Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Support Intel On Die Certificate Authority #2934

Open
qfiard opened this issue Jan 31, 2025 · 4 comments
Open

Support Intel On Die Certificate Authority #2934

qfiard opened this issue Jan 31, 2025 · 4 comments

Comments

@qfiard
Copy link

qfiard commented Jan 31, 2025
edited
Loading

From https://community.intel.com/t5/Processors/How-to-verify-an-Intel-PTT-endorsement-key-certificate/m-p/1613959/highlight/true#M74331, intermediate certificates are now stored On Die starting with Intel 11th gen.

This doesn't appear to be supported yet as the intermediate certificates are searched for online.

tpm2-tss/src/tss2-fapi/ifapi_curl.c

Lines 207 to 223 in da3d525

for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
if (ad->location->type != GEN_URI) {
continue;
}
uri = ad->location->d.uniformResourceIdentifier;
url = uri->data;
curl_rc = ifapi_get_curl_buffer(url, &cert_buffer, &cert_buffer_size);
if (curl_rc != 0) {
goto_error(r, TSS2_FAPI_RC_NO_CERT, "Get certificate.", cleanup);
}
goto_if_null2(cert_buffer, "No certificate downloaded", r,
TSS2_FAPI_RC_NO_CERT, cleanup);
LOGBLOB_DEBUG(cert_buffer, cert_buffer_size, "Intermediate certificate:");
}
goto_if_null2(cert_buffer, "No certificate downloaded", r,
TSS2_FAPI_RC_NO_CERT, cleanup);

Provisioning fails with

ERROR:fapi:src/tss2-fapi/fapi_crypto.c:2082:ifapi_verify_ek_cert() ErrorCode (0x00060025) No certificate downloaded
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:847:Fapi_Provision_Finish() ErrorCode (0x00060025) Verify EK certificate
ERROR:esys:src/tss2-esys/esys_iutil.c:394:iesys_handle_to_tpm_handle() Error: Esys invalid ESAPI handle (ff).
ERROR:esys:src/tss2-esys/esys_iutil.c:1105:esys_GetResourceObject() Unknown ESYS handle. ErrorCode (0x0007000b)
ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:138:Esys_FlushContext_Async() flushHandle unknown. ErrorCode (0x0007000b)
ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:66:Esys_FlushContext() Error in async function ErrorCode (0x0007000b)
ERROR:fapi:src/tss2-fapi/fapi_util.c:1171:ifapi_session_clean() Cleanup session failed.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x00060025) Provision

lscpu
Architecture:             x86_64
  CPU op-mode(s):         32-bit, 64-bit
  Address sizes:          39 bits physical, 48 bits virtual
  Byte Order:             Little Endian
CPU(s):                   12
  On-line CPU(s) list:    0-11
Vendor ID:                GenuineIntel
  Model name:             12th Gen Intel(R) Core(TM) i5-1235U
    CPU family:           6
    Model:                154
    Thread(s) per core:   2
    Core(s) per socket:   10
    Socket(s):            1
    Stepping:             4
    CPU(s) scaling MHz:   14%
    CPU max MHz:          4400.0000
    CPU min MHz:          400.0000
    BogoMIPS:             4992.00
    Flags:                fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss 
                          ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_
                          tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xt
                          pr pdcm sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefet
                          ch cpuid_fault epb ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase ts
                          c_adjust bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt clwb intel_pt sha_ni xsaveopt xsavec xget
                          bv1 xsaves split_lock_detect avx_vnni dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp hwp_pkg_re
                          q hfi umip pku ospke waitpkg gfni vaes vpclmulqdq rdpid movdiri movdir64b fsrm md_clear serialize arch_lbr ibt
                           flush_l1d arch_capabilities
Virtualization features:  
  Virtualization:         VT-x
Caches (sum of all):      
  L1d:                    352 KiB (10 instances)
  L1i:                    576 KiB (10 instances)
  L2:                     6.5 MiB (4 instances)
  L3:                     12 MiB (1 instance)
NUMA:                     
  NUMA node(s):           1
  NUMA node0 CPU(s):      0-11
Vulnerabilities:          
  Gather data sampling:   Not affected
  Itlb multihit:          Not affected
  L1tf:                   Not affected
  Mds:                    Not affected
  Meltdown:               Not affected
  Mmio stale data:        Not affected
  Reg file data sampling: Vulnerable: No microcode
  Retbleed:               Not affected
  Spec rstack overflow:   Not affected
  Spec store bypass:      Mitigation; Speculative Store Bypass disabled via prctl
  Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:             Mitigation; Enhanced / Automatic IBRS; IBPB conditional; RSB filling; PBRSB-eIBRS SW sequence; BHI BHI_DIS_S
  Srbds:                  Not affected
  Tsx async abort:        Not affected
@qfiard
Copy link
Author

qfiard commented Jan 31, 2025

Clearing the TPM appears to have fixed it.

@qfiard qfiard closed this as completed Jan 31, 2025
@qfiard
Copy link
Author

qfiard commented Jan 31, 2025

Actually no, clearing only fixed it because I had already initialized the Fapi by disabling the check. Starting from scratch raises the same error:

ERROR:fapi:src/tss2-fapi/ifapi_curl.c:222:ifapi_curl_verify_ek_cert() ErrorCode (0x00060025) No certificate downloaded 
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:974:Fapi_Provision_Finish() ErrorCode (0x00060025) Verify EK certificate 
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:182:Fapi_Provision() ErrorCode (0x00060025) Provision

@qfiard qfiard reopened this Jan 31, 2025
@JuergenReppSIT
Copy link
Member

@qfiard Thank you for reporting this problem. I will implement the reading of certificates from the address range 0x01c00100 to 0x01c001ff and add the appropriate root certificate. It would be useful for me if i could get intel certificates stored in this range for testing.

@JuergenReppSIT JuergenReppSIT mentioned this issue Feb 12, 2025
Open
@JuergenReppSIT
Copy link
Member

JuergenReppSIT commented Feb 12, 2025
edited
Loading

@qfiard I have created a draft PR (#2943). It would be great if you you could check whether it works with the Intel ODCA Root Certificate I have added.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@qfiard @JuergenReppSIT