* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-16 17:34 Roberts, William C
  0 siblings, 0 replies; 25+ messages in thread
From: Roberts, William C @ 2020-04-16 17:34 UTC (permalink / raw)
  To: tpm2


> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> Sent: Wednesday, April 15, 2020 1:06 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 
> Thanks Bill. I am taking help from the poky team on this.
> Getting back to the Activate Credential issue, since my code worked fine as a
> single application as well as being run inside another process but as a single
> thread (including makeCredential and activateCred).
> My guess for failing is:
> 1. When server sends secret/credBlob, they don't match ---> But I ran gdb and
> checked all bytes and they match, so that's not an issue; server is running same
> OpenSSL as client, so no mismatch in version for single-threaded vs multi-threaded
> 2. Probably AK key or EK key is not loaded or changed
> --> to prove this, I would need to use Esys_ReadPublic; if it fails,
> --> implies it's not loaded; if it succeeds, I need to verify ek_pub and
> --> ak_name is same when we created it
> Assuming I have the ESYS_CONTEXT saved as well as the ESYS_TR handle for both
> AK and EK saved, Esys_ReadPublic should still work right, as it only needs these
> 2?

What do you mean ESYS_CONTEXT saved? I may be misunderstanding you here,
but you can't save those, it's a pointer so it has the same lifecycle as the process.
Also, AFAIK, they are not thread safe. Each thread needs its own ESYS_CONTEXT
from Esys_Initialize().

For Esys_ReadPublic(), you need an ESYS_CONTEXT and an ESYS_TR. Like ESYS_CONTEXT
pointers that cannot be shared, ESYS_TRs are handles that eventually get turned into a
pointer under the hood, so you can't share those either. You can serialize and reserialize to
pass from thread A to B.

If you want to use the same ESYS_CONTEXT and ESYS_TR from thread A and B, you need
to lock ALL ESYS CALLS. But if you're going to do that, does multi-threading really get
you any benefit?

> 
> Any other reason for failing?
> Thanks,
> Rahul
> 
> On Wed, Apr 15, 2020 at 8:25 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 
> 
> 	> -----Original Message-----
> 	> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	> Sent: Monday, April 13, 2020 6:55 PM
> 	> To: Roberts, William C <william.c.roberts(a)intel.com>
> 	> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 	> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>
> 	> What is the latest stable release for tpm2_tss ?
> 
> 	Really? Github has a releases tab, use it.
> 	https://github.com/tpm2-software/tpm2-tss/releases
> 
> 
> 	>
> 	> Thanks,
> 	> Rahul
> 	>
> 	> On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 	>
> 	>       Looks like the version I have is old, the file tss2_tctildr.h does not exist
> 	>
> 	>       On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 	>
> 	>               Ok, got it. I'm using ESAPI C APIs. But it's pretty much the same as
> 	>               the tpm2 tools implementation.
> 	>               How do I add debugs in my poky directory? I have the tpm2.0-tss_2.1.4.bb file.
> 	>               Also, how to add compile-time log flags to my src file that uses
> 	>               ESAPI calls? Running separately was easy, I just called
> 	>               TSS2_LOG="all+ERROR,tcti+DEBUG"
> 	>
> 	>               On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 	>
> 	>
> 	>                       > -----Original Message-----
> 	>                       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	>                       > Sent: Friday, April 10, 2020 4:15 PM
> 	>                       > To: Roberts, William C <william.c.roberts(a)intel.com>
> 	>                       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 	>                       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>                       >
> 	>                       > Hi Bill,
> 	>                       > I have this on my system: Is tpmrm0 same as tabrmd? I
> 	>                       > believe mine is using this right now, I'm changing it to
> 	>                       > what you mentioned to see if it helps.
> 	>                       > [root(a)nfvis ~]# ls -l /dev/tpm*
> 	>                       > crw-rw----. 1 tss root  10,   224 Apr  8 23:19 /dev/tpm0
> 	>                       > crw-rw----. 1 tss tss  254, 65536 Apr  8 23:19 /dev/tpmrm0
> 	>                       > Thanks, Rahul
> 	>
> 	>                       In theory, yes. In practice no.
> 	>                       /dev/tpmrm0 is the in-kernel resource manager
> 	>                       tpm2-abrmd is the userspace resource manager
> 	>
> 	>                       tpm2-abrmd has a few features tpmrm0 doesn't have, but unless you're
> 	>                       using policy sessions with tpm2-tools, you shouldn't notice a difference.
> 	>
> 	>                       >
> 	>                       > On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 	>                       >
> 	>                       >       > -----Original Message-----
> 	>                       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	>                       >       > Sent: Friday, April 10, 2020 1:08 PM
> 	>                       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> 	>                       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 	>                       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>                       >       >
> 	>                       >       > Thanks Bill, trying that.
> 	>                       >       > I did not get debug build tpm2_tss, isn't it all prebuilt? I will have to see
> 	>                       >       > how to do it in poky.
> 	>                       >
> 	>                       >       If you're getting it from a package manager, yes. But there's nothing
> 	>                       >       stopping you from using source builds. Some distros will package
> 	>                       >       debug symbols for their packages.
> 	>                       >
> 	>                       >       >
> 	>                       >       > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 	>                       >       >
> 	>                       >       >       > -----Original Message-----
> 	>                       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	>                       >       >       > Sent: Thursday, April 9, 2020 2:51 PM
> 	>                       >       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> 	>                       >       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 	>                       >       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>                       >       >       >
> 	>                       >       >       > Thanks Bill. I use this
> 	>                       >       >       > Esys_Initialize( &ectx, NULL, NULL);
> 	>                       >       >       >
> 	>                       >       >       > so I'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
> 	>                       >       >
> 	>                       >       >       This should do it for you:
> 	>                       >       >       TSS2_RC
> 	>                       >       >       Tss2_TctiLdr_Initialize (const char *nameConf,
> 	>                       >       >                                TSS2_TCTI_CONTEXT **context);
> 	>                       >       >
> 	>                       >       >       Set nameConf to the string "tabrmd", that should give you a tcti pointer
> 	>                       >       >       you can pass to Esys_Initialize()
> 	>                       >       >
> 	>                       >       >       >
> 	>                       >       >       > If I need to debug Esys_ActivateCredential more, how can I do it? These
> 	>                       >       >       > APIs are no more standalone, I have integrated it in a bigger code base and
> 	>                       >       >       > added the esys-tss2 and other libs in my poky build, so now it runs as a
> 	>                       >       >       > different process that invokes this function. I can gdb into the
> 	>                       >       >       > process but I can't seem to gdb into Esys_Activate..( )
> 	>                       >       >
> 	>                       >       >       Did you build tpm2-tss with debug symbols?
> 	>                       >       >       Add --enable-debug
> 	>                       >       >
> 	>                       >       >       >
> 	>                       >       >       >
> 	>                       >       >       > Thanks,
> 	>                       >       >       > Rahul
> 	>                       >       >       >
> 	>                       >       >       > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 	>                       >       >       >
> 	>                       >       >       >       > -----Original Message-----
> 	>                       >       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	>                       >       >       >       > Sent: Thursday, April 9, 2020 11:18 AM
> 	>                       >       >       >       > To: Desai, Imran <imran.desai(a)intel.com>
> 	>                       >       >       >       > Cc: tpm2(a)lists.01.org
> 	>                       >       >       >       > Subject: [tpm2] Re: ESys_ActivateCredential
> 	>                       >       >       >       >
> 	>                       >       >       >       > How do I know if RM is being used?
> 	>                       >       >       >
> 	>                       >       >       >       If you set the tcti to the device tcti, it will open /dev/tpm0 by default. And
> 	>                       >       >       >       that won't be an RM. You can also give it an option. Esys_Initialize() takes a
> 	>                       >       >       >       tcti as an option, NULL will cause it to use the default search behavior of
> 	>                       >       >       >       the Tss2_TctiLdr, see:
> 	>                       >       >       >
> 	>                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> 	>                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 	>                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
> 	>                       >       >       >
> 	>                       >       >       >       You can use man locally if you prefer as well:
> 	>                       >       >       >       man 3 Tss2_TctiLdr_Initialize
> 	>                       >       >       >       man 7 tss2-tcti-device
> 	>                       >       >       >       man 3 Tss2_Tcti_Device_Init
> 	>                       >       >       >
> 	>                       >       >       >       Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 	>                       >       >       >       has sample code in it.
> 	>                       >       >       >
> 	>                       >       >       >       If you're using the tools, it supports explicitly choosing the TCTI:
> 	>                       >       >       >       https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
> 	>                       >       >       >
> 	>                       >       >       >       Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel resource
> 	>                       >       >       >       manager.
> 	>                       >       >       >
> 	>                       >       >       >       > When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay
> 	>                       >       >       >       > for multi-thread
> 	>                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
> 	>                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> 	>                       >       >       >       >
> 	>                       >       >       >       > In my single threaded process, everything works so smoothly
> 	>                       >       >       >       > [root]# ./tpm
> 	>                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
> 	>                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> 	>                       >       >       >       > ESYS Initialization: Pass
> 	>                       >       >       >       >
> 	>                       >       >       >       > Read TPM EK Certificate: Pass
> 	>                       >       >       >       >
> 	>                       >       >       >       > TPM EK Certificate Root-CA Verification: Pass
> 	>                       >       >       >       >
> 	>                       >       >       >       > Clear TPM State: Pass
> 	>                       >       >       >       >
> 	>                       >       >       >       > Created EK Primary object: Pass
> 	>                       >       >       >       > #####Handle 0x418368
> 	>                       >       >       >       >
> 	>                       >       >       >       > Create Attestation Key: Pass
> 	>                       >       >       >       > #####Ak_Handle 0x41836b
> 	>                       >       >       >       >
> 	>                       >       >       >       > Original Credential="deadbeefdeadbeefdead"
> 	>                       >       >       >       >
> 	>                       >       >       >       > Make Credential: Pass
> 	>                       >       >       >       > #####Encrypted Credential Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
> 	>                       >       >       >       >
> 	>                       >       >       >       > #####Encrypted Secret="..."
> 	>                       >       >       >       >
> 	>                       >       >       >       > Activating Credential: Pass
> 	>                       >       >       >       > #####Recovered Credential="deadbeefdeadbeefdead"
> 	>                       >       >       >       >
> 	>                       >       >       >       > [root]#
> 	>                       >       >       >       >
> 	>                       >       >       >       >
> On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
>
> Thanks guys, I'll try this but I also wanted to know if there is a way to know if the TPM still has the EK and AK keys loaded? I have the EK handle and AK handle (not made it persistent) but I want to make sure it's present as these are necessary for ActivateCredential to succeed.
> ESys_ActivateCredential complaining about secret parameter doesn't make sense to me, I tested on server side, ak_name is same as that sent and so is EK_PUB object as well as EK_Cert in nvram, I call the same external_makecredential call that's in the GitHub to create secret and made sure secret,credblob matches on the client side when received from server.
>
> Thanks,
> Rahul
>
> On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
>
> Set this up with all handles in use made persistent. If you still see issues, gdb-break or turn on debug logging at the Esys call and compare the function arguments.
>
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org



* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-16 21:37 Roberts, William C
  0 siblings, 0 replies; 25+ messages in thread
From: Roberts, William C @ 2020-04-16 21:37 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 77356 bytes --]

> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> Sent: Thursday, April 16, 2020 2:08 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 
> Hi Bill,
> So the main thread does a lot of other stuff, tpm2 is just one of them, in order to
> avoid blocking main thread, I create another pthread.

This is exactly what the async API is for. You can call the async API and then select()/poll() on the
FDs from Esys_GetPollHandles()

/* this won't block */
TSS2_RC
Esys_GetRandom_Async(
    ESYS_CONTEXT *esysContext,
    ESYS_TR shandle1,
    ESYS_TR shandle2,
    ESYS_TR shandle3,
    UINT16 bytesRequested);

Main thread does stuff... it sounds like an event loop (GUI thread?), so it would
call select() with a super low timeout.
If fd is ready:
    Esys_GetRandom_Finish(
        ESYS_CONTEXT *esysContext,
        TPM2B_DIGEST **randomBytes);

> This is my logic:
> global variables are ESYS_CONTEXT ectx, ESYS_TR ekHandle, ESYS_TR akHandle so
> all threads can see this
> main_thread():
>   Calls Esys_initialize() and saves the context
>   Reads EK_CERT and stores in global variable
>   creates a new pthread, T_1 and continues with its other work
> T_1():
>   Checks if ectx is not null and
>  creates EK --saves the handle (ESYS_TR ekHandle) and EK_PUB object
> creates AK -- saves the handle (ESYS_TR akhandle) and another global variable for
> ak_name
> sends EK_CERT, EK_PUB,AK_NAME in a buffer to server (marshaled)
> thread exits
> 
> Server side again has main thread that accepts it and creates a new thread S_1()
> to handle this, S_1() only does external_make_credential(), (basically GitHub
> code) and sends SECRET and CREDBLOB back to client
> 
> Clients main_thread copies the SECRET/CREDBLOB to a global var and again
> creates a new thread T_2 to handle this,
> T_2():
> T_2 makes sure T_1 is done (which is always done)
> Now since ectx,ekHandle,akHandle are all global, it just calls
> Esys_ActivateCredential() (after creating the  necessary session, of course )
> Esys_Activate...() fails returning 0x2c4 (always.. ran it 20 times... always)
> 
> Now if I do all this in one thread, i.e. main, T_1, S_1, T_2, it works like a charm!

Somewhere something must not be as described, have you run your program through ASAN
to make sure it's not memory corruption? If it's not that, something somewhere must be stomping
on the state.

Why not just make T_1 perform T_2's task as well. Start T1, it sends to server and waits for response,
gets response and does the activate credential. This would avoid you having to fire up additional
threads, which is slow.

> 
> Now I see you mentioned that each thread needs its own Esys_Initialize()!! If
> that's the case, then I would HAVE to make them persistent, no?

No, it's more of how you share data and design it. I typically use a message passing design,
I have a thread sleeping on a message queue and wake up that thread with a task, and then
in my main event loop check the result queue to see if I have anything to do. There are lots
of ways to do this. But typically firing off a thread every time isn't the best approach even if
it works. If you want your main thread responsive on a busy system, it's best not to ask for
a new thread every time.

But for the sake of completeness, I have a skeleton multi-threaded application that does something
similar:

Main - esys init
T1 - Creates key
Main - does stuff (like go to a server)
T2 - Signs with key

https://gist.github.com/williamcroberts/a3966e2131ba7e0adbf3ea757d36f15d

How are you synchronizing your threads? Everything must be mutually exclusive for ESYS....
I'm making sure that T1 starts after Esys_Initialize and that T2 waits on T1 and that main, which
destroys everything, waits on T2.


> Thanks,
> Rahul
> 
> On Thu, Apr 16, 2020 at 10:34 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 
> 
> 	> -----Original Message-----
> 	> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	> Sent: Wednesday, April 15, 2020 1:06 PM
> 	> To: Roberts, William C <william.c.roberts(a)intel.com>
> 	> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 	> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>
> 	> Thanks Bill. I am taking help from the poky team on this.
> 	> Getting back to the Activate Credential issue, since my code worked fine as a
> 	> single application as well as being run inside another process but as a single
> 	> thread (including makeCredential and activateCred).
> 	> My guess for failing is:
> 	> 1. When server sends secret/credBlob, they don't match ---> But I ran gdb and
> 	> checked all bytes and they match, so that's not an issue, server is running same
> 	> OpenSSL as client, so no mismatch in version for single-threaded vs multi-threaded
> 	> 2. Probably AK key or EK key is not loaded or changed
> 	> --> to prove this, I would need to use Esys_ReadPublic, if it fails,
> 	> --> implies it's not loaded, if it succeeds, I need to verify ek_pub and
> 	> --> ak_name is same when we created it
> 	> Assuming I have the ESYS_CONTEXT saved as well as the ESYS_TR handle for both
> 	> AK and EK saved, Esys_ReadPublic should still work right, as it only needs these
> 	> 2?
> 
> 	What do you mean ESYS_CONTEXT saved? I may be misunderstanding you here,
> 	but you can't save those, it's a pointer so it has the same lifecycle as the process.
> 	Also, AFAIK, they are not thread safe. Each thread needs its own ESYS_CONTEXT
> 	from Esys_Initialize().
> 
> 	For Esys_ReadPublic(), you need an ESYS_CONTEXT and an ESYS_TR. Like ESYS_CONTEXT
> 	pointers that cannot be shared, ESYS_TRs are handles that eventually get turned into a
> 	pointer under the hood, so you can't share those either. You can serialize and reserialize to
> 	pass from thread A to B.
> 
> 	If you want to use the same ESYS_CONTEXT and ESYS_TR from thread A and B, you need
> 	to lock ALL ESYS CALLS. But if you're going to do that, does multi-threading really get
> 	you any benefit.
> 
> 	>
> 	> Any other reason for failing?
> 	> Thanks,
> 	> Rahul
> 	>
> 	> On Wed, Apr 15, 2020 at 8:25 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 	>
> 	>
> 	>       > -----Original Message-----
> 	>       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	>       > Sent: Monday, April 13, 2020 6:55 PM
> 	>       > To: Roberts, William C <william.c.roberts(a)intel.com>
> 	>       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 	>       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>       >
> 	>       > What is the latest stable release for tpm2_tss ?
> 	>
> 	>       Really? Github has a releases tab, use it.
> 	>       https://github.com/tpm2-software/tpm2-tss/releases
> 	>
> 	>
> 	>       >
> 	>       > Thanks,
> 	>       > Rahul
> 	>       >
> 	>       > On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 	>       >
> 	>       >
> 	>       >       Looks like the version I have is old, the file tss2_tctildr.h does not exist
> 	>       >
> 	>       >
> 	>       >       On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 	>       >
> 	>       >
> 	>       >               Ok, got it. I'm using ESAPI C APIs. But it's pretty much the same as the tpm2 tools implementation.
> 	>       >               How do I add debugs in my poky directory? I have tpm2.0-tss_2.1.4.bb file.
> 	>       >               Also, how to add compile-time log flags to my src file that uses ESAPI calls? Running separately was easy, I just called
> 	>       > TSS2_LOG="all+ERROR,tcti+DEBUG"
> 	>       >
> 	>       >               On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 	>       >
> 	>       >
> 	>       >                       > -----Original Message-----
> 	>       >                       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	>       >                       > Sent: Friday, April 10, 2020 4:15 PM
> 	>       >                       > To: Roberts, William C <william.c.roberts(a)intel.com>
> 	>       >                       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 	>       >                       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>       >                       >
> 	>       >                       > Hi Bill,
> 	>       >                       > I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is using this
> 	>       >                       > right now, I'm changing it to what you mentioned to see if it helps.
> 	>       >                       > [root(a)nfvis ~]# ls -l /dev/tpm*
> 	>       >                       > crw-rw----. 1 tss root  10,   224 Apr  8 23:19 /dev/tpm0
> 	>       >                       > crw-rw----. 1 tss tss  254, 65536 Apr  8 23:19 /dev/tpmrm0
> 	>       >                       > Thanks, Rahul
> 	>       >
> 	>       >                       In theory, yes. In practice no.
> 	>       >                       /dev/tpmrm0 is the in kernel resource manager
> 	>       >                       tpm2-abrmd is the userspace resource manager
> 	>       >
> 	>       >                       tpm2-abrmd has a few features tpmrm0 doesn't have,
> 	>       > but unless you're
> 	>       >                       using policy sessions with tpm2-tools, you shouldn't
> 	>       > notice a difference.
> 	>       >
> 	>       >                       >
> 	>       >                       > On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 	>       >                       >
> 	>       >                       >
> 	>       >                       >
> 	>       >                       >
> 	>       >                       >       > -----Original Message-----
> 	>       >                       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	>       >                       >       > Sent: Friday, April 10, 2020 1:08 PM
> 	>       >                       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> 	>       >                       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 	>       >                       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>       >                       >       >
> 	>       >                       >       > Thanks Bill, trying that.
> 	>       >                       >       > I did not get debug build tpm2_tss, isn't it all prebuilt? I will have to see how to do it in poky.
> 	>       >                       >
> 	>       >                       >       If you're getting it from a package manager, yes. But there's nothing stopping you
> 	>       >                       >       from using source builds. Some distros will package debug symbols for their packages.
> 	>       >                       >
> 	>       >                       >       >
> 	>       >                       >       > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 	>       >                       >       >
> 	>       >                       >       >
> 	>       >                       >       >
> 	>       >                       >       >
> 	>       >                       >       >       > -----Original Message-----
> 	>       >                       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	>       >                       >       >       > Sent: Thursday, April 9, 2020 2:51 PM
> 	>       >                       >       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> 	>       >                       >       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 	>       >                       >       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>       >                       >       >       >
> 	>       >                       >       >       > Thanks Bill. I use this
> 	>       >                       >       >       > Esys_Initialize( &ectx, NULL, NULL);
> 	>       >                       >       >       >
> 	>       >                       >       >       > so I'm assuming it would take the default
> 	>       >                       >       >       > libtss2-tcti-tabrmd.so.0.
> 	>       >                       >       >
> 	>       >                       >       >       This should do it for you:
> 	>       >                       >       >       TSS2_RC
> 	>       >                       >       >       Tss2_TctiLdr_Initialize (const char *nameConf,
> 	>       >                       >       >                                TSS2_TCTI_CONTEXT **context);
> 	>       >                       >       >
> 	>       >                       >       >       Set nameConf to the string "tabrmd", that should give you a tcti
> 	>       >                       >       >       pointer you can pass to Esys_Initialize()
> 	>       >                       >       >
> 	>       >                       >       >       >
> 	>       >                       >       >       >
> 	>       >                       >       >       > If I need to debug Esys_ActivateCredential more, how can I do it?
> 	>       >                       >       >       > These APIs are no longer standalone, I have integrated them in a
> 	>       >                       >       >       > bigger code base and added esys-tss2 and other libs in my poky
> 	>       >                       >       >       > build, so now it runs as a different process that invokes this
> 	>       >                       >       >       > function. I can gdb into the process but I can't seem to gdb into
> 	>       >                       >       >       > Esys_Activate..( )
> 	>       >                       >       >
> 	>       >                       >       >       Did you build tpm2-tss with debug symbols?
> 	>       >                       >       >       Add --enable-debug
> 	>       >                       >       >
> 	>       >                       >       >       >
> 	>       >                       >       >       >
> 	>       >                       >       >       > Thanks,
> 	>       >                       >       >       > Rahul
> 	>       >                       >       >       >
> 	>       >                       >       >       >
> 	>       >                       >       >       >
> 	>       >                       >       >       >
> 	>       >                       >       >       > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C
> 	>       >                       >       >       > <william.c.roberts(a)intel.com> wrote:
> 	>       >                       >       >       >
> 	>       >                       >       >       >
> 	>       >                       >       >       >       > -----Original Message-----
> 	>       >                       >       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	>       >                       >       >       >       > Sent: Thursday, April 9, 2020 11:18 AM
> 	>       >                       >       >       >       > To: Desai, Imran <imran.desai(a)intel.com>
> 	>       >                       >       >       >       > Cc: tpm2(a)lists.01.org
> 	>       >                       >       >       >       > Subject: [tpm2] Re: ESys_ActivateCredential
> 	>       >                       >       >       >       >
> 	>       >                       >       >       >       > How do I know if RM is being used?
> 	>       >                       >       >       >
> 	>       >                       >       >       >
> 	>       >                       >       >       >       If you set the tcti to the device tcti, it will open /dev/tpm0 by
> 	>       >                       >       >       >       default. And that won't be an RM. You can also give it an option.
> 	>       >                       >       >       >       Esys_Initialize() takes a tcti as an option, NULL will cause it to
> 	>       >                       >       >       >       use the default search behavior of the Tss2_TctiLdr, see:
> 	>       >                       >       >       >
> 	>       >                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> 	>       >                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 	>       >                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
> 	>       >                       >       >       >
> 	>       >                       >       >       >       You can use man locally if you prefer as well:
> 	>       >                       >       >       >       man 3 Tss2_TctiLdr_Initialize
> 	>       >                       >       >       >       man 7 tss2-tcti-device
> 	>       >                       >       >       >       man 3 Tss2_Tcti_Device_Init
> 	>       >                       >       >       >
> 	>       >                       >       >       >       Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 	>       >                       >       >       >       has sample code in it.
> 	>       >                       >       >       >
> 	>       >                       >       >       >       If you're using the tools, they support explicitly choosing the TCTI:
> 	>       >                       >       >       >       https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
> 	>       >                       >       >       >
> 	>       >                       >       >       >       Also note that /dev/tpmrm0 (notice the RM) is an in-kernel resource
> 	>       >                       >       >       >       manager.
> 	>       >                       >       >       >
> 	>       >                       >       >       >
> 	>       >                       >       >       >       > When I do ESys_Initialize, I see these WARNINGs, wondering if it's
> 	>       >                       >       >       >       > okay for multi-thread
> 	>       >                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
> 	>       >                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> 	>       >                       >       >       >       >
> 	>       >                       >       >       >       > In my single threaded process, everything works so smoothly
> 	>       >                       >       >       >       > [root]# ./tpm
> 	>       >                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
> 	>       >                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> 	>       >                       >       >       >       > ESYS Initialization: Pass
> 	>       >                       >       >       >       >
> 	>       >                       >       >       >       > Read TPM EK Certificate: Pass
> 	>       >                       >       >       >       >
> 	>       >                       >       >       >       > TPM EK Certificate Root-CA Verification: Pass
> 	>       >                       >       >       >       >
> 	>       >                       >       >       >       > Clear TPM State: Pass
> 	>       >                       >       >       >       >
> 	>       >                       >       >       >       > Created EK Primary object: Pass
> 	>       >                       >       >       >       > #####Handle 0x418368
> 	>       >                       >       >       >       >
> 	>       >                       >       >       >       > Create Attestation Key: Pass
> 	>       >                       >       >       >       > #####Ak_Handle 0x41836b
> 	>       >                       >       >       >       >
> 	>       >                       >       >       >       > Original Credential="deadbeefdeadbeefdead"
> 	>       >                       >       >       >       >
> 	>       >                       >       >       >       > Make Credential: Pass
> 	>       >                       >       >       >       > #####Encrypted Credential Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
> 	>       >                       >       >       >       >
> 	>       >                       >       >       >       > #####Encrypted
> 	>       >                       >       >       >       >
> 	>       >                       >       >       >
> 	>       >                       >       >
> 	>       >                       >
> 	>       >
> 	>
> > Secret=[long hex value omitted]
> >
> > Activating Credential: Pass
> > #####Recovered Credential="deadbeefdeadbeefdead"
> >
> > [root]#
> >
> > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> >
> > Thanks guys, I'll try this but I also wanted to know if there is a way to
> > know if the TPM still has the EK and AK keys loaded? I have the EK handle
> > and AK handle (not made it persistent) but I want to make sure it's present
> > as these are necessary for ActivateCredential to succeed.
> > ESys_ActivateCredential complaining about the secret parameter doesn't make
> > sense to me, I tested on the server side, ak_name is the same as that sent
> > and so is the EK_PUB object as well as EK_Cert in nvram, I call the same
> > external_makecredential call that's in the GitHub to create the secret and
> > made sure secret, credblob match on the client side when received from the
> > server.
> >
> > Thanks,
> > Rahul
> >
> > On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
> >
> > Set this up with all handles in use made persistent. If you still see
> > issues, gdb-break or turn on debug logging at the Esys call and compare
> > the function arguments.
> >
> > _______________________________________________
> > tpm2 mailing list -- tpm2(a)lists.01.org
> > To unsubscribe send an email to tpm2-leave(a)lists.01.org
> >
>



* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-16 19:08 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-04-16 19:08 UTC (permalink / raw)
  To: tpm2

Hi Bill,
So the main thread does a lot of other stuff, tpm2 is just one of them; in
order to avoid blocking the main thread, I create another pthread.
This is my logic:
global variables are ESYS_CONTEXT ectx, ESYS_TR ekHandle, ESYS_TR akHandle,
so all threads can see them
main_thread():
  calls Esys_Initialize() and saves the context
  reads EK_CERT and stores it in a global variable
  creates a new pthread, T_1, and continues with its other work
T_1():
  checks that ectx is not null and
  creates EK -- saves the handle (ESYS_TR ekHandle) and the EK_PUB object
  creates AK -- saves the handle (ESYS_TR akHandle) and another global
  variable for ak_name
  sends EK_CERT, EK_PUB, AK_NAME in a buffer to the server (marshaled)
  thread exits

Server side again has a main thread that accepts it and creates a new thread
S_1() to handle this; S_1() only does external_make_credential()
(basically the GitHub code) and sends SECRET and CREDBLOB back to the client.

Client's main_thread copies the SECRET/CREDBLOB to a global var and again
creates a new thread T_2 to handle this.
T_2():
  makes sure T_1 is done (which is always done)
  now, since ectx, ekHandle, akHandle are all global, it just calls
  Esys_ActivateCredential() (after creating the necessary session, of course)
Esys_Activate...() fails returning 0x2c4 (always.. ran it 20 times... always)

Now if I do all this in one thread, i.e. main, T_1, S_1, T_2, it works like a
charm!

Now I see you mentioned that each thread needs its own Esys_Initialize()!!
If that's the case, then I would HAVE to make them persistent, no?
Thanks,
Rahul

On Thu, Apr 16, 2020 at 10:34 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:

> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> > Sent: Wednesday, April 15, 2020 1:06 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com>
> > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Thanks Bill. I am taking help from the poky team on this.
> > Getting back to the Activate Credential issue, since my code worked fine
> > as a single application as well as being run inside another process but
> > as a single thread (including makeCredential and activateCred).
> > My guess for failing is:
> > 1. When server sends secret/credBlob, they don't match ---> But I ran gdb
> > and checked all bytes and they match, so that's not an issue, server is
> > running the same OpenSSL as client, so no mismatch in version for
> > single-threaded vs multi-threaded
> > 2. Probably AK key or EK key is not loaded or changed
> > --> to prove this, I would need to use Esys_ReadPublic, if it fails,
> > --> implies it's not loaded, if it succeeds, I need to verify ek_pub and
> > --> ak_name is same as when we created it
> > Assuming I have the ESYS_CONTEXT saved as well as the ESYS_TR handle for
> > both AK and EK saved, Esys_ReadPublic should still work right, as it only
> > needs these 2?
>
> What do you mean ESYS_CONTEXT saved? I may be misunderstanding you here,
> but you can't save those, it's a pointer so it has the same lifecycle as
> the process.
> Also, AFAIK, they are not thread safe. Each thread needs its own
> ESYS_CONTEXT from Esys_Initialize().
>
> For Esys_ReadPublic(), you need an ESYS_CONTEXT and an ESYS_TR. Like
> ESYS_CONTEXT pointers that cannot be shared, ESYS_TR's are handles that
> eventually get turned into a pointer under the hood, so you can't share
> those either. You can serialize and reserialize to pass from thread A to B.
>
> If you want to use the same ESYS_CONTEXT and ESYS_TR from thread A and B,
> you need to lock ALL ESYS CALLS. But if you're going to do that, does
> multi-threading really get you any benefit?
>
> >
> > Any other reason for failing?
> > Thanks,
> > Rahul
> >
> > On Wed, Apr 15, 2020 at 8:25 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >
> >
> >       > -----Original Message-----
> >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >       > Sent: Monday, April 13, 2020 6:55 PM
> >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >       >
> >       > What is the latest stable release for tpm2_tss?
> >
> >       Really? Github has a releases tab, use it.
> >       https://github.com/tpm2-software/tpm2-tss/releases
> >
> >
> >       >
> >       > Thanks,
> >       > Rahul
> >       >
> >       > On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> >       >
> >       >
> >       >       Looks like the version I have is old, the file
> >       >       tss2_tctildr.h does not exist
> >       >
> >       >
> >       >       On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> >       >
> >       >
> >       >               Ok, got it. I'm using ESAPI C APIs. But it's pretty much the same as
> >       >               the tpm2 tools implementation.
> >       >               How do I add debugs in my poky directory? I have the
> >       >               tpm2.0-tss_2.1.4.bb file.
> >       >               Also, how to add compile-time log flags to my src file that uses
> >       >               ESAPI calls? Running separately was easy, I just called
> >       >               TSS2_LOG="all+ERROR,tcti+DEBUG"
> >       >
> >       >               On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >       >
> >       >
> >       >                       > -----Original Message-----
> >       >                       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >       >                       > Sent: Friday, April 10, 2020 4:15 PM
> >       >                       > To: Roberts, William C <william.c.roberts(a)intel.com>
> >       >                       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> >       >                       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >       >                       >
> >       >                       > Hi Bill,
> >       >                       > I have this on my system: Is tpmrm0 same as tabrmd? I
> >       >                       > believe mine is using this right now, I'm changing it to
> >       >                       > what you mentioned to see if it helps.
> >       >                       > [root(a)nfvis ~]# ls -l /dev/tpm*
> >       >                       > crw-rw----. 1 tss root  10,   224 Apr  8 23:19 /dev/tpm0
> >       >                       > crw-rw----. 1 tss tss  254, 65536 Apr  8 23:19 /dev/tpmrm0
> >       >                       > Thanks, Rahul
> >       >
> >       >                       In theory, yes. In practice no.
> >       >                       /dev/tpmrm0 is the in kernel resource manager
> >       >                       tpm2-abrmd is the userspace resource manager
> >       >
> >       >                       tpm2-abrmd has a few features tpmrm0 doesn't have,
> >       >                       but unless you're using policy sessions with tpm2-tools,
> >       >                       you shouldn't notice a difference.
> >       >
> >       >                       >
> >       >                       > On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >       >                       >
> >       >                       >
> >       >                       >
> >       >                       >
> >       >                       >       > -----Original Message-----
> >       >                       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >       >                       >       > Sent: Friday, April 10, 2020 1:08 PM
> >       >                       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> >       >                       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> >       >                       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >       >                       >       >
> >       >                       >       > Thanks Bill, trying that.
> >       >                       >       > I did not get debug build tpm2_tss, isn't it all
> >       >                       >       > prebuilt? I will have to see how to do it in poky.
> >       >                       >
> >       >                       >       If you're getting it from a package manager, yes. But
> >       >                       >       there's nothing stopping you from using source builds.
> >       >                       >       Some distros will package debug symbols for their packages.
> >       >                       >
> >       >                       >       >
> >       >                       >       > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >       >                       >       >
> >       >                       >       >
> >       >                       >       >
> >       >                       >       >
> >       >                       >       >       > -----Original Message-----
> >       >                       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >       >                       >       >       > Sent: Thursday, April 9, 2020 2:51 PM
> >       >                       >       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> >       >                       >       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> >       >                       >       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >       >                       >       >       >
> >       >                       >       >       > Thanks Bill. I use this
> >       >                       >       >       > Esys_Initialize( &ectx, NULL, NULL);
> >       >                       >       >       >
> >       >                       >       >       > so I'm assuming it would take the default
> >       >                       >       >       > libtss2-tcti-tabrmd.so.0.
> >       >                       >       >
> >       >                       >       >       This should do it for you:
> >       >                       >       >       TSS2_RC
> >       >                       >       >       Tss2_TctiLdr_Initialize (const char *nameConf,
> >       >                       >       >                                TSS2_TCTI_CONTEXT **context);
> >       >                       >       >
> >       >                       >       >       Set nameConf to the string "tabrmd", that
> >       >                       >       >       should give you a tcti pointer you can
> >       >                       >       >       pass to Esys_Initialize()
> >       >                       >       >
> >       >                       >       >       >
> >       >                       >       >       >
> >       >                       >       >       > If I need to debug Esys_ActivateCredential
> >       >                       >       >       > more, how can I do it, these APIs are
> >       >                       >       >       > no more standalone, I have integrated it in a
> >       >                       >       >       > bigger code base and added the esys-tss2 and
> >       >                       >       >       > other libs in my poky build, so now it runs as
> >       >                       >       >       > a different process that invokes this function,
> >       >                       >       >       > I can gdb into the process but I can't seem to
> >       >                       >       >       > gdb into Esys_Activate..( )
> >       >                       >       >
> >       >                       >       >       Did you build tpm2-tss with debug symbols?
> >       >                       >       >       Add --enable-debug
> >       >                       >       >
> >       >                       >       >       >
> >       >                       >       >       >
> >       >                       >       >       > Thanks,
> >       >                       >       >       > Rahul
> >       >                       >       >       >
> >       >                       >       >       >
> >       >                       >       >       >
> >       >                       >       >       >
> >       >                       >       >       > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >       >                       >       >       >
> >       >                       >       >       >
> >       >                       >       >       >       > -----Original Message-----
> >       >                       >       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >       >                       >       >       >       > Sent: Thursday, April 9, 2020 11:18 AM
> >       >                       >       >       >       > To: Desai, Imran <imran.desai(a)intel.com>
> >       >                       >       >       >       > Cc: tpm2(a)lists.01.org
> >       >                       >       >       >       > Subject: [tpm2] Re: ESys_ActivateCredential
> >       >                       >       >       >       >
> >       >                       >       >       >       > How do I know if RM is being used?
> >       >                       >       >       >
> >       >                       >       >       >
> >       >                       >       >       >       If you set the tcti to the device tcti, it will
> >       >                       >       >       >       open /dev/tpm0 by default. And that won't
> >       >                       >       >       >       be an RM. You can also give it an option.
> >       >                       >       >       >       Esys_Initialize() takes a tcti as an option,
> >       >                       >       >       >       NULL will cause it to use the default search
> >       >                       >       >       >       behavior of the Tss2_TctiLdr, see:
> >       >                       >       >       >
> >       >                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> >       >                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> >       >                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
> >       >                       >       >       >
> >       >                       >       >       >       You can use man locally if you prefer as well:
> >       >                       >       >       >       man 3 Tss2_TctiLdr_Initialize
> >       >                       >       >       >       man 7 tss2-tcti-device
> >       >                       >       >       >       man 3 Tss2_Tcti_Device_Init
> >       >                       >       >       >
> >       >                       >       >       >       Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> >       >                       >       >       >       has sample code in it.
> >       >                       >       >       >
> >       >                       >       >       >       If you're using the tools, it supports explicitly choosing the TCTI:
> >       >                       >       >       >       https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
> >       >                       >       >       >
> >       >                       >       >       >       Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel
> >       >                       >       >       >       resource manager.
> >       >                       >       >       >
> >       >                       >       >       >
> >       >                       >       >       >       > When I do ESys_Initialize, I see these
> >       >                       >       >       >       > WARNINGs, wondering if it's okay for multi-thread
> >       >                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
> >       >                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> >       >                       >       >       >       >
> >       >                       >       >       >       > In my single threaded process, everything works so smoothly
> >       >                       >       >       >       > [root]# ./tpm
> >       >                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
> >       >                       >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> >       >                       >       >       >       > ESYS Initialization: Pass
> >       >                       >       >       >       >
> >       >                       >       >       >       > Read TPM EK Certificate: Pass
> >       >                       >       >       >       >
> >       >                       >       >       >       > TPM EK Certificate Root-CA Verification: Pass
> >       >                       >       >       >       >
> >       >                       >       >       >       > Clear TPM State: Pass
> >       >                       >       >       >       >
> >       >                       >       >       >       > Created EK Primary object: Pass
> >       >                       >       >       >       > #####Handle 0x418368
> >       >                       >       >       >       >
> >       >                       >       >       >       > Create Attestation Key: Pass
> >       >                       >       >       >       > #####Ak_Handle 0x41836b
> >       >                       >       >       >       >
> >       >                       >       >       >       > Original Credential="deadbeefdeadbeefdead"
> >       >                       >       >       >       >
> >       >                       >       >       >       > Make Credential: Pass
> >       >                       >       >       >       > #####Encrypted Credential Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
> >       >                       >       >       >       >
> >       >                       >       >       >       > #####Encrypted Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aece0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d830794775dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f1406612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687e1eb9fcc1759c184972779bfc"
> >       >                       >       >       >       >
> >       >                       >       >       >       > Activating Credential: Pass
> >       >                       >       >       >       > #####Recovered Credential="deadbeefdeadbeefdead"
> >       >                       >       >       >       >
> >       >                       >       >       >       > [root]#
> >       >                       >       >       >       >
> >       >                       >       >       >       >
> >       >                       >       >       >       >
> > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> >
> > Thanks guys, I'll try this but I also wanted to know if there is a way to
> > know if the TPM still has the EK and AK keys loaded? I have the EK handle
> > and AK handle (not made it persistent) but I want to make sure it's present
> > as these are necessary for ActivateCredential to succeed.
> > ESys_ActivateCredential complaining about secret parameter doesn't make
> > sense to me, I tested on server side, ak_name is same as that sent and so
> > is EK_PUB object as well as EK_Cert in nvram, I call the same
> > external_makecredential call that's in the GitHub to create secret and
> > made sure secret,credblob matches on the client side when received from
> > server.
> >
> > Thanks,
> > Rahul
> >
> > On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
> >
> > Set this up with all handles in use made persistent. If you still see
> > issues, gdb-break or turn on debug logging at the Esys call and compare
> > the function arguments.
> >
> > _______________________________________________
> > tpm2 mailing list -- tpm2(a)lists.01.org
> > To unsubscribe send an email to tpm2-leave(a)lists.01.org
> >

* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-15 18:05 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-04-15 18:05 UTC (permalink / raw)
  To: tpm2

Thanks Bill. I am taking help from the poky team on this.
Getting back to the Activate Credential issue: my code worked fine as a
single application as well as being run inside another process but as a
single thread (including makeCredential and activateCred).
My guess for failing is:
1. When server sends secret/credBlob, they don't match ---> But I ran gdb
and checked all bytes and they match, so that's not an issue; server is
running same OpenSSL as client, so no mismatch in version for
single-threaded vs multi-threaded
2. Probably AK key or EK key is not loaded or changed
--> to prove this, I would need to use Esys_ReadPublic; if it fails, it
implies it's not loaded; if it succeeds, I need to verify ek_pub and ak_name
are the same as when we created it
Assuming I have the ESYS_CONTEXT saved as well as the ESYS_TR handle for
both AK and EK saved, Esys_ReadPublic should still work, right, as it only
needs these 2?

Any other reason for failing?
Thanks,
Rahul
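
The two checks the message above proposes, telling a secret/credBlob mismatch apart from an unloaded or replaced key, as an added example in C that is not code from this thread or from tpm2-tss. The response-code bit layout and the TPM2_ActivateCredential handle and parameter numbering are taken from the TPM 2.0 Library specification (Part 2 section 6.6 and Part 3); the layer mask is tpm2-tss's TSS2_RC_LAYER_MASK. `rc_decode`, `rc_fmt1_name`, `activate_credential_arg`, `struct saved_key`, `check_key_still_loaded`, the `HAVE_TSS2` build switch and the sample response codes are this example's own. The tpm2-tss half assumes the ESYS_CONTEXT was opened in the calling thread (for instance with Tss2_TctiLdr_Initialize("tabrmd", &tcti) followed by Esys_Initialize(&ectx, tcti, NULL)) and that the ESYS_TR values were produced by that same context.

```c
/* Added example, not code from this thread or from tpm2-tss. Two checks for a
 * client whose Esys_ActivateCredential fails: rc_decode() splits the TSS2_RC
 * (tpm2-tss layer in bits 23:16; TPM format-1 code per Part 2 section 6.6:
 * F=bit 7, P=bit 6 parameter-vs-handle, N=bits 11:8 index with bit 11 marking
 * a session when P=0, E=bits 5:0), and check_key_still_loaded() re-reads the
 * EK/AK via the saved ESYS_TR and compares names (needs -DHAVE_TSS2 and
 * -ltss2-esys). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct rc_info {
    unsigned layer;        /* tpm2-tss layer, 0 = the code came from the TPM  */
    bool     format1;      /* low 12 bits are a format-1 (TPM_RC_xxx + N) code */
    unsigned error;        /* format 1: RC_FMT1 | E; format 0: the whole code  */
    bool     is_parameter; /* index names a command parameter                  */
    bool     is_session;   /* index names an authorization session             */
    unsigned index;        /* 1-based handle/parameter/session number, 0 = n/a */
};

/* Decode rc into *out. Returns false for TSS2_RC_SUCCESS (nothing to decode). */
bool rc_decode(uint32_t rc, struct rc_info *out)
{
    memset(out, 0, sizeof *out);
    if (rc == 0)
        return false;
    out->layer = (rc & 0xFF0000u) >> 16;       /* TSS2_RC_LAYER_MASK */
    unsigned tpm = rc & 0xFFFu;
    out->format1 = (tpm & 0x80u) != 0;
    if (!out->format1) {
        out->error = tpm;                      /* e.g. 0x101 = TPM_RC_FAILURE */
        return true;
    }
    out->error        = 0x80u | (tpm & 0x3Fu); /* reads as 0x08B, 0x084, ...  */
    out->is_parameter = (tpm & 0x40u) != 0;
    out->is_session   = !out->is_parameter && (tpm & 0x800u) != 0;
    out->index        = (tpm >> 8) & 0x7u;
    return true;
}

/* Format-1 errors commonly seen around credential activation (Part 2). */
const char *rc_fmt1_name(unsigned error)
{
    switch (error) {
    case 0x084: return "TPM_RC_VALUE";
    case 0x08B: return "TPM_RC_HANDLE";
    case 0x09F: return "TPM_RC_INTEGRITY";
    default:    return "TPM_RC_(other)";
    }
}

/* TPM2_ActivateCredential (Part 3): handle 1 = activateHandle (the AK),
 * handle 2 = keyHandle (the EK); parameter 1 = credentialBlob, 2 = secret.
 * Returns NULL when the code does not single out one of those four. */
const char *activate_credential_arg(const struct rc_info *i)
{
    if (!i->format1 || i->is_session || i->index < 1 || i->index > 2)
        return NULL;
    if (i->is_parameter)
        return i->index == 1 ? "credentialBlob" : "secret";
    return i->index == 1 ? "activateHandle" : "keyHandle";
}

#ifdef HAVE_TSS2
#include <tss2/tss2_esys.h>
/* What the client keeps from key creation. An ESYS_TR is only meaningful
 * inside the ESYS_CONTEXT (and so the thread) that produced it. */
struct saved_key {
    ESYS_TR    handle;  /* from Esys_CreatePrimary / Esys_Load */
    TPM2B_NAME name;    /* name returned with it, or from Esys_TR_GetName */
};

/* 0: still loaded and the same object; 1: loaded, but a different object;
 * otherwise the TSS2_RC from Esys_ReadPublic (feed it to rc_decode). */
uint32_t check_key_still_loaded(ESYS_CONTEXT *ectx, const struct saved_key *key)
{
    TPM2B_NAME *name = NULL;
    uint32_t rc = Esys_ReadPublic(ectx, key->handle, ESYS_TR_NONE, ESYS_TR_NONE,
                                  ESYS_TR_NONE, NULL, &name, NULL);
    if (rc != TSS2_RC_SUCCESS)
        return rc;
    bool same = name->size == key->name.size &&
                memcmp(name->name, key->name.name, name->size) == 0;
    Esys_Free(name);
    return same ? 0 : 1;
}
#endif

int main(void)
{
    /* Constructed response codes for the demo, not values from the thread. */
    const uint32_t samples[] = { 0x18Bu, 0x2C4u, 0x98Bu, 0x101u };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        struct rc_info i;
        rc_decode(samples[k], &i);
        const char *arg = activate_credential_arg(&i);
        printf("0x%03x layer=%u %s index=%u -> %s\n", (unsigned)samples[k],
               i.layer, i.format1 ? rc_fmt1_name(i.error) : "format 0",
               i.index, arg ? arg : "(no handle/parameter index)");
    }
    return 0;
}
```

With the constructed samples, 0x18B decodes to TPM_RC_HANDLE on handle 1 (the AK handle) and 0x2C4 to TPM_RC_VALUE on parameter 2 (the secret), which is the split between hypotheses 1 and 2 above: a handle-indexed code points at a key to re-check with Esys_ReadPublic, a parameter-indexed code points at the blob the server produced. A non-zero layer means the code never reached the TPM and was raised by a TSS layer instead, so comparing TPM arguments would be the wrong next step.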

On Wed, Apr 15, 2020 at 8:25 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:

> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> > Sent: Monday, April 13, 2020 6:55 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com>
> > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > What is the latest stable release for tpm2_tss ?
>
> Really? Github has a releases tab, use it.
> https://github.com/tpm2-software/tpm2-tss/releases
>
>
> >
> > Thanks,
> > Rahul
> >
> > On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> >
> >
> >       Looks like the version I have is old, the file tss2_tctildr.h does
> >       not exist
> >
> >
> >       On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> >
> >
> >               Ok, got it. I'm using ESAPI C APIs. But it's pretty much
> >               the same as the tpm2 tools implementation.
> >               How do I add debugs in my poky directory? I have
> >               tpm2.0-tss_2.1.4.bb file.
> >               Also, how to add compile-time log flags to my src file
> >               that uses ESAPI calls? Running separately was easy, I just
> >               called TSS2_LOG="all+ERROR,tcti+DEBUG"
> >
> >               On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >
> >
> >                       > -----Original Message-----
> >                       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >                       > Sent: Friday, April 10, 2020 4:15 PM
> >                       > To: Roberts, William C <william.c.roberts(a)intel.com>
> >                       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> >                       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >                       >
> >                       > Hi Bill,
> >                       > I have this on my system: Is tpmrm0 same as tabrmd? I
> >                       > believe mine is using this right now, I'm changing it to
> >                       > what you mentioned to see if it helps.
> >                       > [root(a)nfvis ~]# ls -l /dev/tpm*
> >                       > crw-rw----. 1 tss root  10,   224 Apr  8 23:19 /dev/tpm0
> >                       > crw-rw----. 1 tss tss  254, 65536 Apr  8 23:19 /dev/tpmrm0
> >                       > Thanks, Rahul
> >
> >                       In theory, yes. In practice no.
> >                       /dev/tpmrm0 is the in kernel resource manager
> >                       tpm2-abrmd is the userspace resource manager
> >
> >                       tpm2-abrmd has a few features tpmrm0 doesn't have,
> >                       but unless you're using policy sessions with
> >                       tpm2-tools, you shouldn't notice a difference.
> >
> >                       >
> >                       > On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >                       >
> >                       >       > -----Original Message-----
> >                       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >                       >       > Sent: Friday, April 10, 2020 1:08 PM
> >                       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> >                       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> >                       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >                       >       >
> >                       >       > Thanks Bill, trying that.
> >                       >       > I did not get debug build tpm2_tss, isn't it all
> >                       >       > prebuilt? I will have to see how to do it in poky.
> >                       >
> >                       >       If you're getting it from a package manager, yes.
> >                       >       But there's nothing stopping you from using source
> >                       >       builds. Some distros will package debug symbols for
> >                       >       their packages.
> >                       >
> >                       >       >
> >                       >       > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >                       >       >
> >                       >       >
> >                       >       >
> >                       >       >
> >                       >       >       > -----Original Message-----
> >                       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >                       >       >       > Sent: Thursday, April 9, 2020 2:51 PM
> >                       >       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> >                       >       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> >                       >       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >                       >       >       >
> >                       >       >       > Thanks Bill. I use this
> >                       >       >       > Esys_Initialize( &ectx, NULL, NULL);
> >                       >       >       >
> >                       >       >       > so I'm assuming it would take the default
> >                       >       >       > libtss2-tcti-tabrmd.so.0.
> >                       >       >
> >                       >       >       This should do it for you:
> >                       >       >       TSS2_RC
> >                       >       >       Tss2_TctiLdr_Initialize (const char *nameConf,
> >                       >       >                                TSS2_TCTI_CONTEXT **context);
> >                       >       >
> >                       >       >       Set nameConf to the string "tabrmd", that
> >                       >       >       should give you a tcti pointer you can
> >                       >       >       pass to Esys_Initialize()
> >                       >       >
> >                       >       >       >
> >                       >       >       >
> >                       >       >       > If I need to debug Esys_ActivateCredential
> >                       >       >       > more, how can I do it, these APIs are no
> >                       >       >       > more standalone, I have integrated it in a
> >                       >       >       > bigger code base and added the esys-tss2
> >                       >       >       > and other libs in my poky build, so now it
> >                       >       >       > runs as different process that invokes this
> >                       >       >       > function, I can gdb into the process but I
> >                       >       >       > can't seem to gdb into Esys_Activate..( )
> >                       >       >
> >                       >       >       Did you build tpm2-tss with debug symbols?
> >                       >       >       Add --enable-debug
> >                       >       >
> >                       >       >       >
> >                       >       >       >
> >                       >       >       > Thanks,
> >                       >       >       > Rahul
> >                       >       >       >
> >                       >       >       >
> >                       >       >       >
> >                       >       >       >
> >                       >       >       > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >                       >       >       >
> >                       >       >       >
> >                       >       >       >       > -----Original Message-----
> >                       >       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >                       >       >       >       > Sent: Thursday, April 9, 2020 11:18 AM
> >                       >       >       >       > To: Desai, Imran <imran.desai(a)intel.com>
> >                       >       >       >       > Cc: tpm2(a)lists.01.org
> >                       >       >       >       > Subject: [tpm2] Re: ESys_ActivateCredential
> >                       >       >       >       >
> >                       >       >       >       > How do I know if RM is being used?
> >                       >       >       >
> >                       >       >       >
> >                       >       >       >       If you set the tcti to the device tcti, it will
> >                       >       >       >       open /dev/tpm0 by default. And that won't
> >                       >       >       >       be an RM. You can also give it an option.
> >                       >       >       >       Esys_Initialize() takes a tcti as an option,
> >                       >       >       >       NULL will cause it to use the default search
> >                       >       >       >       behavior of the Tss2_TctiLdr, see:
> >                       >       >       >
> >                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> >                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> >                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
> >                       >       >       >
> >                       >       >       >       You can use man locally if you prefer as well:
> >                       >       >       >       man 3 Tss2_TctiLdr_Initialize
> >                       >       >       >       man 7 tss2-tcti-device
> >                       >       >       >       man 3 Tss2_Tcti_Device_Init
> >                       >       >       >
> >                       >       >       >       Note that
> >                       >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> >                       >       >       >       has sample code in it.
> >                       >       >       >
> >                       >       >       >       If you're using the tools,
> it supports
> > explicitly choosing the TCTI:
> >                       >       >       >
> https://github.com/tpm2-software/tpm2-
> >                       >       >       >
> tools/blob/master/man/common/tcti.md
> >                       >       >       >
> >                       >       >       >       Also note that the
> /dev/tpmrm0 (Notice
> > the RM) is an in-kernel
> >                       >       > resource
> >                       >       >       > manager.
> >                       >       >       >
> >                       >       >       >
> > > > > > > When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay for multi-thread
> > > > > > > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
> > > > > > > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> > > > > > >
> > > > > > > In my single threaded process, everything works so smoothly
> > > > > > > [root]# ./tpm
> > > > > > > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
> > > > > > > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> > > > > > > ESYS Initialization: Pass
> > > > > > >
> > > > > > > Read TPM EK Certificate: Pass
> > > > > > >
> > > > > > > TPM EK Certificate Root-CA Verification: Pass
> > > > > > >
> > > > > > > Clear TPM State: Pass
> > > > > > >
> > > > > > > Created EK Primary object: Pass
> > > > > > > #####Handle 0x418368
> > > > > > >
> > > > > > > Create Attestation Key: Pass
> > > > > > > #####Ak_Handle 0x41836b
> > > > > > >
> > > > > > > Original Credential="deadbeefdeadbeefdead"
> > > > > > >
> > > > > > > Make Credential: Pass
> > > > > > > #####Encrypted Credential Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
> > > > > > > #####Encrypted Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aece0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d830794775dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f1406612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687e1eb9fcc1759c184972779bfc"
> > > > > > >
> > > > > > > Activating Credential: Pass
> > > > > > > #####Recovered Credential="deadbeefdeadbeefdead"
> > > > > > >
> > > > > > > [root]#
> > > > > > >
> > > > > > > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> > > > > > >
> > > > > > > > Thanks guys, I'll try this but I also wanted to know if there is a way to know if the TPM
> > > > > > > > still has the EK and AK keys loaded? I have the EK handle and AK handle (not made it
> > > > > > > > persistent) but I want to make sure it's present as these are necessary for
> > > > > > > > ActivateCredential to succeed
> > > > > > > >
> > > > > > > > ESys_ActivateCredential complaining about secret parameter doesn't make sense to me, I
> > > > > > > > tested on server side, ak_name is same as that sent and so is EK_PUB object as well as
> > > > > > > > EK_Cert in nvram, I call the same external_makecredential call that's in the GitHub to
> > > > > > > > create secret and made sure secret, credblob matches on the client side when received
> > > > > > > > from server.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Rahul
> > > > > > > >
> > > > > > > > On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
> > > > > > > >
> > > > > > > > > Set this up with all handles in use made persistent. If you still see issues, gdb-break or
> > > > > > > > > turn on debug logging at the Esys call and compare the function arguments.
> > > > > > > > >


* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-15 15:25 Roberts, William C
  0 siblings, 0 replies; 25+ messages in thread
From: Roberts, William C @ 2020-04-15 15:25 UTC (permalink / raw)
  To: tpm2


> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> Sent: Monday, April 13, 2020 6:55 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 
> What is the latest stable release for tpm2_tss ?

Really? Github has a releases tab, use it.
https://github.com/tpm2-software/tpm2-tss/releases


> 
> Thanks,
> Rahul
> 
> On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 
> 
> 	Looks like the version I have is old, the file tss2_tctildr.h does not exist
> 
> 
> 	On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 
> 
> 		Ok, got it. I'm using ESAPI C APIs. But it's pretty much the same as the tpm2 tools implementation.
> 		How do I add debugs in my poky directory? I have tpm2.0-tss_2.1.4.bb file.
> 		Also, how to add compile-time log flags to my src file that uses ESAPI calls? Running separately was easy, I just called
> 		TSS2_LOG="all+ERROR,tcti+DEBUG"
> 
> 		On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 
> 
> 			> -----Original Message-----
> 			> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 			> Sent: Friday, April 10, 2020 4:15 PM
> 			> To: Roberts, William C <william.c.roberts(a)intel.com>
> 			> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 			> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 			>
> 			> Hi Bill,
> 			> I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is using this
> 			> right now, I'm changing it to what you mentioned to see if it helps.
> 			> [root(a)nfvis ~]# ls -l /dev/tpm*
> 			> crw-rw----. 1 tss root  10,   224 Apr  8 23:19 /dev/tpm0
> 			> crw-rw----. 1 tss tss  254, 65536 Apr  8 23:19 /dev/tpmrm0
> 			> Thanks, Rahul
> 
> 			In theory, yes. In practice no.
> 			/dev/tpmrm0 is the in kernel resource manager
> 			tpm2-abrmd is the userspace resource manager
> 
> 			tpm2-abrmd has a few features tpmrm0 doesn't have,
> but unless you're
> 			using policy sessions with tpm2-tools, you shouldn't
> notice a difference.
> 
> 			>
> 			> On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 			>
> 			>       > -----Original Message-----
> 			>       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 			>       > Sent: Friday, April 10, 2020 1:08 PM
> 			>       > To: Roberts, William C <william.c.roberts(a)intel.com>
> 			>       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 			>       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 			>       >
> 			>       > Thanks Bill, trying that.
> 			>       > I did not get debug build tpm2_tss, isn't it all prebuilt? I will have to see how to
> 			>       > do it in poky.
> 			>
> 			>       If you're getting it from a package manager, yes. But there's nothing stopping you
> 			>       from using source builds. Some distros will package debug symbols for their packages.
> 			>
> 			>       >
> 			>       > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 			>       >
> 			>       >       > -----Original Message-----
> 			>       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 			>       >       > Sent: Thursday, April 9, 2020 2:51 PM
> 			>       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> 			>       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 			>       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 			>       >       >
> 			>       >       > Thanks Bill. I use this
> 			>       >       > Esys_Initialize( &ectx, NULL, NULL);
> 			>       >       >
> 			>       >       > so I'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
> 			>       >
> 			>       >       This should do it for you:
> 			>       >       TSS2_RC
> 			>       >       Tss2_TctiLdr_Initialize (const char *nameConf,
> 			>       >                                TSS2_TCTI_CONTEXT **context);
> 			>       >
> 			>       >       Set nameConf to the string "tabrmd", that should give you a tcti pointer you can
> 			>       >       pass to Esys_Initialize()
> 			>       >
> 			>       >       >
> 			>       >       >
> 			>       >       > If I need to debug Esys_ActivateCredential more, how can I do it, these APIs are
> 			>       >       > no more standalone, I have integrated it in a bigger code base and added the
> 			>       >       > esys-tss2 and other libs in my poky build, so now it runs as different process that
> 			>       >       > invokes this function, I can gdb into the process but I can't seem to gdb into
> 			>       >       > Esys_Activate..( )
> 			>       >
> 			>       >       Did you build tpm2-tss with debug symbols?
> 			>       >       Add --enable-debug
> 			>       >
> 			>       >       >
> 			>       >       >
> 			>       >       > Thanks,
> 			>       >       > Rahul
> 			>       >       >
> 			>       >       >
> 			>       >       >
> 			>       >       >
> 			>       >       > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 			>       >       >
> 			>       >       >
> 			>       >       >       > -----Original Message-----
> 			>       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 			>       >       >       > Sent: Thursday, April 9, 2020 11:18 AM
> 			>       >       >       > To: Desai, Imran <imran.desai(a)intel.com>
> 			>       >       >       > Cc: tpm2(a)lists.01.org
> 			>       >       >       > Subject: [tpm2] Re: ESys_ActivateCredential
> 			>       >       >       >
> 			>       >       >       > How do I know if RM is being used?
> 			>       >       >
> 			>       >       >
> 			>       >       >       If you set the tcti to the device tcti, it will open /dev/tpm0 by default. And that won't
> 			>       >       >       be an RM. You can also give it an option. Esys_Initialize() takes a tcti as an option,
> 			>       >       >       NULL will cause it to use the default search behavior of the Tss2_TctiLdr, see:
> 			>       >       >
> 			>       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> 			>       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 			>       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
> 			>       >       >
> 			>       >       >       You can use man locally if you prefer as well:
> 			>       >       >       man 3 Tss2_TctiLdr_Initialize
> 			>       >       >       man 7 tss2-tcti-device
> 			>       >       >       man 3 Tss2_Tcti_Device_Init
> 			>       >       >
> 			>       >       >       Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 			>       >       >       has sample code in it.
> 			>       >       >
> 			>       >       >       If you're using the tools, it supports explicitly choosing the TCTI:
> 			>       >       >       https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
> 			>       >       >
> 			>       >       >       Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel resource manager.
> 			>       >       >
> 			>       >       >
> 			>       >       >       > When I do ESys_Initialize, I see these
> WARNINGs, wondering
> 			> if it's
> 			>       > okay
> 			>       >       > for multi-
> 			>       >       >       > thread
> 			>       >       >       > WARNING:esys:src/tss2-
> 			>       > esys/esys_tcti_default.c:137:tcti_from_file()
> 			>       >       > Could not
> 			>       >       >       > load TCTI file: libtss2-tcti-default.so
> <http://libtss2-tcti-
> 			>       > default.so/ <http://default.so/>
> <http://default.so/> >
> 			>       >       > libtss2-tcti-
> 			>       >       >       > default.so <http://libtss2-tcti-
> default.so/>
> 			>       >       >       > WARNING:esys:src/tss2-
> 			>       > esys/esys_tcti_default.c:137:tcti_from_file()
> 			>       >       > Could not
> 			>       >       >       > load TCTI file: libtss2-tcti-tabrmd.so
> <http://libtss2-tcti-
> 			>       > tabrmd.so/ <http://tabrmd.so/>
> <http://tabrmd.so/> >
> 			>       >       >       >
> 			>       >       >       > In my single threaded process,
> everything works so smoothly
> 			>       > [root]#
> 			>       >       > ./tpm
> 			>       >       >       > WARNING:esys:src/tss2-
> 			>       > esys/esys_tcti_default.c:137:tcti_from_file()
> 			>       >       > Could not
> 			>       >       >       > load TCTI file: libtss2-tcti-default.so
> <http://libtss2-tcti-
> 			>       > default.so/ <http://default.so/>
> <http://default.so/> >
> 			>       >       >       > WARNING:esys:src/tss2-
> 			>       > esys/esys_tcti_default.c:137:tcti_from_file()
> 			>       >       > Could not
> 			>       >       >       > load TCTI file: libtss2-tcti-tabrmd.so
> <http://libtss2-tcti-
> 			>       > tabrmd.so/ <http://tabrmd.so/>
> <http://tabrmd.so/> >
> 			>       >       > ESYS
> 			>       >       >       > Initialization: Pass
> 			>       >       >       >
> 			>       >       >       > Read TPM EK Certificate: Pass
> 			>       >       >       >
> 			>       >       >       > TPM EK Certificate Root-CA Verification:
> Pass
> 			>       >       >       >
> 			>       >       >       > Clear TPM State: Pass
> 			>       >       >       >
> 			>       >       >       > Created EK Primary object: Pass
> 			>       >       >       > #####Handle 0x418368
> 			>       >       >       >
> 			>       >       >       > Create Attestation Key: Pass
> 			>       >       >       > #####Ak_Handle 0x41836b
> 			>       >       >       >
> 			>       >       >       > Original
> Credential="deadbeefdeadbeefdead"
> 			>       >       >       >
> 			>       >       >       > Make Credential: Pass
> 			>       >       >       > #####Encrypted Credential
> 			>       >       >       >
> 			>       >       >
> 			>       >
> 			>
> Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> 			>       >       >       > 45c412864f020a7f1bbcab7a34f0"
> 			>       >       >       >
> 			>       >       >       > #####Encrypted
> 			>       >       >       >
> 			>       >       >
> 			>       >
> 			>
> Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> 			>       >       >       >
> 			>       >       >
> 			>       >
> 			>
> 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> 			>       >       >       >
> 			>       >       >
> 			>       >
> 			>
> e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> 			>       >       >       >
> 			>       >       >
> 			>       >
> 			>
> 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> 			>       >       >       >
> 			>       >       >
> 			>       >
> 			>
> 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> 			>       >       >       >
> 			>       >       >
> 			>       >
> 			>
> 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> 			>       >       >       >
> 			>       >       >
> 			>       >
> 			>
> fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> 			>       >       >       > e1eb9fcc1759c184972779bfc"
> 			>       >       >       >
> 			>       >       >       > Activating Credential: Pass
> 			>       >       >       > #####Recovered
> Credential="deadbeefdeadbeefdead"
> 			>       >       >       >
> 			>       >       >       > [root]#
> 			>       >       >       >
> 			>       >       >       >
> 			>       >       >       >
> 			>       >       >       > On Wed, Apr 8, 2020 at 7:02 PM Rahul
> Hardikar
> 			>       >       > <rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> >
> 			> <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> > >
> 			>       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> >
> 			> <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> > > >
> 			>       >       >       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>
> 			> <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> >
> 			>       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> > >
> 			> <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> >
> 			>       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> > >
> 			> > >
> 			>       >       > > wrote:
> 			>       >       >       >
> 			>       >       >       >
> 			>       >       >       >       Thanks guys, I'll try this but  i also
> wanted to know if there
> 			> is a
> 			>       > way to
> 			>       >       >       > know if the TPM still has the EK and AK
> keys loaded? I have
> 			> the EK
> 			>       >       > handle and AK
> 			>       >       >       > handle (not made it persistent) but I
> want to make sure it's
> 			>       > present as
> 			>       >       > these are
> 			>       >       >       > necessary for ActivateCredential to
> succeed
> 			>       >       >       >       ESys_ActivateCredential complaining
> about secret
> 			> parameter
> 			>       >       > doesn't
> 			>       >       >       > make sense to me, I tested on server
> side, ak_name is same
> 			> as
> 			>       > that
> 			>       >       > sent and so is
> 			>       >       >       > EK_PUB object as well as  EK_Cert in
> nvram, I call the same
> 			>       >       >       > external_makecredential call that's in the
> GitHub to create
> 			> secret
> 			>       > and
> 			>       >       > made sure
> 			>       >       >       > secret,credblob matches on the client
> side when received
> 			> from
> 			>       > server.
> 			>       >       >       >
> 			>       >       >       >       Thanks,
> 			>       >       >       >       Rahul
> 			>       >       >       >
> 			>       >       >       >       On Tue, Mar 17, 2020 at 6:19 AM Imran
> Desai
> 			>       >       > <imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>  <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> >
> 			> <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>  <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> > >
> 			>       > <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>  <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> >
> 			> <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>  <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> > > >
> 			>       >       >       > <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>
> 			> <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> >  <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>
> 			> <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> > >
> 			>       > <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>  <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> >
> 			> <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>  <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> > > > > >
> 			>       >       > wrote:
> 			>       >       >       >
> 			>       >       >       >
> 			>       >       >       >               Set this up with all handles in use
> made persistent. If
> 			> you
> 			>       > still see
> 			>       >       >       > issues, gdb-break or turn on debug
> logging at the Esys call and
> 			>       > compare
> 			>       >       > the
> 			>       >       >       > function arguments.
> 			>       >       >       >
> 			>       >
> _______________________________________________
> 			>       >       >       >               tpm2 mailing list --
> tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> 			> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> >
> 			>       > <mailto:tpm2(a)lists.01.org
> <mailto:tpm2(a)lists.01.org>  <mailto:tpm2(a)lists.01.org
> <mailto:tpm2(a)lists.01.org> > >
> 			> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org> >
> 			>       > <mailto:tpm2(a)lists.01.org
> <mailto:tpm2(a)lists.01.org>  <mailto:tpm2(a)lists.01.org
> <mailto:tpm2(a)lists.01.org> > > >
> 			>       >       > <mailto:tpm2(a)lists.01.org
> <mailto:tpm2(a)lists.01.org>  <mailto:tpm2(a)lists.01.org
> <mailto:tpm2(a)lists.01.org> >
> 			> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org> > >
> 			>       > <mailto:tpm2(a)lists.01.org
> <mailto:tpm2(a)lists.01.org>  <mailto:tpm2(a)lists.01.org
> <mailto:tpm2(a)lists.01.org> >
> 			> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org> > > > >
> 			>       >       >       >               To unsubscribe send an email to
> tpm2-
> 			> leave(a)lists.01.org <mailto:leave(a)lists.01.org>
> <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-leave(a)lists.01.org> >
> 			>       > <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-
> leave(a)lists.01.org>  <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-
> leave(a)lists.01.org> > >
> 			>       >       > <mailto:tpm2-leave(a)lists.01.org
> <mailto:tpm2-leave(a)lists.01.org>  <mailto:tpm2-leave(a)lists.01.org
> <mailto:tpm2-leave(a)lists.01.org> >
> 			> <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-
> leave(a)lists.01.org>  <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-
> leave(a)lists.01.org> > > >
> 			>       >       >       > <mailto:tpm2-leave(a)lists.01.org
> <mailto:tpm2-leave(a)lists.01.org>  <mailto:tpm2- <mailto:tpm2->
> 			> leave(a)lists.01.org <mailto:leave(a)lists.01.org> >
> <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-leave(a)lists.01.org>
> <mailto:tpm2- <mailto:tpm2->
> 			> leave(a)lists.01.org <mailto:leave(a)lists.01.org> > >
> 			>       > <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-
> leave(a)lists.01.org>  <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-
> leave(a)lists.01.org> >
> 			> <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-
> leave(a)lists.01.org>  <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-
> leave(a)lists.01.org> > > > >
> 			>       >       >       >
> 			>
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> 			>       >       >       >
> 			>       >       >
> 			>       >       >
> 			>       >
> 			>       >
> 			>
> 			>
> 
> 
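The TCTI advice above boils down to one string: whatever is handed to Tss2_TctiLdr_Initialize() (or, through a NULL tcti, chosen by its default search) decides whether commands go through a resource manager, and the thread's warning is that plain "device" opens /dev/tpm0, which is not one. The following is an added example, not code from the thread or from tpm2-tss: a small classifier for that "name:conf" string that a program can run before Esys_Initialize() so it refuses a transport that is not behind a resource manager when it intends to hold several ESYS contexts (one per thread, as the thread recommends). It assumes the name spellings documented in the Tss2_TctiLdr_Initialize(3) man page ("device", "libtss2-tcti-device", "libtss2-tcti-device.so", "libtss2-tcti-device.so.0" all select the same TCTI) and the /dev/tpm0 default of the device TCTI; the functions `tcti_parse` and `tcti_safe_for_multiple_contexts` and the struct names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not tpm2-tss code: classify a Tss2_TctiLdr_Initialize()
 * "name:conf" string and decide whether the transport is fronted by a
 * resource manager (RM). Names and helpers here are hypothetical. */

enum tcti_kind { TCTI_DEFAULT_SEARCH, TCTI_DEVICE, TCTI_TABRMD, TCTI_OTHER };
enum rm_status { RM_UNKNOWN, RM_NO, RM_YES };

struct tcti_choice {
    enum tcti_kind kind;
    char name[64];      /* short TCTI name, e.g. "device" or "tabrmd" */
    char conf[128];     /* TCTI-specific config, e.g. "/dev/tpmrm0" */
    enum rm_status rm;  /* is a resource manager in front of the TPM? */
};

/* Reduce any accepted library-name spelling to the short TCTI name:
 * "libtss2-tcti-device.so.0" -> "device". */
static void tcti_short_name(const char *raw, size_t rawlen, char *out, size_t outlen)
{
    static const char prefix[] = "libtss2-tcti-";
    size_t plen = sizeof(prefix) - 1;

    if (rawlen >= plen && memcmp(raw, prefix, plen) == 0) {
        raw += plen;
        rawlen -= plen;
    }
    for (size_t i = 0; i + 3 <= rawlen; i++) {          /* cut at ".so[.N]" */
        if (memcmp(raw + i, ".so", 3) == 0 && (i + 3 == rawlen || raw[i + 3] == '.')) {
            rawlen = i;
            break;
        }
    }
    if (rawlen >= outlen)
        rawlen = outlen - 1;
    memcpy(out, raw, rawlen);
    out[rawlen] = '\0';
}

/* Split nameConf the way Tss2_TctiLdr_Initialize() does (name before the first
 * ':', conf after it) and classify it. Returns false on an invalid string. */
bool tcti_parse(const char *nameConf, struct tcti_choice *out)
{
    memset(out, 0, sizeof(*out));

    /* NULL or "": default search. Which TCTI finally loads is only known at
     * run time (the WARNING lines in the thread are that search failing over),
     * so the RM status cannot be decided from the string alone. */
    if (nameConf == NULL || nameConf[0] == '\0') {
        out->kind = TCTI_DEFAULT_SEARCH;
        out->rm = RM_UNKNOWN;
        return true;
    }

    const char *colon = strchr(nameConf, ':');
    size_t namelen = colon ? (size_t)(colon - nameConf) : strlen(nameConf);
    if (namelen == 0)
        return false;                       /* ":conf" without a name */

    tcti_short_name(nameConf, namelen, out->name, sizeof(out->name));
    if (colon)
        strncpy(out->conf, colon + 1, sizeof(out->conf) - 1);

    if (strcmp(out->name, "device") == 0) {
        out->kind = TCTI_DEVICE;
        if (out->conf[0] == '\0')
            strcpy(out->conf, "/dev/tpm0");  /* device TCTI default: raw, no RM */
        /* /dev/tpmrmN is the in-kernel resource manager; /dev/tpmN is raw. */
        out->rm = (strncmp(out->conf, "/dev/tpmrm", 10) == 0) ? RM_YES : RM_NO;
    } else if (strcmp(out->name, "tabrmd") == 0) {
        out->kind = TCTI_TABRMD;            /* userspace RM (tpm2-abrmd) */
        out->rm = RM_YES;
    } else {
        out->kind = TCTI_OTHER;             /* mssim, swtpm, ...: not decided here */
        out->rm = RM_UNKNOWN;
    }
    return true;
}

/* True only for a transport proven to sit behind a resource manager, which is
 * what several ESYS contexts (one per thread) need so that their transient
 * objects are not clobbered by each other. */
bool tcti_safe_for_multiple_contexts(const char *nameConf)
{
    struct tcti_choice c;
    return tcti_parse(nameConf, &c) && c.rm == RM_YES;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *candidates[] = { NULL, "device", "device:/dev/tpmrm0",
                                 "libtss2-tcti-tabrmd.so.0:bus_type=system",
                                 "mssim:host=localhost,port=2321" };
    for (size_t i = 0; i < sizeof(candidates) / sizeof(candidates[0]); i++) {
        struct tcti_choice c;
        const char *shown = candidates[i] ? candidates[i] : "(NULL)";
        if (!tcti_parse(candidates[i], &c)) {
            printf("%-42s invalid\n", shown);
            continue;
        }
        printf("%-42s name=%-8s conf=%-24s rm=%s\n", shown, c.name, c.conf,
               c.rm == RM_YES ? "yes" : c.rm == RM_NO ? "no" : "unknown");
    }
    return 0;
}
```

In a real program the accepted string is then passed to Tss2_TctiLdr_Initialize() and the resulting TSS2_TCTI_CONTEXT pointer to Esys_Initialize(), exactly as the thread describes; the classifier only makes the "raw device versus resource manager" decision explicit instead of leaving it to the default search.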


^ permalink raw reply	[flat|nested] 25+ messages in thread

* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-15 15:23 Roberts, William C
  0 siblings, 0 replies; 25+ messages in thread
From: Roberts, William C @ 2020-04-15 15:23 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 24892 bytes --]



> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> Sent: Monday, April 13, 2020 2:32 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 
> Ok, got it. I'm using ESAPI C APIs. But its pretty much the same as the tpm2 tools
> implementation.
> How do i add debugs in my poky directory?  I have tpm2.0-tss_2.1.4.bb file.

I've never touched Yocto, so we're probably not going to be able to help
much there.

> Also, how to add compile-time log flags to my src file that uses ESAPI calls?
> Running separately was easy, I just called TSS2_LOG="all+ERROR,tcti+DEBUG"

That’s not a compile time flag, it's in the environment. All programs have access to
the environment, via getenv and setenv calls. See: https://linux.die.net/man/5/environ
So you could call setenv() in the program. However, usually if you're not starting
the program directly on the shell, some type of execution environment, like init
or system will allow you to add these values in. This sounds very yocto specific on
how to do that, thus you would probably want to discuss that on the Yocto project
mailing lists.

The log messages go to stderr and stdout, so you could redirect them. Doing it in C:
https://stackoverflow.com/questions/584868/rerouting-stdin-and-stdout-from-c

But it would probably be easier just to alter the execution environment of the program.
How to do that is system specific.

> 
> On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com> > wrote:
> 
> 
> 	> -----Original Message-----
> 	> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> ]
> 	> Sent: Friday, April 10, 2020 4:15 PM
> 	> To: Roberts, William C <william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com> >
> 	> Cc: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> >; tpm2(a)lists.01.org
> <mailto:tpm2(a)lists.01.org>
> 	> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>
> 	> Hi Bill,
> 	> I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is
> using this
> 	> right now , i'm changing it to what you mentioned  to see if it helps.
> 	> [root(a)nfvis ~]# ls -l /dev/tpm*
> 	> crw-rw----. 1 tss root  10,   224 Apr  8 23:19 /dev/tpm0
> 	> crw-rw----. 1 tss tss  254, 65536 Apr  8 23:19 /dev/tpmrm0 Thanks, Rahul
> 
> 	In theory, yes. In practice no.
> 	/dev/tpmrm0 is the in kernel resource manager
> 	tpm2-abrmd is the userspace resource manager
> 
> 	tpm2-abrmd has a few features tpmrm0 doesn't have, but unless you're
> 	using policy sessions with tpm2-tools, you shouldn't notice a difference.
> 
> 	>
> 	> On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts(a)intel.com>
> 	> <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com> > > wrote:
> 	>
> 	>
> 	>
> 	>
> 	>       > -----Original Message-----
> 	>       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>
> 	> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com> >
> ]
> 	>       > Sent: Friday, April 10, 2020 1:08 PM
> 	>       > To: Roberts, William C <william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com>
> 	> <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com> > >
> 	>       > Cc: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>
> 	> <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com> > >;
> tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> 	> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org> >
> 	>       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>       >
> 	>       > Thanks Bill, trying that.
> 	>       >  I did not get debug build tpm2_tss, isn't it all prebuilt ? I will have
> to see
> 	> how to
> 	>       > do it in poky.
> 	>
> 	>       If you're getting it from a package manager, yes. But there's nothing
> 	> stopping you
> 	>       from using source builds. Some distro's will package debug symbols
> for
> 	> their
> 	>       packages.
> 	>
> 	>       >
> 	>       > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C
> 	> <william.c.roberts(a)intel.com <mailto:william.c.roberts(a)intel.com>
> <mailto:william.c.roberts(a)intel.com <mailto:william.c.roberts(a)intel.com> >
> 	>       > <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com>
> 	> <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com> > > > wrote:
> 	>       >
> 	>       >
> 	>       >
> 	>       >
> 	>       >       > -----Original Message-----
> 	>       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>
> 	> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com> >
> 	>       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> > >
> 	> ]
> 	>       >       > Sent: Thursday, April 9, 2020 2:51 PM
> 	>       >       > To: Roberts, William C <william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com>
> 	> <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com> >
> 	>       > <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com>
> 	> <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com> > > >
> 	>       >       > Cc: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>
> 	> <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com> >
> 	>       > <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com>
> <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com> > > >;
> 	> tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org> >
> 	>       > <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org> > >
> 	>       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>       >       >
> 	>       >       > Thanks Bill. I use this
> 	>       >       > Esys_Initialize( &ectx, NULL, NULL);
> 	>       >       >
> 	>       >       > so i'm assuming it would take the default  libtss2-tcti-
> tabrmd.so.0.
> 	>       >
> 	>       >       This should do it for you:
> 	>       >       TSS2_RC
> 	>       >       Tss2_TctiLdr_Initialize (const char *nameConf,
> 	>       >                                TSS2_TCTI_CONTEXT **context);
> 	>       >
> 	>       >       Set nameConf to the string "tabrmd", that should give you a tcti
> 	> pointer
> 	>       > you can
> 	>       >       pass wot Esys_Initialize()
> 	>       >
> 	>       >       >
> 	>       >       >
> 	>       >       > If I need to debug Esys_ActivateCredential more, how can I do
> it,
> 	> these
> 	>       > APIs are
> 	>       >       > no more standalone, I have integrated it in a bigger code base
> and
> 	>       > added the
> 	>       >       > esys-tss2 and other libs in my poky build, so now it runs as
> 	> different
> 	>       > process that
> 	>       >       > invokes this function, I can gdb into the process but I can't
> seem to
> 	> gdb
> 	>       > into
> 	>       >       > Esys_Activate..( )
> 	>       >
> 	>       >       Did you build tpm2-tss with debug symbols?
> 	>       >       Add --enable-debug
> 	>       >
> 	>       >       >
> 	>       >       >
> 	>       >       > Thanks,
> 	>       >       > Rahul
> 	>       >       >
> 	>       >       >
> 	>       >       >
> 	>       >       >
> 	>       >       > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C
> 	>       > <william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com>  <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com> >
> 	> <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com>  <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com> > >
> 	>       >       > <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com>
> 	> <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com> >
> 	>       > <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com>
> 	> <mailto:william.c.roberts(a)intel.com
> <mailto:william.c.roberts(a)intel.com> > > > > wrote:
> 	>       >       >
> 	>       >       >
> 	>       >       >       > -----Original Message-----
> 	>       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>
> 	> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com> >
> 	>       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> > >
> 	>       >       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>
> 	> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com> >
> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com>
> 	> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com> >
> > >
> 	>       > ]
> 	>       >       >       > Sent: Thursday, April 9, 2020 11:18 AM
> 	>       >       >       > To: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>
> 	> <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com> >
> 	>       > <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com>
> <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com> > >
> 	>       >       > <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com>  <mailto:imran.desai(a)intel.com
> <mailto:imran.desai(a)intel.com> >
> 	> <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com>
> <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com> > > > >
> 	>       >       >       > Cc: tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org> >
> 	> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org> > >
> 	>       > <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org> >
> 	> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org> > > >
> 	>       >       >       > Subject: [tpm2] Re: ESys_ActivateCredential
> 	>       >       >       >
> 	>       >       >       > How do I know if  RM is being used?
> 	>       >       >
> 	>       >       >
> 	>       >       >       If you set the tcti to the device tcti, it will open /dev/tpm0
> by
> 	>       > default. And
> 	>       >       > that wont
> 	>       >       >       Be an RM. You can also give it an option. Esys_Initialize()
> takes a
> 	> tcti
> 	>       > as an
> 	>       >       > option,
> 	>       >       >       NULL will cause it to use the default search behavior of the
> 	>       > Tss2_TctiLdr,
> 	>       >       > see:
> 	>       >       >
> 	>       >       >       https://github.com/tpm2-software/tpm2-
> 	>       >       > tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> <http://Tss2_TctiLdr_Initialize.3.in>
> 	> <http://Tss2_TctiLdr_Initialize.3.in>
> 	>       > <http://Tss2_TctiLdr_Initialize.3.in>
> 	>       >       >       https://github.com/tpm2-software/tpm2-
> 	>       >       > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> <http://Tss2_Tcti_Device_Init.3.in>
> 	> <http://Tss2_Tcti_Device_Init.3.in>
> 	>       > <http://Tss2_Tcti_Device_Init.3.in>
> 	>       >       >       https://github.com/tpm2-software/tpm2-
> 	>       > tss/blob/master/man/tss2-
> 	>       >       > tcti-device.7.in <http://tcti-device.7.in>  <http://tcti-
> device.7.in>  <http://tcti-device.7.in>
> 	>       >       >
> 	>       >       >       You can use man locally if you prefer as well:
> 	>       >       >       man 3 Tss2_TctiLdr_Initialize
> 	>       >       >       man 7 tss2-tcti-device
> 	>       >       >       man 3 Tss2_Tcti_Device_Init
> 	>       >       >
> 	>       >       >       Note that https://github.com/tpm2-software/tpm2-
> 	>       >       > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> <http://Tss2_Tcti_Device_Init.3.in>
> 	> <http://Tss2_Tcti_Device_Init.3.in>
> 	>       > <http://Tss2_Tcti_Device_Init.3.in>
> 	>       >       >       Has sample code in it.
> 	>       >       >
> 	>       >       >       If you're using the tools, it supports explicitly choosing the
> TCTI:
> 	>       >       >       https://github.com/tpm2-software/tpm2-
> 	>       >       > tools/blob/master/man/common/tcti.md
> 	>       >       >
> 	>       >       >       Also note that the /dev/tpmrm0 (Notice the RM) is an in-
> kernel
> 	>       > resource
> 	>       >       > manager.
> 	>       >       >
> 	>       >       >
> 	>       >       >       > When I do ESys_Initialize, I see these WARNINGs,
> wondering
> 	> if it's
> 	>       > okay
> 	>       >       > for multi-
> 	>       >       >       > thread
> 	>       >       >       > WARNING:esys:src/tss2-
> 	>       > esys/esys_tcti_default.c:137:tcti_from_file()
> 	>       >       > Could not
> 	>       >       >       > load TCTI file: libtss2-tcti-default.so <http://libtss2-tcti-
> 	>       > default.so/ <http://default.so/>  <http://default.so/> >
> 	>       >       > libtss2-tcti-
> 	>       >       >       > default.so <http://libtss2-tcti-default.so/>
> 	>       >       >       > WARNING:esys:src/tss2-
> 	>       > esys/esys_tcti_default.c:137:tcti_from_file()
> 	>       >       > Could not
> 	>       >       >       > load TCTI file: libtss2-tcti-tabrmd.so <http://libtss2-tcti-
> 	>       > tabrmd.so/ <http://tabrmd.so/>  <http://tabrmd.so/> >
> 	>       >       >       >
> 	>       >       >       > In my single threaded process, everything works so
> smoothly
> 	>       > [root]#
> 	>       >       > ./tpm
> 	>       >       >       > WARNING:esys:src/tss2-
> 	>       > esys/esys_tcti_default.c:137:tcti_from_file()
> 	>       >       > Could not
> 	>       >       >       > load TCTI file: libtss2-tcti-default.so <http://libtss2-tcti-
> 	>       > default.so/ <http://default.so/>  <http://default.so/> >
> 	>       >       >       > WARNING:esys:src/tss2-
> 	>       > esys/esys_tcti_default.c:137:tcti_from_file()
> 	>       >       > Could not
> 	>       >       >       > load TCTI file: libtss2-tcti-tabrmd.so <http://libtss2-tcti-
> 	>       > tabrmd.so/ <http://tabrmd.so/>  <http://tabrmd.so/> >
> 	>       >       > ESYS
> 	>       >       >       > Initialization: Pass
> 	>       >       >       >
> 	>       >       >       > Read TPM EK Certificate: Pass
> 	>       >       >       >
> 	>       >       >       > TPM EK Certificate Root-CA Verification: Pass
> 	>       >       >       >
> 	>       >       >       > Clear TPM State: Pass
> 	>       >       >       >
> 	>       >       >       > Created EK Primary object: Pass
> 	>       >       >       > #####Handle 0x418368
> 	>       >       >       >
> 	>       >       >       > Create Attestation Key: Pass
> 	>       >       >       > #####Ak_Handle 0x41836b
> 	>       >       >       >
> 	>       >       >       > Original Credential="deadbeefdeadbeefdead"
> 	>       >       >       >
> 	>       >       >       > Make Credential: Pass
> 	>       >       >       > #####Encrypted Credential
> 	>       >       >       >
> 	>       >       >
> 	>       >
> 	>
> Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> 	>       >       >       > 45c412864f020a7f1bbcab7a34f0"
> 	>       >       >       >
> 	>       >       >       > #####Encrypted
> 	>       >       >       >
> 	>       >       >
> 	>       >
> 	>
> Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> 	>       >       >       >
> 	>       >       >
> 	>       >
> 	>
> 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> 	>       >       >       >
> 	>       >       >
> 	>       >
> 	>
> e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> 	>       >       >       >
> 	>       >       >
> 	>       >
> 	>
> 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> 	>       >       >       >
> 	>       >       >
> 	>       >
> 	>
> 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> 	>       >       >       >
> 	>       >       >
> 	>       >
> 	>
> 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> 	>       >       >       >
> 	>       >       >
> 	>       >
> 	>
> fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> 	>       >       >       > e1eb9fcc1759c184972779bfc"
> 	>       >       >       >
> 	>       >       >       > Activating Credential: Pass
> 	>       >       >       > #####Recovered Credential="deadbeefdeadbeefdead"
> 	>       >       >       >
> 	>       >       >       > [root]#
> 	>       >       >       >
> 	>       >       >       >
> 	>       >       >       >
> 	>       >       >       > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar
> 	>       >       > <rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> >
> 	> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com>
> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com> > >
> 	>       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> >
> 	> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com>
> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com> > > >
> 	>       >       >       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>
> 	> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com> >
> 	>       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> > >
> 	> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com>
> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com> >
> 	>       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> > >
> 	> > >
> 	>       >       > > wrote:
> > > > >
> > > > > Thanks guys, I'll try this but I also wanted to know if there is a
> > > > > way to know if the TPM still has the EK and AK keys loaded? I have the EK
> > > > > handle and AK handle (not made it persistent) but I want to make sure it's
> > > > > present as these are necessary for ActivateCredential to succeed.
> > > > > ESys_ActivateCredential complaining about secret parameter doesn't
> > > > > make sense to me, I tested on server side, ak_name is same as that
> > > > > sent and so is EK_PUB object as well as EK_Cert in nvram, I call the
> > > > > same external_makecredential call that's in the GitHub to create secret
> > > > > and made sure secret,credblob matches on the client side when received
> > > > > from server.
> > > > >
> > > > > Thanks,
> > > > > Rahul
> > > > >
> > > > > On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
> > > > >
> > > > > > Set this up with all handles in use made persistent. If you still see
> > > > > > issues, gdb-break or turn on debug logging at the Esys call and compare
> > > > > > the function arguments.



* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-13 23:54 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-04-13 23:54 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 19535 bytes --]

What is the latest stable release for tpm2_tss?

Thanks,
Rahul

On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:

> Looks like the version I have is old, the file tss2_tctildr.h does not
> exist
>
>
>
> On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
> wrote:
>
>> Ok, got it. I'm using ESAPI C APIs. But it's pretty much the same as the
>> tpm2 tools implementation.
>> How do I add debugs in my poky directory?  I have tpm2.0-tss_2.1.4.bb
>> file.
>> Also, how to add compile-time log flags to my src file that uses ESAPI
>> calls? Running separately was easy, I just called
>> TSS2_LOG="all+ERROR,tcti+DEBUG"
>>
>> On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <
>> william.c.roberts(a)intel.com> wrote:
>>
>>> > -----Original Message-----
>>> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
>>> > Sent: Friday, April 10, 2020 4:15 PM
>>> > To: Roberts, William C <william.c.roberts(a)intel.com>
>>> > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
>>> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
>>> >
>>> > Hi Bill,
>>> > I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is
>>> > using this right now, I'm changing it to what you mentioned to see if it helps.
>>> > [root(a)nfvis ~]# ls -l /dev/tpm*
>>> > crw-rw----. 1 tss root  10,   224 Apr  8 23:19 /dev/tpm0
>>> > crw-rw----. 1 tss tss  254, 65536 Apr  8 23:19 /dev/tpmrm0
>>> > Thanks,
>>> > Rahul
>>>
>>> In theory, yes. In practice no.
>>> /dev/tpmrm0 is the in-kernel resource manager
>>> tpm2-abrmd is the userspace resource manager
>>>
>>> tpm2-abrmd has a few features tpmrm0 doesn't have, but unless you're
>>> using policy sessions with tpm2-tools, you shouldn't notice a difference.
>>>
>>> >
>>> > On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
>>> >
>>> >       > -----Original Message-----
>>> >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
>>> >       > Sent: Friday, April 10, 2020 1:08 PM
>>> >       > To: Roberts, William C <william.c.roberts(a)intel.com>
>>> >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
>>> >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
>>> >       >
>>> >       > Thanks Bill, trying that.
>>> >       > I did not get debug build tpm2_tss, isn't it all prebuilt? I will have to see
>>> >       > how to do it in poky.
>>> >
>>> >       If you're getting it from a package manager, yes. But there's nothing
>>> >       stopping you from using source builds. Some distros will package debug
>>> >       symbols for their packages.
>>> >
>>> >       >
>>> >       > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
>>> >       >
>>> >       >       > -----Original Message-----
>>> >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
>>> >       >       > Sent: Thursday, April 9, 2020 2:51 PM
>>> >       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
>>> >       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
>>> >       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
>>> >       >       >
>>> >       >       > Thanks Bill. I use this
>>> >       >       > Esys_Initialize( &ectx, NULL, NULL);
>>> >       >       >
>>> >       >       > so I'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
>>> >       >
>>> >       >       This should do it for you:
>>> >       >       TSS2_RC
>>> >       >       Tss2_TctiLdr_Initialize (const char *nameConf,
>>> >       >                                TSS2_TCTI_CONTEXT **context);
>>> >       >
>>> >       >       Set nameConf to the string "tabrmd", that should give you a tcti
>>> >       >       pointer you can pass to Esys_Initialize()
>>> >       >
>>> >       >       >
>>> >       >       >
>>> >       >       > If I need to debug Esys_ActivateCredential more, how can I do it,
>>> >       >       > these APIs are no more standalone, I have integrated it in a bigger
>>> >       >       > code base and added the esys-tss2 and other libs in my poky build,
>>> >       >       > so now it runs as different process that invokes this function,
>>> >       >       > I can gdb into the process but I can't seem to gdb into
>>> >       >       > Esys_Activate..( )
>>> >       >
>>> >       >       Did you build tpm2-tss with debug symbols?
>>> >       >       Add --enable-debug
>>> >       >
>>> >       >       >
>>> >       >       >
>>> >       >       > Thanks,
>>> >       >       > Rahul
>>> >       >       >
>>> >       >       >
>>> >       >       >
>>> >       >       >
>>> >       >       > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
>>> >       >       >
>>> >       >       >       > -----Original Message-----
>>> >       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
>>> >       >       >       > Sent: Thursday, April 9, 2020 11:18 AM
>>> >       >       >       > To: Desai, Imran <imran.desai(a)intel.com>
>>> >       >       >       > Cc: tpm2(a)lists.01.org
>>> >       >       >       > Subject: [tpm2] Re: ESys_ActivateCredential
>>> >       >       >       >
>>> >       >       >       > How do I know if  RM is being used?
>>> >       >       >
>>> >       >       >
>>> >       >       >       If you set the tcti to the device tcti, it will open /dev/tpm0 by
>>> >       >       >       default. And that won't be an RM. You can also give it an option.
>>> >       >       >       Esys_Initialize() takes a tcti as an option, NULL will cause it to
>>> >       >       >       use the default search behavior of the Tss2_TctiLdr, see:
>>> >       >       >
>>> >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
>>> >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
>>> >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
>>> >       >       >
>>> >       >       >       You can use man locally if you prefer as well:
>>> >       >       >       man 3 Tss2_TctiLdr_Initialize
>>> >       >       >       man 7 tss2-tcti-device
>>> >       >       >       man 3 Tss2_Tcti_Device_Init
>>> >       >       >
>>> >       >       >       Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
>>> >       >       >       has sample code in it.
>>> >       >       >
>>> >       >       >       If you're using the tools, it supports explicitly choosing the TCTI:
>>> >       >       >       https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
>>> >       >       >
>>> >       >       >       Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel
>>> >       >       >       resource manager.
>>> >       >       >
>>> >       >       >
>>> >       >       >       > When I do ESys_Initialize, I see these WARNINGs, wondering if it's
>>> >       >       >       > okay for multi-thread
>>> >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
>>> >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
>>> >       >       >       >
>>> >       >       >       > In my single threaded process, everything works so smoothly
>>> >       >       >       > [root]# ./tpm
>>> >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
>>> >       >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
>>> >       >       >       > ESYS Initialization: Pass
>>> >       >       >       >
>>> >       >       >       > Read TPM EK Certificate: Pass
>>> >       >       >       >
>>> >       >       >       > TPM EK Certificate Root-CA Verification: Pass
>>> >       >       >       >
>>> >       >       >       > Clear TPM State: Pass
>>> >       >       >       >
>>> >       >       >       > Created EK Primary object: Pass
>>> >       >       >       > #####Handle 0x418368
>>> >       >       >       >
>>> >       >       >       > Create Attestation Key: Pass
>>> >       >       >       > #####Ak_Handle 0x41836b
>>> >       >       >       >
>>> >       >       >       > Original Credential="deadbeefdeadbeefdead"
>>> >       >       >       >
>>> >       >       >       > Make Credential: Pass
>>> >       >       >       > #####Encrypted Credential Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
>>> >       >       >       >
>>> >       >       >       > #####Encrypted Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aece0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d830794775dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f1406612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687e1eb9fcc1759c184972779bfc"
>>> >       >       >       >
>>> >       >       >       > Activating Credential: Pass
>>> >       >       >       > #####Recovered Credential="deadbeefdeadbeefdead"
>>> >       >       >       >
>>> >       >       >       > [root]#
>>> >       >       >       >
>>> >       >       >       >
>>> >       >       >       >
>>> >       >       >       > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
>>> >       >       >       >
>>> >       >       >       >       Thanks guys, I'll try this but I also wanted to know if there is a
>>> >       >       >       >       way to know if the TPM still has the EK and AK keys loaded? I have
>>> >       >       >       >       the EK handle and AK handle (not made it persistent) but I want to
>>> >       >       >       >       make sure it's present as these are necessary for ActivateCredential
>>> >       >       >       >       to succeed.
>>> >       >       >       >       ESys_ActivateCredential complaining about secret parameter doesn't
>>> >       >       >       >       make sense to me, I tested on server side, ak_name is same as that
>>> >       >       >       >       sent and so is EK_PUB object as well as EK_Cert in nvram, I call the
>>> >       >       >       >       same external_makecredential call that's in the GitHub to create
>>> >       >       >       >       secret and made sure secret,credblob matches on the client side
>>> >       >       >       >       when received from server.
>>> >       >       >       >
>>> >       >       >       >       Thanks,
>>> >       >       >       >       Rahul
>>> >       >       >       >
>>> >       >       >       >       On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
>>> >       >       >       >
>>> >       >       >       >               Set this up with all handles in use made persistent. If you
>>> >       >       >       >               still see issues, gdb-break or turn on debug logging at the
>>> >       >       >       >               Esys call and compare the function arguments.
>>> >       >       >       >

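Bill's quoted explanation above (Tss2_TctiLdr_Initialize() with nameConf set to "tabrmd", the device TCTI opening /dev/tpm0 by default, and /dev/tpmrm0 being the in-kernel resource manager) comes down to what the TCTI string resolves to. The C snippet below is an added example, not code from this thread or from tpm2-tss: it splits a "name[:conf]" string at the first colon, as Tss2_TctiLdr_Initialize(3) documents the format, and reports whether the selected transport goes through a resource manager. The names tcti_spec, tcti_spec_parse, tcti_rm_kind, tcti_rm_kind_of and tcti_conf_is are this example's own, and the classification rules are taken from the thread's statements rather than from tctildr internals.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not tpm2-tss code. Splits a TCTI "name[:conf]" string the
 * way Tss2_TctiLdr_Initialize(3) documents it and classifies whether the
 * resulting TCTI talks to the TPM through a resource manager (RM), following
 * the thread: tabrmd is the userspace RM, /dev/tpmrm0 the in-kernel RM, and
 * the device TCTI with no conf opens /dev/tpm0, which is not an RM.
 * All type and function names here are hypothetical, chosen for this example. */

#define TCTI_NAME_MAX 64
#define TCTI_CONF_MAX 256

struct tcti_spec {
    char name[TCTI_NAME_MAX];   /* short name ("device", "tabrmd") or library path */
    char conf[TCTI_CONF_MAX];   /* everything after the first ':', if any */
    int  has_conf;
};

enum rm_kind {
    RM_PARSE_ERROR = -1,
    RM_NONE = 0,        /* raw device node, no resource manager */
    RM_KERNEL = 1,      /* /dev/tpmrm0 */
    RM_USERSPACE = 2,   /* tpm2-abrmd over D-Bus */
    RM_UNKNOWN = 3      /* some other TCTI (mssim, custom library path, ...) */
};

/* Split "name[:conf]" at the first ':'; returns 0 on success, -1 on bad input.
 * An empty name or an over-long field is rejected rather than truncated. */
int tcti_spec_parse(const char *name_conf, struct tcti_spec *out)
{
    if (name_conf == NULL || out == NULL)
        return -1;
    memset(out, 0, sizeof(*out));

    const char *colon = strchr(name_conf, ':');
    size_t name_len = colon ? (size_t)(colon - name_conf) : strlen(name_conf);
    if (name_len == 0 || name_len >= TCTI_NAME_MAX)
        return -1;
    memcpy(out->name, name_conf, name_len);
    out->name[name_len] = '\0';

    if (colon != NULL && colon[1] != '\0') {
        if (strlen(colon + 1) >= TCTI_CONF_MAX)
            return -1;
        strcpy(out->conf, colon + 1);
        out->has_conf = 1;
    }
    return 0;
}

enum rm_kind tcti_rm_kind(const struct tcti_spec *s)
{
    if (strcmp(s->name, "tabrmd") == 0)
        return RM_USERSPACE;
    if (strcmp(s->name, "device") == 0) {
        /* Per the thread: the device TCTI opens /dev/tpm0 unless told otherwise. */
        const char *path = s->has_conf ? s->conf : "/dev/tpm0";
        return strstr(path, "tpmrm") != NULL ? RM_KERNEL : RM_NONE;
    }
    return RM_UNKNOWN;
}

/* Convenience wrapper: parse and classify in one call. */
enum rm_kind tcti_rm_kind_of(const char *name_conf)
{
    struct tcti_spec s;
    if (tcti_spec_parse(name_conf, &s) != 0)
        return RM_PARSE_ERROR;
    return tcti_rm_kind(&s);
}

/* Returns 1 if parsing name_conf yields exactly this conf string ("" when absent). */
int tcti_conf_is(const char *name_conf, const char *expected_conf)
{
    struct tcti_spec s;
    if (tcti_spec_parse(name_conf, &s) != 0)
        return 0;
    return strcmp(s.conf, expected_conf) == 0;
}

int main(void)
{
    /* Constructed sample strings, including a malformed one with no name. */
    static const char *const samples[] = {
        "tabrmd", "tabrmd:bus_type=session", "device", "device:/dev/tpmrm0",
        "device:/dev/tpm0", "mssim:host=localhost,port=2321", ":broken",
    };
    static const char *const names[] = {
        "parse error", "no RM", "kernel RM", "userspace RM", "unknown",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum rm_kind k = tcti_rm_kind_of(samples[i]);
        printf("%-32s -> %s\n", samples[i], names[k + 1]);
    }
    return 0;
}
```

A program that builds its TCTI string from configuration can run this check before calling Tss2_TctiLdr_Initialize() and refuse a string that would bypass the resource manager, instead of discovering the fallback only from the "Could not load TCTI file: libtss2-tcti-tabrmd.so" warnings shown earlier in the thread.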


* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-13 23:38 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-04-13 23:38 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 18907 bytes --]

Looks like the version I have is old, the file tss2_tctildr.h does not exist



On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:

> Ok, got it. I'm using ESAPI C APIs. But it's pretty much the same as the
> tpm2 tools implementation.
> How do I add debugs in my poky directory?  I have tpm2.0-tss_2.1.4.bb
> file.
> Also, how to add compile-time log flags to my src file that uses ESAPI
> calls? Running separately was easy, I just called
> TSS2_LOG="all+ERROR,tcti+DEBUG"
>
> On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <
> william.c.roberts(a)intel.com> wrote:
>
>> > -----Original Message-----
>> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
>> > Sent: Friday, April 10, 2020 4:15 PM
>> > To: Roberts, William C <william.c.roberts(a)intel.com>
>> > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
>> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
>> >
>> > Hi Bill,
>> > I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is
>> > using this right now, I'm changing it to what you mentioned to see if it helps.
>> > [root(a)nfvis ~]# ls -l /dev/tpm*
>> > crw-rw----. 1 tss root  10,   224 Apr  8 23:19 /dev/tpm0
>> > crw-rw----. 1 tss tss  254, 65536 Apr  8 23:19 /dev/tpmrm0
>> > Thanks,
>> > Rahul
>>
>> In theory, yes. In practice no.
>> /dev/tpmrm0 is the in-kernel resource manager
>> tpm2-abrmd is the userspace resource manager
>>
>> tpm2-abrmd has a few features tpmrm0 doesn't have, but unless you're
>> using policy sessions with tpm2-tools, you shouldn't notice a difference.
>>
>> >
>> > On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
>> >
>> >       > -----Original Message-----
>> >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
>> >       > Sent: Friday, April 10, 2020 1:08 PM
>> >       > To: Roberts, William C <william.c.roberts(a)intel.com>
>> >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
>> >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
>> >       >
>> >       > Thanks Bill, trying that.
>> >       > I did not get debug build tpm2_tss, isn't it all prebuilt? I will have to see
>> >       > how to do it in poky.
>> >
>> >       If you're getting it from a package manager, yes. But there's nothing
>> >       stopping you from using source builds. Some distros will package debug
>> >       symbols for their packages.
>> >
>> >       >
>> >       > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
>> >       >
>> >       >       > -----Original Message-----
>> >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
>> >       >       > Sent: Thursday, April 9, 2020 2:51 PM
>> >       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
>> >       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
>> >       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
>> >       >       >
>> >       >       > Thanks Bill. I use this
>> >       >       > Esys_Initialize( &ectx, NULL, NULL);
>> >       >       >
>> >       >       > so I'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
>> >       >
>> >       >       This should do it for you:
>> >       >       TSS2_RC
>> >       >       Tss2_TctiLdr_Initialize (const char *nameConf,
>> >       >                                TSS2_TCTI_CONTEXT **context);
>> >       >
>> >       >       Set nameConf to the string "tabrmd", that should give you a tcti
>> >       >       pointer you can pass to Esys_Initialize()
>> >       >
>> >       >       >
>> >       >       >
>> >       >       > If I need to debug Esys_ActivateCredential more, how can I do it,
>> >       >       > these APIs are no more standalone, I have integrated it in a bigger
>> >       >       > code base and added the esys-tss2 and other libs in my poky build,
>> >       >       > so now it runs as different process that invokes this function,
>> >       >       > I can gdb into the process but I can't seem to gdb into
>> >       >       > Esys_Activate..( )
>> >       >
>> >       >       Did you build tpm2-tss with debug symbols?
>> >       >       Add --enable-debug
>> >       >
>> >       >       >
>> >       >       >
>> >       >       > Thanks,
>> >       >       > Rahul
>> >       >       >
>> >       >       >
>> >       >       >
>> >       >       >
>> >       >       > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
>> >       >       >
>> >       >       >       > -----Original Message-----
>> >       >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
>> >       >       >       > Sent: Thursday, April 9, 2020 11:18 AM
>> >       >       >       > To: Desai, Imran <imran.desai(a)intel.com>
>> >       >       >       > Cc: tpm2(a)lists.01.org
>> >       >       >       > Subject: [tpm2] Re: ESys_ActivateCredential
>> >       >       >       >
>> >       >       >       > How do I know if  RM is being used?
>> >       >       >
>> >       >       >
>> >       >       >       If you set the tcti to the device tcti, it will open /dev/tpm0 by
>> >       >       >       default. And that won't be an RM. You can also give it an option.
>> >       >       >       Esys_Initialize() takes a tcti as an option, NULL will cause it to
>> >       >       >       use the default search behavior of the Tss2_TctiLdr, see:
>> >       >       >
>> >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
>> >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
>> >       >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
>> >       >       >
>> >       >       >       You can use man locally if you prefer as well:
>> >       >       >       man 3 Tss2_TctiLdr_Initialize
>> >       >       >       man 7 tss2-tcti-device
>> >       >       >       man 3 Tss2_Tcti_Device_Init
>> >       >       >
>> >       >       >       Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
>> >       >       >       has sample code in it.
>> >       >       >
>> >       >       >       If you're using the tools, it supports explicitly choosing the TCTI:
>> >       >       >       https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
>> >       >       >
>> >       >       >       Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel
>> >       >       >       resource manager.
>> >       >       >
>> >       >       >
>> >       >       >       > When I do ESys_Initialize, I see these
>> WARNINGs, wondering
>> > if it's
>> >       > okay
>> >       >       > for multi-
>> >       >       >       > thread
>> >       >       >       > WARNING:esys:src/tss2-
>> >       > esys/esys_tcti_default.c:137:tcti_from_file()
>> >       >       > Could not
>> >       >       >       > load TCTI file: libtss2-tcti-default.so <
>> http://libtss2-tcti-
>> >       > default.so/ <http://default.so/> >
>> >       >       > libtss2-tcti-
>> >       >       >       > default.so <http://libtss2-tcti-default.so/>
>> >       >       >       > WARNING:esys:src/tss2-
>> >       > esys/esys_tcti_default.c:137:tcti_from_file()
>> >       >       > Could not
>> >       >       >       > load TCTI file: libtss2-tcti-tabrmd.so <
>> http://libtss2-tcti-
>> >       > tabrmd.so/ <http://tabrmd.so/> >
>> >       >       >       >
>> >       >       >       > In my single threaded process, everything works
>> so smoothly
>> >       > [root]#
>> >       >       > ./tpm
>> >       >       >       > WARNING:esys:src/tss2-
>> >       > esys/esys_tcti_default.c:137:tcti_from_file()
>> >       >       > Could not
>> >       >       >       > load TCTI file: libtss2-tcti-default.so <
>> http://libtss2-tcti-
>> >       > default.so/ <http://default.so/> >
>> >       >       >       > WARNING:esys:src/tss2-
>> >       > esys/esys_tcti_default.c:137:tcti_from_file()
>> >       >       > Could not
>> >       >       >       > load TCTI file: libtss2-tcti-tabrmd.so <
>> http://libtss2-tcti-
>> >       > tabrmd.so/ <http://tabrmd.so/> >
>> >       >       > ESYS
>> >       >       >       > Initialization: Pass
>> >       >       >       >
>> >       >       >       > Read TPM EK Certificate: Pass
>> >       >       >       >
>> >       >       >       > TPM EK Certificate Root-CA Verification: Pass
>> >       >       >       >
>> >       >       >       > Clear TPM State: Pass
>> >       >       >       >
>> >       >       >       > Created EK Primary object: Pass
>> >       >       >       > #####Handle 0x418368
>> >       >       >       >
>> >       >       >       > Create Attestation Key: Pass
>> >       >       >       > #####Ak_Handle 0x41836b
>> >       >       >       >
>> >       >       >       > Original Credential="deadbeefdeadbeefdead"
>> >       >       >       >
>> >       >       >       > Make Credential: Pass
>> >       >       >       > #####Encrypted Credential Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
>> >       >       >       >
>> >       >       >       > #####Encrypted Secret=<hex value elided>
>> >       >       >       >
>> >       >       >       > Activating Credential: Pass
>> >       >       >       > #####Recovered Credential="deadbeefdeadbeefdead"
>> >       >       >       >
>> >       >       >       > [root]#
>> >       >       >       >
>> >       >       >       >
>> >       >       >       >
>> >       >       >       > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
>> >       >       >       >
>> >       >       >       >       Thanks guys, I'll try this but I also wanted to know if there is a way to
>> >       >       >       >       know if the TPM still has the EK and AK keys loaded? I have the EK
>> >       >       >       >       handle and AK handle (not made it persistent) but I want to make sure it's
>> >       >       >       >       present as these are necessary for ActivateCredential to succeed.
>> >       >       >       >       ESys_ActivateCredential complaining about secret parameter doesn't
>> >       >       >       >       make sense to me, I tested on server side, ak_name is same as that
>> >       >       >       >       sent and so is EK_PUB object as well as EK_Cert in nvram, I call the same
>> >       >       >       >       external_makecredential call that's in the GitHub to create secret and
>> >       >       >       >       made sure secret,credblob matches on the client side when received from server.
>> >       >       >       >
>> >       >       >       >       Thanks,
>> >       >       >       >       Rahul
>> >       >       >       >
>> >       >       >       >       On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
>> >       >       >       >
>> >       >       >       >               Set this up with all handles in use made persistent. If you still see
>> >       >       >       >               issues, gdb-break or turn on debug logging at the Esys call and compare
>> >       >       >       >               the function arguments.
>> >       >       >       >
>> >       >       >       >               _______________________________________________
>> >       >       >       >               tpm2 mailing list -- tpm2(a)lists.01.org
>> >       >       >       >               To unsubscribe send an email to tpm2-leave(a)lists.01.org
>> >       >       >       >               %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 35511 bytes --]

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-13 19:31 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-04-13 19:31 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 18268 bytes --]

Ok, got it. I'm using ESAPI C APIs. But it's pretty much the same as the
tpm2 tools implementation.
How do I add debugs in my poky directory? I have tpm2.0-tss_2.1.4.bb file.
Also, how to add compile-time log flags to my src file that uses ESAPI
calls? Running separately was easy, I just called
TSS2_LOG="all+ERROR,tcti+DEBUG"

On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:

> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> > Sent: Friday, April 10, 2020 4:15 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com>
> > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Hi Bill,
> > I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is using this
> > right now, I'm changing it to what you mentioned to see if it helps.
> > [root(a)nfvis ~]# ls -l /dev/tpm*
> > crw-rw----. 1 tss root  10,   224 Apr  8 23:19 /dev/tpm0
> > crw-rw----. 1 tss tss  254, 65536 Apr  8 23:19 /dev/tpmrm0
> > Thanks, Rahul
>
> In theory, yes. In practice no.
> /dev/tpmrm0 is the in kernel resource manager
> tpm2-abrmd is the userspace resource manager
>
> tpm2-abrmd has a few features tpmrm0 doesn't have, but unless you're
> using policy sessions with tpm2-tools, you shouldn't notice a difference.
>
> >
> > On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >
> >       > -----Original Message-----
> >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >       > Sent: Friday, April 10, 2020 1:08 PM
> >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >       >
> >       > Thanks Bill, trying that.
> >       > I did not get debug build tpm2_tss, isn't it all prebuilt? I will have to see how to
> >       > do it in poky.
> >
> >       If you're getting it from a package manager, yes. But there's nothing stopping you
> >       from using source builds. Some distros will package debug symbols for their
> >       packages.
> >
> >       >
> >       > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >       >
> >       >       > -----Original Message-----
> >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >       >       > Sent: Thursday, April 9, 2020 2:51 PM
> >       >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> >       >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> >       >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >       >       >
> >       >       > Thanks Bill. I use this
> >       >       > Esys_Initialize( &ectx, NULL, NULL);
> >       >       >
> >       >       > so I'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
> >       >
> >       >       This should do it for you:
> >       >       TSS2_RC
> >       >       Tss2_TctiLdr_Initialize (const char *nameConf,
> >       >                                TSS2_TCTI_CONTEXT **context);
> >       >
> >       >       Set nameConf to the string "tabrmd", that should give you a tcti pointer you can
> >       >       pass to Esys_Initialize()
> >       >
> >       >       >
> >       >       > If I need to debug Esys_ActivateCredential more, how can I do it, these APIs are
> >       >       > no more standalone, I have integrated it in a bigger code base and added the
> >       >       > esys-tss2 and other libs in my poky build, so now it runs as different process that
> >       >       > invokes this function, I can gdb into the process but I can't seem to gdb into
> >       >       > Esys_Activate..( )
> >       >
> >       >       Did you build tpm2-tss with debug symbols?
> >       >       Add --enable-debug
> >       >
> >       >       >
> >       >       > Thanks,
> >       >       > Rahul
> >       >       >

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 34792 bytes --]

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-13 14:20 Roberts, William C
  0 siblings, 0 replies; 25+ messages in thread
From: Roberts, William C @ 2020-04-13 14:20 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 15547 bytes --]

> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> Sent: Friday, April 10, 2020 4:15 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 
> Hi Bill,
> I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is using this
> right now, I'm changing it to what you mentioned to see if it helps.
> [root(a)nfvis ~]# ls -l /dev/tpm*
> crw-rw----. 1 tss root  10,   224 Apr  8 23:19 /dev/tpm0
> crw-rw----. 1 tss tss  254, 65536 Apr  8 23:19 /dev/tpmrm0
> Thanks, Rahul

In theory, yes. In practice no.
/dev/tpmrm0 is the in kernel resource manager
tpm2-abrmd is the userspace resource manager

tpm2-abrmd has a few features tpmrm0 doesn't have, but unless you're
using policy sessions with tpm2-tools, you shouldn't notice a difference.



^ permalink raw reply	[flat|nested] 25+ messages in thread

* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-10 21:15 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-04-10 21:15 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 12188 bytes --]

Hi Bill,
I have this on my system: Is tpmrm0 the same as tabrmd? I believe mine is using
this right now, I'm changing it to what you mentioned to see if it helps.

[root(a)nfvis ~]# ls -l /dev/tpm*
crw-rw----. 1 tss root  10,   224 Apr  8 23:19 /dev/tpm0
crw-rw----. 1 tss tss  254, 65536 Apr  8 23:19 /dev/tpmrm0

Thanks,

Rahul


On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:

>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> > Sent: Friday, April 10, 2020 1:08 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com>
> > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Thanks Bill, trying that.
> > I did not get a debug build of tpm2_tss, isn't it all prebuilt? I will have to
> > see how to do it in poky.
>
> If you're getting it from a package manager, yes. But there's nothing stopping
> you from using source builds. Some distros will package debug symbols for
> their packages.
>
> >
> > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >
> >       > -----Original Message-----
> >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >       > Sent: Thursday, April 9, 2020 2:51 PM
> >       > To: Roberts, William C <william.c.roberts(a)intel.com>
> >       > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> >       > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >       >
> >       > Thanks Bill. I use this
> >       > Esys_Initialize( &ectx, NULL, NULL);
> >       >
> >       > so I'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
> >
> >       This should do it for you:
> >       TSS2_RC
> >       Tss2_TctiLdr_Initialize (const char *nameConf,
> >                                TSS2_TCTI_CONTEXT **context);
> >
> >       Set nameConf to the string "tabrmd", that should give you a tcti pointer
> >       you can pass to Esys_Initialize()
> >
> >       >
> >       > If I need to debug Esys_ActivateCredential more, how can I do it? These
> >       > APIs are no longer standalone, I have integrated them in a bigger code
> >       > base and added the esys-tss2 and other libs in my poky build, so now it
> >       > runs as a different process that invokes this function. I can gdb into
> >       > the process but I can't seem to gdb into Esys_Activate..( )
> >
> >       Did you build tpm2-tss with debug symbols?
> >       Add --enable-debug
> >
> >       >
> >       > Thanks,
> >       > Rahul
> >       >
> >       > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >       >
> >       >       > -----Original Message-----
> >       >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >       >       > Sent: Thursday, April 9, 2020 11:18 AM
> >       >       > To: Desai, Imran <imran.desai(a)intel.com>
> >       >       > Cc: tpm2(a)lists.01.org
> >       >       > Subject: [tpm2] Re: ESys_ActivateCredential
> >       >       >
> >       >       > How do I know if RM is being used?
> >       >
> >       >       If you set the tcti to the device tcti, it will open /dev/tpm0 by
> >       >       default. And that won't be an RM. You can also give it an option.
> >       >       Esys_Initialize() takes a tcti as an option, NULL will cause it to
> >       >       use the default search behavior of the Tss2_TctiLdr, see:
> >       >
> >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> >       >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
> >       >
> >       >       You can use man locally if you prefer as well:
> >       >       man 3 Tss2_TctiLdr_Initialize
> >       >       man 7 tss2-tcti-device
> >       >       man 3 Tss2_Tcti_Device_Init
> >       >
> >       >       Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> >       >       has sample code in it.
> >       >
> >       >       If you're using the tools, it supports explicitly choosing the TCTI:
> >       >       https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
> >       >
> >       >       Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel
> >       >       resource manager.
> >       >
> >       >
> >       >       > When I do ESys_Initialize, I see these WARNINGs, wondering if it's
> >       >       > okay for multi-thread
> >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so libtss2-tcti-default.so
> >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> >       >       >
> >       >       > In my single threaded process, everything works so smoothly
> >       >       > [root]# ./tpm
> >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
> >       >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> >       >       > ESYS Initialization: Pass
> >       >       >
> >       >       > Read TPM EK Certificate: Pass
> >       >       >
> >       >       > TPM EK Certificate Root-CA Verification: Pass
> >       >       >
> >       >       > Clear TPM State: Pass
> >       >       >
> >       >       > Created EK Primary object: Pass
> >       >       > #####Handle 0x418368
> >       >       >
> >       >       > Create Attestation Key: Pass
> >       >       > #####Ak_Handle 0x41836b
> >       >       >
> >       >       > Original Credential="deadbeefdeadbeefdead"
> >       >       >
> >       >       > Make Credential: Pass
> >       >       > #####Encrypted Credential Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
> >       >       >
> >       >       > #####Encrypted Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> >       >       > 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> >       >       > e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> >       >       > 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> >       >       > 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> >       >       > 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> >       >       > fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> >       >       > e1eb9fcc1759c184972779bfc"
> >       >       >
> >       >       > Activating Credential: Pass
> >       >       > #####Recovered Credential="deadbeefdeadbeefdead"
> >       >       >
> >       >       > [root]#
> >       >       >
> >       >       > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> >       >       >
> >       >       >       Thanks guys, I'll try this but I also wanted to know if there is a
> >       >       >       way to know if the TPM still has the EK and AK keys loaded? I have
> >       >       >       the EK handle and AK handle (not made it persistent) but I want to
> >       >       >       make sure it's present as these are necessary for
> >       >       >       ActivateCredential to succeed.
> >       >       >       ESys_ActivateCredential complaining about secret parameter doesn't
> >       >       >       make sense to me, I tested on server side, ak_name is same as that
> >       >       >       sent and so is EK_PUB object as well as EK_Cert in nvram, I call
> >       >       >       the same external_makecredential call that's in the GitHub to
> >       >       >       create secret and made sure secret,credblob matches on the client
> >       >       >       side when received from server.
> >       >       >
> >       >       >       Thanks,
> >       >       >       Rahul
> >       >       >
> >       >       >       On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
> >       >       >
> >       >       >               Set this up with all handles in use made persistent. If you
> >       >       >               still see issues, gdb-break or turn on debug logging at the
> >       >       >               Esys call and compare the function arguments.
> >       >       >
> >       >       >               _______________________________________________
> >       >       >               tpm2 mailing list -- tpm2(a)lists.01.org
> >       >       >               To unsubscribe send an email to tpm2-leave(a)lists.01.org
> >       >       >
> >
>


^ permalink raw reply	[flat|nested] 25+ messages in thread
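A structural check of what MakeCredential produced, as an added example (not code from the thread, tpm2-tss or tpm2-tools): it parses the credential blob printed in the debug output quoted above into its TPMS_ID_OBJECT fields and checks the lengths ActivateCredential expects (integrityHMAC sized by the EK's nameAlg, encIdentity = 2 + credential length, secret = EK modulus size), which is the kind of framing error behind a "secret parameter" complaint. Assumptions: the EK is RSA-2048 with nameAlg SHA-256, and the secret is a constructed placeholder of the same length as the one in the thread.

```python
"""Structural sanity check of TPM2_MakeCredential output before it is handed
to Esys_ActivateCredential. Added example, not code from the thread or tpm2-tss.

Only framing and lengths are checked (the first things the TPM rejects); the
HMAC cannot be verified and the seed cannot be decrypted without the EK.

Layout (TPM 2.0 Part 2, TPMS_ID_OBJECT; Part 1, credential protection):
  credentialBlob = integrityHMAC (TPM2B_DIGEST: 2-byte size + nameAlg digest)
                || encIdentity   (CFB-encrypted TPM2B_DIGEST: 2-byte size + credential)
  secret         = encrypted seed; for an RSA EK exactly one modulus in length
  name           = TPM2B_NAME buffer: 2-byte TPM_ALG_ID || digest
"""
from dataclasses import dataclass
import os

DIGEST_SIZES = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}
# TPM_ALG_ID values of the hash algorithms (TPM 2.0 Part 2, algorithm table)
HASH_ALG_IDS = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}

# Values quoted from the debug output in this thread (joined across the wrapped
# lines). The printed blob carries no outer TPM2B size: its first two bytes are
# already the 0x0020 integrityHMAC size, as the length arithmetic below confirms.
THREAD_CRED_BLOB_HEX = ("0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a"
                        "45c412864f020a7f1bbcab7a34f0")
THREAD_CREDENTIAL = bytes.fromhex("deadbeefdeadbeefdead")  # 10 bytes
# The thread's secret is 256 bytes of RSA-OAEP ciphertext; this constructed
# placeholder only reproduces its length (assumption: RSA-2048 EK).
PLACEHOLDER_SECRET_HEX = os.urandom(256).hex()


@dataclass
class CredentialBlob:
    integrity_hmac: bytes  # HMAC_nameAlg(hmacKey, encIdentity || name)
    enc_identity: bytes    # encrypted TPM2B_DIGEST carrying the credential


def parse_credential_blob(blob: bytes) -> CredentialBlob:
    """Split a TPMS_ID_OBJECT into its two fields, validating the framing."""
    if len(blob) < 2:
        raise ValueError("too short for the integrityHMAC size field")
    hmac_len = int.from_bytes(blob[:2], "big")
    if hmac_len not in DIGEST_SIZES.values():
        raise ValueError(f"integrityHMAC size {hmac_len} is not a digest size")
    end = 2 + hmac_len
    if len(blob) < end + 2:
        raise ValueError("truncated: no room for encIdentity")
    return CredentialBlob(blob[2:end], blob[end:])


def name_alg_of(name: bytes) -> str:
    """Return the hash algorithm a TPM2B_NAME buffer (e.g. the AK name) was built with."""
    if len(name) < 2:
        raise ValueError("name too short")
    alg = HASH_ALG_IDS.get(int.from_bytes(name[:2], "big"))
    if alg is None:
        raise ValueError("name does not start with a hash TPM_ALG_ID")
    if len(name) != 2 + DIGEST_SIZES[alg]:
        raise ValueError(f"{alg} name must be {2 + DIGEST_SIZES[alg]} bytes, got {len(name)}")
    return alg


def check_make_credential_output(blob_hex: str, secret_hex: str, ek_name_alg: str,
                                 ek_modulus_bits: int, credential_len: int) -> list:
    """Return human-readable findings; an empty list means the framing is consistent."""
    findings = []
    try:
        parsed = parse_credential_blob(bytes.fromhex(blob_hex))
    except ValueError as e:
        return [f"credentialBlob: {e}"]
    want = DIGEST_SIZES[ek_name_alg]
    if len(parsed.integrity_hmac) != want:
        findings.append(f"integrityHMAC is {len(parsed.integrity_hmac)} bytes; "
                        f"EK nameAlg {ek_name_alg} needs {want}")
    if len(parsed.enc_identity) != 2 + credential_len:
        findings.append(f"encIdentity is {len(parsed.enc_identity)} bytes; "
                        f"expected 2 + {credential_len}")
    secret_len = len(bytes.fromhex(secret_hex))
    if secret_len != ek_modulus_bits // 8:
        findings.append(f"secret is {secret_len} bytes; RSA-{ek_modulus_bits} EK "
                        f"needs {ek_modulus_bits // 8}")
    return findings


if __name__ == "__main__":
    result = check_make_credential_output(THREAD_CRED_BLOB_HEX, PLACEHOLDER_SECRET_HEX,
                                          "sha256", 2048, len(THREAD_CREDENTIAL))
    for line in result or ["credentialBlob and secret framing consistent"]:
        print(line)
```

Run the same check on the client immediately before Esys_ActivateCredential; a non-empty result points at the server's MakeCredential inputs (wrong EK public, wrong nameAlg or truncated transfer) rather than at the TPM.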

* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-10 18:33 Roberts, William C
  0 siblings, 0 replies; 25+ messages in thread
From: Roberts, William C @ 2020-04-10 18:33 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 10134 bytes --]



> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> Sent: Friday, April 10, 2020 1:08 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 
> Thanks Bill, trying that.
> I did not get a debug build of tpm2_tss, isn't it all prebuilt? I will have to see how to
> do it in poky.

If you're getting it from a package manager, yes. But there's nothing stopping you
from using source builds. Some distros will package debug symbols for their
packages.

> 
> On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 
> 
> 
> 
> 	> -----Original Message-----
> 	> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	> Sent: Thursday, April 9, 2020 2:51 PM
> 	> To: Roberts, William C <william.c.roberts(a)intel.com>
> 	> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> 	> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 	>
> 	> Thanks Bill. I use this
> 	> Esys_Initialize( &ectx, NULL, NULL);
> 	>
> 	> so I'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
> 
> 	This should do it for you:
> 	TSS2_RC
> 	Tss2_TctiLdr_Initialize (const char *nameConf,
> 	                         TSS2_TCTI_CONTEXT **context);
> 
> 	Set nameConf to the string "tabrmd", that should give you a tcti pointer
> 	you can pass to Esys_Initialize()
> 
> 	>
> 	>
> 	> If I need to debug Esys_ActivateCredential more, how can I do it? These
> 	> APIs are no longer standalone, I have integrated them in a bigger code
> 	> base and added the esys-tss2 and other libs in my poky build, so now it
> 	> runs as a different process that invokes this function. I can gdb into
> 	> the process but I can't seem to gdb into Esys_Activate..( )
> 
> 	Did you build tpm2-tss with debug symbols?
> 	Add --enable-debug
> 
> 	>
> 	>
> 	> Thanks,
> 	> Rahul
> 	>
> 	>
> 	>
> 	>
> 	> On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 	>
> 	>       > -----Original Message-----
> 	>       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	>       > Sent: Thursday, April 9, 2020 11:18 AM
> 	>       > To: Desai, Imran <imran.desai(a)intel.com>
> 	>       > Cc: tpm2(a)lists.01.org
> 	>       > Subject: [tpm2] Re: ESys_ActivateCredential
> 	>       >
> 	>       > How do I know if RM is being used?
> 	>
> 	>       If you set the tcti to the device tcti, it will open /dev/tpm0 by
> 	>       default. And that won't be an RM. You can also give it an option.
> 	>       Esys_Initialize() takes a tcti as an option, NULL will cause it to
> 	>       use the default search behavior of the Tss2_TctiLdr, see:
> 	>
> 	>       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> 	>       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 	>       https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
> 	>
> 	>       You can use man locally if you prefer as well:
> 	>       man 3 Tss2_TctiLdr_Initialize
> 	>       man 7 tss2-tcti-device
> 	>       man 3 Tss2_Tcti_Device_Init
> 	>
> 	>       Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 	>       has sample code in it.
> 	>
> 	>       If you're using the tools, it supports explicitly choosing the TCTI:
> 	>       https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
> 	>
> 	>       Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel
> 	>       resource manager.
> 	>
> 	>
> 	>       > When I do ESys_Initialize, I see these WARNINGs, wondering if it's
> 	>       > okay for multi-thread
> 	>       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so libtss2-tcti-default.so
> 	>       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> 	>       >
> 	>       > In my single threaded process, everything works so smoothly
> 	>       > [root]# ./tpm
> 	>       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
> 	>       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
> 	>       > ESYS Initialization: Pass
> 	>       >
> 	>       > Read TPM EK Certificate: Pass
> 	>       >
> 	>       > TPM EK Certificate Root-CA Verification: Pass
> 	>       >
> 	>       > Clear TPM State: Pass
> 	>       >
> 	>       > Created EK Primary object: Pass
> 	>       > #####Handle 0x418368
> 	>       >
> 	>       > Create Attestation Key: Pass
> 	>       > #####Ak_Handle 0x41836b
> 	>       >
> 	>       > Original Credential="deadbeefdeadbeefdead"
> 	>       >
> 	>       > Make Credential: Pass
> 	>       > #####Encrypted Credential Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
> 	>       >
> 	>       > #####Encrypted Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> 	>       > 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> 	>       > e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> 	>       > 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> 	>       > 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> 	>       > 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> 	>       > fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> 	>       > e1eb9fcc1759c184972779bfc"
> 	>       >
> 	>       > Activating Credential: Pass
> 	>       > #####Recovered Credential="deadbeefdeadbeefdead"
> 	>       >
> 	>       > [root]#
> 	>       >
> 	>       > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar
> 	> <rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com>
> <mailto:rahulhardikar(a)gmail.com <mailto:rahulhardikar(a)gmail.com> >
> 	>       > <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com>  <mailto:rahulhardikar(a)gmail.com
> <mailto:rahulhardikar(a)gmail.com> > >
> 	> > wrote:
> 	>       >
> 	>       >
> 	>       >       Thanks guys, I'll try this but  i also wanted to know if there is a
> way to
> 	>       > know if the TPM still has the EK and AK keys loaded? I have the EK
> 	> handle and AK
> 	>       > handle (not made it persistent) but I want to make sure it's
> present as
> 	> these are
> 	>       > necessary for ActivateCredential to succeed
> 	>       >       ESys_ActivateCredential complaining about secret parameter
> 	> doesn't
> 	>       > make sense to me, I tested on server side, ak_name is same as
> that
> 	> sent and so is
> 	>       > EK_PUB object as well as  EK_Cert in nvram, I call the same
> 	>       > external_makecredential call that's in the GitHub to create secret
> and
> 	> made sure
> 	>       > secret,credblob matches on the client side when received from
> server.
> 	>       >
> 	>       >       Thanks,
> 	>       >       Rahul
> 	>       >
> 	>       >       On Tue, Mar 17, 2020 at 6:19 AM Imran Desai
> 	> <imran.desai(a)intel.com <mailto:imran.desai(a)intel.com>
> <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com> >
> 	>       > <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com>
> <mailto:imran.desai(a)intel.com <mailto:imran.desai(a)intel.com> > > >
> 	> wrote:
> 	>       >
> 	>       >
> 	>       >               Set this up with all handles in use made persistent. If you
> still see
> 	>       > issues, gdb-break or turn on debug logging at the Esys call and
> compare
> 	> the
> 	>       > function arguments.
> 	>       >
> _______________________________________________
> 	>       >               tpm2 mailing list -- tpm2(a)lists.01.org
> <mailto:tpm2(a)lists.01.org>  <mailto:tpm2(a)lists.01.org
> <mailto:tpm2(a)lists.01.org> >
> 	> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org>
> <mailto:tpm2(a)lists.01.org <mailto:tpm2(a)lists.01.org> > >
> 	>       >               To unsubscribe send an email to tpm2-leave(a)lists.01.org
> <mailto:tpm2-leave(a)lists.01.org>
> 	> <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-leave(a)lists.01.org> >
> 	>       > <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-leave(a)lists.01.org>
> <mailto:tpm2-leave(a)lists.01.org <mailto:tpm2-leave(a)lists.01.org> > >
> 	>       >               %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> 	>       >
> 	>
> 	>
> 
> 


^ permalink raw reply	[flat|nested] 25+ messages in thread

* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-10 18:07 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-04-10 18:07 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 8218 bytes --]

Thanks Bill, trying that.
I did not get a debug build of tpm2_tss, isn't it all prebuilt? I will have to
see how to do it in poky.

On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:

>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> > Sent: Thursday, April 9, 2020 2:51 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com>
> > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Thanks Bill. I use this
> > Esys_Initialize( &ectx, NULL, NULL);
> >
> > so I'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
>
> This should do it for you:
> TSS2_RC
> Tss2_TctiLdr_Initialize (const char *nameConf,
>                          TSS2_TCTI_CONTEXT **context);
>
> Set nameConf to the string "tabrmd", that should give you a tcti pointer you can
> pass to Esys_Initialize()
>
> >
> >
> > If I need to debug Esys_ActivateCredential more, how can I do it, these APIs are
> > no longer standalone, I have integrated it in a bigger code base and added the
> > esys-tss2 and other libs in my poky build, so now it runs as a different process that
> > invokes this function, I can gdb into the process but I can't seem to gdb into
> > Esys_Activate..( )
>
> Did you build tpm2-tss with debug symbols?
> Add --enable-debug
>
> >
> >
> > Thanks,
> > Rahul
> >
> >
> >
> >
> > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> >
> >
> >       > -----Original Message-----
> >       > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> >       > Sent: Thursday, April 9, 2020 11:18 AM
> >       > To: Desai, Imran <imran.desai(a)intel.com>
> >       > Cc: tpm2(a)lists.01.org
> >       > Subject: [tpm2] Re: ESys_ActivateCredential
> >       >
> >       > How do I know if RM is being used?
> >
> >
> >       If you set the tcti to the device tcti, it will open /dev/tpm0 by default. And that won't
> >       be an RM. You can also give it an option. Esys_Initialize() takes a tcti as an option,
> >       NULL will cause it to use the default search behavior of the Tss2_TctiLdr, see:
> >
> >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> >       https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
> >
> >       You can use man locally if you prefer as well:
> >       man 3 Tss2_TctiLdr_Initialize
> >       man 7 tss2-tcti-device
> >       man 3 Tss2_Tcti_Device_Init
> >
> >       Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> >       has sample code in it.
> >
> >       If you're using the tools, it supports explicitly choosing the TCTI:
> >       https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
> >
> >       Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel resource manager.
> >
> >
> >       > When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay for
> >       > multi-thread
> >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> >       > load TCTI file: libtss2-tcti-default.so
> >       > libtss2-tcti-default.so
> >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> >       > load TCTI file: libtss2-tcti-tabrmd.so
> >       >
> >       > In my single threaded process, everything works so smoothly
> >       > [root]# ./tpm
> >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> >       > load TCTI file: libtss2-tcti-default.so
> >       > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> >       > load TCTI file: libtss2-tcti-tabrmd.so
> >       > ESYS Initialization: Pass
> >       >
> >       > Read TPM EK Certificate: Pass
> >       >
> >       > TPM EK Certificate Root-CA Verification: Pass
> >       >
> >       > Clear TPM State: Pass
> >       >
> >       > Created EK Primary object: Pass
> >       > #####Handle 0x418368
> >       >
> >       > Create Attestation Key: Pass
> >       > #####Ak_Handle 0x41836b
> >       >
> >       > Original Credential="deadbeefdeadbeefdead"
> >       >
> >       > Make Credential: Pass
> >       > #####Encrypted Credential
> >       > Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
> >       >
> >       > #####Encrypted
> >       > Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aece0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d830794775dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f1406612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687e1eb9fcc1759c184972779bfc"
> >       >
> >       > Activating Credential: Pass
> >       > #####Recovered Credential="deadbeefdeadbeefdead"
> >       >
> >       > [root]#
> >       >
> >       >
> >       >
> >       > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> >       >
> >       >
> >       >       Thanks guys, I'll try this but I also wanted to know if there is a way to
> >       >       know if the TPM still has the EK and AK keys loaded? I have the EK handle and AK
> >       >       handle (not made it persistent) but I want to make sure it's present as these are
> >       >       necessary for ActivateCredential to succeed
> >       >       ESys_ActivateCredential complaining about secret parameter doesn't
> >       >       make sense to me, I tested on server side, ak_name is same as that sent and so is
> >       >       EK_PUB object as well as EK_Cert in nvram, I call the same
> >       >       external_makecredential call that's in the GitHub to create secret and made sure
> >       >       secret,credblob matches on the client side when received from server.
> >       >
> >       >       Thanks,
> >       >       Rahul
> >       >
> >       >       On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
> >       >
> >       >
> >       >               Set this up with all handles in use made persistent. If you still see
> >       >               issues, gdb-break or turn on debug logging at the Esys call and compare the
> >       >               function arguments.
> >       >               _______________________________________________
> >       >               tpm2 mailing list -- tpm2(a)lists.01.org
> >       >               To unsubscribe send an email to tpm2-leave(a)lists.01.org
> >       >
> >
> >
>
>

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 13016 bytes --]

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-10 15:16 Roberts, William C
  0 siblings, 0 replies; 25+ messages in thread
From: Roberts, William C @ 2020-04-10 15:16 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 7003 bytes --]



> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> Sent: Thursday, April 9, 2020 2:51 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
> 
> Thanks Bill. I use this
> Esys_Initialize( &ectx, NULL, NULL);
> 
> so I'm assuming it would take the default libtss2-tcti-tabrmd.so.0.

This should do it for you:
TSS2_RC
Tss2_TctiLdr_Initialize (const char *nameConf,
                         TSS2_TCTI_CONTEXT **context);

Set nameConf to the string "tabrmd", that should give you a tcti pointer you can
pass to Esys_Initialize()

> 
> 
> If I need to debug Esys_ActivateCredential more, how can I do it, these APIs are
> no longer standalone, I have integrated it in a bigger code base and added the
> esys-tss2 and other libs in my poky build, so now it runs as a different process that
> invokes this function, I can gdb into the process but I can't seem to gdb into
> Esys_Activate..( )

Did you build tpm2-tss with debug symbols?
Add --enable-debug

> 
> 
> Thanks,
> Rahul
> 
> 
> 
> 
> On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 
> 
> 	> -----Original Message-----
> 	> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 	> Sent: Thursday, April 9, 2020 11:18 AM
> 	> To: Desai, Imran <imran.desai(a)intel.com>
> 	> Cc: tpm2(a)lists.01.org
> 	> Subject: [tpm2] Re: ESys_ActivateCredential
> 	>
> 	> How do I know if RM is being used?
> 
> 
> 	If you set the tcti to the device tcti, it will open /dev/tpm0 by default. And that won't
> 	be an RM. You can also give it an option. Esys_Initialize() takes a tcti as an option,
> 	NULL will cause it to use the default search behavior of the Tss2_TctiLdr, see:
> 
> 	https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> 	https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 	https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
> 
> 	You can use man locally if you prefer as well:
> 	man 3 Tss2_TctiLdr_Initialize
> 	man 7 tss2-tcti-device
> 	man 3 Tss2_Tcti_Device_Init
> 
> 	Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> 	has sample code in it.
> 
> 	If you're using the tools, it supports explicitly choosing the TCTI:
> 	https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
> 
> 	Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel resource manager.
> 
> 
> 	> When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay for
> 	> multi-thread
> 	> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> 	> load TCTI file: libtss2-tcti-default.so
> 	> libtss2-tcti-default.so
> 	> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> 	> load TCTI file: libtss2-tcti-tabrmd.so
> 	>
> 	> In my single threaded process, everything works so smoothly
> 	> [root]# ./tpm
> 	> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> 	> load TCTI file: libtss2-tcti-default.so
> 	> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> 	> load TCTI file: libtss2-tcti-tabrmd.so
> 	> ESYS Initialization: Pass
> 	>
> 	> Read TPM EK Certificate: Pass
> 	>
> 	> TPM EK Certificate Root-CA Verification: Pass
> 	>
> 	> Clear TPM State: Pass
> 	>
> 	> Created EK Primary object: Pass
> 	> #####Handle 0x418368
> 	>
> 	> Create Attestation Key: Pass
> 	> #####Ak_Handle 0x41836b
> 	>
> 	> Original Credential="deadbeefdeadbeefdead"
> 	>
> 	> Make Credential: Pass
> 	> #####Encrypted Credential
> 	> Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
> 	>
> 	> #####Encrypted
> 	> Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aece0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d830794775dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f1406612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687e1eb9fcc1759c184972779bfc"
> 	>
> 	> Activating Credential: Pass
> 	> #####Recovered Credential="deadbeefdeadbeefdead"
> 	>
> 	> [root]#
> 	>
> 	>
> 	>
> 	> On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 	>
> 	>
> 	>       Thanks guys, I'll try this but I also wanted to know if there is a way to
> 	>       know if the TPM still has the EK and AK keys loaded? I have the EK handle and AK
> 	>       handle (not made it persistent) but I want to make sure it's present as these are
> 	>       necessary for ActivateCredential to succeed
> 	>       ESys_ActivateCredential complaining about secret parameter doesn't
> 	>       make sense to me, I tested on server side, ak_name is same as that sent and so is
> 	>       EK_PUB object as well as EK_Cert in nvram, I call the same
> 	>       external_makecredential call that's in the GitHub to create secret and made sure
> 	>       secret,credblob matches on the client side when received from server.
> 	>
> 	>       Thanks,
> 	>       Rahul
> 	>
> 	>       On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
> 	>
> 	>
> 	>               Set this up with all handles in use made persistent. If you still see
> 	>               issues, gdb-break or turn on debug logging at the Esys call and compare the
> 	>               function arguments.
> 	>               _______________________________________________
> 	>               tpm2 mailing list -- tpm2(a)lists.01.org
> 	>               To unsubscribe send an email to tpm2-leave(a)lists.01.org
> 	>
> 
> 


^ permalink raw reply	[flat|nested] 25+ messages in thread

* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-09 19:50 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-04-09 19:50 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 5735 bytes --]

Thanks Bill. I use this
Esys_Initialize( &ectx, NULL, NULL);
so I'm assuming it would take the default libtss2-tcti-tabrmd.so.0.

If I need to debug Esys_ActivateCredential more, how can I do it, these
APIs are no longer standalone, I have integrated it in a bigger code base and
added the esys-tss2 and other libs in my poky build, so now it runs as a
different process that invokes this function, I can gdb into the process
but I can't seem to gdb into Esys_Activate..( )

Thanks,
Rahul


On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:

> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> > Sent: Thursday, April 9, 2020 11:18 AM
> > To: Desai, Imran <imran.desai(a)intel.com>
> > Cc: tpm2(a)lists.01.org
> > Subject: [tpm2] Re: ESys_ActivateCredential
> >
> > How do I know if RM is being used?
>
>
> If you set the tcti to the device tcti, it will open /dev/tpm0 by default. And that won't
> be an RM. You can also give it an option. Esys_Initialize() takes a tcti as an option,
> NULL will cause it to use the default search behavior of the Tss2_TctiLdr, see:
>
> https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in
>
> You can use man locally if you prefer as well:
> man 3 Tss2_TctiLdr_Initialize
> man 7 tss2-tcti-device
> man 3 Tss2_Tcti_Device_Init
>
> Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> has sample code in it.
>
> If you're using the tools, it supports explicitly choosing the TCTI:
> https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
>
> Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel resource manager.
>
>
> > When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay for
> > multi-thread
> > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> > load TCTI file: libtss2-tcti-default.so
> > libtss2-tcti-default.so
> > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> > load TCTI file: libtss2-tcti-tabrmd.so
> >
> > In my single threaded process, everything works so smoothly
> > [root]# ./tpm
> > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> > load TCTI file: libtss2-tcti-default.so
> > WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> > load TCTI file: libtss2-tcti-tabrmd.so
> > ESYS Initialization: Pass
> >
> > Read TPM EK Certificate: Pass
> >
> > TPM EK Certificate Root-CA Verification: Pass
> >
> > Clear TPM State: Pass
> >
> > Created EK Primary object: Pass
> > #####Handle 0x418368
> >
> > Create Attestation Key: Pass
> > #####Ak_Handle 0x41836b
> >
> > Original Credential="deadbeefdeadbeefdead"
> >
> > Make Credential: Pass
> > #####Encrypted Credential
> > Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
> >
> > #####Encrypted
> > Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aece0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d830794775dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f1406612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687e1eb9fcc1759c184972779bfc"
> >
> > Activating Credential: Pass
> > #####Recovered Credential="deadbeefdeadbeefdead"
> >
> > [root]#
> >
> >
> >
> > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> >
> >
> >       Thanks guys, I'll try this but I also wanted to know if there is a way to
> >       know if the TPM still has the EK and AK keys loaded? I have the EK handle and AK
> >       handle (not made it persistent) but I want to make sure it's present as these are
> >       necessary for ActivateCredential to succeed
> >       ESys_ActivateCredential complaining about secret parameter doesn't
> >       make sense to me, I tested on server side, ak_name is same as that sent and so is
> >       EK_PUB object as well as EK_Cert in nvram, I call the same
> >       external_makecredential call that's in the GitHub to create secret and made sure
> >       secret,credblob matches on the client side when received from server.
> >
> >       Thanks,
> >       Rahul
> >
> >       On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
> >
> >
> >               Set this up with all handles in use made persistent. If you still see
> >               issues, gdb-break or turn on debug logging at the Esys call and compare the
> >               function arguments.
> >               _______________________________________________
> >               tpm2 mailing list -- tpm2(a)lists.01.org
> >               To unsubscribe send an email to tpm2-leave(a)lists.01.org
> >
>
>

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 10263 bytes --]

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-09 17:23 Roberts, William C
  0 siblings, 0 replies; 25+ messages in thread
From: Roberts, William C @ 2020-04-09 17:23 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 4780 bytes --]

> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> Sent: Thursday, April 9, 2020 11:18 AM
> To: Desai, Imran <imran.desai(a)intel.com>
> Cc: tpm2(a)lists.01.org
> Subject: [tpm2] Re: ESys_ActivateCredential
> 
> How do I know if  RM is being used?


If you set the tcti to the device tcti, it will open /dev/tpm0 by default. And that won't
be an RM. You can also give it an option. Esys_Initialize() takes a tcti as an option,
NULL will cause it to use the default search behavior of the Tss2_TctiLdr, see:

https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-device.7.in

You can use man locally if you prefer as well:
man 3 Tss2_TctiLdr_Initialize
man 7 tss2-tcti-device
man 3 Tss2_Tcti_Device_Init

Note that https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
has sample code in it.

If you're using the tools, it supports explicitly choosing the TCTI:
https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md

Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel resource manager.


> When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay for
> multi-thread
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> load TCTI file: libtss2-tcti-default.so
> libtss2-tcti-default.so
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> load TCTI file: libtss2-tcti-tabrmd.so
> 
> In my single threaded process, everything works so smoothly
> [root]# ./tpm
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> load TCTI file: libtss2-tcti-default.so
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
> load TCTI file: libtss2-tcti-tabrmd.so
> ESYS Initialization: Pass
> 
> Read TPM EK Certificate: Pass
> 
> TPM EK Certificate Root-CA Verification: Pass
> 
> Clear TPM State: Pass
> 
> Created EK Primary object: Pass
> #####Handle 0x418368
> 
> Create Attestation Key: Pass
> #####Ak_Handle 0x41836b
> 
> Original Credential="deadbeefdeadbeefdead"
> 
> Make Credential: Pass
> #####Encrypted Credential
> Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
> 
> #####Encrypted
> Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aece0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d830794775dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f1406612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687e1eb9fcc1759c184972779bfc"
> 
> Activating Credential: Pass
> #####Recovered Credential="deadbeefdeadbeefdead"
> 
> [root]#
> 
> 
> 
> On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 
> 
> 	Thanks guys, I'll try this but I also wanted to know if there is a way to
> 	know if the TPM still has the EK and AK keys loaded? I have the EK handle and AK
> 	handle (not made it persistent) but I want to make sure it's present as these are
> 	necessary for ActivateCredential to succeed
> 	ESys_ActivateCredential complaining about secret parameter doesn't
> 	make sense to me, I tested on server side, ak_name is same as that sent and so is
> 	EK_PUB object as well as EK_Cert in nvram, I call the same
> 	external_makecredential call that's in the GitHub to create secret and made sure
> 	secret,credblob matches on the client side when received from server.
> 
> 	Thanks,
> 	Rahul
> 
> 	On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
> 
> 
> 		Set this up with all handles in use made persistent. If you still see
> 		issues, gdb-break or turn on debug logging at the Esys call and compare the
> 		function arguments.
> 		_______________________________________________
> 		tpm2 mailing list -- tpm2(a)lists.01.org
> 		To unsubscribe send an email to tpm2-leave(a)lists.01.org
> 


^ permalink raw reply	[flat|nested] 25+ messages in thread
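Added example (not from the thread and not tpm2-tss code): a small Python helper for the question Bill answers above, "How do I know if RM is being used?". It parses the name:config strings Tss2_TctiLdr_Initialize() accepts, applies the rules given in the reply (the device TCTI opens /dev/tpm0 by default, which is no RM; /dev/tpmrm0 is the in-kernel RM; tabrmd is the user-space RM daemon), and reads the ESYS warnings from a NULL-TCTI Esys_Initialize() to work out which default candidate the loader settled on. DEFAULT_CHAIN is an assumption about the tpm2-tss 2.x loader order and varies by release; SAMPLE_LOG is a constructed copy of the two warning lines quoted in the thread.

```python
"""Work out which TCTI, and so which resource manager (if any), an
Esys_Initialize() call ends up talking through.

Added example for this thread; not code from tpm2-tss.  Assumptions are
marked below."""
import re
from typing import List, Optional, Tuple

# Candidates tried, in order, when Esys_Initialize() is given a NULL TCTI.
# ASSUMPTION: this is the tpm2-tss 2.x loader order; it differs slightly
# between releases (swtpm is newer), so check Tss2_TctiLdr_Initialize(3)
# for the version you ship.
DEFAULT_CHAIN = [
    ("libtss2-tcti-default.so", ""),
    ("libtss2-tcti-tabrmd.so", ""),
    ("libtss2-tcti-device.so", "/dev/tpmrm0"),
    ("libtss2-tcti-device.so", "/dev/tpm0"),
    ("libtss2-tcti-swtpm.so", ""),
    ("libtss2-tcti-mssim.so", ""),
]

# Constructed sample log: the two warnings quoted in the thread, printed when
# the first two candidates cannot be dlopen()ed.
SAMPLE_LOG = """\
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
ESYS Initialization: Pass
"""

_WARN_RE = re.compile(r"Could not load TCTI file: (\S+)")


def parse_tcti_conf(conf: str) -> Tuple[str, str]:
    """Split a "name:config" string of the form Tss2_TctiLdr_Initialize()
    takes.  "device:/dev/tpmrm0" and "libtss2-tcti-device.so.0:/dev/tpmrm0"
    both give ("device", "/dev/tpmrm0"); a bare "tabrmd" gives ("tabrmd", "")."""
    name, _, config = conf.partition(":")
    name = re.sub(r"^libtss2-tcti-", "", name)
    name = re.sub(r"\.so(\.\d+)*$", "", name)
    return name, config


def uses_resource_manager(conf: str) -> Optional[bool]:
    """True if the TCTI goes through a resource manager, False if it talks to
    the raw TPM or a simulator directly, None if the name is unknown here.
    tabrmd is the user-space RM daemon; the device TCTI is an RM only via
    /dev/tpmrm<N> (the in-kernel RM) and, given no path, opens /dev/tpm0."""
    name, config = parse_tcti_conf(conf)
    if name == "tabrmd":
        return True
    if name == "device":
        path = config or "/dev/tpm0"  # documented default for the device TCTI
        return re.fullmatch(r"/dev/tpmrm\d+", path) is not None
    if name in ("mssim", "swtpm"):
        return False
    return None


def failed_default_tctis(log: str) -> List[str]:
    """Library names the default search reported as not loadable, in order."""
    return _WARN_RE.findall(log)


def resolved_default_tcti(log: str) -> Optional[str]:
    """From the warnings printed by Esys_Initialize(&ctx, NULL, NULL), name
    the first DEFAULT_CHAIN entry that was not reported as failed.  The
    loader stops at the first candidate that initialises, so when no further
    warning follows, this is the TCTI the process is really using.  Each
    warning consumes one chain entry, which matters because the device TCTI
    appears twice with different paths."""
    failed = failed_default_tctis(log)
    for lib, config in DEFAULT_CHAIN:
        if lib in failed:
            failed.remove(lib)
            continue
        name, _ = parse_tcti_conf(lib)
        return f"{name}:{config}" if config else name
    return None


if __name__ == "__main__":
    picked = resolved_default_tcti(SAMPLE_LOG)
    if picked:
        print(f"default search settled on: {picked}  (RM: {uses_resource_manager(picked)})")
    for conf in ("tabrmd", "device", "device:/dev/tpmrm0", "device:/dev/tpm0", "mssim"):
        print(f"{conf:20} -> resource manager: {uses_resource_manager(conf)}")
```

For the warnings in the thread the helper reports that the default search fell through to device:/dev/tpmrm0, i.e. the in-kernel resource manager, which is consistent with the single-threaded run succeeding. Passing an explicit string such as "tabrmd" or "device:/dev/tpmrm0" to Tss2_TctiLdr_Initialize() removes the guesswork entirely, and is the safer choice when each thread creates its own ESYS_CONTEXT.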

* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-09 16:17 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-04-09 16:17 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 3058 bytes --]

How do I know if RM is being used?
When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay for
multi-thread
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could
not load TCTI file: libtss2-tcti-default.so
libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could
not load TCTI file: libtss2-tcti-tabrmd.so

In my single threaded process, everything works so smoothly
[root]# ./tpm
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could
not load TCTI file: libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could
not load TCTI file: libtss2-tcti-tabrmd.so
ESYS Initialization: Pass

Read TPM EK Certificate: Pass

TPM EK Certificate Root-CA Verification: Pass

Clear TPM State: Pass

Created EK Primary object: Pass
#####Handle 0x418368

Create Attestation Key: Pass
#####Ak_Handle 0x41836b

Original Credential="deadbeefdeadbeefdead"

Make Credential: Pass
#####Encrypted Credential
Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"

#####Encrypted
Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aece0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d830794775dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f1406612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687e1eb9fcc1759c184972779bfc"

Activating Credential: Pass
#####Recovered Credential="deadbeefdeadbeefdead"

[root]#


On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:

> Thanks guys, I'll try this but I also wanted to know if there is a way to
> know if the TPM still has the EK and AK keys loaded? I have the EK handle
> and AK handle (not made it persistent) but I want to make sure it's present
> as these are necessary for ActivateCredential to succeed
> ESys_ActivateCredential complaining about secret parameter doesn't make
> sense to me, I tested on server side, ak_name is same as that sent and so
> is EK_PUB object as well as  EK_Cert in nvram, I call the same
> external_makecredential call that's in the GitHub to create secret and made
> sure secret,credblob matches on the client side when received from server.
>
> Thanks,
> Rahul
>
> On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
>
>> Set this up with all handles in use made persistent. If you still see
>> issues, gdb-break or turn on debug logging at the Esys call and compare the
>> function arguments.
>>
>


* [tpm2] Re: ESys_ActivateCredential
@ 2020-04-09  2:02 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-04-09  2:02 UTC (permalink / raw)
  To: tpm2


Thanks guys, I'll try this but I also wanted to know if there is a way to
know if the TPM still has the EK and AK keys loaded? I have the EK handle
and AK handle (not made persistent) but I want to make sure they're present,
as these are necessary for ActivateCredential to succeed.
ESys_ActivateCredential complaining about the secret parameter doesn't make
sense to me. I tested on the server side: ak_name is the same as that sent, and so
is the EK_PUB object as well as EK_Cert in NVRAM. I call the same
external_makecredential call that's in the GitHub to create the secret and made
sure secret and credblob match on the client side when received from the server.

Thanks,
Rahul

On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:

> Set this up with all handles in use made persistent. If you still see
> issues, gdb-break or turn on debug logging at the Esys call and compare the
> function arguments.
>


* [tpm2] Re: ESys_ActivateCredential
@ 2020-03-17 13:20 Imran Desai
  0 siblings, 0 replies; 25+ messages in thread
From: Imran Desai @ 2020-03-17 13:20 UTC (permalink / raw)
  To: tpm2


Set this up with all handles in use made persistent. If you still see issues, gdb-break or turn on debug logging at the Esys call and compare the function arguments.


* [tpm2] Re: ESys_ActivateCredential
@ 2020-03-17 13:06 Roberts, William C
  0 siblings, 0 replies; 25+ messages in thread
From: Roberts, William C @ 2020-03-17 13:06 UTC (permalink / raw)
  To: tpm2


> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> Sent: Monday, March 16, 2020 5:43 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: tpm2(a)lists.01.org
> Subject: Re: [tpm2] ESys_ActivateCredential
> 
> One last attempt... wondering if AK needs to be loaded in this case.
> Thread 1 in client: creates EK and AK and sends to server.
> Server creates credential externally, sends secret and credential blob.
> Thread 2 in client: calls ActivateCredential (it has access to the global
> ESYS_CONTEXT structures, ak_handles and ek_handles that thread 1 created).
> 
> Question: Are AK keys still present in the TPM? Will the ESAPI structures still work
> even after a few seconds or are they flushed?
> I'm trying to understand why, if I run all these methods in a single thread, it works!

They should work; all of this would work if done properly. The ESYS/TCTI contexts are
not thread safe IIUC, so you can't share them without locking or ensuring mutual exclusion.

If you're using an RM, it should just be seeing a connection from a process; it has no
idea if you have multiple threads, and thus doesn't care. Nothing will get flushed from
the TPM unless your application or an RM does it. So all the handles, etc. should remain
valid until one of those events occurs.

> 
> Thanks
> Rahul
> 
> On Fri, Mar 13, 2020 at 10:22 AM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 
> 	Any idea folks?
> 
> 	On Thu, Mar 12, 2020 at 5:52 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 
> 		I noticed the same changes when it's run as a single process: the
> 		remote attestation method works; the moment I move the make external
> 		credential part to the server I hit this issue.
> 		Wondering what could go wrong? Do the AK keys get flushed out?
> 		On the client side, I have the EKCERT and EK and AK keys loaded
> 		in the tpm2. I save the handle of EK and AK for future use when I receive the
> 		credential blob and secret, so basically I fork out a thread to send the data (and
> 		create EK/AK) and then fork another thread to handle the receive part, but
> 		EK/AK handles are global and saved and no other process touches the TPM!
> 
> 		Why would I get 0x2c4 in Esys_ActivateCredential() but it works
> 		perfectly fine when everything is run as one thread?
> 
> 		Thanks,
> 		Rahul
> 
> 		On Tue, Mar 10, 2020 at 4:22 PM Rahul Hardikar <rahulhardikar(a)gmail.com> wrote:
> 
> 			Thanks Bill.
> 			Wondering why this would fail. The external make credential API
> 			I have taken from the tss2 GitHub only; why would secret fail? When I
> 			ran all of this locally it worked; the moment I moved the make external credential
> 			to the server I'm hitting this?
> 			Can it be because of OpenSSL 1.1.0 required in tss2 and the
> 			1.0.2 version running on my server?
> 			Thanks
> 			Rahul
> 
> 			On Tue, Mar 10, 2020 at 3:36 PM Roberts, William C <william.c.roberts(a)intel.com> wrote:
> 
> 				The error codes encode a bunch of values, so you
> 				won't see that value via a straight grep.
> 
> 				But you can use tpm2_rc_decode from the tpm2-tools project, like so:
> 				$ tpm2_rc_decode 0x2c4
> 				tpm:parameter(2):value is out of range or is not correct for the contex
> 
> 				See the tools project:
> 				https://github.com/tpm2-software/tpm2-tools
> 
> 				Note that the commands specification will show
> 				you what parameter 2 is:
> 				https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf
> 
> 				Everything after the triple line starts the
> 				parameters, starting at index 1.
> 				So in this case the secret parameter is wrong.
> 
> 				Note that since TSS version 2.3.0 a software library was also added
> 				for converting these return codes to more human-understandable strings.
> 				The header file is here:
> 				https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_rc.h
> 
> 				and then you just link against libtss2-rc, just in
> 				case you needed this built into your program.
> 
> 				Bill
> 
> 				> -----Original Message-----
> 				> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> 				> Sent: Tuesday, March 10, 2020 5:02 PM
> 				> To: tpm2(a)lists.01.org
> 				> Subject: [tpm2] ESys_ActivateCredential
> 				>
> 				>
> 				> Hi All,
> 				> What does it mean when Esys_ActivateCredential returns 0x2c4? I don't see this
> 				> error defined anywhere.
> 				>
> 				> Thanks,
> 				> Rahul
> 



* [tpm2] Re: ESys_ActivateCredential
@ 2020-03-16 22:42 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-03-16 22:42 UTC (permalink / raw)
  To: tpm2


One last attempt... wondering if AK needs to be loaded in this case.
Thread 1 in client: creates EK and AK and sends to server.
Server creates credential externally, sends secret and credential blob.
Thread 2 in client: calls ActivateCredential (it has access to the global
ESYS_CONTEXT structures, ak_handles and ek_handles that thread 1 created).

Question: Are AK keys still present in the TPM? Will the ESAPI structures
still work even after a few seconds or are they flushed?
I'm trying to understand why, if I run all these methods in a single thread,
it works!

Thanks
Rahul

On Fri, Mar 13, 2020 at 10:22 AM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:

> Any idea folks?
>
> On Thu, Mar 12, 2020 at 5:52 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
> wrote:
>
>> I noticed the same changes when it's run as a single process: the remote
>> attestation method works; the moment I move the make external credential
>> part to the server I hit this issue.
>> Wondering what could go wrong? Do the AK keys get flushed out?
>> On the client side, I have the EKCERT and EK and AK keys loaded in the
>> tpm2. I save the handle of EK and AK for future use when I receive the
>> credential blob and secret, so basically I fork out a thread to send the
>> data (and create EK/AK) and then fork another thread to handle the
>> receive part, but EK/AK handles are global and saved and no other process
>> touches the TPM!
>>
>> Why would I get 0x2c4 in Esys_ActivateCredential() but it works perfectly
>> fine when everything is run as one thread?
>>
>> Thanks,
>> Rahul
>>
>> On Tue, Mar 10, 2020 at 4:22 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
>> wrote:
>>
>>> Thanks Bill.
>>> Wondering why this would fail. The external make credential API I have
>>> taken from the tss2 GitHub only; why would secret fail? When I ran all of this
>>> locally it worked; the moment I moved the make external credential to the
>>> server I'm hitting this?
>>> Can it be because of OpenSSL 1.1.0 required in tss2 and the 1.0.2 version
>>> running on my server?
>>> Thanks
>>> Rahul
>>>
>>> On Tue, Mar 10, 2020 at 3:36 PM Roberts, William C <
>>> william.c.roberts(a)intel.com> wrote:
>>>
>>>> The error codes encode a bunch of values, so you won't see that value
>>>> via a straight grep.
>>>>
>>>> But you can use tpm2_rc_decode from the tpm2-tools project, like so:
>>>> $ tpm2_rc_decode 0x2c4
>>>> tpm:parameter(2):value is out of range or is not correct for the contex
>>>>
>>>> See the tools project:
>>>> https://github.com/tpm2-software/tpm2-tools
>>>>
>>>> Note that the commands specification will show you what parameter 2 is:
>>>>
>>>> https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf
>>>>
>>>> Everything after the triple line starts the parameters starting at
>>>> index 1.
>>>> So in this case the secret parameter is wrong.
>>>>
>>>> Note that since TSS version 2.3.0 a software library was also added
>>>> for converting these return codes to more human-understandable strings.
>>>> The header file is here:
>>>>
>>>> https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_rc.h
>>>>
>>>> and then you just link against libtss2-rc, just in case you needed
>>>> this built into
>>>> your program.
>>>>
>>>> Bill
>>>>
>>>> > -----Original Message-----
>>>> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
>>>> > Sent: Tuesday, March 10, 2020 5:02 PM
>>>> > To: tpm2(a)lists.01.org
>>>> > Subject: [tpm2] ESys_ActivateCredential
>>>> >
>>>> >
>>>> > Hi All,
>>>> > What does it mean when Esys_ActivateCredential returns 0x2c4? I don't
>>>> see this
>>>> > error defined anywhere.
>>>> >
>>>> > Thanks,
>>>> > Rahul
>>>>
>>>


* [tpm2] Re: ESys_ActivateCredential
@ 2020-03-13 17:22 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-03-13 17:22 UTC (permalink / raw)
  To: tpm2


Any idea folks?

On Thu, Mar 12, 2020 at 5:52 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:

> I noticed the same changes when it's run as a single process: the remote
> attestation method works; the moment I move the make external credential
> part to the server I hit this issue.
> Wondering what could go wrong? Do the AK keys get flushed out?
> On the client side, I have the EKCERT and EK and AK keys loaded in the
> tpm2. I save the handle of EK and AK for future use when I receive the
> credential blob and secret, so basically I fork out a thread to send the
> data (and create EK/AK) and then fork another thread to handle the
> receive part, but EK/AK handles are global and saved and no other process
> touches the TPM!
>
> Why would I get 0x2c4 in Esys_ActivateCredential() but it works perfectly
> fine when everything is run as one thread?
>
> Thanks,
> Rahul
>
> On Tue, Mar 10, 2020 at 4:22 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
> wrote:
>
>> Thanks Bill.
>> Wondering why this would fail. The external make credential API I have
>> taken from the tss2 GitHub only; why would secret fail? When I ran all of this
>> locally it worked; the moment I moved the make external credential to the
>> server I'm hitting this?
>> Can it be because of OpenSSL 1.1.0 required in tss2 and the 1.0.2 version
>> running on my server?
>> Thanks
>> Rahul
>>
>> On Tue, Mar 10, 2020 at 3:36 PM Roberts, William C <
>> william.c.roberts(a)intel.com> wrote:
>>
>>> The error codes encode a bunch of values, so you won't see that value
>>> via a straight grep.
>>>
>>> But you can use tpm2_rc_decode from the tpm2-tools project, like so:
>>> $ tpm2_rc_decode 0x2c4
>>> tpm:parameter(2):value is out of range or is not correct for the contex
>>>
>>> See the tools project:
>>> https://github.com/tpm2-software/tpm2-tools
>>>
>>> Note that the commands specification will show you what parameter 2 is:
>>>
>>> https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf
>>>
>>> Everything after the triple line starts the parameters starting at index
>>> 1.
>>> So in this case the secret parameter is wrong.
>>>
>>> Note that since TSS version 2.3.0 a software library was also added
>>> for converting these return codes to more human-understandable strings.
>>> The header file is here:
>>>
>>> https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_rc.h
>>>
>>> and then you just link against libtss2-rc, just in case you needed this
>>> built into
>>> your program.
>>>
>>> Bill
>>>
>>> > -----Original Message-----
>>> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
>>> > Sent: Tuesday, March 10, 2020 5:02 PM
>>> > To: tpm2(a)lists.01.org
>>> > Subject: [tpm2] ESys_ActivateCredential
>>> >
>>> >
>>> > Hi All,
>>> > What does it mean when Esys_ActivateCredential returns 0x2c4? I don't
>>> see this
>>> > error defined anywhere.
>>> >
>>> > Thanks,
>>> > Rahul
>>>
>>


* [tpm2] Re: ESys_ActivateCredential
@ 2020-03-13  0:52 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-03-13  0:52 UTC (permalink / raw)
  To: tpm2


I noticed the same changes when it's run as a single process: the remote
attestation method works; the moment I move the make external credential
part to the server I hit this issue.
Wondering what could go wrong? Do the AK keys get flushed out?
On the client side, I have the EKCERT and EK and AK keys loaded in the
tpm2. I save the handle of EK and AK for future use when I receive the
credential blob and secret, so basically I fork out a thread to send the
data (and create EK/AK) and then fork another thread to handle the
receive part, but EK/AK handles are global and saved and no other process
touches the TPM!

Why would I get 0x2c4 in Esys_ActivateCredential() but it works perfectly
fine when everything is run as one thread?

Thanks,
Rahul

On Tue, Mar 10, 2020 at 4:22 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:

> Thanks Bill.
> Wondering why this would fail. The external make credential API I have
> taken from the tss2 GitHub only; why would secret fail? When I ran all of this
> locally it worked; the moment I moved the make external credential to the
> server I'm hitting this?
> Can it be because of OpenSSL 1.1.0 required in tss2 and the 1.0.2 version
> running on my server?
> Thanks
> Rahul
>
> On Tue, Mar 10, 2020 at 3:36 PM Roberts, William C <
> william.c.roberts(a)intel.com> wrote:
>
>> The error codes encode a bunch of values, so you won't see that value via
>> a straight grep.
>>
>> But you can use tpm2_rc_decode from the tpm2-tools project, like so:
>> $ tpm2_rc_decode 0x2c4
>> tpm:parameter(2):value is out of range or is not correct for the contex
>>
>> See the tools project:
>> https://github.com/tpm2-software/tpm2-tools
>>
>> Note that the commands specification will show you what parameter 2 is:
>>
>> https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf
>>
>> Everything after the triple line starts the parameters starting at index
>> 1.
>> So in this case the secret parameter is wrong.
>>
>> Note that since TSS version 2.3.0 a software library was also added
>> for converting these return codes to more human-understandable strings.
>> The header file is here:
>>
>> https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_rc.h
>>
>> and then you just link against libtss2-rc, just in case you needed this
>> built into
>> your program.
>>
>> Bill
>>
>> > -----Original Message-----
>> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
>> > Sent: Tuesday, March 10, 2020 5:02 PM
>> > To: tpm2(a)lists.01.org
>> > Subject: [tpm2] ESys_ActivateCredential
>> >
>> >
>> > Hi All,
>> > What does it mean when Esys_ActivateCredential returns 0x2c4? I don't
>> see this
>> > error defined anywhere.
>> >
>> > Thanks,
>> > Rahul
>>
>


* [tpm2] Re: ESys_ActivateCredential
@ 2020-03-10 23:22 Rahul Hardikar
  0 siblings, 0 replies; 25+ messages in thread
From: Rahul Hardikar @ 2020-03-10 23:22 UTC (permalink / raw)
  To: tpm2


Thanks Bill.
Wondering why this would fail. The external make credential API I have
taken from the tss2 GitHub only; why would secret fail? When I ran all of this
locally it worked; the moment I moved the make external credential to the
server I'm hitting this?
Can it be because of OpenSSL 1.1.0 required in tss2 and the 1.0.2 version
running on my server?
Thanks
Rahul

On Tue, Mar 10, 2020 at 3:36 PM Roberts, William C <
william.c.roberts(a)intel.com> wrote:

> The error codes encode a bunch of values, so you won't see that value via
> a straight grep.
>
> But you can use tpm2_rc_decode from the tpm2-tools project, like so:
> $ tpm2_rc_decode 0x2c4
> tpm:parameter(2):value is out of range or is not correct for the contex
>
> See the tools project:
> https://github.com/tpm2-software/tpm2-tools
>
> Note that the commands specification will show you what parameter 2 is:
>
> https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf
>
> Everything after the triple line starts the parameters starting at index 1.
> So in this case the secret parameter is wrong.
>
> Note that since TSS version 2.3.0 a software library was also added
> for converting these return codes to more human-understandable strings.
> The header file is here:
>
> https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_rc.h
>
> and then you just link against libtss2-rc, just in case you needed this
> built into
> your program.
>
> Bill
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> > Sent: Tuesday, March 10, 2020 5:02 PM
> > To: tpm2(a)lists.01.org
> > Subject: [tpm2] ESys_ActivateCredential
> >
> >
> > Hi All,
> > What does it mean when Esys_ActivateCredential returns 0x2c4? I don't
> see this
> > error defined anywhere.
> >
> > Thanks,
> > Rahul
>


* [tpm2] Re: ESys_ActivateCredential
@ 2020-03-10 22:36 Roberts, William C
  0 siblings, 0 replies; 25+ messages in thread
From: Roberts, William C @ 2020-03-10 22:36 UTC (permalink / raw)
  To: tpm2


The error codes encode a bunch of values, so you won't see that value via a straight grep.

But you can use tpm2_rc_decode from the tpm2-tools project, like so:
$ tpm2_rc_decode 0x2c4
tpm:parameter(2):value is out of range or is not correct for the contex

See the tools project:
https://github.com/tpm2-software/tpm2-tools

Note that the commands specification will show you what parameter 2 is:
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf

Everything after the triple line starts the parameters starting at index 1.
So in this case the secret parameter is wrong.

Note that since TSS version 2.3.0 a software library was also added
for converting these return codes to more human-understandable strings.
The header file is here:
https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_rc.h

and then you just link against libtss2-rc, just in case you needed this built into
your program.

Bill

> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar(a)gmail.com]
> Sent: Tuesday, March 10, 2020 5:02 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] ESys_ActivateCredential
> 
> 
> Hi All,
> What does it mean when Esys_ActivateCredential returns 0x2c4? I don't see this
> error defined anywhere.
> 
> Thanks,
> Rahul

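Bill's tpm2_rc_decode walk-through above, as an added example that is not tpm2-tools or tpm2-tss code: a decoder for the TSS2_RC bit layout that turns 0x2c4 into the same parameter(2) reading and, given the TPM2_ActivateCredential argument order from Part 3, names the rejected parameter. The layer numbers and error tables are a subset transcribed from tss2_common.h and the TPM 2.0 Part 2 response-code definitions, with descriptions paraphrased from the spec.

```python
# Added example, not code from tpm2-tools or tpm2-tss. Decodes a TSS2_RC the
# way tpm2_rc_decode reads it: layer byte first, then the TPM 2.0 format-0 /
# format-1 response-code fields. Tables are a subset of the spec values.

# Layer byte (bits 16-23) of a TSS2_RC, numbered as in tss2_common.h;
# layer 0 means the code came from the TPM itself.
LAYERS = {0: "tpm", 6: "fapi", 7: "esapi", 8: "sys", 9: "mu", 10: "tcti",
          11: "resmgr", 12: "resmgr_tpm"}

# Format-1 error numbers (low 6 bits, RC_FMT1 offsets) from TPM 2.0 Part 2.
FMT1_ERRORS = {
    0x02: "inconsistent attributes",
    0x03: "hash algorithm not supported or not appropriate",
    0x04: "value is out of range or is not correct for the context",
    0x0B: "the handle is not correct for the use",
    0x0E: "the authorization HMAC check failed and DA counter incremented",
    0x15: "structure is the wrong size",
    0x1B: "the signature is not valid",
    0x1C: "key fields are not compatible with the selected use",
    0x1D: "a policy check failed",
    0x1F: "integrity check failed",
    0x22: "authorization failure without DA implications",
}

# Format-0 codes (RC_VER1 = 0x100 errors, RC_WARN = 0x900 warnings).
FMT0_CODES = {
    0x100: "TPM not initialized by TPM2_Startup or already initialized",
    0x101: "commands not being accepted because of a TPM failure",
    0x103: "improper use of a sequence handle",
    0x902: "out of memory for object contexts",
    0x903: "out of memory for session contexts",
    0x909: "the command was canceled",
    0x921: "the TPM is in DA lockout mode",
    0x922: "the TPM was not able to start the command",
}

# TPM2_ActivateCredential argument order from TPM 2.0 Part 3: two handles,
# then the parameters that follow the "triple line", numbered from 1.
ACTIVATE_CREDENTIAL = {
    "handle": {1: "activateHandle", 2: "keyHandle"},
    "parameter": {1: "credentialBlob", 2: "secret"},
}


def decode_rc(rc, command=None):
    """Return a tpm2_rc_decode-style string for a TSS2_RC.

    command, if given, maps {"handle": {...}, "parameter": {...}} positions
    to argument names (e.g. ACTIVATE_CREDENTIAL) so the rejected field can
    be named alongside the position.
    """
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    if layer != 0:                       # TSS-side error, not a TPM code
        return "%s:0x%x" % (LAYERS.get(layer, "layer(%d)" % layer), code)
    if code == 0:
        return "tpm:success"
    if code & 0x80:                      # format 1: error tied to one argument
        err = code & 0x3F                # bits 0-5: error number
        n = (code >> 8) & 0xF            # bits 8-11: argument number
        if code & 0x40:                  # P bit set: N is a parameter index
            kind, num = "parameter", n
        elif n & 0x8:                    # bit 11 set: session, index in low 3 bits
            kind, num = "session", n & 0x7
        else:                            # otherwise a handle index
            kind, num = "handle", n & 0x7
        where = "%s(%d)" % (kind, num)
        if command and num in command.get(kind, {}):
            where += ":" + command[kind][num]
        return "tpm:%s:%s" % (where, FMT1_ERRORS.get(err, "error 0x%02x" % err))
    return "tpm:" + FMT0_CODES.get(code, "error 0x%03x" % code)
```

For the thread's 0x2c4, `decode_rc(0x2c4, ACTIVATE_CREDENTIAL)` reports parameter 2 as `secret`, matching Bill's reading of the Part 3 command layout.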

Thread overview: 25+ messages (download: mbox.gz / follow: Atom feed)
2020-04-16 17:34 [tpm2] Re: ESys_ActivateCredential Roberts, William C
2020-04-16 21:37 Roberts, William C
2020-04-16 19:08 Rahul Hardikar
2020-04-15 18:05 Rahul Hardikar
2020-04-15 15:25 Roberts, William C
2020-04-15 15:23 Roberts, William C
2020-04-13 23:54 Rahul Hardikar
2020-04-13 23:38 Rahul Hardikar
2020-04-13 19:31 Rahul Hardikar
2020-04-13 14:20 Roberts, William C
2020-04-10 21:15 Rahul Hardikar
2020-04-10 18:33 Roberts, William C
2020-04-10 18:07 Rahul Hardikar
2020-04-10 15:16 Roberts, William C
2020-04-09 19:50 Rahul Hardikar
2020-04-09 17:23 Roberts, William C
2020-04-09 16:17 Rahul Hardikar
2020-04-09  2:02 Rahul Hardikar
2020-03-17 13:20 Imran Desai
2020-03-17 13:06 Roberts, William C
2020-03-16 22:42 Rahul Hardikar
2020-03-13 17:22 Rahul Hardikar
2020-03-13  0:52 Rahul Hardikar
2020-03-10 23:22 Rahul Hardikar
2020-03-10 22:36 Roberts, William C
