From: Roberts, William C <william.c.roberts at intel.com>
To: tpm2@lists.01.org
Subject: [tpm2] Re: ESys_ActivateCredential
Date: Fri, 10 Apr 2020 15:16:29 +0000
Message-ID: <476DC76E7D1DF2438D32BFADF679FC5649EBC1A8@ORSMSX101.amr.corp.intel.com>
In-Reply-To: CAP3jAwQ7FtfMGfonMxxTVi7Ruo-LJQ9wOpGKuouCO4-4gOPscg@mail.gmail.com


> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> Sent: Thursday, April 9, 2020 2:51 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 
> Thanks Bill. I use this
> Esys_Initialize( &ectx, NULL, NULL);
> 
> so I'm assuming it would take the default libtss2-tcti-tabrmd.so.0.

This should do it for you:
TSS2_RC
Tss2_TctiLdr_Initialize (const char *nameConf,
                         TSS2_TCTI_CONTEXT **context);

Set nameConf to the string "tabrmd"; that should give you a TCTI pointer you can
pass to Esys_Initialize().

> 
> 
> If I need to debug Esys_ActivateCredential more, how can I do it? These APIs are
> no longer standalone; I have integrated them in a bigger code base and added the
> esys-tss2 and other libs in my poky build, so now it runs as a different process
> that invokes this function. I can gdb into the process, but I can't seem to gdb
> into Esys_Activate..( )

Did you build tpm2-tss with debug symbols?
Add --enable-debug

> 
> 
> Thanks,
> Rahul
> 
> 
> 
> 
> On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 
> 
> 	> -----Original Message-----
> 	> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	> Sent: Thursday, April 9, 2020 11:18 AM
> 	> To: Desai, Imran <imran.desai(a)intel.com>
> 	> Cc: tpm2(a)lists.01.org
> 	> Subject: [tpm2] Re: ESys_ActivateCredential
> 	>
> 	> How do I know if RM is being used?
> 
> 
> 	If you set the tcti to the device tcti, it will open /dev/tpm0 by default, and
> 	that won't be an RM. You can also give it an option. Esys_Initialize() takes a
> 	tcti as an option; NULL will cause it to use the default search behavior of the
> 	Tss2_TctiLdr, see:
> 
> 	https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> 	https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 	https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
> 
> 	You can use man locally if you prefer as well:
> 	man 3 Tss2_TctiLdr_Initialize
> 	man 7 tss2-tcti-device
> 	man 3 Tss2_Tcti_Device_Init
> 
> 	Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 	has sample code in it.
> 
> 	If you're using the tools, it supports explicitly choosing the TCTI:
> 	https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
> 
> 	Also note that /dev/tpmrm0 (notice the RM) is an in-kernel resource manager.
> 
> 
> 	> When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay for
> 	> multi-thread
> 	> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so libtss2-tcti-default.so
> 	> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> 	>
> 	> In my single threaded process, everything works so smoothly
> 	> [root]# ./tpm
> 	> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
> 	> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> 	> ESYS Initialization: Pass
> 	>
> 	> Read TPM EK Certificate: Pass
> 	>
> 	> TPM EK Certificate Root-CA Verification: Pass
> 	>
> 	> Clear TPM State: Pass
> 	>
> 	> Created EK Primary object: Pass
> 	> #####Handle 0x418368
> 	>
> 	> Create Attestation Key: Pass
> 	> #####Ak_Handle 0x41836b
> 	>
> 	> Original Credential="deadbeefdeadbeefdead"
> 	>
> 	> Make Credential: Pass
> 	> #####Encrypted Credential Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
> 	>
> 	> #####Encrypted Secret=
> 	>
> 	> Activating Credential: Pass
> 	> #####Recovered Credential="deadbeefdeadbeefdead"
> 	>
> 	> [root]#
> 	>
> 	>
> 	>
> 	> On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 	>
> 	>
> 	>       Thanks guys, I'll try this but I also wanted to know if there is a way to
> 	> know if the TPM still has the EK and AK keys loaded? I have the EK handle and AK
> 	> handle (not made it persistent) but I want to make sure it's present as these are
> 	> necessary for ActivateCredential to succeed.
> 	>       ESys_ActivateCredential complaining about secret parameter doesn't
> 	> make sense to me. I tested on server side, ak_name is same as that sent and so is
> 	> EK_PUB object as well as EK_Cert in nvram. I call the same
> 	> external_makecredential call that's in the GitHub to create secret and made sure
> 	> secret,credblob matches on the client side when received from server.
> 	>
> 	>       Thanks,
> 	>       Rahul
> 	>
> 	>       On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
> 	>
> 	>
> 	>               Set this up with all handles in use made persistent. If you still see
> 	> issues, gdb-break or turn on debug logging at the Esys call and compare the
> 	> function arguments.
> 	>
> 
> 

