* [tpm2] Question about eviction
@ 2017-08-07 7:22 yongkwan park
From: yongkwan park @ 2017-08-07 7:22 UTC
To: tpm2
Hi folks,
I want to make a primary key and evict it to make it persistent.
But it failed.
Here is what I did according to "How to use tpm2 tools":
pi(a)raspberrypi:~/work/TPM2.0-TSS-1.1.0$ tpm2_createprimary -A o -K objectpass -g 0x000b -G 0x0001
nameAlg = 0x000b
type = 0x0001
CreatePrimary Succeed ! Handle: 0x800000ff
pi(a)raspberrypi:~/work/TPM2.0-TSS-1.1.0$ tpm2_createprimary -A o -K objectpass -g 0x000b -G 0x0001
nameAlg = 0x000b
type = 0x0001
CreatePrimary Succeed ! Handle: 0x800000ff
pi(a)raspberrypi:~/work/TPM2.0-TSS-1.1.0$ tpm2_evictcontrol -A o -H 0x800000ff -S 0x81000100 -P objectpass
persistentHandle: 0x81000100
ERROR: EvictControl failed, error code: 0x284
The following are my questions.
Q1. In tools/tpm2_createprimary.c, inPublic->t.publicArea.unique.rsa.t.size is set to zero. It is written in the TPM2 spec part 1, "The caller may also set the size of this field to zero and the TPM will replace it with a correctly sized structure." I think this means that the unique field will be set with random values by the TPM. Is that correct?
tpm2_createprimary was executed twice in a row in the previous test. Both runs were successful, judging by the messages. If those primary keys were generated from random values (unique field is zero), the resulting keys would be different. But the handles of the two keys (0x800000ff) are the same in the messages. Can anyone explain what this means?
Q2. I tried to evict the primary key with tpm2_evictcontrol, but it failed. Can anyone tell me what's wrong with the command?
Thank you.
--
Yongkwan "Ethan" Park / Principal Engineer
------------------------------------------------------------------
Security Platform, Inc. (http://www.securityplatform.co.kr )
CONSEC #C-7, GCCEI Bldg.
12 Daewangpangyo-ro 645beon-gil
Bundang-gu, Seongnam-si, Gyeonggi-do, Korea
T. 82-70-7613-0094
M. 82-10-5156-8532 E. yongkwan.park(a)securityplatform.co.kr
* Re: [tpm2] Question about eviction
@ 2017-08-08 19:48 Roberts, William C
From: Roberts, William C @ 2017-08-08 19:48 UTC
To: tpm2
I am not sure, but looking at the test code test_tpm2_evictcontrol.sh might help.
* Re: [tpm2] Question about eviction
@ 2017-08-08 7:10 yongkwan park
From: yongkwan park @ 2017-08-08 7:10 UTC
To: tpm2
Hi William,
I tested based on your instruction and got the following result.
pi(a)raspberrypi:~/tmp$ tpm2_createprimary -A o -K objectpass -g 0x000b -G 0x0001 -C po.ctx
nameAlg = 0x000b
type = 0x0001
contextFile = po.ctx
CreatePrimary Succeed ! Handle: 0x800000ff
pi(a)raspberrypi:~/tmp$ tpm2_evictcontrol -c po.ctx -A o -H 0x800000ff -S 0x81000100 -P objectpass
persistentHandle: 0x81000100
ERROR: EvictControl failed, error code: 0x9a2
pi(a)raspberrypi:~/tmp$ tpm2_rc_decode 0x9a2
error layer
hex: 0x0
identifier: TSS2_TPM_ERROR_LEVEL
description: Error produced by the TPM
format 1 error code
hex: 0x22
identifier: TPM_RC_BAD_AUTH
description: authorization failure without DA implications
session
hex: 0x100
identifier: TPM_RC_1
description: (null)
The result is the same even if --tcti=device is used.
It seems that the output message says the password is wrong.
But I see that the passwords used for tpm2_createprimary and tpm2_evictcontrol are the same.
Could you tell me what's wrong?
Thank you,
* Re: [tpm2] Question about eviction
@ 2017-08-07 17:42 Roberts, William C
From: Roberts, William C @ 2017-08-07 17:42 UTC
To: tpm2
For the generation of unique, section 27.5.3.1 describes how it is done in detail:
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf
Since your key was RSA, unique is the public modulus of the key.
Decoding your error code:
$ ./tools/tpm2_rc_decode 0x284
error layer
hex: 0x0
identifier: TSS2_TPM_ERROR_LEVEL
description: Error produced by the TPM
format 1 error code
hex: 0x04
identifier: TPM_RC_VALUE
description: value is out of range or is not correct for the context
handle
hex:0x200
identifier: TPM_RC_2
description: (null)
I think this points us to the problem. Based on page 118 of "A Practical Guide to TPM2.0",
it states, "TPM2_FlushContext removes a key from the TPM." The Resource Manager (RM)
is calling FlushContext and thus you're just creating primary keys that are getting removed
when the command exits.
Your options are threefold:
1. Use the -c option for saving the key so that it can be re-loaded from LoadContext.
See test/system/test_tpm2_createprimary_all.sh
2. Don't use an RM and use the --tcti=device option. Note that no other clients can
be using the TPM if you do this.
3. Use the experimental tpm-shell branch:
https://github.com/williamcroberts/tpm2.0-tools/tree/tpm-shell
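The two tpm2_rc_decode results in this thread (0x284 and 0x9a2) follow directly from the TPM 2.0 response-code bit layout in Part 2 of the library spec, which is worth seeing worked through: the low six bits of a format-1 code name the error, bit 6 says whether the upper nibble indexes a parameter or a handle/session, and bit 11 distinguishes handle from session. The following decoder is an added example written for this thread; it is not tpm2-tools code and not from either poster. Its name tables are a partial subset of the TPM_RC constants (TPM_RC_VALUE, TPM_RC_BAD_AUTH and a few others), and it treats bits 16..23 of a TSS2 return code as the error layer, with layer 0 meaning "produced by the TPM", which is the convention the tpm2_rc_decode output above reflects.

```python
"""Minimal TPM 2.0 response-code decoder (added example, not tpm2-tools code).

Field layout follows TPM 2.0 Library Part 2, TPM_RC.  The name tables are a
partial subset of the spec's constants, enough for the codes in this thread.
"""

RC_VER1 = 0x100  # format-0 TPM 2.0 code (bit 8 set, bit 7 clear)
RC_FMT1 = 0x080  # format-1 code (bit 7 set)
RC_WARN = 0x900  # format-0 warning (bits 8 and 11 set)

# Format-1 errors, keyed by the low six bits of the code (partial table).
FMT1_NAMES = {
    0x01: "TPM_RC_ASYMMETRIC", 0x02: "TPM_RC_ATTRIBUTES", 0x03: "TPM_RC_HASH",
    0x04: "TPM_RC_VALUE", 0x05: "TPM_RC_HIERARCHY", 0x0B: "TPM_RC_HANDLE",
    0x0E: "TPM_RC_AUTH_FAIL", 0x15: "TPM_RC_SIZE", 0x1B: "TPM_RC_SIGNATURE",
    0x1D: "TPM_RC_POLICY_FAIL", 0x1F: "TPM_RC_INTEGRITY", 0x22: "TPM_RC_BAD_AUTH",
    0x23: "TPM_RC_EXPIRED",
}

# Format-0 codes, keyed by the full 12-bit value (partial table).
FMT0_NAMES = {
    0x000: "TPM_RC_SUCCESS",
    RC_VER1 + 0x00: "TPM_RC_INITIALIZE", RC_VER1 + 0x01: "TPM_RC_FAILURE",
    RC_VER1 + 0x03: "TPM_RC_SEQUENCE", RC_VER1 + 0x21: "TPM_RC_EXCLUSIVE",
    RC_VER1 + 0x26: "TPM_RC_POLICY", RC_VER1 + 0x43: "TPM_RC_COMMAND_CODE",
    RC_VER1 + 0x44: "TPM_RC_AUTHSIZE",
    RC_WARN + 0x01: "TPM_RC_CONTEXT_GAP", RC_WARN + 0x02: "TPM_RC_OBJECT_MEMORY",
    RC_WARN + 0x05: "TPM_RC_SESSION_HANDLES", RC_WARN + 0x06: "TPM_RC_OBJECT_HANDLES",
    RC_WARN + 0x21: "TPM_RC_LOCKOUT", RC_WARN + 0x22: "TPM_RC_RETRY",
}


def decode_rc(rc: int) -> dict:
    """Split a TSS2/TPM 2.0 return code into layer, format and error fields."""
    # Assumption (TSS2 convention): bits 16..23 carry the error layer;
    # layer 0 is the TPM itself, anything else is a TSS software layer.
    layer = (rc >> 16) & 0xFF
    if layer != 0:
        return {"layer": layer, "format": None}

    code = rc & 0xFFF
    if code & RC_FMT1:
        err = code & 0x3F
        result = {"layer": 0, "format": 1,
                  "error": FMT1_NAMES.get(err, "TPM_RC_FMT1+0x%02x" % err)}
        if code & 0x040:
            # bit 6 set: bits 8..11 hold a 1-based parameter index
            result["kind"] = "parameter"
            result["number"] = (code >> 8) & 0xF
        else:
            # bit 6 clear: bits 8..10 index a handle (bit 11 clear)
            # or a session (bit 11 set)
            result["kind"] = "session" if code & 0x800 else "handle"
            result["number"] = (code >> 8) & 0x7
        return result

    # Format 0: the whole 12-bit value names the error.
    return {"layer": 0, "format": 0,
            "error": FMT0_NAMES.get(code, "TPM_RC_0x%03x" % code),
            "is_warning": bool(code & 0x800),
            "vendor_specific": bool(code & 0x400),
            "tpm2": bool(code & 0x100)}


def describe(rc: int) -> str:
    """Render a decoded code as a one-line summary."""
    d = decode_rc(rc)
    if d["format"] is None:
        return "0x%x: TSS layer %d error (not from the TPM)" % (rc, d["layer"])
    if d["format"] == 1:
        return "0x%x: %s, %s %d" % (rc, d["error"], d["kind"], d["number"])
    flag = " (warning)" if d["is_warning"] else ""
    return "0x%x: %s%s" % (rc, d["error"], flag)


if __name__ == "__main__":
    # The two codes from this thread, plus one constructed parameter error.
    for code in (0x284, 0x9a2, 0x1c4):
        print(describe(code))
```

Running it reproduces the thread's decodes: 0x284 is TPM_RC_VALUE on handle 2 (the handle being 2nd in the command, the object handle tpm2_evictcontrol passed after the hierarchy), and 0x9a2 is TPM_RC_BAD_AUTH on session 1, which is why the tools report the authorization, not the handle, as the failing element in the second attempt.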