
tpm2 verifysignature --format is no longer supported #2169

Closed
osresearch opened this issue Aug 17, 2020 · 2 comments · Fixed by #2170

Comments

@osresearch
Contributor

I'm attempting to follow the Intel guide for signing PCRs with an RSA key. However, tpm2 verifysignature fails with "the TPM was unable to unmarshall a value because there were not enough octets in the input buffer".

This is using https://github.com/tpm2-software/tpm2-tools/tree/c643ff688834d573772c9cc57fcbdf48a7e7735e and https://github.com/tpm2-software/tpm2-tss/tree/76be63d641e01e7a3fcdb987fedadf98e970ba8b

As a minimal test case:

#!/bin/bash -x
die() { echo >&2 "$*" ; exit 1 ; }

tpm2 flushcontext --transient-object
tpm2 flushcontext --loaded-session

# Generate RSA key
openssl genrsa -out key.priv 2048 || die genrsa
openssl rsa -in key.priv -out key.pem -pubout || die key.pem

# Create policy and sign it
tpm2 startauthsession --session session.ctx || die startsession

tpm2 policypcr \
	--session session.ctx \
	--pcr-list "sha256:0,11" \
	--policy pcr.policy \
|| die policypcr

tpm2 flushcontext session.ctx

openssl dgst \
	-sha256 \
	-sign key.priv \
	-out pcr.policy.sig \
	pcr.policy \
|| die openssl sign policy

# Load the key into the TPM and validate on policy signature
tpm2 loadexternal \
	--key-algorithm rsa \
	--hierarchy o \
	--public key.pem \
	--key-context key.ctx \
	--name key.name \
|| die loadexternal

tpm2 verifysignature \
	--hash-algorithm sha256 \
	--format rsassa \
	--key-context key.ctx \
	--message pcr.policy \
	--signature pcr.policy.sig \
	--ticket verification.tkt \
|| die verifysignature
@williamcroberts
Member

@osresearch I ran your test and am getting a slightly different output:

ERROR: Error deserializing signature structure: 0x9000b
ERROR: The input file needs to be a valid TPMT_SIGNATURE data structure
ERROR: Unable to run verifysignature
tpm2 rc_decode 0x9000b
mu:A parameter has a bad value

My tss version is:

pkg-config --modversion tss2-esys
3.1.0-dev

$ git describe 
3.0.0-16-g76be63d641e0

Is that what you're seeing? If not, what's your tpm2-tss version?

@osresearch
Contributor Author

I'm using tpm2-tss @ 76be63d641e01e7a3fcdb987fedadf98e970ba8b and my initial report had a library skew issue, so it was picking up the wrong version of ESYS/MU/RC. With that fixed it produces the same error as yours.

The guide has the policy signature file generated as a raw RSA signature with OpenSSL, not a TPMT_SIGNATURE:

openssl dgst -sha256 -sign signing_key_private.pem -out set2.pcr.signature set2.pcr.policy

It looks like the --format option is being ignored and was replaced with --scheme since the guide? There appears to be an attempt to support both, but the case 0: should be case '0' to make it work. https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_verifysignature.c#L205
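As an added example, not code from this issue or from tpm2-tools: a small Python helper that wraps a raw RSA signature (the bytes `openssl dgst -sign` writes) into the binary TPMT_SIGNATURE layout the tool's error message asks for, and parses such a structure back. Feeding it the raw signature reproduces the two failure modes seen in the thread: the first two bytes of a raw signature are read as `sigAlg` and rejected as a bad value, and a truncated structure runs out of octets. The algorithm IDs are the TPM 2.0 Library Part 2 constants; the sample signature is constructed bytes, not a real RSA signature, and the function names are this example's own.

```python
"""Added example (not from the issue or tpm2-tools): build and parse the
TPMT_SIGNATURE byte layout that `tpm2 verifysignature` expects by default,
and show why a raw `openssl dgst -sign` output fails to unmarshal.

Layout for the RSA schemes (TPM 2.0 Library, Part 2), all big-endian:
  TPMT_SIGNATURE.sigAlg        UINT16  TPM_ALG_RSASSA (0x0014) / TPM_ALG_RSAPSS (0x0016)
  TPMS_SIGNATURE_RSA.hash      UINT16  TPM_ALG_SHA256 (0x000B) etc.
  TPM2B_PUBLIC_KEY_RSA.size    UINT16  length of the signature
  TPM2B_PUBLIC_KEY_RSA.buffer  bytes   the raw RSA signature
"""
import struct

SIG_SCHEMES = {"rsassa": 0x0014, "rsapss": 0x0016}
HASH_ALGS = {"sha1": 0x0004, "sha256": 0x000B, "sha384": 0x000C, "sha512": 0x000D}
_SCHEME_NAMES = {v: k for k, v in SIG_SCHEMES.items()}
_HASH_NAMES = {v: k for k, v in HASH_ALGS.items()}


class UnmarshalError(ValueError):
    """Stands in for the TSS marshalling (MU) errors quoted in the issue."""


def wrap_rsa_signature(raw_sig, scheme="rsassa", halg="sha256"):
    """Wrap a raw RSA signature into a TPMT_SIGNATURE; this is the conversion
    that a working --format rsassa option performs on the tool's behalf."""
    if len(raw_sig) > 0xFFFF:
        raise ValueError("signature too long for a TPM2B")
    return struct.pack(">HHH", SIG_SCHEMES[scheme], HASH_ALGS[halg], len(raw_sig)) + raw_sig


def _u16(buf, off):
    """Read one big-endian UINT16, failing like the TSS when the buffer is short."""
    if off + 2 > len(buf):
        raise UnmarshalError("not enough octets in the input buffer")
    return struct.unpack_from(">H", buf, off)[0], off + 2


def parse_tpmt_signature(buf):
    """Unmarshal an RSA TPMT_SIGNATURE. Unknown algorithm IDs are rejected,
    mirroring the 'a parameter has a bad value' decode of rc 0x9000b."""
    sig_alg, off = _u16(buf, 0)
    if sig_alg not in _SCHEME_NAMES:
        raise UnmarshalError(f"bad value for sigAlg: 0x{sig_alg:04x}")
    halg, off = _u16(buf, off)
    if halg not in _HASH_NAMES:
        raise UnmarshalError(f"bad value for hash: 0x{halg:04x}")
    size, off = _u16(buf, off)
    if off + size > len(buf):
        raise UnmarshalError("not enough octets in the input buffer")
    return {
        "scheme": _SCHEME_NAMES[sig_alg],
        "hash": _HASH_NAMES[halg],
        "sig": buf[off:off + size],
        "consumed": off + size,
    }


def constructed_raw_signature(nbytes=256):
    """Constructed stand-in for a 2048-bit RSA signature (no real key involved)."""
    return bytes((i * 37 + 11) & 0xFF for i in range(nbytes))


if __name__ == "__main__":
    raw = constructed_raw_signature()
    wrapped = wrap_rsa_signature(raw)
    print("TPMT_SIGNATURE header:", wrapped[:6].hex(), "total", len(wrapped), "bytes")
    print("round trip ok:", parse_tpmt_signature(wrapped)["sig"] == raw)
    for label, blob in (("raw openssl-style signature", raw),
                        ("truncated TPMT_SIGNATURE", wrapped[:100])):
        try:
            parse_tpmt_signature(blob)
        except UnmarshalError as e:
            print(f"{label}: {e}")
```

A raw 2048-bit signature is 256 bytes; the wrapped structure is 262 bytes, six of them header. Whether a file produced this way is accepted by `--signature` without `--format` follows from the error text quoted above ("needs to be a valid TPMT_SIGNATURE data structure"), not from anything verified here.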

@osresearch osresearch changed the title tpm2 verifysignature unable to marshall a value tpm2 verifysignature --format is no longer supported Aug 17, 2020
williamcroberts pushed a commit to williamcroberts/tpm2-tools that referenced this issue Aug 17, 2020
--format was changed to --scheme in e275ba5. However, the option
for --format was set to '0' (ASCII 0)  in the selector char. However,
the case statement was set to 0, thus --format was being silently
ignored. Fix this by setting the getopt selector character to 0.

Fixes: tpm2-software#2169

Signed-off-by: William Roberts <[email protected]>
williamcroberts pushed a commit to williamcroberts/tpm2-tools that referenced this issue Aug 18, 2020
williamcroberts pushed a commit that referenced this issue Aug 20, 2020