Hi Andreas,

I have been trying to get the same answers from the tpm-tools and TrouSers folks through this users group for two months, and I guess my posts have been forgotten. This was two or three months ago.
It is interesting that you imply if you use AUTHREAD|AUTHWRITE when you use PCRs 12 and 14 (at the least) that you do not have access to NVRAM if a register changes. First, I modified my menu.lst so that PCR 12 will change. I can still get access to my NVRAM. That is the problem, and I even modified my own copy of tpm_nvdefine to print out some debug info to try to pinpoint what is going on.

1) So I'm wondering first: Did you alter PCR-12? That is very important for me to know.

2) Also, what versions of TrouSers and tpm-tools are you running?

As for changing permission to AUTHWRITE only and being able to access NVRAM, that does not make sense either, because you say your access is certainly controlled by AUTHREAD|AUTHWRITE, a weaker condition. Also, in case you wonder - localities don't seem to have an effect, according to communication from one of the top TrouSers folks.

I do not trust the usage of PCRs to define NVRAM - not yet, because I can still access information out of NVRAM regardless of the contents of my PCR 12, which I certainly used in the nvdefine.

Bill

________________________________________
From: Andreas Thienemann [[email protected]]
Sent: Sunday, January 26, 2014 12:18 PM
To: [email protected]
Subject: [TrouSerS-users] nvram storage and sealing to PCRs

Hi,

I've been trying to create a NVRAM area I can keep a key in which is sealed to certain PCRs. If I have the following setting, I am being asked for the nvram password before being able to read the nvram area.

[root@foo ~]# tpm_nvinfo -i 2

NVRAM index     : 0x00000002 (2)
PCR read selection:
 PCRs           : 4, 5, 8, 9, 12, 14
 Localities     : ALL
 Hash           : 51522172b46ed13a34ca45f445472291c9675ef5
PCR write selection:
 Localities     : ALL
Permissions     : 0x0040004 (AUTHREAD|AUTHWRITE)
bReadSTClear    : FALSE
bWriteSTClear   : FALSE
bWriteDefine    : FALSE
Size            : 32 (0x20)

[root@foo ~]#

If my PCRs change I am unable to access this nvram area with my nvram password. So far so good.
I am now trying to have access to this nvram area without having to type in any passwords as long as the PCR registers are the same. When defining the permission as only AUTHWRITE I do have access to the nvram area without a password, but it seems to me that the nvram area is not sealed anymore. If the PCRs change, I can still read out the data from the nvram area, which shouldn't be the case.

[root@foo ~]# tpm_nvread -i 2 > /dev/null
[root@foo ~]# echo $?
0
[root@foo ~]# tpm_nvinfo -i 2

NVRAM index     : 0x00000002 (2)
PCR read selection:
 PCRs           : 4, 5, 8, 9, 12, 14
 Localities     : ALL
 Hash           : 51522172b46ed13a34ca45f445472291c9675ef5
PCR write selection:
 Localities     : ALL
Permissions     : 0x00000004 (AUTHWRITE)
bReadSTClear    : FALSE
bWriteSTClear   : FALSE
bWriteDefine    : FALSE
Size            : 32 (0x20)

[root@foo ~]#

Any idea how to achieve what I want?

cheers,
 andreas

_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
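An added diagnostic for the disagreement in this thread (example code written here, not from the thread, tpm-tools or TrouSerS): it decodes the TPM 1.2 TPM_NV_ATTRIBUTES word that tpm_nvinfo prints as "Permissions", and recomputes the PCR composite digest that an NV area's read selection is bound to, so the "Hash" shown by tpm_nvinfo can be compared against the machine's current PCRs before and after menu.lst changes PCR 12. It assumes a 3-byte pcrSelect (sizeOfSelect = 3, the usual 24-PCR case), constructed sample PCR values, and the "PCR-NN: xx xx ..." line format of the Linux TPM 1.2 sysfs pcrs file.

```python
import hashlib
import struct
# TPM 1.2 TPM_NV_ATTRIBUTES permission bits (TPM Main Spec Part 2, TPM_NV_PER_*).
NV_PERMISSION_BITS = {
    0x80000000: "READ_STCLEAR", 0x00040000: "AUTHREAD", 0x00020000: "OWNERREAD",
    0x00010000: "PPREAD", 0x00008000: "GLOBALLOCK", 0x00004000: "WRITE_STCLEAR",
    0x00002000: "WRITEDEFINE", 0x00001000: "WRITEALL", 0x00000004: "AUTHWRITE",
    0x00000002: "OWNERWRITE", 0x00000001: "PPWRITE",
}

def decode_nv_permissions(attr):
    """Names of the bits set in a TPM_NV_ATTRIBUTES word, highest bit first."""
    return [n for b, n in sorted(NV_PERMISSION_BITS.items(), reverse=True) if attr & b]

def pcr_selection(pcrs, size_of_select=3):
    """Marshal a TPM_PCR_SELECTION bitmap: PCR i sets bit i % 8 of byte i // 8."""
    sel = bytearray(size_of_select)
    for p in pcrs:
        sel[p // 8] |= 1 << (p % 8)
    return bytes(sel)

def pcr_composite_hash(pcrs, pcr_values, size_of_select=3):
    """SHA-1 of a marshalled TPM_PCR_COMPOSITE: sizeOfSelect, pcrSelect, valueSize,
    then the selected 20-byte PCR values in ascending index order."""
    selected = sorted(set(pcrs))
    sel = pcr_selection(selected, size_of_select)
    values = b"".join(pcr_values[p] for p in selected)
    composite = struct.pack(">H", len(sel)) + sel + struct.pack(">I", len(values)) + values
    return hashlib.sha1(composite).digest()

def parse_sysfs_pcrs(text):
    """Parse 'PCR-NN: xx xx ...' lines as printed by the Linux TPM 1.2 sysfs pcrs file."""
    pcrs = {}
    for line in text.splitlines():
        if line.startswith("PCR-"):
            idx, hexbytes = line.split(":", 1)
            pcrs[int(idx[4:])] = bytes.fromhex(hexbytes.replace(" ", ""))
    return pcrs

def nv_pcr_digest_matches(nvinfo_hash_hex, pcrs, pcr_values):
    """True if the Hash shown by tpm_nvinfo equals the composite of the given PCR values."""
    return pcr_composite_hash(pcrs, pcr_values).hex() == nvinfo_hash_hex.lower()

# Constructed sample PCR values, not from a real machine: PCR i is 20 bytes of value i.
SAMPLE_PCRS = {i: bytes([i]) * 20 for i in range(24)}
NV_READ_PCRS = [4, 5, 8, 9, 12, 14]  # the read selection from the tpm_nvinfo output above

if __name__ == "__main__":
    print(decode_nv_permissions(0x00040004), pcr_composite_hash(NV_READ_PCRS, SAMPLE_PCRS).hex())
```

Feeding the real sysfs pcrs contents to parse_sysfs_pcrs and the tpm_nvinfo Hash to nv_pcr_digest_matches shows whether the stored digest still matches after the boot change; a read that succeeds while it does not match is the behaviour the thread is questioning.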
