Hi Simon, I did get your other messages later than the one below. And I did see the log file but - sorry I did not check the source code. I noticed you are using SRK authentication. In my case I simplified things by using the well known passwords.
In either case, you get similar errors to what I got. Though you say you get the errors with or without persistent storage. I still think somehow when you make another run of your program you might be stomping on an old key and your TPM might have the old key staged (or whatever term the TCG folks use). And when unloading a blob, the blob of data going to the TPM gets hashed and there is a check with the current hash, and a mismatch. This is all guessing on my part. Maybe you can try fresh. clear the TPM, maybe do a tpm_resetdalock in case you got a dictionary attack, reboot, take ownership again. See if your first time ever running goes smooth. If this happens every time but you have to start fresh each time, then it seems like something is stomping over what is in the TPM. Hopefully someone from IBM will help out. Bill ________________________________________ From: Simon Gould [[email protected]] Sent: Tuesday, January 27, 2015 6:58 AM To: Bill Martin Cc: [email protected] Subject: Re: [TrouSerS-users] CertifyKey failing when bind key locked to PCRs Hi Bill, Thanks for the response. I have written a native trousers test case (removing all our classes so not to muddy the water) to see if I could reproduce the issue on our device. It still happens, even with the keys being generated for each test and not registered with the persistent store. I have attached my test code: it is a GTest test program (https://code.google.com/p/googletest/downloads/list), using the QCA library to generate the ca key for the AIK. there are two tests: one without PCR locking which works on the emulator and on two different devices with real tpms one with pcr locking of the bind key which works on the emulator but fails on both tpm devices. If anyone can take a look, and let me know if there are any obvious mistakes? and may be compile it and run it against a tpm device? I would be very greatful. Many thanks Simon On 26 January 2015 at 17:26, Bill Martin <[email protected]<mailto:[email protected]>> wrote: You are running into similar problems I am having. I think I know where my errors are. See if this helps. Take care that you are managing your persistent storage for your keys you load or register by UUID. It makes sense that you need a unique UUID for each user-generated key. At least to me it does. All the examples I used were for a single demonstration and had the UUID {0, 0, 0, 0, 0, {0, 0, 0, 0, 2, 0}. The inner array is the rgbNode array of six bytes. The element 5 (0-based array) has reserved values. And there is a special OWNEREVICT set of values too. See tss_defines.h In my case I also compiled trouSerS with --enable_debug, and it made a lot of sense the area was in a call to unblob a header. You are not using the tcai_aik.c file. But a lot of your errors involve loading by UUID, presumably from the storage. let me know how it goes Bill ________________________________________ From: Simon Gould [[email protected]<mailto:[email protected]>] Sent: Monday, January 26, 2015 7:58 AM To: [email protected]<mailto:[email protected]> Subject: Re: [TrouSerS-users] CertifyKey failing when bind key locked to PCRs Hi all, I appear to have made a schoolboy error in my last post ;-). Apologies, my previous mail included the log where I had attempted to put the localities in. The log where certify fails is attached here. line 1176 is where the certify error occurs. Many thanks Simon On 26 January 2015 at 10:13, Simon Gould <[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>> wrote: Hi all, I have progressed my TPM project thanks to the really useful input from this list and I am hoping someone can help as I have hit another block. I have seen some similar issues to this on the mailing list before, but my issue appears to be slightly different to those. We are using a TPM on an embedded device: TPM 1.2 Version Info: Chip version 1.2.13.10 Spec Level 2 Errata Revision 3 TPM Vendor ID STM Vendor Specific data 4b. we have an internal process that sets up keys on the device. those being the Storage Root Key, Attestation Identity Key & a communications signing key (used to sign SSL comms from the device). there is a second stage to that process happens on the first boot of the device (so we have the correct PCR values). We create a licence encryption key for the device. this is a bind key locked to some of the PCRs that are extended on boot (to ensure that the device is not tampered with). This key is a child of the SRK, locked to 2 PCRs and we want to certify it using the AIK and send that information to the service licencing the device. However the CertifyKey call fails with a Bad Parameter error. I have run the same code against the IBM emulator (which has been very useful) and it passes without issue. If I do not lock the key to the PCRs it passes without issue. The locked key can bind and unbind data without issue. The PCRs haven't changed. I have tried setting localities in the PCR composite object used when we create the key and it complains that the object is in an inconsistent state (I was trying anything I could think of at this point). I have isolated this as a test case and I see the same issue as with the production code when it is run on the device. I am now at a loss as to what may be causing this issue. I have attached the trousers debug log from the test case. if anyone has any insight into the cause or what I can try next that would be great. The log has 3 test cases within it. 1) create a bind key locked to a pcr, bind some data. register the key, clear the key. load the key by UUid and unbind the data. 2) create a bind key locked to a pcr. bind some data. register the key. clear the key. extend the pcr it is locked to. load the key by UUid. try to unbind data which fails. 3) create a bind key locked to a pcr, use the AIK to certify this key (which fails unexpectedly) I have noticed I get some errors in the set up where it appears to be failing to load keys, but I get these in the cases where it works as well, so they maybe red herrings. Many thanks Simon ------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ TrouSerS-users mailing list [email protected]<mailto:[email protected]> https://lists.sourceforge.net/lists/listinfo/trousers-users ------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
