Thanks again for the help. I read through your response and I am very 
close to getting the Seal command to work. When I send the command, it 
returns with TPM_INVALID_PCR_INFO. I did some investigation into my 
TPM_PCR_INFO structure to see if it makes sense, and I discovered 
something odd in the spec. TPM_PCR_INFO contains a TPM_PCR_SELECTION, 
which is defined like this:

typedef struct tdTPM_PCR_SELECTION {
UINT16 sizeOfSelect;
[size_is(sizeOfSelect)] BYTE* pcrSelect;
} TPM_PCR_SELECTION;

Is pcrSelect really a pointer into memory? This seems really odd. So 
when I save pcrSelect on my stack and pass the pointer to the TPM, does 
this mean the TPM is reading pcrSelect off my stack? Why not just 
include the bytes directly in the structure, instead of a pointer to 
memory? This makes more sense because pcrSelect will never be more than 
a couple of bytes. I honestly didn't even know the TPM could read 
directly from memory like that.

Rob

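For readers following this thread: the `[size_is(sizeOfSelect)] BYTE* pcrSelect` notation in Part 2 is the spec's IDL-style way of saying "a variable-length array whose length is the preceding field". Nothing in the command is a pointer; TPM_PCR_SELECTION travels in the TPM_Seal byte stream as a big-endian UINT16 followed by exactly that many bitmap bytes, and TPM_PCR_INFO is that selection followed by two 20-byte composite hashes. The example below is added here and is not code from the thread or from TrouSerS. It marshals the structures, parses them back with a length check, and computes digestAtRelease as the TPM does (SHA-1 over TPM_PCR_COMPOSITE). The PCR values are constructed sample data, and the function names are the author's own; sizeOfSelect defaults to 2 (16 PCRs), which is an assumption about the platform, not something the spec fixes.

```python
import hashlib
import struct

TPM_COMPOSITE_HASH_LEN = 20  # TPM 1.2 composite hashes are SHA-1 digests


def marshal_pcr_selection(pcr_indices, size_of_select=2):
    """Wire form of TPM_PCR_SELECTION: big-endian UINT16 sizeOfSelect followed
    by sizeOfSelect bitmap bytes. PCR n is bit (n % 8) of byte (n // 8); PCR 0
    is the least significant bit of the first byte."""
    select = bytearray(size_of_select)
    for pcr in pcr_indices:
        byte, bit = divmod(pcr, 8)
        if byte >= size_of_select:
            raise ValueError(f"PCR {pcr} does not fit in {size_of_select} select bytes")
        select[byte] |= 1 << bit
    return struct.pack(">H", size_of_select) + bytes(select)


def unmarshal_pcr_selection(buf):
    """Parse the wire form; returns (sorted PCR indices, bytes consumed).
    The declared sizeOfSelect is checked against the bytes present before
    any indexing, which is the check a TPM performs before trusting it."""
    if len(buf) < 2:
        raise ValueError("truncated TPM_PCR_SELECTION header")
    (size_of_select,) = struct.unpack(">H", buf[:2])
    select = buf[2:2 + size_of_select]
    if len(select) != size_of_select:
        raise ValueError("sizeOfSelect exceeds the bytes actually present")
    pcrs = [byte * 8 + bit
            for byte, value in enumerate(select)
            for bit in range(8) if (value >> bit) & 1]
    return pcrs, 2 + size_of_select


def pcr_composite_hash(pcr_indices, pcr_values, size_of_select=2):
    """TPM_COMPOSITE_HASH = SHA-1(TPM_PCR_COMPOSITE), where TPM_PCR_COMPOSITE
    is the marshalled TPM_PCR_SELECTION, a big-endian UINT32 valueSize, and
    the selected 20-byte PCR values concatenated in ascending index order."""
    ordered = sorted(pcr_indices)
    for i in ordered:
        if len(pcr_values[i]) != TPM_COMPOSITE_HASH_LEN:
            raise ValueError(f"PCR {i} value must be {TPM_COMPOSITE_HASH_LEN} bytes")
    values = b"".join(pcr_values[i] for i in ordered)
    composite = (marshal_pcr_selection(ordered, size_of_select)
                 + struct.pack(">I", len(values)) + values)
    return hashlib.sha1(composite).digest()


def marshal_pcr_info(pcr_indices, pcr_values, size_of_select=2):
    """Wire form of TPM_PCR_INFO for TPM_Seal: pcrSelection || digestAtRelease
    || digestAtCreation. digestAtRelease is the composite the PCRs must match
    at unseal time; the TPM overwrites digestAtCreation with its own current
    measurement during TPM_Seal, so it is sent as zeros here."""
    digest_at_release = pcr_composite_hash(pcr_indices, pcr_values, size_of_select)
    digest_at_creation = bytes(TPM_COMPOSITE_HASH_LEN)
    return (marshal_pcr_selection(sorted(pcr_indices), size_of_select)
            + digest_at_release + digest_at_creation)


# Constructed sample input standing in for values read back with TPM_PCRRead.
SAMPLE_PCRS = {i: bytes([i]) * TPM_COMPOSITE_HASH_LEN for i in range(16)}

if __name__ == "__main__":
    info = marshal_pcr_info([0, 1, 2, 3, 7], SAMPLE_PCRS)
    # pcrInfoSize in the command must equal len(info): 2 + 2 + 20 + 20 = 44 here
    print("pcrInfoSize =", len(info), "pcrInfo =", info.hex())
```

Two things worth checking when a TPM answers TPM_INVALID_PCR_INFO: that pcrInfoSize in the command equals the length of the bytes actually emitted (44 for a two-byte select), and that sizeOfSelect is one the platform accepts for its PCR count; a selection built around a pointer value rather than the bitmap bytes will fail the first check every time.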

On 02/28/2014 10:07 AM, Ken Goldman wrote:
> In line.
>
> On 2/25/2014 2:50 PM, Robert Sutton II wrote:
>> Thanks for the quick reply. Yes, I would like to seal to the SRK. I am
>> also sealing to PCR state.
>>
>> [snip]
>>
>> Since I am sealing to the SRK, I need keyHandle to be the SRK handle.
>> But which command do I use to obtain the SRK keyHandle?
> The SRK handle is hard coded to 0x40000000.  See Part 2 Reserved Key
> Handles.
>
>> It says the authHandle must be OSAP. However, in the TPM_Seal Actions,
>> it says that authHandle indicates the ADIP used to decrypt encAuth. Does
>> this mean I need to execute a command to set authHandle to indicate this
>> ADIP?
> The ADIP encryption type is set up when the session is started.  In
> TPM_OSAP(), see the entityType parameter.
>
> Reading Part 2 for TPM_ENTITY_TYPE, LSB is 0x04 (SRK) and MSB is your
> ADIP algorithm, XOR or AES.  AES might be optional for your platform.
>
>> Looking at the Actions of TPM_Seal, it doesn't use pubAuth anywhere. So
>> what should I put for it?
> That's the authorization for the key, the SRK in your case.
>
> It's used implicitly in Action 1.  The spec doesn't list the
> authorization calculation for each command, because it's always the
> same.  It just says something like "validate the authorization" or
> "validate the parameters" or "validate the authData" or some similar
> wording.
>
> It's the HMAC of the parameters using the SRK auth as the HMAC key.
>
>
>
>
> ------------------------------------------------------------------------------
> Flow-based real-time traffic analytics software. Cisco certified tool.
> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
> Customize your own dashboards, set traffic alerts and generate reports.
> Network behavioral analysis & security monitoring. All-in-one tool.
> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
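Ken's reply above covers three things in prose: the entityType encoding for TPM_OSAP (SRK in the low byte, ADIP algorithm in the high byte), how encAuth is protected by the session, and that pubAuth is "the HMAC of the parameters using the SRK auth as the HMAC key". The following is an added example, not code from the thread or from TrouSerS, that carries those steps through for a TPM_Seal under an OSAP session on the SRK: OSAP shared secret, XOR ADIP of encAuth, inParamDigest over the non-handle parameters, and the pubAuth HMAC with the constant-time check the TPM performs in Action 1. The constant values are from TPM 1.2 Part 2 and Part 3; the function names, the all-zero SRK auth and the fixed nonces are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# TPM 1.2 constants (Part 2: Reserved Key Handles, TPM_ENTITY_TYPE; Part 3: ordinals)
TPM_KH_SRK = 0x40000000        # hard-coded SRK handle
TPM_ET_SRK = 0x04              # TPM_ENTITY_TYPE low byte: entity is the SRK
TPM_ET_XOR = 0x00              # high byte: XOR ADIP (mandatory)
TPM_ET_AES128_CTR = 0x06       # high byte: AES-128-CTR ADIP (optional per platform)
TPM_ORD_Seal = 0x00000017
SHA1_LEN = 20


def osap_entity_type(adip=TPM_ET_XOR, entity=TPM_ET_SRK):
    """entityType for TPM_OSAP: ADIP algorithm in the MSB, entity type in the LSB."""
    return (adip << 8) | entity


def osap_shared_secret(entity_auth, nonce_even_osap, nonce_odd_osap):
    """OSAP shared secret = HMAC-SHA1(entityAuth, nonceEvenOSAP || nonceOddOSAP).
    entityAuth is the 20-byte SRK usage auth; the secret is what the session
    uses from then on, so the SRK auth itself never leaves the caller."""
    return hmac.new(entity_auth, nonce_even_osap + nonce_odd_osap, hashlib.sha1).digest()


def xor_adip(shared_secret, auth_last_nonce_even, auth_data):
    """XOR ADIP as used for TPM_Seal's encAuth: pad = SHA-1(sharedSecret ||
    authLastNonceEven). XOR is its own inverse, so the same call decrypts."""
    pad = hashlib.sha1(shared_secret + auth_last_nonce_even).digest()
    return bytes(a ^ b for a, b in zip(auth_data, pad))


def seal_in_param_digest(enc_auth, pcr_info, in_data):
    """inParamDigest = SHA-1 over the ordinal and the non-handle inputs in the
    order of the TPM_Seal parameter table (1S..6S); keyHandle is not covered."""
    params = (struct.pack(">I", TPM_ORD_Seal) + enc_auth
              + struct.pack(">I", len(pcr_info)) + pcr_info
              + struct.pack(">I", len(in_data)) + in_data)
    return hashlib.sha1(params).digest()


def pub_auth(shared_secret, in_param_digest, auth_last_nonce_even, nonce_odd,
             continue_auth_session):
    """pubAuth = HMAC-SHA1(sharedSecret, inParamDigest || authLastNonceEven ||
    nonceOdd || continueAuthSession)."""
    msg = (in_param_digest + auth_last_nonce_even + nonce_odd
           + bytes([continue_auth_session]))
    return hmac.new(shared_secret, msg, hashlib.sha1).digest()


def verify_pub_auth(shared_secret, in_param_digest, auth_last_nonce_even, nonce_odd,
                    continue_auth_session, received):
    """The TPM side of Action 1: recompute the HMAC and compare in constant time."""
    expected = pub_auth(shared_secret, in_param_digest, auth_last_nonce_even,
                        nonce_odd, continue_auth_session)
    return hmac.compare_digest(expected, received)


def build_seal_auth(entity_auth, nonce_even_osap, nonce_odd_osap, auth_last_nonce_even,
                    seal_auth_data, pcr_info, in_data, continue_auth_session=0):
    """Caller side: derive the session secret, protect the new blob's auth, and
    produce (encAuth, nonceOdd, pubAuth) for the TPM_Seal command."""
    secret = osap_shared_secret(entity_auth, nonce_even_osap, nonce_odd_osap)
    enc_auth = xor_adip(secret, auth_last_nonce_even, seal_auth_data)
    nonce_odd = os.urandom(SHA1_LEN)  # fresh per command; sent alongside pubAuth
    digest = seal_in_param_digest(enc_auth, pcr_info, in_data)
    return enc_auth, nonce_odd, pub_auth(secret, digest, auth_last_nonce_even,
                                         nonce_odd, continue_auth_session)


if __name__ == "__main__":
    # Constructed values: well-known all-zero SRK auth and fixed nonces.
    srk_auth = bytes(SHA1_LEN)
    enc, odd, tag = build_seal_auth(srk_auth, b"\x01" * 20, b"\x02" * 20, b"\x03" * 20,
                                    b"\x0a" * 20, b"\x00\x02\x01\x00" + bytes(40), b"blob")
    print("entityType = 0x%04x" % osap_entity_type(), "keyHandle = 0x%08x" % TPM_KH_SRK)
    print("encAuth =", enc.hex(), "pubAuth =", tag.hex())
```

The ordering inside the HMAC message and the exclusion of keyHandle from inParamDigest are the two places a hand-rolled implementation usually goes wrong, and both produce TPM_AUTHFAIL rather than a more specific error, so it is worth verifying the digest against a known-good stack before debugging the seal itself.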
