> I'm interested to know what you see in your testcase after applying
> these patches. I get a 0x22 (invalid auth handle) return code from
> Tspi_Context_CloseSignTransport, which I can't yet explain. I'm on an
> STM TPM here.
Ok, I see what's happening now. The code sets up an exclusive transport session, which means that while it's open, any TPM command that executes outside the TS will force a close of the TS. This includes commands sent down by the tcsd during normal operations, for things like asking the TPM which keys it has loaded. This is what happens in this case: the tcsd asks the TPM which keys it has loaded during key management, terminating the session before close. Because there's a signing key involved in closing and signing the session hash, this might *always* happen. :-( I've opened a defect against the tcsd [1] to look into better support for ETS.

Kent

[1] https://sourceforge.net/tracker/?func=detail&aid=3601290&group_id=126012&atid=704358

> Kent
>
>> fairly sure, that the key I am using (which is an AIK) has been loaded
>> correctly, and that I correctly initialized the validation structure as
>> well as the context, because I can quote within the same context using
>> the same code for initializing them.
>>
>> I am using:
>>
>> Ubuntu 11.04 (have to for compatibility reasons with other software)
>> trousers0.3.5-2_i386.deb (haven't seen anything on the update logs, that
>> would possibly fix this in future versions)
>> Atmel TPM v1.2 (capabilities include one transport session)
>> gcc 4.5.2
>>
>> I will attach a piece of code to the bottom, which produces the error
>> with my system setup. I cleaned it from any unrelated code and at the
>> moment it is not executing anything within the transport. However the
>> same problem occurs when executing TPM commands during the transport.
>>
>> Calling
>>
>> gcc -ltspi -Wall -o ttest cleanTransportCall.c
>>
>> on my source file should give no warning, or at least I do not get any.
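/*
 * cleanTransportCall.c
 *
 *  Created on: Jan 7, 2013
 *      Author: michaeldorner
 *     Purpose: Bugreport CloseSignTransport
 *
 * Posted by Michael Dorner to the TrouSerS-users list as the
 * "Code for cleanTransportCall.c" test case. It connects to the TSS,
 * loads the SRK and an AIK, opens an exclusive transport session, runs no
 * encapsulated commands and then closes/signs the session.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <tss/platform.h>
#include <tss/tspi.h>
#include <trousers/trousers.h>

/* challener debug macro (from tutorial): report a TSS_RESULT with line and
 * function context and its human-readable name */
#define DBG(message, tResult) \
    printf("(Line%d, %s)%s returned 0x%08x. %s \n", __LINE__, __func__, \
           (message), (tResult), (char *)Trspi_Error_String(tResult))

/* declarations, supporting only plaintext secrets here */
TSS_RESULT context_init(TSS_HCONTEXT *phContext);
TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
        char *srk_auth, TSS_HTPM *phTPM, char *owner_auth);
TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY *hAIK,
        TSS_UUID aik_uuid, char *aik_auth);

/*
 * Entry point: drives the test case. Every failure is reported through DBG
 * before the process exits with the TSS_RESULT; note that exit() only keeps
 * the low 8 bits of the code, so the DBG line is the authoritative report.
 * Once a context exists, all paths go through `cleanup` so it is closed.
 */
int main(int argc, char **argv) {
    TSS_HCONTEXT hContext;
    TSS_HTPM hTPM;
    TSS_HKEY hSRK, hAIKey;
    TSS_VALIDATION vData;
    TSS_RESULT result;
    BYTE nonce[20];
    BYTE *rgbRandom = NULL;
    size_t i;
    /* modify this code to select own aik */
    TSS_UUID aik_uuid = { 0, 0, 0, 0, 0, { 0, 0, 0, 0, 0, 12 } };
    /*
     * Transport attributes, applied in the original order. EXCLUSIVE means
     * the TPM terminates the session as soon as any command outside the
     * transport reaches it -- including the tcsd's own key-management
     * queries -- so the session may already be gone by the time
     * CloseSignTransport runs (see Kent's analysis in the thread).
     */
    static const struct {
        UINT32 subFlag;
        UINT32 value;
        const char *what;
    } transport_attrs[] = {
        { TSS_TSPATTRIB_CONTEXTTRANS_CONTROL,
          TSS_TSPATTRIB_ENABLE_TRANSPORT, "enabling transport" },
        { TSS_TSPATTRIB_CONTEXTTRANS_MODE,
          TSS_TSPATTRIB_TRANSPORT_NO_DEFAULT_ENCRYPTION, "setting no default encryption" },
        { TSS_TSPATTRIB_CONTEXTTRANS_MODE,
          TSS_TSPATTRIB_TRANSPORT_EXCLUSIVE, "setting exclusive mode" },
        { TSS_TSPATTRIB_CONTEXTTRANS_MODE,
          TSS_TSPATTRIB_TRANSPORT_AUTHENTIC_CHANNEL, "setting authentic channel" },
    };

    (void)argc;
    (void)argv;
    printf("entered main\n");

    /* Zero the whole validation struct: only two members are set below and
     * the rest must not be stack garbage when handed to the TSP. */
    memset(&vData, 0, sizeof vData);

    if ((result = context_init(&hContext)) != TSS_SUCCESS) {
        DBG("context_init", result);
        exit(result);   /* no context to close yet */
    }
    if ((result = srk_tpm_init(&hContext, &hSRK, "password", &hTPM,
            "password")) != TSS_SUCCESS) {
        DBG("srk_tpm_init", result);
        goto cleanup;
    }

    /* The external data is the caller's freshness nonce for the signed
     * transport log; draw it from the TPM RNG instead of leaving the
     * buffer uninitialised. */
    if ((result = Tspi_TPM_GetRandom(hTPM, (UINT32)sizeof nonce,
            &rgbRandom)) != TSS_SUCCESS) {
        DBG("getting nonce", result);
        goto cleanup;
    }
    memcpy(nonce, rgbRandom, sizeof nonce);
    Tspi_Context_FreeMemory(hContext, rgbRandom);
    rgbRandom = NULL;
    /* set the nonce as external data */
    vData.ulExternalDataLength = (UINT32)sizeof nonce;
    vData.rgbExternalData = nonce;

    if ((result = load_aik(&hContext, &hSRK, &hAIKey, aik_uuid, NULL)) != TSS_SUCCESS) {
        DBG("load_aik", result);
        goto cleanup;
    }

    printf("starting transport session\n");
    for (i = 0; i < sizeof transport_attrs / sizeof transport_attrs[0]; i++) {
        if ((result = Tspi_SetAttribUint32(hContext, TSS_TSPATTRIB_CONTEXT_TRANSPORT,
                transport_attrs[i].subFlag, transport_attrs[i].value)) != TSS_SUCCESS) {
            DBG(transport_attrs[i].what, result);
            goto cleanup;
        }
    }

    /* encapsulated commands start */

    /* encapsulated commands end */

    printf("calling closeSignTransport\n");
    if ((result = Tspi_Context_CloseSignTransport(hContext, hAIKey, &vData)) != TSS_SUCCESS) {
        DBG("closing transport", result);
        goto cleanup;
    }

cleanup:
    Tspi_Context_FreeMemory(hContext, NULL);
    Tspi_Context_Close(hContext);
    DBG("leaving main", result);
    exit(result);
}

/* helpers */

/*
 * Create a TSP context and connect it to the local tcsd.
 *
 * @param phContext  out: the new context handle (only meaningful on TSS_SUCCESS)
 * @return TSS_SUCCESS or the failing Tspi_* result
 */
TSS_RESULT context_init(TSS_HCONTEXT *phContext) {
    TSS_RESULT result;

    printf("entered context_init\n");
    /* create context and connect to it */
    result = Tspi_Context_Create(phContext);
    if (result != TSS_SUCCESS) {
        return result;
    }
    result = Tspi_Context_Connect(*phContext, NULL);
    if (result != TSS_SUCCESS) {
        return result;
    }
    DBG("leaving context_init", result);
    return result;
}

/*
 * Create a usage policy holding a plaintext secret and assign it to hObject.
 * Shared by the SRK and TPM owner setup in srk_tpm_init.
 *
 * @param hContext  connected context the policy object is created in
 * @param hObject   key or TPM object the policy is assigned to
 * @param secret    NUL-terminated plaintext secret; must not be NULL
 * @return TSS_SUCCESS or the failing Tspi_* result
 */
static TSS_RESULT assign_plain_secret(TSS_HCONTEXT hContext, TSS_HOBJECT hObject,
        char *secret) {
    TSS_RESULT result;
    TSS_HPOLICY hPolicy;

    if ((result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY,
            TSS_POLICY_USAGE, &hPolicy)) != TSS_SUCCESS) {
        return result;
    }
    if ((result = Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_PLAIN,
            (UINT32)strlen(secret), (BYTE *)secret)) != TSS_SUCCESS) {
        return result;
    }
    return Tspi_Policy_AssignToObject(hPolicy, hObject);
}

/*
 * Load the SRK from system persistent storage, fetch the TPM object, and
 * attach plaintext usage policies to both.
 *
 * @param phContext   connected context (from context_init)
 * @param phSRK       out: loaded SRK handle
 * @param srk_auth    plaintext SRK usage secret; must not be NULL
 * @param phTPM       out: TPM object handle
 * @param owner_auth  plaintext owner secret; must not be NULL
 * @return TSS_SUCCESS, TSS_E_BAD_PARAMETER for a NULL secret, or the
 *         failing Tspi_* result
 */
TSS_RESULT srk_tpm_init(TSS_HCONTEXT *phContext, TSS_HKEY *phSRK,
        char *srk_auth, TSS_HTPM *phTPM, char *owner_auth) {
    TSS_RESULT result;
    TSS_UUID UUID_SRK = TSS_UUID_SRK;

    /* strlen() on a NULL secret would be undefined; reject it up front */
    if (srk_auth == NULL || owner_auth == NULL) {
        return TSS_E_BAD_PARAMETER;
    }
    if ((result = Tspi_Context_LoadKeyByUUID(*phContext, TSS_PS_TYPE_SYSTEM,
            UUID_SRK, phSRK)) != TSS_SUCCESS) {
        return result;
    }
    /* create policy object for the SRK and assign it */
    if ((result = assign_plain_secret(*phContext, *phSRK, srk_auth)) != TSS_SUCCESS) {
        return result;
    }
    if ((result = Tspi_Context_GetTpmObject(*phContext, phTPM)) != TSS_SUCCESS) {
        return result;
    }
    /* same for the TPM owner secret */
    return assign_plain_secret(*phContext, *phTPM, owner_auth);
}

/*
 * Load an attestation key by its UUID from system persistent storage and set
 * its usage secret. The context has to be connected and the SRK has to be
 * loaded.
 *
 * @param hContext  connected context
 * @param srk       unused; kept so existing callers still compile
 * @param hAIK      out: loaded AIK handle
 * @param aik_uuid  UUID the AIK was registered under
 * @param aik_auth  plaintext usage secret, or NULL for a zero-length secret
 *                  (an AIK generated from the privacyCA.com code has NULL
 *                  as plain secret)
 * @return TSS_SUCCESS or the failing Tspi_* result
 */
TSS_RESULT load_aik(TSS_HCONTEXT *hContext, TSS_HKEY *srk, TSS_HKEY *hAIK,
        TSS_UUID aik_uuid, char *aik_auth) {
    TSS_RESULT result;
    TSS_HPOLICY hAIKPolicy;
    UINT32 secret_len = 0;
    BYTE *secret = NULL;

    (void)srk;
    printf("entered load_aik_by_uuid\n");
    if ((result = Tspi_Context_LoadKeyByUUID(*hContext, TSS_PS_TYPE_SYSTEM,
            aik_uuid, hAIK)) != TSS_SUCCESS) {
        return result;
    }
    if ((result = Tspi_GetPolicyObject(*hAIK, TSS_POLICY_USAGE,
            &hAIKPolicy)) != TSS_SUCCESS) {
        return result;
    }
    /* if using an AIK generated from the privacyCA.com code, it has NULL as
     * plain secret; otherwise use the supplied string */
    if (aik_auth != NULL) {
        secret_len = (UINT32)strlen(aik_auth);
        secret = (BYTE *)aik_auth;
    }
    if ((result = Tspi_Policy_SetSecret(hAIKPolicy, TSS_SECRET_MODE_PLAIN,
            secret_len, secret)) != TSS_SUCCESS) {
        return result;
    }
    DBG("leaving load_aik_by_uuid", result);
    return result;
}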
