A bit of background. In TPM 1.2, a command like Certify can omit one of the authorization areas if an authorization is not required for that key. Certify permits you to omit the auth for the certifying key. Certify2 permits you to omit the auth for the key to be certified.
Certify2 also handles CMK, which was new for 1.2. There are other differences, and it would be interesting to know if your test uses a different command. It would also be good to know the precise TPM return code hex value, before any mapping by the TSS.

Are you saying that PCR3 is the correct value or the wrong value? If it's the wrong value, the return should be TPM_WRONGPCRVAL.

Certify does have a keyFlag "pcrIgnoredOnRead". Could it possibly be set in one case but not the other? That would absolutely explain PCR3 being ignored on the emulator but used in the HW TPM. Capture the command packet for the CreateWrapKey and see if any key flags (or anything else) differs.

On 1/29/2015 9:33 AM, Simon Gould wrote:
>
> Test one: creates a bind key (Non migratable, Non authorised, Volatile),
> loads it and certifies it using the AIK. This passes in the emulator and
> on the device.
>
> Test two: creates a bind key object (Non migratable, Non authorised,
> Volatile), creates a PCRComposite, reads PCR index 3 and sets that in
> the PCRComposite. The bind key is locked to the PCRComposite when it is
> created using CreateKey. The bind key is loaded and an attempt to
> certify it using the AIK is made. This passes in the emulator but fails
> on both the TPM devices with a Bad Parameter return code.
>
> The only difference between the two tests is that the second bind key is
> locked to PCR 3. I have tried setting localities (this failed with other
> errors). I looked at CertifyKey2, but this appears to only be relevant
> for migratable keys. I looked at the spec, which seemed to suggest that
> this mode of operation was possible and didn't include a case where Bad
> Parameter was a return value.
>
> I can only think that either this is not a supported case (PCR locking
> excludes the use of CertifyKey) or I am creating the keys incorrectly
> for this case, a missing or incorrect flag. But I am stuck there at
> the moment.
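The diagnostic suggested above (compare the keyInfo blob that CreateWrapKey sends for the two bind keys, and read the raw return code before the TSS maps it) as an added Python example; this is not code from the thread or from TrouSerS. Field offsets follow the TPM 1.2 TPM_KEY12 / TPM_KEY_PARMS layout, and the two key blobs and the response header are constructed sample data, not packets captured from a device.

```python
import struct

# TPM 1.2 keyFlags bits (TPM Main Part 2, TPM_KEY_FLAGS)
TPM_MIGRATABLE = 0x00000002
TPM_ISVOLATILE = 0x00000004
TPM_PCRIGNOREDONREAD = 0x00000008
TPM_TAG_KEY12 = 0x0028
# A few TPM 1.2 return codes (TPM_BASE = 0); the TSS may remap these
TPM_RC_NAMES = {0x00: "TPM_SUCCESS", 0x03: "TPM_BAD_PARAMETER",
                0x10: "TPM_INVALID_PCR_INFO", 0x18: "TPM_WRONGPCRVAL"}

def parse_key_header(blob):
    """Decode the fixed-position fields of a TPM_KEY (4-byte ver prefix) or
    TPM_KEY12 (tag + fill prefix) blob, i.e. CreateWrapKey's keyInfo.
    Both prefixes are 4 bytes, so keyUsage always starts at offset 4."""
    tag = struct.unpack(">H", blob[0:2])[0]
    key_usage, key_flags, auth_usage = struct.unpack(">HIB", blob[4:11])
    # TPM_KEY_PARMS: algorithmID(4) encScheme(2) sigScheme(2) parmSize(4) parms
    parm_size = struct.unpack(">I", blob[19:23])[0]
    off = 23 + parm_size                       # PCRInfoSize follows parms
    pcr_info_size = struct.unpack(">I", blob[off:off + 4])[0]
    return {"format": "TPM_KEY12" if tag == TPM_TAG_KEY12 else "TPM_KEY",
            "keyUsage": key_usage, "keyFlags": key_flags,
            "migratable": bool(key_flags & TPM_MIGRATABLE),
            "isVolatile": bool(key_flags & TPM_ISVOLATILE),
            "pcrIgnoredOnRead": bool(key_flags & TPM_PCRIGNOREDONREAD),
            "authDataUsage": auth_usage, "pcrInfoSize": pcr_info_size}

def diff_key_headers(a, b):
    """Names of the header fields that differ between two parsed keys."""
    return sorted(k for k in a if a[k] != b[k])

def decode_response_rc(resp):
    """Raw returnCode from a TPM 1.2 response: tag(2) paramSize(4) rc(4)."""
    rc = struct.unpack(">I", resp[6:10])[0]
    return rc, TPM_RC_NAMES.get(rc, "unknown")

def make_key12(key_flags, pcr_info=b""):
    """Constructed TPM_KEY12 bind-key blob (demo data, not a real key):
    keyUsage TPM_KEY_BIND, authDataUsage TPM_AUTH_NEVER, RSA-2048 parms,
    empty pubKey and encData."""
    parms = struct.pack(">III", 2048, 2, 0)            # TPM_RSA_KEY_PARMS
    return (struct.pack(">HHHIB", TPM_TAG_KEY12, 0, 0x0014, key_flags, 0)
            + struct.pack(">IHHI", 0x0001, 0x0003, 0x0001, len(parms)) + parms
            + struct.pack(">I", len(pcr_info)) + pcr_info
            + struct.pack(">I", 0) + struct.pack(">I", 0))

# Test one vs test two from the thread: same flags, but the second key
# carries a PCRInfo (constructed placeholder bytes here) locking it to PCR 3.
KEY_TEST_ONE = make_key12(TPM_ISVOLATILE)
KEY_TEST_TWO = make_key12(TPM_ISVOLATILE, b"\x00" * 52)
# Constructed response header carrying TPM_BAD_PARAMETER (0x03).
RESP_BAD_PARAM = bytes.fromhex("00c4" "0000000a" "00000003")
```

Run `diff_key_headers(parse_key_header(KEY_TEST_ONE), parse_key_header(KEY_TEST_TWO))` on the two captured keyInfo blobs: if only `pcrInfoSize` differs, the flags (including pcrIgnoredOnRead) are identical and the PCR binding itself is what the hardware TPM objects to.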
TrouSerS-users mailing list: https://lists.sourceforge.net/lists/listinfo/trousers-users
