From: Yasuhiro Hosoda <hosoda-yasuhiro at ntt-el.com>
To: tpm2@lists.01.org
Subject: Re: [tpm2] tpm2-tss question
Date: Fri, 12 Jan 2018 18:46:34 +0900
Message-ID: <3934a704-80e0-d595-fcd7-4edec7d33c42@ntt-el.com>
In-Reply-To: 476DC76E7D1DF2438D32BFADF679FC563FE7163A@ORSMSX106.amr.corp.intel.com

Hi, Mr. Roberts, William

Thank you for your advice.
I had already checked the details of this error code.
My understanding is that the problem is not the setting of the auth,
but that a discrepancy occurs between the virtual handles and
the real handles in the resource manager.
Any help will be greatly appreciated.

Regards,
> 0x98e is:
>
> $ ./tpm2_rc_decode 0x98e
> error layer
>    hex: 0x0
>    identifier: TSS2_TPM_RC_LAYER
>    description: Error produced by the TPM
> format 1 error code
>    hex: 0x0e
>    identifier: TPM2_RC_AUTH_FAIL
>    description: the authorization HMAC check failed and DA counter incremented
> session
>    hex: 0x100
>    identifier: TPM2_RC_1
>    description:  (null)
>
> So it looks like you're not setting up the auth properly in the session.
>
>> -----Original Message-----
>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Yasuhiro Hosoda
>> Sent: Wednesday, December 13, 2017 10:59 PM
>> To: tpm2(a)lists.01.org
>> Subject: [tpm2] tpm2-tss question
>>
>> My name is Yasuhiro Hosoda.
>>
>>
>> I am developing a program using TSS1.0(Nov1.2016).
>> I encountered a problem with PolicySecret error 0x98e and need help.
>> My program uses tpmtest.cpp as a base of development.
>> The situation is as follows:
>>
>> 1 Create TPM Keys like this.
>>
>> EK
>> |--------
>> |       |
>> MK      AK
>> |
>> SK
>>
>> 2 Execute PolicySecret twice using HMAC session. At first, it ends without error.
>> Then it ends with 0x98e. For clarification, I print out the values of Virtual Handle
>> and Real Handle.
>> The values of the Virtual/Real Handles differ at the 2nd execution of the command.
>> (See NO 25/26 below)
>>
>> I understand that the resource manager assigns Virtual Handle and my program
>> calculates HMAC using those handles.
>> On the other hand, TPM may calculate HMAC using Real Handle.
>> That is my hypothesis.
>>
>> Any suggestion about the usage of Session Handle?
>>
>> NO   Command                           Virtual/Real Handle              LOC
>> 1.   CreatePrimary(EK)                 real=80000000, virtual=80000000  8381
>> 2.   HierarchyChangeAuth1                                               8421
>> 3.   HierarchyChangeAuth2                                               8431
>> 4.   StartAuthSession(Policy)          real=3000000, virtual=3000000    8480
>> 5.   PolicySecret(ENDORSEMENT)                                          8494
>> 6.   Create(MK)                                                         8515
>> 7.   PolicySecret(ENDORSEMENT)                                          8529
>> 8.   Load(MK)                          real=80000001, virtual=80000001  8542
>> 9.   Evict(MK)                                                          8552
>> 10.  Create(SK)                                                         8590
>> 11.  Load(SK)                          real=80000001, virtual=80000002  8598
>> 12.  PolicySecret(ENDORSEMENT)                                          8609
>> 13.  Create(AK)                                                         8635
>> 14.  PolicySecret(ENDORSEMENT)                                          8645
>> 15.  Load(AK)                          real=80000001, virtual=80000003  8655
>> 16.  FlushContext(POLICY)                                               8664
>> 17.  StartAuthSession(POLICY)          real=3000000, virtual=3000000    8668
>> 18.  StartAuthSession(HMAC)            real=2000001, virtual=2000001    8678
>> 19.  ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000004  3706
>> 20.  ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000005  3706
>> 21.  PolicySecret(SK)                                                   8711
>> 22.  FlushContext(HMAC)                                                 8717
>> 23.  FlushContext(POLICY)                                               8724
>> 24.  CertifyCreation(SK)                                                8738
>> 25.  StartAuthSession(POLICY)          real=3000000, virtual=3000001    8745
>> 26.  StartAuthSession(HMAC)            real=2000001, virtual=2000000    8754
>> 27.  ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000005  8782
>> 28.  ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000004  8782
>> 29.  PolicySecret(SK)                                                   8789
>>
>> The whole source program can be found here.
>> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
>>
>>
>> Kind regards,
>>
>> --
>> Yasuhiro Hosoda
>>
>> NTT Electronics Corporation (NEL)
>> Security Support Project
>>
>>
>> _______________________________________________
>> tpm2 mailing list
>> tpm2(a)lists.01.org
>> https://lists.01.org/mailman/listinfo/tpm2


-- 
  __________________________________________
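/ Yasuhiro Hosoda
|
| NTT Electronics Corporation (NEL)
|
| Systemization Support Center
| Security Technology Support Project
|
| 1-1-32 Shin-Urashima-cho, Kanagawa-ku,
| Yokohama, Kanagawa 221-0031
|  New Stage Yokohama
|
| Tel 050-9000-6109/050-9000-6485 (direct)
|   (9225 (ext.))
|  Fax 045-453-9620
|  E-mail: hosoda-yasuhiro(a)ntt-el.com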
|________________________________________/
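
Added example, not part of the original message and not tpm2-tss code: a small decoder for the TPM 2.0 format-one response code layout, showing how the bits of 0x98e yield the fields in the quoted tpm2_rc_decode output (error 0x0e, TPM2_RC_AUTH_FAIL, attributed to session 1). The struct, enum and function names are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Names below are illustrative, not tpm2-tss identifiers. */
enum rc_subject { RC_SUBJ_NONE, RC_SUBJ_PARAMETER, RC_SUBJ_HANDLE, RC_SUBJ_SESSION };

struct rc_fmt1 {
    int is_fmt1;             /* 1 if TPM layer and bit 7 (F) is set */
    uint8_t error;           /* bits 5:0; 0x0e is TPM2_RC_AUTH_FAIL */
    enum rc_subject subject; /* what the code points at */
    uint8_t index;           /* 1-based parameter/handle/session number */
};

static struct rc_fmt1 decode_rc(uint32_t rc)
{
    struct rc_fmt1 d;
    uint8_t n = (rc >> 8) & 0x0f;          /* bits 11:8 (N) */

    memset(&d, 0, sizeof d);
    if (((rc >> 16) & 0xff) != 0 || !(rc & 0x080))
        return d;                          /* other layer, or format-zero code */
    d.is_fmt1 = 1;
    d.error = rc & 0x3f;
    if (rc & 0x040) {                      /* bit 6 (P): N is a parameter number */
        d.subject = n ? RC_SUBJ_PARAMETER : RC_SUBJ_NONE;
        d.index = n;
    } else if ((n & 0x7) != 0) {           /* bit 11 of rc: session, else handle */
        d.subject = (n & 0x8) ? RC_SUBJ_SESSION : RC_SUBJ_HANDLE;
        d.index = n & 0x7;
    }
    return d;
}

int main(void)
{
    static const char *subj[] = { "none", "parameter", "handle", "session" };
    struct rc_fmt1 d = decode_rc(0x98e);   /* the code reported in this thread */

    if (!d.is_fmt1) {
        puts("not a TPM-layer format-one response code");
        return 1;
    }
    printf("error=0x%02x subject=%s index=%u\n", d.error, subj[d.subject], d.index);
    return 0;
}
```

The session number counts the sessions in the order they appear in the command's authorization area.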

