Re: [TrouSerS-users] tpm-tools hex and env-var options

[Buhacoff, Jonathan]

Are you referring to tcsd?  Yeah it's a good option.

Jonathan

From: Chris Hawkins [mailto:hawkin...@gmail.com]
Sent: Tuesday, February 11, 2014 11:09 AM
To: Richard
Cc: trousers-users@lists.sourceforge.net
Subject: Re: [TrouSerS-users] tpm-tools hex and env-var options

In the long run, it would be good to consider building your project to use the 
TSP directly, rather than scripting the use of tpm-tools. When you use the 
TrouSerS libraries, communication to the TPM goes through the TCS. At the TCS 
level, all passwords are protected within the protocol, which generally uses 
rolling nonces and HMACs to avoid exposing secrets or allowing replays.

If you don't want to build your project in C/C++, you could attempt to open a 
socket directly to the TCS. I've done this in Java and Python. It's quite a bit 
more effort going that route, but it does do a much better job than scripting 
with tpm-tools for protecting secrets.

Chris

On Tue, Feb 11, 2014 at 11:15 AM, Richard 
<rmac...@linux.vnet.ibm.com<mailto:rmac...@linux.vnet.ibm.com>> wrote:
Jonathan,

O like the idea of fetching the password from an environment variable. To me it 
looks safer than the one through command-line, which I would only add if there 
was a really good reason for (since it gets stored in history database - under 
Linux -  and all). Note I didn't have enough time to think about the attack 
surface it opens, though.

The -x looks interesting. However, couldn't that be made by using a shell 
command tool, like hexdump and xxd?

Now I'm really opposed against putting passwords in the command line, specially 
for something as sensitive as the owner password. Maybe if we could put a 
configure switch to disable it and let it on by default...

Anyway, feel free to submit patches. Just make sure you send different 
patchsets for different features.

And thank you in advance for helping,

Richard

Em 11-02-2014 07:27, Buhacoff, Jonathan escreveu:
Hi,

In my project which scripts some uses of tpm-tools, I found it useful to add a 
couple of options to tpm_takeownership, tpm_nvdefine, tpm_nvread, tpm_nvwrite, 
and tpm_nvrelease:

-x   to interpret the passwords on the command line as hex representations and 
hex-decode the passwords before using

-t  to interpret the password arguments on the command line as environment 
variable names and read the passwords from those variables

They can be used together to interpret a hex password from an environment 
variable.

Also for tpm_takeownership I added two options to allow setting the password 
non-interactively:

-o   sets the owner password

-s   sets the SRK password


For example, if you run tpm_takeownership it looks like this:

# tpm_takeownership
Enter owner password:
Confirm password:
Enter SRK password:
Confirm password:

But with the options it can look like this:

# export TPM_PASSWORD=ffffffffffffffffffffffffffffffffffffffff
# tpm_takeownership -x -t -oTPM_PASSWORD -z

Which doesn't prompt, doesn't expose the password on the process list, and 
allows you to use any arbitrary 20-byte sequence as the password.

So I would like to submit a patch for this.

Is it ok to just create a feature request ticket and attach my patch to it for 
the 5 tools I mentioned?

If it's accepted I can add the -x and -t options to other commands and submit 
those as well.

Jonathan




------------------------------------------------------------------------------

Android apps run on BlackBerry 10

Introducing the new BlackBerry 10.2.1 Runtime for Android apps.

Now with support for Jelly Bean, Bluetooth, Mapview and more.

Get your Android app in front of a whole new audience.  Start now.

http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk


_______________________________________________

TrouSerS-users mailing list

TrouSerS-users@lists.sourceforge.net<mailto:TrouSerS-users@lists.sourceforge.net>

https://lists.sourceforge.net/lists/listinfo/trousers-users


------------------------------------------------------------------------------
Android apps run on BlackBerry 10
Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
Now with support for Jelly Bean, Bluetooth, Mapview and more.
Get your Android app in front of a whole new audience.  Start now.
http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
_______________________________________________
TrouSerS-users mailing list
TrouSerS-users@lists.sourceforge.net<mailto:TrouSerS-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/trousers-users


------------------------------------------------------------------------------
Android apps run on BlackBerry 10
Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
Now with support for Jelly Bean, Bluetooth, Mapview and more.
Get your Android app in front of a whole new audience.  Start now.
http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
_______________________________________________
TrouSerS-users mailing list
TrouSerS-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/trousers-users