From: Petko Manolov <sti at nucleusys.com>
To: tpm2@lists.01.org
Subject: Re: [tpm2] tpm2 Digest, Vol 20, Issue 17
Date: Tue, 26 Feb 2019 13:20:45 +0200
Message-ID: <20190226112045.GB4322@p310>
In-Reply-To: D707E35E-98C6-4463-87B5-B6F787A3CE98@intel.com
Hey Imran,
Thanks for looking at this one. Unfortunately I can't reproduce your results on
either of my machines. Here is a slightly modified script, as "-I-" doesn't work
for me with tpm2_load:
---
#!/bin/bash
# Remove every artefact of a previous run so nothing stale is picked up.
rm -f pcr0.sha256 \
pcr.policy \
pcr.signature \
authorized.policy \
verification.tkt \
session.ctx \
prim.ctx \
signing_key.ctx \
sealing_key.ctx \
sealing_pubkey.pub \
sealing_prikey.pub \
unsealed \
signing_key.name \
signing_key_private.pem \
signing_key_public.pem
tpm2_clear
# Policy-signing key pair lives outside the TPM; only the public half is loaded.
openssl genrsa -out signing_key_private.pem 2048
openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
tpm2_loadexternal -G rsa -a o -u signing_key_public.pem -o signing_key.ctx -n signing_key.name
# Capture the current PCR0 value and build a PolicyPCR digest over it (trial session).
tpm2_pcrlist -L sha256:0 -o pcr0.sha256
tpm2_startauthsession -S session.ctx
tpm2_policypcr -S session.ctx -L sha256:0 -F pcr0.sha256 -f pcr.policy
tpm2_flushcontext -S session.ctx
rm -f session.ctx
# Sign the PCR policy digest with the external key.
openssl dgst -sha256 -sign signing_key_private.pem -out pcr.signature pcr.policy
# Build the PolicyAuthorize digest that is bound to the signing key's name, not to PCR values.
tpm2_startauthsession -S session.ctx
tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy -n signing_key.name
tpm2_flushcontext -S session.ctx
rm -f session.ctx
# Create the sealing object under a primary key with the authorized policy attached.
tpm2_createprimary -Q -a o -g sha256 -G rsa -o prim.ctx
echo "primary created"
tpm2_create -Q -g sha256 -u sealing_pubkey.pub -r sealing_prikey.pub -I da-key -C prim.ctx -L authorized.policy
echo " -I- "
# Verify the signature on the TPM to obtain the ticket, then satisfy the policy in a real (policy) session.
tpm2_verifysignature -c signing_key.ctx -G sha256 -m pcr.policy -s pcr.signature -t verification.tkt -f rsassa
tpm2_startauthsession -a -S session.ctx
tpm2_policypcr -Q -S session.ctx -L sha256:0 -f pcr.policy
tpm2_policyauthorize -S session.ctx -o authorized.policy -f pcr.policy -n signing_key.name -t verification.tkt
tpm2_load -Q -C prim.ctx -u sealing_pubkey.pub -r sealing_prikey.pub -o sealing_key.ctx
tpm2_unseal -p "session:session.ctx" -c sealing_key.ctx -o unsealed
# tpm2_unseal writes to the file given with -o; show its contents.
cat unsealed
tpm2_flushcontext -S session.ctx
rm -f session.ctx
---
and the result is the same:
---
Generating RSA private key, 2048 bit long modulus
.....................................................+++++
...+++++
e is 65537 (0x10001)
writing RSA key
transient-context: signing_key.ctx
name: 0x000b2e70e1f0c627f7a6bd6cb39e0b8fb205224b412cc69a69d7a7fccc3c4d1a6204
sha256:
0 : 0xAE356E2BE05D368ECC8918AC6E0812E046E278B57884729C0859A94330EE9695
session-context: session.ctx
policy-digest: 0x742C12E7BD0AB460FCF76253DBBB95D39C09C09D87E36FDFBBE3A60F41DBF635
session-context: session.ctx
47b69be668ccacfc8b1fb50c3740500dc69153439a726b8f86a5e05ea1529ff1
primary created
-I-
session-context: session.ctx
47b69be668ccacfc8b1fb50c3740500dc69153439a726b8f86a5e05ea1529ff1
WARNING:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
ERROR:esys:../tpm2-tss/src/tss2-esys/api/Esys_Unseal.c:101:Esys_Unseal() Esys Finish ErrorCode (0x0000008f)
ERROR: Esys_Unseal(0x8F) - tpm:handle(unk):invalid nonce size or nonce value mismatch
ERROR: Unseal failed!
ERROR: Unable to run tpm2_unseal
---
---
root@alpha-board-a81d160db6b9:/tmp# tpm2_getcap -c properties-fixed | grep -i vendor_string -A2
TPM2_PT_VENDOR_STRING_1:
raw: 0x496E7465
value: "Inte"
TPM2_PT_VENDOR_STRING_2:
raw: 0x6C000000
value: "l"
TPM2_PT_VENDOR_STRING_3:
raw: 0x0
value: ""
TPM2_PT_VENDOR_STRING_4:
raw: 0x0
value: ""
root@alpha-board-a81d160db6b9:/tmp# tpm2_getcap --version
tool="tpm2_getcap" version="3.0.2-858-g88956e75" tctis="dynamic" tcti-default=tabrmd dlclose=enabled
---
I wonder if this could be a build flags issue or something else, as the TPM
version pretty much looks the same?
thanks,
Petko
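An added example, not part of Petko's mail and not tpm2-tools code: a small Python script that reconstructs the two policy digests the session output above prints (the PolicyPCR digest after tpm2_policypcr and the authorized-policy digest after tpm2_policyauthorize) following the TPM 2.0 Library Specification, Part 3 hash rules for TPM2_PolicyPCR and TPM2_PolicyAuthorize. The PCR0 value, the signing key's name and the two digests are copied from the transcript above; the command codes, the SHA-256 algorithm id and the 3-byte pcrSelect width are spec values that tpm2-tools is assumed to use. Running it shows whether the offline computation agrees with what the TPM produced, and makes the security property of the scheme visible: the authorized digest sealed into the object depends only on the signer's name, so a new PCR policy needs only a new signature, not a new sealed object.

```python
"""Reconstruct TPM 2.0 policy digests (PolicyPCR, PolicyAuthorize) offline.

Hash construction follows TPM 2.0 Library Spec Part 3 (TPM2_PolicyPCR,
TPM2_PolicyAuthorize). PAGE_* values are quoted from the mail's transcript.
"""
import hashlib
import struct

# Spec constants (TPM 2.0 Part 2): algorithm id and command codes.
TPM_ALG_SHA256 = 0x000B
TPM_CC_POLICY_AUTHORIZE = 0x0000016A
TPM_CC_POLICY_PCR = 0x0000017F

# Quoted from the session output in the mail above (not constructed).
PAGE_PCR0 = bytes.fromhex("AE356E2BE05D368ECC8918AC6E0812E046E278B57884729C0859A94330EE9695")
PAGE_PCR_POLICY = "742c12e7bd0ab460fcf76253dbbb95d39c09c09d87e36fdfbbe3a60f41dbf635"
PAGE_KEY_NAME = bytes.fromhex("000b2e70e1f0c627f7a6bd6cb39e0b8fb205224b412cc69a69d7a7fccc3c4d1a6204")
PAGE_AUTHORIZED_POLICY = "47b69be668ccacfc8b1fb50c3740500dc69153439a726b8f86a5e05ea1529ff1"


def pcr_selection(pcrs, alg=TPM_ALG_SHA256, size_of_select=3):
    """Marshal a TPML_PCR_SELECTION with a single bank: count, hash alg,
    sizeofSelect and the pcrSelect bitmap (3 bytes is what tpm2-tools
    is assumed to emit for a sha256 bank)."""
    select = bytearray(size_of_select)
    for p in pcrs:
        select[p // 8] |= 1 << (p % 8)
    return struct.pack(">IHB", 1, alg, size_of_select) + bytes(select)


def policy_pcr(pcr_values, pcrs, old_digest=bytes(32)):
    """TPM2_PolicyPCR: H(old || TPM_CC_PolicyPCR || pcrs || H(selected PCR values)).
    A fresh session starts with a 32-byte zero digest."""
    digest_tpm = hashlib.sha256(b"".join(pcr_values)).digest()
    return hashlib.sha256(
        old_digest + struct.pack(">I", TPM_CC_POLICY_PCR) + pcr_selection(pcrs) + digest_tpm
    ).digest()


def policy_authorize(key_name, policy_ref=b""):
    """TPM2_PolicyAuthorize: the running digest is reset to zero, extended
    with the command code and the signer's name, then extended once more
    with policyRef (empty in the script above). PCR values never enter."""
    step1 = hashlib.sha256(
        bytes(32) + struct.pack(">I", TPM_CC_POLICY_AUTHORIZE) + key_name
    ).digest()
    return hashlib.sha256(step1 + policy_ref).digest()


def reproduce():
    """Recompute both digests from the transcript's inputs.
    Returns {label: (computed_hex, quoted_hex, equal)}."""
    pcr = policy_pcr([PAGE_PCR0], [0]).hex()
    auth = policy_authorize(PAGE_KEY_NAME).hex()
    return {
        "pcr_policy": (pcr, PAGE_PCR_POLICY, pcr == PAGE_PCR_POLICY),
        "authorized_policy": (auth, PAGE_AUTHORIZED_POLICY, auth == PAGE_AUTHORIZED_POLICY),
    }


if __name__ == "__main__":
    for label, (computed, quoted, ok) in reproduce().items():
        print(f"{label}:\n  computed {computed}\n  quoted   {quoted}\n  match    {ok}")
    # A different PCR0 changes the PCR policy but leaves the sealed object's
    # authorized policy untouched; only a fresh signature over the new
    # pcr.policy is needed from the holder of signing_key_private.pem.
    changed = policy_pcr([bytes(32)], [0]).hex()
    print("PCR policy changes with PCR0:", changed != reproduce()["pcr_policy"][0])
    print("authorized policy independent of PCR0:",
          policy_authorize(PAGE_KEY_NAME).hex() == reproduce()["authorized_policy"][0])
```

If both `match` lines print True, the tool's session started from a zero digest and marshals the selection as assumed, so the digests in the transcript are sound and the later TPM_RC_NONCE (0x8F, "invalid nonce size or nonce value mismatch") from tpm2_unseal is a session-level problem rather than a policy-digest one. If a match prints False, compare the pcrSelect width and the policyRef handling first, since those are the only assumptions in this reconstruction.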
Thread overview: 2+ messages
2019-02-26 11:20 Petko Manolov [this message]
2019-02-22 21:19 [tpm2] tpm2 Digest, Vol 20, Issue 17 Desai, Imran