* Re: [tpm2] tpm2-tss question
@ 2018-01-18 14:43 Yasuhiro Hosoda
  0 siblings, 0 replies; 17+ messages in thread
From: Yasuhiro Hosoda @ 2018-01-18 14:43 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 4958 bytes --]

I appreciate much for your help. I am expecting for your information about
tpm2-tools.
>
>> -----Original Message-----
>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>> Sent: Friday, January 12, 2018 1:47 AM
>> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org
>> Subject: Re: [tpm2] tpm2-tss question
>>
>> Hi, Mr. Roberts, William
>>
>> Thank you for your advice.
>> I had already checked the details of this error code.
>> My understanding is that the problem is not the setting of the auth but there
>> occurs the discrepancy between the virtual handles and the real handles in the
>> resource manager.
> Unless you took an RM virtualized handle and went directly to the TPM with it, there shouldn't
> Be a problem. The RM should be swapping out virtualized handles with real ones for you before
> They hit the tpm, and thus, should be transparent.
>
> As far as what the problem is, it's hard to tell offhand. I would look at how the tpm2-tools do it, they
> make for decent reference code.
>
>> Any help will be greatly appreciated
>>
>> Regard,
>>> 0x98e is:
>>>
>>> $ ./tpm2_rc_decode 0x98e
>>> error layer
>>>     hex: 0x0
>>>     identifier: TSS2_TPM_RC_LAYER
>>>     description: Error produced by the TPM
>>> format 1 error code
>>>     hex: 0x0e
>>>     identifier: TPM2_RC_AUTH_FAIL
>>>     description: the authorization HMAC check failed and DA counter incremented
>>> session
>>>     hex: 0x100
>>>     identifier: TPM2_RC_1
>>>     description:  (null)
>>>
>>> SO it looks like you're not setting up the auth properly in the session.
>>>
>>>> -----Original Message-----
>>>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Yasuhiro
>>>> Hosoda
>>>> Sent: Wednesday, December 13, 2017 10:59 PM
>>>> To: tpm2(a)lists.01.org
>>>> Subject: [tpm2] tpm2-tss question
>>>>
>>>> MY name is Yasuhiro Hosoda.
>>>>
>>>>
>>>> I am developing a program using TSS1.0(Nov1.2016).
>>>> I encountered a problem with PolicySecret error 0x98e and need help.
>>>> My program uses tpmtest.cpp as a base of development.
>>>> The situation is as follows:
>>>>
>>>> 1 Create TPM Keys like this.
>>>>
>>>> EK
>>>> |--------
>>>> |          |
>>>> MK       AK
>>>> |
>>>> SK
>>>>
>>>> 2 Execute PolicySecret twice using HMAC session. At first, it ends without
>> error.
>>>> Then it ends with 0x98e For clarification, I print out the values of
>>>> Virtual Handle and Real Handle.
>>>> The value of Virtual/Real Handles differ at 2nd execution of the command.
>>>> (See NO 25/26 Below)
>>>>
>>>> I understand that the resource manager assigns Virtual Handle and my
>>>> program calculates HMAC using that handles.
>>>> On the other hand, TPM may calculate HMAC using Real Handle.
>>>> That is my hypothesis.
>>>>
>>>> Any suggestion about the usage of Session Handle?
>>>>
>>>> NO  Command                           Virtual/Real Handle              LOC
>>>> 1.  CreatePrimary(EK)                 real=80000000, virtual=80000000  8381
>>>> 2.  HierarchyChangeAuth1              -                                8421
>>>> 3.  HierarchyChangeAuth2              -                                8431
>>>> 4.  StartAuthSession(Policy)          real=3000000, virtual=3000000    8480
>>>> 5.  PolicySecret(ENDORSEMENT)         -                                8494
>>>> 6.  Create(MK)                        -                                8515
>>>> 7.  PolicySecret(ENDORSEMENT)         -                                8529
>>>> 8.  Load(MK)                          real=80000001, virtual=80000001  8542
>>>> 9.  Evict(MK)                         -                                8552
>>>> 10. Create(SK)                        -                                8590
>>>> 11. Load(SK)                          real=80000001, virtual=80000002  8598
>>>> 12. PolicySecret(ENDORSEMENT)         -                                8609
>>>> 13. Create(AK)                        -                                8635
>>>> 14. PolicySecret(ENDORSEMENT)         -                                8645
>>>> 15. Load(AK)                          real=80000001, virtual=80000003  8655
>>>> 16. FlushContext(POLICY)              -                                8664
>>>> 17. StartAuthSession(POLICY)          real=3000000, virtual=3000000    8668
>>>> 18. StartAuthSession(HMAC)            real=2000001, virtual=2000001    8678
>>>> 19. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000004  3706
>>>> 20. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000005  3706
>>>> 21. PolicySecret(SK)                  -                                8711
>>>> 22. FlushContext(HMAC)                -                                8717
>>>> 23. FlushContext(POLICY)              -                                8724
>>>> 24. CertifyCreation(SK)               -                                8738
>>>> 25. StartAuthSession(POLICY)          real=3000000, virtual=3000001    8745
>>>> 26. StartAuthSession(HMAC)            real=2000001, virtual=2000000    8754
>>>> 27. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000005  8782
>>>> 28. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000004  8782
>>>> 29. PolicySecret(SK)                  -                                8789
>>>>
>>>> The whole  source program can be found here.
>>>> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
>>>>
>>>>
>>>> Kind regards,
>>>>
>>>> --
>>>> Yasuhiro Hosoda
>>>>
>>>> NTT Electronics Corporation (NEL)
>>>> Security Support Project
>>>>
>>>>
>>>> _______________________________________________
>>>> tpm2 mailing list
>>>> tpm2(a)lists.01.org
>>>> https://lists.01.org/mailman/listinfo/tpm2
>>


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [tpm2] tpm2-tss question
@ 2018-10-24  5:03 Yasuhiro Hosoda
  0 siblings, 0 replies; 17+ messages in thread
From: Yasuhiro Hosoda @ 2018-10-24  5:03 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 3383 bytes --]

I checked the following combinations with my test program.

tpm2-abrmd-1.1.0 and  tpm2-tss-1.3.0
tpm2-abrmd-1.2.0 and  tpm2-tss-1.3.0
tpm2-abrmd-1.3.0 and  tpm2-tss-1.3.0

They worked well and I am convinced that sessions (no matter if policy 
or hmac or trial)
  are not virtualized.

Still, with the TPM2.0-TSS-1.0 resource manager, it seems that
sessions are virtualized.
Does it mean that the TPM2.0-TSS-1.0 resource manager does not
comply with "TCG TSS 2.0 TAB and Resource Manager specification"?

Regards,
> Yes, sessions (no matter if policy or hmac or trial) are not virtualized.
>
> I assume tpm2-abrmd to be conforming to the spec.
> If you find any deviation, they'll most happily fix them
>
> ------------------------------------------------------------------------
> *From:* Yasuhiro Hosoda [hosoda-yasuhiro(a)ntt-el.com]
> *Sent:* Wednesday, April 11, 2018 10:38
> *To:* Fuchs, Andreas; tpm2(a)lists.01.org
> *Subject:* Re: [tpm2] tpm2-tss question
>
> Thank you very much for your answer.
>
> I understand that the spec. is that the handles of policy session are
> not virtualized
>
> I checked the source programs of the resource managers.
> (TPM2.0-TSS-1.0 and tpm2-abrmd-1.2.0)
> It seems that HMAC sessions and Policy sessions are handled
> in the same way. Do you have any comment about
> implementations?
>
>> According to the spec, only key and sequence handles are virtualized.
>>
>> Thus for PolicySecret, the virtual and TPM handles for policySession 
>> shall be the same.
>>
>> For keys and sequences (such as authHandle in PolicySecret) the 
>> virtual and TPM handles differ.
>> But instead of the handle the key's / sequence's public name is used 
>> within the hmac calculation.
>>
>> Hope this helps...
>>
>> ------------------------------------------------------------------------
>> *From:* tpm2 [tpm2-bounces(a)lists.01.org] on behalf of Yasuhiro Hosoda 
>> [hosoda-yasuhiro(a)ntt-el.com]
>> *Sent:* Wednesday, April 11, 2018 08:11
>> *To:* william.c.roberts(a)intel.com; tpm2(a)lists.01.org
>> *Subject:* Re: [tpm2] tpm2-tss question
>>
>> I have one finding about the RM and PolicySecret command,
>>
>> It says in page 10 of the following document
>> "TCG TSS 2.0 TAB and Resource Manager specification"
>> https://trustedcomputinggroup.org/wp-content/uploads/TSS-2.0-TAB-Resource-Manager-SpecVer1.0-Rev18_review_END030918.pdf
>> that
>> "
>> The RM performs a mapping from the (unchanging) virtual handle to the 
>> (currently assigned) TPM
>> handle. It replaces the virtual handle with the TPM handle in the TPM 
>> command packet.
>>
>> NOTE: The TPM 2.0 library specification excludes the handle from 
>> command stream HMAC calculations to enable this
>> substitution."
>> This means that if the virtual handle and the (currently assigned) 
>> TPM differs,
>> the HMAC calculations for most of the commands go well.
>>
>> But, the PolicySecret command takes the policy handle to extend as a 
>> parameter for HMAC.
>> If, the virtual handle and the (currently assigned) TPM differs, the 
>> HMAC calculations
>> for this command doesn't go well and produces the error code 0x98e.
>> Is my understanding right?
>> If so, is there any workaround?
>>
>> Thank you in advance.
>
-----
  Yasuhiro Hosoda

NTT Electronics Corporation (NEL)


[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 7955 bytes --]

^ permalink raw reply	[flat|nested] 17+ messages in thread

* [tpm2] tpm2-tss question
@ 2018-07-23  4:44 Yasuhiro Hosoda
  0 siblings, 0 replies; 17+ messages in thread
From: Yasuhiro Hosoda @ 2018-07-23  4:44 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 1173 bytes --]

Hello,

I found one problem about the TPM Dictionary Attack Lock mechanism.

I executed the following command sequence to check the functionality of 
DictionaryAttackLockReset.

(1) DictionaryAttackLockReset (right authValue) , rval=0

(2) DictionaryAttackParameters  (wrong authValue), rval=98e

(3) DictionaryAttackParameters  (right authValue), rval=921

<StartAuthSession(Policy)>

<Compute Policy>

(4) DictionaryAttackLockReset  (lockoutPolicy), rval=0

(5) DictionaryAttackLockReset  (right authValue), rval=921

 From the following document

"TCG Library Specification 1.38 Part1 19.8.5 Authorization Failures 
Involving lockoutAuth"

 >>When in this special lockout state, the TPM will not allow use of 
lockoutAuth. The TPM will exit this state when 
TPM2_DictionaryAttackLockReset() is used with a successful lockoutPolicy 
or after the TPM is powered for a configurable time period 
(lockoutRecovery).

I assume that in (1) and (5), the result will be the same.
However, different return codes are produced.

I would like to know why they are different.

-----
  Yasuhiro Hosoda

NTT Electronics Corporation (NEL)

^ permalink raw reply	[flat|nested] 17+ messages in thread
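
Added example, not part of the thread and not tpm2-tools code: a decoder for the TPM 2.0 response-code bit layout, applied to the return values quoted in the message above (0x98e, 0x921). The name table is a small constructed subset of the constants in the TPM 2.0 library specification, written with the `TPM2_RC_` prefix that the `tpm2_rc_decode` output in this thread uses.

```python
# TPM 2.0 response-code layout (TPM 2.0 library specification, Part 2):
#   bit 7 set   -> "format 1": bits 0-5 error number, bit 6 = parameter flag,
#                  bits 8-11 = parameter / session / handle index
#   bit 7 clear -> "format 0": bits 0-6 error number, bit 8 = TPM 2.0 code,
#                  bit 10 = vendor defined, bit 11 = warning severity
RC_VER1, RC_FMT1, RC_WARN = 0x100, 0x080, 0x900

# Constructed subset of the specification's name table (assumption: only the
# codes needed to read this thread plus a few neighbours).
NAMES = {
    0x000: "TPM2_RC_SUCCESS",
    RC_VER1 + 0x01: "TPM2_RC_FAILURE",
    RC_FMT1 + 0x0E: "TPM2_RC_AUTH_FAIL",
    RC_FMT1 + 0x1D: "TPM2_RC_POLICY_FAIL",
    RC_FMT1 + 0x22: "TPM2_RC_BAD_AUTH",
    RC_WARN + 0x21: "TPM2_RC_LOCKOUT",
    RC_WARN + 0x22: "TPM2_RC_RETRY",
}


def decode_tpm_rc(rc: int) -> dict:
    """Split a TSS2_RC into layer, base code and (for format 1) its subject."""
    layer = (rc >> 16) & 0xFF          # 0 means the code came from the TPM
    code = rc & 0xFFF
    result = {"layer": layer, "kind": None, "index": None}
    if layer != 0:
        result.update(fmt="tss-layer", base=rc & 0xFFFF, name=None)
        return result
    if code == 0:
        result.update(fmt="success", base=0, name=NAMES[0])
        return result
    if code & 0x080:                   # format 1
        base = RC_FMT1 + (code & 0x3F)
        n = (code >> 8) & 0xF
        if code & 0x040:               # P bit: error is tied to a parameter
            kind, index = "parameter", n
        elif n & 0x8:                  # top bit of N: tied to a session
            kind, index = "session", n & 0x7
        else:                          # otherwise tied to a handle
            kind, index = "handle", n & 0x7
        result.update(fmt="format1", base=base, kind=kind, index=index)
    elif not code & 0x100:             # V bit clear: TPM 1.2 style code
        result.update(fmt="tpm1.2", base=code)
    elif code & 0x400:                 # T bit: vendor-defined code
        result.update(fmt="vendor", base=code)
    elif code & 0x800:                 # S bit: warning, command may be retried
        result.update(fmt="format0", base=RC_WARN + (code & 0x7F),
                      kind="warning")
    else:
        result.update(fmt="format0", base=RC_VER1 + (code & 0x7F),
                      kind="error")
    result["name"] = NAMES.get(result["base"])
    return result


if __name__ == "__main__":
    # Return values as they appear in the command sequence above.
    for rval in (0x0, 0x98E, 0x921):
        print(hex(rval), decode_tpm_rc(rval))
```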

* Re: [tpm2] tpm2-tss question
@ 2018-04-11 11:18 Fuchs, Andreas
  0 siblings, 0 replies; 17+ messages in thread
From: Fuchs, Andreas @ 2018-04-11 11:18 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 2634 bytes --]

Yes, sessions (no matter if policy or hmac or trial) are not virtualized.

I assume tpm2-abrmd to be conforming to the spec.
If you find any deviation, they'll most happily fix them

________________________________
From: Yasuhiro Hosoda [hosoda-yasuhiro(a)ntt-el.com]
Sent: Wednesday, April 11, 2018 10:38
To: Fuchs, Andreas; tpm2(a)lists.01.org
Subject: Re: [tpm2] tpm2-tss question

Thank you very much for your answer.

I understand that the spec. is that the handles of policy session are
not virtualized

I checked the source programs of the resource managers.
(TPM2.0-TSS-1.0 and tpm2-abrmd-1.2.0)
It seems that HMAC sessions and Policy sessions are handled
in the same way. Do you have any comment about
implementations?

According to the spec, only key and sequence handles are virtualized.

Thus for PolicySecret, the virtual and TPM handles for policySession shall be the same.

For keys and sequences (such as authHandle in PolicySecret) the virtual and TPM handles differ.
But instead of the handle the key's / sequence's public name is used within the hmac calculation.

Hope this helps...

________________________________
From: tpm2 [tpm2-bounces(a)lists.01.org<mailto:tpm2-bounces(a)lists.01.org>] on behalf of Yasuhiro Hosoda [hosoda-yasuhiro(a)ntt-el.com<mailto:hosoda-yasuhiro(a)ntt-el.com>]
Sent: Wednesday, April 11, 2018 08:11
To: william.c.roberts(a)intel.com<mailto:william.c.roberts(a)intel.com>; tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
Subject: Re: [tpm2] tpm2-tss question

I have one finding about the RM and PolicySecret command,

It says in page 10 of the following document
"TCG TSS 2.0 TAB and Resource Manager specification"
https://trustedcomputinggroup.org/wp-content/uploads/TSS-2.0-TAB-Resource-Manager-SpecVer1.0-Rev18_review_END030918.pdf
that
"
The RM performs a mapping from the (unchanging) virtual handle to the (currently assigned) TPM
handle. It replaces the virtual handle with the TPM handle in the TPM command packet.

NOTE: The TPM 2.0 library specification excludes the handle from command stream HMAC calculations to enable this
substitution."
This means that if the virtual handle and the (currently assigned) TPM differs,
the HMAC calculations for most of the commands go well.

But, the PolicySecret command takes the policy handle to extend as a parameter for HMAC.
If, the virtual handle and the (currently assigned) TPM differs, the HMAC calculations
for this command doesn't go well and produces the error code 0x98e.
Is my understanding right?
If so, is there any workaround?

Thank you in advance.


[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 4460 bytes --]

^ permalink raw reply	[flat|nested] 17+ messages in thread
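
Added example, not part of the thread and not tpm2-tss code: the cpHash and authorization HMAC for PolicySecret, computed the way the TPM 2.0 library specification defines them, to show the point discussed above (a key's Name replaces its handle in the HMAC, while a session's Name is the handle value itself). The handle values are the ones printed in the trace (rows 11 and 25); the public area, authValue and nonces are constructed, and an unbound, unsalted SHA-256 HMAC session (empty sessionKey) is assumed.

```python
import hashlib
import hmac
import struct

TPM2_CC_POLICY_SECRET = 0x00000151   # TPM2_PolicySecret command code
TPM2_ALG_SHA256 = 0x000B
CONTINUE_SESSION = 0x01              # TPMA_SESSION.continueSession

# Handle values printed in the thread's trace (rows 11 and 25).
SK_REAL, SK_VIRTUAL = 0x80000001, 0x80000002
POLICY_REAL, POLICY_VIRTUAL = 0x03000000, 0x03000001

# Constructed sample data, not taken from the thread.
SK_PUBLIC = b"constructed marshaled TPMT_PUBLIC of SK"
SK_AUTH = b"constructed-authValue"
NONCE_CALLER = bytes(range(32))         # HMAC session, caller nonce
NONCE_TPM = bytes(range(32, 64))        # HMAC session, last TPM nonce
POLICY_NONCE_TPM = bytes(range(64, 96)) # policy session nonce (parameter)


def tpm2b(data: bytes) -> bytes:
    """Marshal a TPM2B: 16-bit big-endian size, then the bytes."""
    return struct.pack(">H", len(data)) + data


def entity_name(handle: int, public_area: bytes = b"") -> bytes:
    """Name that enters cpHash for one entry of the command's handle area."""
    handle_type = handle >> 24
    if handle_type in (0x01, 0x80, 0x81):   # NV index, transient, persistent
        # nameAlg || H(public area); SHA-256 nameAlg is assumed here.
        digest = hashlib.sha256(public_area).digest()
        return struct.pack(">H", TPM2_ALG_SHA256) + digest
    # PCR, sessions (0x02 / 0x03) and permanent handles: Name is the handle.
    return struct.pack(">I", handle)


def policy_secret_cp_hash(auth_handle: int, policy_session: int) -> bytes:
    """cpHash = H(commandCode || Name(authHandle) || Name(policySession) || params)."""
    params = (tpm2b(POLICY_NONCE_TPM)    # nonceTPM
              + tpm2b(b"")               # cpHashA
              + tpm2b(b"")               # policyRef
              + struct.pack(">i", 0))    # expiration
    return hashlib.sha256(
        struct.pack(">I", TPM2_CC_POLICY_SECRET)
        + entity_name(auth_handle, SK_PUBLIC)
        + entity_name(policy_session)
        + params).digest()


def auth_hmac(cp_hash: bytes) -> bytes:
    """HMAC over cpHash || nonceNewer || nonceOlder || sessionAttributes."""
    msg = cp_hash + NONCE_CALLER + NONCE_TPM + bytes([CONTINUE_SESSION])
    # Key is sessionKey || authValue; sessionKey is empty for this session.
    return hmac.new(SK_AUTH, msg, hashlib.sha256).digest()


def client_auth(auth_handle: int, policy_session: int) -> bytes:
    """What the application puts in the command's authorization area."""
    return auth_hmac(policy_secret_cp_hash(auth_handle, policy_session))


def tpm_accepts(mac: bytes) -> bool:
    """TPM side: recompute with the handles the TPM actually sees."""
    expected = auth_hmac(policy_secret_cp_hash(SK_REAL, POLICY_REAL))
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    cases = {
        "key virtual, session same as TPM": (SK_VIRTUAL, POLICY_REAL),
        "key virtual, session virtualized": (SK_VIRTUAL, POLICY_VIRTUAL),
    }
    for label, (key_h, sess_h) in cases.items():
        ok = tpm_accepts(client_auth(key_h, sess_h))
        print(f"{label}: {'accepted' if ok else 'HMAC mismatch'}")
```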

* Re: [tpm2] tpm2-tss question
@ 2018-04-11  8:38 Yasuhiro Hosoda
  0 siblings, 0 replies; 17+ messages in thread
From: Yasuhiro Hosoda @ 2018-04-11  8:38 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 2261 bytes --]

Thank you very much for your answer.

I understand that the spec. is that the handles of policy session are
not virtualized

I checked the source programs of the resource managers.
(TPM2.0-TSS-1.0 and tpm2-abrmd-1.2.0)
It seems that HMAC sessions and Policy sessions are handled
in the same way. Do you have any comment about
implementations?

> According to the spec, only key and sequence handles are virtualized.
>
> Thus for PolicySecret, the virtual and TPM handles for policySession  
> shall be the same.
>
> For keys and sequences (such as authHandle in PolicySecret) the  
> virtual and TPM handles differ.
> But instead of the handle the key's / sequence's public name is used  
> within the hmac calculation.
>
> Hope this helps...
>
> ------------------------------------------------------------------------
> *From:* tpm2 [tpm2-bounces(a)lists.01.org] on behalf of Yasuhiro Hosoda  
> [hosoda-yasuhiro(a)ntt-el.com]
> *Sent:* Wednesday, April 11, 2018 08:11
> *To:* william.c.roberts(a)intel.com; tpm2(a)lists.01.org
> *Subject:* Re: [tpm2] tpm2-tss question
>
> I have one finding about the RM and PolicySecret command,
>
> It says in page 10 of the following document
> "TCG TSS 2.0 TAB and Resource Manager specification"
> https://trustedcomputinggroup.org/wp-content/uploads/TSS-2.0-TAB-Resource-Manager-SpecVer1.0-Rev18_review_END030918.pdf
> that
> "
> The RM performs a mapping from the (unchanging) virtual handle to the  
> (currently assigned) TPM
> handle. It replaces the virtual handle with the TPM handle in the TPM  
> command packet.
>
> NOTE: The TPM 2.0 library specification excludes the handle from  
> command stream HMAC calculations to enable this
> substitution."
> This means that if the virtual handle and the (currently assigned) TPM  
> differs,
> the HMAC calculations for most of the commands go well.
>
> But, the PolicySecret command takes the policy handle to extend as a  
> parameter for HMAC.
> If, the virtual handle and the (currently assigned) TPM differs, the  
> HMAC calculations
> for this command doesn't go well and produces the error code 0x98e.
> Is my understanding right?
> If so, is there any workaround?
>
> Thank you in advance.


[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 4569 bytes --]

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [tpm2] tpm2-tss question
@ 2018-04-11  6:26 Fuchs, Andreas
  0 siblings, 0 replies; 17+ messages in thread
From: Fuchs, Andreas @ 2018-04-11  6:26 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 8127 bytes --]

According to the spec, only key and sequence handles are virtualized.

Thus for PolicySecret, the virtual and TPM handles for policySession shall be the same.

For keys and sequences (such as authHandle in PolicySecret) the virtual and TPM handles differ.
But instead of the handle the key's / sequence's public name is used within the hmac calculation.

Hope this helps...

________________________________
From: tpm2 [tpm2-bounces(a)lists.01.org] on behalf of Yasuhiro Hosoda [hosoda-yasuhiro(a)ntt-el.com]
Sent: Wednesday, April 11, 2018 08:11
To: william.c.roberts(a)intel.com; tpm2(a)lists.01.org
Subject: Re: [tpm2] tpm2-tss question

I have one finding about the RM and PolicySecret command,

It says in page 10 of the following document
"TCG TSS 2.0 TAB and Resource Manager specification"
https://trustedcomputinggroup.org/wp-content/uploads/TSS-2.0-TAB-Resource-Manager-SpecVer1.0-Rev18_review_END030918.pdf
that
"
The RM performs a mapping from the (unchanging) virtual handle to the (currently assigned) TPM
handle. It replaces the virtual handle with the TPM handle in the TPM command packet.

NOTE: The TPM 2.0 library specification excludes the handle from command stream HMAC calculations to enable this
substitution."
This means that if the virtual handle and the (currently assigned) TPM differs,
the HMAC calculations for most of the commands go well.

But, the PolicySecret command takes the policy handle to extend as a parameter for HMAC.
If, the virtual handle and the (currently assigned) TPM differs, the HMAC calculations
for this command doesn't go well and produces the error code 0x98e.
Is my understanding right?
If so, is there any workaround?

Thank you in advance.

You said in the former mail that
"Unless you took an RM virtualized handle and went directly to the TPM
with it, there shouldn't Be a problem"
I have checked again and found that my program uses an RM
virtualized handle for computing HMAC and if I substitute the virtual
handle to real one, the error 0x98e disappears,
Any advice?

Thank you for your reply.

Where can I find necessary information for "get HMAC to work"?

And, where can I find extended-sessions.sh?

Many thanks.
test/system/tests/tcti/abrmd/extended-sessions.sh

That uses abrmd which has an RM extension to allow session handles
to be marked for non-flushing on client disconnection, but that
point likely won't concern you.

This test script uses tools that start a pcr policy session, satisfy or build the policy,
and use it for unsealing data.

It might be good to see if you can get HMAC to work in this framework from a
Learning perspective and then you could contribute hmac policy session support
Back to the tools.


-----Original Message-----
From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
Sent: Thursday, January 18, 2018 3:11 PM
To: Roberts, William C <william.c.roberts(a)intel.com><mailto:william.c.roberts(a)intel.com>; tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
Subject: Re: [tpm2] tpm2-tss question

You said that "I would look at how the tpm2-tools do it, they make for decent
reference code."
Would you tell me the place of tpm2-tools where I should look as reference code.
Regards,

-----Original Message-----
From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
Sent: Thursday, January 18, 2018 6:44 AM
To: Roberts, William C <william.c.roberts(a)intel.com><mailto:william.c.roberts(a)intel.com>; tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
Subject: Re: [tpm2] tpm2-tss question

I appreciate much for your help. I am expecting for your information about
tpm2-tools.
What information are you expecting?

-----Original Message-----
From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
Sent: Friday, January 12, 2018 1:47 AM
To: Roberts, William C <william.c.roberts(a)intel.com><mailto:william.c.roberts(a)intel.com>;
tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
Subject: Re: [tpm2] tpm2-tss question

Hi, Mr. Roberts, William

Thank you for your advice.
I had already checked the details of this error code.
My understanding is that the problem is not the setting of the auth
but there occurs the discrepancy between the virtual handles and the
real handles in the resource manager.
Unless you took an RM virtualized handle and went directly to the TPM
with it, there shouldn't Be a problem. The RM should be swapping out
virtualized handles with real ones for you before They hit the tpm, and thus,
should be transparent.
As far as what the problem is, it's hard to tell offhand. I would look
at how the tpm2-tools do it, they make for decent reference code.

Any help will be greatly appreciated

Regard,
0x98e is:

$ ./tpm2_rc_decode 0x98e
error layer
      hex: 0x0
      identifier: TSS2_TPM_RC_LAYER
      description: Error produced by the TPM
format 1 error code
      hex: 0x0e
      identifier: TPM2_RC_AUTH_FAIL
      description: the authorization HMAC check failed and DA counter incremented
session
      hex: 0x100
      identifier: TPM2_RC_1
      description:  (null)

SO it looks like you're not setting up the auth properly in the session.

-----Original Message-----
From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Yasuhiro
Hosoda
Sent: Wednesday, December 13, 2017 10:59 PM
To: tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
Subject: [tpm2] tpm2-tss question

MY name is Yasuhiro Hosoda.


I am developing a program using TSS1.0(Nov1.2016).
I encountered a problem with PolicySecret error 0x98e and need help.
My program uses tpmtest.cpp as a base of development.
The situation is as follows:

1 Create TPM Keys like this.

EK
|--------
|          |
MK       AK
|
SK

2 Execute PolicySecret twice using HMAC session. At first, it ends
without
error.
Then it ends with 0x98e For clarification, I print out the values
of Virtual Handle and Real Handle.
The value of Virtual/Real Handles differ at 2nd execution of the command.
(See NO 25/26 Below)

I understand that the resource manager assigns Virtual Handle and
my program calculates HMAC using that handles.
On the other hand, TPM may calculate HMAC using Real Handle.
That is my hypothesis.

Any suggestion about the usage of Session Handle?

NO  Command                           Virtual/Real Handle              LOC
1.  CreatePrimary(EK)                 real=80000000, virtual=80000000  8381
2.  HierarchyChangeAuth1              -                                8421
3.  HierarchyChangeAuth2              -                                8431
4.  StartAuthSession(Policy)          real=3000000, virtual=3000000    8480
5.  PolicySecret(ENDORSEMENT)         -                                8494
6.  Create(MK)                        -                                8515
7.  PolicySecret(ENDORSEMENT)         -                                8529
8.  Load(MK)                          real=80000001, virtual=80000001  8542
9.  Evict(MK)                         -                                8552
10. Create(SK)                        -                                8590
11. Load(SK)                          real=80000001, virtual=80000002  8598
12. PolicySecret(ENDORSEMENT)         -                                8609
13. Create(AK)                        -                                8635
14. PolicySecret(ENDORSEMENT)         -                                8645
15. Load(AK)                          real=80000001, virtual=80000003  8655
16. FlushContext(POLICY)              -                                8664
17. StartAuthSession(POLICY)          real=3000000, virtual=3000000    8668
18. StartAuthSession(HMAC)            real=2000001, virtual=2000001    8678
19. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000004  3706
20. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000005  3706
21. PolicySecret(SK)                  -                                8711
22. FlushContext(HMAC)                -                                8717
23. FlushContext(POLICY)              -                                8724
24. CertifyCreation(SK)               -                                8738
25. StartAuthSession(POLICY)          real=3000000, virtual=3000001    8745
26. StartAuthSession(HMAC)            real=2000001, virtual=2000000    8754
27. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000005  8782
28. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000004  8782
29. PolicySecret(SK)                  -                                8789

The whole  source program can be found here.
https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt


Kind regards,

--
Yasuhiro Hosoda

NTT Electronics Corporation (NEL)
Security Support Project


_______________________________________________
tpm2 mailing list
tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
https://lists.01.org/mailman/listinfo/tpm2





[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 13026 bytes --]

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [tpm2] tpm2-tss question
@ 2018-04-11  6:11 Yasuhiro Hosoda
  0 siblings, 0 replies; 17+ messages in thread
From: Yasuhiro Hosoda @ 2018-04-11  6:11 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 9272 bytes --]

I have one finding about the RM and PolicySecret command,

It says in page 10 of the following document
"TCG TSS 2.0 TAB and Resource Manager specification"
https://trustedcomputinggroup.org/wp-content/uploads/TSS-2.0-TAB-Resource-Manager-SpecVer1.0-Rev18_review_END030918.pdf
that
"
The RM performs a mapping from the (unchanging) virtual handle to the 
(currently assigned) TPM
handle. It replaces the virtual handle with the TPM handle in the TPM 
command packet.

NOTE: The TPM 2.0 library specification excludes the handle from command 
stream HMAC calculations to enable this
substitution."
This means that if the virtual handle and the (currently assigned) TPM 
differs,
the HMAC calculations for most of the commands go well.

But, the PolicySecret command takes the policy handle to extend as a 
parameter for HMAC.
If, the virtual handle and the (currently assigned) TPM differs, the 
HMAC calculations
for this command doesn't go well and produces the error code 0x98e.
Is my understanding right?
If so, is there any workaround?

Thank you in advance.
>
>> You said in the former mail that
>> "Unless you took an RM virtualized handle and went directly to the TPM
>> with it, there shouldn't Be a problem"
>> I have checked again and found that my program uses an RM
>> virtualized handle for computing HMAC and if I substitute the virtual
>> handle to real one, the error 0x98e disappears,
>> Any advice?
>>
>>> Thank you for your reply.
>>>
>>> Where can I find necessary information for "get HMAC to work"?
>>>
>>> And, where can I find extended-sessions.sh?
>>>
>>> Many thanks.
>>>> test/system/tests/tcti/abrmd/extended-sessions.sh
>>>>
>>>> That uses abrmd which has an RM extension to allow session handles
>>>> to be marked for non-flushing on client disconnection, but that
>>>> point likely won't concern you.
>>>>
>>>> This test script uses tools that start a pcr policy session, 
>>>> satisfy or build the policy,
>>>> and use it for unsealing data.
>>>>
>>>> It might be good to see if you can get HMAC to work in this 
>>>> framework from a
>>>> Learning perspective and then you could contribute hmac policy 
>>>> session support
>>>> Back to the tools.
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>>> Sent: Thursday, January 18, 2018 3:11 PM
>>>>> To: Roberts, William C <william.c.roberts(a)intel.com>; 
>>>>> tpm2(a)lists.01.org
>>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>>
>>>>> You said that "I would look at how the tpm2-tools do it, they make 
>>>>> for decent
>>>>> reference code."
>>>>> Would you tell me the place of tpm2-tools where I should look as 
>>>>> reference code.
>>>>> Regards,
>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>>>>> Sent: Thursday, January 18, 2018 6:44 AM
>>>>>>> To: Roberts, William C <william.c.roberts(a)intel.com>; 
>>>>>>> tpm2(a)lists.01.org
>>>>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>>>>
>>>>>>> I appreciate much for your help. I am expecting for your 
>>>>>>> information about
>>>>> tpm2-
>>>>>>> tools.
>>>>>> What information are you expecting?
>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>>>>>>> Sent: Friday, January 12, 2018 1:47 AM
>>>>>>>>> To: Roberts, William C <william.c.roberts(a)intel.com>;
>>>>>>>>> tpm2(a)lists.01.org
>>>>>>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>>>>>>
>>>>>>>>> Hi, Mr. Roberts, William
>>>>>>>>>
>>>>>>>>> Thank you for your advice.
>>>>>>>>> I had already checked the details of this error code.
>>>>>>>>> My understanding is that the problem is not the setting of the 
>>>>>>>>> auth
>>>>>>>>> but there occurs the discrepancy between the virtual handles 
>>>>>>>>> and the
>>>>>>>>> real handles in the resource manager.
>>>>>>>> Unless you took an RM virtualized handle and went directly to 
>>>>>>>> the TPM
>>>>>>>> with it, there shouldn't Be a problem. The RM should be 
>>>>>>>> swapping out
>>>>>>>> virtualized handles with real ones for you before They hit the 
>>>>>>>> tpm, and thus,
>>>>>>> should be transparent.
>>>>>>>> As far as what the problem is, it's hard to tell offhand. I 
>>>>>>>> would look
>>>>>>>> at how the tpm2-tools do it, they make for decent reference code.
>>>>>>>>
>>>>>>>>> Any help will be greatly appreciated
>>>>>>>>>
>>>>>>>>> Regard,
>>>>>>>>>> 0x98e is:
>>>>>>>>>>
>>>>>>>>>> $ ./tpm2_rc_decode 0x98e
>>>>>>>>>> error layer
>>>>>>>>>>       hex: 0x0
>>>>>>>>>>       identifier: TSS2_TPM_RC_LAYER
>>>>>>>>>>       description: Error produced by the TPM
>>>>>>>>>> format 1 error code
>>>>>>>>>>       hex: 0x0e
>>>>>>>>>>       identifier: TPM2_RC_AUTH_FAIL
>>>>>>>>>>       description: the authorization HMAC check failed and DA counter incremented
>>>>>>>>>> session
>>>>>>>>>>       hex: 0x100
>>>>>>>>>>       identifier: TPM2_RC_1
>>>>>>>>>>       description:  (null)
>>>>>>>>>>
>>>>>>>>>> SO it looks like you're not setting up the auth properly in 
>>>>>>>>>> the session.
>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of 
>>>>>>>>>>> Yasuhiro
>>>>>>>>>>> Hosoda
>>>>>>>>>>> Sent: Wednesday, December 13, 2017 10:59 PM
>>>>>>>>>>> To: tpm2(a)lists.01.org
>>>>>>>>>>> Subject: [tpm2] tpm2-tss question
>>>>>>>>>>>
>>>>>>>>>>> MY name is Yasuhiro Hosoda.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I am developing a program using TSS1.0(Nov1.2016).
>>>>>>>>>>> I encountered a problem with PolicySecret error 0x98e and 
>>>>>>>>>>> need help.
>>>>>>>>>>> My program uses tpmtest.cpp as a base of development.
>>>>>>>>>>> The situation is as follows:
>>>>>>>>>>>
>>>>>>>>>>> 1 Create TPM Keys like this.
>>>>>>>>>>>
>>>>>>>>>>> EK
>>>>>>>>>>> |--------
>>>>>>>>>>> |          |
>>>>>>>>>>> MK       AK
>>>>>>>>>>> |
>>>>>>>>>>> SK
>>>>>>>>>>>
>>>>>>>>>>> 2 Execute PolicySecret twice using HMAC session. At first, 
>>>>>>>>>>> it ends
>>>>>>>>>>> without
>>>>>>>>> error.
>>>>>>>>>>> Then it ends with 0x98e For clarification, I print out the 
>>>>>>>>>>> values
>>>>>>>>>>> of Virtual Handle and Real Handle.
>>>>>>>>>>> The value of Virtual/Real Handles differ at 2nd execution of
>>>>>>>>>>> the command.
>>>>>>>>>>> (See NO 25/26 Below)
>>>>>>>>>>>
>>>>>>>>>>> I understand that the resource manager assigns Virtual 
>>>>>>>>>>> Handle and
>>>>>>>>>>> my program calculates HMAC using that handles.
>>>>>>>>>>> On the other hand, TPM may calculate HMAC using Real Handle.
>>>>>>>>>>> That is my hypothesis.
>>>>>>>>>>>
>>>>>>>>>>> Any suggestion about the usage of Session Handle?
>>>>>>>>>>>
>>>>>>>>>>> NO  Command                           Virtual/Real Handle              LOC
>>>>>>>>>>> 1.  CreatePrimary(EK)                 real=80000000, virtual=80000000  8381
>>>>>>>>>>> 2.  HierarchyChangeAuth1              -                                8421
>>>>>>>>>>> 3.  HierarchyChangeAuth2              -                                8431
>>>>>>>>>>> 4.  StartAuthSession(Policy)          real=3000000, virtual=3000000    8480
>>>>>>>>>>> 5.  PolicySecret(ENDORSEMENT)         -                                8494
>>>>>>>>>>> 6.  Create(MK)                        -                                8515
>>>>>>>>>>> 7.  PolicySecret(ENDORSEMENT)         -                                8529
>>>>>>>>>>> 8.  Load(MK)                          real=80000001, virtual=80000001  8542
>>>>>>>>>>> 9.  Evict(MK)                         -                                8552
>>>>>>>>>>> 10. Create(SK)                        -                                8590
>>>>>>>>>>> 11. Load(SK)                          real=80000001, virtual=80000002  8598
>>>>>>>>>>> 12. PolicySecret(ENDORSEMENT)         -                                8609
>>>>>>>>>>> 13. Create(AK)                        -                                8635
>>>>>>>>>>> 14. PolicySecret(ENDORSEMENT)         -                                8645
>>>>>>>>>>> 15. Load(AK)                          real=80000001, virtual=80000003  8655
>>>>>>>>>>> 16. FlushContext(POLICY)              -                                8664
>>>>>>>>>>> 17. StartAuthSession(POLICY)          real=3000000, virtual=3000000    8668
>>>>>>>>>>> 18. StartAuthSession(HMAC)            real=2000001, virtual=2000001    8678
>>>>>>>>>>> 19. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000004  3706
>>>>>>>>>>> 20. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000005  3706
>>>>>>>>>>> 21. PolicySecret(SK)                  -                                8711
>>>>>>>>>>> 22. FlushContext(HMAC)                -                                8717
>>>>>>>>>>> 23. FlushContext(POLICY)              -                                8724
>>>>>>>>>>> 24. CertifyCreation(SK)               -                                8738
>>>>>>>>>>> 25. StartAuthSession(POLICY)          real=3000000, virtual=3000001    8745
>>>>>>>>>>> 26. StartAuthSession(HMAC)            real=2000001, virtual=2000000    8754
>>>>>>>>>>> 27. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000005  8782
>>>>>>>>>>> 28. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000004  8782
>>>>>>>>>>> 29. PolicySecret(SK)                  -                                8789
>>>>>>>>>>>
>>>>>>>>>>> The whole  source program can be found here.
>>>>>>>>>>> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Kind regards,
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> Yasuhiro Hosoda
>>>>>>>>>>>
>>>>>>>>>>> NTT Electronics Corporation (NEL)
>>>>>>>>>>> Security Support Project
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> tpm2 mailing list
>>>>>>>>>>> tpm2(a)lists.01.org
>>>>>>>>>>> https://lists.01.org/mailman/listinfo/tpm2
>>>>>
>>>
>
> -- 
>

-- 



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [tpm2] tpm2-tss question
@ 2018-02-28 22:54 Yasuhiro Hosoda
  0 siblings, 0 replies; 17+ messages in thread
From: Yasuhiro Hosoda @ 2018-02-28 22:54 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 8622 bytes --]

I am still expecting your response about this issue.
> You said in the former mail that
> "Unless you took an RM virtualized handle and went directly to the TPM
> with it, there shouldn't Be a problem"
> I have checked again and found that my program uses an RM
> virtualized handle for computing HMAC, and if I substitute the virtual
> handle with the real one, the error 0x98e disappears.
> Any advice?
>
>> Thank you for your reply.
>>
>> Where can I find necessary information for "get HMAC to work"?
>>
>> And, where can I find extended-sessions.sh?
>>
>> Many thanks.
>>> test/system/tests/tcti/abrmd/extended-sessions.sh
>>>
>>> That uses abrmd which has an RM extension to allow session handles
>>> to be marked for non-flushing on client disconnection, but that
>>> point likely won't concern you.
>>>
>>> This test script uses tools that start a pcr policy session, satisfy 
>>> or build the policy,
>>> and use it for unsealing data.
>>>
>>> It might be good to see if you can get HMAC to work in this 
>>> framework from a
>>> Learning perspective and then you could contribute hmac policy 
>>> session support
>>> Back to the tools.
>>>
>>>
>>>> -----Original Message-----
>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>> Sent: Thursday, January 18, 2018 3:11 PM
>>>> To: Roberts, William C <william.c.roberts(a)intel.com>; 
>>>> tpm2(a)lists.01.org
>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>
>>>> You said that "I would look at how the tpm2-tools do it, they make 
>>>> for decent
>>>> reference code."
>>>> Would you tell me the place of tpm2-tools where I should look as 
>>>> reference code.
>>>> Regards,
>>>>
>>>>>> -----Original Message-----
>>>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>>>> Sent: Thursday, January 18, 2018 6:44 AM
>>>>>> To: Roberts, William C <william.c.roberts(a)intel.com>; 
>>>>>> tpm2(a)lists.01.org
>>>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>>>
>>>>>> I appreciate much for your help. I am expecting for your 
>>>>>> information about
>>>> tpm2-
>>>>>> tools.
>>>>> What information are you expecting?
>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>>>>>> Sent: Friday, January 12, 2018 1:47 AM
>>>>>>>> To: Roberts, William C <william.c.roberts(a)intel.com>;
>>>>>>>> tpm2(a)lists.01.org
>>>>>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>>>>>
>>>>>>>> Hi, Mr. Roberts, William
>>>>>>>>
>>>>>>>> Thank you for your advice.
>>>>>>>> I had already checked the details of this error code.
>>>>>>>> My understanding is that the problem is not the setting of the 
>>>>>>>> auth
>>>>>>>> but there occurs the discrepancy between the virtual handles 
>>>>>>>> and the
>>>>>>>> real handles in the resource manager.
>>>>>>> Unless you took an RM virtualized handle and went directly to 
>>>>>>> the TPM
>>>>>>> with it, there shouldn't Be a problem. The RM should be swapping 
>>>>>>> out
>>>>>>> virtualized handles with real ones for you before They hit the 
>>>>>>> tpm, and thus,
>>>>>> should be transparent.
>>>>>>> As far as what the problem is, it's hard to tell offhand. I 
>>>>>>> would look
>>>>>>> at how the tpm2-tools do it, they make for decent reference code.
>>>>>>>
>>>>>>>> Any help will be greatly appreciated
>>>>>>>>
>>>>>>>> Regard,
>>>>>>>>> 0x98e is:
>>>>>>>>>
>>>>>>>>> $ ./tpm2_rc_decode 0x98e
>>>>>>>>> error layer
>>>>>>>>>       hex: 0x0
>>>>>>>>>       identifier: TSS2_TPM_RC_LAYER
>>>>>>>>>       description: Error produced by the TPM format 1 error code
>>>>>>>>>       hex: 0x0e
>>>>>>>>>       identifier: TPM2_RC_AUTH_FAIL
>>>>>>>>>       description: the authorization HMAC check failed and DA 
>>>>>>>>> counter
>>>>>>>>> incremented session
>>>>>>>>>       hex: 0x100
>>>>>>>>>       identifier: TPM2_RC_1
>>>>>>>>>       description:  (null)
>>>>>>>>>
>>>>>>>>> SO it looks like you're not setting up the auth properly in 
>>>>>>>>> the session.
>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of 
>>>>>>>>>> Yasuhiro
>>>>>>>>>> Hosoda
>>>>>>>>>> Sent: Wednesday, December 13, 2017 10:59 PM
>>>>>>>>>> To: tpm2(a)lists.01.org
>>>>>>>>>> Subject: [tpm2] tpm2-tss question
>>>>>>>>>>
>>>>>>>>>> MY name is Yasuhiro Hosoda.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I am developing a program using TSS1.0(Nov1.2016).
>>>>>>>>>> I encountered a problem with PolicySecret error 0x98e and 
>>>>>>>>>> need help.
>>>>>>>>>> My program uses tpmtest.cpp as a base of development.
>>>>>>>>>> The situation is as follows:
>>>>>>>>>>
>>>>>>>>>> 1 Create TPM Keys like this.
>>>>>>>>>>
>>>>>>>>>> EK
>>>>>>>>>> |--------
>>>>>>>>>> |          |
>>>>>>>>>> MK       AK
>>>>>>>>>> |
>>>>>>>>>> SK
>>>>>>>>>>
>>>>>>>>>> 2 Execute PolicySecret twice using HMAC session. At first, it ends
>>>>>>>>>> without error.
>>>>>>>>>> Then it ends with 0x98e. For clarification, I print out the values
>>>>>>>>>> of Virtual Handle and Real Handle.
>>>>>>>>>> The value of Virtual/Real Handles differ at 2nd execution of the command.
>>>>>>>>>> (See NO 25/26 Below)
>>>>>>>>>>
>>>>>>>>>> I understand that the resource manager assigns Virtual Handle and
>>>>>>>>>> my program calculates HMAC using that handles.
>>>>>>>>>> On the other hand, TPM may calculate HMAC using Real Handle.
>>>>>>>>>> That is my hypothesis.
>>>>>>>>>>
>>>>>>>>>> Any suggestion about the usage of Session Handle?
>>>>>>>>>>
>>>>>>>>>> NO  Command                           Virtual/Real Handle              LOC
>>>>>>>>>> 1.  CreatePrimary(EK)                 real=80000000, virtual=80000000  8381
>>>>>>>>>> 2.  HierarchyChangeAuth1                                               8421
>>>>>>>>>> 3.  HierarchyChangeAuth2                                               8431
>>>>>>>>>> 4.  StartAuthSession(Policy)          real=3000000, virtual=3000000    8480
>>>>>>>>>> 5.  PolicySecret(ENDORSEMENT)                                          8494
>>>>>>>>>> 6.  Create(MK)                                                         8515
>>>>>>>>>> 7.  PolicySecret(ENDORSEMENT)                                          8529
>>>>>>>>>> 8.  Load(MK)                          real=80000001, virtual=80000001  8542
>>>>>>>>>> 9.  Evict(MK)                                                          8552
>>>>>>>>>> 10. Create(SK)                                                         8590
>>>>>>>>>> 11. Load(SK)                          real=80000001, virtual=80000002  8598
>>>>>>>>>> 12. PolicySecret(ENDORSEMENT)                                          8609
>>>>>>>>>> 13. Create(AK)                                                         8635
>>>>>>>>>> 14. PolicySecret(ENDORSEMENT)                                          8645
>>>>>>>>>> 15. Load(AK)                          real=80000001, virtual=80000003  8655
>>>>>>>>>> 16. FlushContext(POLICY)                                               8664
>>>>>>>>>> 17. StartAuthSession(POLICY)          real=3000000, virtual=3000000    8668
>>>>>>>>>> 18. StartAuthSession(HMAC)            real=2000001, virtual=2000001    8678
>>>>>>>>>> 19. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000004  3706
>>>>>>>>>> 20. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000005  3706
>>>>>>>>>> 21. PolicySecret(SK)                                                   8711
>>>>>>>>>> 22. FlushContext(HMAC)                                                 8717
>>>>>>>>>> 23. FlushContext(POLICY)                                               8724
>>>>>>>>>> 24. CertifyCreation(SK)                                                8738
>>>>>>>>>> 25. StartAuthSession(POLICY)          real=3000000, virtual=3000001    8745
>>>>>>>>>> 26. StartAuthSession(HMAC)            real=2000001, virtual=2000000    8754
>>>>>>>>>> 27. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000005  8782
>>>>>>>>>> 28. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000004  8782
>>>>>>>>>> 29. PolicySecret(SK)                                                   8789
>>>>>>>>>>
>>>>>>>>>> The whole  source program can be found here.
>>>>>>>>>> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> Yasuhiro Hosoda
>>>>>>>>>>
>>>>>>>>>> NTT Electronics Corporation (NEL)
>>>>>>>>>> Security Support Project
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> tpm2 mailing list
>>>>>>>>>> tpm2(a)lists.01.org
>>>>>>>>>> https://lists.01.org/mailman/listinfo/tpm2
>>>>
>>

-- 
  __________________________________________
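/ Yasuhiro Hosoda
|
| NTT Electronics Corporation (NEL)
|
| Systemization Support Center
| Security Technology Support Project
|
| 1-1-32 Shin-Urashima-cho, Kanagawa-ku,
| Yokohama, Kanagawa 221-0031
|  New Stage Yokohama
|
| Tel 050-9000-6109/050-9000-6485 (direct)
|   (9225 (ext.))
|  Fax 045-453-9620
|  E-mail:hosoda-yasuhiro(a)ntt-el.com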
|________________________________________/



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [tpm2] tpm2-tss question
@ 2018-02-08 13:26 Yasuhiro Hosoda
  0 siblings, 0 replies; 17+ messages in thread
From: Yasuhiro Hosoda @ 2018-02-08 13:26 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 7710 bytes --]

You said in the former mail that
"Unless you took an RM virtualized handle and went directly to the TPM
with it, there shouldn't Be a problem"
I have checked again and found that my program uses an RM
virtualized handle for computing HMAC, and if I substitute the virtual
handle with the real one, the error 0x98e disappears.
Any advice?

> Thank you for your reply.
>
> Where can I find necessary information for "get HMAC to work"?
>
> And, where can I find extended-sessions.sh?
>
> Many thanks.
>> test/system/tests/tcti/abrmd/extended-sessions.sh
>>
>> That uses abrmd which has an RM extension to allow session handles
>> to be marked for non-flushing on client disconnection, but that
>> point likely won't concern you.
>>
>> This test script uses tools that start a pcr policy session, satisfy 
>> or build the policy,
>> and use it for unsealing data.
>>
>> It might be good to see if you can get HMAC to work in this framework 
>> from a
>> Learning perspective and then you could contribute hmac policy 
>> session support
>> Back to the tools.
>>
>>
>>> -----Original Message-----
>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>> Sent: Thursday, January 18, 2018 3:11 PM
>>> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org
>>> Subject: Re: [tpm2] tpm2-tss question
>>>
>>> You said that "I would look at how the tpm2-tools do it, they make 
>>> for decent
>>> reference code."
>>> Would you tell me the place of tpm2-tools where I should look as 
>>> reference code.
>>> Regards,
>>>
>>>>> -----Original Message-----
>>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>>> Sent: Thursday, January 18, 2018 6:44 AM
>>>>> To: Roberts, William C <william.c.roberts(a)intel.com>; 
>>>>> tpm2(a)lists.01.org
>>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>>
>>>>> I appreciate much for your help. I am expecting for your 
>>>>> information about
>>> tpm2-
>>>>> tools.
>>>> What information are you expecting?
>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>>>>> Sent: Friday, January 12, 2018 1:47 AM
>>>>>>> To: Roberts, William C <william.c.roberts(a)intel.com>;
>>>>>>> tpm2(a)lists.01.org
>>>>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>>>>
>>>>>>> Hi, Mr. Roberts, William
>>>>>>>
>>>>>>> Thank you for your advice.
>>>>>>> I had already checked the details of this error code.
>>>>>>> My understanding is that the problem is not the setting of the auth
>>>>>>> but there occurs the discrepancy between the virtual handles and 
>>>>>>> the
>>>>>>> real handles in the resource manager.
>>>>>> Unless you took an RM virtualized handle and went directly to the 
>>>>>> TPM
>>>>>> with it, there shouldn't Be a problem. The RM should be swapping out
>>>>>> virtualized handles with real ones for you before They hit the 
>>>>>> tpm, and thus,
>>>>> should be transparent.
>>>>>> As far as what the problem is, it's hard to tell offhand. I would 
>>>>>> look
>>>>>> at how the tpm2-tools do it, they make for decent reference code.
>>>>>>
>>>>>>> Any help will be greatly appreciated
>>>>>>>
>>>>>>> Regard,
>>>>>>>> 0x98e is:
>>>>>>>>
>>>>>>>> $ ./tpm2_rc_decode 0x98e
>>>>>>>> error layer
>>>>>>>>       hex: 0x0
>>>>>>>>       identifier: TSS2_TPM_RC_LAYER
>>>>>>>>       description: Error produced by the TPM format 1 error code
>>>>>>>>       hex: 0x0e
>>>>>>>>       identifier: TPM2_RC_AUTH_FAIL
>>>>>>>>       description: the authorization HMAC check failed and DA 
>>>>>>>> counter
>>>>>>>> incremented session
>>>>>>>>       hex: 0x100
>>>>>>>>       identifier: TPM2_RC_1
>>>>>>>>       description:  (null)
>>>>>>>>
>>>>>>>> SO it looks like you're not setting up the auth properly in the 
>>>>>>>> session.
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of 
>>>>>>>>> Yasuhiro
>>>>>>>>> Hosoda
>>>>>>>>> Sent: Wednesday, December 13, 2017 10:59 PM
>>>>>>>>> To: tpm2(a)lists.01.org
>>>>>>>>> Subject: [tpm2] tpm2-tss question
>>>>>>>>>
>>>>>>>>> MY name is Yasuhiro Hosoda.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I am developing a program using TSS1.0(Nov1.2016).
>>>>>>>>> I encountered a problem with PolicySecret error 0x98e and need 
>>>>>>>>> help.
>>>>>>>>> My program uses tpmtest.cpp as a base of development.
>>>>>>>>> The situation is as follows:
>>>>>>>>>
>>>>>>>>> 1 Create TPM Keys like this.
>>>>>>>>>
>>>>>>>>> EK
>>>>>>>>> |--------
>>>>>>>>> |          |
>>>>>>>>> MK       AK
>>>>>>>>> |
>>>>>>>>> SK
>>>>>>>>>
>>>>>>>>> 2 Execute PolicySecret twice using HMAC session. At first, it ends
>>>>>>>>> without error.
>>>>>>>>> Then it ends with 0x98e. For clarification, I print out the values
>>>>>>>>> of Virtual Handle and Real Handle.
>>>>>>>>> The value of Virtual/Real Handles differ at 2nd execution of the command.
>>>>>>>>> (See NO 25/26 Below)
>>>>>>>>>
>>>>>>>>> I understand that the resource manager assigns Virtual Handle and
>>>>>>>>> my program calculates HMAC using that handles.
>>>>>>>>> On the other hand, TPM may calculate HMAC using Real Handle.
>>>>>>>>> That is my hypothesis.
>>>>>>>>>
>>>>>>>>> Any suggestion about the usage of Session Handle?
>>>>>>>>>
>>>>>>>>> NO  Command                           Virtual/Real Handle              LOC
>>>>>>>>> 1.  CreatePrimary(EK)                 real=80000000, virtual=80000000  8381
>>>>>>>>> 2.  HierarchyChangeAuth1                                               8421
>>>>>>>>> 3.  HierarchyChangeAuth2                                               8431
>>>>>>>>> 4.  StartAuthSession(Policy)          real=3000000, virtual=3000000    8480
>>>>>>>>> 5.  PolicySecret(ENDORSEMENT)                                          8494
>>>>>>>>> 6.  Create(MK)                                                         8515
>>>>>>>>> 7.  PolicySecret(ENDORSEMENT)                                          8529
>>>>>>>>> 8.  Load(MK)                          real=80000001, virtual=80000001  8542
>>>>>>>>> 9.  Evict(MK)                                                          8552
>>>>>>>>> 10. Create(SK)                                                         8590
>>>>>>>>> 11. Load(SK)                          real=80000001, virtual=80000002  8598
>>>>>>>>> 12. PolicySecret(ENDORSEMENT)                                          8609
>>>>>>>>> 13. Create(AK)                                                         8635
>>>>>>>>> 14. PolicySecret(ENDORSEMENT)                                          8645
>>>>>>>>> 15. Load(AK)                          real=80000001, virtual=80000003  8655
>>>>>>>>> 16. FlushContext(POLICY)                                               8664
>>>>>>>>> 17. StartAuthSession(POLICY)          real=3000000, virtual=3000000    8668
>>>>>>>>> 18. StartAuthSession(HMAC)            real=2000001, virtual=2000001    8678
>>>>>>>>> 19. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000004  3706
>>>>>>>>> 20. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000005  3706
>>>>>>>>> 21. PolicySecret(SK)                                                   8711
>>>>>>>>> 22. FlushContext(HMAC)                                                 8717
>>>>>>>>> 23. FlushContext(POLICY)                                               8724
>>>>>>>>> 24. CertifyCreation(SK)                                                8738
>>>>>>>>> 25. StartAuthSession(POLICY)          real=3000000, virtual=3000001    8745
>>>>>>>>> 26. StartAuthSession(HMAC)            real=2000001, virtual=2000000    8754
>>>>>>>>> 27. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000005  8782
>>>>>>>>> 28. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000004  8782
>>>>>>>>> 29. PolicySecret(SK)                                                   8789
>>>>>>>>>
>>>>>>>>> The whole  source program can be found here.
>>>>>>>>> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Yasuhiro Hosoda
>>>>>>>>>
>>>>>>>>> NTT Electronics Corporation (NEL)
>>>>>>>>> Security Support Project
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> tpm2 mailing list
>>>>>>>>> tpm2(a)lists.01.org
>>>>>>>>> https://lists.01.org/mailman/listinfo/tpm2
>>>
>

^ permalink raw reply	[flat|nested] 17+ messages in thread
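
The handle-in-HMAC hypothesis from the message above, worked through as an added example (not code from the thread, tpmtest.cpp or tpm2-tss): per the TPM 2.0 specification the command HMAC covers cpHash, which hashes entity Names rather than raw handles, and for a session the Name is the handle value itself. The key, nonces and public area below are constructed, and reading log row 25 as the policy session handed to PolicySecret is an assumption.

```python
import hashlib
import hmac
import struct

TPM2_CC_POLICY_SECRET = 0x00000151   # command code of TPM2_PolicySecret
TPM2_ALG_SHA256 = 0x000B
# Handle types (top byte) whose Name is the 4-byte handle value itself:
# PCR, HMAC session, policy session, permanent.
NAME_IS_HANDLE = {0x00, 0x02, 0x03, 0x40}


def decode_format_one(rc):
    """Split a format-one TPM response code into (subject, index, error)."""
    if not rc & 0x080:
        raise ValueError("not a format-one response code")
    error = rc & 0x03F                # 0x0E is AUTH_FAIL
    n = (rc >> 8) & 0xF
    if rc & 0x040:                    # P bit: the error refers to a parameter
        return ("parameter", n, error)
    return ("session" if n & 0x8 else "handle", n & 0x7, error)


def entity_name(handle, public_area=b""):
    """Name that goes into cpHash for the entity behind `handle`."""
    if (handle >> 24) in NAME_IS_HANDLE:
        return struct.pack(">I", handle)
    # Objects and NV indexes: nameAlg || H(public area); the handle is unused.
    digest = hashlib.sha256(public_area).digest()
    return struct.pack(">H", TPM2_ALG_SHA256) + digest


def tpm2b(data):
    """Marshal a TPM2B buffer: 16-bit big-endian size, then the bytes."""
    return struct.pack(">H", len(data)) + data


def policy_secret_cphash(auth_handle, auth_public, policy_session, policy_nonce):
    """cpHash = H(commandCode || Name(authHandle) || Name(policySession) || params)."""
    # Parameters: nonceTPM, cpHashA (empty), policyRef (empty), expiration = 0.
    params = tpm2b(policy_nonce) + tpm2b(b"") + tpm2b(b"") + struct.pack(">i", 0)
    return hashlib.sha256(
        struct.pack(">I", TPM2_CC_POLICY_SECRET)
        + entity_name(auth_handle, auth_public)
        + entity_name(policy_session)
        + params
    ).digest()


def command_hmac(key, cphash, nonce_caller, nonce_tpm, attributes=0x01):
    """authHMAC = HMAC(key, cpHash || nonceNewer || nonceOlder || sessionAttributes)."""
    msg = cphash + nonce_caller + nonce_tpm + bytes([attributes])
    return hmac.new(key, msg, hashlib.sha256).digest()


# Constructed sample values (assumptions, not taken from the thread's program).
OBJECT_PUBLIC = b"constructed TPMT_PUBLIC bytes of the authorizing key"
HMAC_KEY = b"constructed sessionKey||authValue"
POLICY_NONCE = bytes(range(32))
NONCE_CALLER = bytes([0xAA]) * 32
NONCE_TPM = bytes([0xBB]) * 32
# Handle values as printed in the log, read as hex.
REAL_POLICY, VIRTUAL_POLICY = 0x03000000, 0x03000001   # row 25
REAL_OBJECT, VIRTUAL_OBJECT = 0x80000001, 0x80000004   # row 28


def tpm_accepts(client_object, client_policy_session):
    """True if an HMAC built from the client's handles matches the TPM's own."""
    client = command_hmac(
        HMAC_KEY,
        policy_secret_cphash(client_object, OBJECT_PUBLIC,
                             client_policy_session, POLICY_NONCE),
        NONCE_CALLER, NONCE_TPM)
    # The TPM only ever sees the real handles the resource manager swapped in.
    tpm = command_hmac(
        HMAC_KEY,
        policy_secret_cphash(REAL_OBJECT, OBJECT_PUBLIC,
                             REAL_POLICY, POLICY_NONCE),
        NONCE_CALLER, NONCE_TPM)
    return hmac.compare_digest(client, tpm)


if __name__ == "__main__":
    print("0x98e decodes to", decode_format_one(0x98E))
    print("virtual object handle accepted:",
          tpm_accepts(VIRTUAL_OBJECT, REAL_POLICY))
    print("virtual session handle accepted:",
          tpm_accepts(REAL_OBJECT, VIRTUAL_POLICY))
```

A virtualized transient-object handle leaves the HMAC unchanged because the object's Name is derived from its public area, while a virtualized session handle in the handle area changes cpHash and produces the session-1 authorization failure that 0x98e encodes.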

* Re: [tpm2] tpm2-tss question
@ 2018-01-29 22:37 Yasuhiro Hosoda
  0 siblings, 0 replies; 17+ messages in thread
From: Yasuhiro Hosoda @ 2018-01-29 22:37 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 7017 bytes --]

Thank you for your reply.

Where can I find necessary information for "get HMAC to work"?

And, where can I find extended-sessions.sh?

Many thanks.
> test/system/tests/tcti/abrmd/extended-sessions.sh
>
> That uses abrmd which has an RM extension to allow session handles
> to be marked for non-flushing on client disconnection, but that
> point likely won't concern you.
>
> This test script uses tools that start a pcr policy session, satisfy or build the policy,
> and use it for unsealing data.
>
> It might be good to see if you can get HMAC to work in this framework from a
> Learning perspective and then you could contribute hmac policy session support
> Back to the tools.
>
>
>> -----Original Message-----
>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>> Sent: Thursday, January 18, 2018 3:11 PM
>> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org
>> Subject: Re: [tpm2] tpm2-tss question
>>
>> You said that "I would look at how the tpm2-tools do it, they make for decent
>> reference code."
>> Would you tell me the place of tpm2-tools where I should look as reference code.
>> Regards,
>>
>>>> -----Original Message-----
>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>> Sent: Thursday, January 18, 2018 6:44 AM
>>>> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org
>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>
>>>> I appreciate much for your help. I am expecting for your information about
>> tpm2-
>>>> tools.
>>> What information are you expecting?
>>>
>>>>>> -----Original Message-----
>>>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>>>> Sent: Friday, January 12, 2018 1:47 AM
>>>>>> To: Roberts, William C <william.c.roberts(a)intel.com>;
>>>>>> tpm2(a)lists.01.org
>>>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>>>
>>>>>> Hi, Mr. Roberts, William
>>>>>>
>>>>>> Thank you for your advice.
>>>>>> I had already checked the details of this error code.
>>>>>> My understanding is that the problem is not the setting of the auth
>>>>>> but there occurs the discrepancy between the virtual handles and the
>>>>>> real handles in the resource manager.
>>>>> Unless you took an RM virtualized handle and went directly to the TPM
>>>>> with it, there shouldn't Be a problem. The RM should be swapping out
>>>>> virtualized handles with real ones for you before They hit the tpm, and thus,
>>>> should be transparent.
>>>>> As far as what the problem is, it's hard to tell offhand. I would look
>>>>> at how the tpm2-tools do it, they make for decent reference code.
>>>>>
>>>>>> Any help will be greatly appreciated
>>>>>>
>>>>>> Regard,
>>>>>>> 0x98e is:
>>>>>>>
>>>>>>> $ ./tpm2_rc_decode 0x98e
>>>>>>> error layer
>>>>>>>       hex: 0x0
>>>>>>>       identifier: TSS2_TPM_RC_LAYER
>>>>>>>       description: Error produced by the TPM format 1 error code
>>>>>>>       hex: 0x0e
>>>>>>>       identifier: TPM2_RC_AUTH_FAIL
>>>>>>>       description: the authorization HMAC check failed and DA counter
>>>>>>> incremented session
>>>>>>>       hex: 0x100
>>>>>>>       identifier: TPM2_RC_1
>>>>>>>       description:  (null)
>>>>>>>
>>>>>>> SO it looks like you're not setting up the auth properly in the session.
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Yasuhiro
>>>>>>>> Hosoda
>>>>>>>> Sent: Wednesday, December 13, 2017 10:59 PM
>>>>>>>> To: tpm2(a)lists.01.org
>>>>>>>> Subject: [tpm2] tpm2-tss question
>>>>>>>>
>>>>>>>> MY name is Yasuhiro Hosoda.
>>>>>>>>
>>>>>>>>
>>>>>>>> I am developing a program using TSS1.0(Nov1.2016).
>>>>>>>> I encountered a problem with PolicySecret error 0x98e and need help.
>>>>>>>> My program uses tpmtest.cpp as a base of development.
>>>>>>>> The situation is as follows:
>>>>>>>>
>>>>>>>> 1 Create TPM Keys like this.
>>>>>>>>
>>>>>>>> EK
>>>>>>>> |--------
>>>>>>>> |          |
>>>>>>>> MK       AK
>>>>>>>> |
>>>>>>>> SK
>>>>>>>>
>>>>>>>> 2 Execute PolicySecret twice using HMAC session. At first, it ends
>>>>>>>> without error.
>>>>>>>> Then it ends with 0x98e. For clarification, I print out the values
>>>>>>>> of Virtual Handle and Real Handle.
>>>>>>>> The value of Virtual/Real Handles differ at 2nd execution of the command.
>>>>>>>> (See NO 25/26 Below)
>>>>>>>>
>>>>>>>> I understand that the resource manager assigns Virtual Handle and
>>>>>>>> my program calculates HMAC using that handles.
>>>>>>>> On the other hand, TPM may calculate HMAC using Real Handle.
>>>>>>>> That is my hypothesis.
>>>>>>>>
>>>>>>>> Any suggestion about the usage of Session Handle?
>>>>>>>>
>>>>>>>> NO  Command                           Virtual/Real Handle              LOC
>>>>>>>> 1.  CreatePrimary(EK)                 real=80000000, virtual=80000000  8381
>>>>>>>> 2.  HierarchyChangeAuth1                                               8421
>>>>>>>> 3.  HierarchyChangeAuth2                                               8431
>>>>>>>> 4.  StartAuthSession(Policy)          real=3000000, virtual=3000000    8480
>>>>>>>> 5.  PolicySecret(ENDORSEMENT)                                          8494
>>>>>>>> 6.  Create(MK)                                                         8515
>>>>>>>> 7.  PolicySecret(ENDORSEMENT)                                          8529
>>>>>>>> 8.  Load(MK)                          real=80000001, virtual=80000001  8542
>>>>>>>> 9.  Evict(MK)                                                          8552
>>>>>>>> 10. Create(SK)                                                         8590
>>>>>>>> 11. Load(SK)                          real=80000001, virtual=80000002  8598
>>>>>>>> 12. PolicySecret(ENDORSEMENT)                                          8609
>>>>>>>> 13. Create(AK)                                                         8635
>>>>>>>> 14. PolicySecret(ENDORSEMENT)                                          8645
>>>>>>>> 15. Load(AK)                          real=80000001, virtual=80000003  8655
>>>>>>>> 16. FlushContext(POLICY)                                               8664
>>>>>>>> 17. StartAuthSession(POLICY)          real=3000000, virtual=3000000    8668
>>>>>>>> 18. StartAuthSession(HMAC)            real=2000001, virtual=2000001    8678
>>>>>>>> 19. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000004  3706
>>>>>>>> 20. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000005  3706
>>>>>>>> 21. PolicySecret(SK)                                                   8711
>>>>>>>> 22. FlushContext(HMAC)                                                 8717
>>>>>>>> 23. FlushContext(POLICY)                                               8724
>>>>>>>> 24. CertifyCreation(SK)                                                8738
>>>>>>>> 25. StartAuthSession(POLICY)          real=3000000, virtual=3000001    8745
>>>>>>>> 26. StartAuthSession(HMAC)            real=2000001, virtual=2000000    8754
>>>>>>>> 27. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000005  8782
>>>>>>>> 28. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000004  8782
>>>>>>>> 29. PolicySecret(SK)                                                   8789
>>>>>>>>
>>>>>>>> The whole  source program can be found here.
>>>>>>>> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
>>>>>>>>
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>>
>>>>>>>> --
>>>>>>>> Yasuhiro Hosoda
>>>>>>>>
>>>>>>>> NTT Electronics Corporation (NEL)
>>>>>>>> Security Support Project
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> tpm2 mailing list
>>>>>>>> tpm2(a)lists.01.org
>>>>>>>> https://lists.01.org/mailman/listinfo/tpm2
>>

-- 


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [tpm2] tpm2-tss question
@ 2018-01-25 18:30 Roberts, William C
  0 siblings, 0 replies; 17+ messages in thread
From: Roberts, William C @ 2018-01-25 18:30 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 7338 bytes --]

test/system/tests/tcti/abrmd/extended-sessions.sh

That uses abrmd which has an RM extension to allow session handles
to be marked for non-flushing on client disconnection, but that
point likely won't concern you.

This test script uses tools that start a pcr policy session, satisfy or build the policy,
and use it for unsealing data.

It might be good to see if you can get HMAC to work in this framework from a
learning perspective and then you could contribute hmac policy session support
back to the tools.


> -----Original Message-----
> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
> Sent: Thursday, January 18, 2018 3:11 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] tpm2-tss question
> 
> You said that "I would look at how the tpm2-tools do it, they make for decent
> reference code."
> Would you tell me the place of tpm2-tools where I should look as reference code.
> Regards,
> 
> >
> >> -----Original Message-----
> >> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
> >> Sent: Thursday, January 18, 2018 6:44 AM
> >> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org
> >> Subject: Re: [tpm2] tpm2-tss question
> >>
> >> I appreciate much for your help. I am expecting for your information about
> tpm2-
> >> tools.
> > What information are you expecting?
> >
> >>>> -----Original Message-----
> >>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
> >>>> Sent: Friday, January 12, 2018 1:47 AM
> >>>> To: Roberts, William C <william.c.roberts(a)intel.com>;
> >>>> tpm2(a)lists.01.org
> >>>> Subject: Re: [tpm2] tpm2-tss question
> >>>>
> >>>> Hi, Mr. Roberts, William
> >>>>
> >>>> Thank you for your advice.
> >>>> I had already checked the details of this error code.
> >>>> My understanding is that the problem is not the setting of the auth
> >>>> but there occurs the discrepancy between the virtual handles and the
> >>>> real handles in the resource manager.
> >>> Unless you took an RM virtualized handle and went directly to the TPM
> >>> with it, there shouldn't Be a problem. The RM should be swapping out
> >>> virtualized handles with real ones for you before They hit the tpm, and thus,
> >> should be transparent.
> >>> As far as what the problem is, it's hard to tell offhand. I would look
> >>> at how the tpm2-tools do it, they make for decent reference code.
> >>>
> >>>> Any help will be greatly appreciated
> >>>>
> >>>> Regard,
> >>>>> 0x98e is:
> >>>>>
> >>>>> $ ./tpm2_rc_decode 0x98e
> >>>>> error layer
> >>>>>      hex: 0x0
> >>>>>      identifier: TSS2_TPM_RC_LAYER
> >>>>>      description: Error produced by the TPM format 1 error code
> >>>>>      hex: 0x0e
> >>>>>      identifier: TPM2_RC_AUTH_FAIL
> >>>>>      description: the authorization HMAC check failed and DA counter
> >>>>> incremented session
> >>>>>      hex: 0x100
> >>>>>      identifier: TPM2_RC_1
> >>>>>      description:  (null)
> >>>>>
> >>>>> SO it looks like you're not setting up the auth properly in the session.
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Yasuhiro
> >>>>>> Hosoda
> >>>>>> Sent: Wednesday, December 13, 2017 10:59 PM
> >>>>>> To: tpm2(a)lists.01.org
> >>>>>> Subject: [tpm2] tpm2-tss question
> >>>>>>
> >>>>>> MY name is Yasuhiro Hosoda.
> >>>>>>
> >>>>>>
> >>>>>> I am developing a program using TSS1.0(Nov1.2016).
> >>>>>> I encountered a problem with PolicySecret error 0x98e and need help.
> >>>>>> My program uses tpmtest.cpp as a base of development.
> >>>>>> The situation is as follows:
> >>>>>>
> >>>>>> 1 Create TPM Keys like this.
> >>>>>>
> >>>>>> EK
> >>>>>> |--------
> >>>>>> |          |
> >>>>>> MK       AK
> >>>>>> |
> >>>>>> SK
> >>>>>>
> >>>>>> 2 Execute PolicySecret twice using HMAC session. At first, it ends
> >>>>>> without error.
> >>>>>> Then it ends with 0x98e. For clarification, I print out the values
> >>>>>> of Virtual Handle and Real Handle.
> >>>>>> The value of Virtual/Real Handles differ at 2nd execution of the command.
> >>>>>> (See NO 25/26 Below)
> >>>>>>
> >>>>>> I understand that the resource manager assigns Virtual Handle and
> >>>>>> my program calculates HMAC using that handles.
> >>>>>> On the other hand, TPM may calculate HMAC using Real Handle.
> >>>>>> That is my hypothesis.
> >>>>>>
> >>>>>> Any suggestion about the usage of Session Handle?
> >>>>>>
> >>>>>> NO  Command                           Virtual/Real Handle              LOC
> >>>>>> 1.  CreatePrimary(EK)                 real=80000000, virtual=80000000  8381
> >>>>>> 2.  HierarchyChangeAuth1                                               8421
> >>>>>> 3.  HierarchyChangeAuth2                                               8431
> >>>>>> 4.  StartAuthSession(Policy)          real=3000000, virtual=3000000    8480
> >>>>>> 5.  PolicySecret(ENDORSEMENT)                                          8494
> >>>>>> 6.  Create(MK)                                                         8515
> >>>>>> 7.  PolicySecret(ENDORSEMENT)                                          8529
> >>>>>> 8.  Load(MK)                          real=80000001, virtual=80000001  8542
> >>>>>> 9.  Evict(MK)                                                          8552
> >>>>>> 10. Create(SK)                                                         8590
> >>>>>> 11. Load(SK)                          real=80000001, virtual=80000002  8598
> >>>>>> 12. PolicySecret(ENDORSEMENT)                                          8609
> >>>>>> 13. Create(AK)                                                         8635
> >>>>>> 14. PolicySecret(ENDORSEMENT)                                          8645
> >>>>>> 15. Load(AK)                          real=80000001, virtual=80000003  8655
> >>>>>> 16. FlushContext(POLICY)                                               8664
> >>>>>> 17. StartAuthSession(POLICY)          real=3000000, virtual=3000000    8668
> >>>>>> 18. StartAuthSession(HMAC)            real=2000001, virtual=2000001    8678
> >>>>>> 19. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000004  3706
> >>>>>> 20. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000005  3706
> >>>>>> 21. PolicySecret(SK)                                                   8711
> >>>>>> 22. FlushContext(HMAC)                                                 8717
> >>>>>> 23. FlushContext(POLICY)                                               8724
> >>>>>> 24. CertifyCreation(SK)                                                8738
> >>>>>> 25. StartAuthSession(POLICY)          real=3000000, virtual=3000001    8745
> >>>>>> 26. StartAuthSession(HMAC)            real=2000001, virtual=2000000    8754
> >>>>>> 27. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000005  8782
> >>>>>> 28. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000004  8782
> >>>>>> 29. PolicySecret(SK)                                                   8789
> >>>>>>
> >>>>>> The whole  source program can be found here.
> >>>>>> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
> >>>>>>
> >>>>>>
> >>>>>> Kind regards,
> >>>>>>
> >>>>>> --
> >>>>>> Yasuhiro Hosoda
> >>>>>>
> >>>>>> NTT Electronics Corporation (NEL)
> >>>>>> Security Support Project
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> tpm2 mailing list
> >>>>>> tpm2(a)lists.01.org
> >>>>>> https://lists.01.org/mailman/listinfo/tpm2
> 
> 
> --
>   __________________________________________
> / Yasuhiro Hosoda
> |
> | NTT Electronics Corporation (NEL)
> |
> | Systemization Support Center
> | Security Technology Support Project
> |
> | 1-1-32 Shin-Urashima-cho, Kanagawa-ku,
> | Yokohama, Kanagawa 221-0031
> |  New Stage Yokohama
> |
> | Tel 050-9000-6109/050-9000-6485 (direct)
> |   (9225 (ext.))
> |  Fax 045-453-9620
> |  E-mail: hosoda-yasuhiro(a)ntt-el.com
> |________________________________________/


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [tpm2] tpm2-tss question
@ 2018-01-18 23:11 Yasuhiro Hosoda
  0 siblings, 0 replies; 17+ messages in thread
From: Yasuhiro Hosoda @ 2018-01-18 23:11 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 6335 bytes --]

You said that "I would look at how the tpm2-tools do it, they make for
decent reference code."
Would you tell me the place in tpm2-tools where I should look for
reference code?
Regards,

>
>> -----Original Message-----
>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>> Sent: Thursday, January 18, 2018 6:44 AM
>> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org
>> Subject: Re: [tpm2] tpm2-tss question
>>
>> I appreciate much for your help. I am expecting for your information about
>> tpm2-tools.
> What information are you expecting?
>
>>>> -----Original Message-----
>>>> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
>>>> Sent: Friday, January 12, 2018 1:47 AM
>>>> To: Roberts, William C <william.c.roberts(a)intel.com>;
>>>> tpm2(a)lists.01.org
>>>> Subject: Re: [tpm2] tpm2-tss question
>>>>
>>>> Hi, Mr. Roberts, William
>>>>
>>>> Thank you for your advice.
>>>> I had already checked the details of this error code.
>>>> My understanding is that the problem is not the setting of the auth
>>>> but there occurs the discrepancy between the virtual handles and the
>>>> real handles in the resource manager.
>>> Unless you took an RM virtualized handle and went directly to the TPM
>>> with it, there shouldn't be a problem. The RM should be swapping out
>>> virtualized handles with real ones for you before they hit the tpm, and thus,
>>> should be transparent.
>>>
>>> As far as what the problem is, it's hard to tell offhand. I would look
>>> at how the tpm2-tools do it, they make for decent reference code.
>>>
>>>> Any help will be greatly appreciated
>>>>
>>>> Regard,
>>>>> 0x98e is:
>>>>>
>>>>> $ ./tpm2_rc_decode 0x98e
>>>>> error layer
>>>>>      hex: 0x0
>>>>>      identifier: TSS2_TPM_RC_LAYER
>>>>>      description: Error produced by the TPM
>>>>> format 1 error code
>>>>>      hex: 0x0e
>>>>>      identifier: TPM2_RC_AUTH_FAIL
>>>>>      description: the authorization HMAC check failed and DA counter incremented
>>>>> session
>>>>>      hex: 0x100
>>>>>      identifier: TPM2_RC_1
>>>>>      description:  (null)
>>>>>
>>>>> So it looks like you're not setting up the auth properly in the session.
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Yasuhiro
>>>>>> Hosoda
>>>>>> Sent: Wednesday, December 13, 2017 10:59 PM
>>>>>> To: tpm2(a)lists.01.org
>>>>>> Subject: [tpm2] tpm2-tss question
>>>>>>
>>>>>> My name is Yasuhiro Hosoda.
>>>>>>
>>>>>>
>>>>>> I am developing a program using TSS1.0(Nov1.2016).
>>>>>> I encountered a problem with PolicySecret error 0x98e and need help.
>>>>>> My program uses tpmtest.cpp as a base of development.
>>>>>> The situation is as follows:
>>>>>>
>>>>>> 1 Create TPM Keys like this.
>>>>>>
>>>>>> EK
>>>>>> |--------
>>>>>> |          |
>>>>>> MK       AK
>>>>>> |
>>>>>> SK
>>>>>>
>>>>>> 2 Execute PolicySecret twice using HMAC session. At first, it ends
>>>>>> without error. Then it ends with 0x98e
>>>>>> For clarification, I print out the values of Virtual Handle and Real Handle.
>>>>>> The value of Virtual/Real Handles differ at 2nd execution of the command.
>>>>>> (See NO 25/26 Below)
>>>>>>
>>>>>> I understand that the resource manager assigns Virtual Handle and
>>>>>> my program calculates HMAC using that handles.
>>>>>> On the other hand, TPM may calculate HMAC using Real Handle.
>>>>>> That is my hypothesis.
>>>>>>
>>>>>> Any suggestion about the usage of Session Handle?
>>>>>>
>>>>>> NO      Command           Virtual/Real Handle         LOC
>>>>>> 1.    CreatePrimary(EK) real=80000000, virtual=80000000 8381
>>>>>> 2.    HierarchyChangeAuth1 8421
>>>>>> 3.    HierarchyChangeAuth2 8431
>>>>>> 4.    StartAuthSession(Policy) real=3000000, virtual=3000000 8480
>>>>>> 5.    PolicySecret(ENDORSEMENT) 8494
>>>>>> 6.    Create(MK) 8515
>>>>>> 7.    PolicySecret(ENDORSEMENT) 8529
>>>>>> 8.    Load(MK) real=80000001, virtual=80000001 8542
>>>>>> 9.    Evict(MK) 8552
>>>>>> 10.    Create(SK) 8590
>>>>>> 11.    Load(SK) real=80000001, virtual=80000002 8598
>>>>>> 12.    PolicySecret(ENDORSEMENT) 8609
>>>>>> 13.    Create(AK) 8635
>>>>>> 14.    PolicySecret(ENDORSEMENT) 8645
>>>>>> 15.    Load(AK) real=80000001, virtual=80000003 8655
>>>>>> 16.    FlushContext(POLICY) 8664
>>>>>> 17.    StartAuthSession(POLICY) real=3000000, virtual=3000000 8668
>>>>>> 18.    StartAuthSession(HMAC) real=2000001, virtual=2000001 8678
>>>>>> 19.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706
>>>>>> 20.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706
>>>>>> 21.    PolicySecret(SK) 8711
>>>>>> 22.    FlushContext(HMAC) 8717
>>>>>> 23.    FlushContext(POLICY) 8724
>>>>>> 24.    CertifyCreation(SK) 8738
>>>>>> 25.    StartAuthSession(POLICY) real=3000000, virtual=3000001 8745
>>>>>> 26.    StartAuthSession(HMAC) real=2000001, virtual=2000000 8754
>>>>>> 27.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782
>>>>>> 28.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782
>>>>>> 29.    PolicySecret(SK) 8789
>>>>>>
>>>>>> The whole source program can be found here.
>>>>>> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
>>>>>>
>>>>>>
>>>>>> Kind regards,
>>>>>>
>>>>>> --
>>>>>> Yasuhiro Hosoda
>>>>>>
>>>>>> NTT Electronics Corporation (NEL)
>>>>>> Security Support Project
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> tpm2 mailing list
>>>>>> tpm2(a)lists.01.org
>>>>>> https://lists.01.org/mailman/listinfo/tpm2


-- 
  __________________________________________
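/ Yasuhiro Hosoda
|
| NTT Electronics Corporation (NEL)
|
| Systemization Support Center
| Security Technology Support Project
|
| 221-0031 Kanagawa-ku, Yokohama, Kanagawa Prefecture
| 1-1-32 Shin-Urashima-cho
|  New Stage Yokohama
|
| Tel 050-9000-6109/050-9000-6485 (direct)
|   (9225 (ext.))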
|  Fax 045-453-9620
|  E-mail: hosoda-yasuhiro(a)ntt-el.com
|________________________________________/


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [tpm2] tpm2-tss question
@ 2018-01-18 18:11 Roberts, William C
  0 siblings, 0 replies; 17+ messages in thread
From: Roberts, William C @ 2018-01-18 18:11 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 5541 bytes --]



> -----Original Message-----
> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
> Sent: Thursday, January 18, 2018 6:44 AM
> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] tpm2-tss question
> 
> I appreciate much for your help. I am expecting for your information about
> tpm2-tools.

What information are you expecting?

> >
> >> -----Original Message-----
> >> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
> >> Sent: Friday, January 12, 2018 1:47 AM
> >> To: Roberts, William C <william.c.roberts(a)intel.com>;
> >> tpm2(a)lists.01.org
> >> Subject: Re: [tpm2] tpm2-tss question
> >>
> >> Hi, Mr. Roberts, William
> >>
> >> Thank you for your advice.
> >> I had already checked the details of this error code.
> >> My understanding is that the problem is not the setting of the auth
> >> but there occurs the discrepancy between the virtual handles and the
> >> real handles in the resource manager.
> > Unless you took an RM virtualized handle and went directly to the TPM
> > with it, there shouldn't be a problem. The RM should be swapping out
> > virtualized handles with real ones for you before they hit the tpm, and thus,
> > should be transparent.
> >
> > As far as what the problem is, it's hard to tell offhand. I would look
> > at how the tpm2-tools do it, they make for decent reference code.
> >
> >> Any help will be greatly appreciated
> >>
> >> Regard,
> >>> 0x98e is:
> >>>
> >>> $ ./tpm2_rc_decode 0x98e
> >>> error layer
> >>>     hex: 0x0
> >>>     identifier: TSS2_TPM_RC_LAYER
> >>>     description: Error produced by the TPM
> >>> format 1 error code
> >>>     hex: 0x0e
> >>>     identifier: TPM2_RC_AUTH_FAIL
> >>>     description: the authorization HMAC check failed and DA counter incremented
> >>> session
> >>>     hex: 0x100
> >>>     identifier: TPM2_RC_1
> >>>     description:  (null)
> >>>
> >>> So it looks like you're not setting up the auth properly in the session.
> >>>
> >>>> -----Original Message-----
> >>>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Yasuhiro
> >>>> Hosoda
> >>>> Sent: Wednesday, December 13, 2017 10:59 PM
> >>>> To: tpm2(a)lists.01.org
> >>>> Subject: [tpm2] tpm2-tss question
> >>>>
> >>>> My name is Yasuhiro Hosoda.
> >>>>
> >>>>
> >>>> I am developing a program using TSS1.0(Nov1.2016).
> >>>> I encountered a problem with PolicySecret error 0x98e and need help.
> >>>> My program uses tpmtest.cpp as a base of development.
> >>>> The situation is as follows:
> >>>>
> >>>> 1 Create TPM Keys like this.
> >>>>
> >>>> EK
> >>>> |--------
> >>>> |          |
> >>>> MK       AK
> >>>> |
> >>>> SK
> >>>>
> >>>> 2 Execute PolicySecret twice using HMAC session. At first, it ends
> >>>> without error. Then it ends with 0x98e
> >>>> For clarification, I print out the values of Virtual Handle and Real Handle.
> >>>> The value of Virtual/Real Handles differ at 2nd execution of the command.
> >>>> (See NO 25/26 Below)
> >>>>
> >>>> I understand that the resource manager assigns Virtual Handle and
> >>>> my program calculates HMAC using that handles.
> >>>> On the other hand, TPM may calculate HMAC using Real Handle.
> >>>> That is my hypothesis.
> >>>>
> >>>> Any suggestion about the usage of Session Handle?
> >>>>
> >>>> NO      Command           Virtual/Real Handle         LOC
> >>>> 1.    CreatePrimary(EK) real=80000000, virtual=80000000 8381
> >>>> 2.    HierarchyChangeAuth1 8421
> >>>> 3.    HierarchyChangeAuth2 8431
> >>>> 4.    StartAuthSession(Policy) real=3000000, virtual=3000000 8480
> >>>> 5.    PolicySecret(ENDORSEMENT) 8494
> >>>> 6.    Create(MK) 8515
> >>>> 7.    PolicySecret(ENDORSEMENT) 8529
> >>>> 8.    Load(MK) real=80000001, virtual=80000001 8542
> >>>> 9.    Evict(MK) 8552
> >>>> 10.    Create(SK) 8590
> >>>> 11.    Load(SK) real=80000001, virtual=80000002 8598
> >>>> 12.    PolicySecret(ENDORSEMENT) 8609
> >>>> 13.    Create(AK) 8635
> >>>> 14.    PolicySecret(ENDORSEMENT) 8645
> >>>> 15.    Load(AK) real=80000001, virtual=80000003 8655
> >>>> 16.    FlushContext(POLICY) 8664
> >>>> 17.    StartAuthSession(POLICY) real=3000000, virtual=3000000 8668
> >>>> 18.    StartAuthSession(HMAC) real=2000001, virtual=2000001 8678
> >>>> 19.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706
> >>>> 20.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706
> >>>> 21.    PolicySecret(SK) 8711
> >>>> 22.    FlushContext(HMAC) 8717
> >>>> 23.    FlushContext(POLICY) 8724
> >>>> 24.    CertifyCreation(SK) 8738
> >>>> 25.    StartAuthSession(POLICY) real=3000000, virtual=3000001 8745
> >>>> 26.    StartAuthSession(HMAC) real=2000001, virtual=2000000 8754
> >>>> 27.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782
> >>>> 28.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782
> >>>> 29.    PolicySecret(SK) 8789
> >>>>
> >>>> The whole source program can be found here.
> >>>> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
> >>>>
> >>>>
> >>>> Kind regards,
> >>>>
> >>>> --
> >>>> Yasuhiro Hosoda
> >>>>
> >>>> NTT Electronics Corporation (NEL)
> >>>> Security Support Project
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> tpm2 mailing list
> >>>> tpm2(a)lists.01.org
> >>>> https://lists.01.org/mailman/listinfo/tpm2
> >>


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [tpm2] tpm2-tss question
@ 2018-01-14 21:51 Roberts, William C
  0 siblings, 0 replies; 17+ messages in thread
From: Roberts, William C @ 2018-01-14 21:51 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 5360 bytes --]



> -----Original Message-----
> From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro(a)ntt-el.com]
> Sent: Friday, January 12, 2018 1:47 AM
> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] tpm2-tss question
> 
> Hi, Mr. Roberts, William
> 
> Thank you for your advice.
> I had already checked the details of this error code.
> My understanding is that the problem is not the setting of the auth but there
> occurs the discrepancy between the virtual handles and the real handles in the
> resource manager.

Unless you took an RM virtualized handle and went directly to the TPM with it, there shouldn't
be a problem. The RM should be swapping out virtualized handles with real ones for you before
they hit the tpm, and thus, should be transparent.

As far as what the problem is, it's hard to tell offhand. I would look at how the tpm2-tools do it, they
make for decent reference code.

> Any help will be greatly appreciated
> 
> Regard,
> > 0x98e is:
> >
> > $ ./tpm2_rc_decode 0x98e
> > error layer
> >    hex: 0x0
> >    identifier: TSS2_TPM_RC_LAYER
> >    description: Error produced by the TPM
> > format 1 error code
> >    hex: 0x0e
> >    identifier: TPM2_RC_AUTH_FAIL
> >    description: the authorization HMAC check failed and DA counter incremented
> > session
> >    hex: 0x100
> >    identifier: TPM2_RC_1
> >    description:  (null)
> >
> > So it looks like you're not setting up the auth properly in the session.
> >
> >> -----Original Message-----
> >> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Yasuhiro
> >> Hosoda
> >> Sent: Wednesday, December 13, 2017 10:59 PM
> >> To: tpm2(a)lists.01.org
> >> Subject: [tpm2] tpm2-tss question
> >>
> >> My name is Yasuhiro Hosoda.
> >>
> >>
> >> I am developing a program using TSS1.0(Nov1.2016).
> >> I encountered a problem with PolicySecret error 0x98e and need help.
> >> My program uses tpmtest.cpp as a base of development.
> >> The situation is as follows:
> >>
> >> 1 Create TPM Keys like this.
> >>
> >> EK
> >> |--------
> >> |          |
> >> MK       AK
> >> |
> >> SK
> >>
> >> 2 Execute PolicySecret twice using HMAC session. At first, it ends without
> >> error. Then it ends with 0x98e
> >> For clarification, I print out the values of Virtual Handle and Real Handle.
> >> The value of Virtual/Real Handles differ at 2nd execution of the command.
> >> (See NO 25/26 Below)
> >>
> >> I understand that the resource manager assigns Virtual Handle and my
> >> program calculates HMAC using that handles.
> >> On the other hand, TPM may calculate HMAC using Real Handle.
> >> That is my hypothesis.
> >>
> >> Any suggestion about the usage of Session Handle?
> >>
> >> NO      Command           Virtual/Real Handle         LOC
> >> 1.    CreatePrimary(EK) real=80000000, virtual=80000000 8381
> >> 2.    HierarchyChangeAuth1 8421
> >> 3.    HierarchyChangeAuth2 8431
> >> 4.    StartAuthSession(Policy) real=3000000, virtual=3000000 8480
> >> 5.    PolicySecret(ENDORSEMENT) 8494
> >> 6.    Create(MK) 8515
> >> 7.    PolicySecret(ENDORSEMENT) 8529
> >> 8.    Load(MK) real=80000001, virtual=80000001 8542
> >> 9.    Evict(MK) 8552
> >> 10.    Create(SK) 8590
> >> 11.    Load(SK) real=80000001, virtual=80000002 8598
> >> 12.    PolicySecret(ENDORSEMENT) 8609
> >> 13.    Create(AK) 8635
> >> 14.    PolicySecret(ENDORSEMENT) 8645
> >> 15.    Load(AK) real=80000001, virtual=80000003 8655
> >> 16.    FlushContext(POLICY) 8664
> >> 17.    StartAuthSession(POLICY) real=3000000, virtual=3000000 8668
> >> 18.    StartAuthSession(HMAC) real=2000001, virtual=2000001 8678
> >> 19.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706
> >> 20.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706
> >> 21.    PolicySecret(SK) 8711
> >> 22.    FlushContext(HMAC) 8717
> >> 23.    FlushContext(POLICY) 8724
> >> 24.    CertifyCreation(SK) 8738
> >> 25.    StartAuthSession(POLICY) real=3000000, virtual=3000001 8745
> >> 26.    StartAuthSession(HMAC) real=2000001, virtual=2000000 8754
> >> 27.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782
> >> 28.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782
> >> 29.    PolicySecret(SK) 8789
> >>
> >> The whole source program can be found here.
> >> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
> >>
> >>
> >> Kind regards,
> >>
> >> --
> >> Yasuhiro Hosoda
> >>
> >> NTT Electronics Corporation (NEL)
> >> Security Support Project
> >>
> >>
> >> _______________________________________________
> >> tpm2 mailing list
> >> tpm2(a)lists.01.org
> >> https://lists.01.org/mailman/listinfo/tpm2
> 
> 
> --
>   __________________________________________
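> / Yasuhiro Hosoda
> |
> | NTT Electronics Corporation (NEL)
> |
> | Systemization Support Center
> | Security Technology Support Project
> |
> | 221-0031 Kanagawa-ku, Yokohama, Kanagawa Prefecture
> | 1-1-32 Shin-Urashima-cho
> |  New Stage Yokohama
> |
> | Tel 050-9000-6109/050-9000-6485 (direct)
> |   (9225 (ext.))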
> |  Fax 045-453-9620
> |  E-mail: hosoda-yasuhiro(a)ntt-el.com
> |________________________________________/


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [tpm2] tpm2-tss question
@ 2018-01-12  9:46 Yasuhiro Hosoda
  0 siblings, 0 replies; 17+ messages in thread
From: Yasuhiro Hosoda @ 2018-01-12  9:46 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 4620 bytes --]

Hi, Mr. Roberts, William

Thank you for your advice.
I had already checked the details of this error code.
My understanding is that the problem is not the setting of the auth
but there occurs the discrepancy between the virtual handles and
the real handles in the resource manager.
Any help will be greatly appreciated

Regard,
> 0x98e is:
>
> $ ./tpm2_rc_decode 0x98e
> error layer
>    hex: 0x0
>    identifier: TSS2_TPM_RC_LAYER
>    description: Error produced by the TPM
> format 1 error code
>    hex: 0x0e
>    identifier: TPM2_RC_AUTH_FAIL
>    description: the authorization HMAC check failed and DA counter incremented
> session
>    hex: 0x100
>    identifier: TPM2_RC_1
>    description:  (null)
>
> So it looks like you're not setting up the auth properly in the session.
>
>> -----Original Message-----
>> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Yasuhiro Hosoda
>> Sent: Wednesday, December 13, 2017 10:59 PM
>> To: tpm2(a)lists.01.org
>> Subject: [tpm2] tpm2-tss question
>>
>> My name is Yasuhiro Hosoda.
>>
>>
>> I am developing a program using TSS1.0(Nov1.2016).
>> I encountered a problem with PolicySecret error 0x98e and need help.
>> My program uses tpmtest.cpp as a base of development.
>> The situation is as follows:
>>
>> 1 Create TPM Keys like this.
>>
>> EK
>> |--------
>> |          |
>> MK       AK
>> |
>> SK
>>
>> 2 Execute PolicySecret twice using HMAC session. At first, it ends without error.
>> Then it ends with 0x98e
>> For clarification, I print out the values of Virtual Handle and Real Handle.
>> The value of Virtual/Real Handles differ at 2nd execution of the command.
>> (See NO 25/26 Below)
>>
>> I understand that the resource manager assigns Virtual Handle and my program
>> calculates HMAC using that handles.
>> On the other hand, TPM may calculate HMAC using Real Handle.
>> That is my hypothesis.
>>
>> Any suggestion about the usage of Session Handle?
>>
>> NO      Command           Virtual/Real Handle         LOC
>> 1.    CreatePrimary(EK) real=80000000, virtual=80000000 8381
>> 2.    HierarchyChangeAuth1 8421
>> 3.    HierarchyChangeAuth2 8431
>> 4.    StartAuthSession(Policy) real=3000000, virtual=3000000 8480
>> 5.    PolicySecret(ENDORSEMENT) 8494
>> 6.    Create(MK) 8515
>> 7.    PolicySecret(ENDORSEMENT) 8529
>> 8.    Load(MK) real=80000001, virtual=80000001 8542
>> 9.    Evict(MK) 8552
>> 10.    Create(SK) 8590
>> 11.    Load(SK) real=80000001, virtual=80000002 8598
>> 12.    PolicySecret(ENDORSEMENT) 8609
>> 13.    Create(AK) 8635
>> 14.    PolicySecret(ENDORSEMENT) 8645
>> 15.    Load(AK) real=80000001, virtual=80000003 8655
>> 16.    FlushContext(POLICY) 8664
>> 17.    StartAuthSession(POLICY) real=3000000, virtual=3000000 8668
>> 18.    StartAuthSession(HMAC) real=2000001, virtual=2000001 8678
>> 19.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706
>> 20.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706
>> 21.    PolicySecret(SK) 8711
>> 22.    FlushContext(HMAC) 8717
>> 23.    FlushContext(POLICY) 8724
>> 24.    CertifyCreation(SK) 8738
>> 25.    StartAuthSession(POLICY) real=3000000, virtual=3000001 8745
>> 26.    StartAuthSession(HMAC) real=2000001, virtual=2000000 8754
>> 27.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782
>> 28.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782
>> 29.    PolicySecret(SK) 8789
>>
>> The whole  source program can be found here.
>> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
>>
>>
>> Kind regards,
>>
>> --
>> Yasuhiro Hosoda
>>
>> NTT Electronics Corporation (NEL)
>> Security Support Project
>>
>>
>> _______________________________________________
>> tpm2 mailing list
>> tpm2(a)lists.01.org
>> https://lists.01.org/mailman/listinfo/tpm2


-- 
  __________________________________________
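/ Yasuhiro Hosoda
|
| NTT Electronics Corporation (NEL)
|
| Systemization Support Center
| Security Technology Support Project
|
| 221-0031 Kanagawa-ku, Yokohama, Kanagawa Prefecture
| 1-1-32 Shin-Urashima-cho
|  New Stage Yokohama
|
| Tel 050-9000-6109/050-9000-6485 (direct)
|   (9225 (ext.))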
|  Fax 045-453-9620
|  E-mail: hosoda-yasuhiro(a)ntt-el.com
|________________________________________/


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [tpm2] tpm2-tss question
@ 2017-12-26 17:30 Roberts, William C
  0 siblings, 0 replies; 17+ messages in thread
From: Roberts, William C @ 2017-12-26 17:30 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 3581 bytes --]

0x98e is:

$ ./tpm2_rc_decode 0x98e
error layer
  hex: 0x0
  identifier: TSS2_TPM_RC_LAYER
  description: Error produced by the TPM
format 1 error code
  hex: 0x0e
  identifier: TPM2_RC_AUTH_FAIL
  description: the authorization HMAC check failed and DA counter incremented
session
  hex: 0x100
  identifier: TPM2_RC_1
  description:  (null)

So it looks like you're not setting up the auth properly in the session.

> -----Original Message-----
> From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Yasuhiro Hosoda
> Sent: Wednesday, December 13, 2017 10:59 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] tpm2-tss question
> 
> My name is Yasuhiro Hosoda.
> 
> 
> I am developing a program using TSS1.0(Nov1.2016).
> I encountered a problem with PolicySecret error 0x98e and need help.
> My program uses tpmtest.cpp as a base of development.
> The situation is as follows:
> 
> 1 Create TPM Keys like this.
> 
> EK
> |--------
> |          |
> MK       AK
> |
> SK
> 
> 2 Execute PolicySecret twice using HMAC session. At first, it ends without error.
> Then it ends with 0x98e
> For clarification, I print out the values of Virtual Handle and Real Handle.
> The value of Virtual/Real Handles differ at 2nd execution of the command.
> (See NO 25/26 Below)
> 
> I understand that the resource manager assigns Virtual Handle and my program
> calculates HMAC using that handles.
> On the other hand, TPM may calculate HMAC using Real Handle.
> That is my hypothesis.
> 
> Any suggestion about the usage of Session Handle?
> 
> NO      Command           Virtual/Real Handle         LOC
> 1.    CreatePrimary(EK) real=80000000, virtual=80000000 8381
> 2.    HierarchyChangeAuth1 8421
> 3.    HierarchyChangeAuth2 8431
> 4.    StartAuthSession(Policy) real=3000000, virtual=3000000 8480
> 5.    PolicySecret(ENDORSEMENT) 8494
> 6.    Create(MK) 8515
> 7.    PolicySecret(ENDORSEMENT) 8529
> 8.    Load(MK) real=80000001, virtual=80000001 8542
> 9.    Evict(MK) 8552
> 10.    Create(SK) 8590
> 11.    Load(SK) real=80000001, virtual=80000002 8598
> 12.    PolicySecret(ENDORSEMENT) 8609
> 13.    Create(AK) 8635
> 14.    PolicySecret(ENDORSEMENT) 8645
> 15.    Load(AK) real=80000001, virtual=80000003 8655
> 16.    FlushContext(POLICY) 8664
> 17.    StartAuthSession(POLICY) real=3000000, virtual=3000000 8668
> 18.    StartAuthSession(HMAC) real=2000001, virtual=2000001 8678
> 19.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706
> 20.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706
> 21.    PolicySecret(SK) 8711
> 22.    FlushContext(HMAC) 8717
> 23.    FlushContext(POLICY) 8724
> 24.    CertifyCreation(SK) 8738
> 25.    StartAuthSession(POLICY) real=3000000, virtual=3000001 8745
> 26.    StartAuthSession(HMAC) real=2000001, virtual=2000000 8754
> 27.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782
> 28.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782
> 29.    PolicySecret(SK) 8789
> 
> The whole  source program can be found here.
> https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
> 
> 
> Kind regards,
> 
> --
> Yasuhiro Hosoda
> 
> NTT Electronics Corporation (NEL)
> Security Support Project
> 
> 
> _______________________________________________
> tpm2 mailing list
> tpm2(a)lists.01.org
> https://lists.01.org/mailman/listinfo/tpm2

^ permalink raw reply	[flat|nested] 17+ messages in thread
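
How 0x98e breaks down into the fields shown in the tpm2_rc_decode output above, as an added example (not code from tpm2-tools or from this thread). The function names and the small error-name table are this example's own; the bit layout follows the TPM 2.0 response-code format.

```python
"""Split a TPM 2.0 response code into the fields tpm2_rc_decode reports."""

# Subset of format-1 error numbers (TPM 2.0 Library specification, Part 2).
# Errors outside this subset are reported by number only.
FMT1_ERRORS = {
    0x04: "TPM2_RC_VALUE",
    0x0B: "TPM2_RC_HANDLE",
    0x0E: "TPM2_RC_AUTH_FAIL",
    0x1D: "TPM2_RC_POLICY_FAIL",
    0x22: "TPM2_RC_BAD_AUTH",
}

RC_FMT1 = 0x080  # bit 7: format-1 code, tied to a handle, parameter or session
RC_P = 0x040     # bit 6: bits 8-11 hold a parameter number
RC_S = 0x800     # bit 11 (format 1, P clear): bits 8-10 hold a session number


def decode_rc(rc):
    """Return a dict describing rc; only TPM-layer (layer 0) codes are split."""
    layer, code = (rc >> 16) & 0xFF, rc & 0xFFFF
    if layer != 0:
        # Codes from other TSS layers use their own low-16-bit encoding.
        return {"layer": layer, "format": None, "code": code}
    if code & RC_FMT1:
        error = code & 0x3F
        n = (code >> 8) & 0xF
        if code & RC_P:
            subject, index = "parameter", n
        elif code & RC_S:
            subject, index = "session", n & 0x7
        else:
            subject, index = "handle", n
        return {"layer": 0, "format": 1, "error": error,
                "name": FMT1_ERRORS.get(error, "0x%02x" % error),
                "subject": subject, "index": index}
    # Format 0: bit 8 = TPM 2.0 code, bit 10 = vendor defined, bit 11 = warning.
    return {"layer": 0, "format": 0, "error": code & 0x7F,
            "tpm2": bool(code & 0x100), "vendor": bool(code & 0x400),
            "warning": bool(code & 0x800)}


def describe(rc):
    """One-line summary of a response code."""
    d = decode_rc(rc)
    if d["format"] == 1:
        return "%s on %s %d" % (d["name"], d["subject"], d["index"])
    if d["format"] == 0:
        kind = "warning" if d["warning"] else "error"
        return "format-0 %s 0x%02x" % (kind, d["error"])
    return "layer 0x%02x code 0x%04x" % (d["layer"], d["code"])


if __name__ == "__main__":
    print("0x98e:", describe(0x98E))
```
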

* [tpm2] tpm2-tss question
@ 2017-12-14  6:58 Yasuhiro Hosoda
  0 siblings, 0 replies; 17+ messages in thread
From: Yasuhiro Hosoda @ 2017-12-14  6:58 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 2666 bytes --]

My name is Yasuhiro Hosoda.


I am developing a program using TSS1.0(Nov1.2016).
I encountered a problem with PolicySecret error 0x98e and need help.
My program uses tpmtest.cpp as a base of development.
The situation is as follows:

1 Create TPM Keys like this.

EK
|--------
|          |
MK       AK
|
SK

2 Execute PolicySecret twice using HMAC session. At first, it ends 
without error. Then it ends with 0x98e
For clarification, I print out the values of Virtual Handle and Real Handle.
The value of Virtual/Real Handles differ at 2nd execution of the command.
(See NO 25/26 Below)

I understand that the resource manager assigns Virtual Handle and my 
program calculates HMAC using that handles.
On the other hand, TPM may calculate HMAC using Real Handle.
That is my hypothesis.

Any suggestion about the usage of Session Handle?

NO      Command           Virtual/Real Handle         LOC
1.    CreatePrimary(EK) real=80000000, virtual=80000000 8381
2.    HierarchyChangeAuth1 8421
3.    HierarchyChangeAuth2 8431
4.    StartAuthSession(Policy) real=3000000, virtual=3000000 8480
5.    PolicySecret(ENDORSEMENT) 8494
6.    Create(MK) 8515
7.    PolicySecret(ENDORSEMENT) 8529
8.    Load(MK) real=80000001, virtual=80000001 8542
9.    Evict(MK) 8552
10.    Create(SK) 8590
11.    Load(SK) real=80000001, virtual=80000002 8598
12.    PolicySecret(ENDORSEMENT) 8609
13.    Create(AK) 8635
14.    PolicySecret(ENDORSEMENT) 8645
15.    Load(AK) real=80000001, virtual=80000003 8655
16.    FlushContext(POLICY) 8664
17.    StartAuthSession(POLICY) real=3000000, virtual=3000000 8668
18.    StartAuthSession(HMAC) real=2000001, virtual=2000001 8678
19.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000004 3706
20.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000005 3706
21.    PolicySecret(SK) 8711
22.    FlushContext(HMAC) 8717
23.    FlushContext(POLICY) 8724
24.    CertifyCreation(SK) 8738
25.    StartAuthSession(POLICY) real=3000000, virtual=3000001 8745
26.    StartAuthSession(HMAC) real=2000001, virtual=2000000 8754
27.    ComputeCommandHMAC(LoadExternal) real=80000000, virtual=80000005 8782
28.    ComputeCommandHMAC(HMAC_Start) real=80000001, virtual=80000004 8782
29.    PolicySecret(SK) 8789

The whole  source program can be found here.
https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt


Kind regards,

-- 
Yasuhiro Hosoda

NTT Electronics Corporation (NEL)
Security Support Project



^ permalink raw reply	[flat|nested] 17+ messages in thread
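
What the hypothesis in the message above predicts, as an added example (not code from the post, tpmtest.cpp or tpm2-tss): in TPM 2.0 the cpHash under the command HMAC covers the command code, the Name of every handle in the handle area and the parameters, and the Name of a session handle is the handle value itself. The key, nonces and SK Name are constructed, and it is an assumption that the policy session is PolicySecret's policySession handle and that the caller hashes the handle value it was given.

```python
"""PolicySecret command HMAC with a virtual vs. real policy-session handle."""
import hashlib
import hmac
import struct

TPM2_CC_POLICY_SECRET = 0x00000151

# --- Constructed sample values (not taken from the post's program) ---
# Name of a loaded object: nameAlg (0x000B = SHA-256) || H(public area).
SK_NAME = b"\x00\x0b" + hashlib.sha256(b"constructed SK public area").digest()
HMAC_KEY = b"constructed sessionKey" + b"constructed authValue"
NONCE_CALLER = bytes(range(32))
NONCE_TPM = bytes(range(32, 64))
SESSION_ATTRS = 0x01  # continueSession
# PolicySecret parameters: empty nonceTPM, cpHashA, policyRef; expiration 0.
PARAMS = struct.pack(">HHHi", 0, 0, 0, 0)

# Policy-session handle pairs (virtual, real) printed in rows 17 and 25
# of the trace in the post, written out as 32-bit hex values.
FIRST_RUN = (0x03000000, 0x03000000)
SECOND_RUN = (0x03000001, 0x03000000)


def handle_name(handle):
    """Name of a session, PCR or permanent handle: the 4-byte handle."""
    return struct.pack(">I", handle)


def cp_hash(command_code, names, params):
    """cpHash = H(commandCode || Name1 || Name2 ... || parameters)."""
    h = hashlib.sha256(struct.pack(">I", command_code))
    for name in names:
        h.update(name)
    h.update(params)
    return h.digest()


def auth_hmac(key, cphash, nonce_newer, nonce_older, attrs):
    """authHMAC = HMAC(key, cpHash || nonceNewer || nonceOlder || attrs)."""
    msg = cphash + nonce_newer + nonce_older + bytes([attrs])
    return hmac.new(key, msg, hashlib.sha256).digest()


def policy_secret_hmac(policy_session_handle):
    """Command HMAC for PolicySecret(SK, policySession) as one side sees it."""
    names = [SK_NAME, handle_name(policy_session_handle)]
    cph = cp_hash(TPM2_CC_POLICY_SECRET, names, PARAMS)
    return auth_hmac(HMAC_KEY, cph, NONCE_CALLER, NONCE_TPM, SESSION_ATTRS)


def tpm_accepts(handle_seen_by_app, handle_seen_by_tpm):
    """True when the caller's HMAC matches the one the TPM recomputes."""
    return hmac.compare_digest(policy_secret_hmac(handle_seen_by_app),
                               policy_secret_hmac(handle_seen_by_tpm))


if __name__ == "__main__":
    for label, (virt, real) in (("row 17", FIRST_RUN), ("row 25", SECOND_RUN)):
        verdict = "match" if tpm_accepts(virt, real) else "mismatch"
        print("%s virtual=%08x real=%08x -> HMAC %s" % (label, virt, real, verdict))
```

With the row-17 pair both sides compute the same HMAC; with the row-25 pair they do not, which is the condition a TPM reports as TPM2_RC_AUTH_FAIL.
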

end of thread, other threads:[~2018-10-24  5:03 UTC | newest]

Thread overview: 17+ messages
2018-01-18 14:43 [tpm2] tpm2-tss question Yasuhiro Hosoda
  -- strict thread matches above, loose matches on Subject: below --
2018-10-24  5:03 Yasuhiro Hosoda
2018-07-23  4:44 Yasuhiro Hosoda
2018-04-11 11:18 Fuchs, Andreas
2018-04-11  8:38 Yasuhiro Hosoda
2018-04-11  6:26 Fuchs, Andreas
2018-04-11  6:11 Yasuhiro Hosoda
2018-02-28 22:54 Yasuhiro Hosoda
2018-02-08 13:26 Yasuhiro Hosoda
2018-01-29 22:37 Yasuhiro Hosoda
2018-01-25 18:30 Roberts, William C
2018-01-18 23:11 Yasuhiro Hosoda
2018-01-18 18:11 Roberts, William C
2018-01-14 21:51 Roberts, William C
2018-01-12  9:46 Yasuhiro Hosoda
2017-12-26 17:30 Roberts, William C
2017-12-14  6:58 Yasuhiro Hosoda
