Hi Adrian - If you look at the document titled "TCG PC Client Specific TPM Interface Specification (TIS)" section 7.2, it shows what you can do with each PCR in terms of localities. PCR 17 can be reset only in locality 4 and can be extended only in localities 2, 3, or 4. Then if you look at section 9.1 it says:

"The platform-specific specification indicates what the locality settings are for each PCR register. PCR[0-15] do not allow the reset and have no locality requirements (this matches the usage model of these PCR registers for TCG 1.1). PCR[17-20] can be reset using Locality 4 and can be read, used or modified using Locality 1-3. PCR[21-22] are reserved for and controlled by the T/OS. PCR[23]'s usage is reserved and must not be used."

It appears that PCR17 cannot be read or used in locality 0, which is the only locality available unless you are using the special dynamic trust instructions GETSEC[SENTER] or SKINIT. I believe you could use PCR16 or PCR23 in locality 0, if you want to use a high numbered one. I would ignore that command that PCR23 must not be used; I think it is directed at system designers and means that it should not be reserved for use by the OS, rather it is available for application programmers.

Hal Finney

On Mon, Dec 7, 2009 at 9:13 PM, adrian golding <[email protected]> wrote:
> hi
>
> - decided to create a new thread since it's another issue now -
> Instead of PCR8 as I tried previously, this time I tried to seal to PCR17
> instead, and I had to use the TSS_PCRS_STRUCT_INFO_LONG flag as advised in a
> previous forum post.
>
> 1) Using the modified testsuite code for unseal (which worked for PCR8), I
> tried to seal and then unseal the encrypted blob to PCR17 and it returned
> TPM_BAD_LOCALITY (0x3D) as the return value for tpm_unseal (which is not
> stated in the specs for TPM_Unseal). If I deliberately seal to a wrong PCR
> value, it returns the TPM_WRONGPCRVAL error code, which was what I
> expected.
> 2) If I try to unseal using the unseal I had written myself (the first case
> uses tspi_data_unseal(); in this case I am in locality 3 sending parameters
> for a TPM_Unseal directly to the TPM), I get the same error.
>
> The error log for (1) is as follows; the log for (2) is about the same too,
> except that it is not generated from tcsd and it has different OIAP session
> nonces:
>
> TCSD TCS tcsi_seal.c:103 Entering Unseal
> TCSD TCS tcsi_seal.c:112 Auth used
> TCSD TCS tcs_key_mem_cache.c:159 ensureKeyIsLoaded: 0x40000000
> TCSD TCS tcs_key_mem_cache.c:708 mc_get_slot_by_handle: TCSD mem_cached handle: 0x40000000
> TCSD TCS tcs_key_mem_cache.c:167 keySlot is 40000000
> TCSD TCS tcs_key_mem_cache.c:865 mc_update_time_stamp: TCSD mem_cached handle: 0x40000000
> TCSD TCS tcs_key_mem_cache.c:192 ensureKeyIsLoaded: Exit
> To TPM: 00 C3 00 00 01 AA 00 00 00 18 40 00 00 00 00 16
> To TPM: 00 00 00 00 00 36 00 06 01 00 00 03 00 00 00 00
> To TPM: 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00
> To TPM: 00 00 00 00 00 00 00 00 08 A7 34 68 E0 11 85 51
> To TPM: 86 80 B2 41 5B B9 59 07 CE 71 1D 9D 00 00 01 00
> To TPM: 3D BB 49 46 F1 19 A8 D1 AA 26 DF CA 32 6C B6 B4
> To TPM: 30 9E 82 38 6C 83 96 C0 68 87 09 2B 5E 0B 8C 29
> To TPM: 96 B9 6A 12 D0 D3 9A BB D9 4B 23 35 07 40 04 5F
> To TPM: E8 5C 19 8B 7B 5D DF 7F A5 DC 71 69 D8 53 CB DF
> To TPM: 76 23 EF 9A 9F F9 8C 71 29 60 3D 89 9F 90 A7 53
> To TPM: 59 32 CC 93 BA 51 EE 6F 11 E8 BC B0 49 55 40 83
> To TPM: C6 31 A6 17 6F A2 10 4B FA E2 F0 C7 FA E0 D9 C4
> To TPM: E9 4C 40 4B 1E 99 BC 42 3B AE 29 8B 0F 09 EB 68
> To TPM: 82 1D F1 20 17 5C B4 C3 2F CC 93 7F 86 82 CA 1A
> To TPM: EC BB 50 3B F0 5F 75 6F 90 DB 47 7F 53 A9 E9 4B
> To TPM: 6F D2 AF 12 E7 0A 6B B3 62 B5 50 C7 47 C5 4F 3F
> To TPM: 00 AA F0 06 E0 D2 B3 5A 0A 90 86 34 4C 37 82 68
> To TPM: DE 14 FA F3 96 63 62 FC C1 5B 8C 55 10 BD E4 85
> To TPM: C7 17 13 B3 3C 4A 53 52 A5 53 FB F3 9C 76 94 07
> To TPM: 13 59 B4 F9 C0 28 97 D2 0B 1A 87 7D 33 91 99 76
> To TPM: 46 10 3E 54 26 1F 68 48 AD 80 99 6A 18 43 2B 43
> To TPM: 8D DC 09 D7 7F 0F 0D CA ED 7A 80 C4 D9 6A C9 23
> To TPM: 49 07 CF F9 88 B7 73 50 00 12 46 ED 03 FE 70 79
> To TPM: BD 51 7E 56 F4 78 00 60 D6 56 0B 45 35 78 31 65
> To TPM: 22 E7 1D 81 E5 F4 36 35 D7 00 4F AD 0E 82 55 83
> To TPM: 9E 1C 28 98 90 00 D0 3B 0F D1 AE FA 78 F3 4C 4C
> To TPM: E6 A2 3F 88 0F A8 50 85 B7 FC
> TCSD TDDL tddl.c:105 Calling write to driver
> From TPM: 00 C4 00 00 00 0A 00 00 00 3D
>
> ---------------
> Did anyone try to seal and unseal to PCR17 and it works?
>
> thank you - adrian
>
>
> On Fri, Dec 4, 2009 at 5:43 PM, adrian golding <[email protected]> wrote:
>> hi,
>>
>> thank you hal and I managed to find the correct auth values for the SRK as
>> well as my sealed blob, as advised by your posts 2 years ago in this mailing
>> list to run the seal and unseal from testsuites and read the debug output.
>> But there's just one (hopefully, last) bit to unseal:
>>
>> Right now, I am sealing some data using a modified testsuite sealing
>> example, sealing to PCR8 (which is 0x00 all the time) using the SRK.
>> However, when I tried to unseal the sealed blob at a different locality, I
>> get a TIS_READ_ERROR 0x00, and a TPM_WRONGPCRVAL (0x18) (PCR values do
>> not match) error if I used the TSS_PCRS_STRUCT_DEFAULT (0x00) or
>> TSS_PCRS_STRUCT_INFO flag. But I printed out my PCR8 and it's at 0x00. Then
>> I realised locality is also checked during an unseal to match the locality
>> during seal. My unseal is at locality 3 after the SKINIT instruction is
>> called, while my seal is done before SKINIT (not locality 3).
>>
>> On another occasion, I got a TPM_BAD_LOCALITY, which I think was created
>> by using the TSS_PCRS_STRUCT_INFO_LONG flag instead, but I couldn't replicate
>> it.
>>
>> I am assuming that by reaching these checks, my auth values for the key
>> and the sealed data are both correct, since this is the last check to be done
>> as stated in the specs.
>>
>> I looked at part 1 of the specifications (Design Principles) and there
>> is a section on PCR Grand Unification Theory and it said something about
>> sealing for another configuration. How do I seal it for an unseal at a
>> different locality to take place? If not, what can I set/unset to ignore
>> locality during the seal operation?
>>
>> thanks a lot! - adrian
>
>
> ------------------------------------------------------------------------------
> Return on Information:
> Google Enterprise Search pays you back
> Get the facts.
> http://p.sf.net/sfu/google-dev2dev
>
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
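Hal's answer works from the TIS locality table, but the request in Adrian's tcsd log also carries the locality policy the TPM actually enforces: the TPM_PCR_INFO_LONG embedded in the sealed blob. The decoder below is an added example written for this page (it is not code from the thread, from Hal, or from TrouSerS). It reassembles the "To TPM:" bytes from the log, walks the TPM 1.2 structures (TPM_STORED_DATA12, TPM_PCR_INFO_LONG and TPM_PCR_SELECTION, laid out as in TPM 1.2 Part 2, which is assumed correct here), and applies the same localityAtRelease bitmask test that TPM_Unseal performs. The `locality_check` helper is this page's restatement of the spec's test, not a TrouSerS API.

```python
"""Decode the TPM_Unseal request and reply captured in the tcsd log above (TPM 1.2).

Added example, not code from the thread or from TrouSerS. Layouts follow TPM 1.2
Part 2 (TPM_STORED_DATA12, TPM_PCR_INFO_LONG, TPM_PCR_SELECTION); all big-endian.
"""
import struct

TPM_TAG_RQU_AUTH2_COMMAND = 0x00C3  # request carrying two auth sessions (parent key, sealed data)
TPM_ORD_Unseal = 0x00000018
TPM_TAG_STORED_DATA12 = 0x0016
TPM_TAG_PCR_INFO_LONG = 0x0006
TPM_WRONGPCRVAL = 0x18
TPM_BAD_LOCALITY = 0x3D
RC_NAMES = {0: "TPM_SUCCESS", TPM_WRONGPCRVAL: "TPM_WRONGPCRVAL", TPM_BAD_LOCALITY: "TPM_BAD_LOCALITY"}

# The 426 request bytes from the "To TPM:" lines of the log (page data, 32 bytes per line here).
UNSEAL_REQUEST_HEX = """
00 C3 00 00 01 AA 00 00 00 18 40 00 00 00 00 16 00 00 00 00 00 36 00 06 01 00 00 03 00 00 00 00
03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 A7 34 68 E0 11 85 51
86 80 B2 41 5B B9 59 07 CE 71 1D 9D 00 00 01 00 3D BB 49 46 F1 19 A8 D1 AA 26 DF CA 32 6C B6 B4
30 9E 82 38 6C 83 96 C0 68 87 09 2B 5E 0B 8C 29 96 B9 6A 12 D0 D3 9A BB D9 4B 23 35 07 40 04 5F
E8 5C 19 8B 7B 5D DF 7F A5 DC 71 69 D8 53 CB DF 76 23 EF 9A 9F F9 8C 71 29 60 3D 89 9F 90 A7 53
59 32 CC 93 BA 51 EE 6F 11 E8 BC B0 49 55 40 83 C6 31 A6 17 6F A2 10 4B FA E2 F0 C7 FA E0 D9 C4
E9 4C 40 4B 1E 99 BC 42 3B AE 29 8B 0F 09 EB 68 82 1D F1 20 17 5C B4 C3 2F CC 93 7F 86 82 CA 1A
EC BB 50 3B F0 5F 75 6F 90 DB 47 7F 53 A9 E9 4B 6F D2 AF 12 E7 0A 6B B3 62 B5 50 C7 47 C5 4F 3F
00 AA F0 06 E0 D2 B3 5A 0A 90 86 34 4C 37 82 68 DE 14 FA F3 96 63 62 FC C1 5B 8C 55 10 BD E4 85
C7 17 13 B3 3C 4A 53 52 A5 53 FB F3 9C 76 94 07 13 59 B4 F9 C0 28 97 D2 0B 1A 87 7D 33 91 99 76
46 10 3E 54 26 1F 68 48 AD 80 99 6A 18 43 2B 43 8D DC 09 D7 7F 0F 0D CA ED 7A 80 C4 D9 6A C9 23
49 07 CF F9 88 B7 73 50 00 12 46 ED 03 FE 70 79 BD 51 7E 56 F4 78 00 60 D6 56 0B 45 35 78 31 65
22 E7 1D 81 E5 F4 36 35 D7 00 4F AD 0E 82 55 83 9E 1C 28 98 90 00 D0 3B 0F D1 AE FA 78 F3 4C 4C
E6 A2 3F 88 0F A8 50 85 B7 FC
"""
UNSEAL_RESPONSE_HEX = "00 C4 00 00 00 0A 00 00 00 3D"  # the "From TPM:" line of the log


def from_hexdump(text):
    return bytes.fromhex("".join(text.split()))


def localities(mask):
    """Expand a TPM_LOCALITY_SELECTION bitmask: bit n set means locality n is selected."""
    return [n for n in range(5) if mask >> n & 1]


def parse_pcr_selection(buf, off):
    """TPM_PCR_SELECTION: UINT16 sizeOfSelect, then a bitmap where bit i of byte j is PCR 8j+i."""
    (size,) = struct.unpack_from(">H", buf, off)
    sel = buf[off + 2:off + 2 + size]
    return [8 * j + i for j, b in enumerate(sel) for i in range(8) if b >> i & 1], off + 2 + size


def parse_pcr_info_long(buf):
    """TPM_PCR_INFO_LONG: tag, localityAtCreation, localityAtRelease, creationPCRSelection,
    releasePCRSelection, digestAtCreation (20 bytes), digestAtRelease (20 bytes)."""
    tag, loc_create, loc_release = struct.unpack_from(">HBB", buf, 0)
    if tag != TPM_TAG_PCR_INFO_LONG:
        raise ValueError("not a TPM_PCR_INFO_LONG (tag 0x%04x)" % tag)
    creation_pcrs, off = parse_pcr_selection(buf, 4)
    release_pcrs, off = parse_pcr_selection(buf, off)
    return {"locality_at_creation": loc_create, "locality_at_release": loc_release,
            "creation_pcrs": creation_pcrs, "release_pcrs": release_pcrs,
            "digest_at_creation": buf[off:off + 20].hex(),
            "digest_at_release": buf[off + 20:off + 40].hex()}


def parse_unseal_request(raw):
    """Walk the request: header, parentHandle, TPM_STORED_DATA12, then two 45-byte auth blocks."""
    tag, param_size, ordinal, parent = struct.unpack_from(">HIII", raw, 0)
    if tag != TPM_TAG_RQU_AUTH2_COMMAND or ordinal != TPM_ORD_Unseal:
        raise ValueError("not an AUTH2 TPM_Unseal request")
    if param_size != len(raw):
        raise ValueError("paramSize %d but %d bytes captured" % (param_size, len(raw)))
    sd_tag, _entity_type, seal_info_size = struct.unpack_from(">HHI", raw, 14)
    if sd_tag != TPM_TAG_STORED_DATA12:
        raise ValueError("not a TPM_STORED_DATA12 blob (tag 0x%04x)" % sd_tag)
    off = 22
    pcr_info = parse_pcr_info_long(raw[off:off + seal_info_size])
    off += seal_info_size
    (enc_size,) = struct.unpack_from(">I", raw, off)
    off += 4 + enc_size                      # skip the RSA-encrypted sealed data
    auths = []
    for _ in range(2):                       # parentAuth session, then dataAuth session
        (handle,) = struct.unpack_from(">I", raw, off)
        auths.append({"handle": handle, "nonce_odd": raw[off + 4:off + 24].hex(),
                      "continue": raw[off + 24], "auth": raw[off + 25:off + 45].hex()})
        off += 45
    if off != len(raw):
        raise ValueError("%d unexpected trailing bytes" % (len(raw) - off))
    return {"parent_handle": parent, "enc_data_size": enc_size, "pcr_info": pcr_info, "auths": auths}


def parse_response(raw):
    tag, size, rc = struct.unpack_from(">HII", raw, 0)
    return {"tag": tag, "size": size, "rc": rc, "name": RC_NAMES.get(rc, "0x%02x" % rc)}


def locality_check(locality_at_release, current_locality):
    """TPM_Unseal's locality test: the bit for the current locality must be set in
    localityAtRelease, otherwise the TPM answers TPM_BAD_LOCALITY."""
    return 0 if locality_at_release >> current_locality & 1 else TPM_BAD_LOCALITY


if __name__ == "__main__":
    info = parse_unseal_request(from_hexdump(UNSEAL_REQUEST_HEX))["pcr_info"]
    print("release PCRs", info["release_pcrs"], "sealed at locality", localities(info["locality_at_creation"]),
          "releasable at localities", localities(info["locality_at_release"]))
    for loc in range(5):
        print("unseal at locality %d ->" % loc, RC_NAMES[locality_check(info["locality_at_release"], loc)])
    print("TPM replied", parse_response(from_hexdump(UNSEAL_RESPONSE_HEX))["name"])
```

Run on the logged bytes, the decoder reports releasePCRSelection = PCR 17, localityAtCreation = 0x01 (locality 0, i.e. the blob was sealed before SKINIT) and localityAtRelease = 0x00, a selection that admits no locality at all, so the bitmask test fails in every locality, including the locality 3 Adrian unseals from; the paramSize (0x1AA = 426) matches the capture, both auth blocks sit where the layout predicts, and the reply decodes to TPM_BAD_LOCALITY (0x3D). The value written into localityAtRelease at seal time is therefore the first thing to inspect in the sealing code: 0x08 would admit locality 3 only, 0x1F all five. In the TSS 1.2 API that field of a TSS_PCRS_STRUCT_INFO_LONG composite is set with Tspi_PcrComposite_SetPcrLocality; whether Adrian's modified testsuite code calls it is not visible on this page.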
