
I'd like to perform a TPM Seal operation in Windows. I'm familiar with C++ programming but have no idea what libraries I'd even use.

I'm currently stuck with the following two questions:

Can I perform this action using e.g. WMI and a powershell script? This http://msdn.microsoft.com/en-us/library/windows/desktop/aa446799(v=vs.85).aspx indicates that I can use TBS To Submit a Command, but I don't have the faintest how I would set up the parameters in e.g. WMI.

Can I use the tbs.h/tbs.lib from the Windows 7 SDK to perform a TPM_Seal operation?

Is there a TSS API like http://trousers.sourceforge.net/ where I can call this from some C++ code?

The method through which I do this is not a big deal, but I am using TPM 1.2 on Windows, and all of my clients are Windows.

Yablargo
  • This http://msdn.microsoft.com/en-us/library/windows/desktop/aa446799(v=vs.85).aspx looks like what I would call, but I have *no* idea what my "command buffer" would look like. – Yablargo Jun 11 '14 at 22:08
  • Wow, your question is completely different now... – Scolytus Jun 13 '14 at 10:19
  • I was really a bit lost when I initially asked. I vaguely knew what I must do, but had few implementation details. You've been helpful. I was able to do some basic TBS commands last week and feel like I'm a LOT closer to the goal now. – Yablargo Jun 16 '14 at 13:00

2 Answers


Update 2023-05: This answer covers TPM 1.2 and might be outdated


You can use TPM Base Services for sending commands to the TPM. So you need to assemble the commands yourself.

The TPM commands, structures and flows are defined in 3 documents:

First you need to figure out which command you want to send. Then you have to look up the command's reference in Part 3 and assemble the needed structures as described in Part 2.

The TPM_Seal command for example is defined in section 10.1 on page 72 of Part 3. Line 1331 shows you what the command has to look like. After issuing the command you can evaluate the returned structure according to line 1332. (All numbers apply to revision 116.)

This can be really tricky. However, you can have a look at other implementations. If you just need a few commands it's not that hard, especially when you can be sure that some corner cases don't happen.

I would suggest you start looking at IBM's software TPM. This project also provides libtpm and some utilities. This is one of the lighter implementations I know.

You can also try whether TrouSerS for Windows is stable enough to fit your needs. There you would have a high-level TSS API.

If Java is an option, have a look at jTSS. It supports Windows.

Scolytus
  • Hi. I loaded a Windows 8 box and was browsing the list of commands for TPM Base Services. I do indeed only need to protect a symmetric key. I can see that I can do this, and I really don't even need to use C#. If I can accomplish this in PowerShell, etc., that is really all I need. I'm going to reword my question to cut out the fat and try to get to the core of the issue – Yablargo Jun 11 '14 at 16:37
  • Thanks for the heads up on the software TPM. My main development machine does not in fact have a TPM so I've been using an aux box. – Yablargo Jun 16 '14 at 13:08
  • Links are dead. – Andrew Henle May 11 '23 at 22:47
  • @AndrewHenle links updated – Scolytus May 14 '23 at 11:10
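As an added illustration of the "assemble the command buffer yourself, then hand it to TBS" approach (this is example code written for this page, not part of Scolytus's answer, of the TPM specification, or of any of the linked projects), the C++ below frames two TPM 1.2 commands that need no authorization session, TPM_GetRandom and TPM_PcrRead, exactly as Part 3 lays them out: a big-endian header of tag, paramSize and ordinal followed by the parameters. It then validates a response header and, on Windows only, submits the buffer through tbs.h with Tbsip_Submit_Command. TPM_Seal (ordinal 0x17) uses the same framing but is an auth1 command: it adds an OIAP/OSAP authorization session and an HMAC over its parameters, which this example does not implement. The sample response bytes are constructed, not captured from a real TPM; the helper names, the 4096-byte response buffer and the choice of locality zero with normal priority are assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// TPM 1.2 wire-format constants (TPM Main Specification Part 2 and Part 3).
// Every multi-byte field on the wire is big-endian.
constexpr uint16_t TPM_TAG_RQU_COMMAND = 0x00C1;  // request without an authorization session
constexpr uint16_t TPM_TAG_RSP_COMMAND = 0x00C4;  // response without an authorization session
constexpr uint32_t TPM_ORD_PcrRead     = 0x00000015;
constexpr uint32_t TPM_ORD_GetRandom   = 0x00000046;
constexpr uint32_t TPM_SUCCESS         = 0x00000000;
constexpr size_t   TPM_HEADER_SIZE     = 10;      // tag(2) + paramSize(4) + ordinal/returnCode(4)

static void put16(std::vector<uint8_t>& b, uint16_t v) {
    b.push_back(static_cast<uint8_t>(v >> 8));
    b.push_back(static_cast<uint8_t>(v & 0xFF));
}
static void put32(std::vector<uint8_t>& b, uint32_t v) {
    for (int shift = 24; shift >= 0; shift -= 8)
        b.push_back(static_cast<uint8_t>((v >> shift) & 0xFF));
}
static uint16_t get16(const uint8_t* p) { return static_cast<uint16_t>((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t* p) {
    return (static_cast<uint32_t>(p[0]) << 24) | (static_cast<uint32_t>(p[1]) << 16) |
           (static_cast<uint32_t>(p[2]) << 8)  |  static_cast<uint32_t>(p[3]);
}

// Generic framing shared by every ordinal: header, then the ordinal-specific
// parameters. paramSize counts the whole buffer, header included.
std::vector<uint8_t> buildCommand(uint32_t ordinal, const std::vector<uint8_t>& params) {
    std::vector<uint8_t> cmd;
    put16(cmd, TPM_TAG_RQU_COMMAND);
    put32(cmd, static_cast<uint32_t>(TPM_HEADER_SIZE + params.size()));
    put32(cmd, ordinal);
    cmd.insert(cmd.end(), params.begin(), params.end());
    return cmd;
}

// TPM_GetRandom: single input parameter bytesRequested (UINT32).
std::vector<uint8_t> buildGetRandom(uint32_t bytesRequested) {
    std::vector<uint8_t> params;
    put32(params, bytesRequested);
    return buildCommand(TPM_ORD_GetRandom, params);
}

// TPM_PcrRead: single input parameter pcrIndex (UINT32); the output is a 20-byte SHA-1 digest.
std::vector<uint8_t> buildPcrRead(uint32_t pcrIndex) {
    std::vector<uint8_t> params;
    put32(params, pcrIndex);
    return buildCommand(TPM_ORD_PcrRead, params);
}

struct TpmResponse {
    uint16_t tag;
    uint32_t returnCode;
    std::vector<uint8_t> body;  // ordinal-specific output parameters
};

// Check the header before trusting anything in the body: a short or
// inconsistent paramSize is treated as an error rather than read past.
TpmResponse parseResponse(const std::vector<uint8_t>& rsp) {
    if (rsp.size() < TPM_HEADER_SIZE) throw std::runtime_error("response shorter than a TPM header");
    TpmResponse r;
    r.tag = get16(&rsp[0]);
    uint32_t paramSize = get32(&rsp[2]);
    r.returnCode = get32(&rsp[6]);
    if (paramSize != rsp.size()) throw std::runtime_error("paramSize does not match bytes received");
    r.body.assign(rsp.begin() + TPM_HEADER_SIZE, rsp.end());
    return r;
}

// TPM_GetRandom output: randomBytesSize (UINT32) followed by that many bytes.
std::vector<uint8_t> parseGetRandomBody(const TpmResponse& r) {
    if (r.tag != TPM_TAG_RSP_COMMAND || r.returnCode != TPM_SUCCESS) throw std::runtime_error("TPM_GetRandom failed");
    if (r.body.size() < 4) throw std::runtime_error("truncated TPM_GetRandom body");
    uint32_t n = get32(&r.body[0]);
    if (r.body.size() != 4 + n) throw std::runtime_error("randomBytesSize inconsistent with body length");
    return std::vector<uint8_t>(r.body.begin() + 4, r.body.end());
}

// Constructed sample (not captured from a real TPM): a TPM_GetRandom response carrying 4 bytes.
const std::vector<uint8_t> kSampleGetRandomResponse = {
    0x00, 0xC4,              // TPM_TAG_RSP_COMMAND
    0x00, 0x00, 0x00, 0x12,  // paramSize = 18
    0x00, 0x00, 0x00, 0x00,  // returnCode = TPM_SUCCESS
    0x00, 0x00, 0x00, 0x04,  // randomBytesSize = 4
    0xDE, 0xAD, 0xBE, 0xEF   // randomBytes
};

#ifdef _WIN32
#include <windows.h>
#include <tbs.h>
#pragma comment(lib, "tbs.lib")
// Submit one assembled command through TPM Base Services and return the raw response.
std::vector<uint8_t> submitViaTbs(const std::vector<uint8_t>& cmd) {
    TBS_CONTEXT_PARAMS params = { TBS_CONTEXT_VERSION_ONE };
    TBS_HCONTEXT ctx = 0;
    if (Tbsi_Context_Create(&params, &ctx) != TBS_SUCCESS) throw std::runtime_error("Tbsi_Context_Create failed");
    std::vector<uint8_t> out(4096);  // assumed upper bound for the responses used here
    UINT32 outLen = static_cast<UINT32>(out.size());
    TBS_RESULT rc = Tbsip_Submit_Command(ctx, TBS_COMMAND_LOCALITY_ZERO, TBS_COMMAND_PRIORITY_NORMAL,
                                         cmd.data(), static_cast<UINT32>(cmd.size()), out.data(), &outLen);
    Tbsip_Context_Close(ctx);
    if (rc != TBS_SUCCESS) throw std::runtime_error("Tbsip_Submit_Command failed");
    out.resize(outLen);
    return out;
}
#endif

int main() {
    std::vector<uint8_t> rnd = parseGetRandomBody(parseResponse(kSampleGetRandomResponse));
    std::printf("constructed sample carried %zu random bytes\n", rnd.size());
#ifdef _WIN32
    std::vector<uint8_t> live = submitViaTbs(buildGetRandom(16));
    std::printf("TPM returned %zu random bytes\n", parseGetRandomBody(parseResponse(live)).size());
#endif
    return 0;
}
```

On Windows, link against tbs.lib; on other platforms only the framing and parsing compile, which is enough to unit-test the byte layout against Part 3 before touching hardware. A TPM 2.0 device uses different tags and command codes and will reject these 1.2 ordinals, so check the TPM version reported by the platform first.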

I was able to do this without much issue with JTSS. There is an example @ https://security.stackexchange.com/questions/60841/encrypting-a-symmetric-key-or-small-file-using-tpm-and-windows-tbs

Yablargo