3:06 p.m.
Hello everyone,
New to the TPM world, I've been reading various docs and forums the past
two weeks and I am now attempting to put all the learning into practice.
More specifically, I'm trying to have the TPM create an AES key.
Here is what I did so far:
DEFAULT_HIERARCHY="o"
DEFAULT_ATTRIBUTES="restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda"
DEFAULT_PERSISTENT_HANDLE="0x81010001"
PARENT_PERSISTENT_HANDLE="0x81010002"
tpm2_createprimary --hierarchy=$DEFAULT_HIERARCHY
--auth-hierarchy="$OWNER_PASSWORD" --object-attributes=$DEFAULT_ATTRIBUTES
--halg sha256 --kalg rsa2048:aes128cfb --out-context-name=$PRIMARY_CONTEXT
tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --context=$PRIMARY_CONTEXT
--auth-hierarchy=$OWNER_PASSWORD --persistent=$DEFAULT_PERSISTENT_HANDLE
tpm2_create --context-parent=$PRIMARY_CONTEXT
--object-attributes=$DEFAULT_ATTRIBUTES --pubfile=$PUBFILE
--privfile=$PRIVFILE --halg sha256 --kalg rsa2048:aes128cfb
tpm2_load --quiet --context=$PRIMARY_CONTEXT --pubfile=$PUBFILE
--privfile=$PRIVFILE --out-context=$PARENT_CONTEXT
tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --context=$PARENT_CONTEXT
--auth-hierarchy=$OWNER_PASSWORD --persistent=$PARENT_PERSISTENT_HANDLE
All of that is working great; a call to tpm2_listpersistent shows the two
keys and their persistent handle.
Then I try to add an AES key to that hierarchy. I want this key to be
usable only if some policy is satisfied:
tpm2_create --context-parent=$PARENT_CONTEXT --kalg=aes --pubfile=$PUBFILE
--privfile=$PRIVFILE --policy-file=$AUTHORIZED_POLICY
This call returns the following:
WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish
ErrorCode (0x000002c4)
ERROR: Esys_Create(0x2C4) - tpm:parameter(2):value is out of range or is
not correct for the context
ERROR: Unable to run tpm2_create
I then tried with "aes128" as key algorithm, instead of just "aes":
WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish
ErrorCode (0x000002c9)
ERROR: Esys_Create(0x2C9) - tpm:parameter(2):mode of operation not supported
ERROR: Unable to run tpm2_create
I also tried to specify a mode instead ("aes128cfb"):
WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish
ErrorCode (0x000002c2)
ERROR: Esys_Create(0x2C2) - tpm:parameter(2):inconsistent attributes
ERROR: Unable to run tpm2_create
After having read all the MAN pages twice, I still have no idea what is
going on or what I did wrong. Most if not all of those commands were merely
copy/pasted from the MAN pages at
https://github.com/tpm2-software/tpm2-tools/tree/master/man .
I'm using a Lenovo X1 Carbon (3rd gen) with Intel PTT enabled, so the
system sees a TPM2.0 device. I can provide more information if needed.
I would greatly appreciate if someone could provide some guidance on this
issue; the TPM world being fascinating so far, I wouldn't want to be stuck
on that problem.
Thanks in advance for your help,
Regards,
Nicolas
11:57 a.m.
-----Original Message-----
From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Nicolas Broquet
Sent: Sunday, April 21, 2019 12:07 PM
To: tpm2(a)lists.01.org
Subject: [tpm2] Help needed to setup an AES key
Hello everyone,
New to the TPM world, I've been reading various docs and forums the past two
weeks and I am now attempting to put all the learning into practice.
More specifically, I'm trying to have the TPM create an AES key.
Here is what I did so far:
DEFAULT_HIERARCHY="o"
DEFAULT_ATTRIBUTES="restricted|decrypt|fixedtpm|fixedparent|sensi
tivedataorigin|userwithauth|noda"
DEFAULT_PERSISTENT_HANDLE="0x81010001"
PARENT_PERSISTENT_HANDLE="0x81010002"
tpm2_createprimary --hierarchy=$DEFAULT_HIERARCHY --auth-
hierarchy="$OWNER_PASSWORD" --object-attributes=$DEFAULT_ATTRIBUTES --
halg sha256 --kalg rsa2048:aes128cfb --out-context-name=$PRIMARY_CONTEXT
tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --
context=$PRIMARY_CONTEXT --auth-hierarchy=$OWNER_PASSWORD --
persistent=$DEFAULT_PERSISTENT_HANDLE
tpm2_create --context-parent=$PRIMARY_CONTEXT --object-
attributes=$DEFAULT_ATTRIBUTES --pubfile=$PUBFILE --privfile=$PRIVFILE --halg
sha256 --kalg rsa2048:aes128cfb
tpm2_load --quiet --context=$PRIMARY_CONTEXT --pubfile=$PUBFILE --
privfile=$PRIVFILE --out-context=$PARENT_CONTEXT
tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --
context=$PARENT_CONTEXT --auth-hierarchy=$OWNER_PASSWORD --
persistent=$PARENT_PERSISTENT_HANDLE
All of that is working great; a call to tpm2_listpersistent shows the two keys and
their persistent handle.
Then I try to add an AES key to that hierarchy. I want this key to be usable only if
some policy is satisfied:
tpm2_create --context-parent=$PARENT_CONTEXT --kalg=aes --
pubfile=$PUBFILE --privfile=$PRIVFILE --policy-file=$AUTHORIZED_POLICY
Where did you get policy-file from?
This call returns the following:
WARNING:esys:src/tss2-
esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys
Finish ErrorCode (0x000002c4)
ERROR: Esys_Create(0x2C4) - tpm:parameter(2):value is out of range or is
not correct for the context
ERROR: Unable to run tpm2_create
FYI there is a scheme in the commands document where there is a thick line that
indicates
The parameter section for a command. In your case parameter 2 is the public object
template.
Doesn't seem to like it.
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-C...
You're likely just hitting different checks within the TPM and not really fixing the
above issue. Those checks
have wildly complex interactions and I am by no means an expert. I have found the best way
is to:
1. see if you can replicate on the software simulator.
2. place software simulator in debugger and figure out what exact check is failing.
I then tried with "aes128" as key algorithm, instead of just "aes":
WARNING:esys:src/tss2-
esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys
Finish ErrorCode (0x000002c9)
ERROR: Esys_Create(0x2C9) - tpm:parameter(2):mode of operation not
supported
ERROR: Unable to run tpm2_create
I also tried to specify a mode instead ("aes128cfb"):
WARNING:esys:src/tss2-
esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys
Finish ErrorCode (0x000002c2)
ERROR: Esys_Create(0x2C2) - tpm:parameter(2):inconsistent attributes
ERROR: Unable to run tpm2_create
After having read all the MAN pages twice, I still have no idea what is going on or
what I did wrong. Most if not all of those commands were merely copy/pasted
from the MAN pages at https://github.com/tpm2-software/tpm2-
tools/tree/master/man .
I'm using a Lenovo X1 Carbon (3rd gen) with Intel PTT enabled, so the system
sees a TPM2.0 device. I can provide more information if needed.
I would greatly appreciate if someone could provide some guidance on this issue;
the TPM world being fascinating so far, I wouldn't want to be stuck on that
problem.
Thanks in advance for your help,
Regards,
Nicolas
12:48 p.m.
The policy was created according to the example at
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_policyau...
DEFAULT_MEASURED_PCRS="sha1:0,2,3,7,10,14"
DEFAULT_EXTERNAL_ATTRIBUTES="restricted|fixedtpm|fixedparent|noda"
tpm2_pcrlist --sel-list=$DEFAULT_MEASURED_PCRS --out-file=$MEASUREMENTS
tpm2_startauthsession --session=$SESSION
tpm2_policypcr --session=$SESSION --set-list=$DEFAULT_MEASURED_PCRS
--pcr-input-file=$MEASUREMENTS --out-policy-file=$POLICY
yubico-piv-tool -a read-certificate -s 9c | openssl x509 -pubkey -noout >
$PUBLIC_KEY
OPENSSL_CONF=engine.conf openssl dgst -engine pkcs11 -keyform engine
-sha256 -sign 2 -out $POLICY_SIGNATURE $POLICY
tpm2_loadexternal --hierarchy=$DEFAULT_HIERARCHY --key-alg=rsa
--pubfile=$PUBLIC_KEY --object-attributes=$DEFAULT_EXTERNAL_ATTRIBUTES
--out-context=$SIGNING_CONTEXT --name=$SIGNING_KEY_NAME
tpm2_policyauthorize --session=$SESSION --in-policy-file=$POLICY
--out-policy-file=$AUTHORIZED_POLICY --name=$SIGNING_KEY_NAME
tpm2_flushcontext --session=$SESSION
That executes without any errors.
On Thu, Apr 25, 2019, 17:57 Roberts, William C <william.c.roberts(a)intel.com>
wrote:
> -----Original Message-----
> From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Nicolas
Broquet
> Sent: Sunday, April 21, 2019 12:07 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] Help needed to setup an AES key
>
> Hello everyone,
>
>
> New to the TPM world, I've been reading various docs and forums the past
two
> weeks and I am now attempting to put all the learning into practice.
> More specifically, I'm trying to have the TPM create an AES key.
> Here is what I did so far:
>
>
>
>
> DEFAULT_HIERARCHY="o"
> DEFAULT_ATTRIBUTES="restricted|decrypt|fixedtpm|fixedparent|sensi
> tivedataorigin|userwithauth|noda"
> DEFAULT_PERSISTENT_HANDLE="0x81010001"
> PARENT_PERSISTENT_HANDLE="0x81010002"
>
> tpm2_createprimary --hierarchy=$DEFAULT_HIERARCHY --auth-
> hierarchy="$OWNER_PASSWORD" --object-attributes=$DEFAULT_ATTRIBUTES --
> halg sha256 --kalg rsa2048:aes128cfb --out-context-name=$PRIMARY_CONTEXT
>
>
> tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --
> context=$PRIMARY_CONTEXT --auth-hierarchy=$OWNER_PASSWORD --
> persistent=$DEFAULT_PERSISTENT_HANDLE
>
>
> tpm2_create --context-parent=$PRIMARY_CONTEXT --object-
> attributes=$DEFAULT_ATTRIBUTES --pubfile=$PUBFILE --privfile=$PRIVFILE
--halg
> sha256 --kalg rsa2048:aes128cfb
>
>
> tpm2_load --quiet --context=$PRIMARY_CONTEXT --pubfile=$PUBFILE --
> privfile=$PRIVFILE --out-context=$PARENT_CONTEXT
>
>
> tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --
> context=$PARENT_CONTEXT --auth-hierarchy=$OWNER_PASSWORD --
> persistent=$PARENT_PERSISTENT_HANDLE
>
>
>
> All of that is working great; a call to tpm2_listpersistent shows the
two keys and
> their persistent handle.
>
>
> Then I try to add an AES key to that hierarchy. I want this key to be
usable only if
> some policy is satisfied:
>
>
>
> tpm2_create --context-parent=$PARENT_CONTEXT --kalg=aes --
> pubfile=$PUBFILE --privfile=$PRIVFILE --policy-file=$AUTHORIZED_POLICY
Where did you get policy-file from?
>
>
> This call returns the following:
>
>
>
> WARNING:esys:src/tss2-
> esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys
> Finish ErrorCode (0x000002c4)
> ERROR: Esys_Create(0x2C4) - tpm:parameter(2):value is out of range
or is
> not correct for the context
> ERROR: Unable to run tpm2_create
FYI there is a scheme in the commands document where there is a thick line
that indicates
The parameter section for a command. In your case parameter 2 is the
public object template.
Doesn't seem to like it.
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-C...
You're likely just hitting different checks within the TPM and not really
fixing the above issue. Those checks
have wildly complex interactions and I am by no means an expert. I have
found the best way is to:
1. see if you can replicate on the software simulator.
2. place software simulator in debugger and figure out what exact check is
failing.
>
>
> I then tried with "aes128" as key algorithm, instead of just
"aes":
>
> WARNING:esys:src/tss2-
> esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys
> Finish ErrorCode (0x000002c9)
> ERROR: Esys_Create(0x2C9) - tpm:parameter(2):mode of operation not
> supported
> ERROR: Unable to run tpm2_create
>
>
> I also tried to specify a mode instead ("aes128cfb"):
>
> WARNING:esys:src/tss2-
> esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys
> Finish ErrorCode (0x000002c2)
> ERROR: Esys_Create(0x2C2) - tpm:parameter(2):inconsistent
attributes
> ERROR: Unable to run tpm2_create
>
>
>
>
>
> After having read all the MAN pages twice, I still have no idea what is
going on or
> what I did wrong. Most if not all of those commands were merely
copy/pasted
> from the MAN pages at https://github.com/tpm2-software/tpm2-
> tools/tree/master/man .
>
>
> I'm using a Lenovo X1 Carbon (3rd gen) with Intel PTT enabled, so the
system
> sees a TPM2.0 device. I can provide more information if needed.
> I would greatly appreciate if someone could provide some guidance on
this issue;
> the TPM world being fascinating so far, I wouldn't want to be stuck on
that
> problem.
>
> Thanks in advance for your help,
> Regards,
>
>
> Nicolas
>
>
>
>
>
>
>
>
>
>
>
679
days inactive
684
days old
2 comments
2 participants
participants (2)
-
Nicolas Broquet -
Roberts, William C