From: Roberts, William C <william.c.roberts at intel.com>
To: tpm2@lists.01.org
Subject: Re: [tpm2] tpm2_nvwrite failing
Date: Thu, 15 Mar 2018 22:03:01 +0000 [thread overview]
Message-ID: <476DC76E7D1DF2438D32BFADF679FC563FEF442A@ORSMSX101.amr.corp.intel.com> (raw)
In-Reply-To: CAAxBZJtjWDzxwfMTfikPqucRjaAxwZGMaz5Opb7mk=uM5bQQrQ@mail.gmail.com
You're using the owner hierarchy for authorization, whereas
you want to use the nv index for authorization.
So when you write and read, your -a needs to match your -x value.
This worked for me:
#!/bin/sh
echo "my nv data" > /tmp/idfile
NVRAM=0x1800005
HIERACHY=0x40000001
PCRS=sha256:0,1,2,3
PCRVALUE=/tmp/pcrvalue
POLICY=/tmp/policy
echo "Releasing NVRAM - this might fail, but this is OK"
tpm2_nvrelease -x $NVRAM -a $HIERACHY
echo "Constructing policy"
tpm2_pcrlist -Q -L $PCRS -o $PCRVALUE
tpm2_createpolicy -P -L $PCRS -F $PCRVALUE -f $POLICY
echo "Defining area"
tpm2_nvdefine -x $NVRAM -a $HIERACHY -s 64 -L $POLICY -t "policywrite|policyread"
#tpm2_nvdefine -x $NVRAM -a $HIERACHY -s 64 -t "policyread|policywrite"
echo "Writing ID"
cat /tmp/idfile | tpm2_nvwrite -x $NVRAM -a $NVRAM -L $PCRS -F $PCRVALUE
#cat /tmp/idfile | tpm2_nvwrite -x $NVRAM -a $HIERACHY
echo "Reading ID - first attempt should fail if the policy works"
tpm2_nvread -x $NVRAM -a $NVRAM
echo "Reading ID - second attempt should work"
tpm2_nvread -x $NVRAM -a $NVRAM -L $PCRS -F $PCRVALUE
--- EOF ----
As far as nv.sh failures, I don't see them on the simulator. So I would need more information
to understand what the issue might be.
From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Ian Oliver
Sent: Tuesday, March 13, 2018 6:06 AM
To: tpm2@lists.01.org
Subject: [tpm2] tpm2_nvwrite failing
Hi
Using 1.3-rc2 of tpm2_tools
We're seeing tpm2_nvwrite fail with policies, both in the nv.sh test file and when run manually
Here's the script which basically follows nv.sh. NB: the file /tmp/idfile exists and contains data!
#!/bin/sh
NVRAM=0x1800005
HIERACHY=0x40000001
PCRS=sha256:0,1,2,3
PCRVALUE=/tmp/pcrvalue
POLICY=/tmp/policy
echo "Releasing NVRAM - this might fail, but this is OK"
tpm2_nvrelease -x $NVRAM -a $HIERACHY
echo "Constructing policy"
tpm2_pcrlist -Q -L $PCRS -o $PCRVALUE
tpm2_createpolicy -P -L $PCRS -F $PCRVALUE -f $POLICY
echo "Defining area"
tpm2_nvdefine -x $NVRAM -a $HIERACHY -s 64 -L $POLICY -t "policyread|policywrite"
#tpm2_nvdefine -x $NVRAM -a $HIERACHY -s 64 -t "policyread|policywrite"
echo "Writing ID"
cat /tmp/idfile | tpm2_nvwrite -x $NVRAM -a $HIERACHY -L $PCRS -F $PCRVALUE
#cat /tmp/idfile | tpm2_nvwrite -x $NVRAM -a $HIERACHY
echo "Reading ID - first attempt should fail if the policy works"
tpm2_nvread -x $NVRAM -a $HIERACHY
tpm2_nvread -x $NVRAM -a $HIERACHY -L $PCRS -F $PCRVALUE
Specifically:
15$tpm2_nvrelease -x 0x1800005 -a 0x40000001
16$tpm2_pcrlist -Q -L sha256:0,1,2,3 -o /tmp/pcrvalue
17$tpm2_createpolicy -P -L sha256:0,1,2,3 -F /tmp/pcrvalue -f /tmp/policy
18$tpm2_nvdefine -x 0x1800005 -a 0x40000001 -s 64 -L /tmp/policy -t "policyread|policywrite"
19$tpm2_nvlist
0x1800005:
hash algorithm:
friendly: sha256
value: 0xB
attributes:
friendly: policywrite|policyread
value: 0x8000800
size: 64
authorization policy: 60DF98CF0931EE42B5372DBC49E7B1966559A62A159B12C90556240D37E2D938
20$echo -n "test" | tpm2_nvwrite -x 0x1800005 -a 0x40000001 -L sha256:0,1,2,3 -F /tmp/pcrvalue
ERROR: Failed to write NV area at index 0x1800005 (25165829) offset 0x0. Error:0x12f
21$cat /tmp/idfile | tpm2_nvwrite -x 0x1800005 -a 0x40000001 -L sha256:0,1,2,3 -F /tmp/pcrvalue
ERROR: Failed to write NV area at index 0x1800005 (25165829) offset 0x0. Error:0x12f
22$tpm2_rc_decode 0x12f
error layer
hex: 0x0
identifier: TSS2_TPM_ERROR_LEVEL
description: Error produced by the TPM
format 0 error code
hex: 0x2f
name: TPM_RC_AUTH_UNAVAILABLE
description: authValue or authPolicy is not available for selected entity.
t.
Ian
--
Dr. Ian Oliver
===============================
Privacy Engineering: via Amazon
Twitter: @i_j_oliver
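As an added example (not code from either message in this thread), a small POSIX sh helper that ties the two posts together: it picks the -a argument from the NV index attributes the way the working script above does, and decodes a raw response code such as the 0x12f from Ian's session the way tpm2_rc_decode does. Handles, PCR set and paths are the thread's; the owner/auth cases generalise beyond the thread's policy case, and the rc table is an assumption covering only a handful of format-0 codes.

```shell
#!/bin/sh
# Added example, not code from this thread. Derives the -a argument for
# tpm2_nvwrite/tpm2_nvread from the NV index attributes and decodes a raw
# TPM_RC the way tpm2_rc_decode does. Handle values, PCR set and file paths
# are the ones used in the thread's script.
NVRAM=0x1800005
OWNER=0x40000001          # TPM_RH_OWNER, what the failing script passed as -a
PCRS=sha256:0,1,2,3
PCRVALUE=/tmp/pcrvalue

# policy{read,write}: authorise with the index handle itself (-a == -x) and a
# policy session built from the PCR values (-L/-F). owner{read,write}: the
# owner hierarchy. auth{read,write}: the index handle and its own authValue.
nv_auth_args() {
  case "$1" in
    *policywrite*|*policyread*) echo "-a $NVRAM -L $PCRS -F $PCRVALUE" ;;
    *ownerwrite*|*ownerread*)   echo "-a $OWNER" ;;
    *)                          echo "-a $NVRAM" ;;
  esac
}

# Complete write command line for an index defined with the given attributes.
nv_write_cmd() {
  echo "tpm2_nvwrite -x $NVRAM $(nv_auth_args "$1")"
}

# Format-0 TPM response code: layer in bits 16..23 (0 = the TPM itself),
# bit 7 clear, RC_VER1 (bit 8) set, error number in bits 0..6.
tpm_rc_name() {
  rc=$(( $1 ))
  if [ $(( (rc >> 16) & 0xff )) -ne 0 ] || [ $(( rc & 0x80 )) -ne 0 ]; then
    echo "NOT_A_FORMAT0_TPM_RC"; return 1
  fi
  case $(( rc & 0x7f )) in
    37) echo TPM_RC_AUTH_MISSING ;;      # 0x25: required session not present
    38) echo TPM_RC_POLICY ;;            # 0x26: policy check failed
    39) echo TPM_RC_PCR ;;               # 0x27: PCR check failed
    40) echo TPM_RC_PCR_CHANGED ;;       # 0x28: PCRs changed since the check
    47) echo TPM_RC_AUTH_UNAVAILABLE ;;  # 0x2f: authValue/authPolicy not usable
    73) echo TPM_RC_NV_AUTHORIZATION ;;  # 0x49: NV access not authorised
    *)  echo "TPM_RC_0x$(printf %02x $(( rc & 0x7f )))" ;;
  esac
}
# The thread's failing invocation (owner handle on a policy index) beside the
# working one, and the error the TPM returned for the former.
echo "wrong:   tpm2_nvwrite -x $NVRAM -a $OWNER -L $PCRS -F $PCRVALUE"
echo "correct: $(nv_write_cmd 'policywrite|policyread')"
echo "0x12f -> $(tpm_rc_name 0x12f)"
```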