public inbox for tpm2@lists.linux.dev
From: Lennart Poettering <mzgcz2gff@0pointer.net>
To: tpm2@lists.linux.dev
Subject: Using TPM2_LoadExternal() for loading an HMAC key into the TPM?
Date: Tue, 16 Apr 2024 15:05:51 +0200	[thread overview]
Message-ID: <Zh53rw5o97SVXZWT@gardel-login> (raw)

Hi!

I was wondering if anyone has an idea how precisely to set up a pair
of TPM2B_PUBLIC and TPM2B_SENSITIVE structures for loading an
HMAC-SHA256 key into the TPM via TPM2_LoadExternal()?

I am currently setting things up more or less like this:

        TPM2B_PUBLIC auth_hmac_public = {
                .size = sizeof(TPMT_PUBLIC),
                .publicArea = {
                        .type = TPM2_ALG_KEYEDHASH,
                        .nameAlg = TPM2_ALG_SHA256,
                        .objectAttributes = TPMA_OBJECT_DECRYPT | TPMA_OBJECT_SIGN_ENCRYPT /* | TPMA_OBJECT_USERWITHAUTH */,
                        .parameters.keyedHashDetail.scheme.scheme = TPM2_ALG_SHA256,
                        .unique.keyedHash.size = buffer.size,
                },
        };

        TPM2B_SENSITIVE auth_hmac_private = {
                .size = sizeof(TPMT_SENSITIVE),
                .sensitiveArea = {
                        .sensitiveType = TPM2_ALG_KEYEDHASH,
                        .sensitive.sym.size = buffer.size,
                },
        };

        memcpy(auth_hmac_private.sensitiveArea.sensitive.sym.buffer, buffer.buffer, buffer.size);

And then use TPM2_LoadExternal() with this, for the NULL hierarchy.

tpm2-tss responds with these errors:

         ERROR:esys:src/tss2-esys/api/Esys_LoadExternal.c:184:Esys_LoadExternal_Async() SAPI Prepare returned error. ErrorCode (0x0009000b)
         ERROR:esys:src/tss2-esys/api/Esys_LoadExternal.c:85:Esys_LoadExternal() Error in async function ErrorCode (0x0009000b)

But, uh, what am I supposed to make of this?

I figure it's not even the TPM that refuses this, but it's tpm2-tss
already?

Does anyone have an idea?

(Background: I am trying to protect an nvindex that I want to use with
TPM2_AuthorizeNV, with a TPM2_PolicySigned access policy. I want to
use an HMAC key for the signature scheme. If you want to know even
more, see → https://github.com/systemd/systemd/pull/31790. The above
is more or less a copy of the topmost commit of that.)

Any help appreciated!

Lennart

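The following is an added example, not code from this thread, from systemd or from tpm2-tss. It hand-marshals an HMAC-SHA256 keyedHash object into the TPM2B_PUBLIC and TPM2B_SENSITIVE wire encodings that TPM2_LoadExternal() consumes, so the bytes can be compared against what a TSS stack sends, and it re-runs the consistency checks a TPM applies to such a pair. Two points it makes concrete: TPMT_KEYEDHASH_SCHEME.scheme is a union selector whose valid values are TPM2_ALG_HMAC, TPM2_ALG_XOR and TPM2_ALG_NULL (TPM 2.0 Library Part 2), with the hash algorithm living in details.hmac.hashAlg rather than in the selector; and when inPrivate is supplied, the TPM binds the public unique field to the sensitive area. The binding rule used here (unique = H_nameAlg(seedValue || key)) and the sign/decrypt/scheme consistency rule are my reading of Parts 1 and 2 and are assumptions to verify against your TPM; the sample key is constructed, and all function names are mine.

```python
"""Hand-marshal an HMAC-SHA256 keyedHash object for TPM2_LoadExternal().
Added example; layout per TPM 2.0 Library Part 2.  The unique-binding and
sign/decrypt/scheme rules below are my reading of the spec (assumptions)."""
import hashlib
import struct

# TPM2_ALG_* identifiers (TPM 2.0 Part 2, algorithm ID table)
TPM2_ALG_HMAC = 0x0005
TPM2_ALG_KEYEDHASH = 0x0008
TPM2_ALG_XOR = 0x000A
TPM2_ALG_SHA256 = 0x000B
TPM2_ALG_NULL = 0x0010

# TPMA_OBJECT attribute bits
TPMA_OBJECT_FIXEDTPM = 0x00000002
TPMA_OBJECT_FIXEDPARENT = 0x00000010
TPMA_OBJECT_USERWITHAUTH = 0x00000040
TPMA_OBJECT_DECRYPT = 0x00020000
TPMA_OBJECT_SIGN_ENCRYPT = 0x00040000

KEYEDHASH_SELECTORS = {TPM2_ALG_HMAC, TPM2_ALG_XOR, TPM2_ALG_NULL}
HASH_FOR_NAMEALG = {TPM2_ALG_SHA256: hashlib.sha256}


def tpm2b(data):
    """TPM2B_*: big-endian UINT16 size followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def is_keyedhash_selector(alg):
    """scheme selects a TPMU_SCHEME_KEYEDHASH member; a hash ID such as
    TPM2_ALG_SHA256 is not a selector, it belongs in details.hmac.hashAlg."""
    return alg in KEYEDHASH_SELECTORS


def scheme_allowed_for_attrs(attrs, scheme):
    """My reading of Part 2: sign+decrypt both SET requires TPM2_ALG_NULL;
    an HMAC scheme requires sign SET and decrypt CLEAR (assumption)."""
    sign = bool(attrs & TPMA_OBJECT_SIGN_ENCRYPT)
    decrypt = bool(attrs & TPMA_OBJECT_DECRYPT)
    if scheme == TPM2_ALG_HMAC:
        return sign and not decrypt
    if sign and decrypt:
        return scheme == TPM2_ALG_NULL
    return True


def keyedhash_scheme(scheme, hash_alg=None):
    """TPMT_KEYEDHASH_SCHEME: selector, then the selected details."""
    if not is_keyedhash_selector(scheme):
        raise ValueError("0x%04x is not a TPMU_SCHEME_KEYEDHASH selector" % scheme)
    if scheme == TPM2_ALG_NULL:
        return struct.pack(">H", scheme)
    if scheme == TPM2_ALG_HMAC:                 # TPMS_SCHEME_HMAC: hashAlg
        return struct.pack(">HH", scheme, hash_alg)
    raise NotImplementedError("TPMS_SCHEME_XOR (hashAlg + kdf) not covered here")


def compute_unique(name_alg, key, seed=b""):
    """unique for a keyedHash object: H_nameAlg(seedValue || key) (assumption);
    with an empty seedValue this is just H(key)."""
    return HASH_FOR_NAMEALG[name_alg](seed + key).digest()


def marshal_public(name_alg, attrs, scheme, hash_alg, unique, auth_policy=b""):
    """TPM2B_PUBLIC around a keyedHash TPMT_PUBLIC."""
    if not scheme_allowed_for_attrs(attrs, scheme):
        raise ValueError("scheme 0x%04x inconsistent with attrs 0x%08x" % (scheme, attrs))
    body = struct.pack(">HHI", TPM2_ALG_KEYEDHASH, name_alg, attrs)
    body += tpm2b(auth_policy)                  # authPolicy (empty: none)
    body += keyedhash_scheme(scheme, hash_alg)  # parameters.keyedHashDetail
    body += tpm2b(unique)                       # unique.keyedHash
    return tpm2b(body)


def marshal_sensitive(key, auth=b"", seed=b""):
    """TPM2B_SENSITIVE around a keyedHash TPMT_SENSITIVE."""
    body = struct.pack(">H", TPM2_ALG_KEYEDHASH) + tpm2b(auth) + tpm2b(seed) + tpm2b(key)
    return tpm2b(body)


def parse_public(pub):
    off = 2                                     # skip outer TPM2B size
    typ, name_alg, attrs = struct.unpack_from(">HHI", pub, off); off += 8
    n = struct.unpack_from(">H", pub, off)[0]; off += 2 + n       # authPolicy
    scheme = struct.unpack_from(">H", pub, off)[0]; off += 2
    hash_alg = None
    if scheme == TPM2_ALG_HMAC:
        hash_alg = struct.unpack_from(">H", pub, off)[0]; off += 2
    n = struct.unpack_from(">H", pub, off)[0]; off += 2
    return dict(type=typ, name_alg=name_alg, attrs=attrs, scheme=scheme,
                hash_alg=hash_alg, unique=pub[off:off + n])


def parse_sensitive(priv):
    off = 2
    stype = struct.unpack_from(">H", priv, off)[0]; off += 2
    fields = []
    for _ in range(3):                          # authValue, seedValue, sensitive
        n = struct.unpack_from(">H", priv, off)[0]; off += 2
        fields.append(priv[off:off + n]); off += n
    return dict(type=stype, auth=fields[0], seed=fields[1], key=fields[2])


def binding_ok(pub, priv):
    """Checks a TPM applies when inPrivate is supplied (my reading): fixedTPM
    and fixedParent CLEAR, and unique consistent with the sensitive area."""
    p, s = parse_public(pub), parse_sensitive(priv)
    if p["attrs"] & (TPMA_OBJECT_FIXEDTPM | TPMA_OBJECT_FIXEDPARENT):
        return False
    return p["unique"] == compute_unique(p["name_alg"], s["key"], s["seed"])


def hmac_sha256_loadexternal_blobs(key, user_with_auth=False):
    """(inPublic, inPrivate) for TPM2_LoadExternal() of an HMAC-SHA256 key."""
    attrs = TPMA_OBJECT_SIGN_ENCRYPT | (TPMA_OBJECT_USERWITHAUTH if user_with_auth else 0)
    unique = compute_unique(TPM2_ALG_SHA256, key)
    return (marshal_public(TPM2_ALG_SHA256, attrs, TPM2_ALG_HMAC, TPM2_ALG_SHA256, unique),
            marshal_sensitive(key))


if __name__ == "__main__":
    KEY = bytes(range(32))                      # constructed sample key
    pub, priv = hmac_sha256_loadexternal_blobs(KEY)
    print("inPublic :", pub.hex())
    print("inPrivate:", priv.hex())
    print("binding ok:", binding_ok(pub, priv))
```

The emitted inPublic starts with the outer size, then 0x0008 (KEYEDHASH), 0x000b (SHA256 nameAlg), the attribute word, an empty authPolicy, 0x0005 0x000b (HMAC scheme with SHA256 hashAlg) and the 32-byte unique; comparing that byte string against a command dump from the TSS is a quick way to see whether the rejection happens before the command ever reaches the TPM.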
Thread overview (2 messages):
2024-04-16 13:05 Lennart Poettering [this message]
2024-04-16 14:23 ` Using TPM2_LoadExternal() for loading an HMAC key into the TPM? Juergen Repp