From: Petko Manolov <sti at nucleusys.com>
To: tpm2@lists.01.org
Subject: Re: [tpm2] facilitating BIOS update with seamless PCR policy change
Date: Mon, 18 Feb 2019 09:48:37 +0100 [thread overview]
Message-ID: <20190218084837.GA4620@carbon> (raw)
In-Reply-To: 476DC76E7D1DF2438D32BFADF679FC5649CD993A@ORSMSX101.amr.corp.intel.com
Hello again,
I managed to get authorized PCR policies to work for me. The attached script
works fine on my ThinkPad and on an rpi3 with Infineon's SLB9670 SPI TPM2.
However, I stumbled upon a problem with an fTPM implementation in a very recent
AMI BIOS. Everything seems to be working properly until I get tpm2_unseal to
give me the error below. tpm2-tools is built from the at-the-time tip of git,
commit id:
872076e1b31f22b18391c6761d47575a93891cd7
tpm2_unseal -v:
tool="tpm2_unseal" version="3.0.2-858-g88956e75" tctis="dynamic" tcti-default=tabrmd dlclose=enabled
tpm2-tss is v2.1.0 and tpm2-abrmd is v2.0.3. Unfortunately the error message does
not mean much to me, so any help will be greatly appreciated.
thanks,
Petko
---
Generating RSA private key, 2048 bit long modulus
..............................+++++
...........................................+++++
e is 65537 (0x10001)
writing RSA key
transient-context: signing_key.ctx
name: 0x000b5e069ba4b591842c25155d812f635970dabe7cee663aff121088940f88e2da80
Signing authority created
sha256:
0 : 0x647992CBC9EEBF49D367559D870620C324B1A4307EB2A6166F1ACEC0DC186AEA
1 : 0x519B03509291B643DA7FEC4407FFC47C1C18AF706A611ECA1C159D4608342338
2 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB
3 : 0x369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB
session-context: session.ctx
policy-digest: 0x22035897291FE4681D7800685BFC5C73EBCBB88C7A579AB20C2E345A9815FDFE
pcr policy created
policy is signed
session-context: session.ctx
45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1
policy authorized
sealing object created
session-context: session.ctx
45a41a53c9f74f09b72151af6ffdd199fe1129eff2b749b8e481b6b21f2281f1
WARNING:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
ERROR:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:101:Esys_Unseal() Esys Finish ErrorCode (0x0000008f)
ERROR: Esys_Unseal(0x8F) - tpm:handle(unk):invalid nonce size or nonce value mismatch
ERROR: Unseal failed!
ERROR: Unable to run tpm2_unseal
cat: unsealed: No such file or directory
the end
[-- Attachment #2: policy_auth.sh --]
[-- Type: application/x-sh, Size: 1941 bytes --]
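An added Python example (not the attached policy_auth.sh and not tpm2-tools code) that computes the two policy digests the log above walks through, following the PolicyPCR and PolicyAuthorize digest rules of the TPM 2.0 specification, and shows why a BIOS update that changes the PCRs only requires the key owner to sign a new PCR policy while the sealed object's authPolicy stays the same. It takes the signing-key name and the SHA-256 PCR 0-3 values from the log as sample input; that the script selected sha256:0,1,2,3 is an assumption, so the computed digest is not compared against the policy-digest line in the log.

```python
import hashlib

# TPM 2.0 command codes and algorithm id (Part 2 of the specification).
TPM_CC_POLICY_AUTHORIZE = 0x0000016A
TPM_CC_POLICY_PCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
ZERO_DIGEST = bytes(32)

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def pcr_selection_sha256(pcr_indices) -> bytes:
    """Marshal a TPML_PCR_SELECTION with one SHA-256 bank: count, alg, sizeofSelect, bitmap."""
    bitmap = 0
    for idx in pcr_indices:
        bitmap |= 1 << idx
    # pcrSelect[0] holds PCRs 0-7 with bit 0 = PCR 0, so the bitmap is little-endian.
    return (1).to_bytes(4, "big") + TPM_ALG_SHA256.to_bytes(2, "big") + b"\x03" + bitmap.to_bytes(3, "little")

def policy_pcr(pcr_values, policy_digest=ZERO_DIGEST) -> bytes:
    """PolicyPCR: H(policyDigest || TPM_CC_PolicyPCR || pcrs || H(selected PCR values in order))."""
    indices = sorted(pcr_values)
    pcr_digest = sha256(*(pcr_values[i] for i in indices))
    return sha256(policy_digest, TPM_CC_POLICY_PCR.to_bytes(4, "big"),
                  pcr_selection_sha256(indices), pcr_digest)

def policy_authorize(key_name: bytes, policy_ref: bytes = b"") -> bytes:
    """PolicyAuthorize: session digest is reset to zero, then PolicyUpdate(cc, keyName, policyRef)."""
    step = sha256(ZERO_DIGEST, TPM_CC_POLICY_AUTHORIZE.to_bytes(4, "big"), key_name)
    return sha256(step, policy_ref)

def demo():
    # Key name and SHA-256 PCR 0-3 values copied from the log above; that the script's
    # selection was sha256:0,1,2,3 is an assumption, so the digest is not compared to the log.
    key_name = bytes.fromhex("000b5e069ba4b591842c25155d812f635970dabe7cee663aff121088940f88e2da80")
    pcrs_before = {i: bytes.fromhex(v) for i, v in enumerate([
        "647992CBC9EEBF49D367559D870620C324B1A4307EB2A6166F1ACEC0DC186AEA",
        "519B03509291B643DA7FEC4407FFC47C1C18AF706A611ECA1C159D4608342338",
        "369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB",
        "369BB94CEB4A1DF8E76720141B64C57EC70E6C620F07B27E335E70AD2DDC25DB"])}
    # Constructed post-update state: the BIOS update changed the PCR 0 measurement.
    pcrs_after = {**pcrs_before, 0: sha256(b"constructed: new firmware measurement")}
    return {
        "sealed_auth_policy": policy_authorize(key_name),   # fixed when the object is sealed
        "pcr_policy_before": policy_pcr(pcrs_before),       # what the key owner signed originally
        "pcr_policy_after": policy_pcr(pcrs_after),         # only this needs a new signature
    }
```

The sealed object's authPolicy depends only on the signing key's name (and an empty policyRef), so after a firmware update the owner of signing_key re-signs the new PCR policy digest and the data stays sealed unchanged.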