Richard,
Thanks for the quick reply!
The -x option is the opposite of hexdump/xxd, it decodes the hex input and uses
the decoded bytes as the password.
I'll submit the patches separately as you suggested and I will look at
surrounding the -o and -s with an ifdef and adding a corresponding switch to
the configure script to enable it.
Jonathan
From: Richard [mailto:[email protected]]
Sent: Tuesday, February 11, 2014 10:16 AM
To: [email protected]
Subject: Re: [TrouSerS-users] tpm-tools hex and env-var options
Jonathan,
O like the idea of fetching the password from an environment variable. To me it
looks safer than the one through command-line, which I would only add if there
was a really good reason for (since it gets stored in history database - under
Linux - and all). Note I didn't have enough time to think about the attack
surface it opens, though.
The -x looks interesting. However, couldn't that be made by using a shell
command tool, like hexdump and xxd?
Now I'm really opposed against putting passwords in the command line, specially
for something as sensitive as the owner password. Maybe if we could put a
configure switch to disable it and let it on by default...
Anyway, feel free to submit patches. Just make sure you send different
patchsets for different features.
And thank you in advance for helping,
Richard
Em 11-02-2014 07:27, Buhacoff, Jonathan escreveu:
Hi,
In my project which scripts some uses of tpm-tools, I found it useful to add a
couple of options to tpm_takeownership, tpm_nvdefine, tpm_nvread, tpm_nvwrite,
and tpm_nvrelease:
-x to interpret the passwords on the command line as hex representations and
hex-decode the passwords before using
-t to interpret the password arguments on the command line as environment
variable names and read the passwords from those variables
They can be used together to interpret a hex password from an environment
variable.
Also for tpm_takeownership I added two options to allow setting the password
non-interactively:
-o sets the owner password
-s sets the SRK password
For example, if you run tpm_takeownership it looks like this:
# tpm_takeownership
Enter owner password:
Confirm password:
Enter SRK password:
Confirm password:
But with the options it can look like this:
# export TPM_PASSWORD=ffffffffffffffffffffffffffffffffffffffff
# tpm_takeownership -x -t -oTPM_PASSWORD -z
Which doesn't prompt, doesn't expose the password on the process list, and
allows you to use any arbitrary 20-byte sequence as the password.
So I would like to submit a patch for this.
Is it ok to just create a feature request ticket and attach my patch to it for
the 5 tools I mentioned?
If it's accepted I can add the -x and -t options to other commands and submit
those as well.
Jonathan
------------------------------------------------------------------------------
Android apps run on BlackBerry 10
Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
Now with support for Jelly Bean, Bluetooth, Mapview and more.
Get your Android app in front of a whole new audience. Start now.
http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
_______________________________________________
TrouSerS-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/trousers-users
------------------------------------------------------------------------------
Android apps run on BlackBerry 10
Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
Now with support for Jelly Bean, Bluetooth, Mapview and more.
Get your Android app in front of a whole new audience. Start now.
http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
