Comments (7)
A little bit of googling indicates that 0x80090030 is NTE_DEVICE_NOT_READY. I don't really know what that indicates. What kind of TPM are you running against? Do any commands work?
from go-attestation.
Thanks for the reply.
Here is the TPM information:
PS C:\Windows\system32> Get-Tpm
TpmPresent : True
TpmReady : True
ManufacturerId : 1229346816
ManufacturerIdTxt : IFX
ManufacturerVersion : 7.40
ManufacturerVersionFull20 : 7.40.8.12800
ManagedAuthLevel : Full
OwnerAuth :
OwnerClearDisabled : False
AutoProvisioning : Enabled
LockedOut : False
LockoutHealTime : 10 minutes
LockoutCount : 0
LockoutMax : 31
SelfTest : {}
I also searched for the error code. So, I tried to update the TPM firmware, but it is already up to date.
On two systems, I got this error.
Another system I have also has a similar TPM configuration, and there I am able to run the tool.
I am facing the same issue. It's a permission thing.
ActivateCredential() (the pcp_windows version) makes 2 calls:
- https://docs.microsoft.com/en-us/windows/win32/api/ncrypt/nf-ncrypt-ncryptsetproperty
- https://docs.microsoft.com/en-us/windows/win32/api/ncrypt/nf-ncrypt-ncryptgetproperty
The call to the second method fails. I was able to find out that the current user was denied read access to the EK in the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement
But even after I granted read permission to the user the command failed, this time claiming (0x80280400) The command was blocked.
If you run it with elevated rights it works as expected. I think it could work with the correct dwflags in the NCryptSetProperty() call but all this security stuff surpasses my intellect.
@buhtig0815 Thank you for the response. I am running as administrator on all the systems.
Even then it is not working on some systems.
Can you please tell me how to check and add permission or endorsement?
Thanks.
Mmmh, that's weird.
Check:
MS's Sysinternals Procmon is your friend here: https://live.sysinternals.com/Procmon.exe
Run it as admin and add a filter: path contains tpm
Now run your tool/command that is causing the 0x80090030 error.
Then look for ACCESS DENIED results.
Ignore the Telemetry entries.
Add permission
In the registry right click on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement key.
Click Permissions...
Click Add...
Click Locations...
Select the computer, click OK
Enter everyone in the object names field, click Check Names
Click OK
The add window should be closed now.
Select Everyone from the list.
Click on the read checkbox in the Allow column.
Click OK
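An added example, not code from this thread or from the go-attestation project, that scripts the check-and-grant procedure above in PowerShell: it tests whether the current token can actually open the Endorsement and Admin keys under TPM\WMI, lists the ACEs that carry read rights, and with -Grant adds a read-only entry for one named principal instead of Everyone. It assumes an elevated PowerShell 5.1 or later session; the -Principal default and the Admin key are taken from the thread, nothing else is.

```powershell
# Added example; assumes an elevated PowerShell session on the affected host.
param(
    [string]$Principal = "$env:USERDOMAIN\$env:USERNAME",  # who should get read access
    [switch]$Grant                                          # only report unless set
)
$keys = @(
    'SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement',
    'SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin'
)
$ReadKey = [System.Security.AccessControl.RegistryRights]::ReadKey
foreach ($sub in $keys) {
    $path = "HKLM:\$sub"
    Write-Host "== $path"
    # Effective-access check: open the key read-only with the current token,
    # which is what fails underneath NCryptGetProperty when the ACL is too tight.
    try {
        $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub, $false)
        if ($null -eq $k) { Write-Host "  key not found"; continue }
        Write-Host ("  readable by current user: yes ({0} values)" -f $k.ValueCount)
        $k.Close()
    } catch [System.Security.SecurityException] {
        Write-Host "  readable by current user: NO (ACCESS DENIED)"
    }
    # List DACL entries that include the full ReadKey right set
    # (generic-right ACEs show as raw numbers and are skipped here).
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if (($ace.RegistryRights -band $ReadKey) -eq $ReadKey) {
            Write-Host ("  {0,-5} {1,-30} {2}" -f $ace.AccessControlType,
                        $ace.IdentityReference, $ace.RegistryRights)
        }
    }
    if ($Grant) {
        # Least privilege: a single principal, read only, inherited by subkeys.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Principal, $ReadKey,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        Write-Host "  granted ReadKey to $Principal"
    }
}
```

Run it once without -Grant from the same account that runs attest-tool; a "NO (ACCESS DENIED)" line corresponds to the ACCESS DENIED results Procmon shows, while a "yes" on both keys with the tool still failing points past the registry, as in the TPM_E_COMMAND_BLOCKED case later in the thread.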
@buhtig0815 Thank you. This looks like a great way to check for permissions.
Tried the same. I ran the tool in admin mode:
Now, I am getting the same error code but a different error statement,
FAIL
Error: credential activation failed: EKs() failed: could not read ek public key from tpm: could not read ekpub: NCryptGetProperty returned 0,80090030 (The operation completed successfully.) for key "PCP_EKPUB" on size read.
I am facing the same issue. The ProcMon tool is very helpful, thank you! It seems like I had to allow access for "everyone" for the registry keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement" and "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin" and another one for telemetry. However, it looks like it still gets blocked somewhere in TBS and I always keep receiving the same error.
PS C:\Users\vnkts\go-attestation\attest\attest-tool> .\attest.exe self-test
FAIL
Error: credential activation failed: failed to generate activate credential: NCryptGetProperty returned 80280400 (tpm or subsystem failure: TPM_E_COMMAND_BLOCKED) for key activation
I tried to compare the Process Monitor results with and without admin, and they literally look the same. So I have no idea where it ends up being blocked.