You said in the former mail that
"Unless you took an RM virtualized handle and went directly to the TPM
with it, there shouldn't be a problem."
I have checked again and found that my program uses an RM
virtualized handle for computing HMAC, and if I substitute the real
handle for the virtual one, the error 0x98e disappears.
Any advice?
Thank you for your reply.
Where can I find necessary information for "get HMAC to work"?
And, where can I find extended-sessions.sh?
Many thanks.
test/system/tests/tcti/abrmd/extended-sessions.sh
That uses abrmd which has an RM extension to allow session handles
to be marked for non-flushing on client disconnection, but that
point likely won't concern you.
This test script uses tools that start a pcr policy session, satisfy or build the policy,
and use it for unsealing data.
It might be good to see if you can get HMAC to work in this framework from a
learning perspective and then you could contribute hmac policy session support
back to the tools.
-----Original Message-----
From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro@ntt-el.com]
Sent: Thursday, January 18, 2018 3:11 PM
To: Roberts, William C <william.c.roberts@intel.com>; tpm2@lists.01.org
Subject: Re: [tpm2] tpm2-tss question
You said that "I would look at how the tpm2-tools do it, they make for decent
reference code."
Would you tell me the place of tpm2-tools where I should look as reference code.
Regards,
-----Original Message-----
From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro@ntt-el.com]
Sent: Thursday, January 18, 2018 6:44 AM
To: Roberts, William C <william.c.roberts@intel.com>; tpm2@lists.01.org
Subject: Re: [tpm2] tpm2-tss question
I very much appreciate your help. I am expecting your information about
tpm2-tools.

What information are you expecting?

-----Original Message-----
From: Yasuhiro Hosoda [mailto:hosoda-yasuhiro@ntt-el.com]
Sent: Friday, January 12, 2018 1:47 AM
To: Roberts, William C <william.c.roberts@intel.com>; tpm2@lists.01.org
Subject: Re: [tpm2] tpm2-tss question
Hi, Mr. Roberts, William
Thank you for your advice.
I had already checked the details of this error code.
My understanding is that the problem is not the setting of the auth
but that a discrepancy occurs between the virtual handles and the
real handles in the resource manager.

Unless you took an RM virtualized handle and went directly to the TPM
with it, there shouldn't be a problem. The RM should be swapping out
virtualized handles with real ones for you before they hit the tpm, and thus,
should be transparent.
As far as what the problem is, it's hard to tell offhand. I would look
at how the tpm2-tools do it, they make for decent reference code.

Any help will be greatly appreciated
Regards,
0x98e is:
$ ./tpm2_rc_decode 0x98e
error layer
  hex: 0x0
  identifier: TSS2_TPM_RC_LAYER
  description: Error produced by the TPM
format 1 error code
  hex: 0x0e
  identifier: TPM2_RC_AUTH_FAIL
  description: the authorization HMAC check failed and DA counter incremented
session
  hex: 0x100
  identifier: TPM2_RC_1
  description: (null)
So it looks like you're not setting up the auth properly in the session.
-----Original Message-----
From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Yasuhiro Hosoda
Sent: Wednesday, December 13, 2017 10:59 PM
To: tpm2@lists.01.org
Subject: [tpm2] tpm2-tss question
My name is Yasuhiro Hosoda.
I am developing a program using TSS1.0(Nov1.2016).
I encountered a problem with PolicySecret error 0x98e and need help.
My program uses tpmtest.cpp as a base of development.
The situation is as follows:
1 Create TPM Keys like this.
   EK
   |--------
   |       |
   MK      AK
   |
   SK
2 Execute PolicySecret twice using HMAC session. At first, it ends
without error.
Then it ends with 0x98e. For clarification, I print out the values
of Virtual Handle and Real Handle.
The value of Virtual/Real Handles differ at 2nd execution of the command.
(See NO 25/26 Below)
I understand that the resource manager assigns Virtual Handle and
my program calculates HMAC using those handles.
On the other hand, TPM may calculate HMAC using Real Handle.
That is my hypothesis.
Any suggestion about the usage of Session Handle?
NO  Command                           Virtual/Real Handle               LOC
 1. CreatePrimary(EK)                 real=80000000, virtual=80000000   8381
 2. HierarchyChangeAuth1                                                8421
 3. HierarchyChangeAuth2                                                8431
 4. StartAuthSession(Policy)          real=3000000, virtual=3000000     8480
 5. PolicySecret(ENDORSEMENT)                                           8494
 6. Create(MK)                                                          8515
 7. PolicySecret(ENDORSEMENT)                                           8529
 8. Load(MK)                          real=80000001, virtual=80000001   8542
 9. Evict(MK)                                                           8552
10. Create(SK)                                                          8590
11. Load(SK)                          real=80000001, virtual=80000002   8598
12. PolicySecret(ENDORSEMENT)                                           8609
13. Create(AK)                                                          8635
14. PolicySecret(ENDORSEMENT)                                           8645
15. Load(AK)                          real=80000001, virtual=80000003   8655
16. FlushContext(POLICY)                                                8664
17. StartAuthSession(POLICY)          real=3000000, virtual=3000000     8668
18. StartAuthSession(HMAC)            real=2000001, virtual=2000001     8678
19. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000005   3706
20. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000005   3706
21. PolicySecret(SK)                                                    8711
22. FlushContext(HMAC)                                                  8717
23. FlushContext(POLICY)                                                8724
24. CertifyCreation(SK)                                                 8738
25. StartAuthSession(POLICY)          real=3000000, virtual=3000001     8745
26. StartAuthSession(HMAC)            real=2000001, virtual=2000000     8754
27. ComputeCommandHMAC(LoadExternal)  real=80000000, virtual=80000004   8782
28. ComputeCommandHMAC(HMAC_Start)    real=80000001, virtual=80000004   8782
29. PolicySecret(SK)                                                    8789
The whole source program can be found here.
https://github.com/intel/tpm2-tss/files/1516612/tpmtest.cpp_0x98e_2.txt
Kind regards,
--
Yasuhiro Hosoda
NTT Electronics Corporation (NEL)
Security Support Project
_______________________________________________
tpm2 mailing list
tpm2@lists.01.org
https://lists.01.org/mailman/listinfo/tpm2
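
Added example, not part of the original thread and not code from tpmtest.cpp: the handle hypothesis discussed above, worked through in Python. In TPM 2.0 the Name of a session handle is the handle value itself and is hashed into cpHash, so a command HMAC computed over a virtual policy-session handle differs from the one the TPM computes over the real handle. The session key, nonces and SK public area are constructed values; the handles are those of rows 17 and 25 of the table, read as hexadecimal.

```python
import hashlib
import hmac
import struct

TPM_CC_POLICY_SECRET = 0x00000151  # TPM2_PolicySecret command code
TPM_ALG_SHA256 = 0x000B

def handle_name(handle):
    """Name of a session, PCR or permanent handle: the 4-byte handle itself."""
    return struct.pack(">I", handle)

def object_name(public_area):
    """Name of a loaded object: nameAlg || H(public area), handle-independent."""
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public_area).digest()

def cp_hash(command_code, names, params):
    """cpHash = H(commandCode || Name1 || Name2 || parameters)."""
    data = struct.pack(">I", command_code) + b"".join(names) + params
    return hashlib.sha256(data).digest()

def command_hmac(key, cphash, nonce_caller, nonce_tpm, attrs):
    """authHMAC = HMAC(sessionKey || authValue, cpHash || nonces || attributes)."""
    msg = cphash + nonce_caller + nonce_tpm + bytes([attrs])
    return hmac.new(key, msg, hashlib.sha256).digest()

def policy_secret_hmac(policy_session_handle):
    """HMAC for PolicySecret(authHandle=SK, policySession=<handle>)."""
    # Constructed inputs (assumptions, not values from tpmtest.cpp).
    sk_name = object_name(b"constructed SK public area")
    # Empty nonceTPM, cpHashA and policyRef, then expiration = 0.
    params = struct.pack(">HHHi", 0, 0, 0, 0)
    names = [sk_name, handle_name(policy_session_handle)]
    cph = cp_hash(TPM_CC_POLICY_SECRET, names, params)
    return command_hmac(b"constructed key", cph, b"\x11" * 32, b"\x22" * 32, 0x01)

def tpm_accepts(app_handle, tpm_handle):
    """True if the HMAC built over app_handle matches the TPM's over tpm_handle."""
    return hmac.compare_digest(policy_secret_hmac(app_handle),
                               policy_secret_hmac(tpm_handle))

if __name__ == "__main__":
    # Row 17: virtual == real, so both sides hash the same session Name.
    print("first run :", tpm_accepts(0x03000000, 0x03000000))
    # Row 25: virtual=3000001, real=3000000, so cpHash and the HMAC differ.
    print("second run:", tpm_accepts(0x03000001, 0x03000000))
```

The SK object's Name is derived from its public area, so its changing virtual handle does not affect the result; only the session handle, whose Name is the handle, does.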