Hi Ken,
I have got to the bottom of the issue we were having. There were 3 flags
which needed to be set in trousers.
The BIND key needs to have the TSS_KEY_STRUCT_KEY12 when the object is
created.
The PCRComposite structure requires TSS_PCRS_STRUCT_INFO_LONG flag when the
object is created.
The PCRComposite locality needs to be set to TPM_LOC_ZERO.
Then it all works fine. I found it by looking at the Trousers test suite.
Thanks for the tip (I found the test suite code by looking for
pcrIgnoredOnRead).
Thanks for all the responses, hopefully this will help anyone having
similar issues and I'll make the trousers test suite my first port of call
;-).
Many thanks
Simon
On 29 January 2015 at 15:19, Ken Goldman <[email protected]> wrote:
> A bit of background. In TPM 1.2, a command like Certify can omit one of
> the authorization areas if an authorization is not required for that
> key. Certify permits you to omit the auth for the certifying key.
> Certify2 permits you to omit the auth for the key to be certified.
>
> Certify2 also handles CMK, which was new for 1.2.
>
> There are other differences, and it would be interesting to know if your
> test uses a different command. It would also be good to know the
> precise TPM return code hex value, before any mapping by the TSS.
>
> Are you saying that PCR3 is the correct value or the wrong value? If
> it's the wrong value, the return should be TPM_WRONGPCRVAL.
>
> Certify does have a keyFlag "pcrIgnoredOnRead". Could it possibly be
> set in one case but not the other? That would absolutely explain PCR3
> being ignored on the emulator but used in the HW TPM.
>
> Capture the command packet for the CreateWrapKey and see if any key
> flags (or anything else) differs.
>
> On 1/29/2015 9:33 AM, Simon Gould wrote:
> >
> > Test one: creates a bind key (Non migratable, Non authorised, Volatile),
> > loads it and certifies it using the AIK. This passes in the emulator and
> > on the device.
> >
> > Test two: creates a bind key object (Non migratable, Non authorised,
> > Volatile), creates a PCRComposite, reads PCR index 3 and sets that in
> > the PCRComposite. The bind key is locked to the PCRComposite when it is
> > created using CreateKey. The bind key is loaded and an attempt to
> > certify it using the AIK is made. This passes in the emulator but fails
> > on both the tpm devices with a Bad Parameter return code.
> >
> > The only difference between the two tests is that the second bind key is
> > locked to PCR 3. I have tried setting localities (this failed with other
> > errors). I looked at CertifyKey2, but this appears to only be relevant
> > for migratable keys. I looked at the spec, which seemed to suggest that
> > this mode of operation was possible and didn't include a case where Bad
> > Parameter was a return value.
> >
> > I can only think that either this is not a supported case (PCR locking
> > excludes the use of CertifyKey) or I am creating the keys incorrectly
> > for this case, a missing or incorrect flag. But I am stuck there at
> > the moment.
>
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
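Ken's suggestion to capture the CreateWrapKey packet and compare the key fields can be done with a small decoder. The following is an added example, not code from this thread or from TrouSerS: it decodes the leading fields of a TPM 1.2 key structure and reports whether it is a TPM_KEY or a TPM_KEY12 (what TSS_KEY_STRUCT_KEY12 selects), whether the PCR info is a TPM_PCR_INFO_LONG (what TSS_PCRS_STRUCT_INFO_LONG selects), the release locality and pcrIgnoredOnRead. The function names and the sample key blobs are constructed for illustration; the field layout follows the TPM 1.2 structures specification.

```python
import struct

TPM_TAG_KEY12, TPM_TAG_PCR_INFO_LONG = 0x0028, 0x0006   # TPM 1.2 structure tags
TPM_KEY_BIND = 0x0014                                   # keyUsage value
PCR_IGNORED_ON_READ = 0x00000008                        # keyFlags bit
TPM_LOC_ZERO = 0x01                                     # locality bitmask, bit 0

def selection(buf, off):
    """Decode a TPM_PCR_SELECTION at off; return (selected PCR indexes, next offset)."""
    (size,) = struct.unpack_from(">H", buf, off)
    bitmap = buf[off + 2:off + 2 + size]
    return [8 * i + b for i, v in enumerate(bitmap) for b in range(8) if v >> b & 1], off + 2 + size

def parse_key(buf):
    """Summarise the TPM_KEY / TPM_KEY12 fields discussed in the thread."""
    (tag,) = struct.unpack_from(">H", buf, 0)
    key12 = tag == TPM_TAG_KEY12            # a TPM_KEY starts with TPM_STRUCT_VER 01 01 00 00
    usage, flags = struct.unpack_from(">HI", buf, 4)
    # authDataUsage(1), then TPM_KEY_PARMS: algorithmID(4) encScheme(2) sigScheme(2) parmSize(4)
    (parm_size,) = struct.unpack_from(">I", buf, 19)
    off = 23 + parm_size
    (pcr_size,) = struct.unpack_from(">I", buf, off)
    pcr = buf[off + 4:off + 4 + pcr_size]
    out = {"struct": "TPM_KEY12" if key12 else "TPM_KEY", "bind": usage == TPM_KEY_BIND,
           "pcrIgnoredOnRead": bool(flags & PCR_IGNORED_ON_READ), "pcr_info": None}
    if pcr_size and key12:
        (ptag,) = struct.unpack_from(">H", pcr, 0)
        if ptag != TPM_TAG_PCR_INFO_LONG:
            raise ValueError("TPM_KEY12 must carry TPM_PCR_INFO_LONG")
        _, nxt = selection(pcr, 4)                      # skip creationPCRSelection
        out.update(pcr_info="TPM_PCR_INFO_LONG", locality_at_release=pcr[3],
                   release_pcrs=selection(pcr, nxt)[0])
    elif pcr_size:                                      # TPM_PCR_INFO has no locality field
        out.update(pcr_info="TPM_PCR_INFO", release_pcrs=selection(pcr, 0)[0])
    return out

def sample_key(key12):
    """Constructed bind-key header locked to PCR 3 (zeroed digests, no pubKey/encData)."""
    sel = struct.pack(">H3s", 3, bytes([0x08, 0, 0]))   # PCR 3 is bit 3 of byte 0
    if key12:
        head = struct.pack(">HH", TPM_TAG_KEY12, 0)
        pcr = struct.pack(">HBB", TPM_TAG_PCR_INFO_LONG, TPM_LOC_ZERO, TPM_LOC_ZERO) + sel * 2 + bytes(40)
    else:
        head, pcr = bytes([1, 1, 0, 0]), sel + bytes(40)
    parms = struct.pack(">IHHI", 1, 3, 1, 12) + struct.pack(">III", 2048, 2, 0)  # RSA, OAEP, no sig
    return head + struct.pack(">HIB", TPM_KEY_BIND, 0x4, 0) + parms + struct.pack(">I", len(pcr)) + pcr

if __name__ == "__main__":
    print(parse_key(sample_key(False)), parse_key(sample_key(True)), sep="\n")
```

Feeding it the keyInfo bytes from the emulator and hardware captures side by side shows at a glance which of these fields differ.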