* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 16:43 Martin Townsend
From: Martin Townsend @ 2020-02-28 16:43 UTC (permalink / raw)
  To: tpm2


I have one more question, what is the ek.ctx file that is saved to the
disk? Is this the EK private key that is wrapped/encrypted by the
Owner Hierarchy's Primary Key?

On Fri, Feb 28, 2020 at 4:06 PM Martin Townsend <mtownsend1973(a)gmail.com> wrote:
>
> Yes it was defaulting to abrmd.  I read the links and can confirm if I
> use the device directly I get some transient objects :)
>
> tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx -T device:/dev/tpm0
> root(a)varsomam43-b1871a-elite[net-nfs-rw]:~# tpm2_getcap handles-transient -T device:/dev/tpm0
> - 0x80000000
> - 0x80000001
>
> So if you want to use transient objects with tpm2-tools don't use the
> resource manager.  Out of interest what are the advantages of the
> Resource Manager? Is there some documentation for it that I could
> read?
>
> On Fri, Feb 28, 2020 at 3:57 PM Rowan Moul <lists(a)rowan.moul.ca> wrote:
> >
> > Running any tool with the -v option will print out both the version of tpm2-tools that tool came from, and the TCTI that it is using.
> >
> > If you have the abrmd service running it should default to that.
> >
> > https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/options.md
> >
> > https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
> >
> >
> > Rowan
> >
> > On Feb 28, 2020, at 08:37, Martin Townsend <mtownsend1973(a)gmail.com> wrote:
> > > On Fri, Feb 28, 2020 at 2:45 PM Roberts, William C
> > > <william.c.roberts(a)intel.com> wrote:
> > > >
> > > > > -----Original Message-----
> > > > > From: Roberts, William C [mailto:william.c.roberts(a)intel.com]
> > > > > Sent: Friday, February 28, 2020 8:35 AM
> > > > > To: Martin Townsend <mtownsend1973(a)gmail.com>; tpm2(a)lists.01.org
> > > > > Subject: [tpm2] Re: tpm2_createek and transient EK problem
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Martin Townsend [mailto:mtownsend1973(a)gmail.com]
> > > > > > Sent: Friday, February 28, 2020 5:42 AM
> > > > > > To: tpm2(a)lists.01.org
> > > > > > Subject: [tpm2] tpm2_createek and transient EK problem
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I'm trying out the tpm2_createek tool and in the manual
> > > > > > https://github.com/tpm2-software/tpm2-
> > > > > > tools/blob/master/man/tpm2_createek.1.md
> > > > > >
> > > > > > It explains how to create a transient EK, I followed these
> > > > > > instructions but can't get them to work.  I've taken ownership of the
> > > > > > TPM and created a SRK.  I then ran the command as listed in the manual
> > > > > > page:
> > > > > >
> > > > > > tpm2_createek -G rsa -u ek.pub
> > > > > > ERROR: Expected option -c
> > > > > > Usage: tpm2_createek [<options>]
> > > > > > Where <options> are:
> > > > > >    [ -P | --eh-auth=<value>] [ -w | --owner-auth=<value>] [ -p |
> > > > > > --ek-auth=<value>] [ -G | --key-algorithm=<value>]
> > > > > >    [ -u | --public=<value>] [ -f | --format=<value>] [ -c |
> > > > > > --ek-context=<value>] [ -t | --template=<value>]
> > > > > >
> > > > > > So I added the -c to save the context to disk and provide the EH authorisation:
> > > > > >
> > > > > > tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx
> > > > > > echo $?
> > > > > > 0
> > > > > >
> > > > > > so it looks like it's succeeded but I then try to list the
> > > > > > transient objects with
> > > > > >
> > > > > > tpm2_getcap handles-transient
> > > > > >
> > > > > > and I get nothing.  The files have been created
> > > > >
> > > > > So a resource manager will flush all transient objects when the client disconnects.
> > > > > So in this case, when tpm2_createek exits, the RM flushes. This assumes you're
> > > > > using a resource manager (RM), like tpm2-abrmd or the in kernel RM
> > > > > /dev/tpmrm0.
> > > > >
> > > > > If you're not using an RM, and using the device directly (/dev/tpm0), I am not
> > > > > really sure why it wouldn't remain loaded.
> > > > >
> > > > > Once you have the transient EK in a context file, you can just pass that to any
> > > > > tools -c or -C option (depends on command and use). The tools will notice that
> > > > > you need to restore the object from the context file and perform a ContextLoad
> > > > > command.
> > > > >
> > > > > Typically, the EK is persisted at a specific handle, I thought it was in the PC client
> > > > > spec or Credential Profile EK spec:
> > > > > https://trustedcomputinggroup.org/wp-
> > > > > content/uploads/TCG_PC_Client_Platform_TPM_Profile_PTP_Specification_Fam
> > > > > ily_2.0_Revision_1.3v22.pdf
> > > > > https://trustedcomputinggroup.org/wp-
> > > > > content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf
> > > > >
> > > > > However, I can't find that handle, so perhaps I am misremembering, but you
> > > > > can persist it via the tpm2_evictcontrol command
> > > >
> > > > Ahh the provisioning guide has it in Table 2:
> > > > https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
> > > >
> > > > The EK should be persisted at: 0x81010001
> > > >
> > > > If you want to conform with the spec
> > >
> > > Hi William,
> > >
> > > Thank you for the reply, this is something I didn't know about the
> > > resource manager.  I'm fairly new to TPM so I'm on a bit of a steep
> > > learning curve.
> > >
> > > I have no idea if it's using a resource manager, there is an ABRMD process:
> > > tss        834     1  0 14:12 ?        00:00:00 /usr/sbin/tpm2-abrmd
> > > and there is also the kernel device
> > > ls -la /dev/tpmrm0
> > > crw-rw---- 1 tss tss 253, 65536 Sep 21 14:11 /dev/tpmrm0
> > >
> > > How would I know what the tools are using? Can I force it to not use a
> > > resource manager to see if the transient object is there?
> > >
> > > I have already tried the method of making the key persist and this
> > > works fine but thank you for the proper handle value, I was using
> > > 0x81010000 :)
> > > _______________________________________________
> > > tpm2 mailing list -- tpm2(a)lists.01.org
> > > To unsubscribe send an email to tpm2-leave(a)lists.01.org


* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-03-03  9:30 Martin Townsend
From: Martin Townsend @ 2020-03-03  9:30 UTC (permalink / raw)
  To: tpm2


On Mon, Mar 2, 2020 at 4:51 PM Roberts, William C
<william.c.roberts(a)intel.com> wrote:
>
>
>
> > -----Original Message-----
> > From: Tadeusz Struk [mailto:tadeusz.struk(a)intel.com]
> > Sent: Friday, February 28, 2020 10:51 AM
> > To: Martin Townsend <mtownsend1973(a)gmail.com>; Rowan Moul
> > <lists(a)rowan.moul.ca>
> > Cc: tpm2(a)lists.01.org
> > Subject: [tpm2] Re: tpm2_createek and transient EK problem
> >
> > On 2/28/20 8:06 AM, Martin Townsend wrote:
> > > So if you want to use transient objects with tpm2-tools don't use the
> > > resource manager.  Out of interest what are the advantages of the
>
> That's not really true. You can use a resource manager with transient objects just fine.
> The transient context file is saved and restored by the tools. So you just pass the ctx file whenever
> you need to use the object.
>
> You won't be able to run tpm2_getcap between tool invocations and see the transient
> handle loaded in the TPM, because the RM flushes it. But you can still use your context
> file for the life of the TPM boot. If you restart the TPM, then you need to call tpm2_load
> and get the context file again.
>

Got it. I've read up some more on context management and I think I now
understand.  I didn't appreciate that the context file is only valid for
the life of the TPM boot though, so thank you for the info.

> > > Resource Manager? Is there some documentation for it that I could
> > > read?
> > Here is the spec:
> > https://trustedcomputinggroup.org/wp-content/uploads/TSS-TAB-and-
> > Resource-Manager-ver1.0-rev16_Public_Review.pdf
> >
> > --
> > Tadeusz


* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-03-02 16:51 Roberts, William C
From: Roberts, William C @ 2020-03-02 16:51 UTC (permalink / raw)
  To: tpm2




> -----Original Message-----
> From: Tadeusz Struk [mailto:tadeusz.struk(a)intel.com]
> Sent: Friday, February 28, 2020 10:51 AM
> To: Martin Townsend <mtownsend1973(a)gmail.com>; Rowan Moul
> <lists(a)rowan.moul.ca>
> Cc: tpm2(a)lists.01.org
> Subject: [tpm2] Re: tpm2_createek and transient EK problem
> 
> On 2/28/20 8:06 AM, Martin Townsend wrote:
> > So if you want to use transient objects with tpm2-tools don't use the
> > resource manager.  Out of interest what are the advantages of the

That's not really true. You can use a resource manager with transient objects just fine.
The transient context file is saved and restored by the tools. So you just pass the ctx file whenever
you need to use the object.

You won't be able to run tpm2_getcap between tool invocations and see the transient
handle loaded in the TPM, because the RM flushes it. But you can still use your context
file for the life of the TPM boot. If you restart the TPM, then you need to call tpm2_load
and get the context file again.

> > Resource Manager? Is there some documentation for it that I could
> > read?
> Here is the spec:
> https://trustedcomputinggroup.org/wp-content/uploads/TSS-TAB-and-
> Resource-Manager-ver1.0-rev16_Public_Review.pdf
> 
> --
> Tadeusz


* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 16:51 Tadeusz Struk
From: Tadeusz Struk @ 2020-02-28 16:51 UTC (permalink / raw)
  To: tpm2


On 2/28/20 8:06 AM, Martin Townsend wrote:
> So if you want to use transient objects with tpm2-tools don't use the
> resource manager.  Out of interest what are the advantages of the
> Resource Manager? Is there some documentation for it that I could
> read?
Here is the spec:
https://trustedcomputinggroup.org/wp-content/uploads/TSS-TAB-and-Resource-Manager-ver1.0-rev16_Public_Review.pdf

-- 
Tadeusz


* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 16:06 Martin Townsend
From: Martin Townsend @ 2020-02-28 16:06 UTC (permalink / raw)
  To: tpm2


Yes it was defaulting to abrmd.  I read the links and can confirm if I
use the device directly I get some transient objects :)

tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx -T device:/dev/tpm0
root(a)varsomam43-b1871a-elite[net-nfs-rw]:~# tpm2_getcap handles-transient -T device:/dev/tpm0
- 0x80000000
- 0x80000001

So if you want to use transient objects with tpm2-tools don't use the
resource manager.  Out of interest what are the advantages of the
Resource Manager? Is there some documentation for it that I could
read?

On Fri, Feb 28, 2020 at 3:57 PM Rowan Moul <lists(a)rowan.moul.ca> wrote:
>
> Running any tool with the -v option will print out both the version of tpm2-tools that tool came from, and the TCTI that it is using.
>
> If you have the abrmd service running it should default to that.
>
> https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/options.md
>
> https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
>
>
> Rowan
>
> On Feb 28, 2020, at 08:37, Martin Townsend <mtownsend1973(a)gmail.com> wrote:
> > On Fri, Feb 28, 2020 at 2:45 PM Roberts, William C
> > <william.c.roberts(a)intel.com> wrote:
> > >
> > > > -----Original Message-----
> > > > From: Roberts, William C [mailto:william.c.roberts(a)intel.com]
> > > > Sent: Friday, February 28, 2020 8:35 AM
> > > > To: Martin Townsend <mtownsend1973(a)gmail.com>; tpm2(a)lists.01.org
> > > > Subject: [tpm2] Re: tpm2_createek and transient EK problem
> > > >
> > > > > -----Original Message-----
> > > > > From: Martin Townsend [mailto:mtownsend1973(a)gmail.com]
> > > > > Sent: Friday, February 28, 2020 5:42 AM
> > > > > To: tpm2(a)lists.01.org
> > > > > Subject: [tpm2] tpm2_createek and transient EK problem
> > > > >
> > > > > Hi,
> > > > >
> > > > > I'm trying out the tpm2_createek tool and in the manual
> > > > > https://github.com/tpm2-software/tpm2-
> > > > > tools/blob/master/man/tpm2_createek.1.md
> > > > >
> > > > > It explains how to create a transient EK, I followed these
> > > > > instructions but can't get them to work.  I've taken ownership of the
> > > > > TPM and created a SRK.  I then ran the command as listed in the manual
> > > > > page:
> > > > >
> > > > > tpm2_createek -G rsa -u ek.pub
> > > > > ERROR: Expected option -c
> > > > > Usage: tpm2_createek [<options>]
> > > > > Where <options> are:
> > > > >    [ -P | --eh-auth=<value>] [ -w | --owner-auth=<value>] [ -p |
> > > > > --ek-auth=<value>] [ -G | --key-algorithm=<value>]
> > > > >    [ -u | --public=<value>] [ -f | --format=<value>] [ -c |
> > > > > --ek-context=<value>] [ -t | --template=<value>]
> > > > >
> > > > > So I added the -c to save the context to disk and provide the EH authorisation:
> > > > >
> > > > > tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx
> > > > > echo $?
> > > > > 0
> > > > >
> > > > > so it looks like it's succeeded but I then try to list the
> > > > > transient objects with
> > > > >
> > > > > tpm2_getcap handles-transient
> > > > >
> > > > > and I get nothing.  The files have been created
> > > >
> > > > So a resource manager will flush all transient objects when the client disconnects.
> > > > So in this case, when tpm2_createek exits, the RM flushes. This assumes you're
> > > > using a resource manager (RM), like tpm2-abrmd or the in kernel RM
> > > > /dev/tpmrm0.
> > > >
> > > > If you're not using an RM, and using the device directly (/dev/tpm0), I am not
> > > > really sure why it wouldn't remain loaded.
> > > >
> > > > Once you have the transient EK in a context file, you can just pass that to any
> > > > tools -c or -C option (depends on command and use). The tools will notice that
> > > > you need to restore the object from the context file and perform a ContextLoad
> > > > command.
> > > >
> > > > Typically, the EK is persisted at a specific handle, I thought it was in the PC client
> > > > spec or Credential Profile EK spec:
> > > > https://trustedcomputinggroup.org/wp-
> > > > content/uploads/TCG_PC_Client_Platform_TPM_Profile_PTP_Specification_Fam
> > > > ily_2.0_Revision_1.3v22.pdf
> > > > https://trustedcomputinggroup.org/wp-
> > > > content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf
> > > >
> > > > However, I can't find that handle, so perhaps I am misremembering, but you
> > > > can persist it via the tpm2_evictcontrol command
> > >
> > > Ahh the provisioning guide has it in Table 2:
> > > https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
> > >
> > > The EK should be persisted at: 0x81010001
> > >
> > > If you want to conform with the spec
> >
> > Hi William,
> >
> > Thank you for the reply, this is something I didn't know about the
> > resource manager.  I'm fairly new to TPM so I'm on a bit of a steep
> > learning curve.
> >
> > I have no idea if it's using a resource manager, there is an ABRMD process:
> > tss        834     1  0 14:12 ?        00:00:00 /usr/sbin/tpm2-abrmd
> > and there is also the kernel device
> > ls -la /dev/tpmrm0
> > crw-rw---- 1 tss tss 253, 65536 Sep 21 14:11 /dev/tpmrm0
> >
> > How would I know what the tools are using? Can I force it to not use a
> > resource manager to see if the transient object is there?
> >
> > I have already tried the method of making the key persist and this
> > works fine but thank you for the proper handle value, I was using
> > 0x81010000 :)


* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 15:57 Rowan Moul
From: Rowan Moul @ 2020-02-28 15:57 UTC (permalink / raw)
  To: tpm2


Running any tool with the -v option will print out both the version of tpm2-tools that tool came from, and the TCTI that it is using.

If you have the abrmd service running it should default to that.

https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/options.md

https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md


Rowan

>> On Feb 28, 2020, at 08:37, Martin Townsend <mtownsend1973(a)gmail.com> wrote:
> On Fri, Feb 28, 2020 at 2:45 PM Roberts, William C
> <william.c.roberts(a)intel.com> wrote:
>> 
>> 
>> 
>>> -----Original Message-----
>>> From: Roberts, William C [mailto:william.c.roberts(a)intel.com]
>>> Sent: Friday, February 28, 2020 8:35 AM
>>> To: Martin Townsend <mtownsend1973(a)gmail.com>; tpm2(a)lists.01.org
>>> Subject: [tpm2] Re: tpm2_createek and transient EK problem
>>>> -----Original Message-----
>>>> From: Martin Townsend [mailto:mtownsend1973(a)gmail.com]
>>>> Sent: Friday, February 28, 2020 5:42 AM
>>>> To: tpm2(a)lists.01.org
>>>> Subject: [tpm2] tpm2_createek and transient EK problem
>>>> Hi,
>>>> I'm trying out the tpm2_createek tool and in the manual
>>>> https://github.com/tpm2-software/tpm2-
>>>> tools/blob/master/man/tpm2_createek.1.md
>>>> It explains how to create a transient EK, I followed these
>>>> instructions but can't get them to work.  I've taken ownership of the
>>>> TPM and created a SRK.  I then ran the command as listed in the manual
>>>> page:
>>>> tpm2_createek -G rsa -u ek.pub
>>>> ERROR: Expected option -c
>>>> Usage: tpm2_createek [<options>]
>>>> Where <options> are:
>>>>    [ -P | --eh-auth=<value>] [ -w | --owner-auth=<value>] [ -p |
>>>> --ek-auth=<value>] [ -G | --key-algorithm=<value>]
>>>>    [ -u | --public=<value>] [ -f | --format=<value>] [ -c |
>>>> --ek-context=<value>] [ -t | --template=<value>]
>>>> So I added the -c to save the context to disk and provide the EH authorisation:
>>>> tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx
>>>> echo $?
>>>> 0
>>>> so it looks like it's succeeded but I then try to list the
>>>> transient objects with
>>>> tpm2_getcap handles-transient
>>>> and I get nothing.  The files have been created
>>> So a resource manager will flush all transient objects when the client disconnects.
>>> So in this case, when tpm2_createek exits, the RM flushes. This assumes you're
>>> using a resource manager (RM), like tpm2-abrmd or the in kernel RM
>>> /dev/tpmrm0.
>>> If you're not using an RM, and using the device directly (/dev/tpm0), I am not
>>> really sure why it wouldn't remain loaded.
>>> Once you have the transient EK in a context file, you can just pass that to any
>>> tools -c or -C option (depends on command and use). The tools will notice that
>>> you need to restore the object from the context file and perform a ContextLoad
>>> command.
>>> Typically, the EK is persisted at a specific handle, I thought it was in the PC client
>>> spec or Credential Profile EK spec:
>>> https://trustedcomputinggroup.org/wp-
>>> content/uploads/TCG_PC_Client_Platform_TPM_Profile_PTP_Specification_Fam
>>> ily_2.0_Revision_1.3v22.pdf
>>> https://trustedcomputinggroup.org/wp-
>>> content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf
>>> However, I can't find that handle, so perhaps I am misremembering, but you
>>> can persist it via the tpm2_evictcontrol command
>> 
>> Ahh the provisioning guide has it in Table 2:
>> https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
>> 
>> The EK should be persisted at: 0x81010001
>> 
>> If you want to conform with the spec
> 
> Hi William,
> 
> Thank you for the reply, this is something I didn't know about the
> resource manager.  I'm fairly new to TPM so I'm on a bit of a steep
> learning curve.
> 
> I have no idea if it's using a resource manager, there is an ABRMD process:
> tss        834     1  0 14:12 ?        00:00:00 /usr/sbin/tpm2-abrmd
> and there is also the kernel device
> ls -la /dev/tpmrm0
> crw-rw---- 1 tss tss 253, 65536 Sep 21 14:11 /dev/tpmrm0
> 
> How would I know what the tools are using? Can I force it to not use a
> resource manager to see if the transient object is there?
> 
> I have already tried the method of making the key persist and this
> works fine but thank you for the proper handle value, I was using
> 0x81010000 :)

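Added example (my own, not code from the thread or from the tpm2-tools project) tying together the points made in this thread: Rowan's note that any tool run with -v reports the TCTI in use, William's explanation that a resource manager flushes transient objects when the client exits while the context file keeps working until the TPM restarts, and the persistent EK handle 0x81010001 he quotes from the TCG provisioning guidance. Assumed and not taken from the thread: tpm2-tools 4.x option syntax for tpm2_evictcontrol (-C o for the owner hierarchy, -P for its auth, -c for the object context, handle as positional argument) and for `tpm2_getcap handles-persistent`; the environment variables EH_AUTH, OWNER_AUTH and TCTI_KIND; and the TPM 2.0 handle-type byte (0x80 transient, 0x81 persistent). The sample getcap listing is constructed from the two handles Martin posted.

```shell
#!/bin/sh
# Added example, not from the thread or tpm2-tools. Helpers are pure shell and
# run anywhere; the live provisioning steps only run with --run on a TPM host.

EK_HANDLE=0x81010001                    # from the thread (TCG provisioning guidance, Table 2)
EH_AUTH="${EH_AUTH:-replace-me}"        # endorsement hierarchy auth (placeholder, assumed variable)
OWNER_AUTH="${OWNER_AUTH:-replace-me}"  # owner hierarchy auth (placeholder, assumed variable)
TCTI_KIND="${TCTI_KIND:-abrmd}"         # "device" when talking to /dev/tpm0 directly (assumed variable)

# Constructed sample: the listing Martin saw from
# `tpm2_getcap handles-transient -T device:/dev/tpm0`.
SAMPLE_TRANSIENT_OUTPUT='- 0x80000000
- 0x80000001'

# Classify a handle by its type byte (assumption from the TPM 2.0 library spec):
# transient objects (0x80......) are flushed by an RM when the client
# disconnects; persistent objects (0x81......) survive reboot.
classify_handle() {
    case "$1" in
        0x80*) echo transient ;;
        0x81*) echo persistent ;;
        *)     echo other ;;
    esac
}

# Succeed if handle $1 appears in the tpm2_getcap list output passed as $2
# (one "- 0x........" line per handle).
handle_listed() {
    printf '%s\n' "$2" | grep -qi -- "^- $1\$"
}

# Interpret a `tpm2_getcap handles-transient` listing ($2) for the TCTI kind
# in $1. Under an RM an empty listing right after tpm2_createek is expected:
# the object was flushed on exit, but ek.ctx still restores it until the TPM
# restarts. Talking to /dev/tpm0 directly, an empty listing means the EK
# really is not loaded.
explain_listing() {
    if [ -z "$2" ]; then
        case "$1" in
            device) echo "EK not loaded" ;;
            *)      echo "flushed by RM, use ek.ctx" ;;
        esac
    else
        echo "$(printf '%s\n' "$2" | grep -c '^- 0x80') transient object(s) loaded"
    fi
}

# Live procedure against a real TPM (needs tpm2-tools on the host).
provision_ek() {
    tpm2_getcap -v                 # -v prints the tool version and the TCTI in use
    tpm2_createek -G rsa -u ek.pub -c ek.ctx -P "$EH_AUTH"
    listing=$(tpm2_getcap handles-transient)
    explain_listing "$TCTI_KIND" "$listing"
    # Persist the EK from its context file at the spec handle so it outlives the
    # RM flush and a TPM restart (assumed 4.x syntax, see comment at top).
    tpm2_evictcontrol -C o -P "$OWNER_AUTH" -c ek.ctx "$EK_HANDLE"
    listing=$(tpm2_getcap handles-persistent)
    handle_listed "$EK_HANDLE" "$listing" && echo "EK persisted at $EK_HANDLE"
}

[ "${1:-}" != "--run" ] || provision_ek
```

Run it as `sh ek_provision.sh --run` on the host with the two auth variables exported; without `--run` it only defines the helpers. The point the helpers make explicit is the one Martin tripped over: with tpm2-abrmd or /dev/tpmrm0 in the path, an empty transient listing after tpm2_createek is the normal outcome, and the durable options are the context file (for the life of the TPM boot) or the persistent handle.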


* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 15:52 Martin Townsend
From: Martin Townsend @ 2020-02-28 15:52 UTC (permalink / raw)
  To: tpm2


On Fri, Feb 28, 2020 at 3:46 PM Rowan Moul <lists(a)rowan.moul.ca> wrote:
>
> I think William’s response about the resource manager flushing transient handles is more in-line with the behaviour you are seeing so his suggestions there should help solve this specific issue.
>
> But I will point out that tpm2_takeownership was removed in tpm2-tools 4.0.0. In that same version, tpm2_createek was added so if you have both those tools available at the same time I think you might have multiple versions installed and that could cause you issues going forward.
> And yes you are correct the Owner Hierarchy is the same as the Storage Hierarchy. The first term is more correct, while the second (I think) is used to draw comparison with tpm 1.2, for those familiar, which only had one hierarchy.
>
> Rowan
>
> >>> On Feb 28, 2020, at 08:26, Martin Townsend <mtownsend1973(a)gmail.com> wrote:
> >> On Fri, Feb 28, 2020 at 2:39 PM Roberts, William C
> >> <william.c.roberts(a)intel.com> wrote:
> >>> -----Original Message-----
> >>> From: Rowan Moul [mailto:lists(a)rowan.moul.ca]
> >>> Sent: Friday, February 28, 2020 8:34 AM
> >>> To: Martin Townsend <mtownsend1973(a)gmail.com>
> >>> Cc: tpm2(a)lists.01.org
> >>> Subject: [tpm2] Re: tpm2_createek and transient EK problem
> >>> Hi Martin,
> >>> What version of the tools are you using?
> >>> Also, just to clarify terminology, when you say that you “took ownership of the
> >>> tpm and created an SRK” what do you mean? That sounds a lot like tpm 1.2 which
> >>> is not compatible with this toolset.
> >> You can still do the same with TPM 2.0, the steps are just slightly different and the SRK
> >> could be of a different key type.
> >>> Rowan
> >>>> On Feb 28, 2020, at 04:42, Martin Townsend <mtownsend1973(a)gmail.com>
> >>> wrote:
> >>>> Hi,
> >>>> I'm trying out the tpm2_createek tool and in the manual
> >>>> https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_creat
> >>>> eek.1.md
> >>>> It explains how to create a transient EK, I followed these
> >>>> instructions but can't get them to work.  I've taken ownership of the
> >>>> TPM and created a SRK.  I then ran the command as listed in the manual
> >>>> page:
> >>>> tpm2_createek -G rsa -u ek.pub
> >>>> ERROR: Expected option -c
> >>>> Usage: tpm2_createek [<options>]
> >>>> Where <options> are:
> >>>> [ -P | --eh-auth=<value>] [ -w | --owner-auth=<value>] [ -p |
> >>>> --ek-auth=<value>] [ -G | --key-algorithm=<value>]
> >>>> [ -u | --public=<value>] [ -f | --format=<value>] [ -c |
> >>>> --ek-context=<value>] [ -t | --template=<value>]
> >>>> So I added the -c to save the context to disk and provide the EH authorisation:
> >>>> tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx
> >>>> echo $?
> >>>> 0
> >>>> so it looks like it's succeeded but I then try to list the
> >>>> transient objects with
> >>>> tpm2_getcap handles-transient
> >>>> and I get nothing.  The files have been created
> >>>> ls -la ek*
> >>>> -rw-r--r-- 1 root root 1287 Feb 28  2020 ek.ctx
> >>>> -rw-r--r-- 1 root root  316 Feb 28  2020 ek.pub
> >>>> Any ideas as to why this is not working for me, do I need to perform
> >>>> some other step first?
> >>>> Many Thanks,
> >>>> Martin.
> >
> > Thanks for the replies.
> >
> > I'm using the latest releases I think
> > tpm2-tools = 4.1.1
> > tpm2-tss = 2.3.2
> > tpm2-abrmd = 2.3.0
> >
> > I've not used 1.2 so apologies for any confusion with terminology. By
> > taking ownership I mean running tpm2_takeownership and by creating SRK
> > I mean creating a primary key for the Storage Hierarchy with
> > tpm2_createprimary -C owner ... I get confused with the naming for
> > this hierarchy as sometimes I see it referred to as Storage Hierarchy
> > and other times Owner Hierarchy, I take it they are the same thing.
>

Ah, I was using 4.0.0 and have just moved over to 4.1.1 to see if the
transient EK would work with this version.  You are right, tpm2_takeownership
is no longer there.  Looks like it's been renamed to tpm2_changeauth, I shall
port my script over to using this.

Thanks for clarifying about Storage/Owner, I'll try and stick to Owner
from now on :)


* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 15:46 Rowan Moul
From: Rowan Moul @ 2020-02-28 15:46 UTC (permalink / raw)
  To: tpm2


I think William’s response about the resource manager flushing transient handles is more in-line with the behaviour you are seeing so his suggestions there should help solve this specific issue.

But I will point out that tpm2_takeownership was removed in tpm2-tools 4.0.0. In that same version, tpm2_createek was added so if you have both those tools available at the same time I think you might have multiple versions installed and that could cause you issues going forward.
And yes you are correct the Owner Hierarchy is the same as the Storage Hierarchy. The first term is more correct, while the second (I think) is used to draw comparison with tpm 1.2, for those familiar, which only had one hierarchy.

Rowan

>>> On Feb 28, 2020, at 08:26, Martin Townsend <mtownsend1973(a)gmail.com> wrote:
>> On Fri, Feb 28, 2020 at 2:39 PM Roberts, William C
>> <william.c.roberts(a)intel.com> wrote:
>>> -----Original Message-----
>>> From: Rowan Moul [mailto:lists(a)rowan.moul.ca]
>>> Sent: Friday, February 28, 2020 8:34 AM
>>> To: Martin Townsend <mtownsend1973(a)gmail.com>
>>> Cc: tpm2(a)lists.01.org
>>> Subject: [tpm2] Re: tpm2_createek and transient EK problem
>>> Hi Martin,
>>> What version of the tools are you using?
>>> Also, just to clarify terminology, when you say that you “took ownership of the
>>> tpm and created an SRK” what do you mean? That sounds a lot like tpm 1.2 which
>>> is not compatible with this toolset.
>> You can still do the same with TPM 2.0, the steps are just slightly different and the SRK
>> could be of a different key type.
>>> Rowan
>>>> On Feb 28, 2020, at 04:42, Martin Townsend <mtownsend1973(a)gmail.com>
>>> wrote:
>>>> Hi,
>>>> I'm trying out the tpm2_createek tool and in the manual
>>>> https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_creat
>>>> eek.1.md
>>>> It explains how to create a transient EK, I followed these
>>>> instructions but can't get them to work.  I've taken ownership of the
>>>> TPM and created a SRK.  I then ran the command as listed in the manual
>>>> page:
>>>> tpm2_createek -G rsa -u ek.pub
>>>> ERROR: Expected option -c
>>>> Usage: tpm2_createek [<options>]
>>>> Where <options> are:
>>>> [ -P | --eh-auth=<value>] [ -w | --owner-auth=<value>] [ -p |
>>>> --ek-auth=<value>] [ -G | --key-algorithm=<value>]
>>>> [ -u | --public=<value>] [ -f | --format=<value>] [ -c |
>>>> --ek-context=<value>] [ -t | --template=<value>]
>>>> So I added the -c to save the context to disk and provide the EH authorisation:
>>>> tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx
>>>> echo $?
>>>> 0
>>>> so it looks like it's succeeded but I then try to list the
>>>> transient objects with
>>>> tpm2_getcap handles-transient
>>>> and I get nothing.  The files have been created
>>>> ls -la ek*
>>>> -rw-r--r-- 1 root root 1287 Feb 28  2020 ek.ctx
>>>> -rw-r--r-- 1 root root  316 Feb 28  2020 ek.pub
>>>> Any ideas as to why this is not working for me, do I need to perform
>>>> some other step first?
>>>> Many Thanks,
>>>> Martin.
> 
> Thanks for the replies.
> 
> I'm using the latest releases I think
> tpm2-tools = 4.1.1
> tpm2-tss = 2.3.2
> tpm2-abrmd = 2.3.0
> 
> I've not used 1.2 so apologies for any confusion with terminology. By
> taking ownership I mean running tpm2_takeownership and by creating SRK
> I mean creating a primary key for the Storage Hierarchy with
> tpm2_createprimary -C owner ... I get confused with the naming for
> this hierarchy as sometimes I see it referred to as Storage Hierarchy
> and other times Owner Hierarchy, I take it they are the same thing.


* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 15:36 Martin Townsend
From: Martin Townsend @ 2020-02-28 15:36 UTC (permalink / raw)
  To: tpm2


On Fri, Feb 28, 2020 at 2:45 PM Roberts, William C
<william.c.roberts(a)intel.com> wrote:
>
>
>
> > -----Original Message-----
> > From: Roberts, William C [mailto:william.c.roberts(a)intel.com]
> > Sent: Friday, February 28, 2020 8:35 AM
> > To: Martin Townsend <mtownsend1973(a)gmail.com>; tpm2(a)lists.01.org
> > Subject: [tpm2] Re: tpm2_createek and transient EK problem
> >
> >
> >
> > > -----Original Message-----
> > > From: Martin Townsend [mailto:mtownsend1973(a)gmail.com]
> > > Sent: Friday, February 28, 2020 5:42 AM
> > > To: tpm2(a)lists.01.org
> > > Subject: [tpm2] tpm2_createek and transient EK problem
> > >
> > > Hi,
> > >
> > > I'm trying out the tpm2_createek tool and in the manual
> > > https://github.com/tpm2-software/tpm2-
> > > tools/blob/master/man/tpm2_createek.1.md
> > >
> > > It explains how to create a transient EK, I followed these
> > > instructions but can't get them to work.  I've taken ownership of the
> > > TPM and created a SRK.  I then ran the command as listed in the manual
> > > page:
> > >
> > > tpm2_createek -G rsa -u ek.pub
> > > ERROR: Expected option -c
> > > Usage: tpm2_createek [<options>]
> > > Where <options> are:
> > >     [ -P | --eh-auth=<value>] [ -w | --owner-auth=<value>] [ -p |
> > > --ek-auth=<value>] [ -G | --key-algorithm=<value>]
> > >     [ -u | --public=<value>] [ -f | --format=<value>] [ -c |
> > > --ek-context=<value>] [ -t | --template=<value>]
> > >
> > > So I added the -c to save the context to disk and provide the EH authorisation:
> > >
> > > tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx
> > > echo $?
> > > 0
> > >
> > > so it looks like it's succeeded but I then try to list the
> > > transient objects with
> > >
> > > tpm2_getcap handles-transient
> > >
> > > and I get nothing.  The files have been created
> >
> > So a resource manager will flush all transient objects when the client disconnects.
> > So in this case, when tpm2_createek exits, the RM flushes. This assumes you're
> > using a resource manager (RM), like tpm2-abrmd or the in-kernel RM
> > /dev/tpmrm0.
> >
> > If you're not using an RM, and using the device directly (/dev/tpm0), I am not
> > really sure why it wouldn't remain loaded.
> >
> > Once you have the transient EK in a context file, you can just pass that to any
> > tools -c or -C option (depends on command and use). The tools will notice that
> > you need to restore the object from the context file and perform a ContextLoad
> > command.
> >
> > Typically, the EK is persisted at a specific handle, I thought it was in the PC client
> > spec or Credential Profile EK spec:
> > https://trustedcomputinggroup.org/wp-content/uploads/TCG_PC_Client_Platform_TPM_Profile_PTP_Specification_Family_2.0_Revision_1.3v22.pdf
> > https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf
> >
> > However, I can't find that handle, so perhaps I am misremembering, but you
> > can persist it via the tpm2_evictcontrol command
> >
>
> Ahh the provisioning guide has it in Table 2:
> https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
>
> The EK should be persisted at: 0x81010001
>
> If you want to conform with the spec
>
>
>
>

Hi William,

Thank you for the reply, this is something I didn't know about the
resource manager.  I'm fairly new to TPM so I'm on a bit of a steep
learning curve.

I have no idea if it's using a resource manager, there is an ABRMD process:
tss        834     1  0 14:12 ?        00:00:00 /usr/sbin/tpm2-abrmd
and there is also the kernel device
ls -la /dev/tpmrm0
crw-rw---- 1 tss tss 253, 65536 Sep 21 14:11 /dev/tpmrm0

How would I know what the tools are using? Can I force it to not use a
resource manager to see if the transient object is there?

I have already tried the method of making the key persist and this
works fine but thank you for the proper handle value, I was using
0x81010000 :)


* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 15:25 Martin Townsend
  0 siblings, 0 replies; 14+ messages in thread
From: Martin Townsend @ 2020-02-28 15:25 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 3400 bytes --]

On Fri, Feb 28, 2020 at 2:39 PM Roberts, William C
<william.c.roberts(a)intel.com> wrote:
>
>
>
> > -----Original Message-----
> > From: Rowan Moul [mailto:lists(a)rowan.moul.ca]
> > Sent: Friday, February 28, 2020 8:34 AM
> > To: Martin Townsend <mtownsend1973(a)gmail.com>
> > Cc: tpm2(a)lists.01.org
> > Subject: [tpm2] Re: tpm2_createek and transient EK problem
> >
> > Hi Martin,
> > What version of the tools are you using?
> >
> > Also, just to clarify terminology, when you say that you “took ownership of the
> > tpm and created an SRK” what do you mean? That sounds a lot like tpm 1.2 which
> > is not compatible with this toolset.
>
> You can still do the same with TPM 2.0, the steps are just slightly different and the SRK
> could be of a different key type.
>
> >
> > Rowan
> >
> > > On Feb 28, 2020, at 04:42, Martin Townsend <mtownsend1973(a)gmail.com>
> > wrote:
> > >
> > > Hi,
> > >
> > > I'm trying out the tpm2_createek tool and in the manual
> > > https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_createek.1.md
> > >
> > > It explains how to create a transient EK, I followed these
> > > instructions but can't get them to work.  I've taken ownership of the
> > > TPM and created a SRK.  I then ran the command as listed in the manual
> > > page:
> > >
> > > tpm2_createek -G rsa -u ek.pub
> > > ERROR: Expected option -c
> > > Usage: tpm2_createek [<options>]
> > > Where <options> are:
> > >   [ -P | --eh-auth=<value>] [ -w | --owner-auth=<value>] [ -p |
> > > --ek-auth=<value>] [ -G | --key-algorithm=<value>]
> > >   [ -u | --public=<value>] [ -f | --format=<value>] [ -c |
> > > --ek-context=<value>] [ -t | --template=<value>]
> > >
> > > So I added the -c to save the context to disk and provide the EH authorisation:
> > >
> > > tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx
> > > echo $?
> > > 0
> > >
> > > so it looks like it's succeeded but I then try to list the
> > > transient objects with
> > >
> > > tpm2_getcap handles-transient
> > >
> > > and I get nothing.  The files have been created
> > >
> > > ls -la ek*
> > > -rw-r--r-- 1 root root 1287 Feb 28  2020 ek.ctx
> > > -rw-r--r-- 1 root root  316 Feb 28  2020 ek.pub
> > >
> > > Any ideas as to why this is not working for me, do I need to perform
> > > some other step first?
> > >
> > > Many Thanks,
> > > Martin.

Thanks for the replies.

I'm using the latest releases I think
tpm2-tools = 4.1.1
tpm2-tss = 2.3.2
tpm2-abrmd = 2.3.0

I've not used 1.2 so apologies for any confusion with terminology. By
taking ownership I mean running tpm2_takeownership and by creating SRK
I mean creating a primary key for the Storage Hierarchy with
tpm2_createprimary -C owner ... I get confused with the naming for
this hierarchy as sometimes I see it referred to as Storage Hierarchy
and other times Owner Hierarchy, I take it they are the same thing.


* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 14:45 Roberts, William C
  0 siblings, 0 replies; 14+ messages in thread
From: Roberts, William C @ 2020-02-28 14:45 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 3095 bytes --]



> -----Original Message-----
> From: Roberts, William C [mailto:william.c.roberts(a)intel.com]
> Sent: Friday, February 28, 2020 8:35 AM
> To: Martin Townsend <mtownsend1973(a)gmail.com>; tpm2(a)lists.01.org
> Subject: [tpm2] Re: tpm2_createek and transient EK problem
> 
> 
> 
> > -----Original Message-----
> > From: Martin Townsend [mailto:mtownsend1973(a)gmail.com]
> > Sent: Friday, February 28, 2020 5:42 AM
> > To: tpm2(a)lists.01.org
> > Subject: [tpm2] tpm2_createek and transient EK problem
> >
> > Hi,
> >
> > I'm trying out the tpm2_createek tool and in the manual
> > https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_createek.1.md
> >
> > It explains how to create a transient EK, I followed these
> > instructions but can't get them to work.  I've taken ownership of the
> > TPM and created a SRK.  I then ran the command as listed in the manual
> > page:
> >
> > tpm2_createek -G rsa -u ek.pub
> > ERROR: Expected option -c
> > Usage: tpm2_createek [<options>]
> > Where <options> are:
> >     [ -P | --eh-auth=<value>] [ -w | --owner-auth=<value>] [ -p |
> > --ek-auth=<value>] [ -G | --key-algorithm=<value>]
> >     [ -u | --public=<value>] [ -f | --format=<value>] [ -c |
> > --ek-context=<value>] [ -t | --template=<value>]
> >
> > So I added the -c to save the context to disk and provide the EH authorisation:
> >
> > tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx
> > echo $?
> > 0
> >
> > so it looks like it's succeeded but I then try to list the
> > transient objects with
> >
> > tpm2_getcap handles-transient
> >
> > and I get nothing.  The files have been created
> 
> So a resource manager will flush all transient objects when the client disconnects.
> So in this case, when tpm2_createek exits, the RM flushes. This assumes you're
> using a resource manager (RM), like tpm2-abrmd or the in-kernel RM
> /dev/tpmrm0.
> 
> If you're not using an RM, and using the device directly (/dev/tpm0), I am not
> really sure why it wouldn't remain loaded.
> 
> Once you have the transient EK in a context file, you can just pass that to any
> tools -c or -C option (depends on command and use). The tools will notice that
> you need to restore the object from the context file and perform a ContextLoad
> command.
> 
> Typically, the EK is persisted at a specific handle, I thought it was in the PC client
> spec or Credential Profile EK spec:
> https://trustedcomputinggroup.org/wp-content/uploads/TCG_PC_Client_Platform_TPM_Profile_PTP_Specification_Family_2.0_Revision_1.3v22.pdf
> https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf
> 
> However, I can't find that handle, so perhaps I am misremembering, but you
> can persist it via the tpm2_evictcontrol command
> 

Ahh the provisioning guide has it in Table 2:
https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf

The EK should be persisted at: 0x81010001

If you want to conform with the spec





* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 14:39 Roberts, William C
  0 siblings, 0 replies; 14+ messages in thread
From: Roberts, William C @ 2020-02-28 14:39 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 2626 bytes --]



> -----Original Message-----
> From: Rowan Moul [mailto:lists(a)rowan.moul.ca]
> Sent: Friday, February 28, 2020 8:34 AM
> To: Martin Townsend <mtownsend1973(a)gmail.com>
> Cc: tpm2(a)lists.01.org
> Subject: [tpm2] Re: tpm2_createek and transient EK problem
> 
> Hi Martin,
> What version of the tools are you using?
> 
> Also, just to clarify terminology, when you say that you “took ownership of the
> tpm and created an SRK” what do you mean? That sounds a lot like tpm 1.2 which
> is not compatible with this toolset.

You can still do the same with TPM 2.0, the steps are just slightly different and the SRK
could be of a different key type.

> 
> Rowan
> 
> > On Feb 28, 2020, at 04:42, Martin Townsend <mtownsend1973(a)gmail.com>
> wrote:
> >
> > Hi,
> >
> > I'm trying out the tpm2_createek tool and in the manual
> > https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_createek.1.md
> >
> > It explains how to create a transient EK, I followed these
> > instructions but can't get them to work.  I've taken ownership of the
> > TPM and created a SRK.  I then ran the command as listed in the manual
> > page:
> >
> > tpm2_createek -G rsa -u ek.pub
> > ERROR: Expected option -c
> > Usage: tpm2_createek [<options>]
> > Where <options> are:
> >   [ -P | --eh-auth=<value>] [ -w | --owner-auth=<value>] [ -p |
> > --ek-auth=<value>] [ -G | --key-algorithm=<value>]
> >   [ -u | --public=<value>] [ -f | --format=<value>] [ -c |
> > --ek-context=<value>] [ -t | --template=<value>]
> >
> > So I added the -c to save the context to disk and provide the EH authorisation:
> >
> > tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx
> > echo $?
> > 0
> >
> > so it looks like it's succeeded but I then try to list the
> > transient objects with
> >
> > tpm2_getcap handles-transient
> >
> > and I get nothing.  The files have been created
> >
> > ls -la ek*
> > -rw-r--r-- 1 root root 1287 Feb 28  2020 ek.ctx
> > -rw-r--r-- 1 root root  316 Feb 28  2020 ek.pub
> >
> > Any ideas as to why this is not working for me, do I need to perform
> > some other step first?
> >
> > Many Thanks,
> > Martin.


* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 14:34 Roberts, William C
  0 siblings, 0 replies; 14+ messages in thread
From: Roberts, William C @ 2020-02-28 14:34 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 2900 bytes --]



> -----Original Message-----
> From: Martin Townsend [mailto:mtownsend1973(a)gmail.com]
> Sent: Friday, February 28, 2020 5:42 AM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] tpm2_createek and transient EK problem
> 
> Hi,
> 
> I'm trying out the tpm2_createek tool and in the manual
> https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_createek.1.md
> 
> It explains how to create a transient EK, I followed these instructions but can't
> get them to work.  I've taken ownership of the TPM and created a SRK.  I then ran
> the command as listed in the manual
> page:
> 
> tpm2_createek -G rsa -u ek.pub
> ERROR: Expected option -c
> Usage: tpm2_createek [<options>]
> Where <options> are:
>     [ -P | --eh-auth=<value>] [ -w | --owner-auth=<value>] [ -p | --ek-auth=<value>]
>     [ -G | --key-algorithm=<value>] [ -u | --public=<value>] [ -f | --format=<value>]
>     [ -c | --ek-context=<value>] [ -t | --template=<value>]
> 
> So I added the -c to save the context to disk and provide the EH authorisation:
> 
> tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx
> echo $?
> 0
> 
> so it looks like it's succeeded but I then try to list the transient objects with
> 
> tpm2_getcap handles-transient
> 
> and I get nothing.  The files have been created

So a resource manager will flush all transient objects when the client disconnects.
So in this case, when tpm2_createek exits, the RM flushes. This assumes you're
using a resource manager (RM), like tpm2-abrmd or the in-kernel RM /dev/tpmrm0.

If you're not using an RM, and using the device directly (/dev/tpm0), I am not really sure why it
wouldn't remain loaded.

Once you have the transient EK in a context file, you can just pass that to any tools -c or -C
option (depends on command and use). The tools will notice that you need to restore the
object from the context file and perform a ContextLoad command.

Typically, the EK is persisted at a specific handle, I thought it was in the PC client spec or Credential Profile EK spec:
https://trustedcomputinggroup.org/wp-content/uploads/TCG_PC_Client_Platform_TPM_Profile_PTP_Specification_Family_2.0_Revision_1.3v22.pdf
https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf

However, I can't find that handle, so perhaps I am misremembering, but you can persist it via the
tpm2_evictcontrol command


> 
> ls -la ek*
> -rw-r--r-- 1 root root 1287 Feb 28  2020 ek.ctx
> -rw-r--r-- 1 root root  316 Feb 28  2020 ek.pub
> 
> Any ideas as to why this is not working for me, do I need to perform some other
> step first?
> 
> Many Thanks,
> Martin.

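The procedure William describes in the two replies above (create the EK as a transient object, keep its context file so later tools can ContextLoad it, then persist it with tpm2_evictcontrol at the handle the TCG provisioning guidance reserves, 0x81010001), put together as one script. This is an added example, not code from the thread or from the tpm2-tools project. It assumes the tpm2-tools 4.x option names shown in the thread (tpm2_createek -G/-u/-c/-P, tpm2_evictcontrol -C/-c/-P with the persistent handle as its argument, tpm2_getcap handles-persistent / handles-transient, tpm2_flushcontext -t, the -T TCTI option and the TPM2TOOLS_TCTI environment variable). EK_PUB, EK_CTX, EH_AUTH and OWNER_AUTH are this script's own variable names.

```shell
#!/bin/sh
# Added example; not code from this thread or from the tpm2-tools project.
# Create the EK (transient), persist it at the TCG-reserved EK handle, and
# check the result. Assumes tpm2-tools 4.x option names as shown in the thread.
# EK_PUB, EK_CTX, EH_AUTH and OWNER_AUTH are this script's own variables.

EK_HANDLE=0x81010001          # TCG TPM 2.0 provisioning guidance, Table 2
EK_PUB=${EK_PUB:-ek.pub}
EK_CTX=${EK_CTX:-ek.ctx}
EH_AUTH=${EH_AUTH:-}          # endorsement hierarchy auth, if one has been set
OWNER_AUTH=${OWNER_AUTH:-}    # owner hierarchy auth, if one has been set

# Classify a TCTI string the way the thread explains it: tpm2-abrmd and the
# in-kernel resource manager (/dev/tpmrm0) flush a tool's transient objects
# when the tool exits, so "handles-transient" is empty afterwards. Talking to
# /dev/tpm0 or the simulator directly leaves them loaded. Unset or unknown
# strings are treated as a resource manager (the safe assumption); every
# tool prints the TCTI it actually selected with -v.
tcti_flushes_transients() {
    case "${1:-}" in
        device:/dev/tpm[0-9]*|mssim|mssim:*) return 1 ;;
        *)                                   return 0 ;;
    esac
}

# Succeed if HANDLE appears in a tpm2_getcap handle listing read on stdin
# (one "- 0x81010001" per line, the format the thread's output shows).
handle_listed() {
    grep -qi -- "^- *$1\$"
}

# Is the EK already persisted at EK_HANDLE? Extra arguments (for example
# "-T device:/dev/tpm0") are passed straight through to tpm2_getcap.
ek_persisted() {
    tpm2_getcap handles-persistent "$@" | handle_listed "$EK_HANDLE"
}

# Create the EK and persist it. The context file is what later tools reload
# (ContextLoad) after a resource manager has flushed the transient handle.
provision_ek() {
    if ek_persisted "$@"; then
        echo "EK already persisted at $EK_HANDLE" >&2
        return 0
    fi
    tpm2_createek -G rsa -u "$EK_PUB" -c "$EK_CTX" \
        ${EH_AUTH:+-P "$EH_AUTH"} "$@" || return 1
    # Persisting is an owner-hierarchy operation: it needs the owner auth
    # (what tpm2_takeownership set), not the endorsement auth used above.
    tpm2_evictcontrol -C o -c "$EK_CTX" \
        ${OWNER_AUTH:+-P "$OWNER_AUTH"} "$@" "$EK_HANDLE" || return 1
    ek_persisted "$@"
}

# List the transient handles a tool left behind, warning when the TCTI in
# use is a resource manager that will already have flushed them.
show_transients() {
    tcti=${TPM2TOOLS_TCTI:-}
    if tcti_flushes_transients "$tcti"; then
        echo "TCTI '${tcti:-default}' is a resource manager: transients are flushed at exit" >&2
    fi
    tpm2_getcap handles-transient "$@"
}

# Subcommands; with no argument the script only defines the functions.
case "${1:-}" in
    provision)  shift; provision_ek "$@" ;;
    status)     shift; ek_persisted "$@" && echo "EK persisted at $EK_HANDLE" ;;
    transients) shift; show_transients "$@" ;;
    flush)      shift; tpm2_flushcontext -t "$@" ;;  # drop transients left when bypassing the RM
    *)          : ;;
esac
```

Run `sh ek.sh provision` (add `-T device:/dev/tpm0` to bypass the resource manager) and then `sh ek.sh status`. Two caveats a deployment should respect: /dev/tpm0 is opened exclusively by the kernel driver, so bypassing the resource manager only works while tpm2-abrmd is not holding the device; and objects loaded through /dev/tpm0 stay in the TPM's limited object slots until something flushes them, hence the `flush` subcommand.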

* [tpm2] Re: tpm2_createek and transient EK problem
@ 2020-02-28 14:33 Rowan Moul
  0 siblings, 0 replies; 14+ messages in thread
From: Rowan Moul @ 2020-02-28 14:33 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 1905 bytes --]

Hi Martin,
What version of the tools are you using?

Also, just to clarify terminology, when you say that you “took ownership of the tpm and created an SRK” what do you mean? That sounds a lot like tpm 1.2 which is not compatible with this toolset.

Rowan

> On Feb 28, 2020, at 04:42, Martin Townsend <mtownsend1973(a)gmail.com> wrote:
> 
> Hi,
> 
> I'm trying out the tpm2_createek tool and in the manual
> https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_createek.1.md
> 
> It explains how to create a transient EK, I followed these
> instructions but can't get them to work.  I've taken ownership of the
> TPM and created a SRK.  I then ran the command as listed in the manual
> page:
> 
> tpm2_createek -G rsa -u ek.pub
> ERROR: Expected option -c
> Usage: tpm2_createek [<options>]
> Where <options> are:
>   [ -P | --eh-auth=<value>] [ -w | --owner-auth=<value>] [ -p |
> --ek-auth=<value>] [ -G | --key-algorithm=<value>]
>   [ -u | --public=<value>] [ -f | --format=<value>] [ -c |
> --ek-context=<value>] [ -t | --template=<value>]
> 
> So I added the -c to save the context to disk and provide the EH authorisation:
> 
> tpm2_createek -G rsa -u ek.pub -c ek.ctx -P xxx
> echo $?
> 0
> 
> so it looks like it's succeeded but I then try to list the
> transient objects with
> 
> tpm2_getcap handles-transient
> 
> and I get nothing.  The files have been created
> 
> ls -la ek*
> -rw-r--r-- 1 root root 1287 Feb 28  2020 ek.ctx
> -rw-r--r-- 1 root root  316 Feb 28  2020 ek.pub
> 
> Any ideas as to why this is not working for me, do I need to perform
> some other step first?
> 
> Many Thanks,
> Martin.


end of thread, other threads:[~2020-03-03  9:30 UTC | newest]

Thread overview: 14+ messages
2020-02-28 16:43 [tpm2] Re: tpm2_createek and transient EK problem Martin Townsend
2020-03-03  9:30 Martin Townsend
2020-03-02 16:51 Roberts, William C
2020-02-28 16:51 Tadeusz Struk
2020-02-28 16:06 Martin Townsend
2020-02-28 15:57 Rowan Moul
2020-02-28 15:52 Martin Townsend
2020-02-28 15:46 Rowan Moul
2020-02-28 15:36 Martin Townsend
2020-02-28 15:25 Martin Townsend
2020-02-28 14:45 Roberts, William C
2020-02-28 14:39 Roberts, William C
2020-02-28 14:34 Roberts, William C
2020-02-28 14:33 Rowan Moul
