Hi all, I have progressed my TPM project thanks to the really useful input from this list and I am hoping someone can help as I have hit another block.
I have seen some similar issues to this on the mailing list before, but my issue appears to be slightly different to those. We are using a TPM on an embedded device: TPM 1.2 Version Info: Chip version 1.2.13.10 Spec Level 2 Errata Revision 3 TPM Vendor ID STM Vendor Specific data 4b. we have an internal process that sets up keys on the device. those being the Storage Root Key, Attestation Identity Key & a communications signing key (used to sign SSL comms from the device). there is a second stage to that process happens on the first boot of the device (so we have the correct PCR values). We create a licence encryption key for the device. this is a bind key locked to some of the PCRs that are extended on boot (to ensure that the device is not tampered with). This key is a child of the SRK, locked to 2 PCRs and we want to certify it using the AIK and send that information to the service licencing the device. However the CertifyKey call fails with a Bad Parameter error. I have run the same code against the IBM emulator (which has been very useful) and it passes without issue. If I do not lock the key to the PCRs it passes without issue. The locked key can bind and unbind data without issue. The PCRs haven't changed. I have tried setting localities in the PCR composite object used when we create the key and it complains that the object is in an inconsistent state (I was trying anything I could think of at this point). I have isolated this as a test case and I see the same issue as with the production code when it is run on the device. I am now at a loss as to what may be causing this issue. I have attached the trousers debug log from the test case. if anyone has any insight into the cause or what I can try next that would be great. The log has 3 test cases within it. 1) create a bind key locked to a pcr, bind some data. register the key, clear the key. load the key by UUid and unbind the data. 2) create a bind key locked to a pcr. bind some data. register the key. clear the key. extend the pcr it is locked to. load the key by UUid. try to unbind data which fails. 3) create a bind key locked to a pcr, use the AIK to certify this key (which fails unexpectedly) I have noticed I get some errors in the set up where it appears to be failing to load keys, but I get these in the cases where it works as well, so they maybe red herrings. Many thanks Simon
trouser.log
Description: Binary data
------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
