* [tpm2] TPM Encryption Key
@ 2020-03-26 11:48 Ashok Kumar
From: Ashok Kumar @ 2020-03-26 11:48 UTC (permalink / raw)
  To: tpm2


Hello,

Our requirement is to encrypt the given data (for example, a private key)
with a TPM key.
As and when required, decrypt the data using the TPM key and use it in the
application.

To address this requirement, we did the following.

First time initialization:

- Generated a primary key under the owner hierarchy
- Created the TPM symmetric key (which is used to encrypt/decrypt
  application data) under the primary key
- Used Esys_EvictControl() to store the TPM key handle in the TPM
  persistent memory

During Encryption/Decryption:

- Used Esys_TR_FromTPMPublic() to fetch the existing TPM key handle from
  the persistent memory
- Used Esys_EncryptDecrypt() to encrypt/decrypt the given data

Is this the right approach?

It worked fine with the simulator. However, it failed with a "command code
not supported" error with the TPM device.

---x---
WARNING:esys:src/tss2-esys/api/Esys_EncryptDecrypt.c:324:Esys_EncryptDecrypt_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_EncryptDecrypt.c:110:Esys_EncryptDecrypt()
Esys Finish ErrorCode (0x00000143)
versa_tpm2_encrypt_decrypt.382: Esys_EncryptDecrypt failed; rc 0x143
Output:
main#568: Wrote 0 bytes of data
[admin(a)TPM2-VersaCSG-Ashok: ~] $ tpm2_rc_decode 0x143
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 0 error code
  hex: 0x43
  name: TPM_RC_COMMAND_CODE
  description: command code not supported
---x---

From the tpm2_dump_capability output, it looks like Esys_EncryptDecrypt()
and Esys_EncryptDecrypt2() are not supported.

For our use case, what would be the right alternative method to use? Shall
we use Esys_RSA_Encrypt()? In that case, which scheme is better,
TPM2_ALG_RSAES or TPM2_ALG_OAEP?

Thanks,
Ashok Kumar
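As an added example, not code from the post or from tpm2-tss: a decoder for the TSS2_RC value that Esys calls return, reproducing what tpm2_rc_decode printed for 0x143 above, so an application can tell "this TPM does not implement the command" apart from an authorization, parameter or TSS-layer failure before choosing a fallback. Layer numbers follow tss2_common.h and the bit layout follows TPM 2.0 Part 2; the TPM_RC name table is a small constructed subset.

```c
#include <stdint.h>
#include <string.h>
/* Decoded view of a TSS2_RC, modelled on the tpm2_rc_decode output above. */
typedef struct {
    unsigned layer;    /* rc bits 16-23: 0 = error from the TPM, 7 = ESAPI (tss2_common.h) */
    unsigned format;   /* 0 = format-0 code such as 0x143; 1 = format-1 handle/parameter/session code */
    unsigned code;     /* format-0: low 12 bits; format-1: FMT1 bit plus 6-bit error number */
    unsigned index;    /* format-1 only: handle/parameter/session number (0 = unspecified) */
    const char *kind;  /* "handle", "parameter", "session", or "" for format-0 */
    const char *name;  /* TPM_RC_* name from the table below, or "unknown" */
} tpm_rc_info;
/* Constructed subset of TPM 2.0 Part 2 names: RC_VER1 = 0x100, RC_FMT1 = 0x080, RC_WARN = 0x900. */
static const char *rc_name(unsigned code)
{
    switch (code) {
    case 0x143: return "TPM_RC_COMMAND_CODE";  /* the rc in the log above */
    case 0x084: return "TPM_RC_VALUE";
    case 0x08E: return "TPM_RC_AUTH_FAIL";
    case 0x092: return "TPM_RC_SCHEME";
    case 0x09C: return "TPM_RC_KEY";
    case 0x921: return "TPM_RC_LOCKOUT";
    default:    return "unknown";
    }
}
tpm_rc_info tpm_rc_decode(uint32_t rc)
{
    tpm_rc_info r = { 0, 0, 0, 0, "", "unknown" };
    uint32_t low = rc & 0xfff;
    r.layer = (rc >> 16) & 0xff;
    if (low & 0x080) {                 /* RC_FMT1 set: format-1 response code */
        r.format = 1;
        r.code = low & 0x0bf;          /* drop P bit and N field, keep FMT1 + error number */
        r.index = (low >> 8) & 0x7;    /* N: which handle/parameter/session */
        if (low & 0x040)      r.kind = "parameter"; /* P bit */
        else if (low & 0x800) r.kind = "session";   /* bit 11 with P clear */
        else                  r.kind = "handle";
    } else {
        r.code = low;                  /* format-0: the whole 12-bit code is the key */
    }
    r.name = rc_name(r.code);
    return r;
}
/* True only when the TPM itself answered TPM_RC_COMMAND_CODE, i.e. the command is not
 * implemented on this device (the post's case), not an auth, parameter or TSS-layer error. */
int tpm_rc_is_command_unsupported(uint32_t rc)
{
    tpm_rc_info r = tpm_rc_decode(rc);
    return r.layer == 0 && r.format == 0 && r.code == 0x143;
}
```

A caller that gets a true result from tpm_rc_is_command_unsupported() knows the device lacks the command and can select an alternative keyed operation instead of retrying.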
