* [tpm2] Re: ActivateCredential not working
From: Roberts, William C @ 2020-01-16 22:43 UTC
  To: tpm2


<snip>
> Hello,
> 
> the gist looks very good, thanks for sharing.
> A quick question, tho.
> 
> Sometimes you use create_primary, sometimes you use createek
> 
> https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d#file-
> enrollment-sh-L19
> 
> https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d#file-
> enrollment-sh-L41
> 
> 
> Is it true that those commands are interchangeable?

tpm2_createek is just a specific call to tpm2_createprimary with a very specific template for
the object. That template is defined in the EK profile spec:

https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf

<snip>
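The template Bill points at is also what separates the two commands in practice: the RSA-2048 EK template in the EK Credential Profile carries an authPolicy (the profile's "Policy A", a TPM2_PolicySecret against the endorsement hierarchy with an empty policyRef), so any use of the EK as the decrypting key in tpm2_activatecredential must be authorized by a policy session that has run tpm2_policysecret against 0x4000000B, whereas a primary created with a bare tpm2_createprimary has an empty authPolicy and needs no such session. The Python below is an added example, not code from the thread or from tpm2-tools; it recomputes that authPolicy from the PolicyUpdate rule in TPM 2.0 Library Part 3 using only the standard library, so it runs without a TPM. The command code, handle value and the expected digest are taken from the TPM 2.0 Part 2 structures and the EK profile; the assumption is the default SHA-256 EK template, which is the one tpm2_createek -G rsa produces.

```python
"""Recompute the authPolicy that tpm2_createek places on the default
RSA-2048 EK template, from the TPM2_PolicySecret policy update rule.

Added example, not from the mailing-list thread or from tpm2-tools.
Constants are from TPM 2.0 Library Part 2 and the TCG EK Credential
Profile; only the Python standard library is used, no TPM is needed.
"""
import hashlib

# TPM 2.0 constants (Library Part 2, "Structures")
TPM_CC_POLICY_SECRET = 0x00000151   # command code of TPM2_PolicySecret
TPM_RH_ENDORSEMENT = 0x4000000B     # endorsement hierarchy handle
TPM_RH_OWNER = 0x40000001           # owner hierarchy handle, for contrast

# "Policy A" of the TCG EK Credential Profile for SHA-256 EK templates:
# PolicySecret(TPM_RH_ENDORSEMENT) with an empty policyRef.
EK_POLICY_A_SHA256 = (
    "837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa"
)


def permanent_handle_name(handle: int) -> bytes:
    """The Name of a permanent (TPM_RH_*) handle is the 4-byte big-endian
    handle value itself, as defined in TPM 2.0 Library Part 1."""
    return handle.to_bytes(4, "big")


def policy_update(policy_digest: bytes, command_code: int, name: bytes,
                  policy_ref: bytes, hash_alg: str = "sha256") -> bytes:
    """PolicyUpdate() from TPM 2.0 Library Part 3, shared by PolicySecret,
    PolicySigned and PolicyAuthorize: two chained hashes, the second one
    folding in policyRef even when policyRef is empty."""
    first = hashlib.new(hash_alg)
    first.update(policy_digest)
    first.update(command_code.to_bytes(4, "big"))
    first.update(name)
    second = hashlib.new(hash_alg)
    second.update(first.digest())
    second.update(policy_ref)
    return second.digest()


def policy_secret_digest(auth_handle: int, policy_ref: bytes = b"",
                         hash_alg: str = "sha256") -> bytes:
    """Policy digest of a fresh session after a single TPM2_PolicySecret
    against a permanent handle; a trial session starts at an all-zero
    digest of the session hash algorithm's size."""
    fresh = bytes(hashlib.new(hash_alg).digest_size)
    return policy_update(fresh, TPM_CC_POLICY_SECRET,
                         permanent_handle_name(auth_handle),
                         policy_ref, hash_alg)


def ek_default_policy_hex() -> str:
    """authPolicy of the default RSA-2048 EK template (tpm2_createek -G rsa)."""
    return policy_secret_digest(TPM_RH_ENDORSEMENT).hex()


def ek_policy_matches_spec() -> bool:
    """True when the recomputed digest equals the EK profile's Policy A."""
    return ek_default_policy_hex() == EK_POLICY_A_SHA256


if __name__ == "__main__":
    print("EK default authPolicy :", ek_default_policy_hex())
    print("matches EK profile    :", ek_policy_matches_spec())
    # A primary from a bare tpm2_createprimary has an empty authPolicy, so
    # activatecredential needs no policy session for it; the EK does, and a
    # PolicySecret against another hierarchy would not satisfy the EK either.
    print("owner PolicySecret    :", policy_secret_digest(TPM_RH_OWNER).hex())
```

The same digest can be reproduced on a real TPM by running tpm2_policysecret against 0x4000000B on a trial session (tpm2_startauthsession without --policy-session) and writing the result out with -L; a mismatch against the EK's authPolicy, for instance because a different hierarchy handle was used, is what shows up as the activation failing with a policy error.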


* [tpm2] Re: ActivateCredential not working
From: nicolasoliver03 @ 2020-01-16 19:07 UTC
  To: tpm2


Apparently they are not interchangeable. I think the correct way is to use tpm2_createek:

https://github.com/tpm2-software/tpm2-tools/issues/1884  [SOLVED]
https://github.com/tpm2-software/tpm2-tools/issues/1883 [NOT SOLVED]

There are some additional authorization steps you need to do when using the key created with tpm2_createek, that are not needed if you create it with tpm2_createprimary


* [tpm2] Re: ActivateCredential not working
From: Steffen Schwebel @ 2020-01-16 18:51 UTC
  To: tpm2


Hello,

the gist looks very good, thanks for sharing.
A quick question, tho.

Sometimes you use create_primary, sometimes you use createek

https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d#file-enrollment-sh-L19

https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d#file-enrollment-sh-L41


Is it true that those commands are interchangeable?


regards,
Steffen

On 1/16/20 7:37 PM, nicolasoliver03(a)gmail.com wrote:
> Hello Erick,
>
> This worked for me
>
> echo "Enrolling with Attestation Key"
>
>   # Clear the TPM
>   tpm2_clear
>
>   # Create Endorsement Key
>   tpm2_createek -c ek.ctx -G rsa -u ek.pub
>
>   # Create Attestation Key
>   tpm2_createak -C ek.ctx -c ak.ctx -G rsa -g sha256 -s rsassa
>   tpm2_evictcontrol -C o -c ak.ctx 0x81010002
>   tpm2_readpublic -c ak.ctx -f pem -o ak.pem > ak.yaml
>   cat ak.yaml | grep '^name:' | awk '{ print $2 }' > ak.name
>
>   # Generate the nonce and credential for challenge
>   openssl rand -hex 6 > nonce.plain
>   tpm2_makecredential -e ek.pub -s nonce.plain -n $(cat ak.name) -o nonce.encrypted
>
>   # Decrypt nonce with Endorsement Key
>   tpm2_startauthsession --policy-session -S session.ctx
>   TPM2_RH_ENDORSEMENT=0x4000000B
>   tpm2_policysecret -S session.ctx -c ${TPM2_RH_ENDORSEMENT}
>   tpm2_activatecredential -c 0x81010002 -C ek.ctx -i nonce.encrypted -o nonce.decrypted -P "session:session.ctx"
>   tpm2_flushcontext session.ctx
>
>   # Generate Attestation Quote
>   tpm2_quote -c 0x81010002 -l sha256:0,1,2,3,4,5,6,7,8,9 -q $(cat nonce.decrypted) -m quote.message -s quote.signature -o quote.pcrs -g sha256
>
>   # Validate Attestation Quote in the server
>   tpm2_checkquote -u ak.pem -m quote.message -s quote.signature -f quote.pcrs -g sha256 -q $(cat nonce.plain)
>
>
> I have a gist that you can use to test here https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d (bash enrollment.sh ak)


* [tpm2] Re: ActivateCredential not working
From: nicolasoliver03 @ 2020-01-16 18:37 UTC
  To: tpm2


Hello Erick,

This worked for me

echo "Enrolling with Attestation Key"

  # Clear the TPM
  tpm2_clear

  # Create Endorsement Key. tpm2_createek applies the EK template from the
  # TCG EK Credential Profile, whose authPolicy is PolicySecret on the
  # endorsement hierarchy; that policy is satisfied by the session below.
  tpm2_createek -c ek.ctx -G rsa -u ek.pub

  # Create Attestation Key under the EK and make it persistent at 0x81010002
  tpm2_createak -C ek.ctx -c ak.ctx -G rsa -g sha256 -s rsassa
  tpm2_evictcontrol -C o -c ak.ctx 0x81010002
  # Export the AK public key as PEM and capture its TPM name for makecredential
  tpm2_readpublic -c ak.ctx -f pem -o ak.pem > ak.yaml
  grep '^name:' ak.yaml | awk '{ print $2 }' > ak.name

  # Generate the nonce and credential for the challenge (server side)
  openssl rand -hex 6 > nonce.plain
  tpm2_makecredential -e ek.pub -s nonce.plain -n "$(cat ak.name)" -o nonce.encrypted

  # Decrypt nonce with Endorsement Key: a policy session with PolicySecret
  # against the endorsement hierarchy authorizes use of the EK
  tpm2_startauthsession --policy-session -S session.ctx
  TPM2_RH_ENDORSEMENT=0x4000000B
  tpm2_policysecret -S session.ctx -c ${TPM2_RH_ENDORSEMENT}
  tpm2_activatecredential -c 0x81010002 -C ek.ctx -i nonce.encrypted -o nonce.decrypted -P "session:session.ctx"
  tpm2_flushcontext session.ctx

  # Generate Attestation Quote over PCRs 0-9, binding the recovered nonce as qualifying data
  tpm2_quote -c 0x81010002 -l sha256:0,1,2,3,4,5,6,7,8,9 -q "$(cat nonce.decrypted)" -m quote.message -s quote.signature -o quote.pcrs -g sha256

  # Validate Attestation Quote in the server against the nonce it issued
  tpm2_checkquote -u ak.pem -m quote.message -s quote.signature -f quote.pcrs -g sha256 -q "$(cat nonce.plain)"


I have a gist that you can use to test here https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d (bash enrollment.sh ak)

