On 1/12/2015 4:24 PM, Bill Martin wrote:
> I am using trouSerS 0.3.10 and have an Infineon TPM running 1.2 on an
> embedded Linux system.
>
> I have a system where I use tpm-luks scripts to retrieve a LUKS key
> from TPM NVRAM and decrypt the root partition (while running in
> initramfs). This uses the tpm_nvread command. On top of this I added
> code to create an AIK, unregister any previous AIK (into a throwaway
> key handle), and register the new AIK. Also I have another program to
> activate the AIK (first loading the AIK by UUID, then calling the
> Tspi_TPM_ActivateIdentity command).
>
> This works well...
>
> Until I reboot the computer with this TPM. The tpm_nvread command
> complains it cannot decrypt the file. It's that message about PCR
> does not match or something.
At the TPM layer, there is no tpm_nvread command. Can you translate your
command sequence into the TPM commands? An NV read will not decrypt a
file. It might go as far as reading the decryption key from NV, although
there might be some levels of indirection there as well.

> It seems I have to do a pkill -9 tcsd and then a tcsd -f & prior to
> rebooting so that the tpm_nvread succeeds.

It would be helpful to know the NV read error return. It would also be
helpful to have a dump of the NV public area to see what the read
authorizations are.

> I wonder if anyone can explain why this is necessary. The PCRs don't
> seem to be changed. Somehow I suspect the AIK creation does something
> funny with the PCRs.

Have you actually read the PCRs during the failing case and success
case? A typical AIK creation should not affect PCRs.

_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
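To settle the question raised in the reply (do the PCRs actually change between the working and failing case?), here is an added example that is not from either participant: it snapshots the TPM 1.2 PCR dump the Linux driver exposes in sysfs and reports which registers differ between two snapshots. The sysfs path and the "PCR-NN: AA BB ..." line format are assumptions about the TPM 1.2 driver; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Snapshot TPM 1.2 PCRs from the kernel's sysfs dump and report which
# registers changed between two snapshots, e.g. one taken before AIK
# creation and one after, or one from a boot where tpm_nvread succeeds
# and one from a boot where it fails.
# Assumed path and line format ("PCR-00: 3A 3F ... "), as exposed by the
# Linux TPM 1.2 driver; override PCRS_FILE if your device differs.
PCRS_FILE=${PCRS_FILE:-/sys/class/misc/tpm0/device/pcrs}

# Copy the current PCR dump to a file so it can be compared later.
snapshot_pcrs() {
    cat "$PCRS_FILE" > "$1"
}

# pcr_diff BEFORE AFTER
# Prints "PCR-NN old -> new" for every register whose value differs.
# Returns 0 if all PCRs match, 1 if any differ (or a PCR is missing).
pcr_diff() {
    awk -F': ' '
        /^PCR-[0-9]+:/ {
            idx = substr($1, 5) + 0            # "PCR-07" -> 7
            val = $2; gsub(/[ \t\r]/, "", val)  # drop byte separators
            val = toupper(val)
            if (FILENAME == ARGV[1]) { before[idx] = val; next }
            if (!(idx in before)) {
                printf "PCR-%02d missing in first snapshot\n", idx; n++
            } else if (before[idx] != val) {
                printf "PCR-%02d %s -> %s\n", idx, before[idx], val; n++
            }
        }
        END { exit (n > 0) }
    ' "$1" "$2"
}

# Typical use on the target (constructed illustration, not real output):
#   snapshot_pcrs /tmp/pcrs.before
#   ... create/register the AIK ...
#   snapshot_pcrs /tmp/pcrs.after
#   pcr_diff /tmp/pcrs.before /tmp/pcrs.after || echo "PCRs changed"
```

Run the same comparison between a snapshot taken just before a successful tpm_nvread and one taken in the failing boot; if nothing differs, the NV read error return and the NV public area's read authorizations are the next things to look at, as the reply suggests.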
