On 05/02/2019 23:35, Munson, Charles - 0553 - MITLL wrote:
I’m not sure if this is user error or an issue with one of the tools.
I am trying to do a createek -> createak -> makecredential ->
activatecredential workflow with the new ESAPI tools in master
(following the advice when used with a resource manager here:
This seems to work well when there is no AK authorization set (when
performing createak), though fails with an “authorization HMAC check
failed” error when setting an AK_AUTH.
So for instance (following the documentation):
tpm2_createek -c 0x81010001 -G rsa -p ek.pub
tpm2_createak -C 0x81010001 -k 0x81010002 -p ak.pub -n ak.name -P "akpw"
tpm2_makecredential -e ek.pub -s file_input_data.txt -n <ak.name here>
tpm2_activatecredential -c 0x81010002 -C 0x81010001 -f outcred.out -o
Received TPM Error
Esys Finish ErrorCode (0x0000098e)
ERROR: Esys_ActivateCredential(0x98E) - tpm:session(1):the authorization
HMAC check failed and DA counter incremented
ERROR: Unable to run tpm2_activatecredential
Note that by not using an AK_AUTH (removing all of the -P "akpw" code),
this works, and this example used to work pre-ESAPI. Is this no
longer supported? Everything seems to work fine still with tpm2_quote.
This is a bug introduced when I ported tpm2_activatecredential to use
the ESAPI. I took a look and can't immediately see what the fix is, but
I'm still trying to wrap my head around TPM sessions. I am working on a
fix for this in tandem with some other session-related changes in the tools.