* [tpm2] seal and unseal data based on a PCR value
@ 2018-06-20 20:42 Petko Manolov
From: Petko Manolov @ 2018-06-20 20:42 UTC (permalink / raw)
  To: tpm2


Hello guys,

I know this one has been asked many times, but I could not find a definitive
howto, exact steps, etc.

This project requires that a piece of data is being sealed to a TPM2 based on a
PCR value and then unsealed from TBoot.  I've harvested some bits and pieces from
various discussions and still can't build a coherent picture in my mind.

What would be the best place to start reading up on this?


cheers,
Petko


* Re: [tpm2] seal and unseal data based on a PCR value
@ 2018-06-20 23:11 Roberts, William C
From: Roberts, William C @ 2018-06-20 23:11 UTC (permalink / raw)
  To: tpm2


I just uploaded a wiki that has the bits on seal/unseal
https://github.com/tpm2-software/tpm2-tools/wiki/Creating-Objects

You need PCR policy support on top of what that wiki discusses, which we have a script test for here:
test/integration/tests/unseal.sh

If you need to implement natively, the tools will serve as reference code on how to piece it all together.

Bill

* Re: [tpm2] seal and unseal data based on a PCR value
@ 2018-06-20 23:22 Tadeusz Struk
From: Tadeusz Struk @ 2018-06-20 23:22 UTC (permalink / raw)
  To: tpm2


On 06/20/2018 01:42 PM, Petko Manolov wrote:
> I know this one has been asked many times, but I could not find a definitive
> howto, exact steps, etc.
> 
> This project requires that a piece of data is being sealed to a TPM2 based on a
> PCR value and then unsealed from TBoot.  I've harvested some bits and pieces from
> various discussions and still can't build a coherent picture in my mind.
> 
> What would be the best place to start reading up on this?

The steps to do this using the System API would be:

1. Make sure the PCRs are in a known good state, i.e. the system is healthy.
2. Call TPM2_StartAuthSession() to create a policy session.
3. Call TPM2_PolicyPCR(), selecting the PCRs you want to include and the session created in step 2.
4. Call TPM2_Create() using the session created in step 2.
5. Optionally call TPM2_Load() to load the data created in step 4 into the TPM.

This results in a key "sealed" in the TPM, which can only be unsealed when the PCRs are in the same state as when the key was created.
The steps to unseal the key/data:

1. Call TPM2_StartAuthSession() to create a policy session.
2. Call TPM2_PolicyPCR(), selecting the session created in step 1.
3. Call TPM2_Unseal(), selecting the session created in step 1.

Thanks,
-- 
Tadeusz
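The policy behind the steps above is a digest the TPM accumulates in the policy session and compares against the sealed object's authPolicy at TPM2_Unseal time. The following is an added example, not code from the thread or from tpm2-tools, that reproduces the TPM2_PolicyPCR digest update for a single SHA-256 bank so you can see why unseal fails once a selected PCR differs from its value at TPM2_Create time; the PCR values are constructed.

```python
import hashlib

TPM_CC_POLICYPCR = 0x0000017F   # command code folded into the policy digest
TPM_ALG_SHA256 = 0x000B          # PCR bank and session hash algorithm


def pcr_selection(pcrs, alg=TPM_ALG_SHA256, size_of_select=3):
    """Marshal a TPML_PCR_SELECTION with one bank: count (UINT32), then one
    TPMS_PCR_SELECTION {hash (UINT16), sizeofSelect (UINT8), pcrSelect bitmap}."""
    select = bytearray(size_of_select)
    for idx in pcrs:
        select[idx // 8] |= 1 << (idx % 8)   # PCR n -> bit n of the bitmap
    return ((1).to_bytes(4, "big") + alg.to_bytes(2, "big")
            + bytes([size_of_select]) + bytes(select))


def policy_pcr_digest(pcr_values, pcrs):
    """Replicate TPM2_PolicyPCR on a fresh policy session (TPM 2.0 Part 3):
    new = H(old || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))."""
    old = bytes(32)   # a newly started session has an all-zero policy digest
    pcr_digest = hashlib.sha256(
        b"".join(pcr_values[i] for i in sorted(pcrs))).digest()
    data = (old + TPM_CC_POLICYPCR.to_bytes(4, "big")
            + pcr_selection(pcrs) + pcr_digest)
    return hashlib.sha256(data).digest()


# Constructed sample bank: PCR 7 as measured on the healthy system at seal
# time, and an altered value standing in for a changed boot configuration.
GOOD_PCRS = {7: hashlib.sha256(b"constructed good PCR7 measurement").digest()}
BAD_PCRS = {7: hashlib.sha256(b"constructed altered PCR7 measurement").digest()}


def seal_time_policy():
    # This digest is what TPM2_Create stores as the object's authPolicy.
    return policy_pcr_digest(GOOD_PCRS, [7])


def unseal_would_succeed(current_pcrs):
    # TPM2_Unseal authorizes only if the session's policy digest matches.
    return policy_pcr_digest(current_pcrs, [7]) == seal_time_policy()


if __name__ == "__main__":
    print("authPolicy:", seal_time_policy().hex())
    print("unseal with good PCRs:", unseal_would_succeed(GOOD_PCRS))
    print("unseal with altered PCRs:", unseal_would_succeed(BAD_PCRS))
```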


* Re: [tpm2] seal and unseal data based on a PCR value
@ 2018-06-21 17:38 Petko Manolov
From: Petko Manolov @ 2018-06-21 17:38 UTC (permalink / raw)
  To: tpm2


On 18-06-20 23:11:05, Roberts, William C wrote:
> I just uploaded a wiki that has the bits on seal/unseal 
> https://github.com/tpm2-software/tpm2-tools/wiki/Creating-Objects

Thanks for this pointer.  It's very useful.

> You need PCR policy support on top of what that wiki discusses, which we have 
> a script test for here: test/integration/tests/unseal.sh

Yeah, I finally managed to get it to work with the latest stable tpm2-tools.

> If you need to implement natively, the tools will serve as reference code on 
> how to piece it all together.

So far I only need to use the tools.  Using the API is not on the roadmap yet.


cheers,
Petko

