Hi Ken,
Thanks for the response. I have switched over to using the IBM emulator and
it has been very solid so far.
To answer your questions:
We are not shutting down the emulator between test runs. Initially we start
the emulator, run tpmbios, then force clear it. We then restart it, run
tpmbios, assert physical presence, enable and activate it. We then restart
it and run tpmbios and proceed to run the tests. On the first run of the
test it takes ownership using the well-known owner and SRK passwords. On
subsequent runs the TPM is accessed and the SRK is loaded using the well-known
passwords.
On the real device we force clear the TPM and reboot. We assert physical
presence, enable and activate the TPM, then reboot. Using tpm-tools we take
ownership using the well-known passwords and proceed to run the tests.
In the tests (the source is attached to one of my previous posts), we
create the context, get the TPM handle, load the SRK and create an AIK
for the test. The test teardown frees the context and all the memory
associated with it.
I deliberately created everything per test to exclude any issue associated
with registering the keys by UUID and reloading them (which is what we do
in the production code).
Test one: creates a bind key (non-migratable, non-authorised, volatile),
loads it and certifies it using the AIK. This passes in the emulator and on
the device.
Test two: creates a bind key object (non-migratable, non-authorised,
volatile), creates a PCRComposite, reads PCR index 3 and sets that in the
PCRComposite. The bind key is locked to the PCRComposite when it is
created using CreateKey. The bind key is loaded and an attempt to certify
it using the AIK is made. This passes in the emulator but fails on both the
TPM devices with a Bad Parameter return code.
The only difference between the two tests is that the second bind key is
locked to PCR 3. I have tried setting localities (this failed with other
errors). I looked at CertifyKey2, but this appears to only be relevant for
migratable keys. I looked at the spec, which seemed to suggest that this
mode of operation was possible and didn't include a case where Bad
Parameter was a return value.
I can only think that either this is not a supported case (PCR locking
excludes the use of CertifyKey) or I am creating the keys incorrectly for
this case, a missing or incorrect flag. But I am stuck there at the
moment.
Many Thanks
Simon
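Added example (not part of Simon's post, and not code from the TrouSerS tree): "Bad Parameter" is the string TrouSerS prints for two different things, TPM_BAD_PARAMETER rejected by the chip itself and TSS_E_BAD_PARAMETER raised by the TSP or TCS layer before the command ever reaches the TPM. The raw TSS_RESULT tells them apart through its layer bits, so logging the hex value at the failing CertifyKey call narrows down whether the key/PCR attributes were refused by the TSS or by the hardware. The decoder below needs no TSS headers; the constants are copied from the TSS 1.2 and TPM 1.2 specifications, the subset of TPM codes is only the ones relevant to key and PCR handling, and the two result values used in main() are constructed for illustration, not captured from Simon's devices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layer field (bits 12..15) of a TSS_RESULT, per the TSS 1.2 spec (tss_error.h) */
#define TSS_LAYER_TPM  0x0000u
#define TSS_LAYER_TDDL 0x1000u
#define TSS_LAYER_TCS  0x2000u
#define TSS_LAYER_TSP  0x3000u

#define TSS_ERROR_LAYER(r) ((r) & 0xf000u)
#define TSS_ERROR_CODE(r)  ((r) & 0x0fffu)

/* TPM 1.2 error codes (TPM_E_BASE is 0); only the key/PCR-related subset */
#define TPM_E_AUTHFAIL          0x01u
#define TPM_E_BAD_PARAMETER     0x03u
#define TPM_E_FAIL              0x09u
#define TPM_E_INVALID_KEYHANDLE 0x0Cu
#define TPM_E_INVALID_PCR_INFO  0x10u
#define TPM_E_WRONGPCRVAL       0x18u
#define TPM_NON_FATAL           0x800u  /* TPM_RETRY and the other non-fatal codes */

/* TSS-layer codes (same numbering in the TCS and TSP layers) */
#define TSS_E_BAD_PARAMETER     0x003u
#define TSS_E_INTERNAL_ERROR    0x004u
#define TSS_E_INVALID_HANDLE    0x103u

/* Which software layer produced the result code. */
const char *tss_layer_name(uint32_t r)
{
    switch (TSS_ERROR_LAYER(r)) {
    case TSS_LAYER_TPM:  return "TPM";
    case TSS_LAYER_TDDL: return "TDDL";
    case TSS_LAYER_TCS:  return "TCS";
    case TSS_LAYER_TSP:  return "TSP";
    default:             return "unknown";
    }
}

/* Symbolic name of the 12-bit code, interpreted according to its layer. */
const char *tss_code_name(uint32_t r)
{
    uint32_t code = TSS_ERROR_CODE(r);
    if (code == 0)
        return "success";
    if (TSS_ERROR_LAYER(r) == TSS_LAYER_TPM) {
        if (code & TPM_NON_FATAL)
            return "TPM non-fatal (retry)";
        switch (code) {
        case TPM_E_AUTHFAIL:          return "TPM_AUTHFAIL";
        case TPM_E_BAD_PARAMETER:     return "TPM_BAD_PARAMETER";
        case TPM_E_FAIL:              return "TPM_FAIL";
        case TPM_E_INVALID_KEYHANDLE: return "TPM_INVALID_KEYHANDLE";
        case TPM_E_INVALID_PCR_INFO:  return "TPM_INVALID_PCR_INFO";
        case TPM_E_WRONGPCRVAL:       return "TPM_WRONGPCRVAL";
        default:                      return "other TPM error";
        }
    }
    switch (code) {
    case TSS_E_BAD_PARAMETER:  return "TSS_E_BAD_PARAMETER";
    case TSS_E_INTERNAL_ERROR: return "TSS_E_INTERNAL_ERROR";
    case TSS_E_INVALID_HANDLE: return "TSS_E_INVALID_HANDLE";
    default:                   return "other TSS error";
    }
}

/* Non-zero when the chip itself (not the TSS software stack) rejected the command. */
int result_is_from_tpm(uint32_t r)
{
    return r != 0 && TSS_ERROR_LAYER(r) == TSS_LAYER_TPM;
}

/* One-line description suitable for a test log; returns snprintf's length. */
int describe_result(uint32_t r, char *buf, size_t n)
{
    return snprintf(buf, n, "0x%08x: layer %s, code 0x%03x (%s)",
                    (unsigned)r, tss_layer_name(r),
                    (unsigned)TSS_ERROR_CODE(r), tss_code_name(r));
}

int main(void)
{
    /* Constructed sample values: both print as "Bad Parameter" in TrouSerS */
    uint32_t samples[] = { 0x00000003u, 0x00003003u };
    char line[96];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        describe_result(samples[i], line, sizeof line);
        printf("%s -> %s\n", line,
               result_is_from_tpm(samples[i]) ? "chip rejected it"
                                              : "TSS rejected it before sending");
    }
    return 0;
}
```

In practice this means printing the TSS_RESULT in hex (not only the string from Trspi_Error_String) at the Tspi_Key_CertifyKey call: a value of 0x00000003 comes back from the TPM's own command processing, while 0x00003003 means the TSP layer refused the key or PCR object attributes locally, which points at how the objects were created rather than at the chip.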
On 28 January 2015 at 13:58, Ken Goldman <[email protected]> wrote:
> I guess I'm the someone from IBM. :-)
>
> I know the TPM well, but not the TSS.
>
> The TPM has a number (perhaps 5-10) of key slots in its volatile memory.
> When a key is created, it is not stored in a slot. It has to be
> loaded. When loaded, it stays loaded, and is assigned a handle, until
> it's flushed or the TPM is reset.
>
> The TSS maintains a key cache, swapping keys in and out as needed to
> manage the limited number of key slots.
>
> If something is going wrong, perhaps you are using an old key.
>
> Question: It's curious that it works with the emulator. Are you
> perhaps shutting down and restarting the emulator (the equivalent of a
> TPM reset) for each experiment? Are you not rebooting the hardware
> platform? Or vice versa - rebooting the platform but not restarting the
> TPM?
>
> Working with the emulator and not the hardware TPM is a clue, but what?
>
> On 1/27/2015 12:22 PM, Bill Martin wrote:
> >
> > In either case, you get similar errors to what I got. Though you say
> > you get the errors with or without persistent storage. I still think
> > somehow when you make another run of your program you might be
> > stomping on an old key and your TPM might have the old key staged (or
> > whatever term the TCG folks use). ...
> >
> > Hopefully someone from IBM will help out.
>
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users