Here is a followup. I had a problem with the DAA_Sign stage 10 when I tried to
sign a AIK handle. It took a while since I had other tasks. Ken encouraged me
to use the SW TPM. From the software TPM (and the TPM Main Part 3 Comands
guide) it was clear the TPM key handle (as opposed to "TPM Handle") was not
getting passed out of TCS to the TSP. In fact, there is no function that I have
found in TrouSerS 0.3.10 to pass out the TPM Key Handle to the TSP. The short
term solution is at the time you load the AIK, the TCS call
LoadKeyByBlob_Internal needed a hack to save off the TPM Key Handle to a binary
file. the newSlot variables essentially the handle retrieved from the TPM ("TPM
Key Handle"). The test_sign.c file has to be modified (in addition to the
other modifications I made) to retrieve the key handle and store it in
signData.payload (reverse-byte order) when signData.payloadFlag =
TSS_FLAG_DAA_SIGN_IDENTITY_KEY. Also just before the call to
Tspi_DAA_VerifySignature, reallocate th
e signData.payload to hold the 256-byte modulus of the AIK and retrieve the
modulus using Tspi_GetAttribData.
A few years back, the late Hal Finney wrote a nice progress report on his
attempt to get the DAA going. Unfortunately I could not find his work on line.
I think DAA is a great process and I know TPM 2.0 will have ECDAA in it. I
think I did as much as Hal Finney did - I do not have the anonymity revocation
feature nor do I have the commitments done.
The key point is that the TCS layer needs a way to export the TPM Key Handle to
the TSCI for the TPM DAA Sign stage 10.
I have saved my work in a tar and have to take out some debug statements (and
the writing of the TPM Key handle is to a fixed folder, so I will have to fix
that) - before others can make use of this.
The work that needs to be done includes commitments and anonymity revocation.
But all the TPM functionality works, as far as I can tell.
thanks
Bill Martin
________________________________________
From: Ken Goldman <[email protected]>
Sent: Thursday, November 19, 2015 2:45 PM
To: [email protected]
Subject: Re: [TrouSerS-users] Bad Handle to AIK in DAA_Sign stage 10
On 11/18/2015 8:07 PM, Bill Martin wrote:
>
> I can successfully sign a message using the -m option in
> ~/trousers-0.3.10/src/tspi/daa/test_sign. So I do not think the problem
> is the structure of the TrouSerS software. I suspect something in the
> chip. Error code 0x58, TPM_E_BAD_HANDLE, is not mentioned in the TPM
> command spec. The IBM TPM emulator suggests it's a problem with the
> session handle. Yet the previous stages worked. Here is my Stage 10
> output when signData.payload was a hash digest message. The stage
> completed successfully:
I don't see a 0x58 in your trace. I believe that it is out of the range
of TPM return codes.
If you send me the IBM TPM trace, I can see if there's anything obvious.
I'm not a DAA expert, though.
A trick I've used to line up the TPM and TSS traces is to use the
session nonces.
It's always possible that there's a bug in the TPM. The only regression
testing I did on the SW TPM was the IBM Zurich DAA regression test. I
suspect it's what everyone used.
------------------------------------------------------------------------------
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
------------------------------------------------------------------------------
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
