The script of tpm2_policyauthorize failed
by Zhao, Shirley
Hi, all,
I ran the tpm2_policyauthorize script and met an error.
The steps follow the page https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_policyau....
Not sure whether it is the script error or any bug in source code.
The log is as below, please help check.
$ openssl genrsa -out signing_key_private.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................+++++
....................................................................................................................................................................................................................................+++++
e is 65537 (0x010001)
$ openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
writing RSA key
$ tpm2_startup --clear --tcti=mssim
$ tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx -n signing_key.name --tcti=mssim
name: 000be282af94009998a545488daf129bac7379048a44361b9e77df40a03bc4ab8a4e
$ tpm2_pcrread -opcr0.sha256 sha256:0 --tcti=mssim
sha256:
0 : 0x0000000000000000000000000000000000000000000000000000000000000000
$ tpm2_startauthsession -S session.ctx --tcti=mssim
$ tpm2_policypcr -S session.ctx -l sha256:0 -f pcr0.sha256 -L pcr.policy --tcti=mssim
093ceb41181d47808862d7946268ee6a17a10e3d1b79b32351bc56e4beaceff0
$ tpm2_flushcontext session.ctx --tcti=mssim
$ openssl dgst -sha256 -sign signing_key_private.pem -out pcr.signature pcr.policy
$ tpm2_startauthsession -S session.ctx --tcti=mssim
$ tpm2_policyauthorize -S session.ctx -L authorized.policy -i pcr.policy -n signing_key.name --tcti=mssim
1307183d719d482ddb2465b67e31ee1728313157d4be0f15a6fe0ded4540758d
$ tpm2_flushcontext session.ctx --tcti=mssim
$ tpm2_nvdefine 0x1500017 -C o -s 32 -L authorized.policy -a "policyread|policywrite" --tcti=mssim
nv-index: 0x1500017
$ tpm2_verifysignature -c signing_key.ctx -g sha256 -m pcr.policy -s pcr.signature -t verification.tkt -f rsassa --tcti=mssim
$ tpm2_startauthsession --policy-session -S session.ctx --tcti=mssim
$ tpm2_policyauthorize -S session.ctx -L authorized.policy -i pcr.policy -n signing_key.name -t verification.tkt --tcti=mssim
WARNING:esys:src/tss2-esys/api/Esys_PolicyAuthorize.c:306:Esys_PolicyAuthorize_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_PolicyAuthorize.c:108:Esys_PolicyAuthorize() Esys Finish ErrorCode (0x000001c4)
ERROR: Esys_PolicyAuthorize(0x1C4) - tpm:parameter(1):value is out of range or is not correct for the context
ERROR: Could not build tpm authorized policy
ERROR: Unable to run tpm2_policyauthorize
$ echo "nvpolicyauthorizetest" > nv.test_w
$ tpm2_nvwrite 0x1500017 -P"session:session.ctx" -i nv.test_w --tcti=mssim
WARNING:esys:src/tss2-esys/api/Esys_NV_Write.c:310:Esys_NV_Write_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Write.c:110:Esys_NV_Write() Esys Finish ErrorCode (0x0000099d)
ERROR: Failed to write NV area at index 0x1500017
ERROR: Tss2_Sys_NV_Write(0x99D) - tpm:session(1):a policy check failed
ERROR: Unable to run tpm2_nvwrite
Thanks.
* Shirley
11 months, 1 week
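As an added illustration (not from the post, the man page or tpm2-tools), a small Python model of the two policy commands in the log: TPM2_PolicyAuthorize in a real (non-trial) session first compares approvedPolicy with the session's current policyDigest and returns TPM_RC_VALUE on parameter 1 when they differ, while a trial session skips that check, and a freshly started session has an all-zero digest. The key name and the PCR 0 value are taken from the log above; the 3-byte PCR select size and the digest formulas are modelled after the TPM 2.0 Library specification (Part 3) and are assumptions of this example.

```python
import hashlib

# TPM 2.0 command codes and constants (TPM 2.0 Library spec, Part 2)
TPM_CC_PolicyPCR = 0x0000017F
TPM_CC_PolicyAuthorize = 0x0000016A
TPM_ALG_SHA256 = 0x000B
ZERO_DIGEST = bytes(32)  # a freshly started policy session has an all-zero policyDigest

# Values from the posted log: the tpm2_loadexternal name, and the all-zero PCR 0 that was read
KEY_NAME = bytes.fromhex("000be282af94009998a545488daf129bac7379048a44361b9e77df40a03bc4ab8a4e")
PCR0 = bytes(32)


def policy_pcr(digest, pcr_values, pcr_index=0, sizeof_select=3):
    """TPM2_PolicyPCR: digest' = H(digest || CC || TPML_PCR_SELECTION || H(selected PCR values)).
    sizeof_select=3 is the 24-PCR bank layout (assumption about what the simulator reports)."""
    select = bytearray(sizeof_select)
    select[pcr_index // 8] |= 1 << (pcr_index % 8)
    pcrs = ((1).to_bytes(4, "big") + TPM_ALG_SHA256.to_bytes(2, "big")
            + bytes([sizeof_select]) + bytes(select))
    pcr_digest = hashlib.sha256(b"".join(pcr_values)).digest()
    return hashlib.sha256(digest + TPM_CC_PolicyPCR.to_bytes(4, "big") + pcrs + pcr_digest).digest()


def policy_authorize(digest, approved_policy, key_name, policy_ref=b"", trial=False):
    """TPM2_PolicyAuthorize. A real session checks approvedPolicy == current policyDigest
    (mismatch: TPM_RC_VALUE on parameter 1, the 0x1C4 seen in the log); a trial session does not.
    On success the digest is reset to zero, then extended with CC || keyName, then with policyRef."""
    if not trial and approved_policy != digest:
        raise ValueError("TPM_RC_VALUE: approvedPolicy does not match the session policyDigest")
    d = hashlib.sha256(ZERO_DIGEST + TPM_CC_PolicyAuthorize.to_bytes(4, "big") + key_name).digest()
    return hashlib.sha256(d + policy_ref).digest()


def posted_order(key_name=KEY_NAME, pcr0=PCR0):
    """Replay the log: PolicyPCR in a trial session (then flushed), PolicyAuthorize in a trial
    session (succeeds), then PolicyAuthorize as the first command of a fresh real session.
    Returns (authorized.policy, error message or None)."""
    pcr_policy = policy_pcr(ZERO_DIGEST, [pcr0])                                  # pcr.policy
    authorized = policy_authorize(ZERO_DIGEST, pcr_policy, key_name, trial=True)  # authorized.policy
    try:
        policy_authorize(ZERO_DIGEST, pcr_policy, key_name)  # real session: digest is still zero
        return authorized, None
    except ValueError as err:
        return authorized, str(err)


def pcr_then_authorize(key_name=KEY_NAME, pcr0=PCR0):
    """Real session whose digest is first brought to pcr.policy by PolicyPCR, then authorized."""
    pcr_policy = policy_pcr(ZERO_DIGEST, [pcr0])
    return policy_authorize(pcr_policy, pcr_policy, key_name)
```

The model also shows why authorized.policy (and hence the NV index's policy) depends only on the signing key's name and policyRef, not on the PCR values: any pcr.policy the key signs can satisfy it.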
Re: Hello from a small community of TPM enthusiasts
by Fuchs, Andreas
> Spot on. I have one such example from yesterday, where we were
> wondering why generating a symmetric key with tpm2-tools now
> produces private and public part. Eventually, a clean slide would be the
> only viable option left. I personally am a fan of the minimalistic approach.
That's where I can help:
The public parts don't just include public keys but all kinds of public attributes,
such as usage attributes and authorization policy.
The private parts include a cryptographic link to the public parts as well as the
private information, such as private/secret key and authorization value and are
encrypted.
For the tools, we stayed close to the TPM-spec, which is why they are stored in
those separate files; but also because you sometimes want to send out the public
part to others and use only that (e.g. encryption or key property certification).
Hope that clears things up. :-D
Cheers,
Andreas
11 months, 1 week
Re: Hello from a small community of TPM enthusiasts
by David Woodhouse
On Wed, 2020-05-06 at 18:56 +0000, Dimitar Tomov wrote:
> We have a small community of about 25 TPM enthusiasts from companies
> like Nokia Bell Labs, LetsTrust, WolfSSL, etc. We use TPM2 tools and
> discuss various use cases, the TPM implementations, everything, some
> interesting topics arise. We would really appreciate you joining our
> online chats, we have it every Wednesday at 8am PDT -
> https://developers.tpm.dev/events We are thinking about some
> documentation effort of how to use TPM features. Everyone's welcome.
I'll see if I can join.
With respect to documentation I'd strongly recommend taking the
approach of "if it needs documenting, fix it first. Then document
what's left".
We should make software as trivial and intuitive as possible for users,
not *just* provide a twisty maze of documentation in the hope that some
of the most persistent will eventually navigate their way through it.
On which topic, I should probably improve the user documentation in
http://www.infradead.org/openconnect/tpm.html — would be good if I
should show users how to import an existing key. Did we actually
implement that in the tpm2-tss-engine yet or do users still have to do
it using the IBM engine?
11 months, 1 week
Re: Hello from a small community of TPM enthusiasts
by Roberts, William C
I am going to try and attend next week. Thanks.
Bill
> -----Original Message-----
> From: Dimitar Tomov [mailto:dimi@designfirst.ee]
> Sent: Wednesday, May 6, 2020 1:57 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] Hello from a small community of TPM enthusiasts
>
> Hello everyone,
>
>
> We have a small community of about 25 TPM enthusiasts from companies like
> Nokia Bell Labs, LetsTrust, WolfSSL, etc. We use TPM2 tools and discuss various
> use cases, the TPM implementations, everything, some interesting topics arise.
> We would really appreciate you joining our online chats, we have it every
> Wednesday at 8am PDT - https://developers.tpm.dev/events We are thinking
> about some documentation effort of how to use TPM features. Everyone's
> welcome.
>
> Best,
>
> Dimi
11 months, 1 week
Hello from a small community of TPM enthusiasts
by Dimitar Tomov
Hello everyone,
We have a small community of about 25 TPM enthusiasts from companies like Nokia Bell Labs, LetsTrust, WolfSSL, etc. We use TPM2 tools and discuss various use cases, the TPM implementations, everything; some interesting topics arise. We would really appreciate you joining our online chats; we have them every Wednesday at 8am PDT - https://developers.tpm.dev/events We are thinking about some documentation effort of how to use TPM features. Everyone's welcome.
Best,
Dimi
11 months, 1 week
Are there any help documents/sites on writing an ESAPI program.
by Steven Clark
I need to perform a command that doesn't have a tools executable yet
(TPM2_ECDH_ZGen) and on a persistent object handle that won't be compatible
with the on-disk key-databases of FAPI or PKCS#11. So that means I need to
write my own code in C, and that code needs to use the ESAPI.
I've had a lot of lead time to see this coming so I've done a few little
experiments. They have not improved my confidence in my understanding of
the API. For example I'm still not sure which structures I'm supposed to
access directly and which ones are supposed to be manipulated using
functions.
The Specs are either long and theoretical or dry and terse. And both the
tests for TSS and the source files for Tools make use of internal
abstraction layers. I'm having trouble getting a whole-process
picture. Are there any resources out there to help me get my sea-legs on
ESAPI code?
11 months, 2 weeks