Upload EK certificate into TPM NVRAM

I am trying to use an application that utilizes the TPM EK certificate on the hardware to perform hardware attestation. I am using an UPxtreme i7 board and I noticed there was no EK certificate in the TPM NVRAM. I have been trying unsuccessfully to manually create an EK certificate and upload it into the NVRAM. Any ideas on how to go about this?
I am using ubuntu 20.04 on the board and I have installed all the necessary tpm tools.
Steps I took:
tpm2_createek -G rsa -u ek.pub -c key.ctx   # to create the EK key
tpm2_getekcertificate -X -o ECcert.bin -u ek.pub https://ekop.intel.com/ekcertservice/   # to get the EK certificate
tpm2_nvdefine 0x01c00002 -C o -s 1033 -a 'ppwrite|writedefine|write_stclear|ppread|ownerread|authread|no_da|written|platformcreate'   # to define the NVRAM index. This is where I keep getting errors.
Error:
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:344:Esys_NV_DefineSpace_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x000002c2)
ERROR: Failed to define NV area at index 0x1C00002
ERROR: Esys_NV_DefineSpace(0x2C2) - tpm:parameter(2):inconsistent attributes
ERROR: Unable to run tpm2_nvdefine
Any ideas on how to successfully define the NVRAM index and upload the certificate, or a better approach to this? Thank you.

The written flag should not be provided; it is set by the TPM when an nvwrite is executed, and setting it directly causes an inconsistent attributes error. See Trusted Platform Module Library
Part 2: Structures, table 204, for more details about the flags.
The following works for me:
$ tpm2_nvdefine 0x01c00002 -C p -a 'ppwrite|writedefine|ppread|ownerread|authread|no_da|platformcreate'
$ tpm2_nvwrite 0x01c00002 -C p -i ek.cert
Be aware that the 0x01c00002 index is the NV index for an RSA 2048 EK certificate. Use 0x01c0000a if you want an ECC NIST P256 EK certificate. See TCG EK Credential Profile, chapter 2.2.1.4.
To finish it up, you should lock the index so the certificate cannot be overwritten:
$ tpm2_nvwritelock 0x01c00002 -C p
I hope the answer is complete enough for you :)
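As an added example (not code from the thread or from tpm2-tools), the following Python reproduces the consistency checks TPM2_NV_DefineSpace applies to the attribute word, so a request like the one in the question is rejected locally with a readable reason instead of the TPM's 0x2C2. The attribute names are the ones tpm2_nvdefine -a accepts and the bit numbers come from TPMA_NV in Part 2; the only assumption is the 2048-byte index ceiling, which varies per TPM (read TPM2_PT_NV_INDEX_MAX with tpm2_getcap properties-fixed on the target).

```python
"""Check a tpm2_nvdefine request before sending it to the TPM.
Added example for the thread above; not code from tpm2-tools.
Bit numbers follow TPMA_NV (TPM 2.0 Library Part 2) and the names are
the ones tpm2_nvdefine -a accepts; the consistency rules are the ones
TPM2_NV_DefineSpace enforces (Part 3) before answering TPM_RC_ATTRIBUTES,
which tpm2-tools printed as 0x2C2 'inconsistent attributes' above."""

TPMA_NV_BIT = {
    "ppwrite": 0, "ownerwrite": 1, "authwrite": 2, "policywrite": 3,
    "policydelete": 10, "writelocked": 11, "writeall": 12, "writedefine": 13,
    "write_stclear": 14, "globallock": 15,
    "ppread": 16, "ownerread": 17, "authread": 18, "policyread": 19,
    "no_da": 25, "orderly": 26, "clear_stclear": 27, "readlocked": 28,
    "written": 29, "platformcreate": 30, "read_stclear": 31,
}
WRITE_AUTH = {"ppwrite", "ownerwrite", "authwrite", "policywrite"}
READ_AUTH = {"ppread", "ownerread", "authread", "policyread"}
# Maintained by the TPM itself; NV_DefineSpace requires them CLEAR.
TPM_STATE_BITS = {"written", "writelocked", "readlocked"}

# EK certificate indices, low range, from the TCG EK Credential Profile.
EK_CERT_INDEX = {0x01C00002: "RSA 2048 EK certificate",
                 0x01C0000A: "ECC NIST P-256 EK certificate"}

# Assumed ceiling for a single index; read the real value with
# `tpm2_getcap properties-fixed` (TPM2_PT_NV_INDEX_MAX) on the target TPM.
ASSUMED_NV_INDEX_MAX = 2048


def parse_attrs(spec):
    """'a|b|c' as given to tpm2_nvdefine -a -> set of attribute names."""
    names = {n.strip() for n in spec.split("|") if n.strip()}
    unknown = sorted(names - TPMA_NV_BIT.keys())
    if unknown:
        raise ValueError(f"unknown TPMA_NV attribute(s): {unknown}")
    return names


def tpma_nv(spec):
    """Encode the attribute string as the 32-bit TPMA_NV value."""
    return sum(1 << TPMA_NV_BIT[n] for n in parse_attrs(spec))


def check_define(index, spec, hierarchy, size):
    """Reasons NV_DefineSpace would refuse this request; an empty list means it is consistent.
    hierarchy is 'o' (owner) or 'p' (platform), as in tpm2_nvdefine -C."""
    attrs = parse_attrs(spec)
    problems = []
    state = sorted(attrs & TPM_STATE_BITS)
    if state:
        problems.append(f"{state} are set by the TPM itself and must be clear at define time")
    if not attrs & WRITE_AUTH:
        problems.append("no write authorization attribute set")
    if not attrs & READ_AUTH:
        problems.append("no read authorization attribute set")
    if ("platformcreate" in attrs) != (hierarchy == "p"):
        problems.append("platformcreate must be set exactly when defining with platform authorization (-C p)")
    if not 0 < size <= ASSUMED_NV_INDEX_MAX:
        problems.append(f"size {size} outside 1..{ASSUMED_NV_INDEX_MAX} (assumed TPM2_PT_NV_INDEX_MAX)")
    return problems


def cert_fits(index, size, cert_der):
    """The index must hold the whole DER certificate: -s may not be smaller than the file."""
    name = EK_CERT_INDEX.get(index, "not an EK certificate index")
    return len(cert_der) <= size, name


if __name__ == "__main__":
    asked = "ppwrite|writedefine|write_stclear|ppread|ownerread|authread|no_da|written|platformcreate"
    fixed = "ppwrite|writedefine|ppread|ownerread|authread|no_da|platformcreate"
    print(f"{tpma_nv(asked):#010x}", check_define(0x01C00002, asked, "o", 1033))
    print(f"{tpma_nv(fixed):#010x}", check_define(0x01C00002, fixed, "p", 1033))
```

Run stand-alone it reports the question's string with two problems (written set, and platformcreate combined with -C o) and the answer's string with none; cert_fits is the -s check, so the size given to tpm2_nvdefine is at least the length of the DER file you are about to nvwrite.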

Control remote pi GPIO with domoticz

There are 2 pi in this setup:
- PI-domo: running domoticz
- PI-pump: controlling a pump with one GPIO
Those pi are far away, but can communicate through the network. PI-domo has passwordless ssh login set up to pi-pump, and contains three scripts:
- pump_on.sh: sends a value to the gpio over ssh to turn the pump on and returns 1
`ssh pi@pi-pump -n "echo 0 > /sys/class/gpio/gpio18/value" && echo 1`
- pump_off.sh: sends a value to the gpio over ssh to turn the pump off and returns 0
`ssh pi@pi-pump -n "echo 1 > /sys/class/gpio/gpio18/value" && echo 0`
- pump_status.sh: returns 1 if the pump is on, 0 if the pump is off.
All three scripts work as expected when launched in bash, but I can not find how to call them with domoticz. I created a virtual switch and set those as script:///.....[on off].sh but domoticz doesn't seem to be running any of them. Nor could I find a place to read the status...
Any idea or link to a RECENT (working) tutorial would be welcome!
Found the issue: stupid me.
It turns out domoticz process was running as root and root didn't have the key setup for passwordless ssh.
I know that this is an old thread and it is answered already, but I have stumbled on the same issue and found that online answers lacked detail. So, here it goes:
On PI-domo run
sudo su to become root
Generate a new key using ssh-keygen -t rsa -b 4096 -C "nameofyourkey"
Copy your key to PI-pump by using ssh-copy-id -i /root/.ssh/yourkey.pub pi@pi-pump
ssh to pi-pump to test that the ssh agent for root is working, and if all is well, exit and go back to being the pi user.
Note 1: Although logging in as root of PI-domo, it is critical that pump_off.sh and pump_status.sh contain pi@pi-pump and not root@pi-pump, or this approach will fail.
Note 2: The Domoticz log indicates that the above process has some error by outputting Error: Error executing script command (/home/pi/domoticz/scripts/pump_off.sh). returned: 65280. Note the 65280 error in particular.
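Once root on PI-domo holds a key for pi@pi-pump, that key grants a full shell on pi-pump, so a practitioner would pin it to the one job it has. As an added example (not from the thread), here is a forced-command wrapper in Python for the pi-pump side plus the authorized_keys line that restricts the key to it. The install path /usr/local/bin/pump-ctl, the PUMP_GPIO_VALUE override and the scratch_gpio helper are assumptions for illustration and testing. With it, the PI-domo scripts become ssh pi@pi-pump on && echo 1 (and off, status), and any other command sent with that key is refused before it reaches a shell; decode_wait_status explains the 65280 in Note 2.

```python
"""Forced-command wrapper for the pi-pump side of the setup above.
Added example, not code from the thread.  It assumes root@PI-domo's key
is pinned in /home/pi/.ssh/authorized_keys on pi-pump to this script,
installed at /usr/local/bin/pump-ctl (hypothetical path), so a key kept
in root's home on PI-domo can only switch or read the pump."""
import os
import sys
import tempfile

WRAPPER_PATH = "/usr/local/bin/pump-ctl"                          # assumed install location
GPIO_VALUE = os.environ.get("PUMP_GPIO_VALUE", "/sys/class/gpio/gpio18/value")

# The thread's scripts drive the pin active-low: writing 0 turns the pump on.
LEVEL_FOR = {"on": "0", "off": "1"}


def authorized_keys_line(pubkey):
    """authorized_keys entry that restricts the key to the wrapper and nothing else."""
    options = ",".join([f'command="{WRAPPER_PATH}"', "no-port-forwarding",
                        "no-X11-forwarding", "no-agent-forwarding", "no-pty"])
    return f"{options} {pubkey.strip()}"


def handle(command, gpio_path=GPIO_VALUE):
    """Run one pump command. Returns (exit status, text for stdout/stderr)."""
    if command in LEVEL_FOR:
        with open(gpio_path, "w") as fh:
            fh.write(LEVEL_FOR[command] + "\n")
        return 0, ""
    if command == "status":
        with open(gpio_path) as fh:
            level = fh.read().strip()
        return 0, "1" if level == "0" else "0"      # 1 = pump on, as in pump_status.sh
    return 2, f"pump-ctl: refusing {command!r}"      # anything else never reaches a shell


def decode_wait_status(raw):
    """domoticz logs the raw wait status: 65280 is exit code 255, which is ssh
    itself reporting it could not connect or authenticate (the missing root key)."""
    return os.WEXITSTATUS(raw), os.WTERMSIG(raw)


def scratch_gpio(initial="1"):
    """A temp file standing in for the sysfs value file, for trying this off the Pi."""
    fd, path = tempfile.mkstemp(prefix="gpio18-")
    with os.fdopen(fd, "w") as fh:
        fh.write(initial + "\n")
    return path


if __name__ == "__main__":
    # sshd hands the client's requested command to a forced command in SSH_ORIGINAL_COMMAND.
    status, text = handle(os.environ.get("SSH_ORIGINAL_COMMAND", "").strip())
    if text:
        print(text, file=sys.stdout if status == 0 else sys.stderr)
    sys.exit(status)
```

The wrapper keeps the thread's polarity (0 on the pin means the pump is on) and returns 2 for anything other than on, off or status, so a compromised PI-domo cannot turn the key into arbitrary commands on pi-pump.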

OpenVAS 7 running nasl script error: bad or missing signature

When running the following command on OpenVAS 7 as root (where gb_iojs_detect_win.nasl is one of the OpenVAS plugins; other plugins cause the same error):
openvas-nasl gb_iojs_detect_win.nasl
causes this error:
base gpgme-Message: Setting GnuPG homedir to '/usr/local/var/lib/openvas/gnupg'
base gpgme-Message: Using OpenPGP engine version '1.4.16'
base gpgme-Message: Setting GnuPG sysconf homedir to '/usr/local/etc/openvas/gnupg'
gb_iojs_detect_win.nasl: bad or missing signature. Will not execute this script
Note that I did follow this page and set nasl_no_signature_check = yes, but this error still persists.
Thanks! Any help would be appreciated!
Execute the following and follow the prompts:
gpg --homedir=/usr/local/etc/openvas/gnupg --gen-key
Then execute:
wget http://www.openvas.org/OpenVAS_TI.asc -P /tmp
gpg --homedir=/usr/local/etc/openvas/gnupg --import /tmp/OpenVAS_TI.asc
gpg --homedir=/usr/local/etc/openvas/gnupg --list-keys
gpg --homedir=/usr/local/etc/openvas/gnupg --lsign-key 48DB4530
Source: http://www.openvas.org/trusted-nvts.html
Do what is indicated above and update your feed plugins.
I also struggled with this, due to the documentation falling short.
You need to provide the -X flag, which means authenticated mode, which apparently means "Don't do the signature checks"
I was having this issue with OpenVAS 9, but based on the instructions from @D.W., I read the docs about trusted NVTs; they mention that they're going to start using a new key starting 12/1/18.
However, when I ran openvassd -f to see what it was doing, I noticed that there were only some plugin checksums that were failing, and I'm thinking they're already signing these with the new key.
checksum for /var/lib/openvas/plugins/gb_electrasoft_32bit_ftp_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_atlassian_confluence_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_synology_dsm_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_quixplorer_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_yealink_ip_phone_detect.nasl not matching
checksum for /var/lib/openvas/plugins/secpod_neon_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_torrent_trader_classic_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_simatic_s7_snmp_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_sophos_xg_detect_userportal.nasl not matching
checksum for /var/lib/openvas/plugins/gb_keycloak_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_wd_wdtv_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_get_http_banner.nasl not matching
checksum for /var/lib/openvas/plugins/gb_orion_nta_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_gather_windows_uptime.nasl not matching
checksum for /var/lib/openvas/plugins/gb_teleopti_wfm_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_asp_dotnet_core_detect_win.nasl not matching
checksum for /var/lib/openvas/plugins/eggdrop_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_f5_linerate_lros_version.nasl not matching
checksum for /var/lib/openvas/plugins/gb_mikrotik_router_routeros_consolidation.nasl not matching
However, the fix was to just use the same instructions (had to modify paths for config directory for Ubuntu/Debian), but with the newer key. After that the checksums were validated OK:
wget https://www.greenbone.net/GBCommunitySigningKey.asc -P /tmp
gpg --homedir=/etc/openvas/gnupg --import /tmp/GBCommunitySigningKey.asc
gpg --homedir=/etc/openvas/gnupg --list-keys
gpg --homedir=/etc/openvas/gnupg --lsign-key 0ED1E580
systemctl restart openvas-scanner.service
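The "checksum for ... not matching" lines come from the scanner comparing each plugin file against the feed's sha256sums manifest. As an added example (not Greenbone code), this Python re-implements that comparison over a constructed sample feed; it assumes the coreutils sha256sum line format for the manifest, and leaves the GnuPG signature over the manifest, which the --lsign-key steps above make verifiable, to gpg.

```python
"""Verify plugins against a feed 'sha256sums' manifest, the check behind the
'checksum for ... not matching' lines quoted above.  Added example, not
Greenbone code.  It assumes the manifest uses the coreutils sha256sum
format ('<hex digest>  <relative path>'); verifying the GnuPG signature
over the manifest itself is left to gpg and is not done here.  The sample
feed is constructed in code."""
import hashlib
import os
import tempfile


def parse_sha256sums(text):
    """Map relative path -> expected hex digest; reject paths that could escape the plugin dir."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            digest, path = line.split(None, 1)
        except ValueError:
            raise ValueError(f"sha256sums line {lineno}: malformed")
        path = path.strip().lstrip("*")           # '*' marks binary mode in coreutils output
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"sha256sums line {lineno}: bad digest")
        if os.path.isabs(path) or ".." in path.replace("\\", "/").split("/"):
            raise ValueError(f"sha256sums line {lineno}: path escapes plugin directory")
        entries[path] = digest
    return entries


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_plugins(plugin_dir, sums_text):
    """Per-file verdict: 'ok', 'not matching' or 'missing'.  A missing or altered
    file should keep the scanner from loading that plugin, not just log a line."""
    verdicts = {}
    for rel, expected in parse_sha256sums(sums_text).items():
        full = os.path.join(plugin_dir, rel)
        if not os.path.isfile(full):
            verdicts[rel] = "missing"
        elif sha256_file(full) != expected:
            verdicts[rel] = "not matching"
        else:
            verdicts[rel] = "ok"
    return verdicts


def make_sample_feed():
    """Constructed feed: one intact plugin, one altered after the manifest was made, one absent."""
    plugin_dir = tempfile.mkdtemp(prefix="openvas-plugins-")
    contents = {
        "gb_get_http_banner.nasl": b"# constructed sample plugin\n",
        "gb_keycloak_detect.nasl": b"# constructed sample plugin 2\n",
    }
    lines = []
    for name, data in contents.items():
        with open(os.path.join(plugin_dir, name), "wb") as fh:
            fh.write(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {name}")
    lines.append(f"{'0' * 64}  gb_wd_wdtv_detect.nasl")        # listed but never delivered
    with open(os.path.join(plugin_dir, "gb_keycloak_detect.nasl"), "ab") as fh:
        fh.write(b"# appended after the manifest was signed\n")  # tampered on disk
    return plugin_dir, "\n".join(lines) + "\n"


if __name__ == "__main__":
    d, sums = make_sample_feed()
    for rel, verdict in verify_plugins(d, sums).items():
        print(f"checksum for {os.path.join(d, rel)} {verdict}")
```

The path check matters because the manifest is downloaded content: a line naming ../something would otherwise make the verifier read, and implicitly vouch for, a file outside the plugin tree.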
Your command should be like this:
openvas-nasl -Xp gb_iojs_detect_win.nasl #for parsing
openvas-nasl -Xt IP gb_iojs_detect_win.nasl #for exec
Note the additional switches.
For more details, visit this link

Mounting VMDK disk image

I have a single VMware disk image file with a .vmdk extension.
I am trying to mount this and explore all of the partitions (including hidden ones).
I've tried to follow several guides, such as: http://forums.opensuse.org/showthread.php/469942-mounting-virtual-box-machine-images-host
I'm able to mount the image using vdfuse
vdfuse -w -f windows.vmdk /mnt/
After this I can see one partition and an entire disk exposed
# ll /mnt/
total 41942016
-r-------- 1 te users 21474836480 Feb 28 14:16 EntireDisk
-r-------- 1 te users 1569718272 Feb 28 14:16 Partition1
Continuing with the guide I try to mount either EntireDisk or Partition1 using
mount -o loop,ro /mnt/Partition1 mnt2/
But that gives me the error 'mount: you must specify a filesystem type'
In trying to find the correct type I tried
dd if=/mnt/EntireDisk | file -
which outputs a ton of information but of note is:
/dev/stdin: x86 boot sector; partition 1: ....... FATs ....
So I tried to mount it as vfat, but that gave me
mount: wrong fs type, bad option, bad superblock ...etc
What am I doing wrong?
For newer Linux systems, you can use guestmount to mount the third partition within a VMDK image:
guestmount -a xyz.vmdk -m /dev/sda3 --ro /mnt/vmdk
Alternatively, to autodetect and mount an image (less reliable), you can try:
guestmount -a xyz.vmdk -i --ro /mnt/vmdk
Do note that the flag --ro simply mounts the image as read-only; to mount the image as read-write, just replace it with the flag --rw.
Installation
guestmount is contained in following packages per distro:
Ubuntu: libguestfs-tools
OpenSuse: guestfs-tools
CentOS / Fedora: libguestfs-tools-c
Troubleshooting
error: could not create appliance through libvirt
$ guestmount -a file.vmdk -i --ro /mnt/guest
libguestfs: error: could not create appliance through libvirt.
Try running qemu directly without libvirt using this environment variable:
export LIBGUESTFS_BACKEND=direct
Original error from libvirt: Cannot access backing file '/path/to/file.vmdk' of storage file '/tmp/libguestfssF6WKX/overlay1.qcow2' (as uid:107, gid:107): Permission denied [code=38 int1=13]
Solution: use LIBGUESTFS_BACKEND=direct, as suggested:
LIBGUESTFS_BACKEND=direct guestmount -a file.vmdk -i --ro /mnt/guest
fusermount: user has no write access to mountpoint
LIBGUESTFS_BACKEND=direct guestmount -a file.vmdk -i --ro /mnt/guest/
fusermount: user has no write access to mountpoint /mnt/guest
libguestfs: error: fuse_mount failed: /mnt/guest/, see error messages above
Solution: use sudo, or change file permissions on the mountpoint
You can also use qemu:
For .vdi disks
sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd1 ./linux_box/VM/image.vdi
if they are not installed, you can install them (issuing this command in Ubuntu)
sudo apt install qemu-utils
and then mount it with:
mount /dev/nbd1p1 /mnt
For .vmdk disks
sudo modprobe nbd
sudo qemu-nbd -r -c /dev/nbd1 ./linux_box/VM/image.vmdk
Notice that I use the -r option; that's because VMDK version 3 must be read-only to be mountable by qemu.
and then I mount it with
mount /dev/nbd1p1 /mnt
I use nbd1, because nbd0 sometimes gives: 'mount: special device /dev/nbd0p1 does not exist'
For .ova disks
tar -tf image.ova
tar -xvf image.ova
The above will extract the .vmdk disk and then mount it.
Install affuse, then mount using it.
affuse /path/file.vmdk /mnt/vmdk
The raw disk image is now found under /mnt/vmdk.
Check its sector size:
fdisk -l /mnt/vmdk/file.vmdk.raw
# example
Disk file.vmdk.raw: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x000da525
Device Boot Start End Sectors Size Id Type
/mnt/vmdk/file.vmdk.raw1 * 2048 41943039 41940992 20G 83 Linux
Multiply sector size and start sector. In the example it would be 2048*512:
echo '2048*512' | bc
1048576
Mount the raw file using that offset:
mount -o ro,loop,offset=1048576 /mnt/vmdk/file.vmdk.raw /mnt/vmdisk
The disk should now be mounted and readable on /mnt/vmdisk.
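The affuse answer works out the loop offset by reading fdisk output and multiplying by hand. As an added example (not from the thread), the Python below reads the partition table from the raw image itself and produces the same mount line for every partition; it goes beyond the answer by also handling a GPT behind a protective MBR, which fdisk would report as "Disklabel type: gpt". The two sample images are constructed in code (the GPT one carries no CRCs, and the parser does not verify them), and the file names are the ones used in the answer.

```python
"""Compute loop-mount offsets from a raw disk image's partition table.
Added example for the affuse method above; not code from the thread.
Handles a classic MBR and a GPT behind a protective MBR; the sample
images at the bottom are constructed in code (no CRCs in the GPT sample,
and this parser does not check them)."""
import struct
import uuid

SECTOR = 512
MBR_TABLE_OFFSET = 446          # four 16-byte entries, then the 0x55AA signature
MBR_SIGNATURE = b"\x55\xaa"
GPT_SIGNATURE = b"EFI PART"     # LBA 1 of a GPT disk
PROTECTIVE_MBR_TYPE = 0xEE

LINUX_FS_GUID = "0fc63daf-8483-4772-8e79-3d69d8477de4"
EFI_SYSTEM_GUID = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"


def parse_mbr(sector0):
    """Return the non-empty entries of an MBR partition table."""
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for n in range(4):
        base = MBR_TABLE_OFFSET + 16 * n
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, base)
        if ptype == 0 or count == 0:
            continue
        parts.append({"number": n + 1, "type": f"{ptype:#04x}", "boot": status == 0x80,
                      "start_lba": start, "sectors": count})
    return parts


def parse_gpt(image, sector=SECTOR):
    """Return the used entries of the GPT partition array."""
    header = image[sector:2 * sector]
    if header[:8] != GPT_SIGNATURE:
        raise ValueError("no GPT header at LBA 1")
    (entries_lba,) = struct.unpack_from("<Q", header, 72)
    n_entries, entry_size = struct.unpack_from("<II", header, 80)
    parts = []
    for i in range(n_entries):
        off = entries_lba * sector + i * entry_size
        entry = image[off:off + entry_size]
        if len(entry) < 48:
            break                                    # truncated image
        type_guid = uuid.UUID(bytes_le=entry[:16])   # GUIDs are stored mixed-endian
        if type_guid.int == 0:
            continue                                 # unused slot
        first, last = struct.unpack_from("<QQ", entry, 32)
        parts.append({"number": i + 1, "type": str(type_guid), "boot": False,
                      "start_lba": first, "sectors": last - first + 1})
    return parts


def partitions(image, sector=SECTOR):
    """Partition list with byte offsets, choosing GPT when the MBR is only protective."""
    mbr = parse_mbr(image[:sector])
    is_gpt = (len(mbr) == 1 and mbr[0]["type"] == f"{PROTECTIVE_MBR_TYPE:#04x}"
              and image[sector:sector + 8] == GPT_SIGNATURE)
    parts = parse_gpt(image, sector) if is_gpt else mbr
    for p in parts:
        p["offset"] = p["start_lba"] * sector
        p["size"] = p["sectors"] * sector
    return parts


def mount_command(image_path, part, mountpoint):
    """The read-only loop mount the answer arrives at, with the offset filled in."""
    return f"mount -o ro,loop,offset={part['offset']} {image_path} {mountpoint}"


# --- constructed sample images (not real disks) ---------------------------
def build_mbr(entries):
    """entries: (bootable, type, start_lba, sector_count)."""
    s = bytearray(SECTOR)
    for n, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", s, MBR_TABLE_OFFSET + 16 * n,
                         0x80 if boot else 0, ptype, start, count)
    s[510:512] = MBR_SIGNATURE
    return bytes(s)


def build_gpt(entries):
    """entries: (type GUID string, first_lba, last_lba); array placed at LBA 2."""
    header = bytearray(SECTOR)
    header[:8] = GPT_SIGNATURE
    struct.pack_into("<Q", header, 72, 2)
    struct.pack_into("<II", header, 80, len(entries), 128)
    array = bytearray(128 * len(entries))
    for i, (guid, first, last) in enumerate(entries):
        array[i * 128:i * 128 + 16] = uuid.UUID(guid).bytes_le
        struct.pack_into("<QQ", array, i * 128 + 32, first, last)
    return build_mbr([(False, PROTECTIVE_MBR_TYPE, 1, 0xFFFFFFFF)]) + bytes(header) + bytes(array)


# Same geometry as the fdisk listing in the answer: one Linux partition starting at LBA 2048.
SAMPLE_MBR_IMAGE = build_mbr([(True, 0x83, 2048, 41940992)])
SAMPLE_GPT_IMAGE = build_gpt([(EFI_SYSTEM_GUID, 2048, 1050623),
                              (LINUX_FS_GUID, 1050624, 41943006)])

if __name__ == "__main__":
    for p in partitions(SAMPLE_MBR_IMAGE):
        print(mount_command("/mnt/vmdk/file.vmdk.raw", p, "/mnt/vmdisk"))
```

On a real image, pass the first few MiB of /mnt/vmdk/file.vmdk.raw (the MBR, the GPT header and its entry array all sit at the start) rather than reading the whole 20 GiB into memory; the offsets are what the mount -o loop,offset= line needs.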
Here is an answer from commandlinefu.com that worked for me:
kpartx -av <image-flat.vmdk>; mount -o ro /dev/mapper/loop0p1 /mnt/vmdk
You can also activate LVM volumes in the image by running
vgchange -a y
and then you can mount the LV inside the image.
To unmount the image, umount the partition/LV, deactivate the VG for the image
vgchange -a n <volume_group>
then run
kpartx -dv <image-flat.vmdk>
to remove the partition mappings.
You can take a look in this article for a download link for VMware Virtual Disk Development Kit (VDDK). Once downloaded and installed:
vmware-mount -p path_to_vmdk will show the partitions inside the VMDK file. For example:
Nr Start      Size       Type Id System
-- ---------- ---------- ---- -- ------------------------
 1 2048       461371392  BIOS 83 Linux
Then just do:
sudo vmware-mount path_to_vmdk 1 /mnt/mount_point
I tried guestmount, but it is very, very slow. Underneath it creates a virtual machine, uses KVM and so on. Crazy stuff, slow as hell.
Have you got the software package for ntfs?
Try
apt-get install ntfs-3g
on debian based systems.

Issues logging in ldap root DN

I have been stuck for almost a day on the following issue.
I installed LDAP using: apt-get install slapd
and use the following configuration:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
loglevel 0
moduleload back_bdb.la
database bdb
suffix "dc=test,dc=nl"
rootdn "cn=Directory Manager,dc=test,dc=nl"
rootpw test
directory /var/lib/ldap
index objectClass eq
index userPassword eq,pres
index givenName,mail,mobile,sn,title,cn,description eq,sub,pres
index displayName eq,sub,pres
index postalAddress,facsimileTelephoneNumber pres
access to *
by self write
by * read
and I then try to bind using
ldapsearch -D cn=Directory Manager,dc=test,dc=nl -w test
but I still receive the error ldap_bind: Invalid Credentials (49)
Anyone has any idea or clues what this could be?
Thanks in advance
Try it using quotes, like:
ldapsearch -D "cn=Directory Manager,dc=test,dc=nl" -w test
The space character in Directory Manager may cause the problem.
Edit: Also, are you sure you don't need -h -p parameters?
-h The host name of the directory server
-p The port number of the directory server
Edit2: Just figured out what is wrong. You are using rootpw unencrypted in your slapd config file. You should use an encrypted password created from the slappasswd tool's output. This may cause problems under special circumstances.
Check this link for details: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-ldap-quickstart.html
A few things you could try:
Turn on more verbose logging (loglevel 255), and see if anything shows up in the log file.
Verify that the server really is reading the configuration file you think by checking the access time on the slapd.conf file (ls -lu slapd.conf)
Try binding using an invalid dn (ldapsearch -D cn=no-such-user -w test) and see if the error message changes (if so, that confirms that the problem is with the password, not the dn).
Try man ldapsearch.
I'm not really sure on debian/ubuntu, but in FreeBSD you need to add a -x to use simple authentication instead of SASL. I think this might be your issue?
Also, you could use -W instead of passing the password in plain text on the command line.
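Two of the points above, the quoted DN and the hashed rootpw, as an added example in Python (not from the thread or from OpenLDAP): ssha_hash builds the {SSHA} value that slappasswd -h {SSHA} produces, i.e. base64(SHA-1(password || salt) || salt) with a 4-byte salt, ssha_verify checks a password against it the way slapd does on a simple bind, and ldapsearch_command quotes the DN as a single argument and uses -x -W so the password is prompted for rather than left in the process list (-H ldap://host:port is the URI form of -h/-p).

```python
"""Hashed rootpw and a correctly quoted ldapsearch line for the thread above.
Added example, not code from the thread or from OpenLDAP.  {SSHA} is
implemented here as base64(SHA-1(password || salt) || salt) with a 4-byte
salt, the form slapd accepts in rootpw and userPassword."""
import base64
import hashlib
import hmac
import os
import shlex


def ssha_hash(password, salt=None):
    """rootpw value equivalent to `slappasswd -h {SSHA} -s <password>`."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a password against a {SSHA} value (what slapd does on a simple bind)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]                 # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)     # constant-time comparison


def rootpw_line(password, salt=None):
    """slapd.conf line replacing the clear-text 'rootpw test' from the question."""
    return f"rootpw {ssha_hash(password, salt)}"


def ldapsearch_command(bind_dn, base_dn, host="localhost", port=389, filt="(objectClass=*)"):
    """Shell-safe command line: the DN contains a space, so it must travel as one argument."""
    argv = ["ldapsearch", "-x", "-H", f"ldap://{host}:{port}",
            "-D", bind_dn, "-W", "-b", base_dn, filt]
    return shlex.join(argv)


if __name__ == "__main__":
    print(rootpw_line("test"))
    print(ldapsearch_command("cn=Directory Manager,dc=test,dc=nl", "dc=test,dc=nl"))
```

A simple bind still sends the password in clear unless the connection is TLS (ldaps:// or -ZZ), so the hash only protects the config file on disk, not the wire.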

Openssl command line troubles

Edit: Haven't solved my problems, but I've moved on to new and more exciting problems.
Leaving this here in case anyone has any insight that'll help someone who stumbles onto this question in the future.
Hi,
I'm attempting to send an encrypted email from php to outlook. As such, I need to generate a certificate to import into outlook. I had no problem generating a set of keys using openssl and the CA.pl script that comes with it, but when I try to run the command to generate the PKCS12 file to import into outlook it complains about a missing "demoCA" directory. It appears this directory is a part of openssl, and is referenced in the openssl config... but I have no idea where it is. I've searched the drive in many ways from grep to spotlight (on OS X, though I really wasn't expecting spotlight to find anything), and can't come up with anything.
The command I was trying to run is:
$ openssl ca -cert newcert.pem -ss_cert newcert.pem
Using configuration from /sw/etc/ssl/openssl.cnf
./demoCA/private/cakey.pem: No such file or directory trying to load CA private key
19918:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
19918:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
I am a bit of a noob when it comes to encryption / SSL, so I might be missing something stupid (I'm sure of it, haha).
You should create a new CA by means of the script provided, which is easier than handling all the openssl options yourself. You can do this by means of the openssl bundled with Cygwin inside Windows itself, or use your favourite Unix distro. I will show you how to do it with the bash script (but the perl script should be the same).
$ ./CA.sh -newca
This creates the demoCA directory with the CA certificate inside it. As you invoke the above command you will be prompted for the fields of the CA certificate (CN, OU, etc.) and the CA private key passphrase.
Now you can create certificate requests, or certificates from certificate requests.
$ ./CA.sh -newreq
This prompts for the new certificate request's fields and the passphrase to encrypt the generated private key. By default the request is left in the same directory as CA.sh (newreq.pem). It is important that you use your email address as the CN (Common Name).
Now you only need to sign it and you have a full blown certificate.
$ ./CA.sh -sign
This will generate newcert.pem, which is the signed certificate. You have your certificate; you only need to pack the certificate and the private key inside a PFX or P12 file, which the Microsoft CSP recognizes.
Then copy the contents of newreq.pem and newcert.pem into a file.
$ cat newreq.pem > keypair.pem
$ cat newcert.pem >> keypair.pem
And now generate P12 file by means of openssl shell (this time we don't have the help of any script). It will prompt you for the passphrase you used when request was generated and then the export password (to encrypt private key inside p12 file).
$ openssl pkcs12 -export -in keypair.pem -out mykeypair.p12
Enter pass phrase for keypair.pem:
Enter Export Password:
Verifying - Enter Export Password:
Et voilà. You have a PKCS#12 file that you can double-click in Windows to import into your keystore and use as a mail signing certificate (I don't remember if the default options are enough or you need to specify some additional attributes when creating the certificate so Outlook recognizes it as an e-mail signing certificate). You will also need to import the CA certificate as a trusted CA (copy cacert.pem, which is inside the demoCA directory, to cacert.cer and double-click it to import).
