For keys in general that require PCR authorization, the authorization is 
not checked when the key is loaded.  It is checked when the key is used.

(When a key is loaded, the authorization of the parent is checked, since 
the parent is used at that time to decrypt the child.  However, the SRK 
parent does not typically require PCR authorization).

If you forward to me the entire TPM emulator trace and what you think 
the sequence should be, I'll take a look at it.
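To make the load-versus-use distinction concrete, here is a small constructed model of the scenario in the question (added here as an illustration; it is not TrouSerS or TSS code, and the function names `create_key`, `load_key`, `use_key` and `run_scenario` are this example's own). The PCR arithmetic follows the TPM 1.2 structures (TPM_Extend is SHA-1 of the old value concatenated with the 20-byte input digest; a key's digestAtRelease is SHA-1 over TPM_PCR_COMPOSITE), while the two checks model the behaviour described above: loading the key never compares PCRs, using it does.

```python
import hashlib
import struct

# Constructed model of TPM 1.2 PCR-bound key semantics (added example, not
# TrouSerS or TSS code).  The PCR arithmetic follows the TPM 1.2 structures:
# TPM_Extend computes SHA-1(old PCR || 20-byte digest), and a key's
# digestAtRelease is SHA-1 over TPM_PCR_COMPOSITE (TPM_PCR_SELECTION,
# UINT32 valueSize, the selected PCR values).  The load/use split models the
# behaviour described in the reply: the PCR digest is compared when the key
# is used, not when it is loaded.

PCR_COUNT = 24
SIZE_OF_SELECT = PCR_COUNT // 8   # 3-byte pcrSelect bitmap for 24 PCRs


def pcr_extend(old_value: bytes, in_digest: bytes) -> bytes:
    """TPM_Extend: new PCR value = SHA-1(old value || inDigest)."""
    assert len(old_value) == 20 and len(in_digest) == 20
    return hashlib.sha1(old_value + in_digest).digest()


def pcr_composite_digest(pcrs: list, selected: set) -> bytes:
    """SHA-1 of TPM_PCR_COMPOSITE for the selected PCR indices."""
    select = bytearray(SIZE_OF_SELECT)
    for idx in selected:
        select[idx // 8] |= 1 << (idx % 8)   # bit 0 of pcrSelect[0] is PCR 0
    values = b"".join(pcrs[idx] for idx in sorted(selected))
    composite = (struct.pack(">H", SIZE_OF_SELECT) + bytes(select)
                 + struct.pack(">I", len(values)) + values)
    return hashlib.sha1(composite).digest()


class BindKey:
    """A bind key whose blob carries a TPM_PCR_INFO (selection + digestAtRelease)."""

    def __init__(self, selected: set, digest_at_release: bytes):
        self.selected = selected
        self.digest_at_release = digest_at_release
        self.loaded = False


def create_key(pcrs: list, selected: set) -> BindKey:
    """Models Tspi_Key_CreateKey with a PCR composite: digestAtRelease is
    fixed from the PCR values at creation time."""
    return BindKey(set(selected), pcr_composite_digest(pcrs, selected))


def load_key(key: BindKey, pcrs: list) -> bool:
    """Models Tspi_Key_LoadKey: only the parent's authorization matters here.
    The child's PCR digest is not evaluated, so loading succeeds regardless of
    the current PCR state (the 'pcrs' argument is deliberately unused)."""
    key.loaded = True
    return True


def use_key(key: BindKey, pcrs: list) -> bool:
    """Models TPM_UnBind with the loaded key: the TPM recomputes the composite
    over the current PCRs and refuses the operation if it differs from
    digestAtRelease (TPM_WRONGPCRVAL in TPM 1.2 terms)."""
    if not key.loaded:
        raise RuntimeError("key must be loaded before use")
    return pcr_composite_digest(pcrs, key.selected) == key.digest_at_release


def run_scenario() -> tuple:
    """Replays the sequence from the question: bind key locked to PCR 0,
    then PCR 0 extended twice, then load and use again."""
    pcrs = [bytes(20)] * PCR_COUNT           # all PCRs at their reset value
    key = create_key(pcrs, {0})
    load_key(key, pcrs)
    use_before = use_key(key, pcrs)          # True: PCR 0 unchanged
    for event in (b"event 1", b"event 2"):   # constructed measurement events
        pcrs[0] = pcr_extend(pcrs[0], hashlib.sha1(event).digest())
    load_after = load_key(key, pcrs)         # True: load does not check PCRs
    use_after = use_key(key, pcrs)           # False: composite no longer matches
    return use_before, load_after, use_after


if __name__ == "__main__":
    print(run_scenario())  # (True, True, False)
```

The expected outcome for a key that really carries a PCR selection is that both loads succeed and only the unbind after the extend fails. When reading the emulator trace, the comparison to look for is therefore the one at the unbind (TPM_UnBind) command, not at the load; if that comparison never happens, the PCR information attached to the key blob at creation is the first thing to inspect.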

On 1/15/2015 11:22 AM, Simon Gould wrote:
> Hi all,
>
> I am new to TPM development with trousers and have been writing some
> test cases for an internal project so I can learn the library and be
> confident we are getting the expected behaviour.
>
> One of the things we want to do is to Create a bind key locked to some
> PCR states. But in my development environment I can't seem to get the
> expected behaviour. The development environment is linux running a TPM
> emulator and trousers.
>
> What I was expecting was for the loading of the key to fail after I had
> extended the PCR it was locked to. But it succeeds in loading and using
> the key. I am probably doing something obviously wrong, but I can't see it.
>
> The test case goes as follows :
>
>     SETUP:
>
>     Create Context
>
>
>     TEST:
>
>     Create TPM object from context.
>
>     Create SRK object and load it
>
>     Create PCRComposite object.
>
>     Create Key object
>
>     Read PCR 0
>
>     Set PCR 0 in PCRComposite object to Read value
>
>     //This is where I thought the Key is locked to the PCR index 0
>     Create Key from key object as child of SRK and locked to PCRComposite
>     ThrowOnError(Tspi_Key_CreateKey(keyHandle,SRKHandle,pcrCompositeHandle))
>
>     Load key using SRK
>
>     Register the key in system storage with UUID
>
>     Use Key to bind and unbind some text data
>
>     Unload the key
>
>     Clear the key object
>
>     Clear the PCRComposite object
>
>     Clear the SRK object
>
>     Clear the TPM object
>
>     Clear the Context
>
>     Create new context
>
>     Create TPM object from context
>
>     Load the SRK
>
>     use the TPM object to extend PCR 0 twice
>     //it was my understanding that this would invalidate the key we had
>     locked to the previous value of PCR index 0
>
>     Load the key object using LoadbyUuid
>     //expect it to fail but it passes
>
>
>     Load key using SRK
>     //this also passes
>
>     Use Key to unbind previously bound data
>     //this also works.
>
>
>
>     TEARDOWN:
>
>     Free all context memory
>
>     Close context
>
>
>
> If someone can point me at some sample code that locks a bind key to the
> a PCR index value or has some insight into where I am going wrong I
> would be very grateful.

_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users