hi,
thank you hal and i manage to find the correct auth values for the SRK as
well as my sealed blob, as adviced by your posts 2 years ago in this mailing
list to run the seal and unseal from testsuites and read the debug output.
but theres just one (hopefully, last) bit to unseal:
right now, i am sealing some data using a modified testsuite sealing
example, sealing to PCR8 (which is 0x00 all the time) using the SRK.
however, when i tried to unseal the sealed blob at a different locality, i
get the a TIS_READ_ERROR 0x00, and a TPM_WRONGPCRVAL (0x18) (PCR values does
not match) error if i used the TSS_PCRS_STRUCT_DEFAULT (0x00) or
TSS_PCRS_STRUCT_INFO flag. but i printed out my PCR8 and its at 0x00. then
i realised locality is also checked during an unseal to match the locality
during seal. my unseal is at locality 3 during after SKINIT instruction is
being called while my seal is done before SKINIT (not locality 3).
On another occasion, i got a TPM_BAD_LOCALITY, which i think was created by
using TSS_PCRS_STRUCT_INFO_LONG flag instead, but i couldn't replicate it.
i am assuming that by reaching these checks, my auth values for the key and
the sealed data are both correct since this is the last check to be done as
stated in the specs.
i looked at the part 1 of the specifications (Design Principles) and there
is a section on PCR Grand Unification Theory and it said something about
sealing for another configuration. How do i seal it for an unseal at a
different locality to take place? If not, what can i set/unset to ignore
locality during the seal operation?
thanks a lot! - adrian
On Thu, Dec 3, 2009 at 2:04 AM, Hal Finney <[email protected]> wrote:
> Hi Adrian - If I understand your question, yes, Seal has a data auth
> value. Seal/Unseal is a rather unusual operation that is different
> from Encrypt/Decrypt. With Seal, in addition to specifying the auth
> value for the key you are sealing to, you specify a separate auth
> value that is specific to that Seal operation. Then to Unseal, you
> have to specify the same auth value that was used for the Seal (in
> addition to the key auth value).
>
> One thing this allows you to do is to securely Seal to the SRK even
> though its auth value is usually well-known (often 20 bytes of zeros).
> You can do the Seal using a password as the auth value, and then the
> same password must be given for the Unseal. You don't have to create a
> key in order to do secure encryption operations with the TPM, you can
> use the pre-existing SRK.
>
> Hal
>
> On Tue, Dec 1, 2009 at 6:59 PM, adrian golding <[email protected]>
> wrote:
> > hi,
> > this post helped me a
> > lot:
> http://sourceforge.net/mailarchive/[email protected]
> > i am trying to write an unseal very much alike what the authors in the
> above
> > post had done, and i need to obtain all the 13 parameters to send as part
> of
> > TPM_Unseal and i'm down to the last one, which is the dataAuth parameter
> > (TPM_AUTHDATA) that is the authorization digest for the sealed blob. for
> > easy reference, i cut and pasted a portion of the referenced post here:
> > "
> >> Unseal requires two auth sessions, one for the key and one for the
> >> data blob. So you make two calls to OSAP or OIAP before doing
> >> TPM_Unseal. Then you compute a second HMAC over the parameters labeled
> >> 2H2, 3H2, and 4H2. As before, the 1st HMAC parameter is the
> >> inParamDigest, the SHA-1 of the parameters labeled 1S and 2S. The HMAC
> >> key is either the shared secret if an OSAP session was used, or the
> >> data auth value if it was an OIAP session. Then the output of this
> >> HMAC is the dataAuth parameter.
> > "
> > since i am using OIAP sessions to calculate the HMACs, my question is on
> how
> > to get the "auth value" (which is stated as entity.usageAuth) for the
> data
> > blob, so i can use it as the key to the HMAC. is this 20-byte value
> passed
> > in as a parameter during the seal operation? Since this is a sealed blob
> > instead of a key object, does it even have an auth value?
> > thank you - adrian
>
------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
