From: Yasuhiro Hosoda <hosoda-yasuhiro at ntt-el.com>
To: tpm2@lists.01.org
Subject: [tpm2] tpm2-tss question
Date: Thu, 14 Dec 2017 15:58:57 +0900 [thread overview]
Message-ID: <52a6881d-5626-3dde-3ad0-2b06a1726502@ntt-el.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 2666 bytes --]
MY name is Yasuhiro Hosoda.
I am developing a program using TSS1.0(Nov1.2016).
I encountered a problem with PolicySecret error 0x98e and need help.
My program uses tpmtest.cpp as a base of development.
The situation is as follows:
1 Create TPM Keys like this.
EK
|--------
| |
MK AK
|
SK
2 Execute PolicySecret twice using HMAC session. At first, it ends
without error. Then it ends with 0x98e
For clarification, I print out the values of Virtual Handle and Real Handle.
The value of Virtual/Real Handles differ at 2nd excution of the command.
(See NO 25/26 Below)
I understand that the resource manager assigns Virtual Handle and my
program calculates HMAC using that handles.
On the other hand, TPM may calculate HMAC using Real Handle.
That is my hypothesis.
Any suggestion about the usage of Session Handle?
NO Command Virtual/Real Handle LOC
1. CreatePrimary(EK) real=80000000, virtual=80000000 8381
2. HierarchyChangeAuth1 8421
3. HierarchyChangeAuth2 8431
4. StartAuthSession(Policy) real=3000000, virtual=3000000 8480
5. PolicySecret(ENDORSEMENT) 8494
6. Create(MK) 8515
7. PolicySecret(ENDORSEMENT) 8529
8. Load(MK) real=80000001, virtual=80000001 8542
9. Evict(MK) 8552
10. Create(SK) 8590
11. Load(SK) real=80000001, virtual=80000002 8598
12. PolicySecret(ENDORSEMENT) 8609
13. Create(AK) 8635
14. PolicySecret(ENDORSEMENT) 8645
15. Load(AK) real=80000001, virtual=80000003 8655
16. FlushContext(POLICY) 8664
17. StartAuthSession(POLICY) real=3000000, virtual=3000000 8668
18. StartAuthSession(HMAC) real=2000001, virtual=2000001 8678
19. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706
20. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706
21. PolicySecret(SK) 8711
22. FlushContext(HMAC) 8717
23. FlushContext(POLICY) 8724
24. CertifyCreation(SK) 8738
25. StartAuthSession(POLICY) real=3000000, virtual=3000001 8745
26. StartAuthSession(HMAC) real=2000001, virtual=2000000 8754
27. ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782
28. ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782
29. PolicySecret(SK) 8789
The whole source program can be found here.
https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
Kind regards,
--
Yasuhiro Hosoda
NTT Electronics Corporation (NEL)
Security Support Project
next reply other threads:[~2017-12-14 6:58 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-14 6:58 Yasuhiro Hosoda [this message]
2017-12-26 17:30 [tpm2] tpm2-tss question Roberts, William C
2018-01-12 9:46 Yasuhiro Hosoda
2018-01-14 21:51 Roberts, William C
2018-01-18 14:43 Yasuhiro Hosoda
2018-01-18 18:11 Roberts, William C
2018-01-18 23:11 Yasuhiro Hosoda
2018-01-25 18:30 Roberts, William C
2018-01-29 22:37 Yasuhiro Hosoda
2018-02-08 13:26 Yasuhiro Hosoda
2018-02-28 22:54 Yasuhiro Hosoda
2018-04-11 6:11 Yasuhiro Hosoda
2018-04-11 6:26 Fuchs, Andreas
2018-04-11 8:38 Yasuhiro Hosoda
2018-04-11 11:18 Fuchs, Andreas
2018-07-23 4:44 Yasuhiro Hosoda
2018-10-24 5:03 Yasuhiro Hosoda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52a6881d-5626-3dde-3ad0-2b06a1726502@ntt-el.com \
--to=tpm2@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.