From: Roberts, William C <william.c.roberts at intel.com>
To: tpm2@lists.01.org
Subject: [tpm2] Re: trying duplication and then rsa_en/decrypt
Date: Thu, 21 May 2020 17:06:13 +0000
Message-ID: <476DC76E7D1DF2438D32BFADF679FC5649EF3FFF@ORSMSX101.amr.corp.intel.com>
In-Reply-To: 7fb00ec2-60eb-3027-f9d5-dda3d939f884@oracle.com

> -----Original Message-----
> From: ted.h.kim(a)oracle.com [mailto:ted.h.kim(a)oracle.com]
> Sent: Thursday, May 21, 2020 11:19 AM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: trying duplication and then rsa_en/decrypt
> 
> William,
> 
> Thanks for your reply.
> 
> On 5/21/20 8:08 AM, Roberts, William C wrote:
> >> -----Original Message-----
> >> From: ted.h.kim(a)oracle.com [mailto:ted.h.kim(a)oracle.com]
> >> Sent: Wednesday, May 20, 2020 7:38 PM
> >> To: Desai, Imran <imran.desai(a)intel.com>
> >> Cc: tpm2(a)lists.01.org
> >> Subject: [tpm2] Re: trying duplication and then rsa_en/decrypt
> >>
> >> Imran,
> >>
> >> The fix worked -- Thank you.
> >>
> >> One other suggestion would be to add "userwithauth" to the
> >> tpm2_create commands in the man page examples for tpm2_duplicate(1)
> >> and tpm2_policyduplicationselect(1). This would make the duplicated
> >> keys in those examples more useful.
> > That patch I had to revert, a similar fix will come out, but we must
> > not turn down userwith when someone:
> > - doesn't provide attributes via -a
> > - doesn't provide a password
> > - does provide a policy
> >
> > If someone specifies a policy and no password without explicitly
> > providing the attributes, they likely want the authorization to the
> > object to be controlled via policy, not policy and an empty password.
> > So when the tool is choosing attributes that's how it needs to do it.
> > So for your example, you'll have to specify userwithauth and then we
> > will update the manpage to reflect this.
> >
> > Note that you're creating an object with no real auth value (empty
> > password), so keep that in mind.
> 
> understand, looking forward to the final fix
> 
> 
> >> Since I am on the 4.1.X branch, should I expect this fix to roll out with 4.1.3 ?
> > Why not just bump versions? Everything on 4.X is backwards compat,
> > nothing breaks.
> > You may need to bump your tss version, but again, backwards compat,
> > should just Work.
> 
> I will eventually do that.
> 
> But for the moment, I don't have the time. I know using tpm2-tools-4.2.X
> requires tpm2-tss-2.4.x which for my environment has some missing
> dependencies which I have yet to resolve.

No worries, we should be able to do a backport fix for you. We have a milestone here:
https://github.com/tpm2-software/tpm2-tools/milestone/20

Hopefully Monday we can cut RC0 and then a week from that have a full release.


> 
> Thanks,
> -ted
> 
> 
> >> Thanks,
> >> -ted
> >>
> >> On 5/20/20 1:49 PM, ted.h.kim(a)oracle.com wrote:
> >>> Imran,
> >>>
> >>> Okay, I will try it out.
> >>>
> >>> Also thanks for the pointer to the example on duplicating objects
> >>> between TPMs.
> >>>
> >>> Thanks,
> >>> -ted
> >>>
> >>> On 5/20/20 12:44 PM, Imran Desai wrote:
> >>>> I have a PR fixing this issue. If you want to try your script with
> >>>> this branch, it is here:
> >>>> https://urldefense.com/v3/__https://github.com/tpm2-software/tpm2-tools/pull/2038__;!!GqivPVa7Brio!JgE6G26n2bbDPLYBuJ2jf-Buv9U53CDF_b_5y43EAj8Q9hiybuldt1D8ZH_RPlQ$
> >>>> _______________________________________________
> >>>> tpm2 mailing list -- tpm2(a)lists.01.org To unsubscribe send an email
> >>>> to tpm2-leave(a)lists.01.org
> >>>> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> >> --
> >> Ted H. Kim, PhD
> >> ted.h.kim(a)oracle.com
> >> +1 310-258-7515
> >>
> 
> --
> Ted H. Kim, PhD
> ted.h.kim(a)oracle.com
> +1 310-258-7515
> 
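
The attribute-selection rule described in this message, modeled as an added example (not tpm2-tools code and not part of the original thread). The baseline attribute set, the function names and the finding labels are assumptions; the bit positions are the TPMA_OBJECT ones from the TPM 2.0 specification.

```python
# TPMA_OBJECT bit positions from the TPM 2.0 specification (Part 2).
TPMA_OBJECT = {
    "fixedtpm": 1 << 1, "stclear": 1 << 2, "fixedparent": 1 << 4,
    "sensitivedataorigin": 1 << 5, "userwithauth": 1 << 6,
    "adminwithpolicy": 1 << 7, "noda": 1 << 10,
    "encryptedduplication": 1 << 11, "restricted": 1 << 16,
    "decrypt": 1 << 17, "sign": 1 << 18,
}
# Assumed baseline used when no -a is given (illustrative, not the tool's).
BASELINE = "fixedtpm|fixedparent|sensitivedataorigin|decrypt|sign"


def parse_attrs(spec):
    """Turn 'decrypt|sign|userwithauth' into a TPMA_OBJECT bitfield."""
    bits = 0
    for name in filter(None, (p.strip().lower() for p in spec.split("|"))):
        if name not in TPMA_OBJECT:
            raise ValueError(f"unknown attribute: {name}")
        bits |= TPMA_OBJECT[name]
    return bits


def choose_attrs(attrs=None, password=None, policy=None):
    """Explicit attributes always win; otherwise apply the thread's rule."""
    if attrs is not None:
        return parse_attrs(attrs)
    bits = parse_attrs(BASELINE)
    # No attributes, no password, but a policy: leave userwithauth clear so
    # the policy is the only way to authorize use of the object.
    if not (policy and not password):
        bits |= TPMA_OBJECT["userwithauth"]
    return bits


def audit(bits, password=None, policy=None):
    """Return findings about how use of the object can be authorized."""
    findings = []
    uwa = bool(bits & TPMA_OBJECT["userwithauth"])
    if uwa and not password:
        findings.append("empty-auth")        # userwithauth with empty auth value
        if policy:
            findings.append("policy-bypass")  # empty password sidesteps policy
    if not uwa and not policy:
        findings.append("unusable")           # no way to authorize user actions
    return findings
```

The `policy-bypass` finding corresponds to the case raised in the thread: a duplicable key created with a policy, explicit `userwithauth` and an empty password.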

