2:09 a.m.
Folks,
Sorry for what is probably an obvious question ...
I tried the examples in the tpm2_duplicate(1) and
tpm2_policyduplicationselect(1) man pages. Afterwards, I just wanted to
try out the duplicated keys. So I tried tpm2_rsaencrypt followed by
tpm2_rsadecrypt. But when doing the latter, I got:
WARNING:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt()
Esys Finish ErrorCode (0x0000012f)
ERROR: Esys_RSA_Decrypt(0x12F) - tpm:error(2.0): authValue or authPolicy
is not available for selected entity
ERROR: Unable to run tpm2_rsadecrypt
Which I guess means I didn't satisfy the policy for the object. But if I
try to run tpm2_startauthsession like those man page examples show, I
get this error:
WARNING:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt()
Esys Finish ErrorCode (0x000009a4)
ERROR: Esys_RSA_Decrypt(0x9A4) - tpm:session(1):the commandCode in the
policy is not the commandCode of the command or the command code in a
policy command references a command that is not implemented
ERROR: Unable to run tpm2_rsadecrypt
And so, I am confused now about what I need to do to get these
duplicated keys to work with tpm2_rsadecrypt.
Thanks,
-ted
--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
4:09 p.m.
+ Imran,
Can you help him out?
Also, can you add to the manpages so theirs examples of using the duplicated key?
> -----Original Message-----
> From: ted.h.kim(a)oracle.com [mailto:ted.h.kim@oracle.com]
> Sent: Tuesday, May 19, 2020 8:10 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] trying duplication and then rsa_en/decrypt
>
> Folks,
>
> Sorry for what is probably an obvious question ...
>
> I tried the examples in the tpm2_duplicate(1) and
> tpm2_policyduplicationselect(1) man pages. Afterwards, I just wanted to try out
> the duplicated keys. So I tried tpm2_rsaencrypt followed by tpm2_rsadecrypt.
> But when doing the latter, I got:
>
> WARNING:esys:src/tss2-
> esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish()
> Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt()
> Esys Finish ErrorCode (0x0000012f)
> ERROR: Esys_RSA_Decrypt(0x12F) - tpm:error(2.0): authValue or authPolicy is not
> available for selected entity
> ERROR: Unable to run tpm2_rsadecrypt
>
>
> Which I guess means I didn't satisfy the policy for the object. But if I try to
run
> tpm2_startauthsession like those man page examples show, I get this error:
>
> WARNING:esys:src/tss2-
> esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish()
> Received TPM Error
> ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt()
> Esys Finish ErrorCode (0x000009a4)
> ERROR: Esys_RSA_Decrypt(0x9A4) - tpm:session(1):the commandCode in the
> policy is not the commandCode of the command or the command code in a policy
> command references a command that is not implemented
> ERROR: Unable to run tpm2_rsadecrypt
>
>
> And so, I am confused now about what I need to do to get these duplicated keys
> to work with tpm2_rsadecrypt.
>
>
> Thanks,
> -ted
>
>
>
> --
> Ted H. Kim, PhD
> ted.h.kim(a)oracle.com
> +1 310-258-7515
>
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
6:31 p.m.
Hi Ted,
Based on what you said you want to accomplish and your above-mentioned references, I have
a hunch that you have the keys set up incorrectly.
Can you please,
1. Try to create a key with "userwithauth" set in the step in your script that
references policy_duplication man page as in here: "tpm2_create -C src_o.ctx -g
sha256 -G rsa -r dupkey.priv -u dupkey.pub \
-L policydupselect.dat -a "sensitivedataorigin|sign|decrypt|userwithauth" -c
dupkey.ctx -Q"
2. Share your exact steps/ script that you implemented.
3. Share the key properties of the parent and child object you created. You can use
tpm2_readpublic command to dump the key properties.
Thanks
7:03 p.m.
Hi Imran,
Thanks for your reply.
I had two cases, but for now, let's talk about the one in the
tpm2_policyduplicationselect(1) man page. I did the exact steps listed
there in the example. Then after the duplication, I did an import and
load, as follows:
# tpm2_import -Q -C dst_n.ctx -i new_dupkey.priv -u dupkey.pub \
-s dupseed.dat -r imported.priv -L policydupselect.dat
# tpm2_load -Q -C dst_n.ctx -r imported.priv -u dupkey.pub -c imported.ctx
I then tried to do tpm2_rsa_en/decrypt with imported.ctx. The decrypt is
where the policy errors came up.
But as you point out below the "userwithauth" attribute is not part of
the example in that man page. So let me try again with that attribute
added. IIRC, the readpublic on the duplicated/imported key did reference
a policy, which I could not figure out how to satisfy. Will get back to
you shortly after trying again.
Thanks,
-ted
On 5/20/20 10:31 AM, Imran Desai wrote:
Hi Ted,
Based on what you said you want to accomplish and your above-mentioned references, I have
a hunch that you have the keys set up incorrectly.
Can you please,
1. Try to create a key with "userwithauth" set in the step in your script that
references policy_duplication man page as in here: "tpm2_create -C src_o.ctx -g
sha256 -G rsa -r dupkey.priv -u dupkey.pub \
-L policydupselect.dat -a "sensitivedataorigin|sign|decrypt|userwithauth" -c
dupkey.ctx -Q"
2. Share your exact steps/ script that you implemented.
3. Share the key properties of the parent and child object you created. You can use
tpm2_readpublic command to dump the key properties.
Thanks
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
7:56 p.m.
Imran,
I tried this, but I noticed something that I think is odd.
I added the userwithauth:
# tpm2_create -C src_o.ctx -g sha256 -G rsa -r dupkey.priv -u dupkey.pub \
-L policydupselect.dat \
-a "sensitivedataorigin|sign|decrypt|userwithauth" -c dupkey.ctx -Q
but it does not show up in the readpublic (which is below).
Is this a bug?
FWIW, I am on the 4.1.X branch (just before 4.1.2 came out).
Do I need the 4.1.2 changes?
Thanks,
-ted
# more dupkey.rp-txt
key: dupkey.ctx
name: 000b6894c94c68dd0d379b80c6417130e620e9da317b0033b1cddd1ab542c5a592e6
qualified name:
000bb9be4705c017f1bf8b238b5f53c87487b4a73c86b8345abfdc671014ab5567ff
name-alg:
value: sha256
raw: 0xb
attributes:
value: sensitivedataorigin|decrypt|sign
raw: 0x60020
type:
value: rsa
raw: 0x1
exponent: 0x0
bits: 2048
scheme:
value: null
raw: 0x10
scheme-halg:
value: (null)
raw: 0x0
sym-alg:
value: null
raw: 0x10
sym-mode:
value: (null)
raw: 0x0
sym-keybits: 0
rsa:
cf42bc7b2063618a8e74d9179f263d0b71be412780d09d5f2e876714f5597fe797c97226473
d2f4b23e3ded77af61c6959ae708e3d59e965f928750a56db367fa6f687ab8a107ac7e89b76fb1aa
1cb09008e1d239fe874937e292b447970ab464466ab293df3e473c839dbce360efe92c5bb20eac66
0714e6a7f7f7ce0646eb9a16e2fe80ba148c4bdb591fec14aed763d70f59cfa4d91dbc1515cfe296
4452a897cea0c958d8da3615003a6b1b08318a6ddf8f9181923ba6eb7fc127a6d9a9148bdd60f3b4
663ae246f5216f15f3d5a78b6e69b06e9ce5fbd9d62cf461e088a35da3d41930179839e9984e8976
de8f0a3ecda87812c53771603dca3ffabac01
authorization policy:
389e01e8e7605646e8586acc5270ff210125d040d152c348266c99c441
84f4d2
On 5/20/20 11:03 AM, ted.h.kim(a)oracle.com wrote:
Hi Imran,
Thanks for your reply.
I had two cases, but for now, let's talk about the one in the
tpm2_policyduplicationselect(1) man page. I did the exact steps listed
there in the example. Then after the duplication, I did an import and
load, as follows:
# tpm2_import -Q -C dst_n.ctx -i new_dupkey.priv -u dupkey.pub \
-s dupseed.dat -r imported.priv -L policydupselect.dat
# tpm2_load -Q -C dst_n.ctx -r imported.priv -u dupkey.pub -c
imported.ctx
I then tried to do tpm2_rsa_en/decrypt with imported.ctx. The decrypt
is where the policy errors came up.
But as you point out below the "userwithauth" attribute is not part of
the example in that man page. So let me try again with that attribute
added. IIRC, the readpublic on the duplicated/imported key did
reference a policy, which I could not figure out how to satisfy. Will
get back to you shortly after trying again.
Thanks,
-ted
On 5/20/20 10:31 AM, Imran Desai wrote:
> Hi Ted,
>
> Based on what you said you want to accomplish and your
> above-mentioned references, I have a hunch that you have the keys set
> up incorrectly.
> Can you please,
> 1. Try to create a key with "userwithauth" set in the step in your
> script that references policy_duplication man page as in here:
> "tpm2_create -C src_o.ctx -g sha256 -G rsa -r dupkey.priv -u
> dupkey.pub \
> -L policydupselect.dat -a
> "sensitivedataorigin|sign|decrypt|userwithauth" -c dupkey.ctx -Q"
> 2. Share your exact steps/ script that you implemented.
> 3. Share the key properties of the parent and child object you
> created. You can use tpm2_readpublic command to dump the key properties.
>
> Thanks
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
8:15 p.m.
Yes, that looks odd. Can you please file an issue in the tpm2-tools. Also, there is a full
example of a key being duplicated, imported between the TPMs and then used for signing
here --> https://github.com/tpm2-software/tpm2-tools/wiki/Duplicating-Objects.
8:38 p.m.
I have opened an issue in the tracker
https://github.com/tpm2-software/tpm2-tools/issues/2037
8:44 p.m.
I have a PR fixing this issue. If you want to try your script with this branch, it is
here: https://github.com/tpm2-software/tpm2-tools/pull/2038
9:49 p.m.
Imran,
Okay, I will try it out.
Also thanks for the pointer to the example on duplicating objects
between TPMs.
Thanks,
-ted
On 5/20/20 12:44 PM, Imran Desai wrote:
I have a PR fixing this issue. If you want to try your script with
this branch, it is here:
https://urldefense.com/v3/__https://github.com/tpm2-software/tpm2-tools/p...
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
1:37 a.m.
Imran,
The fix worked -- Thank you.
One other suggestion would be to add "userwithauth" to the tpm2_create
commands in the man page examples for tpm2_duplicate(1) and
tpm2_policyduplicationselect(1). This would make the duplicated keys in
those examples more useful.
Since I am on the 4.1.X branch, should I expect this fix to roll out
with 4.1.3 ?
Thanks,
-ted
On 5/20/20 1:49 PM, ted.h.kim(a)oracle.com wrote:
Imran,
Okay, I will try it out.
Also thanks for the pointer to the example on duplicating objects
between TPMs.
Thanks,
-ted
On 5/20/20 12:44 PM, Imran Desai wrote:
> I have a PR fixing this issue. If you want to try your script with
> this branch, it is here:
>
https://urldefense.com/v3/__https://github.com/tpm2-software/tpm2-tools/p...
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
4:08 p.m.
-----Original Message-----
From: ted.h.kim(a)oracle.com [mailto:ted.h.kim@oracle.com]
Sent: Wednesday, May 20, 2020 7:38 PM
To: Desai, Imran <imran.desai(a)intel.com>
Cc: tpm2(a)lists.01.org
Subject: [tpm2] Re: trying duplication and then rsa_en/decrypt
Imran,
The fix worked -- Thank you.
One other suggestion would be to add "userwithauth" to the tpm2_create
commands in the man page examples for tpm2_duplicate(1) and
tpm2_policyduplicationselect(1). This would make the duplicated keys in those
examples more useful.
That patch I had to revert, a similar fix will come out, but we must not turn down
userwith
when someone:
- doesn't provide attributes via -a
- doesn't provide a password
- does provide a policy
If someone specifies a policy and no password without explicitly providing the
attributes,
they likely want the authorization to the object to be controlled via policy, not policy
and
an empty password. So when the tool is choosing attributes that's how it needs to do
it.
So for your example, you'll have to specify userwithauth and then we will update the
manpage to reflect this.
Note that your creating an object with no real auth value (empty password), so keep that
in
mind.
Since I am on the 4.1.X branch, should I expect this fix to roll out with 4.1.3 ?
Why not just bump versions? Everything on 4.X is backwards compat, nothing breaks.
You may need to bump your tss version, but again, backwards compat, should just
Work.
>
> Thanks,
> -ted
>
> On 5/20/20 1:49 PM, ted.h.kim(a)oracle.com wrote:
> > Imran,
> >
> > Okay, I will try it out.
> >
> > Also thanks for the pointer to the example on duplicating objects
> > between TPMs.
> >
> > Thanks,
> > -ted
> >
> > On 5/20/20 12:44 PM, Imran Desai wrote:
> >> I have a PR fixing this issue. If you want to try your script with
> >> this branch, it is here:
> >> https://urldefense.com/v3/__https://github.com/tpm2-software/tpm2-too
> >> ls/pull/2038__;!!GqivPVa7Brio!JgE6G26n2bbDPLYBuJ2jf-Buv9U53CDF_b_5y43
> >> EAj8Q9hiybuldt1D8ZH_RPlQ$
> >> _______________________________________________
> >> tpm2 mailing list -- tpm2(a)lists.01.org To unsubscribe send an email
> >> to tpm2-leave(a)lists.01.org
> >> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> >
> --
> Ted H. Kim, PhD
> ted.h.kim(a)oracle.com
> +1 310-258-7515
>
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
5:18 p.m.
William,
Thanks for your reply.
On 5/21/20 8:08 AM, Roberts, William C wrote:
> -----Original Message-----
> From: ted.h.kim(a)oracle.com [mailto:ted.h.kim@oracle.com]
> Sent: Wednesday, May 20, 2020 7:38 PM
> To: Desai, Imran <imran.desai(a)intel.com>
> Cc: tpm2(a)lists.01.org
> Subject: [tpm2] Re: trying duplication and then rsa_en/decrypt
>
> Imran,
>
> The fix worked -- Thank you.
>
> One other suggestion would be to add "userwithauth" to the tpm2_create
> commands in the man page examples for tpm2_duplicate(1) and
> tpm2_policyduplicationselect(1). This would make the duplicated keys in those
> examples more useful.
That patch I had to revert, a similar fix will come out, but we must not turn down
userwith
when someone:
- doesn't provide attributes via -a
- doesn't provide a password
- does provide a policy
If someone specifies a policy and no password without explicitly providing the
attributes,
they likely want the authorization to the object to be controlled via policy, not policy
and
an empty password. So when the tool is choosing attributes that's how it needs to do
it.
So for your example, you'll have to specify userwithauth and then we will update the
manpage to reflect this.
Note that your creating an object with no real auth value (empty password), so keep that
in
mind.
understand, looking forward to the final fix
> Since I am on the 4.1.X branch, should I expect this fix to roll
out with 4.1.3 ?
Why not just bump versions? Everything on 4.X is backwards compat, nothing breaks.
You may need to bump your tss version, but again, backwards compat, should just
Work.
I will eventually do that.
But for the moment, I don't have the time. I know using tpm2-tools-4.2.X
requires tpm2-tss-2.4.x which for my environment has some missing
dependencies which I have yet to resolve.
Thanks,
-ted
> Thanks,
> -ted
>
> On 5/20/20 1:49 PM, ted.h.kim(a)oracle.com wrote:
>> Imran,
>>
>> Okay, I will try it out.
>>
>> Also thanks for the pointer to the example on duplicating objects
>> between TPMs.
>>
>> Thanks,
>> -ted
>>
>> On 5/20/20 12:44 PM, Imran Desai wrote:
>>> I have a PR fixing this issue. If you want to try your script with
>>> this branch, it is here:
>>> https://urldefense.com/v3/__https://github.com/tpm2-software/tpm2-too
>>> ls/pull/2038__;!!GqivPVa7Brio!JgE6G26n2bbDPLYBuJ2jf-Buv9U53CDF_b_5y43
>>> EAj8Q9hiybuldt1D8ZH_RPlQ$
>>> _______________________________________________
>>> tpm2 mailing list -- tpm2(a)lists.01.org To unsubscribe send an email
>>> to tpm2-leave(a)lists.01.org
>>> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> --
> Ted H. Kim, PhD
> ted.h.kim(a)oracle.com
> +1 310-258-7515
>
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
6:06 p.m.
-----Original Message-----
From: ted.h.kim(a)oracle.com [mailto:ted.h.kim@oracle.com]
Sent: Thursday, May 21, 2020 11:19 AM
To: Roberts, William C <william.c.roberts(a)intel.com>
Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
Subject: Re: [tpm2] Re: trying duplication and then rsa_en/decrypt
William,
Thanks for your reply.
On 5/21/20 8:08 AM, Roberts, William C wrote:
>> -----Original Message-----
>> From: ted.h.kim(a)oracle.com [mailto:ted.h.kim@oracle.com]
>> Sent: Wednesday, May 20, 2020 7:38 PM
>> To: Desai, Imran <imran.desai(a)intel.com>
>> Cc: tpm2(a)lists.01.org
>> Subject: [tpm2] Re: trying duplication and then rsa_en/decrypt
>>
>> Imran,
>>
>> The fix worked -- Thank you.
>>
>> One other suggestion would be to add "userwithauth" to the
>> tpm2_create commands in the man page examples for tpm2_duplicate(1)
>> and tpm2_policyduplicationselect(1). This would make the duplicated
>> keys in those examples more useful.
> That patch I had to revert, a similar fix will come out, but we must
> not turn down userwith when someone:
> - doesn't provide attributes via -a
> - doesn't provide a password
> - does provide a policy
>
> If someone specifies a policy and no password without explicitly
> providing the attributes, they likely want the authorization to the
> object to be controlled via policy, not policy and an empty password. So when
the tool is choosing attributes that's how it needs to do it.
> So for your example, you'll have to specify userwithauth and then we
> will update the manpage to reflect this.
>
> Note that your creating an object with no real auth value (empty
> password), so keep that in mind.
understand, looking forward to the final fix
>> Since I am on the 4.1.X branch, should I expect this fix to roll out with 4.1.3
?
> Why not just bump versions? Everything on 4.X is backwards compat, nothing
breaks.
> You may need to bump your tss version, but again, backwards compat,
> should just Work.
I will eventually do that.
But for the moment, I don't have the time. I know using tpm2-tools-4.2.X
requires tpm2-tss-2.4.x which for my environment has some missing
dependencies which I have yet to resolve.
No worries, we should be able to do a backport fix for you. We have a milestone here:
https://github.com/tpm2-software/tpm2-tools/milestone/20
Hopefully Monday we can cut RC0 and then a week form that have a full release.
Thanks,
-ted
>> Thanks,
>> -ted
>>
>> On 5/20/20 1:49 PM, ted.h.kim(a)oracle.com wrote:
>>> Imran,
>>>
>>> Okay, I will try it out.
>>>
>>> Also thanks for the pointer to the example on duplicating objects
>>> between TPMs.
>>>
>>> Thanks,
>>> -ted
>>>
>>> On 5/20/20 12:44 PM, Imran Desai wrote:
>>>> I have a PR fixing this issue. If you want to try your script with
>>>> this branch, it is here:
>>>> https://urldefense.com/v3/__https://github.com/tpm2-software/tpm2-t
>>>> oo
>>>> ls/pull/2038__;!!GqivPVa7Brio!JgE6G26n2bbDPLYBuJ2jf-Buv9U53CDF_b_5y
>>>> 43
>>>> EAj8Q9hiybuldt1D8ZH_RPlQ$
>>>> _______________________________________________
>>>> tpm2 mailing list -- tpm2(a)lists.01.org To unsubscribe send an email
>>>> to tpm2-leave(a)lists.01.org
>>>> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>> --
>> Ted H. Kim, PhD
>> ted.h.kim(a)oracle.com
>> +1 310-258-7515
>>
>> _______________________________________________
>> tpm2 mailing list -- tpm2(a)lists.01.org To unsubscribe send an email
>> to tpm2-leave(a)lists.01.org
>> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
768
days inactive
769
days old
12 comments
3 participants
participants (3)
-
Imran Desai -
Roberts, William C -
ted.h.kim@oracle.com