I am using IBM TPM v1332 + IBM TSS v1470 now and trying to store some essential keywords/passwords to non-volatile memory on TPM.
I found two ways to do so. One is to create a sealed object and use evictcontrol to store it, like:
${PREFIX}evictcontrol -ho $objHandle -hp 81800002 -hi p
Another way is using NV command directly to store something:
${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn
${PREFIX}nvwrite -ha 01000000 -pwdn nnn
However, I couldn't find any information about the non-volatile spaces available in TPM. Is this described in the TPM spec? Where could I find the information? Thanks.
The TPM PC platform specification says:
"1.The TPM SHALL provide a minimum of 6962 (dec) bytes of NV Storage."
If you use evictcontrol you should note that the TPM allows only a small number of persitstent objects at the same time (at least 7, of which 4 are reserved).
You can get the number of available persistent slots using the TPM2_GetCapability command with TPM_CAP_TPM_PROPERTIES as capability. TPM_PT_HR_PERSISTENT_AVAIL will be at least 1 if you can store another object.
The amount of available NV memory is device dependant, you have to check the data sheets. I suggest to work with the numbers from the PC platform specification, they are valid for every device.
Related
I'm sorting out how to achieve the following, I want to use smart or memory cards in a project. The cards should be read by standardized card readers (for example ACR38). When they are read by the computer ( command line or by a software (processing or p5js or similar), there should be a popup a window which shows the contents of the card being a picture and a text. Bit similar when I use my regular ID to be read by my E-idsoftware.
For the moment the card I have is this one SLE4428 (at the bottom instructions from the vendor)
These have no data on it yet and are bought blank
=> datasheet
The software I found but don't know if it's suited for my project and how to specifically use it is the following.
Opensource tools that I found when searching for SC cards software (no id how to use them.)
https://linux.die.net/man/1/opensc-tool
https://linux.die.net/man/1/opensc-explorer
I looked at my smartcard reader and found that http://www.acr38u.com/
is a platform but has to be payed for and I'm unable to found sofware for this on linux or apple.
Again here I found a datasheet with hex code to connect to the card, but still not how to physically connect to the cards.
This site shows many points of a working shell but I can't find the installer for it. opendsc
Then lastly this is the most promising and I already contacted the maker of it. But installation gets stuck in the make process (which I've already searched for and is not solution yet, being at it for a week now so therefore this post, maybe the community can help with an alternative look)
This is the explanation from the vendor side (Aliexpress) which is kind of specific. Though I don't know where to input these hex codes to write or read from the card. (there is a software but it's windows (If there is somebody that can say, that the way to solve the core question of my project then I'll try to get a windows pc to work on it via that way))
ISO7816 SLE 4442 Chip PVC Contact Smart Card (0.8* 85.5 * 54mm)
If you need write the 4442 cards,you should buy the contact smart reader writer!! 4442 cards not support 13.56mhz rfid writer!!!
NOTE:There is NO magnetic strip behind the card.
Graphics Quality Cards For All Photo ID Card Printers Including
DataCard, Zebra, Fargo, Evolis, Magicard, NBS & etc.
(These Cards Will Not Work In Inkjet Printers)
If you need 100pcs 4442 cards,pls check the links below:
[https://www.aliexpress.com/store/product/100-pcs-lot-ISO7816-RFID-Contact-SLE-4442-Chip-PVC-Smart-Card/516120_32425491077.html?spm=2114.12010608.0.0.R0bzFx][1]
Features:
Standard:ISO7816
Product Chip:SLE4442
Color:White
Dimension: L 85.5 x W 54 x H 0.80±0.04mm
256 × 8-bit EEPROM organization
32 × 1-bit organization of protection memory
erase cycles more than 100,000 times
Data retention for minimum of ten years
Default passwords: FFFFFF
3 bytes for error counter and card secret code area
1,Write protected area (first 32 bytes) of each byte can be individually write protected, After write,the data can't be changed.
2, Before checking the password, all the data can be read, if necessary,you could encryption data.
3, After confirm password is correct,the data could be write or modify.
4, The 3 bytes of user passwords, after confirm is correct,it could be change.
5, The password error counter, the initial value of 3, check the error code 1, then subtract 1, if the counter value is 0, the card is automatically locked, the data just read out, no longer change can no longer be password verification; if zero, the one time password verification is correct, restore to the initial value.
6, The byte address 0-5,6-7 factory prior written by the manufacturers can not be changed.
The specifics for this question lies in either
A: How can I achieve a working environment on linux or mac (first) to read and write data on an sc card (the one I have or !B: a working alternative)
C: Create a viewer program or webapp, etc.. to view or route the data to when the SC card is being read. (This would be a valid question, If i where to chose a Windows based existing program, I think)
Because this is not code specific, but I still want people that have the same questions to be able to see this page to show them pletora of scripts and ways to approach this or similar SC project.
This guy knows a lot about OpenSC!
As I understand the term "word length" (spi_bits_per_word) in spi, defines the CS (chip select) active time.
It therefore seems that linux driver will function correctly when dealing with simple spi protocols which keeps word size constant.
But, How can we deal with spi protocols which use different spi size as part of protocol.
for example cs need to be active for sending spi word - 9 bits, and then reading spi - 8 bits or 24 bits (the length of the register read is different each time, depends on register)
How can we implement that using spi_write_then_read ?
Do we need to set bits_per_word size for the sending and then another bits_per_word for the receiving ?
Regards,
Ran
"word length" means number of bits you can send in one transaction. It doesn't defines the CS (chip select) active time. You can keep it active for whatever time you want(least is for word-length).
SPI has got some format. You cannot randomly read-write whatever number of bits you want.Most of SPI supports 4-bit, 8-bit, 16-bit and 32-bit mode. If the given mode doesn't satisfy your requirement then you need to break your requirement. For eg:- To read 24-bit data, we need to use 8-bit word-length transfer for 3 times.
Generally SPI is fullduplex means it will read at same time it will write.
The dmaengine in Linux significantly simplifies writing of drivers for devices using DMA, especially if they support and use scatter-gather (SG) transfers.
However, there is a problem in case if the length of such transfer is not known a priori. This situation is quite common. It may happen in case of USB transfers, or in case of AXI Stream transfers. In the case of an AXI Stream connected device, the transfer should be terminated by setting the tlast signal to '1'. The driver should prepare the buffer for the longest possible transfer, but after the transfer is complete, it should be able to find the number of actually transferred bytes. Unfortunately it seems, that there is no documented way to read the length of the completed transfer.
The single transfer is represented with an SG-table, that is later converted into the dma_async_tx_descriptor, using the dmaengine_prep_slave_sg function , submitted to the DMA layer (e.g. like here), and finally scheduled for execution via dma_async_issue_pending. After that, the transfer descriptor may be accessed only via a dma_cookie returned by the dmaengine_prep_slave_sg function.
The problem with determining the actual length of the transfer was reported for the USB transfers, and a patch adding the transferred field to the dma_async_tx_descriptor was proposed. However that proposal was rejected, and after a discussion a solution based on using the dmaengine_tx_status, and checking the residue field in the returned dma_tx_state structure.
Unfortunately, it seems that the proposed solution does not work neither in the 4.4 kernel (used for Xilinx SoC devices) nor in the newest 4.7 kernel.
The residue field is set to 0 in case of completed transfers regardless of the actual number of transferred bytes.
So my question is: How can I reliably determine the actual number of transferred bytes in the completed SG DMA transfer in a dmaengine compatible driver?
PS. That question with more Xilinx-specific details related to the AXI DMA IP core has been also asked on the Xilinx forum.
I need to read serial number of MiFare card usin WinSCard. I am able to read 7B UID from the MiFare card.
The confusion is that i dont know if the UID and the serial number of
MiFare card are same?!!
I have googled the issue but only could get partial success. I found a question on stackoverflow also but it did not help.
I found a document of NXP online which says UID and serial number are different. (on page number 3, line number 5)
There is an application of OmniKey that reads the serial number of the card, and it also returns UID only.
NXP documentation says UID <> Serial Number and a other standard OmniKey application returns UID as Serial Number.
I have started pulling my hair off on the issue. I'd greatly appreciate if anyone could help.
Each smart card contains an integrated chip with a unique permanent identification (UID) number burned-in during the manufacturing process. This UID is often referred to as the Card Serial Number (CSN). The card serial number is not encrypted and any reader that is ISO compliant can read the card serial number.
Edit 1:
Mifare Card Serial Number is the unique identifier defined in ISO 14443-3A. There are 3 types of UID defined in the standard - single (4 bytes), double (7 bytes) and triple (10 bytes). Only in first versions of the Mifare card, the UID was 4 bytes but now have migrated to 7 bytes.
EDIT 2:
It might be helpful to you...
What is the difference between a 4 byte UID and a 4 byte ID?
A 4 byte UID is an identifier which has been assigned by the card
manufacturer using a controlled database. This database ensures that a
single identifier is not used twice. In contradiction, a 4 byte ID is an
identifier which may be assigned to more then one contactless chip over
the production time of a product so that more then one card with the same
identified may be deployed into one particular contactless system.
The differentiation in this case comes from the fact that a "Serial Number" implies that the numbers are a series, thus sequentially assigned.
MIFARE cards have Unique Identification Numbers (or in short UID), which are generated by an internal rule which is not necessarily sequential. This means that if you see a card with UID 01020304050607 it does not mean that there are at least that many cards produced so far.
If you ever see someone referring to the Card Serial Number, they are in fact referring to the UID.
The only last confusion can come from the fact that MIFARE cards can be configured to return Random IDs during activation. If that is the case, you would get different "UID" each time you activate the card. In that scenario you need to read the data contained in Block 0 (for which you will need to know the key to sector 0) to get the real UID of the card.
For DesFire cards:
UID is analogous to ethernet MAC address. It is assigned by the chip
manufacturer from a database. Everyone who creates applications for
the card has access to the UID.
The Card Serial Number is specific
to the application loaded on to the card. It can only be accessed by
that application via an encryption key. If the card had several applications loaded on to
it (unlikely but possible), then each could have a different CSN.
I am trying to understand the concept of java card , I have some doubts , I want to share with , perhaps you would any best suggestion for me.
//Jcop- I read somewhere that Java Card OpenPlatform (JCOP) is a smart card operating system for the Java Card platform developed by IBM Zürich Research Laboratory.
question 1- if this above sentence is right it means jcop is an operating system developed by IBM, handle all operation inside the card.right?
I have a card which indicate
ATR like- 3b 89 80 01 4a ....40 ( in character form it indicate- ;---jcop41v22m) ,
so can i say? this is a card which o.s is made by IBM. and we require only and only JCOP tool to send cap inside this card because OS inside is JCOP and jcop tool would be the only option to talk to jCOp card?
question 2- or is there any other method by which i can send the applet inside my card?
enable_trace
establish_context
card_connect
select -AID a0000000030000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
delete -AID D0D1D2D3D4D50101
delete -AID D0D1D2D3D4D501
delete -AID D0D1D2D3D4D50101
install -file helloworld.cap -nvDataLimit 500 -instParam 00 -priv 2
# getdata
# close_sc // Close secure channel
# putkey // Put key
// options:
// -keyind Key index
// -keyver Key version
// -key Key value in hex
card_disconnect
release_context`
question 3- above code i got from gpshell 1.4.4 , the code style indictate that this is also a method tp send cap file inside the java card, I want to know that for my card case { atr is -3b 89 80 01 4a ....40 ( in character form it indicate- ;---jcop41v22m)} , I can apply gpshell to send .cap file in my card.
question 4- is gpshell is used to send cap into a special java card which is not jcop enable or which does not contaion jcop operating system?
there are so many techniques , so many type of java card, it makes me confuse , I hope you seems this question genuine and would give me revert back
regards:-
The question is good. I see a lot of people that work with smart card for years and cannot still get the picture.
What you read is right JCOP is operating system for smart cards.
Although it is NOT true that you have to use JCOP tool to deploy applets. They might be helpful but it is not the only way. In fact what you need to know is what version of Global Platform is supported by your card. Global Platform is the standard that defines how Card Contend is managed. This includes installation, security concept and so on. For example if your card support GP 2.1.1 you should use this document as a reference:
http://www.win.tue.nl/pinpasjc/docs/Card%20Spec%20v2.1.1%20v0303.pdf
All the tools like gpshell, jcshell are wrapping global platform commands in more user friendly commands, and also implementing the security protocols for you. So you can use whatever tool that supports the GP version of your target card.
I hope this makes it a bit more clear.
Answer to the subject of the question is:
NO.
Have a look at https://github.com/martinpaljak/GlobalPlatform
NXP currently owns JCOP, you should go to them for questions.
Yes, the VM inside a Java Card implementation executes all byte code.
You can use any Global Platform compatible library, although there are some implementation mistakes that could make a difference.
Try it, it should work
Java Card is a standard, and implementations are tested by Oracle, so sending your Applet to another card should work *1
*1 unless you make assumptions that are not cleared up in Java Card, use too much stack or heap memory for that card, use crypto algorithms that are not present, Java Card API's that have not been implemented by the other card, or of course, proprietary JCOP functionality.
The answer to question 1 is "no". You shouldn't rely on the historical bytes "jcop41v22" in the ATR to recognize the type of card. Any Java Card applet can change these bytes.
Q1&Q2: No.It's right that Java Card OpenPlatform (JCOP) is a smart card operating system for the Java Card platform.But it's not the only tool to deploy applet. For example,i'm using PyAPDUTool to send cap file inside the java card.
Q3: Yes,you can use gpshell to send .cap file in your card.
Q4: NO,you can also send your applet to other javacards.
NO.
You can take a look at this website "www.javacos.com" . On this the tool of jcide also can get what you want And it is free of charge.Although some function is not very perfect.