From: Thibaut Sautereau <thibaut.sautereau at clip-os.org>
To: tpm2@lists.01.org
Subject: [tpm2] Issues experimenting with tpm2-tools and keyctl trusted keys
Date: Mon, 21 Jan 2019 09:16:42 +0100	[thread overview]
Message-ID: <20190121081642.GB976@gandi.net> (raw)


Hello folks,

I'm experimenting with TPM 2.0 (using swtpm 0.1.0), tpm2-tools 3.1.3,
tpm2-tss 2.1.0 and the Linux 4.19.16 kernel's trusted keys. I found this
thread [1] about the "policydigest" and "policyhandle" options added to
keyctl but I cannot reproduce the given example [2] using tpm2-tools
instead of the author's Python testing scripts [3]. I wonder if I do
something wrong by executing the following commands:

export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
tpm2_takeownership --clear
# I tried fiddling with the object attributes in the following command
# but AIUI the default ones should be OK
tpm2_createprimary --hierarchy=o --halg=sha256 --kalg=rsa \
	--context=/tmp/primary.context
tpm2_evictcontrol --auth=o --context=/tmp/primary.context \
	--handle=0x80ffffff --persistent=0x81010001
tpm2_createpolicy --policy-file=/tmp/policy.digest --policy-pcr \
	--set-list=sha256:0 --policy-digest-alg=sha256
policydigest=$(xxd -p /tmp/policy.digest | tr -d '\n')
keyid=$(keyctl add trusted test \
	"new 32 keyhandle=0x81010001 hash=sha256 policydigest=$policydigest" @u)
keyctl link @us @s
keyctl pipe $keyid > /tmp/blob.hex

Until here, everything works fine.

Now for testing I want to reimport the key from the blob file, but I
need a handle to a TPM_SE_POLICY and thus need to directly use the TPM
device, as the in-kernel resource manager I was using so far would
prevent me from keeping a policy session "opened". So I re-export
TPM2TOOLS_TCTI just as Javier Martinez Canillas showed on GitHub [4]:

export TPM2TOOLS_TCTI="device:/dev/tpm0"
# --auth-policy-session implies --extend-policy-session
tpm2_createpolicy --policy-pcr --set-list=sha256:0 \
	--policy-digest-alg=sha256 --auth-policy-session
keyctl add trusted test2 \
	"load $(cat /tmp/blob.hex) keyhandle=0x81010001 policyhandle=0x03000000" @u

This last command causes: "add_key: Operation not permitted".
In kernel logs, I have:
	[ 1350.287556] tpm tpm0: A TPM error (2466) occurred unsealing
	[ 1350.289856] trusted_key: key_unseal failed (-1)

The TPM error is 0x9a2, i.e. TPM2_RC_BAD_AUTH. I cannot see what I'm
doing wrong. Do you see something obvious?

[1] https://lkml.org/lkml/2015/11/17/520
[2] https://lkml.org/lkml/2015/11/21/125
[3] https://github.com/jsakkine-intel/tpm2-scripts
[4] https://github.com/tpm2-software/tpm2-tools/issues/510#issuecomment-331385565

Thanks a lot for your time and your work!

-- 
Thibaut Sautereau
CLIP OS developer
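An added example (not part of the message above, and not tpm2-tools or kernel code): a Python re-implementation of the TPM2_PolicyPCR digest update for the sha256:0 selection used in the commands above, plus a decoder for the format-1 response code the kernel logged. The sample PCR 0 value is constructed (all zeros, the reset value of PCR 0 on a TPM that nothing has extended yet); substituting the PCR 0 value that tpm2_pcrlist reports lets you check the contents of /tmp/policy.digest offline before handing the hex to keyctl.

```python
import hashlib
import struct

# Constants from the TPM 2.0 Library Specification, Part 2 (Structures).
TPM_CC_PolicyPCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
SHA256_DIGEST_SIZE = 32

# Format-1 response code names (TPM 2.0 Part 2, section 6.6.3), low six bits only.
FMT1_NAMES = {
    0x004: "TPM_RC_VALUE",
    0x00B: "TPM_RC_HANDLE",
    0x00E: "TPM_RC_AUTH_FAIL",
    0x015: "TPM_RC_SIZE",
    0x01D: "TPM_RC_POLICY_FAIL",
    0x022: "TPM_RC_BAD_AUTH",
}


def marshal_pcr_selection(pcr_indices, alg=TPM_ALG_SHA256, size_of_select=3):
    """Marshal a single-bank TPML_PCR_SELECTION: count, hashAlg, sizeofSelect, pcrSelect.

    For sha256:0 this yields 00000001 000b 03 010000, the selection that
    tpm2_createpolicy --policy-pcr --set-list=sha256:0 sends to the TPM."""
    select = bytearray(size_of_select)
    for i in pcr_indices:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, alg, size_of_select) + bytes(select)


def policy_pcr_digest(pcr_values, pcr_indices, old_digest=None):
    """Apply TPM2_PolicyPCR to a policy digest (TPM 2.0 Part 3, section 23.7):

        policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || digestTPM)

    pcrs is the marshalled selection; digestTPM is the hash of the selected PCR
    values concatenated in ascending index order. A fresh policy session starts
    with an all-zero policyDigest, so old_digest defaults to that.
    pcr_values maps PCR index -> 32-byte value; only the selected ones are used."""
    if old_digest is None:
        old_digest = bytes(SHA256_DIGEST_SIZE)
    pcrs = marshal_pcr_selection(pcr_indices)
    digest_tpm = hashlib.sha256(
        b"".join(pcr_values[i] for i in sorted(pcr_indices))).digest()
    return hashlib.sha256(
        old_digest + struct.pack(">I", TPM_CC_PolicyPCR) + pcrs + digest_tpm).digest()


def policy_digest_hex(pcr_values, pcr_indices):
    """Hex form of the policy digest, the string passed to keyctl as policydigest=..."""
    return policy_pcr_digest(pcr_values, pcr_indices).hex()


def decode_rc(rc):
    """Decode a TPM 2.0 response code (TPM 2.0 Part 2, section 6.6).

    Returns (name, where, number). Format-1 codes (bit 7 set) blame a specific
    handle, session or parameter: bit 6 set means parameter, otherwise bit 11
    selects session (1) or handle (0); bits 8..10 carry the 1-based number."""
    if rc & 0x80:
        err = rc & 0x3F
        number = (rc >> 8) & 0x7
        if rc & 0x40:
            where = "parameter"
        elif rc & 0x800:
            where = "session"
        else:
            where = "handle"
        return (FMT1_NAMES.get(err, "RC_FMT1+0x%03x" % err), where, number)
    # Format-0 codes carry no handle/session/parameter attribution.
    return ("0x%03x" % rc, "none", 0)


if __name__ == "__main__":
    # Constructed sample: PCR 0 at its reset value (all zeros). Replace it with
    # the PCR 0 value reported by tpm2_pcrlist to compare against /tmp/policy.digest.
    sample_pcrs = {0: bytes(SHA256_DIGEST_SIZE)}
    print("PolicyPCR(sha256:0) digest:", policy_digest_hex(sample_pcrs, [0]))
    print("kernel error 2466 decodes to:", decode_rc(2466))
```

Decoding 2466 (0x9a2) this way gives TPM_RC_BAD_AUTH attributed to session 1, i.e. the authorization session carried in the unseal command, which is the same reading as the message above; a PCR mismatch would instead come back as TPM_RC_POLICY_FAIL on the PolicyPCR call.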

Thread overview: 5+ messages
2019-01-21  8:16 Thibaut Sautereau [this message]
2019-01-23  9:36 [tpm2] Issues experimenting with tpm2-tools and keyctl trusted keys Javier Martinez Canillas
2019-01-23 12:59 Thibaut Sautereau
2019-01-23 13:11 Fuchs, Andreas
2019-01-23 13:56 Thibaut Sautereau
