I am still expecting your response about this issue.

> You said in the former mail that
> "Unless you took an RM virtualized handle and went directly to the TPM
> with it, there shouldn't be a problem"
> I have checked again and found that my program uses an RM
> virtualized handle for computing HMAC and if I substitute the virtual
> handle to real one, the error 0x98e disappears.
> Any advice?
>
>> Thank you for your reply.
>>
>> Where can I find necessary information for "get HMAC to work"?
>>
>> And, where can I find extended-sessions.sh?
>>
>> Many thanks.
>>> test/system/tests/tcti/abrmd/extended-sessions.sh
>>>
>>> That uses abrmd which has an RM extension to allow session handles
>>> to be marked for non-flushing on client disconnection, but that
>>> point likely won't concern you.
>>>
>>> This test script uses tools that start a pcr policy session, satisfy
>>> or build the policy, and use it for unsealing data.
>>>
>>> It might be good to see if you can get HMAC to work in this
>>> framework from a learning perspective and then you could contribute
>>> hmac policy session support back to the tools.
>>>
>>>
>>>> -----Original Message-----
>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>> Sent: Thursday, January 18, 2018 3:11 PM
>>>> To: Roberts, William C ; tpm2(a)lists.01.org
>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>
>>>> You said that "I would look at how the tpm2-tools do it, they make
>>>> for decent reference code."
>>>> Would you tell me the place of tpm2-tools where I should look as
>>>> reference code.
>>>> Regards,
>>>>
>>>>>> -----Original Message-----
>>>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>>>> Sent: Thursday, January 18, 2018 6:44 AM
>>>>>> To: Roberts, William C ; tpm2(a)lists.01.org
>>>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>>>
>>>>>> I appreciate much for your help. I am expecting for your
>>>>>> information about tpm2-tools.
>>>>> What information are you expecting?
>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>>>>>> Sent: Friday, January 12, 2018 1:47 AM
>>>>>>>> To: Roberts, William C ; tpm2(a)lists.01.org
>>>>>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>>>>>
>>>>>>>> Hi, Mr. Roberts, William
>>>>>>>>
>>>>>>>> Thank you for your advice.
>>>>>>>> I had already checked the details of this error code.
>>>>>>>> My understanding is that the problem is not the setting of the
>>>>>>>> auth but there occurs the discrepancy between the virtual
>>>>>>>> handles and the real handles in the resource manager.
>>>>>>> Unless you took an RM virtualized handle and went directly to
>>>>>>> the TPM with it, there shouldn't be a problem. The RM should be
>>>>>>> swapping out virtualized handles with real ones for you before
>>>>>>> they hit the tpm, and thus, should be transparent.
>>>>>>> As far as what the problem is, it's hard to tell offhand. I
>>>>>>> would look at how the tpm2-tools do it, they make for decent
>>>>>>> reference code.
>>>>>>>
>>>>>>>> Any help will be greatly appreciated
>>>>>>>>
>>>>>>>> Regard,
>>>>>>>>> 0x98e is:
>>>>>>>>>
>>>>>>>>> $ ./tpm2_rc_decode 0x98e
>>>>>>>>> error layer
>>>>>>>>>       hex: 0x0
>>>>>>>>>       identifier: TSS2_TPM_RC_LAYER
>>>>>>>>>       description: Error produced by the TPM
>>>>>>>>> format 1 error code
>>>>>>>>>       hex: 0x0e
>>>>>>>>>       identifier: TPM2_RC_AUTH_FAIL
>>>>>>>>>       description: the authorization HMAC check failed and DA counter incremented
>>>>>>>>> session
>>>>>>>>>       hex: 0x100
>>>>>>>>>       identifier: TPM2_RC_1
>>>>>>>>>       description:  (null)
>>>>>>>>>
>>>>>>>>> So it looks like you're not setting up the auth properly in
>>>>>>>>> the session.
>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Yasuhiro Hosoda
>>>>>>>>>> Sent: Wednesday, December 13, 2017 10:59 PM
>>>>>>>>>> To: tpm2(a)lists.01.org
>>>>>>>>>> Subject: [tpm2] tpm2-tss question
>>>>>>>>>>
>>>>>>>>>> My name is Yasuhiro Hosoda.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I am developing a program using TSS1.0(Nov1.2016).
>>>>>>>>>> I encountered a problem with PolicySecret error 0x98e and
>>>>>>>>>> need help.
>>>>>>>>>> My program uses tpmtest.cpp as a base of development.
>>>>>>>>>> The situation is as follows:
>>>>>>>>>>
>>>>>>>>>> 1 Create TPM Keys like this.
>>>>>>>>>>
>>>>>>>>>> EK
>>>>>>>>>> |--------
>>>>>>>>>> |          |
>>>>>>>>>> MK       AK
>>>>>>>>>> |
>>>>>>>>>> SK
>>>>>>>>>>
>>>>>>>>>> 2 Execute PolicySecret twice using HMAC session. At first, it
>>>>>>>>>> ends without error.
>>>>>>>>>> Then it ends with 0x98e. For clarification, I print out the
>>>>>>>>>> values of Virtual Handle and Real Handle.
>>>>>>>>>> The value of Virtual/Real Handles differ at 2nd execution of
>>>>>>>>>> the command.
>>>>>>>>>> (See NO 25/26 Below)
>>>>>>>>>>
>>>>>>>>>> I understand that the resource manager assigns Virtual Handle
>>>>>>>>>> and my program calculates HMAC using that handles.
>>>>>>>>>> On the other hand, TPM may calculate HMAC using Real Handle.
>>>>>>>>>> That is my hypothesis.
>>>>>>>>>>
>>>>>>>>>> Any suggestion about the usage of Session Handle?
>>>>>>>>>>
>>>>>>>>>> NO   Command                           Virtual/Real Handle               LOC
>>>>>>>>>> 1.   CreatePrimary(EK)                 real=80000000, virtual=80000000   8381
>>>>>>>>>> 2.   HierarchyChangeAuth1                                                8421
>>>>>>>>>> 3.   HierarchyChangeAuth2                                                8431
>>>>>>>>>> 4.   StartAuthSession(Policy)          real=3000000, virtual=3000000     8480
>>>>>>>>>> 5.   PolicySecret(ENDORSEMENT)                                           8494
>>>>>>>>>> 6.   Create(MK)                                                          8515
>>>>>>>>>> 7.   PolicySecret(ENDORSEMENT)                                           8529
>>>>>>>>>> 8.   Load(MK)                          real=80000001, virtual=80000001   8542
>>>>>>>>>> 9.   Evict(MK)                                                           8552
>>>>>>>>>> 10.  Create(SK)                                                          8590
>>>>>>>>>> 11.  Load(SK)                          real=80000001, virtual=80000002   8598
>>>>>>>>>> 12.  PolicySecret(ENDORSEMENT)                                           8609
>>>>>>>>>> 13.  Create(AK)                                                          8635
>>>>>>>>>> 14.  PolicySecret(ENDORSEMENT)                                           8645
>>>>>>>>>> 15.  Load(AK)                          real=80000001, virtual=80000003   8655
>>>>>>>>>> 16.  FlushContext(POLICY)                                                8664
>>>>>>>>>> 17.  StartAuthSession(POLICY)          real=3000000, virtual=3000000     8668
>>>>>>>>>> 18.  StartAuthSession(HMAC)            real=2000001, virtual=2000001     8678
>>>>>>>>>> 19.  ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000004   3706
>>>>>>>>>> 20.  ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000005   3706
>>>>>>>>>> 21.  PolicySecret(SK)                                                    8711
>>>>>>>>>> 22.  FlushContext(HMAC)                                                  8717
>>>>>>>>>> 23.  FlushContext(POLICY)                                                8724
>>>>>>>>>> 24.  CertifyCreation(SK)                                                 8738
>>>>>>>>>> 25.  StartAuthSession(POLICY)          real=3000000, virtual=3000001     8745
>>>>>>>>>> 26.  StartAuthSession(HMAC)            real=2000001, virtual=2000000     8754
>>>>>>>>>> 27.  ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000005   8782
>>>>>>>>>> 28.  ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000004   8782
>>>>>>>>>> 29.  PolicySecret(SK)                                                    8789
>>>>>>>>>>
>>>>>>>>>> The whole source program can be found here.
>>>>>>>>>> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Yasuhiro Hosoda
>>>>>>>>>>
>>>>>>>>>> NTT Electronics Corporation (NEL)
>>>>>>>>>> Security Support Project
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> tpm2 mailing list
>>>>>>>>>> tpm2(a)lists.01.org
>>>>>>>>>> https://lists.01.org/mailman/listinfo/tpm2

--
Yasuhiro Hosoda
NTT Electronics Corporation (NEL)
Systemization Support Center, Security Technology Support Project
New Stage Yokohama, 1-1-32 Shin-Urashima-cho, Kanagawa-ku, Yokohama, Kanagawa 221-0031
Tel 050-9000-6109 / 050-9000-6485 (direct) (ext. 9225)
Fax 045-453-9620
E-mail: hosoda-yasuhiro(a)ntt-el.com
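
Added example, not part of the original thread and not code from tpm2-tss or tpmtest.cpp: a sketch of the TPM 2.0 command HMAC construction, in which a session handle enters cpHash as its own Name, so an HMAC computed over a virtual session handle differs from one computed over the real handle. The key, nonces and SK public area are constructed sample values (assumptions); the two handle values are those of row 25 in the quoted table.

```python
import hashlib
import hmac
import struct

TPM2_CC_POLICY_SECRET = 0x00000151  # TPM2_CC_PolicySecret command code


def session_name(handle):
    """Name of a session (or PCR / permanent) handle: the 4-byte handle itself."""
    return struct.pack(">I", handle)


def object_name(public_area):
    """Name of a loaded object: nameAlg (0x000B = SHA-256) || H(public area)."""
    return struct.pack(">H", 0x000B) + hashlib.sha256(public_area).digest()


def cp_hash(command_code, names, params):
    """cpHash = H(commandCode || Name1 || Name2 || parameters)."""
    data = struct.pack(">I", command_code) + b"".join(names) + params
    return hashlib.sha256(data).digest()


def command_hmac(key, cphash, nonce_newer, nonce_older, attrs):
    """authHMAC = HMAC(key, cpHash || nonceNewer || nonceOlder || attributes)."""
    msg = cphash + nonce_newer + nonce_older + bytes([attrs])
    return hmac.new(key, msg, hashlib.sha256).digest()


def policy_secret_hmac(policy_session_handle):
    """Command HMAC for PolicySecret(SK) given the policy session handle used."""
    # Constructed sample values (assumptions, not data from the thread).
    sk_name = object_name(b"constructed SK public area")
    key = b"constructed session key and auth value"
    nonce_caller, nonce_tpm = b"\x11" * 32, b"\x22" * 32
    # Parameters: empty nonceTPM, cpHashA, policyRef (TPM2B size 0), expiration 0.
    params = b"\x00\x00" * 3 + struct.pack(">i", 0)
    names = [sk_name, session_name(policy_session_handle)]
    cph = cp_hash(TPM2_CC_POLICY_SECRET, names, params)
    return command_hmac(key, cph, nonce_caller, nonce_tpm, 0x01)


# Row 25 of the table: StartAuthSession(POLICY) real=3000000, virtual=3000001.
client_side = policy_secret_hmac(0x03000001)  # caller hashes the virtual handle
tpm_side = policy_secret_hmac(0x03000000)     # TPM hashes the handle it receives
hmacs_match = hmac.compare_digest(client_side, tpm_side)
print("command HMACs match:", hmacs_match)
```

Transient object handles such as 80000001 do not enter the hash at all, because an object's Name is derived from its public area rather than from its handle.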