David,
As I said before, I am following Hal Finney's code that creates AIKs. After I
create a dummy PCA key, I create an AIK object with Tspi_Context_CreateObjject
and then generate the new AIK with Tspi_TPM_CollateIdentityRequest. A user
reports that my code fails when it tries to create the PCA key in the TPM. The
error code returned is 0x1. I cannot duplicate the error, but I have come to
understand that odd things happen with some TPMs. What I don't understand is
how to interpret an error code 0x1. What advice should I give the user to
further debug the situation?
John
From: David Challener <[email protected]>
Date: Friday, March 3, 2017 at 6:01 PM
To: Tadd Seiff <[email protected]>, "[email protected]"
<[email protected]>
Subject: Re: [TrouSerS-users] Trousers error code 0x1
I am pretty certain that you have to use: Tspi_TPM_CollateIdentityRequest in
order to make an AIK.
It does not work to make one with Key_CreateKey because of an offhand remark I
typed into an informative comment into the spec under Key_CreateKey that was
somehow taken as Gospel. (It said that under the covers the command used the
TPM command that generates normal keys, and didn't mention the MakeIdentity
command. Mea culpa.
That is of course fixed in 2.0
On Fri, Mar 3, 2017 at 4:37 PM, Tadd Seiff
<[email protected]<mailto:[email protected]>> wrote:
Hi John,
Indeed, when I said I "followed someone else's example", I meant Hal Finney. No
need to second-guess it, especially if it has been working.
I see now that you aren't actually trying to create an AIK key in this step.
That's how I interpreted "When making an AIK...(I call this function)". You
just meant, "in the greater process of creating an AIK, I do this at some point
and it's failing".
Now that all of that is cleared up, no ideas, sorry, especially since this code
has worked for you in the past.
-Tadd
On Fri, Mar 3, 2017 at 12:27 PM Ramsdell, John D.
<[email protected]<mailto:[email protected]>> wrote:
Tadd,
Thank you for your quick reply. The code I wrote was inspired by Hal Finney's
code on http://privacyca.com. I hadn't thought to second guess Hal's algorithm
as it has worked for me for at least seven years. I will check the documents
and see if I can verify Hal's work.
As to your second point, hPCA is just a dummy PCA key. Here is how the PCA
object is created and used.
/* Create dummy PCA key */
TSS_HKEY hPCA;
rc = Tspi_Context_CreateObject(hContext,
TSS_OBJECT_TYPE_RSAKEY,
TSS_KEY_TYPE_LEGACY|TSS_KEY_SIZE_2048,
&hPCA);
if (rc != TSS_SUCCESS)
return tidy(hContext, tss_err(rc, "creating PCA object"));
/* Create the PCA key in the TPM, it is not user supplied */
rc = Tspi_Key_CreateKey(hPCA, hSRK, 0);
if (rc != TSS_SUCCESS)
return tidy(hContext, tss_err(rc, "creating PCA key in TPM"));
John
From: Tadd Seiff <[email protected]<mailto:[email protected]>>
Date: Friday, March 3, 2017 at 3:08 PM
To: "Ramsdell, John D." <[email protected]<mailto:[email protected]>>,
"[email protected]<mailto:[email protected]>"
<[email protected]<mailto:[email protected]>>
Cc: Andrew Pollock <[email protected]<mailto:[email protected]>>
Subject: Re: [TrouSerS-users] Trousers error code 0x1
Hey John,
I'm not sure about the return code.
But some other comments here:
1) I've used Tspi_ContextCreateObject(...) to create AIK objects with success.
I guess CreateKey() should work too, seems logical. I'm not sure how I ended
up using CreateObject(), I'm guessing I followed someone else's example:
UINT32 initFlags = TSS_KEY_TYPE_IDENTITY | TSS_KEY_SIZE_2048 |
TSS_KEY_AUTHORIZATION |
TSS_KEY_VOLATILE | TSS_KEY_NOT_MIGRATABLE;
result = Tspi_Context_CreateObject(hContext,
TSS_OBJECT_TYPE_RSAKEY,
initFlags, &hIdentKey);
2) Even if CreateKey() should work, it looks like you are passing in your PCA
server public key as the first argument (hPCA)? This should be the handle to
your new key, I think, so if this is a TSS KEY object that you created from DER
that the user passed in (deduced from Andrew's comments below), I don't think
that would work anyway. The PCA key material is not used until the
CollateIdentityRequest() step.
-Tadd
On Fri, Mar 3, 2017 at 6:37 AM Ramsdell, John D.
<[email protected]<mailto:[email protected]>> wrote:
I am trying to address a bug report for TPM Quote Tools which is built on
Trousers. I am having trouble diagnosing the problem because the return code
is not what I expect. When making an AIK, my program executes:
rc = Tspi_Key_CreateKey(hPCA, hSRK, 0);
if rc != TSS_SUCCESS, I print an error message using the values in tss/tspi.h
which includes tss/tss_error.h. In the bug report, the return value is 1, but
that value has no translation. What does it mean when create key returns an
error code of 1?
John
-----Original Message-----
From: Andrew Pollock <[email protected]<mailto:[email protected]>>
Date: Friday, March 3, 2017 at 2:44 AM
To: "Ramsdell, John D." <[email protected]<mailto:[email protected]>>
Subject: Re: Fooling around with tpm-quote-tools
Excellent. I finally had some spare cycles to return to this, and after
addressing a bug with an older version of Trousers, I was able to reproduce
the problem again.
So, I have a Lenovo X1 Carbon
$ sudo tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.13.12
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: STM
Vendor Specific data: 50
TPM Version: 01010000
Manufacturer Info: 53544d20
I have previously taken ownership of it with a non-well-known owner
password.
Note that I'm executing this with two non-existent files for both arguments
$ sudo tpm_mkaik /tmp/blob /tmp/pubkey
Enter owner password:
Error while creating PCA key in TPM. Error code: 0x1
Just in case I had misunderstood something for grins I created a CA with
OpenSSL and converted the public key to DER and used it as the second
argument,
but got the same result
Any further insights you have would be much appreciated.
regards
Andrew
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
TrouSerS-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/trousers-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
TrouSerS-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/trousers-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
