From: ted.h.kim at oracle.com
To: tpm2@lists.01.org
Subject: [tpm2] Re: trying duplication and then rsa_en/decrypt
Date: Wed, 20 May 2020 11:03:07 -0700
Message-ID: <c2e6d7db-708d-003c-64e4-911911448c40@oracle.com>
In-Reply-To: 20200520173152.2843.3012@ml01.vlan13.01.org


Hi Imran,

Thanks for your reply.

I had two cases, but for now, let's talk about the one in the 
tpm2_policyduplicationselect(1) man page. I did the exact steps listed 
there in the example. Then after the duplication, I did an import and 
load, as follows:

# tpm2_import -Q -C dst_n.ctx -i new_dupkey.priv -u dupkey.pub \
     -s dupseed.dat -r imported.priv -L policydupselect.dat

# tpm2_load -Q -C dst_n.ctx -r imported.priv -u dupkey.pub -c imported.ctx

I then tried to do tpm2_rsa_en/decrypt with imported.ctx. The decrypt is 
where the policy errors came up.


But as you point out below, the "userwithauth" attribute is not part of 
the example in that man page. So let me try again with that attribute 
added. IIRC, the readpublic on the duplicated/imported key did reference 
a policy, which I could not figure out how to satisfy. Will get back to 
you shortly after trying again.

Thanks,
-ted


On 5/20/20 10:31 AM, Imran Desai wrote:
> Hi Ted,
>
> Based on what you said you want to accomplish and your above-mentioned references, I have a hunch that you have the keys set up incorrectly.
> Can you please,
> 1. Try to create a key with "userwithauth" set in the step in your script that references policy_duplication man page as in here: "tpm2_create -C src_o.ctx -g sha256 -G rsa -r dupkey.priv -u dupkey.pub \
> -L policydupselect.dat  -a "sensitivedataorigin|sign|decrypt|userwithauth" -c dupkey.ctx -Q"
> 2. Share your exact steps/ script that you implemented.
> 3. Share the key properties of the parent and child object you created. You can use tpm2_readpublic command to dump the key properties.
>
> Thanks

-- 
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
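An added check, not code from this thread or from tpm2-tools, that reads tpm2_readpublic output and reports whether a duplicated and imported key can be authorized with its password for tpm2_rsadecrypt or whether only a policy session can authorize it. The readpublic excerpts are constructed, and the attribute bit values are taken from the TPMA_OBJECT definition in the TPM 2.0 Library spec, Part 2.

```shell
#!/bin/sh
# Added example (not from the thread or tpm2-tools): classify a key from its
# tpm2_readpublic output.  TPMA_OBJECT bit positions, TPM 2.0 Library Part 2.
USERWITHAUTH=0x40     # bit 6: the authValue may authorize USER-role commands
DECRYPT=0x20000       # bit 17: the key may be used with TPM2_RSA_Decrypt

# Print the 'raw:' value listed under 'attributes:' in tpm2_readpublic YAML.
attr_raw() {
    awk '/^attributes:/ { in_attr = 1; next }
         in_attr && /raw:/ { print $2; exit }'
}

# Read tpm2_readpublic output from stdin and print one verdict:
#   ok           userwithauth set: password auth works for tpm2_rsadecrypt
#   policy-only  no userwithauth: only a satisfied policy session can
#                authorize, and a policyduplicationselect policy binds the
#                session to TPM2_Duplicate, so rsadecrypt gets a policy error
#   nodecrypt    decrypt attribute missing: the key cannot decrypt at all
#   unparsed     no attributes block found
# Exit status is 0 only for "ok", so the function can gate a script.
diagnose() {
    raw=$(attr_raw)
    [ -n "$raw" ] || { echo unparsed; return 2; }
    if [ $(( $raw & $DECRYPT )) -eq 0 ]; then echo nodecrypt; return 1; fi
    if [ $(( $raw & $USERWITHAUTH )) -ne 0 ]; then echo ok; return 0; fi
    echo policy-only; return 1
}

# Constructed readpublic excerpts (not real TPM output) for the two
# tpm2_create invocations in the thread: the man-page one without
# userwithauth, and the one Imran suggested with it.
MANPAGE_KEY='attributes:
  value: sensitivedataorigin|decrypt|sign
  raw: 0x60020'
FIXED_KEY='attributes:
  value: sensitivedataorigin|userwithauth|decrypt|sign
  raw: 0x60060'

# Expected verdicts: policy-only, then ok ("|| true" keeps set -e scripts going).
printf '%s\n' "$MANPAGE_KEY" | diagnose || true
printf '%s\n' "$FIXED_KEY"   | diagnose
```

On a real system, pipe `tpm2_readpublic -c imported.ctx` into `diagnose` to check the key you actually loaded.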

