Comments (10)
The policy file for tpm2_create should contain the binary format of the policyAuth. You can create a tool based on the TPM2.0-TSS SAPI API to create a trial session and call policyPCR to update the policyAuth, and then export it into a file. You can refer to TPM2.0-TSS/test/tpmclient or tpmtest for how the policyAuth was calculated.
I created a policyAuth file, and I am able to use this to create and seal an object, but I am able to simply unseal said object no matter what state the PCRs are in, and this is because I have not created a trial session, correct? Are there plans to create a tool to do this? I am not sure I have the technical knowledge to create the trial session myself through the SAPI.
Also, I see that there is a StartAuthSession.c file in /src, but I have so far been unable to compile this.
You also need to add "-A 0x20492" (fixedTPM, fixedParent, noDA, decrypt, adminWithPolicy) as the cmdline option to enforce using the policy to access the sealed data.
Okay, so right now, my method goes as follows:
tpm2_createprimary -A o -P <password> -g 0x4 -G 0x1
tpm2_create -H 0x80000000 -g 0x4 -G 0x1 -A 0x20492 -I key.txt -L policypcr16aaasha1.bin -o out.pub -O out.pri
but this gives me Errorcode 0x2c2, and changing -G 0x1 to -G 0x8 gives me Errorcode 0x2d2, but I am unsure what these mean, or why I am unable to use tpm2_create when I use the -A argument.
hi @mikzaq, I spent the better part of last week working on a tool to decode these TPM_RC codes. If you've got the time it could use some testing and might help us understand the error code you're seeing better. It looks like @gwei3 just merged this too so it should be in master.
Okay thanks, I'll check it out!
Sorry, my fault. Please change the attribute from 0x20492 to 0x492 (fixedTPM, fixedParent, noDA, adminWithPolicy), and make sure to store the parent key in a context file and use the parent context instead of the parent handle; the commands below succeed on my side:
tpm2_createprimary -A o -g 0x4 -G 0x1 -C ctx.pri
tpm2_create -c ctx.pri -g 0xb -G 0x1 -A 0x492 -I key.txt -L policypcr16aaasha1.bin -o out.pub -O out.pr
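The two open questions in this thread are how the binary policyAuth passed to -L is derived (the first comment points at a trial session plus TPM2_PolicyPCR) and which TPMA_OBJECT bits the -A words 0x20492 and 0x492 actually set. The following is an added example, not tpm2-tools or TPM2.0-TSS code: it computes the PCR policy digest offline, exactly as a trial session would, using the TPM2_PolicyPCR update rule from TPM 2.0 Library Part 3 (policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || digestTPM)), and decodes attribute words. The command code 0x17F, the TPM_ALG_ID values and the TPMA_OBJECT bit positions are taken from the TPM 2.0 specification; they do not appear on this page. The PCR values at the bottom are constructed sample values, not real measurements.

```python
"""Added example (not tpm2-tools code): compute a TPM2_PolicyPCR policy digest
offline and decode TPMA_OBJECT attribute words.

Rule (TPM 2.0 Library Part 3, TPM2_PolicyPCR):
    policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || digestTPM)
  pcrs      = marshaled TPML_PCR_SELECTION
  digestTPM = H(selected PCR values, concatenated in ascending PCR order)
A trial session starts from an all-zero policyDigest of H's size, so a single
PolicyPCR step gives the bytes that tpm2_create's -L option expects.
"""
import hashlib
import struct

TPM_CC_POLICYPCR = 0x0000017F                      # command code, UINT32 on the wire
TPM_ALG = {"sha1": 0x0004, "sha256": 0x000B}       # TPM_ALG_ID values

# TPMA_OBJECT bit positions (TPM 2.0 Part 2, TPMA_OBJECT).
TPMA_OBJECT_BITS = {
    0x00000002: "fixedTPM", 0x00000004: "stClear", 0x00000010: "fixedParent",
    0x00000020: "sensitiveDataOrigin", 0x00000040: "userWithAuth",
    0x00000080: "adminWithPolicy", 0x00000400: "noDA",
    0x00000800: "encryptedDuplication", 0x00010000: "restricted",
    0x00020000: "decrypt", 0x00040000: "sign",
}


def pcr_select_bitmap(pcr_indices, size_of_select=3):
    """pcrSelect bitmap: PCR n sets bit (n % 8) of byte (n // 8)."""
    sel = bytearray(size_of_select)
    for n in pcr_indices:
        if n // 8 >= size_of_select:
            raise ValueError(f"PCR {n} does not fit in {size_of_select} select bytes")
        sel[n // 8] |= 1 << (n % 8)
    return bytes(sel)


def marshal_pcr_selection(bank_alg, pcr_indices):
    """TPML_PCR_SELECTION with one bank: count(UINT32) || hash(UINT16) || sizeofSelect(UINT8) || pcrSelect."""
    bitmap = pcr_select_bitmap(pcr_indices)
    return struct.pack(">I", 1) + struct.pack(">HB", TPM_ALG[bank_alg], len(bitmap)) + bitmap


def policy_pcr_digest(policy_alg, bank_alg, pcr_values):
    """pcr_values: {pcr_index: current PCR value bytes}. Returns the policyAuth digest."""
    def h(data):
        return hashlib.new(policy_alg, data).digest()

    policy_old = bytes(hashlib.new(policy_alg).digest_size)   # trial session starts at zero
    ordered = sorted(pcr_values)
    digest_tpm = h(b"".join(pcr_values[i] for i in ordered))
    pcrs = marshal_pcr_selection(bank_alg, ordered)
    return h(policy_old + struct.pack(">I", TPM_CC_POLICYPCR) + pcrs + digest_tpm)


def decode_object_attributes(word):
    """Names of the TPMA_OBJECT bits set in an -A attribute word, lowest bit first."""
    return [name for bit, name in sorted(TPMA_OBJECT_BITS.items()) if word & bit]


if __name__ == "__main__":
    # Constructed sample: PCR 16 in the SHA-256 bank holding an arbitrary value.
    sample_pcr16 = hashlib.sha256(b"constructed sample measurement").digest()
    policy = policy_pcr_digest("sha256", "sha256", {16: sample_pcr16})
    print("policyAuth (sha256):", policy.hex())
    # Written to a file, this is what -L consumes:
    # with open("policy.bin", "wb") as f: f.write(policy)
    print("0x492   ->", decode_object_attributes(0x492))
    print("0x20492 ->", decode_object_attributes(0x20492))
```

Two practical checks follow from the code: the digest only matches the TPM's own computation if the policy session hash, the PCR bank and the PCR value fed in are all the ones in use at unseal time, which is why a stale or mis-specified policy file seals fine but never unseals; and the TPM requires the authPolicy length to equal the digest size of the object's nameAlg (-g), so a SHA-1 policy file belongs with -g 0x4 and a SHA-256 one with -g 0xb.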
It works! Thanks so much for your help! I'm still unable to unseal, but I believe this is due to the fact that I cannot create a policy session, as there is currently no tool for this.
I am trying to do the same as mikzaq, but creating the object fails. I tried this on two different hardware TPMs (manuId: AMD, manuId: IFX) on linux-4.4.19. Both give the same error.
Am I doing something wrong? Or is the problem somewhere else?
% tpm2_createprimary -A o -g 0x4 -G 0x1 -C ctx.pri
nameAlg = 0x0004
type = 0x0001
contextFile = ctx.pri
CreatePrimary Succeed ! Handle: 0x80000000
% tpm2_create -c ctx.pri -g 0xb -G 0x1 -A 0x492 -I ~/msg.bin -L policies/policypcr16aaasha1.bin -o out.pub -O out.pri
contextParentFile = ctx.pri
nameAlg = 0x000b
type = 0x0001
inSensitive.t.sensitive.data.t.size = 64
ObjectAttribute: 0x00000492
Create Object Failed ! ErrorCode: 0x921