Hi,

On Tue, Aug 23, 2011 at 10:57 AM, <[email protected]> wrote:
> I'm trying to use an AIK to certify a bind key. If I specify no PCR values for
> the key (passing hPcrComposite => 0 to Tspi_Key_CreateKey), everything is OK,
> however if I specify any PCR values (even if only for PCRs < 16),
> Tspi_Key_CertifyKey fails with "Error while certifying key: Error code:
> Locality is incorrect for attempted operation (0x3D)".
>
> If I restrict a bind key to some PCR values (even for PCR values >= 16), I can
> bind and unbind with it fine; it's just certifying that fails. I'm creating
> bind keys with initFlags TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 |
> TSS_KEY_STRUCT_KEY12,
> and the PCR composite objects with TSS_PCRS_STRUCT_INFO_LONG. I also do:
> Tspi_PcrComposite_SetPcrLocality(hPCRs,
>                                  TPM_LOC_ZERO | TPM_LOC_ONE | TPM_LOC_TWO
>                                  | TPM_LOC_THREE | TPM_LOC_FOUR).
>
> TPM is Infineon 1.2.1.2.
> Trousers version is 0.3.5git.
>
> Any idea what causes this?
I took a look at the code for the software TPM [1] and saw this:

"The determination to use the TPM_CERTIFY_INFO or TPM_CERTIFY_INFO2 on the output is based on which PCRs and what localities the certified key is restricted to. A key to be certified that does not have locality restrictions and which uses no PCRs greater than PCR #15 will cause this command to return and sign a TPM_CERTIFY_INFO structure, which provides compatibility with V1.1 TPMs. When this command is run to certify all other keys (those that use PCR #16 or higher, as well as those limited by locality in any way), it will return and sign a TPM_CERTIFY_INFO2 structure."

The Infineon TPM may be expecting trousers to use the TPM_ORD_CertifyInfo2 ordinal under the covers in this case (PCR >= 16), but trousers doesn't have that logic in place right now. If you look at the Tspi validation data setup there's no logic to use TPM_ORD_CertifyKey2 instead of TPM_ORD_CertifyKey. I've opened a bug for this issue [2].

Kent

[1] http://ibmswtpm.sf.net
[2] https://sourceforge.net/tracker/?func=detail&aid=3400858&group_id=126012&atid=704358

> Thanks in advance.
>
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
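The selection rule Kent quotes from the software TPM is easy to misread, so here it is written out as a small decision function over a key's PCR binding. This is an added illustration, not code from TrouSerS or from the IBM software TPM: the ordinal values TPM_ORD_CertifyKey (0x32) and TPM_ORD_CertifyKey2 (0x33) are the TPM 1.2 spec values, the TPM_LOC_* bits are the ones named in the original message, and the one interpretation it adds is that "no locality restriction" means localityAtRelease permits every locality (TPM_LOC_ALL). Whether the Infineon part also treats a TPM_PCR_INFO_LONG binding with PCRs below 16 as locality-restricted, which is what the reported failure would suggest, is not something the thread settles, so the function below only encodes the quoted rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Ordinals of the two certify commands (TPM 1.2 Main Specification, Part 2). */
#define TPM_ORD_CertifyKey  0x00000032u
#define TPM_ORD_CertifyKey2 0x00000033u

/* TPM_LOCALITY_SELECTION bit values, as passed to Tspi_PcrComposite_SetPcrLocality. */
#define TPM_LOC_ZERO  0x01u
#define TPM_LOC_ONE   0x02u
#define TPM_LOC_TWO   0x04u
#define TPM_LOC_THREE 0x08u
#define TPM_LOC_FOUR  0x10u
#define TPM_LOC_ALL   (TPM_LOC_ZERO | TPM_LOC_ONE | TPM_LOC_TWO | TPM_LOC_THREE | TPM_LOC_FOUR)

/* Highest PCR index the v1.1-compatible TPM_CERTIFY_INFO structure can describe. */
#define TPM_V11_MAX_PCR 15

/* Walk a TPM_PCR_SELECTION.pcrSelect bitmap (PCR i lives in byte i/8, bit i%8)
 * and return the highest selected PCR index, or -1 when nothing is selected. */
int highest_selected_pcr(const uint8_t *pcr_select, size_t size_of_select)
{
    int highest = -1;
    for (size_t i = 0; i < size_of_select; i++)
        for (int bit = 0; bit < 8; bit++)
            if (pcr_select[i] & (1u << bit))
                highest = (int)(i * 8 + bit);
    return highest;
}

/* Apply the rule quoted from the software TPM to a key's PCR binding.
 *
 * pcr_select / size_of_select: the key's releasePcrSelection (NULL / 0 when the
 *                              key is not bound to any PCR).
 * has_locality:                1 when the key carries a TPM_PCR_INFO_LONG
 *                              (TSS_PCRS_STRUCT_INFO_LONG), 0 for a plain TPM_PCR_INFO.
 * locality_at_release:         the localityAtRelease bit-field; ignored when
 *                              has_locality == 0.
 *
 * Assumption (not stated in the thread): "no locality restriction" means
 * localityAtRelease permits every locality, i.e. all TPM_LOC_ALL bits are set. */
uint32_t choose_certify_ordinal(const uint8_t *pcr_select, size_t size_of_select,
                                int has_locality, uint8_t locality_at_release)
{
    /* Any locality limitation forces the TPM_CERTIFY_INFO2 path. */
    if (has_locality && (locality_at_release & TPM_LOC_ALL) != TPM_LOC_ALL)
        return TPM_ORD_CertifyKey2;

    /* PCRs 16 and above cannot be expressed in the v1.1-compatible structure. */
    if (pcr_select != NULL &&
        highest_selected_pcr(pcr_select, size_of_select) > TPM_V11_MAX_PCR)
        return TPM_ORD_CertifyKey2;

    return TPM_ORD_CertifyKey;
}

/* Name of the structure the TPM signs for a given ordinal, for logging. */
const char *certify_info_name(uint32_t ordinal)
{
    return ordinal == TPM_ORD_CertifyKey2 ? "TPM_CERTIFY_INFO2" : "TPM_CERTIFY_INFO";
}

int main(void)
{
    /* Constructed sample bindings for a 24-PCR TPM (sizeOfSelect == 3). */
    const uint8_t pcr10_only[3] = { 0x00, 0x04, 0x00 };   /* PCR 10 */
    const uint8_t pcr17_only[3] = { 0x00, 0x00, 0x02 };   /* PCR 17 */
    const uint8_t pcr0_only[3]  = { 0x01, 0x00, 0x00 };   /* PCR 0  */

    struct { const char *label; uint32_t ord; } cases[] = {
        { "no PCRs, TPM_PCR_INFO",  choose_certify_ordinal(NULL, 0, 0, 0) },
        { "PCR 10, all localities", choose_certify_ordinal(pcr10_only, 3, 1, TPM_LOC_ALL) },
        { "PCR 17, all localities", choose_certify_ordinal(pcr17_only, 3, 1, TPM_LOC_ALL) },
        { "PCR 0, locality 0 only", choose_certify_ordinal(pcr0_only, 3, 1, TPM_LOC_ZERO) },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s -> ordinal 0x%02x (%s)\n", cases[i].label,
               (unsigned)cases[i].ord, certify_info_name(cases[i].ord));
    return 0;
}
```

The second and fourth cases are the interesting ones for this thread: a key bound only to PCR 10 with every locality permitted falls on the TPM_CERTIFY_INFO side of the quoted rule, while the same key limited to locality 0 must be certified with TPM_ORD_CertifyKey2, which is the ordinal TrouSerS never selects.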
