* [tpm2] Re: ActivateCredential not working
@ 2020-01-16 22:43 Roberts, William C
From: Roberts, William C @ 2020-01-16 22:43 UTC (permalink / raw)
To: tpm2
<snip>
> Hello,
>
> the gist looks very good, thanks for sharing.
> A quick question, tho.
>
> Sometimes you use create_primary, sometimes you use createek
>
> https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d#file-enrollment-sh-L19
>
> https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d#file-enrollment-sh-L41
>
>
> Is it true that those commands are interchangeable?
tpm2_createek is just a specific call to tpm2_createprimary with a very specific template for
the object. That template is defined in the EK profile spec:
https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf
<snip>
* [tpm2] Re: ActivateCredential not working
@ 2020-01-16 19:07 nicolasoliver03
From: nicolasoliver03 @ 2020-01-16 19:07 UTC (permalink / raw)
To: tpm2
Apparently they are not interchangeable. I think the correct way is to use tpm2_createek:
https://github.com/tpm2-software/tpm2-tools/issues/1884 [SOLVED]
https://github.com/tpm2-software/tpm2-tools/issues/1883 [NOT SOLVED]
There are some additional authorization steps you need to do when using the key created with tpm2_createek, that are not needed if you create it with tpm2_createprimary
* [tpm2] Re: ActivateCredential not working
@ 2020-01-16 18:51 Steffen Schwebel
From: Steffen Schwebel @ 2020-01-16 18:51 UTC (permalink / raw)
To: tpm2
Hello,
the gist looks very good, thanks for sharing.
A quick question, tho.
Sometimes you use create_primary, sometimes you use createek
https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d#file-enrollment-sh-L19
https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d#file-enrollment-sh-L41
Is it true that those commands are interchangeable?
regards,
Steffen
On 1/16/20 7:37 PM, nicolasoliver03(a)gmail.com wrote:
> Hello Erick,
>
> This worked for me
>
> echo "Enrolling with Attestation Key"
>
> # Clear the TPM
> tpm2_clear
>
> # Create Endorsement Key
> tpm2_createek -c ek.ctx -G rsa -u ek.pub
>
> # Create Attestation Key
> tpm2_createak -C ek.ctx -c ak.ctx -G rsa -g sha256 -s rsassa
> tpm2_evictcontrol -C o -c ak.ctx 0x81010002
> tpm2_readpublic -c ak.ctx -f pem -o ak.pem > ak.yaml
> cat ak.yaml | grep '^name:' | awk '{ print $2 }' > ak.name
>
> # Generate the nonce and credential for challenge
> openssl rand -hex 6 > nonce.plain
> tpm2_makecredential -e ek.pub -s nonce.plain -n $(cat ak.name) -o nonce.encrypted
>
> # Decrypt nonce with Endorsement Key
> tpm2_startauthsession --policy-session -S session.ctx
> TPM2_RH_ENDORSEMENT=0x4000000B
> tpm2_policysecret -S session.ctx -c ${TPM2_RH_ENDORSEMENT}
> tpm2_activatecredential -c 0x81010002 -C ek.ctx -i nonce.encrypted -o nonce.decrypted -P "session:session.ctx"
> tpm2_flushcontext session.ctx
>
> # Generate Attestation Quote
> tpm2_quote -c 0x81010002 -l sha256:0,1,2,3,4,5,6,7,8,9 -q $(cat nonce.decrypted) -m quote.message -s quote.signature -o quote.pcrs -g sha256
>
> # Validate Attestation Quote in the server
> tpm2_checkquote -u ak.pem -m quote.message -s quote.signature -f quote.pcrs -g sha256 -q $(cat nonce.plain)
>
>
> I have a gist that you can use to test here https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d (bash enrollment.sh ak)
* [tpm2] Re: ActivateCredential not working
@ 2020-01-16 18:37 nicolasoliver03
From: nicolasoliver03 @ 2020-01-16 18:37 UTC (permalink / raw)
To: tpm2
Hello Erick,
This worked for me
echo "Enrolling with Attestation Key"
# Clear the TPM
tpm2_clear
# Create Endorsement Key
tpm2_createek -c ek.ctx -G rsa -u ek.pub
# Create Attestation Key
tpm2_createak -C ek.ctx -c ak.ctx -G rsa -g sha256 -s rsassa
tpm2_evictcontrol -C o -c ak.ctx 0x81010002
tpm2_readpublic -c ak.ctx -f pem -o ak.pem > ak.yaml
cat ak.yaml | grep '^name:' | awk '{ print $2 }' > ak.name
# Generate the nonce and credential for challenge
openssl rand -hex 6 > nonce.plain
tpm2_makecredential -e ek.pub -s nonce.plain -n $(cat ak.name) -o nonce.encrypted
# Decrypt nonce with Endorsement Key
tpm2_startauthsession --policy-session -S session.ctx
TPM2_RH_ENDORSEMENT=0x4000000B
tpm2_policysecret -S session.ctx -c ${TPM2_RH_ENDORSEMENT}
tpm2_activatecredential -c 0x81010002 -C ek.ctx -i nonce.encrypted -o nonce.decrypted -P "session:session.ctx"
tpm2_flushcontext session.ctx
# Generate Attestation Quote
tpm2_quote -c 0x81010002 -l sha256:0,1,2,3,4,5,6,7,8,9 -q $(cat nonce.decrypted) -m quote.message -s quote.signature -o quote.pcrs -g sha256
# Validate Attestation Quote in the server
tpm2_checkquote -u ak.pem -m quote.message -s quote.signature -f quote.pcrs -g sha256 -q $(cat nonce.plain)
I have a gist that you can use to test here https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d (bash enrollment.sh ak)
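The flow above, restructured as an added example (not the thread's gist or tpm2-tools project code) into attester and verifier functions, with the point from the createek vs. createprimary discussion written into the comments: the EK template's authPolicy is what forces the policy session before tpm2_activatecredential. It assumes the same tpm2-tools invocations, file names and AK handle 0x81010002 as the thread; extract_ak_name, the enroll.sh file name and the `all` entry point are names introduced here. Only the name-parsing helper runs without a TPM.

```shell
# Added example: the thread's enrollment flow split into attester and verifier
# roles. TPM commands run only when invoked as: bash enroll.sh all
set -eu
TPM2_RH_ENDORSEMENT=0x4000000B   # endorsement hierarchy handle, as in the thread
AK_HANDLE=0x81010002             # persistent handle the thread evicts the AK to

# Parse the AK name out of tpm2_readpublic's YAML (stdin). Anchoring on '^name:'
# matters: the same output also carries a 'qualified name:' line.
extract_ak_name() {
  sed -n 's/^name: *//p' | head -n 1
}

# Attester: EK via tpm2_createek, i.e. tpm2_createprimary with the TCG EK template.
# That template carries an authPolicy, which is why attester_respond needs a session.
attester_enroll() {
  tpm2_createek -c ek.ctx -G rsa -u ek.pub
  tpm2_createak -C ek.ctx -c ak.ctx -G rsa -g sha256 -s rsassa
  tpm2_evictcontrol -C o -c ak.ctx "$AK_HANDLE"
  tpm2_readpublic -c ak.ctx -f pem -o ak.pem | extract_ak_name > ak.name
}

# Verifier: fresh nonce, wrapped so only this EK can unwrap it, and only while the
# named AK is loaded in the same TPM.
verifier_challenge() {
  openssl rand -hex 16 > nonce.plain
  tpm2_makecredential -e ek.pub -s nonce.plain -n "$(cat ak.name)" -o nonce.encrypted
}

# Attester: satisfy the EK policy (PolicySecret on the endorsement hierarchy),
# unwrap the nonce, then bind it into the quote as qualifying data.
attester_respond() {
  tpm2_startauthsession --policy-session -S session.ctx
  tpm2_policysecret -S session.ctx -c "$TPM2_RH_ENDORSEMENT"
  tpm2_activatecredential -c "$AK_HANDLE" -C ek.ctx -i nonce.encrypted \
      -o nonce.decrypted -P "session:session.ctx"
  tpm2_flushcontext session.ctx
  tpm2_quote -c "$AK_HANDLE" -l sha256:0,1,2,3,4,5,6,7,8,9 -q "$(cat nonce.decrypted)" \
      -m quote.message -s quote.signature -o quote.pcrs -g sha256
}

# Verifier: checkquote fails unless the quote's qualifying data equals the nonce
# that was issued, which is what ties this quote to this challenge.
verifier_check() {
  tpm2_checkquote -u ak.pem -m quote.message -s quote.signature -f quote.pcrs \
      -g sha256 -q "$(cat nonce.plain)"
}

if [ "${1:-}" = "all" ]; then
  attester_enroll && verifier_challenge && attester_respond && verifier_check
fi
```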