* [tpm2]  Question about eviction
@ 2017-08-07  7:22 yongkwan park
  0 siblings, 0 replies; 4+ messages in thread
From: yongkwan park @ 2017-08-07  7:22 UTC (permalink / raw)
  To: tpm2

Hi folks,

I want to make a primary key and evict it to make it persistent.
But, failed.

Here is what I did according to "How to use tpm2 tools",

pi(a)raspberrypi:~/work/TPM2.0-TSS-1.1.0$ tpm2_createprimary -A o -K objectpass -g 0x000b -G 0x0001
nameAlg = 0x000b
type = 0x0001

CreatePrimary Succeed ! Handle: 0x800000ff

pi(a)raspberrypi:~/work/TPM2.0-TSS-1.1.0$ tpm2_createprimary -A o -K objectpass -g 0x000b -G 0x0001
nameAlg = 0x000b
type = 0x0001

CreatePrimary Succeed ! Handle: 0x800000ff

pi(a)raspberrypi:~/work/TPM2.0-TSS-1.1.0$ tpm2_evictcontrol -A o -H 0x800000ff -S 0x81000100 -P objectpass
persistentHandle: 0x81000100
ERROR: EvictControl failed, error code: 0x284


The following are questions.

Q1. In tools/tpm2_createprimary.c, inPublic->t.publicArea.unique.rsa.t.size
is set to zero. It is written in the TPM2 spec part1, "The caller may also
set the size of this field to zero and the TPM will replace it with a
correctly sized structure." I think this means that unique field will be
set with random values by TPM. Is it correct?

tpm2_createprimary was executed twice in a row at the previous test. Those
two tests were successful seeing the messages. If those primary keys were
generated by random values (unique field is zero), result keys would be
different. But, the handles of two keys(0x800000ff) are the same at the
messages. Can anyone explain the meaning?

Q2. I tried to evict the primary key with tpm2_evictcontrol, but failed.
Can anyone tell what's wrong at the command?

Thank you.


-- 
Yongkwan "Ethan" Park / Principal Engineer
------------------------------------------------------------------
Security Platform, Inc. (http://www.securityplatform.co.kr )
CONSEC #C-7, GCCEI Bldg.
12 Daewangpangyo-ro 645beon-gil
Bundang-gu, Seongnam-si, Gyeonggi-do, Korea
T. 82-70-7613-0094
M. 82-10-5156-8532    E. yongkwan.park(a)securityplatform.co.kr


* Re: [tpm2] Question about eviction
@ 2017-08-08 19:48 Roberts, William C
  0 siblings, 0 replies; 4+ messages in thread
From: Roberts, William C @ 2017-08-08 19:48 UTC (permalink / raw)
  To: tpm2


I am not sure, but looking at the test code  test_tpm2_evictcontrol.sh might help.

* Re: [tpm2] Question about eviction
@ 2017-08-08  7:10 yongkwan park
  0 siblings, 0 replies; 4+ messages in thread
From: yongkwan park @ 2017-08-08  7:10 UTC (permalink / raw)
  To: tpm2


Hi William,

I tested based on your instruction and got the following result.

pi(a)raspberrypi:~/tmp$ tpm2_createprimary -A o -K objectpass -g 0x000b -G 0x0001 -C po.ctx
nameAlg = 0x000b
type = 0x0001
contextFile = po.ctx

CreatePrimary Succeed ! Handle: 0x800000ff

pi(a)raspberrypi:~/tmp$ tpm2_evictcontrol -c po.ctx -A o -H 0x800000ff -S 0x81000100 -P objectpass
persistentHandle: 0x81000100
ERROR: EvictControl failed, error code: 0x9a2

pi(a)raspberrypi:~/tmp$ tpm2_rc_decode 0x9a2
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 1 error code
  hex: 0x22
  identifier: TPM_RC_BAD_AUTH
  description: authorization failure without DA implications
session
  hex: 0x100
  identifier: TPM_RC_1
  description:  (null)

The result is the same even if --tcti=device is used.
It seems that the output message says the password is wrong.
But I see that the passwords used at tpm2_createprimary and
tpm2_evictcontrol are the same.
Could you tell what's wrong?

Thank you,


* Re: [tpm2] Question about eviction
@ 2017-08-07 17:42 Roberts, William C
  0 siblings, 0 replies; 4+ messages in thread
From: Roberts, William C @ 2017-08-07 17:42 UTC (permalink / raw)
  To: tpm2


For the generation of unique, section 27.5.3.1 describes how it is done in detail:
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf
Since your key was RSA, unique is the public modulus of the key.

Decoding your error code:
$ ./tools/tpm2_rc_decode 0x284
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 1 error code
  hex: 0x04
  identifier: TPM_RC_VALUE
  description: value is out of range or is not correct for the context
handle
  hex:0x200
  identifier:  TPM_RC_2
  description:  (null)

I think this points us to the problem. Based on page 118 of "A Practical Guide to TPM2.0",
it states, "TPM2_FlushContext removes a key from the TPM." The Resource Manager (RM)
is calling FlushContext and thus you're just creating primary keys that are getting removed
when the command exits.

Your options are three-fold:
1. Use the -c option for saving the key, which can then be re-loaded with LoadContext.
    See test/system/test_tpm2_createprimary_all.sh
2. Don't use an RM and use the --tcti=device option. Note that no other clients can
    be using the TPM if you do this.
3. Use the experimental tpm-shell branch:
    https://github.com/williamcroberts/tpm2.0-tools/tree/tpm-shell

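The two response codes in this thread (0x284 in the first attempt, 0x9a2 after the -c fix) are what tpm2_rc_decode splits into error, handle and session fields. As an added example, not code from the thread or from tpm2-tools, the Python below applies the TPM 2.0 format-1 response-code layout (Library Part 2, section 6.6) to both values and maps the blamed index onto the handle and session positions of TPM2_EvictControl; EVICTCONTROL_SLOTS and its description strings are this example's own wording.

```python
# Added example, not code from the thread or from tpm2-tools: decodes the TPM 2.0
# "format-1" response codes seen here (0x284, 0x9a2) using the layout of
# TPM 2.0 Library Part 2, section 6.6:
#   bits 23:16  TSS2 error layer (0 = produced by the TPM itself)
#   bit 7       RC_FMT1: format-1 code, blames a handle, session or parameter
#   bit 6       RC_P: set -> bits 11:8 give the parameter number
#   bit 11      if RC_P clear: set -> bits 10:8 give a session number,
#               clear -> bits 10:8 give a handle number
#   bits 5:0    the error number
RC_FMT1 = 0x080
RC_P = 0x040
RC_SESSION = 0x800

# Subset of the format-1 error table (TPM_RC constants in Part 2).
FMT1_ERRORS = {
    0x04: ("TPM_RC_VALUE", "value is out of range or is not correct for the context"),
    0x0B: ("TPM_RC_HANDLE", "the handle is not correct for the use"),
    0x22: ("TPM_RC_BAD_AUTH", "authorization failure without DA implications"),
}

# Slots of TPM2_EvictControl (Part 3): handle 1 is 'auth', the hierarchy
# (TPM_RH_OWNER = 0x40000001 for "-A o"); handle 2 is 'objectHandle'; the single
# authorization session authorizes handle 1. Descriptions are this example's wording.
EVICTCONTROL_SLOTS = {
    ("handle", 1): "auth: the hierarchy handle (TPM_RH_OWNER for -A o)",
    ("handle", 2): "objectHandle: the transient key being made persistent",
    ("session", 1): "the authorization session for auth, i.e. the hierarchy's password",
    ("parameter", 1): "persistentHandle",
}

def decode_rc(rc):
    """Split a response code into its layer, error name and the slot it blames."""
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    if not code & RC_FMT1:
        raise ValueError("0x%x is not a format-1 code; see the format-0 table" % rc)
    err = code & 0x3F
    name, desc = FMT1_ERRORS.get(err, ("TPM_RC_FMT1+0x%02x" % err, "see Part 2 table"))
    if code & RC_P:
        kind, index = "parameter", (code >> 8) & 0xF
    elif code & RC_SESSION:
        kind, index = "session", (code >> 8) & 0x7
    else:
        kind, index = "handle", (code >> 8) & 0x7
    return {"layer": layer, "name": name, "desc": desc, "kind": kind, "index": index}

def explain_evictcontrol(rc):
    """Read a TPM2_EvictControl failure back to the handle or session it blames."""
    d = decode_rc(rc)
    slot = EVICTCONTROL_SLOTS.get((d["kind"], d["index"]), "no such slot in EvictControl")
    return "%s on %s %d: %s" % (d["name"], d["kind"], d["index"], slot)
```

explain_evictcontrol(0x284) blames handle 2, the objectHandle that the RM had already flushed, while explain_evictcontrol(0x9a2) blames session 1, the authorization for the hierarchy selected with -A rather than for the object.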
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
2017-08-07  7:22 [tpm2] Question about eviction yongkwan park
2017-08-07 17:42 Roberts, William C
2017-08-08  7:10 yongkwan park
2017-08-08 19:48 Roberts, William C