scheme as hmac->sha256 when generating a keyedhash object.

Reference the CHANGELOG for this pre-release.

4.3.2 2021-06-21

• tpm2_import: fix fixed AES key CVE-2021-3565
  • tpm2_import used a fixed AES key for the inner wrapper, which means that a MITM attack would be able to unwrap the imported key. To fix this, ensure the key size is 16 bytes or bigger and use OpenSSL to generate a secure random AES key.

5.1.1 2021-06-21

• tpm2_import: fix fixed AES key CVE-2021-3565
  • tpm2_import used a fixed AES key for the inner wrapper, which means that a MITM attack would be able to unwrap the imported key. To fix this, ensure the key size is 16 bytes or bigger and use OpenSSL to generate a secure random AES key.

Reference the CHANGELOG for this pre-release.

Reference the CHANGELOG for this pre-release.

• Build

  • Dependency-update: Minimum tpm2-tss version dependency bumped to 3.1.0
  • Dependency-update: Minimum tpm2-abrmd version dependency bumped to 2.4.0
  • tpm2_eventlog: Fix build errors on 64 bit arm systems.
  • tpm2_checkquote: Fix build on 32b little-endian platforms.
  • Fixes builds on CentOS 7 which notably has an ancient version of GCC: 4.8.5 and an older version of OSSL, 1.0.2
  • Configure handles searching for python executable more gracefully, thus just having python3, will work.
  • Moved to GitHub Actions for CI testing.
  • Added fedora-32 to CI testing configurations and related fixes.
  • FreeBSD testing is bumped up to version 12.2
  • Fix compiler and packaging warnings for OpenSuse builds.
  • configure: make build gnu99.
  • configure: make -Wbool-compare non fatal.
  • configure: only use -Werror for non-release builds

• tss2:

  • Support in tools for PolicyRef inclusion in policy search per latest TSS.
  • Support to use TPM objects protected by a policy with PolicySigned.
  • Enable backward compatibility to old Fapi callback API.
  • Fix PCR selection for tss2 quote.
  • Support policy signed policies by implementing Fapi_SetSignCB.

• Command/ response parameter support for auditing and pHash policies:

  • lib/tpm2_util.c: Add method to determine hashing alg for cp/rphash
  • Add support to calculate rphash for tpm2_create, tpm2_activatecredential, tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal
  • Add support to calculate cphash for tpm2_changeeps, tpm2_changepps.

• Session-support:

  • tpm2_sessionconfig: Add tool to display and configure session attributes.
  • tpm2_getrandom: Fix— session input was hardcoded for audit-only
  • tpm2_startauthsession: Add option to specify the bind object and its authorization value.
  • tpm2_startauthsession: support for bounded-only session.
  • tpm2_startauthsession: support for salted-only session.
  • tpm2_startauthsession: add option to specify an hmac session type.
  • Add support for specifying non-authorization sessions for audit and parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend, tpm2_nvdefine, tpm2_unseal, tpm2_activatecredential, tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps.

• tpm2_eventlog:

  • Support for event type: EV_IPL extensively used by the Shim and Grub.
  • Support for event type: EV_EFI_GPT_EVENT to parse. UEFI_PARTITION_TABLE_HEADER and UEFI_PARTITION_ENTRY.
  • Support for event type: EFI_SIGNATURE_LIST, which contains one or more EFI_SIGNATURE_DATA.
  • Support for event type EV_EFI_VARIABLE_AUTHORITY.
  • Parse UEFI_PLATFORM_FIRMWARE_BLOB structure that the CRTM MUST put into the Event Log entry TCG_PCR_EVENT2.event field for event types EV_POST_CODE, EV_S_CRTM_CONTENTS, and EV_EFI_PLATFORM_FIRMWARE_BLOB.
  • Parse secureboot variable to indicate enable as 'Yes'.
  • Parse BootOrder variable to a more readable format.
  • Parse Boot variables per EFI_LOAD_OPTION described in more details in UEFI Spec Section 3.1.3
  • Parse Device-path in a readable format using the efivar library.
  • Support for logs longer than 64 kilobytes.
  • Perform verification for event types where digest can be verified from their event payload.
  • Better support for multiline strings.
  • Fix handling of event log EV_POST_CODE data where field is empty and len is specified.

• scripts/utils: Add a utility to read the cert chain of embedded CA.

• tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP 404.

• tpm2_nvdefine: allow setting hash algorithm by command line parameter for NV indices set in extend mode.

• tpm2_duplicate, tpm2_import: support duplicating non-TPM keys to a remote TPM without first requiring them to be loaded to a local TPM.

• tpm2_dictionarylockout: Fix issue where setting value for one parameter caused to reset the others.

• tpm2_getpolicydigest: Add new tool to enable TPM2_CC_PolicyGetDigest.

• Fix segfault where optind > argc.

• tools/tpm2_checkquote: fix missing initializer

• tpm2_convert: fix EVP_EncodeUpdate usage for OSSL < 1.1.0

• openssl: fix EVP_ENCODE_CTX_(new|free)

• test: Add support for swTPM simulator to the testing framework and make it the default if mssim isn't available.

• tpm2_unseal:

  • Added option --rphash=FILE to specify ile path to record the hash of the response parameters. This is commonly termed as rpHash.

• tpm2_nvextend:

  • Added option --rphash=FILE to specify ile path to record the hash of the response parameters. This is commonly termed as rpHash.

• tpm2_nvdefine:

  • Added option --rphash=FILE to specify ile path to record the hash of the response parameters. This is commonly termed as rpHash.

• tpm2_changepps:

  • Added option --cphash=FILE to specify ile path to record the hash of the command parameters. This is commonly termed as cpHash.
  • Added option --rphash=FILE to specify ile path to record the hash
  • Added option -S, --session to specify to specify an auxiliary session for auditing and or encryption/decryption of the parameters.

• tpm2_changeeps:

  • Added option --cphash=FILE to specify ile path to record the hash of the command parameters. This is commonly termed as cpHash.
  • Added option --rphash=FILE to specify ile path to record the hash of the response parameters. This is commonly termed as rpHash.
  • Added option -S, --session to specify to specify an auxiliary session for auditing and or encryption/decryption of the parameters.

• tpm2_changeauth:

  • Added option --rphash=FILE to specify ile path to record the hash of the response parameters. This is commonly termed as rpHash.
  • Added option -S, --session to specify to specify an auxiliary session for auditing and or encryption/decryption of the parameters.

• tpm2_certifycreation:

  • Added option --rphash=FILE to specify ile path to record the hash of the response parameters. This is commonly termed as rpHash.
  • Added option -S, --session to specify to specify an auxiliary session for auditing and or encryption/decryption of the parameters.

• tpm2_certify:

  • Added option --rphash=FILE to specify ile path to record the hash of the response parameters. This is commonly termed as rpHash.
  • Added option -S, --session to specify to specify an auxiliary session for auditing and or encryption/decryption of the parameters.

• tpm2_activatecredential:

  • Added option --rphash=FILE to specify ile path to record the hash of the response parameters. This is commonly termed as rpHash.
  • Added option -S, --session to specify to specify an auxiliary session for auditing and or encryption/decryption of the parameters.

• tpm2_create:

  • Added option --rphash=FILE to specify ile path to record the hash of the response parameters. This is commonly termed as rpHash.

• tpm2_unseal:

  • Added option -S, --session to specify auxiliary sessions for audit and encryption.

• tpm2_nvdefine:

  • Added option -S, --session to specify auxiliary sessions for audit and encryption.

• tpm2_nvextend:

  • Added option -S, --session to specify auxilary sessions for audit and encryption.