How to backup TPM data?
Hi. Very inexperienced in computer management. To complete a security update I am instructed to clear my TPM. Before I clear it, it is recommended that I perform a backup of the TPM data. I do not know how to do this task.
I have done some Google searches, but can't seem to find the answer.
Can someone guide me through this? I have managed to navigate to the TPM manager via device management. I do have screen shots if needed.
HP ProBook 640 G1
Windows 10 build 17134.165
TPM version 1.2
I am trying to install my own web App to a ROOTED LG TV, ignoring Developer mode status. I have successfully run it with Devmode = On, but it expires after 48 hours, and I have to do it over. I want to use the TV as a menu display. I can install my App, using "ApplicationInstallerUtility -c install -p /tmp/com.xxx.xxx_1.0.0_all.ipk -u 0 -l /media/cryptofs -d", but when I try to start it with Developer Mode = Off, using ssh and luna://com.webos.applicationManager/launch, I get an error code 302, and a text "errorText": "Failed to identify a proper DRM file".
What can I do to solve this issue? How can I sign my app, without going to LG content store? Thanks in advance.
Many DRM implementations will have a check for rooted devices and will not work if they detect the device is rooted - the logic is that a rooted device may not have the same protection for the media path and the keys.
If for your use case you don't actually need DRM, which could be the case if the streams you want to play are not encrypted, then it may be worth looking at your application and removing any DRM configuration or libraries it includes.
Update
The term DRM can be used generally to describe Digital Rights Management for anything, e.g. software, book, media etc, or to refer to the common DRM solutions used to protect media such as Widevine, PlayReady, FairPlay etc.
Unfortunately, the LG WebOS documentation seems to use the term for both which makes it hard to interpret the type of error you are seeing.
The manual for the error code you are seeing simply suggests the error message should be "Failed to check DRM."
http://webostv.developer.lge.com/api/webos-service-api/application-manager/?wos_flag=launch#launch.
This might be a reference to a media DRM, but it also could be talking about the DRM used to sign and protect apps themselves.
LG have a WebOS security solutions guide also that explains their app signing security which you may be able to find on the web.
I suspect that the error message you are seeing is related to this use of the term 'DRM'.
Assuming that is the case, then unfortunately, you are either going to have to remove this security framework in your device, which I suspect will not be trivial, or submit the app to the LG content store.
I am trying to add a TPM 2.0 enabled device to Azure Device Provisioning Service Enrollment List. This requires the Endorsement Key (EKPub) of the TPM.
What would be the best way to extract (find out) the EKPub (Endorsement Key) of a TPM? I appreciate your help.
Intel provide a suite of tools for interacting with a TPM 2.0 which you can download from here: https://github.com/tpm2-software/tpm2-tools
Note you'll have to also compile and install abrmd (a resource manager) and the tss stack/libraries. The tools work on Linux (Ubuntu, RedHat, CentOS, Debian at least, and Raspbian on the Raspberry Pi with a suitable TPM board).
The command you're looking for here is tpm2_createek, which will generate the EK and store it in the TPM. Meaning that the TPM 2.0 has a seed value from which the EK (and AK) is generated when needed. Typically (at least that is what we do) you generate the EK and AK, then move these to persistent handles so they survive power down.
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_createek.1.md
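Once tpm2_createek has written the public part (its -u option saves the marshalled TPM2B_PUBLIC, as does tpm2_readpublic -o), the EKPub can be inspected without any TPM library. The parser below is an added example, not tpm2-tools code or anything from the thread: it walks the TPMT_PUBLIC fields of an RSA key as laid out in the TPM 2.0 Library spec (Part 2), decodes the object attributes, recovers the modulus and exponent, computes the key's TPM name (nameAlg || hash of the public area), and base64-encodes the whole blob, which is the form provisioning tooling typically asks for (check the service's own documentation for the exact expected encoding). The sample blob is constructed here with a dummy modulus and a placeholder policy digest; the function and constant names are this example's own.

```python
import base64
import hashlib
import struct

# Algorithm identifiers from the TPM 2.0 Library spec, Part 2 (Structures).
TPM_ALG_RSA = 0x0001
TPM_ALG_AES = 0x0006
TPM_ALG_SHA256 = 0x000B
TPM_ALG_NULL = 0x0010
TPM_ALG_CFB = 0x0043

# TPMA_OBJECT bits that matter when judging whether a key is an EK.
OBJECT_ATTRS = {
    0x00000002: "fixedTPM",
    0x00000010: "fixedParent",
    0x00000020: "sensitiveDataOrigin",
    0x00000040: "userWithAuth",
    0x00000080: "adminWithPolicy",
    0x00000400: "noDA",
    0x00010000: "restricted",
    0x00020000: "decrypt",
    0x00040000: "sign",
}


def decode_attributes(attrs):
    """Return the names of the TPMA_OBJECT bits set in attrs, lowest bit first."""
    return [name for bit, name in sorted(OBJECT_ATTRS.items()) if attrs & bit]


def parse_rsa_tpm2b_public(blob):
    """Parse a marshalled TPM2B_PUBLIC holding an RSA key (the bytes that
    tpm2_createek -u / tpm2_readpublic -o write) into a dict of fields."""
    (size,) = struct.unpack_from(">H", blob, 0)
    area = blob[2:2 + size]            # the TPMT_PUBLIC that follows the size
    if len(area) != size:
        raise ValueError("truncated TPM2B_PUBLIC")
    off = 0
    key_type, name_alg, attrs = struct.unpack_from(">HHI", area, off)
    off += 8
    if key_type != TPM_ALG_RSA:
        raise ValueError("not an RSA key: 0x%04x" % key_type)
    (policy_len,) = struct.unpack_from(">H", area, off)
    off += 2
    auth_policy = area[off:off + policy_len]
    off += policy_len
    # TPMS_RSA_PARMS: symmetric (TPMT_SYM_DEF_OBJECT), scheme, keyBits, exponent
    (sym_alg,) = struct.unpack_from(">H", area, off)
    off += 2
    if sym_alg != TPM_ALG_NULL:
        off += 4                       # keyBits and mode only follow a real sym alg
    (scheme,) = struct.unpack_from(">H", area, off)
    off += 2
    if scheme != TPM_ALG_NULL:
        off += 2                       # the scheme's hash algorithm
    key_bits, exponent = struct.unpack_from(">HI", area, off)
    off += 6
    (mod_len,) = struct.unpack_from(">H", area, off)
    off += 2
    modulus = area[off:off + mod_len]
    off += mod_len
    if off != size or len(modulus) != mod_len:
        raise ValueError("malformed TPMT_PUBLIC")
    if name_alg != TPM_ALG_SHA256:
        raise ValueError("unsupported nameAlg 0x%04x" % name_alg)
    # A key's TPM name is nameAlg || nameAlg-hash(marshalled TPMT_PUBLIC).
    name = struct.pack(">H", name_alg) + hashlib.sha256(area).digest()
    return {
        "attributes": decode_attributes(attrs),
        "auth_policy": auth_policy.hex(),
        "key_bits": key_bits,
        "exponent": exponent or 65537,  # 0 in the structure means the default
        "modulus": modulus.hex(),
        "name": name.hex(),
        "base64": base64.b64encode(blob).decode(),
    }


def build_sample_ek_blob():
    """Constructed sample: an EK-shaped RSA-2048 TPM2B_PUBLIC with a dummy
    modulus and a placeholder policy digest (not a real TPM's output)."""
    policy = bytes(range(32))                 # placeholder, not the TCG EK policy
    modulus = bytes([0xC0] + [0x5A] * 255)    # dummy 256-byte modulus
    area = struct.pack(">HHI", TPM_ALG_RSA, TPM_ALG_SHA256, 0x000300B2)
    area += struct.pack(">H", len(policy)) + policy
    area += struct.pack(">HHH", TPM_ALG_AES, 128, TPM_ALG_CFB)   # symmetric parms
    area += struct.pack(">H", TPM_ALG_NULL)                       # scheme: none
    area += struct.pack(">HI", 2048, 0)                           # keyBits, exponent
    area += struct.pack(">H", len(modulus)) + modulus
    return struct.pack(">H", len(area)) + area


if __name__ == "__main__":
    # For a real key, replace the constructed blob with open("ek.pub", "rb").read()
    for field, value in parse_rsa_tpm2b_public(build_sample_ek_blob()).items():
        print(field, value)
```

An EK created from the standard template shows fixedTPM, fixedParent, sensitiveDataOrigin, adminWithPolicy, restricted and decrypt, and never sign; if the attributes you decode from a real file differ, you are not looking at an endorsement key and should not enroll it as one.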
We will start using Microsoft Intune for all our devices soon, and while configuring Intune, the question came up of which certificate to choose, for authentication etc.
I have followed this link and others similar: https://learn.microsoft.com/en-us/intune/certificates-configure
However, these links only explain how to install CAs, configure settings etc. I cannot find a clear differentiation between the 2 certificates (SCEP and PFX) and why one would choose one over the other.
Are there any general guidelines to follow?
Edit: Our devices are mostly company laptops, with Windows 10.
It's hard to say how to choose one kind rather than the other. It really depends on what devices you're using and what platforms run on those devices:
You can create and assign a PKCS or SCEP certificate profile for devices running the following platforms:
iOS 8.0 and later
Android 4.0 and later
Android for Work
Windows 10 (desktop and mobile) and later
You can only use a SCEP certificate profile for devices running the following platforms:
macOS 10.9 and later
Windows Phone 8.1 and later
So, it's clear that if your devices are using the macOS 10.9 and later or Windows Phone 8.1 and later platforms, you must choose to use SCEP certificates.
Also, it sometimes depends on what CA your network devices support. E.g., if your VPN devices only support a SCEP CA, you just need to use a SCEP CA.
You can also refer to this Tech Note of Cisco to find more details about SCEP and PKCS.
For same devices:
If you are building a prototype or a small, non-critical service, then go with PKCS12.
If you use SCEP profiles, you need to configure a Network Device Enrollment Service (NDES) server. So, if you are building a serious product (production and touching devices of people with sensitive info), then go with SCEP (you can get free SCEP servers; it's not that complex).
Hope this helps!
I have a machine with TPM and I am running windows 7 on it.
I have a piece of code and I want to run it and get the PCR register values at that time.
How can I do that?
Secondly, if I run the same code on another machine, can I get the same PCR values? If I cannot, then is there any way to get it?
EDITED version below
The Scenario is as follows,
I have an executable code written in C++ (for example a simple card game).
I want to run this file on my computer.
I want to get the PCR values.
The Windows platform has 24 PCR registers. Now, which register has the hash of my running file (game)?
Without detailed information I can just provide a general answer. I will edit it if you provide more details.
Reading PCRs
There is a low-level Windows API you can use. Look at this question and its answer:
Controlling TPM with C#.
Basically look at the documentation of TPM Base Services (TBS). You will need to implement the read command on your own.
If you have a Java application, use JSR321 or jTSS.
There is an experimental port of TrouSerS for Windows.
Comparison of PCRs
A TPM on a PC platform will have 24 PCRs. In almost all cases the set of all 24 will not be the same on two different machines. In general you cannot alter its values, especially not the "lower" ones representing firmware measurements. I guess what you are looking for is information whether a remote PC is in a trusted state or not. That's the holy grail. Get some literature on Trusted Computing and search the web for "trusted computing + attestation".
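The reason two machines (or two boots) rarely share PCR values is the extend operation: software can never write a PCR, only fold a new measurement into it, so each register ends up encoding the whole ordered sequence of measurements since reset. The simulation below is an added example, not code from the answer; it models a TPM 1.2 style SHA-1 bank (and optionally a SHA-256 bank as on TPM 2.0), replays a measurement log the way a remote verifier does when checking a quote, and shows that identical measurement sequences agree while a changed firmware image or a changed order does not. The PCR index used for the application measurement (APP_PCR) is an arbitrary choice for this example, since which register a real platform uses for a given component is exactly the platform convention the question asks about; the firmware and game bytes are constructed stand-ins.

```python
import hashlib

PCR_COUNT = 24   # a PC platform TPM exposes 24 PCRs
APP_PCR = 23     # index chosen for this example only, not a platform guarantee


class PcrBank:
    """Simulated bank of PCRs. Like a real TPM it offers no 'write', only
    extend: PCR_new = H(PCR_old || H(data)), starting from all-zero at reset."""

    def __init__(self, hash_name="sha1"):
        # TPM 1.2 has a single SHA-1 bank; TPM 2.0 normally adds SHA-256.
        self.hash_name = hash_name
        self.size = hashlib.new(hash_name).digest_size
        self.pcrs = [bytes(self.size) for _ in range(PCR_COUNT)]
        self.log = []   # event log: (pcr index, description, measurement digest)

    def measure(self, data):
        """Hash the component being measured (file contents, firmware image)."""
        return hashlib.new(self.hash_name, data).digest()

    def extend(self, index, data, description=""):
        """Fold a measurement of data into PCR[index] and record the event."""
        digest = self.measure(data)
        self.pcrs[index] = hashlib.new(self.hash_name, self.pcrs[index] + digest).digest()
        self.log.append((index, description, digest))
        return self.pcrs[index]

    def read(self, index):
        return self.pcrs[index]


def replay_log(log, hash_name="sha1"):
    """Recompute the expected PCR values from an event log. A verifier does
    this to check that a quoted PCR set matches the log the machine sent."""
    size = hashlib.new(hash_name).digest_size
    expected = [bytes(size) for _ in range(PCR_COUNT)]
    for index, _description, digest in log:
        expected[index] = hashlib.new(hash_name, expected[index] + digest).digest()
    return expected


def boot_and_run(firmware, game_binary, hash_name="sha1"):
    """Constructed boot sequence: firmware measured into PCR0, then the
    application (the card game from the question) into APP_PCR."""
    bank = PcrBank(hash_name)
    bank.extend(0, firmware, "firmware image")
    bank.extend(APP_PCR, game_binary, "game.exe")
    return bank


if __name__ == "__main__":
    # Constructed inputs standing in for a firmware image and a game executable.
    same_a = boot_and_run(b"firmware-v1", b"game-bytes")
    same_b = boot_and_run(b"firmware-v1", b"game-bytes")
    other = boot_and_run(b"firmware-v2", b"game-bytes")
    print("PCR0 equal on identical boots:", same_a.read(0) == same_b.read(0))
    print("PCR0 equal with other firmware:", same_a.read(0) == other.read(0))
    print("log replay matches bank:", replay_log(same_a.log) == same_a.pcrs)
```

The last check is the heart of attestation: a verifier never trusts a PCR value in isolation, it recomputes the expected values from the event log and compares them with the TPM-signed quote. That is also why there is no way to "get" another machine's PCR values for your program: only a machine whose whole measured boot matched, event for event, would produce them.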
How can I develop applications that use Arm's trust zone? Specifically, I want to develop a program that can save sensitive data in the secure world.
Should this program run in the normal world or the secure world? I know there are trustlets in the secure world, do I need to develop trustlets? Are there SDKs or APIs that I can use to directly interact with an existing secure world OS, or do I need to compile and install my own secure OS?
Any advice will be greatly appreciated.
Thank you!
There are two extremes. These are documented in the Software overview chapter of ARM's Security Technology: Building a Secure System using TrustZone Technology.
APIs
At the one end of the spectrum, there is only a set of APIs which can be called from the normal world. This is detailed in the SMC calls for Linux. For instance, if the device contains a public-private key, an API call could sign data. The normal world would never have access to the private key, but anyone can verify that the device is original by verifying the signature. So the normal world is free to forward this request over any communications interface. This may be part of authenticating a device.
Co-operative OSs
In this mode, there is a full blown OS in both the secure and normal world (called TEE and REE elsewhere). The OSs must co-operate with interrupts and scheduling. They may also use SMC calls, lock free algorithms and semaphores along with shared memory.
ARM recommends using the FIQ for the secure world and leaving the IRQ for the normal world. Specifically, there are settings to stop the normal world from ever masking the FIQ. All of these issues depend on the type of IPC, scheduling, interrupt response, etc. that the system needs.
The simplest Secure scheduler would always pre-empt the normal world. Only the idle task would yield the CPU to the normal world. A more flexible solution would have the schedulers co-operate so that both worlds can have higher and lower priority tasks.
The better way is to install a REE OS and a TEE OS in one device. When a program wants to do some sensitive things, the device will switch to the TEE OS, so you can deal with sensitive data securely. When you are done with the sensitive data, the device will switch back to the REE OS.
But implementing the switch between two OSs on a device is tough work.
Operating Systems such as MobiCore already exist and have been deployed on mass market devices such as Samsung Galaxy S3.
MobiCore is an OS that runs alongside Android, so trustlets (= MobiCore apps) can communicate with Android apps via a set of system calls to the MobiCore driver, which is the part of the Android OS in charge of communicating with the trusted execution environment.
If you are looking to develop trustlets for MobiCore as explained above, you must become a MobiCore developer, which you could theoretically do by signing up as a developer for MobiCore's Trustonic venture.
If you wish to use ARM's TrustZone technology on your own device / dev board with an open-source secure OS, perhaps you can use OpenVirtualization's SierraTEE, which seems to be compiled for Xilinx Zynq-7000 AP SOC and also compatible with Android as the rich OS.
You can use the OP-TEE (Open Source Portable Trusted Execution Environment) OS. If you are looking for trusted execution environment application examples, which are also known as Trusted Applications (TAs), then you can check this optee trusted applications examples repository and this TA using OP-TEE and Comcast Crypto API.
OP-TEE OS provides the following APIs for writing Trusted Applications:
Secure Storage APIs for secure storage
Cryptographic Operations APIs for encryption and decryption of secure credentials and data
Secure Element API, which helps in hosting applications or applets on a tamper-resistant platform
Time APIs
Arithmetical APIs
For the client side, or normal world, OP-TEE provides:
TEE Client APIs
You can refer to the documentation here.