Things to be worried about when using Microsoft's Reference simulator:
It's not production ready
Side channel attacks
Random numbers
Key derivation
David Wooten
- TPM Code for commands
- Interface to crypto library
- module rpovded by platform manufacturer
- Time of day
- Random number generator
- Anything in the module call platform is supposed to be replaced by actual platform or hardware code
- SImulator piece
- TCP/IP interface to talk to the TPM
William (Bill) Roberts (notes from his presentation to
- TPM2-TSS
- SAPI (shouldn't be used people aren't going to use it much)
- ESAPI Full control but encrypted. If you want full low level control but want to do it with encryption
- FAPI high level automatatic verified sessions with TPM and key storage
- RcDecode Return code to error string (strerror for TPM2)
- MU Marshalling and unmarshaling library
- TctiLdr They are similar to a network layer in that they move bytes to and from the TPM over an arbitrary interface. Could talk to simulator, or /dev/tpm0
- pytss
- All based on cffi
- Classes
- Default arguments
- Type coercions (Python types to TPM types, TPM2B, TPMT_PUBLIC)
- Can take dictionaries
- Can take subclass types directly
- Copy constructors work
- Comparison with string, euqivilent Python types, work
- tpm2-tools -G strings work
- -G, -a, -n tpm2-tools strings work
.parse()
supported on TPM2T and TPM2BTPMT_PUBLIC.parse(alg="rsa2048:rsapss", objectAttributes="fixedtpm|sign")
- Defaults to tpm2_create over tpm2_createprimary
- TPM2_ALG.parse("sha") --> TPM2_ALF.SHA or 0x04
- For all structures
- Can load tpm2-tool context files
TPMS_CONTEXT.from_tools(ctxbytes)
- Exceptions run return code thorugh RcDecode for error message
TSS2_Exception
- Handle, parameter, session, and return code are provided
- ESAPI
with ESAPI(TCTILdr("device")) as e: e.get_random()
- Context managers are your friend, they help you close the underlying TCTI
- Will be able to pass TCTI loader string into
ESAPI()
call - Will choose sensible defaults
- Will make you choose auth objects
- Converting PEM/DER/SSH keys to TPM
TPM2B_Public.from_pem(rsa_public_key)
TPM2B_SENSITIVE.from_pem(rsa_private_key)
e.load_extrenal(priv, pub)
- Conversions are being done using Python cryptography package
- Other attributes can be set during call to
.from_pem()
- Importing keys ot TPM
- You must wrap before import.
.wrap()
let's you add keys
make_credential()
will create a TPM credential which doesn't require talking to the TPM- Many people have asked for this
- Calculate Name Without TPM
- You can call
.get_name()
to get the name of aTPM2B_PUBLIC
without going to the TPM
- You can call
- TSS2 PEM/DER Format Support
- Can grab keys from openssl engine / provider
- Could create keys with
key.create_rsa(esapi).to_pem()
- FAPI
- Very close to C API, doesn't use any of the native TPM types
- Strings byte arrays, PEM files
- Very close to C API, doesn't use any of the native TPM types
- Next Steps
- Test against more versions of the TSS
- policy engine
- Eventually pull this back into the Python bindings
- Examples
- Check the test code
- Will be adding to the docs
- test/test_esapi.py
get_random()
in two lines
- Conclusions
- Default arguments make commnds simple and less cluttered than the C code
- Docs get updated automatically on read the docs
- Can pass all your normal session handles
- They'll be validated
- TPM2-TSS