7:02 a.m.
Hi All,
What does it mean when Esys_ActivateCredential returns 0x2c4? I don't see
this error defined anywhere.
Thanks,
Rahul
7:36 a.m.
The error codes encode a bunch of values, so you won't see that value via a straight
grep.
But you can use tpm2_rc_decode from the tpm2-tools project, like so:
$ tpm2_rc_decode 0x2c4
tpm:parameter(2):value is out of range or is not correct for the contex
See the tools project:
https://github.com/tpm2-software/tpm2-tools
Note that the commands specification will show you what parameter 2 is:
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-C...
Everything after the triple line starts the parameters starting at index 1.
So in this case the secret parameter is wrong.
Note that since TSS version 2.3.0 a software library was also added
for converting these return codes to more human understandable strings,
The header file is here:
https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_rc.h
and then you just link against lib tss2-rc, just in case you needed this built into
your program.
Bill
-----Original Message-----
From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
Sent: Tuesday, March 10, 2020 5:02 PM
To: tpm2(a)lists.01.org
Subject: [tpm2] ESys_ActivateCredential
Hi All,
What does it mean when Esys_ActivateCredential returns 0x2c4? I don't see this
error defined anywhere.
Thanks,
Rahul
8:22 a.m.
Thanks Bill.
Wondering why this would fail. The external make credential API, I have
taken from tss2 GitHub only why would secret fail? When I ran all of this
locally it worked, the moment I moved the make external credential to the
server Im hitting this?
Can it be because of OpenSSL 1.1.0 required in tss2 and 1.0.2 version
running on my server?
Thanks
Rahul
On Tue, Mar 10, 2020 at 3:36 PM Roberts, William C <
william.c.roberts(a)intel.com> wrote:
The error codes encode a bunch of values, so you won't see that
value via
a straight grep.
But you can use tpm2_rc_decode from the tpm2-tools project, like so:
$ tpm2_rc_decode 0x2c4
tpm:parameter(2):value is out of range or is not correct for the contex
See the tools project:
https://github.com/tpm2-software/tpm2-tools
Note that the commands specification will show you what parameter 2 is:
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-C...
Everything after the triple line starts the parameters starting at index 1.
So in this case the secret parameter is wrong.
Note that since TSS version 2.3.0 a software library was also added
for converting these return codes to more human understandable strings,
The header file is here:
https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_rc.h
and then you just link against lib tss2-rc, just in case you needed this
built into
your program.
Bill
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
> Sent: Tuesday, March 10, 2020 5:02 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] ESys_ActivateCredential
>
>
> Hi All,
> What does it mean when Esys_ActivateCredential returns 0x2c4? I don't
see this
> error defined anywhere.
>
> Thanks,
> Rahul
9:52 a.m.
I noticed the same changes when its run as a single process, the remote
attestation method works, the moment i move the make external credential
part to the server I hit this issue.
Wondering what could go wrong? Do the AK keys get flushed out?
On the client side, I have the EKCERT and EK and AK keys loaded in the
tpm2, I save the handle of EK and AK for future use when I receive the
credential blob and secret, so basically i fork out a thread to send the
data (and create EK/AK) and then fork another thread to handle the
receive part, but EK/AK handles are global and saved and no other process
touches the TPM!
Why would I get 0x2c4 in Esys_ActivateCredential () but works perfectly
fine when everything is run as one thread?
Thanks,
Rahul
On Tue, Mar 10, 2020 at 4:22 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:
Thanks Bill.
Wondering why this would fail. The external make credential API, I have
taken from tss2 GitHub only why would secret fail? When I ran all of this
locally it worked, the moment I moved the make external credential to the
server Im hitting this?
Can it be because of OpenSSL 1.1.0 required in tss2 and 1.0.2 version
running on my server?
Thanks
Rahul
On Tue, Mar 10, 2020 at 3:36 PM Roberts, William C <
william.c.roberts(a)intel.com> wrote:
> The error codes encode a bunch of values, so you won't see that value via
> a straight grep.
>
> But you can use tpm2_rc_decode from the tpm2-tools project, like so:
> $ tpm2_rc_decode 0x2c4
> tpm:parameter(2):value is out of range or is not correct for the contex
>
> See the tools project:
> https://github.com/tpm2-software/tpm2-tools
>
> Note that the commands specification will show you what parameter 2 is:
>
>
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-C...
>
> Everything after the triple line starts the parameters starting at index
> 1.
> So in this case the secret parameter is wrong.
>
> Note that since TSS version 2.3.0 a software library was also added
> for converting these return codes to more human understandable strings,
> The header file is here:
>
> https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_rc.h
>
> and then you just link against lib tss2-rc, just in case you needed this
> built into
> your program.
>
> Bill
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
> > Sent: Tuesday, March 10, 2020 5:02 PM
> > To: tpm2(a)lists.01.org
> > Subject: [tpm2] ESys_ActivateCredential
> >
> >
> > Hi All,
> > What does it mean when Esys_ActivateCredential returns 0x2c4? I don't
> see this
> > error defined anywhere.
> >
> > Thanks,
> > Rahul
>
2:22 a.m.
Any idea folks?
On Thu, Mar 12, 2020 at 5:52 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:
I noticed the same changes when its run as a single process, the
remote
attestation method works, the moment i move the make external credential
part to the server I hit this issue.
Wondering what could go wrong? Do the AK keys get flushed out?
On the client side, I have the EKCERT and EK and AK keys loaded in the
tpm2, I save the handle of EK and AK for future use when I receive the
credential blob and secret, so basically i fork out a thread to send the
data (and create EK/AK) and then fork another thread to handle the
receive part, but EK/AK handles are global and saved and no other process
touches the TPM!
Why would I get 0x2c4 in Esys_ActivateCredential () but works perfectly
fine when everything is run as one thread?
Thanks,
Rahul
On Tue, Mar 10, 2020 at 4:22 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:
> Thanks Bill.
> Wondering why this would fail. The external make credential API, I have
> taken from tss2 GitHub only why would secret fail? When I ran all of this
> locally it worked, the moment I moved the make external credential to the
> server Im hitting this?
> Can it be because of OpenSSL 1.1.0 required in tss2 and 1.0.2 version
> running on my server?
> Thanks
> Rahul
>
> On Tue, Mar 10, 2020 at 3:36 PM Roberts, William C <
> william.c.roberts(a)intel.com> wrote:
>
>> The error codes encode a bunch of values, so you won't see that value
>> via a straight grep.
>>
>> But you can use tpm2_rc_decode from the tpm2-tools project, like so:
>> $ tpm2_rc_decode 0x2c4
>> tpm:parameter(2):value is out of range or is not correct for the contex
>>
>> See the tools project:
>> https://github.com/tpm2-software/tpm2-tools
>>
>> Note that the commands specification will show you what parameter 2 is:
>>
>>
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-C...
>>
>> Everything after the triple line starts the parameters starting at index
>> 1.
>> So in this case the secret parameter is wrong.
>>
>> Note that since TSS version 2.3.0 a software library was also added
>> for converting these return codes to more human understandable strings,
>> The header file is here:
>>
>> https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_rc.h
>>
>> and then you just link against lib tss2-rc, just in case you needed this
>> built into
>> your program.
>>
>> Bill
>>
>> > -----Original Message-----
>> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
>> > Sent: Tuesday, March 10, 2020 5:02 PM
>> > To: tpm2(a)lists.01.org
>> > Subject: [tpm2] ESys_ActivateCredential
>> >
>> >
>> > Hi All,
>> > What does it mean when Esys_ActivateCredential returns 0x2c4? I don't
>> see this
>> > error defined anywhere.
>> >
>> > Thanks,
>> > Rahul
>>
>
7:42 a.m.
One last attempt...wondering if AK needs to be loaded in this case
Thread 1 in client .. creates EK and AK and sends to server
Server creates credential externally sends secret and credential blob
Thread 2 in client - Calls ActivateCredential (it has access to the global
ESYS_CONTEXT structures, ak_handles and ek_handles that thread 1 created)
Question: Are AK keys still present in the TPM? Will the ESAPI structures
still work even after few seconds or are they flushed?
I'm trying to understand why if I run all these methods in a single thread,
it works!
Thanks
Rahul
On Fri, Mar 13, 2020 at 10:22 AM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:
Any idea folks?
On Thu, Mar 12, 2020 at 5:52 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:
> I noticed the same changes when its run as a single process, the remote
> attestation method works, the moment i move the make external credential
> part to the server I hit this issue.
> Wondering what could go wrong? Do the AK keys get flushed out?
> On the client side, I have the EKCERT and EK and AK keys loaded in the
> tpm2, I save the handle of EK and AK for future use when I receive the
> credential blob and secret, so basically i fork out a thread to send the
> data (and create EK/AK) and then fork another thread to handle the
> receive part, but EK/AK handles are global and saved and no other process
> touches the TPM!
>
> Why would I get 0x2c4 in Esys_ActivateCredential () but works perfectly
> fine when everything is run as one thread?
>
> Thanks,
> Rahul
>
> On Tue, Mar 10, 2020 at 4:22 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
> wrote:
>
>> Thanks Bill.
>> Wondering why this would fail. The external make credential API, I have
>> taken from tss2 GitHub only why would secret fail? When I ran all of this
>> locally it worked, the moment I moved the make external credential to the
>> server Im hitting this?
>> Can it be because of OpenSSL 1.1.0 required in tss2 and 1.0.2 version
>> running on my server?
>> Thanks
>> Rahul
>>
>> On Tue, Mar 10, 2020 at 3:36 PM Roberts, William C <
>> william.c.roberts(a)intel.com> wrote:
>>
>>> The error codes encode a bunch of values, so you won't see that value
>>> via a straight grep.
>>>
>>> But you can use tpm2_rc_decode from the tpm2-tools project, like so:
>>> $ tpm2_rc_decode 0x2c4
>>> tpm:parameter(2):value is out of range or is not correct for the contex
>>>
>>> See the tools project:
>>> https://github.com/tpm2-software/tpm2-tools
>>>
>>> Note that the commands specification will show you what parameter 2 is:
>>>
>>>
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-C...
>>>
>>> Everything after the triple line starts the parameters starting at
>>> index 1.
>>> So in this case the secret parameter is wrong.
>>>
>>> Note that since TSS version 2.3.0 a software library was also added
>>> for converting these return codes to more human understandable strings,
>>> The header file is here:
>>>
>>> https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_rc.h
>>>
>>> and then you just link against lib tss2-rc, just in case you needed
>>> this built into
>>> your program.
>>>
>>> Bill
>>>
>>> > -----Original Message-----
>>> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
>>> > Sent: Tuesday, March 10, 2020 5:02 PM
>>> > To: tpm2(a)lists.01.org
>>> > Subject: [tpm2] ESys_ActivateCredential
>>> >
>>> >
>>> > Hi All,
>>> > What does it mean when Esys_ActivateCredential returns 0x2c4? I
don't
>>> see this
>>> > error defined anywhere.
>>> >
>>> > Thanks,
>>> > Rahul
>>>
>>
10:06 p.m.
-----Original Message-----
From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
Sent: Monday, March 16, 2020 5:43 PM
To: Roberts, William C <william.c.roberts(a)intel.com>
Cc: tpm2(a)lists.01.org
Subject: Re: [tpm2] ESys_ActivateCredential
One last attempt...wondering if AK needs to be loaded in this case Thread 1 in
client .. creates EK and AK and sends to server Server creates credential
externally sends secret and credential blob Thread 2 in client - Calls
ActivateCredential (it has access to the global ESYS_CONTEXT structures,
ak_handles and ek_handles that thread 1 created)
Question: Are AK keys still present in the TPM? Will the ESAPI structures still work
even after few seconds or are they flushed?
I'm trying to understand why if I run all these methods in a single thread, it
works!
They should work, all of this would work if done properly. The ESYS/TCTI contexts are
not thread safe IIUC, so you can't share without locking or ensuring mutual
exclusion.
If you're using a RM, it should just be seeing a connection from a process, it has
no
Idea if you have multiple threads, and thus doesn't care. Nothing will get flushed
from
The TPM unless your application or an RM does it. So all the handles, etc should remain
valid until one of those events occur.
Thanks
Rahul
On Fri, Mar 13, 2020 at 10:22 AM Rahul Hardikar <rahulhardikar(a)gmail.com
<mailto:rahulhardikar@gmail.com> > wrote:
Any idea folks?
On Thu, Mar 12, 2020 at 5:52 PM Rahul Hardikar
<rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com> > wrote:
I noticed the same changes when its run as a single process, the
remote attestation method works, the moment i move the make external
credential part to the server I hit this issue.
Wondering what could go wrong? Do the AK keys get flushed
out?
On the client side, I have the EKCERT and EK and AK keys loaded
in the tpm2, I save the handle of EK and AK for future use when I receive the
credential blob and secret, so basically i fork out a thread to send the data (and
create EK/AK) and then fork another thread to handle the receive part, but
EK/AK handles are global and saved and no other process touches the TPM!
Why would I get 0x2c4 in Esys_ActivateCredential () but works
perfectly fine when everything is run as one thread?
Thanks,
Rahul
On Tue, Mar 10, 2020 at 4:22 PM Rahul Hardikar
<rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com> > wrote:
Thanks Bill.
Wondering why this would fail. The external make
credential API, I have taken from tss2 GitHub only why would secret fail? When I
ran all of this locally it worked, the moment I moved the make external credential
to the server Im hitting this?
Can it be because of OpenSSL 1.1.0 required in tss2 and
1.0.2 version running on my server?
Thanks
Rahul
On Tue, Mar 10, 2020 at 3:36 PM Roberts, William C
<william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com> > wrote:
The error codes encode a bunch of values, so you
won't see that value via a straight grep.
But you can use tpm2_rc_decode from the tpm2-
tools project, like so:
$ tpm2_rc_decode 0x2c4
tpm:parameter(2):value is out of range or is not
correct for the contex
See the tools project:
https://github.com/tpm2-software/tpm2-tools
Note that the commands specification will show
you what parameter 2 is:
https://trustedcomputinggroup.org/wp-
content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf
Everything after the triple line starts the
parameters starting at index 1.
So in this case the secret parameter is wrong.
Note that since TSS version 2.3.0 a software
library was also added
for converting these return codes to more human
understandable strings,
The header file is here:
https://github.com/tpm2-software/tpm2-
tss/blob/master/include/tss2/tss2_rc.h
and then you just link against lib tss2-rc, just in
case you needed this built into
your program.
Bill
> -----Original Message-----
> From: Rahul Hardikar
[mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> ]
> Sent: Tuesday, March 10, 2020 5:02 PM
> To: tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> Subject: [tpm2] ESys_ActivateCredential
>
>
> Hi All,
> What does it mean when
Esys_ActivateCredential returns 0x2c4? I don't see this
> error defined anywhere.
>
> Thanks,
> Rahul
10:20 p.m.
Set this up with all handles in use made persistent. If you still see issues, gdb-break or
turn on debug logging at the Esys call and compare the function arguments.
11:02 a.m.
Thanks guys, I'll try this but i also wanted to know if there is a way to
know if the TPM still has the EK and AK keys loaded? I have the EK handle
and AK handle (not made it persistent) but I want to make sure it's present
as these are necessary for ActivateCredential to succeed
ESys_ActivateCredential complaining about secret parameter doesn't make
sense to me, I tested on server side, ak_name is same as that sent and so
is EK_PUB object as well as EK_Cert in nvram, I call the same
external_makecredential call that's in the GitHub to create secret and made
sure secret,credblob matches on the client side when received from server.
Thanks,
Rahul
On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
Set this up with all handles in use made persistent. If you still
see
issues, gdb-break or turn on debug logging at the Esys call and compare the
function arguments.
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
1:17 a.m.
How do I know if RM is being used?
When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay for
multi-thread
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could
not load TCTI file: libtss2-tcti-default.so
libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could
not load TCTI file: libtss2-tcti-tabrmd.so
In my single threaded process, everything works so smoothly
[root]# ./tpm
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could
not load TCTI file: libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could
not load TCTI file: libtss2-tcti-tabrmd.so
ESYS Initialization: Pass
Read TPM EK Certificate: Pass
TPM EK Certificate Root-CA Verification: Pass
Clear TPM State: Pass
Created EK Primary object: Pass
#####Handle 0x418368
Create Attestation Key: Pass
#####Ak_Handle 0x41836b
Original Credential="deadbeefdeadbeefdead"
Make Credential: Pass
#####Encrypted Credential
Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a45c412864f020a7f1bbcab7a34f0"
#####Encrypted
Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aece0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d830794775dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f1406612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687e1eb9fcc1759c184972779bfc"
Activating Credential: Pass
#####Recovered Credential="deadbeefdeadbeefdead"
[root]#
On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:
Thanks guys, I'll try this but i also wanted to know if there is
a way to
know if the TPM still has the EK and AK keys loaded? I have the EK handle
and AK handle (not made it persistent) but I want to make sure it's present
as these are necessary for ActivateCredential to succeed
ESys_ActivateCredential complaining about secret parameter doesn't make
sense to me, I tested on server side, ak_name is same as that sent and so
is EK_PUB object as well as EK_Cert in nvram, I call the same
external_makecredential call that's in the GitHub to create secret and made
sure secret,credblob matches on the client side when received from server.
Thanks,
Rahul
On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com> wrote:
> Set this up with all handles in use made persistent. If you still see
> issues, gdb-break or turn on debug logging at the Esys call and compare the
> function arguments.
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>
2:23 a.m.
-----Original Message-----
From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
Sent: Thursday, April 9, 2020 11:18 AM
To: Desai, Imran <imran.desai(a)intel.com>
Cc: tpm2(a)lists.01.org
Subject: [tpm2] Re: ESys_ActivateCredential
How do I know if RM is being used?
If you set the tcti to the device tcti, it will open /dev/tpm0 by default. And that wont
Be an RM. You can also give it an option. Esys_Initialize() takes a tcti as an option,
NULL will cause it to use the default search behavior of the Tss2_TctiLdr, see:
https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_In...
https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Devic...
https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-devic...
You can use man locally if you prefer as well:
man 3 Tss2_TctiLdr_Initialize
man 7 tss2-tcti-device
man 3 Tss2_Tcti_Device_Init
Note that
https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Devic...
Has sample code in it.
If you're using the tools, it supports explicitly choosing the TCTI:
https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel resource manager.
When I do ESys_Initialize, I see these WARNINGs, wondering if
it's okay for multi-
thread
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
load TCTI file: libtss2-tcti-default.so <http://libtss2-tcti-default.so/>
libtss2-tcti-
default.so <http://libtss2-tcti-default.so/>
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
load TCTI file: libtss2-tcti-tabrmd.so <http://libtss2-tcti-tabrmd.so/>
In my single threaded process, everything works so smoothly [root]# ./tpm
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
load TCTI file: libtss2-tcti-default.so <http://libtss2-tcti-default.so/>
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not
load TCTI file: libtss2-tcti-tabrmd.so <http://libtss2-tcti-tabrmd.so/> ESYS
Initialization: Pass
Read TPM EK Certificate: Pass
TPM EK Certificate Root-CA Verification: Pass
Clear TPM State: Pass
Created EK Primary object: Pass
#####Handle 0x418368
Create Attestation Key: Pass
#####Ak_Handle 0x41836b
Original Credential="deadbeefdeadbeefdead"
Make Credential: Pass
#####Encrypted Credential
Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
45c412864f020a7f1bbcab7a34f0"
#####Encrypted
Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
e1eb9fcc1759c184972779bfc"
Activating Credential: Pass
#####Recovered Credential="deadbeefdeadbeefdead"
[root]#
On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com
<mailto:rahulhardikar@gmail.com> > wrote:
Thanks guys, I'll try this but i also wanted to know if there is a way to
know if the TPM still has the EK and AK keys loaded? I have the EK handle and AK
handle (not made it persistent) but I want to make sure it's present as these are
necessary for ActivateCredential to succeed
ESys_ActivateCredential complaining about secret parameter doesn't
make sense to me, I tested on server side, ak_name is same as that sent and so is
EK_PUB object as well as EK_Cert in nvram, I call the same
external_makecredential call that's in the GitHub to create secret and made sure
secret,credblob matches on the client side when received from server.
Thanks,
Rahul
On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com
<mailto:imran.desai@intel.com> > wrote:
Set this up with all handles in use made persistent. If you still see
issues, gdb-break or turn on debug logging at the Esys call and compare the
function arguments.
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
To unsubscribe send an email to tpm2-leave(a)lists.01.org
<mailto:tpm2-leave@lists.01.org>
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
4:50 a.m.
Thanks Bill. I use this
Esys_Initialize( &ectx, NULL, NULL);
so i'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
If I need to debug Esys_ActivateCredential more, how can I do it, these
APIs are no more standalone, I have integrated it in a bigger code base and
added the esys-tss2 and other libs in my poky build, so now it runs as
different process that invokes this function, I can gdb into the process
but I can't seem to gdb into Esys_Activate..( )
Thanks,
Rahul
On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
> Sent: Thursday, April 9, 2020 11:18 AM
> To: Desai, Imran <imran.desai(a)intel.com>
> Cc: tpm2(a)lists.01.org
> Subject: [tpm2] Re: ESys_ActivateCredential
>
> How do I know if RM is being used?
If you set the tcti to the device tcti, it will open /dev/tpm0 by default.
And that wont
Be an RM. You can also give it an option. Esys_Initialize() takes a tcti
as an option,
NULL will cause it to use the default search behavior of the Tss2_TctiLdr,
see:
https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_TctiLdr_In...
https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Devic...
https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-tcti-devic...
You can use man locally if you prefer as well:
man 3 Tss2_TctiLdr_Initialize
man 7 tss2-tcti-device
man 3 Tss2_Tcti_Device_Init
Note that
https://github.com/tpm2-software/tpm2-tss/blob/master/man/Tss2_Tcti_Devic...
Has sample code in it.
If you're using the tools, it supports explicitly choosing the TCTI:
https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md
Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel resource
manager.
> When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay
for multi-
> thread
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
Could not
> load TCTI file: libtss2-tcti-default.so <http://libtss2-tcti-default.so/>
libtss2-tcti-
> default.so <http://libtss2-tcti-default.so/>
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
Could not
> load TCTI file: libtss2-tcti-tabrmd.so <http://libtss2-tcti-tabrmd.so/>
>
> In my single threaded process, everything works so smoothly [root]# ./tpm
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
Could not
> load TCTI file: libtss2-tcti-default.so <http://libtss2-tcti-default.so/
>
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
Could not
> load TCTI file: libtss2-tcti-tabrmd.so <http://libtss2-tcti-tabrmd.so/>
ESYS
> Initialization: Pass
>
> Read TPM EK Certificate: Pass
>
> TPM EK Certificate Root-CA Verification: Pass
>
> Clear TPM State: Pass
>
> Created EK Primary object: Pass
> #####Handle 0x418368
>
> Create Attestation Key: Pass
> #####Ak_Handle 0x41836b
>
> Original Credential="deadbeefdeadbeefdead"
>
> Make Credential: Pass
> #####Encrypted Credential
> Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> 45c412864f020a7f1bbcab7a34f0"
>
> #####Encrypted
> Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> e1eb9fcc1759c184972779bfc"
>
> Activating Credential: Pass
> #####Recovered Credential="deadbeefdeadbeefdead"
>
> [root]#
>
>
>
> On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar <rahulhardikar(a)gmail.com
> <mailto:rahulhardikar@gmail.com> > wrote:
>
>
> Thanks guys, I'll try this but i also wanted to know if there is
a way to
> know if the TPM still has the EK and AK keys loaded? I have the EK
handle and AK
> handle (not made it persistent) but I want to make sure it's present as
these are
> necessary for ActivateCredential to succeed
> ESys_ActivateCredential complaining about secret parameter doesn't
> make sense to me, I tested on server side, ak_name is same as that sent
and so is
> EK_PUB object as well as EK_Cert in nvram, I call the same
> external_makecredential call that's in the GitHub to create secret and
made sure
> secret,credblob matches on the client side when received from server.
>
> Thanks,
> Rahul
>
> On Tue, Mar 17, 2020 at 6:19 AM Imran Desai <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com> > wrote:
>
>
> Set this up with all handles in use made persistent. If
you still see
> issues, gdb-break or turn on debug logging at the Esys call and compare
the
> function arguments.
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org <mailto:
tpm2(a)lists.01.org>
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> <mailto:tpm2-leave@lists.01.org>
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>
12:16 a.m.
-----Original Message-----
From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
Sent: Thursday, April 9, 2020 2:51 PM
To: Roberts, William C <william.c.roberts(a)intel.com>
Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
Subject: Re: [tpm2] Re: ESys_ActivateCredential
Thanks Bill. I use this
Esys_Initialize( &ectx, NULL, NULL);
so i'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
This should do it for you:
TSS2_RC
Tss2_TctiLdr_Initialize (const char *nameConf,
TSS2_TCTI_CONTEXT **context);
Set nameConf to the string "tabrmd", that should give you a tcti pointer you
can
pass wot Esys_Initialize()
If I need to debug Esys_ActivateCredential more, how can I do it, these APIs are
no more standalone, I have integrated it in a bigger code base and added the
esys-tss2 and other libs in my poky build, so now it runs as different process that
invokes this function, I can gdb into the process but I can't seem to gdb into
Esys_Activate..( )
Did you build tpm2-tss with debug symbols?
Add --enable-debug
Thanks,
Rahul
On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> > wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> ]
> Sent: Thursday, April 9, 2020 11:18 AM
> To: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com> >
> Cc: tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> Subject: [tpm2] Re: ESys_ActivateCredential
>
> How do I know if RM is being used?
If you set the tcti to the device tcti, it will open /dev/tpm0 by default. And
that wont
Be an RM. You can also give it an option. Esys_Initialize() takes a tcti as an
option,
NULL will cause it to use the default search behavior of the Tss2_TctiLdr,
see:
https://github.com/tpm2-software/tpm2-
tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
https://github.com/tpm2-software/tpm2-
tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-
tcti-device.7.in
You can use man locally if you prefer as well:
man 3 Tss2_TctiLdr_Initialize
man 7 tss2-tcti-device
man 3 Tss2_Tcti_Device_Init
Note that https://github.com/tpm2-software/tpm2-
tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
Has sample code in it.
If you're using the tools, it supports explicitly choosing the TCTI:
https://github.com/tpm2-software/tpm2-
tools/blob/master/man/common/tcti.md
Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel resource
manager.
> When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay
for multi-
> thread
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
Could not
> load TCTI file: libtss2-tcti-default.so <http://libtss2-tcti-default.so/>
libtss2-tcti-
> default.so <http://libtss2-tcti-default.so/>
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
Could not
> load TCTI file: libtss2-tcti-tabrmd.so <http://libtss2-tcti-tabrmd.so/>
>
> In my single threaded process, everything works so smoothly [root]#
./tpm
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
Could not
> load TCTI file: libtss2-tcti-default.so <http://libtss2-tcti-default.so/>
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
Could not
> load TCTI file: libtss2-tcti-tabrmd.so <http://libtss2-tcti-tabrmd.so/>
ESYS
> Initialization: Pass
>
> Read TPM EK Certificate: Pass
>
> TPM EK Certificate Root-CA Verification: Pass
>
> Clear TPM State: Pass
>
> Created EK Primary object: Pass
> #####Handle 0x418368
>
> Create Attestation Key: Pass
> #####Ak_Handle 0x41836b
>
> Original Credential="deadbeefdeadbeefdead"
>
> Make Credential: Pass
> #####Encrypted Credential
>
Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> 45c412864f020a7f1bbcab7a34f0"
>
> #####Encrypted
>
Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
>
76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
>
e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
>
077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
>
5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
>
06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
>
fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> e1eb9fcc1759c184972779bfc"
>
> Activating Credential: Pass
> #####Recovered Credential="deadbeefdeadbeefdead"
>
> [root]#
>
>
>
> On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar
<rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> wrote:
>
>
> Thanks guys, I'll try this but i also wanted to know if there is a way
to
> know if the TPM still has the EK and AK keys loaded? I have the EK
handle and AK
> handle (not made it persistent) but I want to make sure it's present as
these are
> necessary for ActivateCredential to succeed
> ESys_ActivateCredential complaining about secret parameter
doesn't
> make sense to me, I tested on server side, ak_name is same as that
sent and so is
> EK_PUB object as well as EK_Cert in nvram, I call the same
> external_makecredential call that's in the GitHub to create secret and
made sure
> secret,credblob matches on the client side when received from server.
>
> Thanks,
> Rahul
>
> On Tue, Mar 17, 2020 at 6:19 AM Imran Desai
<imran.desai(a)intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
wrote:
>
>
> Set this up with all handles in use made persistent. If you still
see
> issues, gdb-break or turn on debug logging at the Esys call and compare
the
> function arguments.
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
<mailto:tpm2-leave@lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>
3:07 a.m.
Thanks Bill, trying that.
I did not get debug build tpm2_tss, isn't it all prebuilt ? I will have to
see how to do it in poky.
On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
> Sent: Thursday, April 9, 2020 2:51 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
>
> Thanks Bill. I use this
> Esys_Initialize( &ectx, NULL, NULL);
>
> so i'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
This should do it for you:
TSS2_RC
Tss2_TctiLdr_Initialize (const char *nameConf,
TSS2_TCTI_CONTEXT **context);
Set nameConf to the string "tabrmd", that should give you a tcti pointer
you can
pass wot Esys_Initialize()
>
>
> If I need to debug Esys_ActivateCredential more, how can I do it, these
APIs are
> no more standalone, I have integrated it in a bigger code base and added
the
> esys-tss2 and other libs in my poky build, so now it runs as different
process that
> invokes this function, I can gdb into the process but I can't seem to
gdb into
> Esys_Activate..( )
Did you build tpm2-tss with debug symbols?
Add --enable-debug
>
>
> Thanks,
> Rahul
>
>
>
>
> On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C <
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> > wrote:
>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> ]
> > Sent: Thursday, April 9, 2020 11:18 AM
> > To: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com> >
> > Cc: tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> > Subject: [tpm2] Re: ESys_ActivateCredential
> >
> > How do I know if RM is being used?
>
>
> If you set the tcti to the device tcti, it will open /dev/tpm0 by
default. And
> that wont
> Be an RM. You can also give it an option. Esys_Initialize() takes
a tcti as an
> option,
> NULL will cause it to use the default search behavior of the
Tss2_TctiLdr,
> see:
>
> https://github.com/tpm2-software/tpm2-
> tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> https://github.com/tpm2-software/tpm2-
> tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> https://github.com/tpm2-software/tpm2-tss/blob/master/man/tss2-
> tcti-device.7.in
>
> You can use man locally if you prefer as well:
> man 3 Tss2_TctiLdr_Initialize
> man 7 tss2-tcti-device
> man 3 Tss2_Tcti_Device_Init
>
> Note that https://github.com/tpm2-software/tpm2-
> tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> Has sample code in it.
>
> If you're using the tools, it supports explicitly choosing the
TCTI:
> https://github.com/tpm2-software/tpm2-
> tools/blob/master/man/common/tcti.md
>
> Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel
resource
> manager.
>
>
> > When I do ESys_Initialize, I see these WARNINGs, wondering if
it's okay
> for multi-
> > thread
> >
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
> Could not
> > load TCTI file: libtss2-tcti-default.so <
http://libtss2-tcti-default.so/>
> libtss2-tcti-
> > default.so <http://libtss2-tcti-default.so/>
> >
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
> Could not
> > load TCTI file: libtss2-tcti-tabrmd.so <
http://libtss2-tcti-tabrmd.so/>
> >
> > In my single threaded process, everything works so smoothly
[root]#
> ./tpm
> >
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
> Could not
> > load TCTI file: libtss2-tcti-default.so <
http://libtss2-tcti-default.so/>
> >
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file()
> Could not
> > load TCTI file: libtss2-tcti-tabrmd.so <
http://libtss2-tcti-tabrmd.so/>
> ESYS
> > Initialization: Pass
> >
> > Read TPM EK Certificate: Pass
> >
> > TPM EK Certificate Root-CA Verification: Pass
> >
> > Clear TPM State: Pass
> >
> > Created EK Primary object: Pass
> > #####Handle 0x418368
> >
> > Create Attestation Key: Pass
> > #####Ak_Handle 0x41836b
> >
> > Original Credential="deadbeefdeadbeefdead"
> >
> > Make Credential: Pass
> > #####Encrypted Credential
> >
> Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > 45c412864f020a7f1bbcab7a34f0"
> >
> > #####Encrypted
> >
> Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> >
> 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> >
> e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> >
> 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> >
> 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> >
> 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> >
> fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > e1eb9fcc1759c184972779bfc"
> >
> > Activating Credential: Pass
> > #####Recovered Credential="deadbeefdeadbeefdead"
> >
> > [root]#
> >
> >
> >
> > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar
> <rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > wrote:
> >
> >
> > Thanks guys, I'll try this but i also wanted to know if
there is a way to
> > know if the TPM still has the EK and AK keys loaded? I have the
EK
> handle and AK
> > handle (not made it persistent) but I want to make sure it's
present as
> these are
> > necessary for ActivateCredential to succeed
> > ESys_ActivateCredential complaining about secret parameter
> doesn't
> > make sense to me, I tested on server side, ak_name is same as
that
> sent and so is
> > EK_PUB object as well as EK_Cert in nvram, I call the same
> > external_makecredential call that's in the GitHub to create
secret and
> made sure
> > secret,credblob matches on the client side when received from
server.
> >
> > Thanks,
> > Rahul
> >
> > On Tue, Mar 17, 2020 at 6:19 AM Imran Desai
> <imran.desai(a)intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> >
> wrote:
> >
> >
> > Set this up with all handles in use made
persistent. If you still see
> > issues, gdb-break or turn on debug logging at the Esys call and
compare
> the
> > function arguments.
> > _______________________________________________
> > tpm2 mailing list -- tpm2(a)lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > To unsubscribe send an email to
tpm2-leave(a)lists.01.org
> <mailto:tpm2-leave@lists.01.org>
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
>
> >
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> >
>
>
3:33 a.m.
-----Original Message-----
From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
Sent: Friday, April 10, 2020 1:08 PM
To: Roberts, William C <william.c.roberts(a)intel.com>
Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
Subject: Re: [tpm2] Re: ESys_ActivateCredential
Thanks Bill, trying that.
I did not get debug build tpm2_tss, isn't it all prebuilt ? I will have to see how
to
do it in poky.
If you're getting it from a package manager, yes. But there's nothing stopping
you
from using source builds. Some distro's will package debug symbols for their
packages.
On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> > wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> ]
> Sent: Thursday, April 9, 2020 2:51 PM
> To: Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> >
> Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
>
> Thanks Bill. I use this
> Esys_Initialize( &ectx, NULL, NULL);
>
> so i'm assuming it would take the default libtss2-tcti-tabrmd.so.0.
This should do it for you:
TSS2_RC
Tss2_TctiLdr_Initialize (const char *nameConf,
TSS2_TCTI_CONTEXT **context);
Set nameConf to the string "tabrmd", that should give you a tcti pointer
you can
pass wot Esys_Initialize()
>
>
> If I need to debug Esys_ActivateCredential more, how can I do it, these
APIs are
> no more standalone, I have integrated it in a bigger code base and
added the
> esys-tss2 and other libs in my poky build, so now it runs as different
process that
> invokes this function, I can gdb into the process but I can't seem to gdb
into
> Esys_Activate..( )
Did you build tpm2-tss with debug symbols?
Add --enable-debug
>
>
> Thanks,
> Rahul
>
>
>
>
> On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C
<william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > wrote:
>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
]
> > Sent: Thursday, April 9, 2020 11:18 AM
> > To: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > Cc: tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > Subject: [tpm2] Re: ESys_ActivateCredential
> >
> > How do I know if RM is being used?
>
>
> If you set the tcti to the device tcti, it will open /dev/tpm0 by
default. And
> that wont
> Be an RM. You can also give it an option. Esys_Initialize() takes a tcti
as an
> option,
> NULL will cause it to use the default search behavior of the
Tss2_TctiLdr,
> see:
>
> https://github.com/tpm2-software/tpm2-
> tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
<http://Tss2_TctiLdr_Initialize.3.in>
> https://github.com/tpm2-software/tpm2-
> tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> https://github.com/tpm2-software/tpm2-
tss/blob/master/man/tss2-
> tcti-device.7.in <http://tcti-device.7.in>
>
> You can use man locally if you prefer as well:
> man 3 Tss2_TctiLdr_Initialize
> man 7 tss2-tcti-device
> man 3 Tss2_Tcti_Device_Init
>
> Note that https://github.com/tpm2-software/tpm2-
> tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> Has sample code in it.
>
> If you're using the tools, it supports explicitly choosing the TCTI:
> https://github.com/tpm2-software/tpm2-
> tools/blob/master/man/common/tcti.md
>
> Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel
resource
> manager.
>
>
> > When I do ESys_Initialize, I see these WARNINGs, wondering if it's
okay
> for multi-
> > thread
> > WARNING:esys:src/tss2-
esys/esys_tcti_default.c:137:tcti_from_file()
> Could not
> > load TCTI file: libtss2-tcti-default.so <http://libtss2-tcti-
default.so/>
> libtss2-tcti-
> > default.so <http://libtss2-tcti-default.so/>
> > WARNING:esys:src/tss2-
esys/esys_tcti_default.c:137:tcti_from_file()
> Could not
> > load TCTI file: libtss2-tcti-tabrmd.so <http://libtss2-tcti-
tabrmd.so/>
> >
> > In my single threaded process, everything works so smoothly
[root]#
> ./tpm
> > WARNING:esys:src/tss2-
esys/esys_tcti_default.c:137:tcti_from_file()
> Could not
> > load TCTI file: libtss2-tcti-default.so <http://libtss2-tcti-
default.so/>
> > WARNING:esys:src/tss2-
esys/esys_tcti_default.c:137:tcti_from_file()
> Could not
> > load TCTI file: libtss2-tcti-tabrmd.so <http://libtss2-tcti-
tabrmd.so/>
> ESYS
> > Initialization: Pass
> >
> > Read TPM EK Certificate: Pass
> >
> > TPM EK Certificate Root-CA Verification: Pass
> >
> > Clear TPM State: Pass
> >
> > Created EK Primary object: Pass
> > #####Handle 0x418368
> >
> > Create Attestation Key: Pass
> > #####Ak_Handle 0x41836b
> >
> > Original Credential="deadbeefdeadbeefdead"
> >
> > Make Credential: Pass
> > #####Encrypted Credential
> >
>
Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > 45c412864f020a7f1bbcab7a34f0"
> >
> > #####Encrypted
> >
>
Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> >
>
76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> >
>
e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> >
>
077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> >
>
5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> >
>
06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> >
>
fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > e1eb9fcc1759c184972779bfc"
> >
> > Activating Credential: Pass
> > #####Recovered Credential="deadbeefdeadbeefdead"
> >
> > [root]#
> >
> >
> >
> > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar
> <rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > wrote:
> >
> >
> > Thanks guys, I'll try this but i also wanted to know if there
is a
way to
> > know if the TPM still has the EK and AK keys loaded? I have the EK
> handle and AK
> > handle (not made it persistent) but I want to make sure it's
present as
> these are
> > necessary for ActivateCredential to succeed
> > ESys_ActivateCredential complaining about secret parameter
> doesn't
> > make sense to me, I tested on server side, ak_name is same as
that
> sent and so is
> > EK_PUB object as well as EK_Cert in nvram, I call the same
> > external_makecredential call that's in the GitHub to create secret
and
> made sure
> > secret,credblob matches on the client side when received from
server.
> >
> > Thanks,
> > Rahul
> >
> > On Tue, Mar 17, 2020 at 6:19 AM Imran Desai
> <imran.desai(a)intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
> wrote:
> >
> >
> > Set this up with all handles in use made persistent. If
you
still see
> > issues, gdb-break or turn on debug logging at the Esys call and
compare
> the
> > function arguments.
> >
_______________________________________________
> > tpm2 mailing list -- tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > To unsubscribe send an email to tpm2-leave(a)lists.01.org
<mailto:tpm2-leave@lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
> > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> >
>
>
6:15 a.m.
Hi Bill,
I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is using
this right now , i'm changing it to what you mentioned to see if it helps.
[root@nfvis ~]# ls -l /dev/tpm*
crw-rw----. 1 tss root 10, 224 Apr 8 23:19 /dev/tpm0
crw-rw----. 1 tss tss 254, 65536 Apr 8 23:19 /dev/tpmrm0
Thanks,
Rahul
On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
> Sent: Friday, April 10, 2020 1:08 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
>
> Thanks Bill, trying that.
> I did not get debug build tpm2_tss, isn't it all prebuilt ? I will have
to see how to
> do it in poky.
If you're getting it from a package manager, yes. But there's nothing
stopping you
from using source builds. Some distro's will package debug symbols for
their
packages.
>
> On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C <
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> > wrote:
>
>
>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> ]
> > Sent: Thursday, April 9, 2020 2:51 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> >
> > Cc: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
> <mailto:tpm2@lists.01.org>
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Thanks Bill. I use this
> > Esys_Initialize( &ectx, NULL, NULL);
> >
> > so i'm assuming it would take the default
libtss2-tcti-tabrmd.so.0.
>
> This should do it for you:
> TSS2_RC
> Tss2_TctiLdr_Initialize (const char *nameConf,
> TSS2_TCTI_CONTEXT **context);
>
> Set nameConf to the string "tabrmd", that should give you a tcti
pointer
> you can
> pass wot Esys_Initialize()
>
> >
> >
> > If I need to debug Esys_ActivateCredential more, how can I do
it, these
> APIs are
> > no more standalone, I have integrated it in a bigger code base
and
> added the
> > esys-tss2 and other libs in my poky build, so now it runs as
different
> process that
> > invokes this function, I can gdb into the process but I can't
seem to gdb
> into
> > Esys_Activate..( )
>
> Did you build tpm2-tss with debug symbols?
> Add --enable-debug
>
> >
> >
> > Thanks,
> > Rahul
> >
> >
> >
> >
> > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > wrote:
> >
> >
> > > -----Original Message-----
> > > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> ]
> > > Sent: Thursday, April 9, 2020 11:18 AM
> > > To: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> >
> > > Cc: tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > > Subject: [tpm2] Re: ESys_ActivateCredential
> > >
> > > How do I know if RM is being used?
> >
> >
> > If you set the tcti to the device tcti, it will open
/dev/tpm0 by
> default. And
> > that wont
> > Be an RM. You can also give it an option.
Esys_Initialize() takes a tcti
> as an
> > option,
> > NULL will cause it to use the default search behavior of
the
> Tss2_TctiLdr,
> > see:
> >
> > https://github.com/tpm2-software/tpm2-
> > tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> <http://Tss2_TctiLdr_Initialize.3.in>
> > https://github.com/tpm2-software/tpm2-
> > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> <http://Tss2_Tcti_Device_Init.3.in>
> > https://github.com/tpm2-software/tpm2-
> tss/blob/master/man/tss2-
> > tcti-device.7.in <http://tcti-device.7.in>
> >
> > You can use man locally if you prefer as well:
> > man 3 Tss2_TctiLdr_Initialize
> > man 7 tss2-tcti-device
> > man 3 Tss2_Tcti_Device_Init
> >
> > Note that https://github.com/tpm2-software/tpm2-
> > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> <http://Tss2_Tcti_Device_Init.3.in>
> > Has sample code in it.
> >
> > If you're using the tools, it supports explicitly choosing
the TCTI:
> > https://github.com/tpm2-software/tpm2-
> > tools/blob/master/man/common/tcti.md
> >
> > Also note that the /dev/tpmrm0 (Notice the RM) is an
in-kernel
> resource
> > manager.
> >
> >
> > > When I do ESys_Initialize, I see these WARNINGs,
wondering if it's
> okay
> > for multi-
> > > thread
> > > WARNING:esys:src/tss2-
> esys/esys_tcti_default.c:137:tcti_from_file()
> > Could not
> > > load TCTI file: libtss2-tcti-default.so <
http://libtss2-tcti-
> default.so/>
> > libtss2-tcti-
> > > default.so <http://libtss2-tcti-default.so/>
> > > WARNING:esys:src/tss2-
> esys/esys_tcti_default.c:137:tcti_from_file()
> > Could not
> > > load TCTI file: libtss2-tcti-tabrmd.so <
http://libtss2-tcti-
> tabrmd.so/>
> > >
> > > In my single threaded process, everything works so
smoothly
> [root]#
> > ./tpm
> > > WARNING:esys:src/tss2-
> esys/esys_tcti_default.c:137:tcti_from_file()
> > Could not
> > > load TCTI file: libtss2-tcti-default.so <
http://libtss2-tcti-
> default.so/>
> > > WARNING:esys:src/tss2-
> esys/esys_tcti_default.c:137:tcti_from_file()
> > Could not
> > > load TCTI file: libtss2-tcti-tabrmd.so <
http://libtss2-tcti-
> tabrmd.so/>
> > ESYS
> > > Initialization: Pass
> > >
> > > Read TPM EK Certificate: Pass
> > >
> > > TPM EK Certificate Root-CA Verification: Pass
> > >
> > > Clear TPM State: Pass
> > >
> > > Created EK Primary object: Pass
> > > #####Handle 0x418368
> > >
> > > Create Attestation Key: Pass
> > > #####Ak_Handle 0x41836b
> > >
> > > Original Credential="deadbeefdeadbeefdead"
> > >
> > > Make Credential: Pass
> > > #####Encrypted Credential
> > >
> >
> Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > > 45c412864f020a7f1bbcab7a34f0"
> > >
> > > #####Encrypted
> > >
> >
> Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> > >
> >
> 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> > >
> >
> e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> > >
> >
> 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> > >
> >
> 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> > >
> >
> 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> > >
> >
> fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > > e1eb9fcc1759c184972779bfc"
> > >
> > > Activating Credential: Pass
> > > #####Recovered Credential="deadbeefdeadbeefdead"
> > >
> > > [root]#
> > >
> > >
> > >
> > > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar
> > <rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> > >
> > > wrote:
> > >
> > >
> > > Thanks guys, I'll try this but i also wanted to
know if there is a
> way to
> > > know if the TPM still has the EK and AK keys loaded? I
have the EK
> > handle and AK
> > > handle (not made it persistent) but I want to make sure
it's
> present as
> > these are
> > > necessary for ActivateCredential to succeed
> > > ESys_ActivateCredential complaining about secret
parameter
> > doesn't
> > > make sense to me, I tested on server side, ak_name is
same as
> that
> > sent and so is
> > > EK_PUB object as well as EK_Cert in nvram, I call the
same
> > > external_makecredential call that's in the GitHub to
create secret
> and
> > made sure
> > > secret,credblob matches on the client side when received
from
> server.
> > >
> > > Thanks,
> > > Rahul
> > >
> > > On Tue, Mar 17, 2020 at 6:19 AM Imran Desai
> > <imran.desai(a)intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > > <mailto:imran.desai@intel.com <mailto:
imran.desai(a)intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
>
> > wrote:
> > >
> > >
> > > Set this up with all handles in use made
persistent. If you
> still see
> > > issues, gdb-break or turn on debug logging at the Esys
call and
> compare
> > the
> > > function arguments.
> > >
> _______________________________________________
> > > tpm2 mailing list -- tpm2(a)lists.01.org
> <mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > To unsubscribe send an email to
tpm2-leave(a)lists.01.org
> <mailto:tpm2-leave@lists.01.org>
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
>
> > > <mailto:tpm2-leave@lists.01.org <mailto:
tpm2-leave(a)lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
> > >
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> > >
> >
> >
>
>
11:20 p.m.
-----Original Message-----
From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
Sent: Friday, April 10, 2020 4:15 PM
To: Roberts, William C <william.c.roberts(a)intel.com>
Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
Subject: Re: [tpm2] Re: ESys_ActivateCredential
Hi Bill,
I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is using this
right now , i'm changing it to what you mentioned to see if it helps.
[root@nfvis ~]# ls -l /dev/tpm*
crw-rw----. 1 tss root 10, 224 Apr 8 23:19 /dev/tpm0
crw-rw----. 1 tss tss 254, 65536 Apr 8 23:19 /dev/tpmrm0 Thanks, Rahul
In theory, yes. In practice no.
/dev/tpmrm0 is the in kernel resource manager
tpm2-abrmd is the userspace resource manager
tpm2-abrmd has a few features tpmrm0 doesn't have, but unless you're
using policy sessions with tpm2-tools, you shouldn't notice a difference.
On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> > wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> ]
> Sent: Friday, April 10, 2020 1:08 PM
> To: Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> >
> Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
>
> Thanks Bill, trying that.
> I did not get debug build tpm2_tss, isn't it all prebuilt ? I will have to
see
how to
> do it in poky.
If you're getting it from a package manager, yes. But there's nothing
stopping you
from using source builds. Some distro's will package debug symbols for
their
packages.
>
> On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C
<william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > wrote:
>
>
>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
]
> > Sent: Thursday, April 9, 2020 2:51 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >;
tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Thanks Bill. I use this
> > Esys_Initialize( &ectx, NULL, NULL);
> >
> > so i'm assuming it would take the default
libtss2-tcti-tabrmd.so.0.
>
> This should do it for you:
> TSS2_RC
> Tss2_TctiLdr_Initialize (const char *nameConf,
> TSS2_TCTI_CONTEXT **context);
>
> Set nameConf to the string "tabrmd", that should give you a tcti
pointer
> you can
> pass wot Esys_Initialize()
>
> >
> >
> > If I need to debug Esys_ActivateCredential more, how can I do it,
these
> APIs are
> > no more standalone, I have integrated it in a bigger code base and
> added the
> > esys-tss2 and other libs in my poky build, so now it runs as
different
> process that
> > invokes this function, I can gdb into the process but I can't seem
to
gdb
> into
> > Esys_Activate..( )
>
> Did you build tpm2-tss with debug symbols?
> Add --enable-debug
>
> >
> >
> > Thanks,
> > Rahul
> >
> >
> >
> >
> > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
<mailto:william.c.roberts@intel.com <mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > wrote:
> >
> >
> > > -----Original Message-----
> > > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> ]
> > > Sent: Thursday, April 9, 2020 11:18 AM
> > > To: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
> > > Cc: tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > Subject: [tpm2] Re: ESys_ActivateCredential
> > >
> > > How do I know if RM is being used?
> >
> >
> > If you set the tcti to the device tcti, it will open /dev/tpm0
by
> default. And
> > that wont
> > Be an RM. You can also give it an option. Esys_Initialize() takes
a
tcti
> as an
> > option,
> > NULL will cause it to use the default search behavior of the
> Tss2_TctiLdr,
> > see:
> >
> > https://github.com/tpm2-software/tpm2-
> > tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
<http://Tss2_TctiLdr_Initialize.3.in>
> <http://Tss2_TctiLdr_Initialize.3.in>
> > https://github.com/tpm2-software/tpm2-
> > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> <http://Tss2_Tcti_Device_Init.3.in>
> > https://github.com/tpm2-software/tpm2-
> tss/blob/master/man/tss2-
> > tcti-device.7.in <http://tcti-device.7.in>
<http://tcti-device.7.in>
> >
> > You can use man locally if you prefer as well:
> > man 3 Tss2_TctiLdr_Initialize
> > man 7 tss2-tcti-device
> > man 3 Tss2_Tcti_Device_Init
> >
> > Note that https://github.com/tpm2-software/tpm2-
> > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> <http://Tss2_Tcti_Device_Init.3.in>
> > Has sample code in it.
> >
> > If you're using the tools, it supports explicitly choosing the
TCTI:
> > https://github.com/tpm2-software/tpm2-
> > tools/blob/master/man/common/tcti.md
> >
> > Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel
> resource
> > manager.
> >
> >
> > > When I do ESys_Initialize, I see these WARNINGs, wondering
if it's
> okay
> > for multi-
> > > thread
> > > WARNING:esys:src/tss2-
> esys/esys_tcti_default.c:137:tcti_from_file()
> > Could not
> > > load TCTI file: libtss2-tcti-default.so
<http://libtss2-tcti-
> default.so/ <http://default.so/> >
> > libtss2-tcti-
> > > default.so <http://libtss2-tcti-default.so/>
> > > WARNING:esys:src/tss2-
> esys/esys_tcti_default.c:137:tcti_from_file()
> > Could not
> > > load TCTI file: libtss2-tcti-tabrmd.so
<http://libtss2-tcti-
> tabrmd.so/ <http://tabrmd.so/> >
> > >
> > > In my single threaded process, everything works so smoothly
> [root]#
> > ./tpm
> > > WARNING:esys:src/tss2-
> esys/esys_tcti_default.c:137:tcti_from_file()
> > Could not
> > > load TCTI file: libtss2-tcti-default.so
<http://libtss2-tcti-
> default.so/ <http://default.so/> >
> > > WARNING:esys:src/tss2-
> esys/esys_tcti_default.c:137:tcti_from_file()
> > Could not
> > > load TCTI file: libtss2-tcti-tabrmd.so
<http://libtss2-tcti-
> tabrmd.so/ <http://tabrmd.so/> >
> > ESYS
> > > Initialization: Pass
> > >
> > > Read TPM EK Certificate: Pass
> > >
> > > TPM EK Certificate Root-CA Verification: Pass
> > >
> > > Clear TPM State: Pass
> > >
> > > Created EK Primary object: Pass
> > > #####Handle 0x418368
> > >
> > > Create Attestation Key: Pass
> > > #####Ak_Handle 0x41836b
> > >
> > > Original Credential="deadbeefdeadbeefdead"
> > >
> > > Make Credential: Pass
> > > #####Encrypted Credential
> > >
> >
>
Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > > 45c412864f020a7f1bbcab7a34f0"
> > >
> > > #####Encrypted
> > >
> >
>
Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> > >
> >
>
76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> > >
> >
>
e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> > >
> >
>
077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> > >
> >
>
5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> > >
> >
>
06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> > >
> >
>
fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > > e1eb9fcc1759c184972779bfc"
> > >
> > > Activating Credential: Pass
> > > #####Recovered Credential="deadbeefdeadbeefdead"
> > >
> > > [root]#
> > >
> > >
> > >
> > > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar
> > <rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> > >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> >
> > > wrote:
> > >
> > >
> > > Thanks guys, I'll try this but i also wanted to
know if there
is a
> way to
> > > know if the TPM still has the EK and AK keys loaded? I have
the EK
> > handle and AK
> > > handle (not made it persistent) but I want to make sure
it's
> present as
> > these are
> > > necessary for ActivateCredential to succeed
> > > ESys_ActivateCredential complaining about secret
parameter
> > doesn't
> > > make sense to me, I tested on server side, ak_name is same
as
> that
> > sent and so is
> > > EK_PUB object as well as EK_Cert in nvram, I call the same
> > > external_makecredential call that's in the GitHub to
create
secret
> and
> > made sure
> > > secret,credblob matches on the client side when received
from
> server.
> > >
> > > Thanks,
> > > Rahul
> > >
> > > On Tue, Mar 17, 2020 at 6:19 AM Imran Desai
> > <imran.desai(a)intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
>
> > wrote:
> > >
> > >
> > > Set this up with all handles in use made
persistent. If
you
> still see
> > > issues, gdb-break or turn on debug logging at the Esys call
and
> compare
> > the
> > > function arguments.
> > >
> _______________________________________________
> > > tpm2 mailing list -- tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > To unsubscribe send an email to tpm2-
leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
> > > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> >
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
>
> > >
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> > >
> >
> >
>
>
4:31 a.m.
Ok, got it. I'm using ESAPI C APIs. But its pretty much the same as the
tpm2 tools implementation.
How do i add debugs in my poky directory? I have tpm2.0-tss_2.1.4.bb file.
Also, how to add compile-time log flags to my src file that uses ESAPI
calls? Running separately was easy, I just called
TSS2_LOG="all+ERROR,tcti+DEBUG"
On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
> Sent: Friday, April 10, 2020 4:15 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
>
> Hi Bill,
> I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is
using this
> right now , i'm changing it to what you mentioned to see if it helps.
> [root@nfvis ~]# ls -l /dev/tpm*
> crw-rw----. 1 tss root 10, 224 Apr 8 23:19 /dev/tpm0
> crw-rw----. 1 tss tss 254, 65536 Apr 8 23:19 /dev/tpmrm0 Thanks, Rahul
In theory, yes. In practice no.
/dev/tpmrm0 is the in kernel resource manager
tpm2-abrmd is the userspace resource manager
tpm2-abrmd has a few features tpmrm0 doesn't have, but unless you're
using policy sessions with tpm2-tools, you shouldn't notice a difference.
>
> On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> > wrote:
>
>
>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> ]
> > Sent: Friday, April 10, 2020 1:08 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> >
> > Cc: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
> <mailto:tpm2@lists.01.org>
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Thanks Bill, trying that.
> > I did not get debug build tpm2_tss, isn't it all prebuilt ? I
will have to see
> how to
> > do it in poky.
>
> If you're getting it from a package manager, yes. But there's
nothing
> stopping you
> from using source builds. Some distro's will package debug symbols
for
> their
> packages.
>
> >
> > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > wrote:
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> ]
> > > Sent: Thursday, April 9, 2020 2:51 PM
> > > To: Roberts, William C <william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > >
> > > Cc: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
>;
> tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> > >
> > > Thanks Bill. I use this
> > > Esys_Initialize( &ectx, NULL, NULL);
> > >
> > > so i'm assuming it would take the default
libtss2-tcti-tabrmd.so.0.
> >
> > This should do it for you:
> > TSS2_RC
> > Tss2_TctiLdr_Initialize (const char *nameConf,
> > TSS2_TCTI_CONTEXT **context);
> >
> > Set nameConf to the string "tabrmd", that should give
you
a tcti
> pointer
> > you can
> > pass wot Esys_Initialize()
> >
> > >
> > >
> > > If I need to debug Esys_ActivateCredential more, how can
I do it,
> these
> > APIs are
> > > no more standalone, I have integrated it in a bigger
code base and
> > added the
> > > esys-tss2 and other libs in my poky build, so now it
runs as
> different
> > process that
> > > invokes this function, I can gdb into the process but I
can't seem to
> gdb
> > into
> > > Esys_Activate..( )
> >
> > Did you build tpm2-tss with debug symbols?
> > Add --enable-debug
> >
> > >
> > >
> > > Thanks,
> > > Rahul
> > >
> > >
> > >
> > >
> > > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C
> > <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com
>
> <mailto:william.c.roberts@intel.com <mailto:william.c.roberts@intel.com>
>
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > > wrote:
> > >
> > >
> > > > -----Original Message-----
> > > > From: Rahul Hardikar [mailto:
rahulhardikar(a)gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> > >
> > ]
> > > > Sent: Thursday, April 9, 2020 11:18 AM
> > > > To: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> > > <mailto:imran.desai@intel.com <mailto:
imran.desai(a)intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
>
> > > > Cc: tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > > Subject: [tpm2] Re: ESys_ActivateCredential
> > > >
> > > > How do I know if RM is being used?
> > >
> > >
> > > If you set the tcti to the device tcti, it will
open /dev/tpm0 by
> > default. And
> > > that wont
> > > Be an RM. You can also give it an option.
Esys_Initialize() takes a
> tcti
> > as an
> > > option,
> > > NULL will cause it to use the default search
behavior of the
> > Tss2_TctiLdr,
> > > see:
> > >
> > > https://github.com/tpm2-software/tpm2-
> > > tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> <http://Tss2_TctiLdr_Initialize.3.in>
> > <http://Tss2_TctiLdr_Initialize.3.in>
> > > https://github.com/tpm2-software/tpm2-
> > > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > https://github.com/tpm2-software/tpm2-
> > tss/blob/master/man/tss2-
> > > tcti-device.7.in <http://tcti-device.7.in> <
http://tcti-device.7.in>
> > >
> > > You can use man locally if you prefer as well:
> > > man 3 Tss2_TctiLdr_Initialize
> > > man 7 tss2-tcti-device
> > > man 3 Tss2_Tcti_Device_Init
> > >
> > > Note that https://github.com/tpm2-software/tpm2-
> > > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > Has sample code in it.
> > >
> > > If you're using the tools, it supports explicitly
choosing the TCTI:
> > > https://github.com/tpm2-software/tpm2-
> > > tools/blob/master/man/common/tcti.md
> > >
> > > Also note that the /dev/tpmrm0 (Notice the RM) is
an in-kernel
> > resource
> > > manager.
> > >
> > >
> > > > When I do ESys_Initialize, I see these WARNINGs,
wondering
> if it's
> > okay
> > > for multi-
> > > > thread
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-default.so <
http://libtss2-tcti-
> > default.so/ <http://default.so/> >
> > > libtss2-tcti-
> > > > default.so <http://libtss2-tcti-default.so/>
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-tabrmd.so <
http://libtss2-tcti-
> > tabrmd.so/ <http://tabrmd.so/> >
> > > >
> > > > In my single threaded process, everything works
so smoothly
> > [root]#
> > > ./tpm
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-default.so <
http://libtss2-tcti-
> > default.so/ <http://default.so/> >
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-tabrmd.so <
http://libtss2-tcti-
> > tabrmd.so/ <http://tabrmd.so/> >
> > > ESYS
> > > > Initialization: Pass
> > > >
> > > > Read TPM EK Certificate: Pass
> > > >
> > > > TPM EK Certificate Root-CA Verification: Pass
> > > >
> > > > Clear TPM State: Pass
> > > >
> > > > Created EK Primary object: Pass
> > > > #####Handle 0x418368
> > > >
> > > > Create Attestation Key: Pass
> > > > #####Ak_Handle 0x41836b
> > > >
> > > > Original
Credential="deadbeefdeadbeefdead"
> > > >
> > > > Make Credential: Pass
> > > > #####Encrypted Credential
> > > >
> > >
> >
> Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > > > 45c412864f020a7f1bbcab7a34f0"
> > > >
> > > > #####Encrypted
> > > >
> > >
> >
> Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> > > >
> > >
> >
> 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> > > >
> > >
> >
> e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> > > >
> > >
> >
> 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> > > >
> > >
> >
> 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> > > >
> > >
> >
> 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> > > >
> > >
> >
> fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > > > e1eb9fcc1759c184972779bfc"
> > > >
> > > > Activating Credential: Pass
> > > > #####Recovered
Credential="deadbeefdeadbeefdead"
> > > >
> > > > [root]#
> > > >
> > > >
> > > >
> > > > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar
> > > <rahulhardikar(a)gmail.com
<mailto:rahulhardikar@gmail.com
>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> > >
> > > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > >
> > > > wrote:
> > > >
> > > >
> > > > Thanks guys, I'll try this but i also
wanted to know if there
> is a
> > way to
> > > > know if the TPM still has the EK and AK keys
loaded? I have
> the EK
> > > handle and AK
> > > > handle (not made it persistent) but I want to
make sure it's
> > present as
> > > these are
> > > > necessary for ActivateCredential to succeed
> > > > ESys_ActivateCredential complaining about
secret
> parameter
> > > doesn't
> > > > make sense to me, I tested on server side,
ak_name is same
> as
> > that
> > > sent and so is
> > > > EK_PUB object as well as EK_Cert in nvram, I
call the same
> > > > external_makecredential call that's in the
GitHub to create
> secret
> > and
> > > made sure
> > > > secret,credblob matches on the client side when
received
> from
> > server.
> > > >
> > > > Thanks,
> > > > Rahul
> > > >
> > > > On Tue, Mar 17, 2020 at 6:19 AM Imran Desai
> > > <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
>
> > > wrote:
> > > >
> > > >
> > > > Set this up with all handles in
use made persistent. If
> you
> > still see
> > > > issues, gdb-break or turn on debug logging at
the Esys call and
> > compare
> > > the
> > > > function arguments.
> > > >
> > _______________________________________________
> > > > tpm2 mailing list --
tpm2(a)lists.01.org
> <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > > To unsubscribe send an email to
tpm2-
> leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org>
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
>
> > > <mailto:tpm2-leave@lists.01.org <mailto:
tpm2-leave(a)lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
> > > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
> leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
> leave(a)lists.01.org> >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
>
> > > >
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> > > >
> > >
> > >
> >
> >
>
>
8:38 a.m.
Looks like the version I have is old, the file tss2_tctildr.h does not exist
On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:
Ok, got it. I'm using ESAPI C APIs. But its pretty much the same
as the
tpm2 tools implementation.
How do i add debugs in my poky directory? I have tpm2.0-tss_2.1.4.bb
file.
Also, how to add compile-time log flags to my src file that uses ESAPI
calls? Running separately was easy, I just called
TSS2_LOG="all+ERROR,tcti+DEBUG"
On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
> > Sent: Friday, April 10, 2020 4:15 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com>
> > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Hi Bill,
> > I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is
> using this
> > right now , i'm changing it to what you mentioned to see if it helps.
> > [root@nfvis ~]# ls -l /dev/tpm*
> > crw-rw----. 1 tss root 10, 224 Apr 8 23:19 /dev/tpm0
> > crw-rw----. 1 tss tss 254, 65536 Apr 8 23:19 /dev/tpmrm0 Thanks, Rahul
>
> In theory, yes. In practice no.
> /dev/tpmrm0 is the in kernel resource manager
> tpm2-abrmd is the userspace resource manager
>
> tpm2-abrmd has a few features tpmrm0 doesn't have, but unless you're
> using policy sessions with tpm2-tools, you shouldn't notice a difference.
>
> >
> > On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <
> william.c.roberts(a)intel.com
> > <mailto:william.c.roberts@intel.com> > wrote:
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
> > <mailto:rahulhardikar@gmail.com> ]
> > > Sent: Friday, April 10, 2020 1:08 PM
> > > To: Roberts, William C <william.c.roberts(a)intel.com
> > <mailto:william.c.roberts@intel.com> >
> > > Cc: Desai, Imran <imran.desai(a)intel.com
> > <mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
> > <mailto:tpm2@lists.01.org>
> > > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> > >
> > > Thanks Bill, trying that.
> > > I did not get debug build tpm2_tss, isn't it all prebuilt ? I
> will have to see
> > how to
> > > do it in poky.
> >
> > If you're getting it from a package manager, yes. But there's
> nothing
> > stopping you
> > from using source builds. Some distro's will package debug
> symbols for
> > their
> > packages.
> >
> > >
> > > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C
> > <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> > > <mailto:william.c.roberts@intel.com
> > <mailto:william.c.roberts@intel.com> > > wrote:
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
> > <mailto:rahulhardikar@gmail.com>
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> >
> > ]
> > > > Sent: Thursday, April 9, 2020 2:51 PM
> > > > To: Roberts, William C <william.c.roberts(a)intel.com
> > <mailto:william.c.roberts@intel.com>
> > > <mailto:william.c.roberts@intel.com
> > <mailto:william.c.roberts@intel.com> > >
> > > > Cc: Desai, Imran <imran.desai(a)intel.com
> > <mailto:imran.desai@intel.com>
> > > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> >;
> > tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> > > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > > > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> > > >
> > > > Thanks Bill. I use this
> > > > Esys_Initialize( &ectx, NULL, NULL);
> > > >
> > > > so i'm assuming it would take the default
> libtss2-tcti-tabrmd.so.0.
> > >
> > > This should do it for you:
> > > TSS2_RC
> > > Tss2_TctiLdr_Initialize (const char *nameConf,
> > > TSS2_TCTI_CONTEXT **context);
> > >
> > > Set nameConf to the string "tabrmd", that should give
you
> a tcti
> > pointer
> > > you can
> > > pass wot Esys_Initialize()
> > >
> > > >
> > > >
> > > > If I need to debug Esys_ActivateCredential more, how
> can I do it,
> > these
> > > APIs are
> > > > no more standalone, I have integrated it in a bigger
> code base and
> > > added the
> > > > esys-tss2 and other libs in my poky build, so now it
> runs as
> > different
> > > process that
> > > > invokes this function, I can gdb into the process but I
> can't seem to
> > gdb
> > > into
> > > > Esys_Activate..( )
> > >
> > > Did you build tpm2-tss with debug symbols?
> > > Add --enable-debug
> > >
> > > >
> > > >
> > > > Thanks,
> > > > Rahul
> > > >
> > > >
> > > >
> > > >
> > > > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C
> > > <william.c.roberts(a)intel.com <mailto:
> william.c.roberts(a)intel.com>
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> >
> > > > <mailto:william.c.roberts@intel.com
> > <mailto:william.c.roberts@intel.com>
> > > <mailto:william.c.roberts@intel.com
> > <mailto:william.c.roberts@intel.com> > > > wrote:
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Rahul Hardikar [mailto:
> rahulhardikar(a)gmail.com
> > <mailto:rahulhardikar@gmail.com>
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> >
> > > > <mailto:rahulhardikar@gmail.com
> > <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> > <mailto:rahulhardikar@gmail.com> > >
> > > ]
> > > > > Sent: Thursday, April 9, 2020 11:18 AM
> > > > > To: Desai, Imran <imran.desai(a)intel.com
> > <mailto:imran.desai@intel.com>
> > > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> > > > <mailto:imran.desai@intel.com <mailto:
> imran.desai(a)intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
>
> > > > > Cc: tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org
> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > > > Subject: [tpm2] Re: ESys_ActivateCredential
> > > > >
> > > > > How do I know if RM is being used?
> > > >
> > > >
> > > > If you set the tcti to the device tcti, it will
> open /dev/tpm0 by
> > > default. And
> > > > that wont
> > > > Be an RM. You can also give it an option.
> Esys_Initialize() takes a
> > tcti
> > > as an
> > > > option,
> > > > NULL will cause it to use the default search
> behavior of the
> > > Tss2_TctiLdr,
> > > > see:
> > > >
> > > > https://github.com/tpm2-software/tpm2-
> > > > tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> > <http://Tss2_TctiLdr_Initialize.3.in>
> > > <http://Tss2_TctiLdr_Initialize.3.in>
> > > > https://github.com/tpm2-software/tpm2-
> > > > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > <http://Tss2_Tcti_Device_Init.3.in>
> > > > https://github.com/tpm2-software/tpm2-
> > > tss/blob/master/man/tss2-
> > > > tcti-device.7.in <http://tcti-device.7.in> <
> http://tcti-device.7.in>
> > > >
> > > > You can use man locally if you prefer as well:
> > > > man 3 Tss2_TctiLdr_Initialize
> > > > man 7 tss2-tcti-device
> > > > man 3 Tss2_Tcti_Device_Init
> > > >
> > > > Note that https://github.com/tpm2-software/tpm2-
> > > > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > <http://Tss2_Tcti_Device_Init.3.in>
> > > > Has sample code in it.
> > > >
> > > > If you're using the tools, it supports
explicitly
> choosing the TCTI:
> > > > https://github.com/tpm2-software/tpm2-
> > > > tools/blob/master/man/common/tcti.md
> > > >
> > > > Also note that the /dev/tpmrm0 (Notice the RM) is
> an in-kernel
> > > resource
> > > > manager.
> > > >
> > > >
> > > > > When I do ESys_Initialize, I see these
> WARNINGs, wondering
> > if it's
> > > okay
> > > > for multi-
> > > > > thread
> > > > > WARNING:esys:src/tss2-
> > > esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file: libtss2-tcti-default.so <
> http://libtss2-tcti-
> > > default.so/ <http://default.so/> >
> > > > libtss2-tcti-
> > > > > default.so
<http://libtss2-tcti-default.so/>
> > > > > WARNING:esys:src/tss2-
> > > esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file: libtss2-tcti-tabrmd.so <
> http://libtss2-tcti-
> > > tabrmd.so/ <http://tabrmd.so/> >
> > > > >
> > > > > In my single threaded process, everything
works
> so smoothly
> > > [root]#
> > > > ./tpm
> > > > > WARNING:esys:src/tss2-
> > > esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file: libtss2-tcti-default.so <
> http://libtss2-tcti-
> > > default.so/ <http://default.so/> >
> > > > > WARNING:esys:src/tss2-
> > > esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file: libtss2-tcti-tabrmd.so <
> http://libtss2-tcti-
> > > tabrmd.so/ <http://tabrmd.so/> >
> > > > ESYS
> > > > > Initialization: Pass
> > > > >
> > > > > Read TPM EK Certificate: Pass
> > > > >
> > > > > TPM EK Certificate Root-CA Verification: Pass
> > > > >
> > > > > Clear TPM State: Pass
> > > > >
> > > > > Created EK Primary object: Pass
> > > > > #####Handle 0x418368
> > > > >
> > > > > Create Attestation Key: Pass
> > > > > #####Ak_Handle 0x41836b
> > > > >
> > > > > Original
Credential="deadbeefdeadbeefdead"
> > > > >
> > > > > Make Credential: Pass
> > > > > #####Encrypted Credential
> > > > >
> > > >
> > >
> > Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > > > > 45c412864f020a7f1bbcab7a34f0"
> > > > >
> > > > > #####Encrypted
> > > > >
> > > >
> > >
> > Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> > > > >
> > > >
> > >
> > 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> > > > >
> > > >
> > >
> > e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> > > > >
> > > >
> > >
> > 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> > > > >
> > > >
> > >
> > 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> > > > >
> > > >
> > >
> > 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> > > > >
> > > >
> > >
> > fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > > > > e1eb9fcc1759c184972779bfc"
> > > > >
> > > > > Activating Credential: Pass
> > > > > #####Recovered
Credential="deadbeefdeadbeefdead"
> > > > >
> > > > > [root]#
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar
> > > > <rahulhardikar(a)gmail.com <mailto:
> rahulhardikar(a)gmail.com>
> > <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com
> >
> > <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
>
> > > > > <mailto:rahulhardikar@gmail.com
> > <mailto:rahulhardikar@gmail.com>
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> >
> > <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> >
> > > >
> > > > > wrote:
> > > > >
> > > > >
> > > > > Thanks guys, I'll try this but i
also
> wanted to know if there
> > is a
> > > way to
> > > > > know if the TPM still has the EK and AK keys
> loaded? I have
> > the EK
> > > > handle and AK
> > > > > handle (not made it persistent) but I want to
> make sure it's
> > > present as
> > > > these are
> > > > > necessary for ActivateCredential to succeed
> > > > > ESys_ActivateCredential complaining
about
> secret
> > parameter
> > > > doesn't
> > > > > make sense to me, I tested on server side,
> ak_name is same
> > as
> > > that
> > > > sent and so is
> > > > > EK_PUB object as well as EK_Cert in nvram, I
> call the same
> > > > > external_makecredential call that's in the
> GitHub to create
> > secret
> > > and
> > > > made sure
> > > > > secret,credblob matches on the client side
when
> received
> > from
> > > server.
> > > > >
> > > > > Thanks,
> > > > > Rahul
> > > > >
> > > > > On Tue, Mar 17, 2020 at 6:19 AM Imran
> Desai
> > > > <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > > > > <mailto:imran.desai@intel.com
> > <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> > <mailto:imran.desai@intel.com> >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> >
> > > > wrote:
> > > > >
> > > > >
> > > > > Set this up with all handles in
> use made persistent. If
> > you
> > > still see
> > > > > issues, gdb-break or turn on debug logging at
> the Esys call and
> > > compare
> > > > the
> > > > > function arguments.
> > > > >
> > > _______________________________________________
> > > > > tpm2 mailing list --
> tpm2(a)lists.01.org
> > <mailto:tpm2@lists.01.org>
> > > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> > > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
>
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > > > To unsubscribe send an email to
> tpm2-
> > leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org>
> > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
> >
> > > > <mailto:tpm2-leave@lists.01.org <mailto:
> tpm2-leave(a)lists.01.org>
> > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
>
> > > > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
> > leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
> > leave(a)lists.01.org> >
> > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org
> >
> > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> >
> > > > >
> > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
8:54 a.m.
What is the latest stable release for tpm2_tss ?
Thanks,
Rahul
On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:
Looks like the version I have is old, the file tss2_tctildr.h does
not
exist
On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar <rahulhardikar(a)gmail.com>
wrote:
> Ok, got it. I'm using ESAPI C APIs. But its pretty much the same as the
> tpm2 tools implementation.
> How do i add debugs in my poky directory? I have tpm2.0-tss_2.1.4.bb
> file.
> Also, how to add compile-time log flags to my src file that uses ESAPI
> calls? Running separately was easy, I just called
> TSS2_LOG="all+ERROR,tcti+DEBUG"
>
> On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <
> william.c.roberts(a)intel.com> wrote:
>
>> > -----Original Message-----
>> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
>> > Sent: Friday, April 10, 2020 4:15 PM
>> > To: Roberts, William C <william.c.roberts(a)intel.com>
>> > Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
>> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
>> >
>> > Hi Bill,
>> > I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is
>> using this
>> > right now , i'm changing it to what you mentioned to see if it helps.
>> > [root@nfvis ~]# ls -l /dev/tpm*
>> > crw-rw----. 1 tss root 10, 224 Apr 8 23:19 /dev/tpm0
>> > crw-rw----. 1 tss tss 254, 65536 Apr 8 23:19 /dev/tpmrm0 Thanks,
>> Rahul
>>
>> In theory, yes. In practice no.
>> /dev/tpmrm0 is the in kernel resource manager
>> tpm2-abrmd is the userspace resource manager
>>
>> tpm2-abrmd has a few features tpmrm0 doesn't have, but unless you're
>> using policy sessions with tpm2-tools, you shouldn't notice a difference.
>>
>> >
>> > On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C <
>> william.c.roberts(a)intel.com
>> > <mailto:william.c.roberts@intel.com> > wrote:
>> >
>> >
>> >
>> >
>> > > -----Original Message-----
>> > > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
>> > <mailto:rahulhardikar@gmail.com> ]
>> > > Sent: Friday, April 10, 2020 1:08 PM
>> > > To: Roberts, William C <william.c.roberts(a)intel.com
>> > <mailto:william.c.roberts@intel.com> >
>> > > Cc: Desai, Imran <imran.desai(a)intel.com
>> > <mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
>> > <mailto:tpm2@lists.01.org>
>> > > Subject: Re: [tpm2] Re: ESys_ActivateCredential
>> > >
>> > > Thanks Bill, trying that.
>> > > I did not get debug build tpm2_tss, isn't it all prebuilt ?
I
>> will have to see
>> > how to
>> > > do it in poky.
>> >
>> > If you're getting it from a package manager, yes. But there's
>> nothing
>> > stopping you
>> > from using source builds. Some distro's will package debug
>> symbols for
>> > their
>> > packages.
>> >
>> > >
>> > > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C
>> > <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
>> > > <mailto:william.c.roberts@intel.com
>> > <mailto:william.c.roberts@intel.com> > > wrote:
>> > >
>> > >
>> > >
>> > >
>> > > > -----Original Message-----
>> > > > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
>> > <mailto:rahulhardikar@gmail.com>
>> > > <mailto:rahulhardikar@gmail.com <mailto:
>> rahulhardikar(a)gmail.com> >
>> > ]
>> > > > Sent: Thursday, April 9, 2020 2:51 PM
>> > > > To: Roberts, William C
<william.c.roberts(a)intel.com
>> > <mailto:william.c.roberts@intel.com>
>> > > <mailto:william.c.roberts@intel.com
>> > <mailto:william.c.roberts@intel.com> > >
>> > > > Cc: Desai, Imran <imran.desai(a)intel.com
>> > <mailto:imran.desai@intel.com>
>> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
>> > >;
>> > tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
>> > > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
>
>> > > > Subject: Re: [tpm2] Re: ESys_ActivateCredential
>> > > >
>> > > > Thanks Bill. I use this
>> > > > Esys_Initialize( &ectx, NULL, NULL);
>> > > >
>> > > > so i'm assuming it would take the default
>> libtss2-tcti-tabrmd.so.0.
>> > >
>> > > This should do it for you:
>> > > TSS2_RC
>> > > Tss2_TctiLdr_Initialize (const char *nameConf,
>> > > TSS2_TCTI_CONTEXT **context);
>> > >
>> > > Set nameConf to the string "tabrmd", that should
give
>> you a tcti
>> > pointer
>> > > you can
>> > > pass wot Esys_Initialize()
>> > >
>> > > >
>> > > >
>> > > > If I need to debug Esys_ActivateCredential more, how
>> can I do it,
>> > these
>> > > APIs are
>> > > > no more standalone, I have integrated it in a bigger
>> code base and
>> > > added the
>> > > > esys-tss2 and other libs in my poky build, so now it
>> runs as
>> > different
>> > > process that
>> > > > invokes this function, I can gdb into the process but
>> I can't seem to
>> > gdb
>> > > into
>> > > > Esys_Activate..( )
>> > >
>> > > Did you build tpm2-tss with debug symbols?
>> > > Add --enable-debug
>> > >
>> > > >
>> > > >
>> > > > Thanks,
>> > > > Rahul
>> > > >
>> > > >
>> > > >
>> > > >
>> > > > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C
>> > > <william.c.roberts(a)intel.com <mailto:
>> william.c.roberts(a)intel.com>
>> > <mailto:william.c.roberts@intel.com <mailto:
>> william.c.roberts(a)intel.com> >
>> > > > <mailto:william.c.roberts@intel.com
>> > <mailto:william.c.roberts@intel.com>
>> > > <mailto:william.c.roberts@intel.com
>> > <mailto:william.c.roberts@intel.com> > > > wrote:
>> > > >
>> > > >
>> > > > > -----Original Message-----
>> > > > > From: Rahul Hardikar [mailto:
>> rahulhardikar(a)gmail.com
>> > <mailto:rahulhardikar@gmail.com>
>> > > <mailto:rahulhardikar@gmail.com <mailto:
>> rahulhardikar(a)gmail.com> >
>> > > > <mailto:rahulhardikar@gmail.com
>> > <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
>> > <mailto:rahulhardikar@gmail.com> > >
>> > > ]
>> > > > > Sent: Thursday, April 9, 2020 11:18 AM
>> > > > > To: Desai, Imran <imran.desai(a)intel.com
>> > <mailto:imran.desai@intel.com>
>> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> >
>> > > > <mailto:imran.desai@intel.com <mailto:
>> imran.desai(a)intel.com>
>> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> >
>> > > > > Cc: tpm2(a)lists.01.org <mailto:
>> tpm2(a)lists.01.org>
>> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
>> > > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
>> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
>> > > > > Subject: [tpm2] Re:
ESys_ActivateCredential
>> > > > >
>> > > > > How do I know if RM is being used?
>> > > >
>> > > >
>> > > > If you set the tcti to the device tcti, it will
>> open /dev/tpm0 by
>> > > default. And
>> > > > that wont
>> > > > Be an RM. You can also give it an option.
>> Esys_Initialize() takes a
>> > tcti
>> > > as an
>> > > > option,
>> > > > NULL will cause it to use the default search
>> behavior of the
>> > > Tss2_TctiLdr,
>> > > > see:
>> > > >
>> > > > https://github.com/tpm2-software/tpm2-
>> > > > tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
>> > <http://Tss2_TctiLdr_Initialize.3.in>
>> > > <http://Tss2_TctiLdr_Initialize.3.in>
>> > > > https://github.com/tpm2-software/tpm2-
>> > > > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
>> > <http://Tss2_Tcti_Device_Init.3.in>
>> > > <http://Tss2_Tcti_Device_Init.3.in>
>> > > > https://github.com/tpm2-software/tpm2-
>> > > tss/blob/master/man/tss2-
>> > > > tcti-device.7.in <http://tcti-device.7.in>
<
>> http://tcti-device.7.in>
>> > > >
>> > > > You can use man locally if you prefer as well:
>> > > > man 3 Tss2_TctiLdr_Initialize
>> > > > man 7 tss2-tcti-device
>> > > > man 3 Tss2_Tcti_Device_Init
>> > > >
>> > > > Note that
https://github.com/tpm2-software/tpm2-
>> > > > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
>> > <http://Tss2_Tcti_Device_Init.3.in>
>> > > <http://Tss2_Tcti_Device_Init.3.in>
>> > > > Has sample code in it.
>> > > >
>> > > > If you're using the tools, it supports
>> explicitly choosing the TCTI:
>> > > > https://github.com/tpm2-software/tpm2-
>> > > > tools/blob/master/man/common/tcti.md
>> > > >
>> > > > Also note that the /dev/tpmrm0 (Notice the RM)
>> is an in-kernel
>> > > resource
>> > > > manager.
>> > > >
>> > > >
>> > > > > When I do ESys_Initialize, I see these
>> WARNINGs, wondering
>> > if it's
>> > > okay
>> > > > for multi-
>> > > > > thread
>> > > > > WARNING:esys:src/tss2-
>> > > esys/esys_tcti_default.c:137:tcti_from_file()
>> > > > Could not
>> > > > > load TCTI file: libtss2-tcti-default.so
<
>> http://libtss2-tcti-
>> > > default.so/ <http://default.so/> >
>> > > > libtss2-tcti-
>> > > > > default.so
<http://libtss2-tcti-default.so/>
>> > > > > WARNING:esys:src/tss2-
>> > > esys/esys_tcti_default.c:137:tcti_from_file()
>> > > > Could not
>> > > > > load TCTI file: libtss2-tcti-tabrmd.so
<
>> http://libtss2-tcti-
>> > > tabrmd.so/ <http://tabrmd.so/> >
>> > > > >
>> > > > > In my single threaded process, everything
>> works so smoothly
>> > > [root]#
>> > > > ./tpm
>> > > > > WARNING:esys:src/tss2-
>> > > esys/esys_tcti_default.c:137:tcti_from_file()
>> > > > Could not
>> > > > > load TCTI file: libtss2-tcti-default.so
<
>> http://libtss2-tcti-
>> > > default.so/ <http://default.so/> >
>> > > > > WARNING:esys:src/tss2-
>> > > esys/esys_tcti_default.c:137:tcti_from_file()
>> > > > Could not
>> > > > > load TCTI file: libtss2-tcti-tabrmd.so
<
>> http://libtss2-tcti-
>> > > tabrmd.so/ <http://tabrmd.so/> >
>> > > > ESYS
>> > > > > Initialization: Pass
>> > > > >
>> > > > > Read TPM EK Certificate: Pass
>> > > > >
>> > > > > TPM EK Certificate Root-CA Verification:
Pass
>> > > > >
>> > > > > Clear TPM State: Pass
>> > > > >
>> > > > > Created EK Primary object: Pass
>> > > > > #####Handle 0x418368
>> > > > >
>> > > > > Create Attestation Key: Pass
>> > > > > #####Ak_Handle 0x41836b
>> > > > >
>> > > > > Original
Credential="deadbeefdeadbeefdead"
>> > > > >
>> > > > > Make Credential: Pass
>> > > > > #####Encrypted Credential
>> > > > >
>> > > >
>> > >
>> > Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
>> > > > > 45c412864f020a7f1bbcab7a34f0"
>> > > > >
>> > > > > #####Encrypted
>> > > > >
>> > > >
>> > >
>> >
Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
>> > > > >
>> > > >
>> > >
>> > 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
>> > > > >
>> > > >
>> > >
>> > e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
>> > > > >
>> > > >
>> > >
>> > 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
>> > > > >
>> > > >
>> > >
>> > 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
>> > > > >
>> > > >
>> > >
>> > 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
>> > > > >
>> > > >
>> > >
>> > fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
>> > > > > e1eb9fcc1759c184972779bfc"
>> > > > >
>> > > > > Activating Credential: Pass
>> > > > > #####Recovered
>> Credential="deadbeefdeadbeefdead"
>> > > > >
>> > > > > [root]#
>> > > > >
>> > > > >
>> > > > >
>> > > > > On Wed, Apr 8, 2020 at 7:02 PM Rahul
Hardikar
>> > > > <rahulhardikar(a)gmail.com <mailto:
>> rahulhardikar(a)gmail.com>
>> > <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
>
>> > > <mailto:rahulhardikar@gmail.com <mailto:
>> rahulhardikar(a)gmail.com>
>> > <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> >
>> > > > > <mailto:rahulhardikar@gmail.com
>> > <mailto:rahulhardikar@gmail.com>
>> > > <mailto:rahulhardikar@gmail.com <mailto:
>> rahulhardikar(a)gmail.com> >
>> > <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
>> > > <mailto:rahulhardikar@gmail.com <mailto:
>> rahulhardikar(a)gmail.com> >
>> > > >
>> > > > > wrote:
>> > > > >
>> > > > >
>> > > > > Thanks guys, I'll try this but i
also
>> wanted to know if there
>> > is a
>> > > way to
>> > > > > know if the TPM still has the EK and AK
keys
>> loaded? I have
>> > the EK
>> > > > handle and AK
>> > > > > handle (not made it persistent) but I want
to
>> make sure it's
>> > > present as
>> > > > these are
>> > > > > necessary for ActivateCredential to
succeed
>> > > > > ESys_ActivateCredential complaining
>> about secret
>> > parameter
>> > > > doesn't
>> > > > > make sense to me, I tested on server side,
>> ak_name is same
>> > as
>> > > that
>> > > > sent and so is
>> > > > > EK_PUB object as well as EK_Cert in nvram,
I
>> call the same
>> > > > > external_makecredential call that's in
the
>> GitHub to create
>> > secret
>> > > and
>> > > > made sure
>> > > > > secret,credblob matches on the client side
>> when received
>> > from
>> > > server.
>> > > > >
>> > > > > Thanks,
>> > > > > Rahul
>> > > > >
>> > > > > On Tue, Mar 17, 2020 at 6:19 AM
Imran
>> Desai
>> > > > <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
>> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
>> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
>> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
>
>> > > > > <mailto:imran.desai@intel.com
>> > <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
>> > <mailto:imran.desai@intel.com> >
>> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
>> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > >
>> > > > wrote:
>> > > > >
>> > > > >
>> > > > > Set this up with all handles
in
>> use made persistent. If
>> > you
>> > > still see
>> > > > > issues, gdb-break or turn on debug logging
at
>> the Esys call and
>> > > compare
>> > > > the
>> > > > > function arguments.
>> > > > >
>> > > _______________________________________________
>> > > > > tpm2 mailing list --
>> tpm2(a)lists.01.org
>> > <mailto:tpm2@lists.01.org>
>> > > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
>
>> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
>> > > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> >
>> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
>> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
>> > > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
>> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
>
>> > > > > To unsubscribe send an email
to
>> tpm2-
>> > leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org>
>> > > <mailto:tpm2-leave@lists.01.org <mailto:
>> tpm2-leave(a)lists.01.org> >
>> > > > <mailto:tpm2-leave@lists.01.org <mailto:
>> tpm2-leave(a)lists.01.org>
>> > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
> >
>> > > > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
>> > leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
>> > leave(a)lists.01.org> >
>> > > <mailto:tpm2-leave@lists.01.org <mailto:
>> tpm2-leave(a)lists.01.org>
>> > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
> > >
>> > > > >
>> > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>> > > > >
>> > > >
>> > > >
>> > >
>> > >
>> >
>> >
>>
>>
12:25 a.m.
-----Original Message-----
From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
Sent: Monday, April 13, 2020 6:55 PM
To: Roberts, William C <william.c.roberts(a)intel.com>
Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
Subject: Re: [tpm2] Re: ESys_ActivateCredential
What is the latest stable release for tpm2_tss ?
Really? Github has a releases tab, use it.
https://github.com/tpm2-software/tpm2-tss/releases
Thanks,
Rahul
On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar <rahulhardikar(a)gmail.com
<mailto:rahulhardikar@gmail.com> > wrote:
Looks like the version I have is old, the file tss2_tctildr.h does not exist
On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar
<rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com> > wrote:
Ok, got it. I'm using ESAPI C APIs. But its pretty much the same as
the tpm2 tools implementation.
How do i add debugs in my poky directory? I have tpm2.0-
tss_2.1.4.bb <http://tpm2.0-tss_2.1.4.bb> file.
Also, how to add compile-time log flags to my src file that uses
ESAPI calls? Running separately was easy, I just called
TSS2_LOG="all+ERROR,tcti+DEBUG"
On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C
<william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com> > wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> ]
> Sent: Friday, April 10, 2020 4:15 PM
> To: Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> >
> Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
>
> Hi Bill,
> I have this on my system: Is tpmrm0 same as tabrmd? I
believe mine is using this
> right now , i'm changing it to what you mentioned to
see if it helps.
> [root@nfvis ~]# ls -l /dev/tpm*
> crw-rw----. 1 tss root 10, 224 Apr 8 23:19 /dev/tpm0
> crw-rw----. 1 tss tss 254, 65536 Apr 8 23:19
/dev/tpmrm0 Thanks, Rahul
In theory, yes. In practice no.
/dev/tpmrm0 is the in kernel resource manager
tpm2-abrmd is the userspace resource manager
tpm2-abrmd has a few features tpmrm0 doesn't have,
but unless you're
using policy sessions with tpm2-tools, you shouldn't
notice a difference.
>
> On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C
<william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > wrote:
>
>
>
>
> > -----Original Message-----
> > From: Rahul Hardikar
[mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > ]
> > Sent: Friday, April 10, 2020 1:08 PM
> > To: Roberts, William C
<william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> > >; tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
>
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Thanks Bill, trying that.
> > I did not get debug build tpm2_tss, isn't it all
prebuilt ? I will have to see
> how to
> > do it in poky.
>
> If you're getting it from a package manager, yes. But
there's nothing
> stopping you
> from using source builds. Some distro's will package
debug symbols for
> their
> packages.
>
> >
> > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C
> <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > wrote:
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Rahul Hardikar
[mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> ]
> > > Sent: Thursday, April 9, 2020 2:51 PM
> > > To: Roberts, William C
<william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > >
> > > Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> > > >;
> tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> > >
> > > Subject: Re: [tpm2] Re:
ESys_ActivateCredential
> > >
> > > Thanks Bill. I use this
> > > Esys_Initialize( &ectx, NULL, NULL);
> > >
> > > so i'm assuming it would take the default
libtss2-tcti-tabrmd.so.0.
> >
> > This should do it for you:
> > TSS2_RC
> > Tss2_TctiLdr_Initialize (const char *nameConf,
> > TSS2_TCTI_CONTEXT **context);
> >
> > Set nameConf to the string "tabrmd", that
should give you a tcti
> pointer
> > you can
> > pass wot Esys_Initialize()
> >
> > >
> > >
> > > If I need to debug Esys_ActivateCredential
more, how can I do it,
> these
> > APIs are
> > > no more standalone, I have integrated it in a
bigger code base and
> > added the
> > > esys-tss2 and other libs in my poky build, so
now it runs as
> different
> > process that
> > > invokes this function, I can gdb into the
process but I can't seem to
> gdb
> > into
> > > Esys_Activate..( )
> >
> > Did you build tpm2-tss with debug symbols?
> > Add --enable-debug
> >
> > >
> > >
> > > Thanks,
> > > Rahul
> > >
> > >
> > >
> > >
> > > On Thu, Apr 9, 2020 at 10:23 AM Roberts,
William C
> > <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > > wrote:
> > >
> > >
> > > > -----Original Message-----
> > > > From: Rahul Hardikar
[mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > > >
> > ]
> > > > Sent: Thursday, April 9, 2020 11:18 AM
> > > > To: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> >
> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> > > > >
> > > > Cc: tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > > Subject: [tpm2] Re:
ESys_ActivateCredential
> > > >
> > > > How do I know if RM is being used?
> > >
> > >
> > > If you set the tcti to the device tcti, it will
open /dev/tpm0 by
> > default. And
> > > that wont
> > > Be an RM. You can also give it an option.
Esys_Initialize() takes a
> tcti
> > as an
> > > option,
> > > NULL will cause it to use the default search
behavior of the
> > Tss2_TctiLdr,
> > > see:
> > >
> > > https://github.com/tpm2-software/tpm2-
> > >
tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
<http://Tss2_TctiLdr_Initialize.3.in>
> <http://Tss2_TctiLdr_Initialize.3.in>
> > <http://Tss2_TctiLdr_Initialize.3.in>
> > > https://github.com/tpm2-software/tpm2-
> > >
tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > https://github.com/tpm2-software/tpm2-
> > tss/blob/master/man/tss2-
> > > tcti-device.7.in <http://tcti-device.7.in>
<http://tcti-device.7.in> <http://tcti-device.7.in>
> > >
> > > You can use man locally if you prefer as
well:
> > > man 3 Tss2_TctiLdr_Initialize
> > > man 7 tss2-tcti-device
> > > man 3 Tss2_Tcti_Device_Init
> > >
> > > Note that https://github.com/tpm2-
software/tpm2-
> > >
tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > Has sample code in it.
> > >
> > > If you're using the tools, it supports
explicitly choosing the TCTI:
> > > https://github.com/tpm2-software/tpm2-
> > > tools/blob/master/man/common/tcti.md
> > >
> > > Also note that the /dev/tpmrm0 (Notice
the RM) is an in-kernel
> > resource
> > > manager.
> > >
> > >
> > > > When I do ESys_Initialize, I see these
WARNINGs, wondering
> if it's
> > okay
> > > for multi-
> > > > thread
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-default.so
<http://libtss2-tcti-
> > default.so/ <http://default.so/>
<http://default.so/> >
> > > libtss2-tcti-
> > > > default.so <http://libtss2-tcti-
default.so/>
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-tabrmd.so
<http://libtss2-tcti-
> > tabrmd.so/ <http://tabrmd.so/>
<http://tabrmd.so/> >
> > > >
> > > > In my single threaded process,
everything works so smoothly
> > [root]#
> > > ./tpm
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-default.so
<http://libtss2-tcti-
> > default.so/ <http://default.so/>
<http://default.so/> >
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-tabrmd.so
<http://libtss2-tcti-
> > tabrmd.so/ <http://tabrmd.so/>
<http://tabrmd.so/> >
> > > ESYS
> > > > Initialization: Pass
> > > >
> > > > Read TPM EK Certificate: Pass
> > > >
> > > > TPM EK Certificate Root-CA Verification:
Pass
> > > >
> > > > Clear TPM State: Pass
> > > >
> > > > Created EK Primary object: Pass
> > > > #####Handle 0x418368
> > > >
> > > > Create Attestation Key: Pass
> > > > #####Ak_Handle 0x41836b
> > > >
> > > > Original
Credential="deadbeefdeadbeefdead"
> > > >
> > > > Make Credential: Pass
> > > > #####Encrypted Credential
> > > >
> > >
> >
>
Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > > > 45c412864f020a7f1bbcab7a34f0"
> > > >
> > > > #####Encrypted
> > > >
> > >
> >
>
Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> > > >
> > >
> >
>
76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> > > >
> > >
> >
>
e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> > > >
> > >
> >
>
077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> > > >
> > >
> >
>
5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> > > >
> > >
> >
>
06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> > > >
> > >
> >
>
fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > > > e1eb9fcc1759c184972779bfc"
> > > >
> > > > Activating Credential: Pass
> > > > #####Recovered
Credential="deadbeefdeadbeefdead"
> > > >
> > > > [root]#
> > > >
> > > >
> > > >
> > > > On Wed, Apr 8, 2020 at 7:02 PM Rahul
Hardikar
> > > <rahulhardikar(a)gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> >
> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> >
> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > > >
> > > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > >
> > > > wrote:
> > > >
> > > >
> > > > Thanks guys, I'll try this but i
also
wanted to know if there
> is a
> > way to
> > > > know if the TPM still has the EK and AK
keys loaded? I have
> the EK
> > > handle and AK
> > > > handle (not made it persistent) but I
want to make sure it's
> > present as
> > > these are
> > > > necessary for ActivateCredential to
succeed
> > > > ESys_ActivateCredential complaining
about secret
> parameter
> > > doesn't
> > > > make sense to me, I tested on server
side, ak_name is same
> as
> > that
> > > sent and so is
> > > > EK_PUB object as well as EK_Cert in
nvram, I call the same
> > > > external_makecredential call that's in the
GitHub to create
> secret
> > and
> > > made sure
> > > > secret,credblob matches on the client
side when received
> from
> > server.
> > > >
> > > > Thanks,
> > > > Rahul
> > > >
> > > > On Tue, Mar 17, 2020 at 6:19 AM Imran
Desai
> > > <imran.desai(a)intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> >
> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> > >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> >
> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> > > >
> > > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> > >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> >
> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> > > > > >
> > > wrote:
> > > >
> > > >
> > > > Set this up with all handles in
use
made persistent. If
> you
> > still see
> > > > issues, gdb-break or turn on debug
logging at the Esys call and
> > compare
> > > the
> > > > function arguments.
> > > >
> >
_______________________________________________
> > > > tpm2 mailing list --
tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
>
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> > >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> > > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > >
> > > > To unsubscribe send an email to
tpm2-
> leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> > >
> > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org> <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org> >
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> > > >
> > > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org> <mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> >
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
<mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > >
> > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> >
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> > > > >
> > > >
>
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> > > >
> > >
> > >
> >
> >
>
>
3:05 a.m.
Thanks Bill. I am taking help from the poky team on this.
Getting back to the Activate Credential issue, since my code worked fine as
a single application as well as being run inside another process but as a
single thread (including makeCredential and activateCred).
My guess for failing is:
1. When server sends secret/credBlob, they dont match ---> But i ran gdb
and checked all bytes and they match, so thats not an issue, server is
running same OpenSSL as client, so no mismatch in version for
single-threaded vs multi-threaded
2. Probably AK key or EK key is not loaded or changed
--> to prove this, i would need to use Esys_ReadPublic , if it fails,
implies its not loaded, if it succeeds, I need to verify ek_pub and ak_name
is same when we created it
Assuming I have the ESYS_CONTEXT saved as well as the ESYS_TR handle for
both AK and EK saved, Esys_ReadPublic should still work right, as it only
needs these 2?
Any other reason for failing?
Thanks,
Rahul
On Wed, Apr 15, 2020 at 8:25 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
> Sent: Monday, April 13, 2020 6:55 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
>
> What is the latest stable release for tpm2_tss ?
Really? Github has a releases tab, use it.
https://github.com/tpm2-software/tpm2-tss/releases
>
> Thanks,
> Rahul
>
> On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar <rahulhardikar(a)gmail.com
> <mailto:rahulhardikar@gmail.com> > wrote:
>
>
> Looks like the version I have is old, the file tss2_tctildr.h does
not exist
>
>
> On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar
> <rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com> > wrote:
>
>
> Ok, got it. I'm using ESAPI C APIs. But its pretty much
the same as
> the tpm2 tools implementation.
> How do i add debugs in my poky directory? I have tpm2.0-
> tss_2.1.4.bb <http://tpm2.0-tss_2.1.4.bb> file.
> Also, how to add compile-time log flags to my src file
that uses
> ESAPI calls? Running separately was easy, I just called
> TSS2_LOG="all+ERROR,tcti+DEBUG"
>
> On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com> >
wrote:
>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:
rahulhardikar(a)gmail.com
> <mailto:rahulhardikar@gmail.com> ]
> > Sent: Friday, April 10, 2020 4:15 PM
> > To: Roberts, William C <
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> >
> > Cc: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
> <mailto:tpm2@lists.01.org>
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Hi Bill,
> > I have this on my system: Is tpmrm0 same as
tabrmd? I
> believe mine is using this
> > right now , i'm changing it to what you
mentioned to
> see if it helps.
> > [root@nfvis ~]# ls -l /dev/tpm*
> > crw-rw----. 1 tss root 10, 224 Apr 8 23:19
/dev/tpm0
> > crw-rw----. 1 tss tss 254, 65536 Apr 8 23:19
> /dev/tpmrm0 Thanks, Rahul
>
> In theory, yes. In practice no.
> /dev/tpmrm0 is the in kernel resource manager
> tpm2-abrmd is the userspace resource manager
>
> tpm2-abrmd has a few features tpmrm0 doesn't have,
> but unless you're
> using policy sessions with tpm2-tools, you
shouldn't
> notice a difference.
>
> >
> > On Fri, Apr 10, 2020 at 11:33 AM Roberts,
William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > wrote:
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Rahul Hardikar
> [mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> > ]
> > > Sent: Friday, April 10, 2020 1:08 PM
> > > To: Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > >
> > > Cc: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> > >; tpm2(a)lists.01.org
> <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> >
> > > Subject: Re: [tpm2] Re:
ESys_ActivateCredential
> > >
> > > Thanks Bill, trying that.
> > > I did not get debug build tpm2_tss,
isn't it all
> prebuilt ? I will have to see
> > how to
> > > do it in poky.
> >
> > If you're getting it from a package
manager, yes. But
> there's nothing
> > stopping you
> > from using source builds. Some distro's
will package
> debug symbols for
> > their
> > packages.
> >
> > >
> > > On Fri, Apr 10, 2020 at 8:16 AM Roberts,
William C
> > <william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> <mailto:
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> >
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > > wrote:
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Rahul Hardikar
> [mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> > >
> > ]
> > > > Sent: Thursday, April 9, 2020
2:51 PM
> > > > To: Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> >
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > >
> > > > Cc: Desai, Imran <
imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> >
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> > > >;
> > tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > > <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> > >
> > > > Subject: Re: [tpm2] Re:
> ESys_ActivateCredential
> > > >
> > > > Thanks Bill. I use this
> > > > Esys_Initialize( &ectx, NULL,
NULL);
> > > >
> > > > so i'm assuming it would take
the default
> libtss2-tcti-tabrmd.so.0.
> > >
> > > This should do it for you:
> > > TSS2_RC
> > > Tss2_TctiLdr_Initialize (const
char *nameConf,
> > >
TSS2_TCTI_CONTEXT **context);
> > >
> > > Set nameConf to the string
"tabrmd", that
> should give you a tcti
> > pointer
> > > you can
> > > pass wot Esys_Initialize()
> > >
> > > >
> > > >
> > > > If I need to debug
Esys_ActivateCredential
> more, how can I do it,
> > these
> > > APIs are
> > > > no more standalone, I have
integrated it in a
> bigger code base and
> > > added the
> > > > esys-tss2 and other libs in my
poky build, so
> now it runs as
> > different
> > > process that
> > > > invokes this function, I can gdb
into the
> process but I can't seem to
> > gdb
> > > into
> > > > Esys_Activate..( )
> > >
> > > Did you build tpm2-tss with debug
symbols?
> > > Add --enable-debug
> > >
> > > >
> > > >
> > > > Thanks,
> > > > Rahul
> > > >
> > > >
> > > >
> > > >
> > > > On Thu, Apr 9, 2020 at 10:23 AM
Roberts,
> William C
> > > <william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> <mailto:
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> <mailto:
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> > >
> > > > <mailto:
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> >
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > > > wrote:
> > > >
> > > >
> > > > > -----Original
Message-----
> > > > > From: Rahul Hardikar
> [mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> > >
> > > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> > > >
> > > ]
> > > > > Sent: Thursday, April
9,
2020 11:18 AM
> > > > > To: Desai, Imran <
imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> >
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> > >
> > > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> > > > >
> > > > > Cc: tpm2(a)lists.01.org
> <mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > > > Subject: [tpm2] Re:
> ESys_ActivateCredential
> > > > >
> > > > > How do I know if RM is
being used?
> > > >
> > > >
> > > > If you set the tcti to the
device tcti, it will
> open /dev/tpm0 by
> > > default. And
> > > > that wont
> > > > Be an RM. You can also
give it an option.
> Esys_Initialize() takes a
> > tcti
> > > as an
> > > > option,
> > > > NULL will cause it to use
the default search
> behavior of the
> > > Tss2_TctiLdr,
> > > > see:
> > > >
> > > >
https://github.com/tpm2-software/tpm2-
> > > >
> tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> <http://Tss2_TctiLdr_Initialize.3.in>
> > <http://Tss2_TctiLdr_Initialize.3.in>
> > > <http://Tss2_TctiLdr_Initialize.3.in>
> > > >
https://github.com/tpm2-software/tpm2-
> > > >
> tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > <http://Tss2_Tcti_Device_Init.3.in>
> > > >
https://github.com/tpm2-software/tpm2-
> > > tss/blob/master/man/tss2-
> > > > tcti-device.7.in <
http://tcti-device.7.in>
> <http://tcti-device.7.in> <http://tcti-device.7.in>
> > > >
> > > > You can use man locally if
you prefer as
> well:
> > > > man 3
Tss2_TctiLdr_Initialize
> > > > man 7 tss2-tcti-device
> > > > man 3 Tss2_Tcti_Device_Init
> > > >
> > > > Note that
https://github.com/tpm2-
> software/tpm2-
> > > >
> tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > <http://Tss2_Tcti_Device_Init.3.in>
> > > > Has sample code in it.
> > > >
> > > > If you're using the
tools,
it supports
> explicitly choosing the TCTI:
> > > >
https://github.com/tpm2-software/tpm2-
> > > >
tools/blob/master/man/common/tcti.md
> > > >
> > > > Also note that the
/dev/tpmrm0 (Notice
> the RM) is an in-kernel
> > > resource
> > > > manager.
> > > >
> > > >
> > > > > When I do
ESys_Initialize, I see these
> WARNINGs, wondering
> > if it's
> > > okay
> > > > for multi-
> > > > > thread
> > > > > WARNING:esys:src/tss2-
> > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file:
libtss2-tcti-default.so
> <http://libtss2-tcti-
> > > default.so/ <http://default.so/>
> <http://default.so/> >
> > > > libtss2-tcti-
> > > > > default.so <
http://libtss2-tcti-
> default.so/>
> > > > > WARNING:esys:src/tss2-
> > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file:
libtss2-tcti-tabrmd.so
> <http://libtss2-tcti-
> > > tabrmd.so/ <http://tabrmd.so/>
> <http://tabrmd.so/> >
> > > > >
> > > > > In my single threaded
process,
> everything works so smoothly
> > > [root]#
> > > > ./tpm
> > > > > WARNING:esys:src/tss2-
> > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file:
libtss2-tcti-default.so
> <http://libtss2-tcti-
> > > default.so/ <http://default.so/>
> <http://default.so/> >
> > > > > WARNING:esys:src/tss2-
> > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file:
libtss2-tcti-tabrmd.so
> <http://libtss2-tcti-
> > > tabrmd.so/ <http://tabrmd.so/>
> <http://tabrmd.so/> >
> > > > ESYS
> > > > > Initialization: Pass
> > > > >
> > > > > Read TPM EK
Certificate:
Pass
> > > > >
> > > > > TPM EK Certificate
Root-CA Verification:
> Pass
> > > > >
> > > > > Clear TPM State: Pass
> > > > >
> > > > > Created EK Primary
object: Pass
> > > > > #####Handle 0x418368
> > > > >
> > > > > Create Attestation Key:
Pass
> > > > > #####Ak_Handle 0x41836b
> > > > >
> > > > > Original
> Credential="deadbeefdeadbeefdead"
> > > > >
> > > > > Make Credential: Pass
> > > > > #####Encrypted
Credential
> > > > >
> > > >
> > >
> >
> Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > > > >
45c412864f020a7f1bbcab7a34f0"
> > > > >
> > > > > #####Encrypted
> > > > >
> > > >
> > >
> >
> Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> > > > >
> > > >
> > >
> >
> 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> > > > >
> > > >
> > >
> >
> e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> > > > >
> > > >
> > >
> >
> 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> > > > >
> > > >
> > >
> >
> 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> > > > >
> > > >
> > >
> >
> 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> > > > >
> > > >
> > >
> >
> fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > > > >
e1eb9fcc1759c184972779bfc"
> > > > >
> > > > > Activating Credential:
Pass
> > > > > #####Recovered
> Credential="deadbeefdeadbeefdead"
> > > > >
> > > > > [root]#
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Apr 8, 2020 at
7:02 PM Rahul
> Hardikar
> > > > <rahulhardikar(a)gmail.com
> <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> > >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> > > >
> > > > > <mailto:
rahulhardikar(a)gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> > >
> > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> > >
> > > >
> > > > > wrote:
> > > > >
> > > > >
> > > > > Thanks guys,
I'll
try this but i also
> wanted to know if there
> > is a
> > > way to
> > > > > know if the TPM still
has the EK and AK
> keys loaded? I have
> > the EK
> > > > handle and AK
> > > > > handle (not made it
persistent) but I
> want to make sure it's
> > > present as
> > > > these are
> > > > > necessary for
ActivateCredential to
> succeed
> > > > >
ESys_ActivateCredential complaining
> about secret
> > parameter
> > > > doesn't
> > > > > make sense to me, I
tested on server
> side, ak_name is same
> > as
> > > that
> > > > sent and so is
> > > > > EK_PUB object as well
as EK_Cert in
> nvram, I call the same
> > > > > external_makecredential
call that's in the
> GitHub to create
> > secret
> > > and
> > > > made sure
> > > > > secret,credblob matches
on the client
> side when received
> > from
> > > server.
> > > > >
> > > > > Thanks,
> > > > > Rahul
> > > > >
> > > > > On Tue, Mar 17,
2020 at 6:19 AM Imran
> Desai
> > > > <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> > > >
> > > > > <mailto:
imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com> > > > > >
> > > > wrote:
> > > > >
> > > > >
> > > > > Set this
up with all handles in use
> made persistent. If
> > you
> > > still see
> > > > > issues, gdb-break or
turn on debug
> logging at the Esys call and
> > > compare
> > > > the
> > > > > function arguments.
> > > > >
> > >
> _______________________________________________
> > > > > tpm2
mailing list --
> tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> >
> > > <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > > <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> > > >
> > > > <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
> <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > >
> > > > > To
unsubscribe send an email to
> tpm2-
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> > > <mailto:tpm2-leave@lists.01.org
<mailto:
tpm2-
> leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
> leave(a)lists.01.org> > >
> > > > <mailto:tpm2-leave@lists.01.org
> <mailto:tpm2-leave@lists.01.org> <mailto:tpm2-leave@lists.01.org
> <mailto:tpm2-leave@lists.01.org> >
> > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
> leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
> leave(a)lists.01.org> > > >
> > > > > <mailto:
tpm2-leave(a)lists.01.org
> <mailto:tpm2-leave@lists.01.org> <mailto:tpm2- <mailto:tpm2->
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
> <mailto:tpm2- <mailto:tpm2->
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
> >
> > > <mailto:tpm2-leave@lists.01.org
<mailto:
tpm2-
> leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
> leave(a)lists.01.org> >
> > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
> leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
> leave(a)lists.01.org> > > > >
> > > > >
> >
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
2:34 a.m.
-----Original Message-----
From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
Sent: Wednesday, April 15, 2020 1:06 PM
To: Roberts, William C <william.c.roberts(a)intel.com>
Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
Subject: Re: [tpm2] Re: ESys_ActivateCredential
Thanks Bill. I am taking help from the poky team on this.
Getting back to the Activate Credential issue, since my code worked fine as a
single application as well as being run inside another process but as a single
thread (including makeCredential and activateCred).
My guess for failing is:
1. When server sends secret/credBlob, they dont match ---> But i ran gdb and
checked all bytes and they match, so thats not an issue, server is running same
OpenSSL as client, so no mismatch in version for single-threaded vs multi-
threaded 2. Probably AK key or EK key is not loaded or changed
--> to prove this, i would need to use Esys_ReadPublic , if it fails,
--> implies its not loaded, if it succeeds, I need to verify ek_pub and
--> ak_name is same when we created it
Assuming I have the ESYS_CONTEXT saved as well as the ESYS_TR handle for both
AK and EK saved, Esys_ReadPublic should still work right, as it only needs these
2?
What do you mean ESYS_CONTEXT saved? I may be misunderstanding you here,
But you can't save those, it's a pointer so it has the same lifecycle as the
process.
Also, AFIAK, they are not thread safe. Each thread needs its own ESYS_CONTEXT
from Esys_Initialize().
For Esys_ReadPublic(), you need an ESYS_CONTEXT and an ESYS_TR. Like ESYS_CONTEXT
Pointers that cannot be shared, ESYS_TR's are handle's that eventually get turned
into a
pointer under the hood, so you can't share those either. You can serialize and
reserialize to
pass from thread A to B.
If you want to use the same ESYS_CONTEXT and ESYS_TR from thread A and B, you need
to lock ALL ESYS CALLS. But if you're going to do that, does multi-threading really
get
you any benefit.
Any other reason for failing?
Thanks,
Rahul
On Wed, Apr 15, 2020 at 8:25 AM Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> > wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> ]
> Sent: Monday, April 13, 2020 6:55 PM
> To: Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> >
> Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
>
> What is the latest stable release for tpm2_tss ?
Really? Github has a releases tab, use it.
https://github.com/tpm2-software/tpm2-tss/releases
>
> Thanks,
> Rahul
>
> On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar
<rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> wrote:
>
>
> Looks like the version I have is old, the file tss2_tctildr.h does not
exist
>
>
> On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar
> <rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> > >
wrote:
>
>
> Ok, got it. I'm using ESAPI C APIs. But its pretty much the same
as
> the tpm2 tools implementation.
> How do i add debugs in my poky directory? I have tpm2.0-
> tss_2.1.4.bb <http://tss_2.1.4.bb> <http://tpm2.0-tss_2.1.4.bb>
file.
> Also, how to add compile-time log flags to my src file that uses
> ESAPI calls? Running separately was easy, I just called
> TSS2_LOG="all+ERROR,tcti+DEBUG"
>
> On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
<mailto:william.c.roberts@intel.com <mailto:william.c.roberts@intel.com> >
>
wrote:
>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
]
> > Sent: Friday, April 10, 2020 4:15 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >;
tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Hi Bill,
> > I have this on my system: Is tpmrm0 same as tabrmd? I
> believe mine is using this
> > right now , i'm changing it to what you mentioned
to
> see if it helps.
> > [root@nfvis ~]# ls -l /dev/tpm*
> > crw-rw----. 1 tss root 10, 224 Apr 8 23:19
/dev/tpm0
> > crw-rw----. 1 tss tss 254, 65536 Apr 8 23:19
> /dev/tpmrm0 Thanks, Rahul
>
> In theory, yes. In practice no.
> /dev/tpmrm0 is the in kernel resource manager
> tpm2-abrmd is the userspace resource manager
>
> tpm2-abrmd has a few features tpmrm0 doesn't have,
> but unless you're
> using policy sessions with tpm2-tools, you shouldn't
> notice a difference.
>
> >
> > On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
<mailto:william.c.roberts@intel.com <mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > wrote:
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Rahul Hardikar
> [mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> ]
> > > Sent: Friday, April 10, 2020 1:08 PM
> > > To: Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
<mailto:william.c.roberts@intel.com <mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > >
> > > Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
>;
tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> >
> > > Subject: Re: [tpm2] Re:
ESys_ActivateCredential
> > >
> > > Thanks Bill, trying that.
> > > I did not get debug build tpm2_tss,
isn't it all
> prebuilt ? I will have to see
> > how to
> > > do it in poky.
> >
> > If you're getting it from a package manager,
yes. But
> there's nothing
> > stopping you
> > from using source builds. Some distro's will
package
> debug symbols for
> > their
> > packages.
> >
> > >
> > > On Fri, Apr 10, 2020 at 8:16 AM Roberts,
William C
> > <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > > wrote:
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Rahul Hardikar
> [mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
>
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> >
> > ]
> > > > Sent: Thursday, April 9, 2020 2:51
PM
> > > > To: Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
<mailto:william.c.roberts@intel.com <mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > >
> > > > Cc: Desai, Imran
<imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
>
>;
> > tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > > Subject: Re: [tpm2] Re:
> ESys_ActivateCredential
> > > >
> > > > Thanks Bill. I use this
> > > > Esys_Initialize( &ectx, NULL,
NULL);
> > > >
> > > > so i'm assuming it would take
the default
> libtss2-tcti-tabrmd.so.0.
> > >
> > > This should do it for you:
> > > TSS2_RC
> > > Tss2_TctiLdr_Initialize (const char
*nameConf,
> > >
TSS2_TCTI_CONTEXT **context);
> > >
> > > Set nameConf to the string
"tabrmd", that
> should give you a tcti
> > pointer
> > > you can
> > > pass wot Esys_Initialize()
> > >
> > > >
> > > >
> > > > If I need to debug
Esys_ActivateCredential
> more, how can I do it,
> > these
> > > APIs are
> > > > no more standalone, I have
integrated it in a
> bigger code base and
> > > added the
> > > > esys-tss2 and other libs in my
poky build, so
> now it runs as
> > different
> > > process that
> > > > invokes this function, I can gdb
into the
> process but I can't seem to
> > gdb
> > > into
> > > > Esys_Activate..( )
> > >
> > > Did you build tpm2-tss with debug
symbols?
> > > Add --enable-debug
> > >
> > > >
> > > >
> > > > Thanks,
> > > > Rahul
> > > >
> > > >
> > > >
> > > >
> > > > On Thu, Apr 9, 2020 at 10:23 AM
Roberts,
> William C
> > > <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > >
> > > >
<mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > > > wrote:
> > > >
> > > >
> > > > > -----Original
Message-----
> > > > > From: Rahul Hardikar
> [mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
>
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> >
> > > >
<mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > >
> > > ]
> > > > > Sent: Thursday, April
9, 2020 11:18 AM
> > > > > To: Desai, Imran
<imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
>
> > > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> >
>
> > > > > Cc: tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > >
> > > > > Subject: [tpm2] Re:
> ESys_ActivateCredential
> > > > >
> > > > > How do I know if RM is
being used?
> > > >
> > > >
> > > > If you set the tcti to the
device tcti, it will
> open /dev/tpm0 by
> > > default. And
> > > > that wont
> > > > Be an RM. You can also give
it an option.
> Esys_Initialize() takes a
> > tcti
> > > as an
> > > > option,
> > > > NULL will cause it to use
the default search
> behavior of the
> > > Tss2_TctiLdr,
> > > > see:
> > > >
> > > >
https://github.com/tpm2-software/tpm2-
> > > >
> tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
<http://Tss2_TctiLdr_Initialize.3.in>
> <http://Tss2_TctiLdr_Initialize.3.in>
> > <http://Tss2_TctiLdr_Initialize.3.in>
> > > <http://Tss2_TctiLdr_Initialize.3.in>
> > > >
https://github.com/tpm2-software/tpm2-
> > > >
> tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > <http://Tss2_Tcti_Device_Init.3.in>
> > > >
https://github.com/tpm2-software/tpm2-
> > > tss/blob/master/man/tss2-
> > > > tcti-device.7.in
<http://tcti-device.7.in>
<http://tcti-device.7.in>
> <http://tcti-device.7.in> <http://tcti-device.7.in>
> > > >
> > > > You can use man locally if
you prefer as
> well:
> > > > man 3
Tss2_TctiLdr_Initialize
> > > > man 7 tss2-tcti-device
> > > > man 3
Tss2_Tcti_Device_Init
> > > >
> > > > Note that
https://github.com/tpm2-
> software/tpm2-
> > > >
> tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > <http://Tss2_Tcti_Device_Init.3.in>
> > > > Has sample code in it.
> > > >
> > > > If you're using the
tools, it supports
> explicitly choosing the TCTI:
> > > >
https://github.com/tpm2-software/tpm2-
> > > >
tools/blob/master/man/common/tcti.md
> > > >
> > > > Also note that the
/dev/tpmrm0 (Notice
> the RM) is an in-kernel
> > > resource
> > > > manager.
> > > >
> > > >
> > > > > When I do
ESys_Initialize, I see these
> WARNINGs, wondering
> > if it's
> > > okay
> > > > for multi-
> > > > > thread
> > > > >
WARNING:esys:src/tss2-
> > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file:
libtss2-tcti-default.so
> <http://libtss2-tcti-
> > > default.so/ <http://default.so/>
<http://default.so/>
> <http://default.so/> >
> > > > libtss2-tcti-
> > > > > default.so
<http://libtss2-tcti-
> default.so/ <http://default.so/> >
> > > > >
WARNING:esys:src/tss2-
> > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file:
libtss2-tcti-tabrmd.so
> <http://libtss2-tcti-
> > > tabrmd.so/ <http://tabrmd.so/>
<http://tabrmd.so/>
> <http://tabrmd.so/> >
> > > > >
> > > > > In my single threaded
process,
> everything works so smoothly
> > > [root]#
> > > > ./tpm
> > > > >
WARNING:esys:src/tss2-
> > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file:
libtss2-tcti-default.so
> <http://libtss2-tcti-
> > > default.so/ <http://default.so/>
<http://default.so/>
> <http://default.so/> >
> > > > >
WARNING:esys:src/tss2-
> > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > Could not
> > > > > load TCTI file:
libtss2-tcti-tabrmd.so
> <http://libtss2-tcti-
> > > tabrmd.so/ <http://tabrmd.so/>
<http://tabrmd.so/>
> <http://tabrmd.so/> >
> > > > ESYS
> > > > > Initialization: Pass
> > > > >
> > > > > Read TPM EK
Certificate: Pass
> > > > >
> > > > > TPM EK Certificate
Root-CA Verification:
> Pass
> > > > >
> > > > > Clear TPM State: Pass
> > > > >
> > > > > Created EK Primary
object: Pass
> > > > > #####Handle 0x418368
> > > > >
> > > > > Create Attestation Key:
Pass
> > > > > #####Ak_Handle
0x41836b
> > > > >
> > > > > Original
> Credential="deadbeefdeadbeefdead"
> > > > >
> > > > > Make Credential: Pass
> > > > > #####Encrypted
Credential
> > > > >
> > > >
> > >
> >
>
Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > > > >
45c412864f020a7f1bbcab7a34f0"
> > > > >
> > > > > #####Encrypted
> > > > >
> > > >
> > >
> >
>
Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> > > > >
> > > >
> > >
> >
>
76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> > > > >
> > > >
> > >
> >
>
e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> > > > >
> > > >
> > >
> >
>
077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> > > > >
> > > >
> > >
> >
>
5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> > > > >
> > > >
> > >
> >
>
06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> > > > >
> > > >
> > >
> >
>
fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > > > >
e1eb9fcc1759c184972779bfc"
> > > > >
> > > > > Activating Credential:
Pass
> > > > > #####Recovered
> Credential="deadbeefdeadbeefdead"
> > > > >
> > > > > [root]#
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Apr 8, 2020 at
7:02 PM Rahul
> Hardikar
> > > > <rahulhardikar(a)gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > >
> > > > >
<mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
>
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
>
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> >
> > > >
> > > > > wrote:
> > > > >
> > > > >
> > > > > Thanks guys,
I'll try this but i also
> wanted to know if there
> > is a
> > > way to
> > > > > know if the TPM still
has the EK and AK
> keys loaded? I have
> > the EK
> > > > handle and AK
> > > > > handle (not made it
persistent) but I
> want to make sure it's
> > > present as
> > > > these are
> > > > > necessary for
ActivateCredential to
> succeed
> > > > >
ESys_ActivateCredential complaining
> about secret
> > parameter
> > > > doesn't
> > > > > make sense to me, I
tested on server
> side, ak_name is same
> > as
> > > that
> > > > sent and so is
> > > > > EK_PUB object as well
as EK_Cert in
> nvram, I call the same
> > > > > external_makecredential
call that's in the
> GitHub to create
> > secret
> > > and
> > > > made sure
> > > > > secret,credblob matches
on the client
> side when received
> > from
> > > server.
> > > > >
> > > > > Thanks,
> > > > > Rahul
> > > > >
> > > > > On Tue, Mar 17,
2020 at 6:19 AM Imran
> Desai
> > > > <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
>
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> >
> > > > >
<mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
>
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> >
> >
> > > > wrote:
> > > > >
> > > > >
> > > > > Set this
up with all handles in use
> made persistent. If
> > you
> > > still see
> > > > > issues, gdb-break or
turn on debug
> logging at the Esys call and
> > > compare
> > > > the
> > > > > function arguments.
> > > > >
> > >
> _______________________________________________
> > > > > tpm2
mailing list --
> tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > >
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > > >
> > > > > To
unsubscribe send an email to
> tpm2-
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> >
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
> > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > <mailto:tpm2-
leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> <mailto:tpm2-
<mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > > >
> > > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
leave(a)lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
>
> > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > <mailto:tpm2-
leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> <mailto:tpm2-
<mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > > > >
> > > > >
<mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
<mailto:tpm2- <mailto:tpm2-> <mailto:tpm2- <mailto:tpm2-> >
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > >
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> <mailto:tpm2- <mailto:tpm2-> <mailto:tpm2- <mailto:tpm2-> >
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > > >
> > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > <mailto:tpm2-
leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> <mailto:tpm2-
<mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > >
> > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > <mailto:tpm2-
leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> <mailto:tpm2-
<mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > > > > >
> > > > >
> >
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
4:08 a.m.
Hi Bill,
So the main thread does a lot of other stuff, tpm2 is just one of them, in
order to avoid blocking main thread, I create another pthread.
This is my logic:
global variables are ESYS_CONTEXT etcx, ESYS_TR ekHandle, ESYS_TR akHandle
so all threads can see this
main_thread():
Calls Esys_initialize() and saves the context
Reads EK_CERT and stores in global variable
creates a new pthread, T_1 and continues with its other work
T_1():
Checks if ectx is not null and
creates EK --saves the handle (ESYS_TR ekHandle) and EK_PUB object
creates AK -- saves the handle (ESYS_TR akhandle) and another global
variable for ak_name
sends EK_CERT, EK_PUB,AK_NAME in a buffer to server (marshaled)
thread exits
Server side again has main thread that accepts it and creates a new thread
S_1() to handle this, S_1() only does external_make_credential(),
(basically GitHub code) and sends SECRET and CREDBLOB back to client
Clients main_thread copies the SECRET/CREDBLOB to a global var and again
creates a new thread T_2 to handle this,
T_2():
T_2 makes sure T_1 is done (which is always done)
Now since ectx,ekHandle,akHandle are all global, it just calls
Esys_ActivateCredential() (after creating the necessary session, of course
)
Esys_Activate...() fails returning 0x2c4 (always..ran it 20times...always)
Now if I do all this in one thread, i.e main, T_1,S_1,T_2 ,it works like a
charm!
Now I see you mentioned that each thread needs its own Esys_Initialize()!!
If that's the case, then I would HAVE to make them persistent, no?
Thanks,
Rahul
On Thu, Apr 16, 2020 at 10:34 AM Roberts, William C <
william.c.roberts(a)intel.com> wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
> Sent: Wednesday, April 15, 2020 1:06 PM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
>
> Thanks Bill. I am taking help from the poky team on this.
> Getting back to the Activate Credential issue, since my code worked fine
as a
> single application as well as being run inside another process but as a
single
> thread (including makeCredential and activateCred).
> My guess for failing is:
> 1. When server sends secret/credBlob, they dont match ---> But i ran gdb
and
> checked all bytes and they match, so thats not an issue, server is
running same
> OpenSSL as client, so no mismatch in version for single-threaded vs
multi-
> threaded 2. Probably AK key or EK key is not loaded or changed
> --> to prove this, i would need to use Esys_ReadPublic , if it fails,
> --> implies its not loaded, if it succeeds, I need to verify ek_pub and
> --> ak_name is same when we created it
> Assuming I have the ESYS_CONTEXT saved as well as the ESYS_TR handle for
both
> AK and EK saved, Esys_ReadPublic should still work right, as it only
needs these
> 2?
What do you mean ESYS_CONTEXT saved? I may be misunderstanding you here,
But you can't save those, it's a pointer so it has the same lifecycle as
the process.
Also, AFIAK, they are not thread safe. Each thread needs its own
ESYS_CONTEXT
from Esys_Initialize().
For Esys_ReadPublic(), you need an ESYS_CONTEXT and an ESYS_TR. Like
ESYS_CONTEXT
Pointers that cannot be shared, ESYS_TR's are handle's that eventually get
turned into a
pointer under the hood, so you can't share those either. You can serialize
and reserialize to
pass from thread A to B.
If you want to use the same ESYS_CONTEXT and ESYS_TR from thread A and B,
you need
to lock ALL ESYS CALLS. But if you're going to do that, does
multi-threading really get
you any benefit.
>
> Any other reason for failing?
> Thanks,
> Rahul
>
> On Wed, Apr 15, 2020 at 8:25 AM Roberts, William C <
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> > wrote:
>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com> ]
> > Sent: Monday, April 13, 2020 6:55 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com> >
> > Cc: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
> <mailto:tpm2@lists.01.org>
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > What is the latest stable release for tpm2_tss ?
>
> Really? Github has a releases tab, use it.
> https://github.com/tpm2-software/tpm2-tss/releases
>
>
> >
> > Thanks,
> > Rahul
> >
> > On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar
> <rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > wrote:
> >
> >
> > Looks like the version I have is old, the file
tss2_tctildr.h does not
> exist
> >
> >
> > On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar
> > <rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> > >
wrote:
> >
> >
> > Ok, got it. I'm using ESAPI C APIs. But its pretty
much the same as
> > the tpm2 tools implementation.
> > How do i add debugs in my poky directory? I have
tpm2.0-
> > tss_2.1.4.bb <http://tss_2.1.4.bb>
<http://tpm2.0-tss_2.1.4.bb>
file.
> > Also, how to add compile-time log flags to my src
file that uses
> > ESAPI calls? Running separately was easy, I just called
> > TSS2_LOG="all+ERROR,tcti+DEBUG"
> >
> > On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C
> > <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com
>
> <mailto:william.c.roberts@intel.com <mailto:william.c.roberts@intel.com>
> >
> wrote:
> >
> >
> > > -----Original Message-----
> > > From: Rahul Hardikar [mailto:
rahulhardikar(a)gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> ]
> > > Sent: Friday, April 10, 2020 4:15 PM
> > > To: Roberts, William C <
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > >
> > > Cc: Desai, Imran <imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
>;
> tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > > Subject: Re: [tpm2] Re:
ESys_ActivateCredential
> > >
> > > Hi Bill,
> > > I have this on my system: Is tpmrm0 same
as tabrmd? I
> > believe mine is using this
> > > right now , i'm changing it to what you
mentioned to
> > see if it helps.
> > > [root@nfvis ~]# ls -l /dev/tpm*
> > > crw-rw----. 1 tss root 10, 224 Apr 8
23:19 /dev/tpm0
> > > crw-rw----. 1 tss tss 254, 65536 Apr 8
23:19
> > /dev/tpmrm0 Thanks, Rahul
> >
> > In theory, yes. In practice no.
> > /dev/tpmrm0 is the in kernel resource
manager
> > tpm2-abrmd is the userspace resource
manager
> >
> > tpm2-abrmd has a few features tpmrm0
doesn't have,
> > but unless you're
> > using policy sessions with tpm2-tools, you
shouldn't
> > notice a difference.
> >
> > >
> > > On Fri, Apr 10, 2020 at 11:33 AM
Roberts, William C
> > <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com
>
> <mailto:william.c.roberts@intel.com <mailto:william.c.roberts@intel.com>
>
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > > wrote:
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Rahul Hardikar
> > [mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > ]
> > > > Sent: Friday, April 10, 2020
1:08 PM
> > > > To: Roberts, William C
> > <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com
>
> <mailto:william.c.roberts@intel.com <mailto:william.c.roberts@intel.com>
>
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > >
> > > > Cc: Desai, Imran <
imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> >;
> tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > >
> > > > Subject: Re: [tpm2] Re:
ESys_ActivateCredential
> > > >
> > > > Thanks Bill, trying that.
> > > > I did not get debug build
tpm2_tss, isn't it all
> > prebuilt ? I will have to see
> > > how to
> > > > do it in poky.
> > >
> > > If you're getting it from a
package manager, yes. But
> > there's nothing
> > > stopping you
> > > from using source builds. Some
distro's will package
> > debug symbols for
> > > their
> > > packages.
> > >
> > > >
> > > > On Fri, Apr 10, 2020 at 8:16 AM
Roberts, William C
> > > <william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > <mailto:
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > >
> > > > <mailto:
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> >
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > > > wrote:
> > > >
> > > >
> > > >
> > > >
> > > > > -----Original
Message-----
> > > > > From: Rahul Hardikar
> > [mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> >
> > > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > >
> > > ]
> > > > > Sent: Thursday, April
9,
2020 2:51 PM
> > > > > To: Roberts, William C
> > <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com
>
> <mailto:william.c.roberts@intel.com <mailto:william.c.roberts@intel.com>
>
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > >
> > > > <mailto:
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> >
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > > >
> > > > > Cc: Desai, Imran <
imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> >
> > > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> >
> >;
> > > tpm2(a)lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
>
> > > > > Subject: Re: [tpm2] Re:
> > ESys_ActivateCredential
> > > > >
> > > > > Thanks Bill. I use this
> > > > > Esys_Initialize(
&ectx,
NULL, NULL);
> > > > >
> > > > > so i'm assuming it
would
take the default
> > libtss2-tcti-tabrmd.so.0.
> > > >
> > > > This should do it for you:
> > > > TSS2_RC
> > > > Tss2_TctiLdr_Initialize
(const char *nameConf,
> > > >
TSS2_TCTI_CONTEXT **context);
> > > >
> > > > Set nameConf to the string
"tabrmd", that
> > should give you a tcti
> > > pointer
> > > > you can
> > > > pass wot Esys_Initialize()
> > > >
> > > > >
> > > > >
> > > > > If I need to debug
Esys_ActivateCredential
> > more, how can I do it,
> > > these
> > > > APIs are
> > > > > no more standalone, I
have integrated it in a
> > bigger code base and
> > > > added the
> > > > > esys-tss2 and other
libs
in my poky build, so
> > now it runs as
> > > different
> > > > process that
> > > > > invokes this function,
I
can gdb into the
> > process but I can't seem to
> > > gdb
> > > > into
> > > > > Esys_Activate..( )
> > > >
> > > > Did you build tpm2-tss
with debug symbols?
> > > > Add --enable-debug
> > > >
> > > > >
> > > > >
> > > > > Thanks,
> > > > > Rahul
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Thu, Apr 9, 2020 at
10:23 AM Roberts,
> > William C
> > > > <william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > <mailto:
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > <mailto:
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > >
> > > > > <mailto:
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> >
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > >
> > > > <mailto:
william.c.roberts(a)intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> >
> > > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
> > <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com> > > > > > wrote:
> > > > >
> > > > >
> > > > > >
-----Original
Message-----
> > > > > > From: Rahul
Hardikar
> > [mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> >
> > > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > >
> > > > > <mailto:
rahulhardikar(a)gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > > >
> > > > ]
> > > > > > Sent:
Thursday,
April 9, 2020 11:18 AM
> > > > > > To: Desai,
Imran
<imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> >
> > > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> >
> > > > > <mailto:
imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> >
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> > >
> >
> > > > > > Cc:
tpm2(a)lists.01.org
> <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > >
> > > > > > Subject:
[tpm2]
Re:
> > ESys_ActivateCredential
> > > > > >
> > > > > > How do I
know
if RM is being used?
> > > > >
> > > > >
> > > > > If you set the
tcti to the device tcti, it will
> > open /dev/tpm0 by
> > > > default. And
> > > > > that wont
> > > > > Be an RM. You can
also give it an option.
> > Esys_Initialize() takes a
> > > tcti
> > > > as an
> > > > > option,
> > > > > NULL will cause
it
to use the default search
> > behavior of the
> > > > Tss2_TctiLdr,
> > > > > see:
> > > > >
> > > > >
https://github.com/tpm2-software/tpm2-
> > > > >
> > tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
> <http://Tss2_TctiLdr_Initialize.3.in>
> > <http://Tss2_TctiLdr_Initialize.3.in>
> > > <http://Tss2_TctiLdr_Initialize.3.in>
> > > > <
http://Tss2_TctiLdr_Initialize.3.in>
> > > > >
https://github.com/tpm2-software/tpm2-
> > > > >
> > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > <http://Tss2_Tcti_Device_Init.3.in>
> > > > <
http://Tss2_Tcti_Device_Init.3.in>
> > > > >
https://github.com/tpm2-software/tpm2-
> > > > tss/blob/master/man/tss2-
> > > > > tcti-device.7.in <
http://tcti-device.7.in>
> <http://tcti-device.7.in>
> > <http://tcti-device.7.in> <http://tcti-device.7.in>
> > > > >
> > > > > You can use man
locally if you prefer as
> > well:
> > > > > man 3
Tss2_TctiLdr_Initialize
> > > > > man 7
tss2-tcti-device
> > > > > man 3
Tss2_Tcti_Device_Init
> > > > >
> > > > > Note that
https://github.com/tpm2-
> > software/tpm2-
> > > > >
> > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > <http://Tss2_Tcti_Device_Init.3.in>
> > > > <
http://Tss2_Tcti_Device_Init.3.in>
> > > > > Has sample code
in
it.
> > > > >
> > > > > If you're
using
the tools, it supports
> > explicitly choosing the TCTI:
> > > > >
https://github.com/tpm2-software/tpm2-
> > > > >
tools/blob/master/man/common/tcti.md
> > > > >
> > > > > Also note that
the
/dev/tpmrm0 (Notice
> > the RM) is an in-kernel
> > > > resource
> > > > > manager.
> > > > >
> > > > >
> > > > > > When I do
ESys_Initialize, I see these
> > WARNINGs, wondering
> > > if it's
> > > > okay
> > > > > for multi-
> > > > > > thread
> > > > > >
WARNING:esys:src/tss2-
> > > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > > Could not
> > > > > > load TCTI
file:
libtss2-tcti-default.so
> > <http://libtss2-tcti-
> > > > default.so/
<http://default.so/>
<http://default.so/>
> > <http://default.so/> >
> > > > > libtss2-tcti-
> > > > > > default.so
<
http://libtss2-tcti-
> > default.so/ <http://default.so/> >
> > > > > >
WARNING:esys:src/tss2-
> > > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > > Could not
> > > > > > load TCTI
file:
libtss2-tcti-tabrmd.so
> > <http://libtss2-tcti-
> > > > tabrmd.so/
<http://tabrmd.so/>
> <http://tabrmd.so/>
> > <http://tabrmd.so/> >
> > > > > >
> > > > > > In my single
threaded process,
> > everything works so smoothly
> > > > [root]#
> > > > > ./tpm
> > > > > >
WARNING:esys:src/tss2-
> > > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > > Could not
> > > > > > load TCTI
file:
libtss2-tcti-default.so
> > <http://libtss2-tcti-
> > > > default.so/
<http://default.so/>
<http://default.so/>
> > <http://default.so/> >
> > > > > >
WARNING:esys:src/tss2-
> > > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > > Could not
> > > > > > load TCTI
file:
libtss2-tcti-tabrmd.so
> > <http://libtss2-tcti-
> > > > tabrmd.so/
<http://tabrmd.so/>
> <http://tabrmd.so/>
> > <http://tabrmd.so/> >
> > > > > ESYS
> > > > > >
Initialization:
Pass
> > > > > >
> > > > > > Read TPM EK
Certificate: Pass
> > > > > >
> > > > > > TPM EK
Certificate Root-CA Verification:
> > Pass
> > > > > >
> > > > > > Clear TPM
State:
Pass
> > > > > >
> > > > > > Created EK
Primary object: Pass
> > > > > > #####Handle
0x418368
> > > > > >
> > > > > > Create
Attestation Key: Pass
> > > > > >
#####Ak_Handle
0x41836b
> > > > > >
> > > > > > Original
> > Credential="deadbeefdeadbeefdead"
> > > > > >
> > > > > > Make
Credential:
Pass
> > > > > >
#####Encrypted
Credential
> > > > > >
> > > > >
> > > >
> > >
> >
> Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > > > > >
45c412864f020a7f1bbcab7a34f0"
> > > > > >
> > > > > >
#####Encrypted
> > > > > >
> > > > >
> > > >
> > >
> >
> Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> > > > > >
> > > > >
> > > >
> > >
> >
> 76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> > > > > >
> > > > >
> > > >
> > >
> >
> e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> > > > > >
> > > > >
> > > >
> > >
> >
> 077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> > > > > >
> > > > >
> > > >
> > >
> >
> 5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> > > > > >
> > > > >
> > > >
> > >
> >
> 06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> > > > > >
> > > > >
> > > >
> > >
> >
> fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > > > > >
e1eb9fcc1759c184972779bfc"
> > > > > >
> > > > > > Activating
Credential: Pass
> > > > > >
#####Recovered
> > Credential="deadbeefdeadbeefdead"
> > > > > >
> > > > > > [root]#
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Wed, Apr
8,
2020 at 7:02 PM Rahul
> > Hardikar
> > > > >
<rahulhardikar(a)gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > >
> > > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > > >
> > > > > > <mailto:
rahulhardikar(a)gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> >
> > > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > >
> > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> >
> > > > <mailto:rahulhardikar@gmail.com
> <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
>
> > >
> > > > >
> > > > > > wrote:
> > > > > >
> > > > > >
> > > > > > Thanks
guys, I'll try this but i also
> > wanted to know if there
> > > is a
> > > > way to
> > > > > > know if the
TPM
still has the EK and AK
> > keys loaded? I have
> > > the EK
> > > > > handle and AK
> > > > > > handle (not
made
it persistent) but I
> > want to make sure it's
> > > > present as
> > > > > these are
> > > > > > necessary
for
ActivateCredential to
> > succeed
> > > > > >
ESys_ActivateCredential complaining
> > about secret
> > > parameter
> > > > > doesn't
> > > > > > make sense
to
me, I tested on server
> > side, ak_name is same
> > > as
> > > > that
> > > > > sent and so is
> > > > > > EK_PUB object
as
well as EK_Cert in
> > nvram, I call the same
> > > > > >
external_makecredential call that's in the
> > GitHub to create
> > > secret
> > > > and
> > > > > made sure
> > > > > >
secret,credblob
matches on the client
> > side when received
> > > from
> > > > server.
> > > > > >
> > > > > >
Thanks,
> > > > > > Rahul
> > > > > >
> > > > > > On
Tue,
Mar 17, 2020 at 6:19 AM Imran
> > Desai
> > > > >
<imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> >
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> >
> > > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> >
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> > >
> > > > > > <mailto:
imran.desai(a)intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> >
> > > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> >
> > > <mailto:imran.desai@intel.com
> <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
>
> > >
> > >
> > > > > wrote:
> > > > > >
> > > > > >
> > > > > >
Set this up with all handles in use
> > made persistent. If
> > > you
> > > > still see
> > > > > > issues,
gdb-break or turn on debug
> > logging at the Esys call and
> > > > compare
> > > > > the
> > > > > > function
arguments.
> > > > > >
> > > >
> > _______________________________________________
> > > > > >
tpm2 mailing list --
> > tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > >
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
>
> > > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> >
> > > > > <mailto:
tpm2(a)lists.01.org
> <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > <mailto:tpm2@lists.01.org <mailto:
tpm2(a)lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > >
>
> > > > > >
To
unsubscribe send an email to
> > tpm2-
> > > leave(a)lists.01.org <mailto:
leave(a)lists.01.org>
> <mailto:leave@lists.01.org <mailto:leave@lists.01.org> >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
> > > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
> leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> > leave(a)lists.01.org <mailto:leave@lists.01.org> >
<mailto:tpm2-
> leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> <mailto:tpm2-
> <mailto:tpm2->
> > leave(a)lists.01.org <mailto:leave@lists.01.org> > > >
> > > > > <mailto:
tpm2-leave(a)lists.01.org <mailto:tpm2-
> leave(a)lists.01.org>
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
> >
> > > <mailto:tpm2-leave@lists.01.org
<mailto:
tpm2-
> leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> > leave(a)lists.01.org <mailto:leave@lists.01.org> >
<mailto:tpm2-
> leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> <mailto:tpm2-
> <mailto:tpm2->
> > leave(a)lists.01.org <mailto:leave@lists.01.org> > > > >
> > > > > > <mailto:
tpm2-leave(a)lists.01.org
> <mailto:tpm2-leave@lists.01.org>
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
>
> <mailto:tpm2- <mailto:tpm2-> <mailto:tpm2- <mailto:tpm2-> >
> > > leave(a)lists.01.org <mailto:
leave(a)lists.01.org>
> <mailto:leave@lists.01.org <mailto:leave@lists.01.org> > >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> > <mailto:tpm2- <mailto:tpm2-> <mailto:tpm2-
<mailto:tpm2-> >
> > > leave(a)lists.01.org <mailto:
leave(a)lists.01.org>
> <mailto:leave@lists.01.org <mailto:leave@lists.01.org> > > >
> > > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
> leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> > leave(a)lists.01.org <mailto:leave@lists.01.org> >
<mailto:tpm2-
> leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> <mailto:tpm2-
> <mailto:tpm2->
> > leave(a)lists.01.org <mailto:leave@lists.01.org> > >
> > > <mailto:tpm2-leave@lists.01.org
<mailto:
tpm2-
> leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> > leave(a)lists.01.org <mailto:leave@lists.01.org> >
<mailto:tpm2-
> leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> <mailto:tpm2-
> <mailto:tpm2->
> > leave(a)lists.01.org <mailto:leave@lists.01.org> > > > >
>
> > > > > >
> > >
> > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
6:37 a.m.
-----Original Message-----
From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
Sent: Thursday, April 16, 2020 2:08 PM
To: Roberts, William C <william.c.roberts(a)intel.com>
Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
Subject: Re: [tpm2] Re: ESys_ActivateCredential
Hi Bill,
So the main thread does a lot of other stuff, tpm2 is just one of them, in order to
avoid blocking main thread, I create another pthread.
This is exactly what the async API is for. You can call the async API and then
select()/poll() on the
FD's Esys_GetPollHandles()
/* this won't block */
TSS2_RC
Esys_GetRandom_Async(
ESYS_CONTEXT *esysContext,
ESYS_TR shandle1,
ESYS_TR shandle2,
ESYS_TR shandle3,
UINT16 bytesRequested);
Main thread does stuff..... it sounds like an event loop (gui thread?), so it would
call Select() with a super low timeout.
If fd is ready:
Esys_GetRandom_Finish(
ESYS_CONTEXT *esysContext,
TPM2B_DIGEST **randomBytes);
}
This is my logic:
global variables are ESYS_CONTEXT etcx, ESYS_TR ekHandle, ESYS_TR akHandle so
all threads can see this
main_thread():
Calls Esys_initialize() and saves the context
Reads EK_CERT and stores in global variable
creates a new pthread, T_1 and continues with its other work
T_1():
Checks if ectx is not null and
creates EK --saves the handle (ESYS_TR ekHandle) and EK_PUB object
creates AK -- saves the handle (ESYS_TR akhandle) and another global variable for
ak_name
sends EK_CERT, EK_PUB,AK_NAME in a buffer to server (marshaled)
thread exits
Server side again has main thread that accepts it and creates a new thread S_1()
to handle this, S_1() only does external_make_credential(), (basically GitHub
code) and sends SECRET and CREDBLOB back to client
Clients main_thread copies the SECRET/CREDBLOB to a global var and again
creates a new thread T_2 to handle this,
T_2():
T_2 makes sure T_1 is done (which is always done)
Now since ectx,ekHandle,akHandle are all global, it just calls
Esys_ActivateCredential() (after creating the necessary session, of course )
Esys_Activate...() fails returning 0x2c4 (always..ran it 20times...always)
Now if I do all this in one thread, i.e main, T_1,S_1,T_2 ,it works like a charm!
Somewhere something must not be as described, have you ran your program through ASAN
To make sure it's not memory corruption? If it's not that, something somewhere
must be stomping
on the state.
Why not just make T_1 perform T_2 task as well. Start T1, it sends to server and waits for
response,
Gets response and does the activate credential. This would avoid you having to fire up
additional
threads, which is slow.
Now I see you mentioned that each thread needs its own Esys_Initialize()!! If
that's the case, then I would HAVE to make them persistent, no?
No its more of how you share data and design it. I typically use a message passing
design,
I have a thread sleeping on a message queue and wake up that thread with a task, and
then
In my main event loop check the result queue to see if I have anything to do. Thiers
lots
of ways to do this. But typically firing off a thread every time isn't the best
approach even if
it works. If you want your main thread responsive on a busy system, its best not to ask
for
a new thread everytime.
But in the sake of completeness, I have a skeleton multi-threaded application that does
something
Similar:
Main - esys init
T1 - Creates key
Main - does stuff (like go to a server)
T2 - Signs with key
https://gist.github.com/williamcroberts/a3966e2131ba7e0adbf3ea757d36f15d
How are you synchronizing your threads? Everything must be mutually exclusive for
ESYS....
Im making sure that T1 starts after ESYS_Initialize and that T2 waits on T1 and that main,
which
Destroys everything waits on T2.
Thanks,
Rahul
On Thu, Apr 16, 2020 at 10:34 AM Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> > wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> ]
> Sent: Wednesday, April 15, 2020 1:06 PM
> To: Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> >
> Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
>
> Thanks Bill. I am taking help from the poky team on this.
> Getting back to the Activate Credential issue, since my code worked
fine as a
> single application as well as being run inside another process but as a
single
> thread (including makeCredential and activateCred).
> My guess for failing is:
> 1. When server sends secret/credBlob, they dont match ---> But i ran
gdb and
> checked all bytes and they match, so thats not an issue, server is
running same
> OpenSSL as client, so no mismatch in version for single-threaded vs
multi-
> threaded 2. Probably AK key or EK key is not loaded or changed
> --> to prove this, i would need to use Esys_ReadPublic , if it fails,
> --> implies its not loaded, if it succeeds, I need to verify ek_pub and
> --> ak_name is same when we created it
> Assuming I have the ESYS_CONTEXT saved as well as the ESYS_TR
handle for both
> AK and EK saved, Esys_ReadPublic should still work right, as it only
needs these
> 2?
What do you mean ESYS_CONTEXT saved? I may be misunderstanding
you here,
But you can't save those, it's a pointer so it has the same lifecycle as the
process.
Also, AFIAK, they are not thread safe. Each thread needs its own
ESYS_CONTEXT
from Esys_Initialize().
For Esys_ReadPublic(), you need an ESYS_CONTEXT and an ESYS_TR. Like
ESYS_CONTEXT
Pointers that cannot be shared, ESYS_TR's are handle's that eventually
get turned into a
pointer under the hood, so you can't share those either. You can serialize
and reserialize to
pass from thread A to B.
If you want to use the same ESYS_CONTEXT and ESYS_TR from thread A
and B, you need
to lock ALL ESYS CALLS. But if you're going to do that, does multi-
threading really get
you any benefit.
>
> Any other reason for failing?
> Thanks,
> Rahul
>
> On Wed, Apr 15, 2020 at 8:25 AM Roberts, William C
<william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > wrote:
>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
]
> > Sent: Monday, April 13, 2020 6:55 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >;
tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > What is the latest stable release for tpm2_tss ?
>
> Really? Github has a releases tab, use it.
> https://github.com/tpm2-software/tpm2-tss/releases
>
>
> >
> > Thanks,
> > Rahul
> >
> > On Mon, Apr 13, 2020 at 4:38 PM Rahul Hardikar
> <rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > wrote:
> >
> >
> > Looks like the version I have is old, the file tss2_tctildr.h
does
not
> exist
> >
> >
> > On Mon, Apr 13, 2020 at 12:31 PM Rahul Hardikar
> > <rahulhardikar(a)gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> > >
>
wrote:
> >
> >
> > Ok, got it. I'm using ESAPI C APIs. But its pretty
much the
same as
> > the tpm2 tools implementation.
> > How do i add debugs in my poky directory? I have
tpm2.0-
> > tss_2.1.4.bb <http://tss_2.1.4.bb> <http://tss_2.1.4.bb>
<http://tpm2.0-tss_2.1.4.bb> file.
> > Also, how to add compile-time log flags to my src file
that
uses
> > ESAPI calls? Running separately was easy, I just called
> > TSS2_LOG="all+ERROR,tcti+DEBUG"
> >
> > On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C
> > <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > >
> wrote:
> >
> >
> > > -----Original Message-----
> > > From: Rahul Hardikar
[mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> ]
> > > Sent: Friday, April 10, 2020 4:15 PM
> > > To: Roberts, William C
<william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > >
> > > Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >;
> tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > Subject: Re: [tpm2] Re:
ESys_ActivateCredential
> > >
> > > Hi Bill,
> > > I have this on my system: Is tpmrm0 same as
tabrmd?
I
> > believe mine is using this
> > > right now , i'm changing it to what you
mentioned to
> > see if it helps.
> > > [root@nfvis ~]# ls -l /dev/tpm*
> > > crw-rw----. 1 tss root 10, 224 Apr 8
23:19 /dev/tpm0
> > > crw-rw----. 1 tss tss 254, 65536 Apr 8
23:19
> > /dev/tpmrm0 Thanks, Rahul
> >
> > In theory, yes. In practice no.
> > /dev/tpmrm0 is the in kernel resource manager
> > tpm2-abrmd is the userspace resource manager
> >
> > tpm2-abrmd has a few features tpmrm0 doesn't
have,
> > but unless you're
> > using policy sessions with tpm2-tools, you
shouldn't
> > notice a difference.
> >
> > >
> > > On Fri, Apr 10, 2020 at 11:33 AM Roberts,
William C
> > <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > > wrote:
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Rahul Hardikar
> > [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> > >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > ]
> > > > Sent: Friday, April 10, 2020 1:08
PM
> > > > To: Roberts, William C
> > <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > >
> > > > Cc: Desai, Imran
<imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
>;
> tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > >
> > > > Subject: Re: [tpm2] Re:
ESys_ActivateCredential
> > > >
> > > > Thanks Bill, trying that.
> > > > I did not get debug build
tpm2_tss, isn't it all
> > prebuilt ? I will have to see
> > > how to
> > > > do it in poky.
> > >
> > > If you're getting it from a package
manager, yes.
But
> > there's nothing
> > > stopping you
> > > from using source builds. Some
distro's will package
> > debug symbols for
> > > their
> > > packages.
> > >
> > > >
> > > > On Fri, Apr 10, 2020 at 8:16 AM
Roberts, William C
> > > <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
<mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > >
> > > >
<mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > > > wrote:
> > > >
> > > >
> > > >
> > > >
> > > > > -----Original
Message-----
> > > > > From: Rahul Hardikar
> > [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> > >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> >
> > > >
<mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > >
> > > ]
> > > > > Sent: Thursday, April
9, 2020 2:51 PM
> > > > > To: Roberts, William
C
> > <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > >
> > > >
<mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > > >
> > > > > Cc: Desai, Imran
<imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
> > > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
>
> >;
> > > tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > >
> > > > > Subject: Re: [tpm2]
Re:
> > ESys_ActivateCredential
> > > > >
> > > > > Thanks Bill. I use
this
> > > > > Esys_Initialize(
&ectx, NULL, NULL);
> > > > >
> > > > > so i'm assuming it
would take the default
> > libtss2-tcti-tabrmd.so.0.
> > > >
> > > > This should do it for you:
> > > > TSS2_RC
> > > > Tss2_TctiLdr_Initialize
(const char *nameConf,
> > > >
TSS2_TCTI_CONTEXT **context);
> > > >
> > > > Set nameConf to the string
"tabrmd", that
> > should give you a tcti
> > > pointer
> > > > you can
> > > > pass wot Esys_Initialize()
> > > >
> > > > >
> > > > >
> > > > > If I need to debug
Esys_ActivateCredential
> > more, how can I do it,
> > > these
> > > > APIs are
> > > > > no more standalone, I
have integrated it in a
> > bigger code base and
> > > > added the
> > > > > esys-tss2 and other
libs in my poky build, so
> > now it runs as
> > > different
> > > > process that
> > > > > invokes this function,
I can gdb into the
> > process but I can't seem to
> > > gdb
> > > > into
> > > > > Esys_Activate..( )
> > > >
> > > > Did you build tpm2-tss with
debug symbols?
> > > > Add --enable-debug
> > > >
> > > > >
> > > > >
> > > > > Thanks,
> > > > > Rahul
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Thu, Apr 9, 2020 at
10:23 AM Roberts,
> > William C
> > > > <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
<mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
<mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > >
> > > > >
<mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > >
> > > >
<mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > > > > wrote:
> > > > >
> > > > >
> > > > > >
-----Original Message-----
> > > > > > From: Rahul
Hardikar
> > [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> > >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> >
> > > >
<mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > >
> > > > >
<mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > > >
> > > > ]
> > > > > > Sent:
Thursday, April 9, 2020 11:18 AM
> > > > > > To: Desai,
Imran
<imran.desai(a)intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
> > > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
>
> > > > >
<mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > > >
>
> >
> > > > > > Cc:
tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > >
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > > >
> > > > > > Subject:
[tpm2] Re:
> > ESys_ActivateCredential
> > > > > >
> > > > > > How do I
know if RM is being used?
> > > > >
> > > > >
> > > > > If you set the
tcti to the device tcti, it will
> > open /dev/tpm0 by
> > > > default. And
> > > > > that wont
> > > > > Be an RM. You can
also give it an option.
> > Esys_Initialize() takes a
> > > tcti
> > > > as an
> > > > > option,
> > > > > NULL will cause
it to use the default
search
> > behavior of the
> > > > Tss2_TctiLdr,
> > > > > see:
> > > > >
> > > > >
https://github.com/tpm2-
software/tpm2-
> > > > >
> > tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
<http://Tss2_TctiLdr_Initialize.3.in>
> <http://Tss2_TctiLdr_Initialize.3.in>
> > <http://Tss2_TctiLdr_Initialize.3.in>
> > > <http://Tss2_TctiLdr_Initialize.3.in>
> > > >
<http://Tss2_TctiLdr_Initialize.3.in>
> > > > >
https://github.com/tpm2-
software/tpm2-
> > > > >
> > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > <http://Tss2_Tcti_Device_Init.3.in>
> > > >
<http://Tss2_Tcti_Device_Init.3.in>
> > > > >
https://github.com/tpm2-
software/tpm2-
> > > > tss/blob/master/man/tss2-
> > > > > tcti-device.7.in
<http://tcti-device.7.in>
<http://tcti-device.7.in>
> <http://tcti-device.7.in>
> > <http://tcti-device.7.in> <http://tcti-device.7.in>
> > > > >
> > > > > You can use man
locally if you prefer as
> > well:
> > > > > man 3
Tss2_TctiLdr_Initialize
> > > > > man 7
tss2-tcti-device
> > > > > man 3
Tss2_Tcti_Device_Init
> > > > >
> > > > > Note that
https://github.com/tpm2-
> > software/tpm2-
> > > > >
> > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > <http://Tss2_Tcti_Device_Init.3.in>
> > > >
<http://Tss2_Tcti_Device_Init.3.in>
> > > > > Has sample code
in it.
> > > > >
> > > > > If you're
using the tools, it supports
> > explicitly choosing the TCTI:
> > > > >
https://github.com/tpm2-
software/tpm2-
> > > > >
tools/blob/master/man/common/tcti.md
> > > > >
> > > > > Also note that
the /dev/tpmrm0 (Notice
> > the RM) is an in-kernel
> > > > resource
> > > > > manager.
> > > > >
> > > > >
> > > > > > When I do
ESys_Initialize, I see these
> > WARNINGs, wondering
> > > if it's
> > > > okay
> > > > > for multi-
> > > > > > thread
> > > > > >
WARNING:esys:src/tss2-
> > > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > > Could not
> > > > > > load TCTI
file: libtss2-tcti-default.so
> > <http://libtss2-tcti-
> > > > default.so/
<http://default.so/>
<http://default.so/> <http://default.so/>
> > <http://default.so/> >
> > > > > libtss2-tcti-
> > > > > > default.so
<http://libtss2-tcti-
> > default.so/ <http://default.so/> <http://default.so/>
>
> > > > > >
WARNING:esys:src/tss2-
> > > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > > Could not
> > > > > > load TCTI
file: libtss2-tcti-tabrmd.so
> > <http://libtss2-tcti-
> > > > tabrmd.so/
<http://tabrmd.so/>
<http://tabrmd.so/>
> <http://tabrmd.so/>
> > <http://tabrmd.so/> >
> > > > > >
> > > > > > In my single
threaded process,
> > everything works so smoothly
> > > > [root]#
> > > > > ./tpm
> > > > > >
WARNING:esys:src/tss2-
> > > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > > Could not
> > > > > > load TCTI
file: libtss2-tcti-default.so
> > <http://libtss2-tcti-
> > > > default.so/
<http://default.so/>
<http://default.so/> <http://default.so/>
> > <http://default.so/> >
> > > > > >
WARNING:esys:src/tss2-
> > > >
esys/esys_tcti_default.c:137:tcti_from_file()
> > > > > Could not
> > > > > > load TCTI
file: libtss2-tcti-tabrmd.so
> > <http://libtss2-tcti-
> > > > tabrmd.so/
<http://tabrmd.so/>
<http://tabrmd.so/>
> <http://tabrmd.so/>
> > <http://tabrmd.so/> >
> > > > > ESYS
> > > > > >
Initialization: Pass
> > > > > >
> > > > > > Read TPM EK
Certificate: Pass
> > > > > >
> > > > > > TPM EK
Certificate Root-CA Verification:
> > Pass
> > > > > >
> > > > > > Clear TPM
State: Pass
> > > > > >
> > > > > > Created EK
Primary object: Pass
> > > > > > #####Handle
0x418368
> > > > > >
> > > > > > Create
Attestation Key: Pass
> > > > > >
#####Ak_Handle 0x41836b
> > > > > >
> > > > > > Original
> > Credential="deadbeefdeadbeefdead"
> > > > > >
> > > > > > Make
Credential: Pass
> > > > > >
#####Encrypted Credential
> > > > > >
> > > > >
> > > >
> > >
> >
>
Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > > > > >
45c412864f020a7f1bbcab7a34f0"
> > > > > >
> > > > > >
#####Encrypted
> > > > > >
> > > > >
> > > >
> > >
> >
>
Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> > > > > >
> > > > >
> > > >
> > >
> >
>
76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> > > > > >
> > > > >
> > > >
> > >
> >
>
e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> > > > > >
> > > > >
> > > >
> > >
> >
>
077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> > > > > >
> > > > >
> > > >
> > >
> >
>
5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> > > > > >
> > > > >
> > > >
> > >
> >
>
06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> > > > > >
> > > > >
> > > >
> > >
> >
>
fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > > > > >
e1eb9fcc1759c184972779bfc"
> > > > > >
> > > > > > Activating
Credential: Pass
> > > > > >
#####Recovered
> > Credential="deadbeefdeadbeefdead"
> > > > > >
> > > > > > [root]#
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Wed, Apr
8, 2020 at 7:02 PM Rahul
> > Hardikar
> > > > >
<rahulhardikar(a)gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > >
> > > >
<mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > > >
> > > > > >
<mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> >
> > > >
<mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> >
> > > >
<mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > >
> > > > >
> > > > > > wrote:
> > > > > >
> > > > > >
> > > > > > Thanks
guys, I'll try this but i also
> > wanted to know if there
> > > is a
> > > > way to
> > > > > > know if the
TPM still has the EK and AK
> > keys loaded? I have
> > > the EK
> > > > > handle and AK
> > > > > > handle (not
made it persistent) but I
> > want to make sure it's
> > > > present as
> > > > > these are
> > > > > > necessary
for ActivateCredential to
> > succeed
> > > > > >
ESys_ActivateCredential complaining
> > about secret
> > > parameter
> > > > > doesn't
> > > > > > make sense
to me, I tested on server
> > side, ak_name is same
> > > as
> > > > that
> > > > > sent and so is
> > > > > > EK_PUB
object as well as EK_Cert in
> > nvram, I call the same
> > > > > >
external_makecredential call that's in
the
> > GitHub to create
> > > secret
> > > > and
> > > > > made sure
> > > > > >
secret,credblob matches on the client
> > side when received
> > > from
> > > > server.
> > > > > >
> > > > > >
Thanks,
> > > > > >
Rahul
> > > > > >
> > > > > > On
Tue, Mar 17, 2020 at 6:19 AM
Imran
> > Desai
> > > > >
<imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
>
> > > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > > >
>
> > > > > >
<mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
>
> > > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > > >
>
> > >
> > > > > wrote:
> > > > > >
> > > > > >
> > > > > >
Set this up with all handles in use
> > made persistent. If
> > > you
> > > > still see
> > > > > > issues,
gdb-break or turn on debug
> > logging at the Esys call and
> > > > compare
> > > > > the
> > > > > > function
arguments.
> > > > > >
> > > >
> > _______________________________________________
> > > > > >
tpm2 mailing list --
> > tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > >
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > > >
> > > > >
<mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > >
> > > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > > >
>
> > > > > >
To unsubscribe send an email to
> > tpm2-
> > > leave(a)lists.01.org
<mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> >
> <mailto:leave@lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
>
> > > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > <mailto:tpm2-
<mailto:tpm2-> <mailto:tpm2- <mailto:tpm2-> >
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > >
<mailto:tpm2-
<mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> <mailto:tpm2-
leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> > <mailto:tpm2-
<mailto:tpm2->
> <mailto:tpm2- <mailto:tpm2-> >
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > > > >
> > > > >
<mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org> <mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
>
> > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > <mailto:tpm2-
<mailto:tpm2-> <mailto:tpm2- <mailto:tpm2-> >
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > >
<mailto:tpm2-
<mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> <mailto:tpm2-
leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> > <mailto:tpm2-
<mailto:tpm2->
> <mailto:tpm2- <mailto:tpm2-> >
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > > > >
>
> > > > > >
<mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
> <mailto:tpm2- <mailto:tpm2-> <mailto:tpm2- <mailto:tpm2-> >
<mailto:tpm2- <mailto:tpm2-> <mailto:tpm2- <mailto:tpm2-> > >
> > > leave(a)lists.01.org
<mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> >
> <mailto:leave@lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > > >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
> > <mailto:tpm2- <mailto:tpm2-> <mailto:tpm2-
<mailto:tpm2-> >
<mailto:tpm2- <mailto:tpm2-> <mailto:tpm2- <mailto:tpm2-> > >
> > > leave(a)lists.01.org
<mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> >
> <mailto:leave@lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > > > >
> > > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > <mailto:tpm2-
<mailto:tpm2-> <mailto:tpm2- <mailto:tpm2-> >
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > >
<mailto:tpm2-
<mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> <mailto:tpm2-
leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> > <mailto:tpm2-
<mailto:tpm2->
> <mailto:tpm2- <mailto:tpm2-> >
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > > >
> > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > <mailto:tpm2-
<mailto:tpm2-> <mailto:tpm2- <mailto:tpm2-> >
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > >
<mailto:tpm2-
<mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> <mailto:tpm2-
leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> > <mailto:tpm2-
<mailto:tpm2->
> <mailto:tpm2- <mailto:tpm2-> >
> > leave(a)lists.01.org <mailto:leave@lists.01.org>
<mailto:leave@lists.01.org <mailto:leave@lists.01.org> > > > > >
>
> > > > > >
> > >
> > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
12:23 a.m.
-----Original Message-----
From: Rahul Hardikar [mailto:rahulhardikar@gmail.com]
Sent: Monday, April 13, 2020 2:32 PM
To: Roberts, William C <william.c.roberts(a)intel.com>
Cc: Desai, Imran <imran.desai(a)intel.com>; tpm2(a)lists.01.org
Subject: Re: [tpm2] Re: ESys_ActivateCredential
Ok, got it. I'm using ESAPI C APIs. But its pretty much the same as the tpm2 tools
implementation.
How do i add debugs in my poky directory? I have tpm2.0-tss_2.1.4.bb
<http://tpm2.0-tss_2.1.4.bb> file.
I've never touched Yocto, so we're probably not going to be able to help
much there.
Also, how to add compile-time log flags to my src file that uses
ESAPI calls?
Running separately was easy, I just called TSS2_LOG="all+ERROR,tcti+DEBUG"
That’s not a compile time flag, it's in the environment. All programs have access to
The environment, via getenv and setenv calls. See: https://linux.die.net/man/5/environ
So you could call setenv() in the program. However, usually if you're not staring
The program directly on the shell, some type of execution environment, like init
or system will allow you to add these values in. This sounds very yocto specific on
how to do that, thus you would probably want to discuss that on the Yocto project
mailing lists.
The log messages go to stderr and stdout, so you could redirect them. Doing it in C:
https://stackoverflow.com/questions/584868/rerouting-stdin-and-stdout-from-c
But it would probably be easier just to alter the execution environment of the program,
How to do that is system specific.
On Mon, Apr 13, 2020 at 7:20 AM Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> > wrote:
> -----Original Message-----
> From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> ]
> Sent: Friday, April 10, 2020 4:15 PM
> To: Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> >
> Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com> >; tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> Subject: Re: [tpm2] Re: ESys_ActivateCredential
>
> Hi Bill,
> I have this on my system: Is tpmrm0 same as tabrmd? I believe mine is
using this
> right now , i'm changing it to what you mentioned to see if it helps.
> [root@nfvis ~]# ls -l /dev/tpm*
> crw-rw----. 1 tss root 10, 224 Apr 8 23:19 /dev/tpm0
> crw-rw----. 1 tss tss 254, 65536 Apr 8 23:19 /dev/tpmrm0 Thanks, Rahul
In theory, yes. In practice no.
/dev/tpmrm0 is the in kernel resource manager
tpm2-abrmd is the userspace resource manager
tpm2-abrmd has a few features tpmrm0 doesn't have, but unless you're
using policy sessions with tpm2-tools, you shouldn't notice a difference.
>
> On Fri, Apr 10, 2020 at 11:33 AM Roberts, William C
<william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > wrote:
>
>
>
>
> > -----Original Message-----
> > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
]
> > Sent: Friday, April 10, 2020 1:08 PM
> > To: Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >;
tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> >
> > Thanks Bill, trying that.
> > I did not get debug build tpm2_tss, isn't it all prebuilt ? I will
have
to see
> how to
> > do it in poky.
>
> If you're getting it from a package manager, yes. But there's
nothing
> stopping you
> from using source builds. Some distro's will package debug symbols
for
> their
> packages.
>
> >
> > On Fri, Apr 10, 2020 at 8:16 AM Roberts, William C
> <william.c.roberts(a)intel.com <mailto:william.c.roberts@intel.com>
<mailto:william.c.roberts@intel.com <mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > wrote:
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Rahul Hardikar [mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> ]
> > > Sent: Thursday, April 9, 2020 2:51 PM
> > > To: Roberts, William C <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > >
> > > Cc: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >;
> tpm2(a)lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > > Subject: Re: [tpm2] Re: ESys_ActivateCredential
> > >
> > > Thanks Bill. I use this
> > > Esys_Initialize( &ectx, NULL, NULL);
> > >
> > > so i'm assuming it would take the default
libtss2-tcti-
tabrmd.so.0.
> >
> > This should do it for you:
> > TSS2_RC
> > Tss2_TctiLdr_Initialize (const char *nameConf,
> > TSS2_TCTI_CONTEXT **context);
> >
> > Set nameConf to the string "tabrmd", that should give
you a tcti
> pointer
> > you can
> > pass wot Esys_Initialize()
> >
> > >
> > >
> > > If I need to debug Esys_ActivateCredential more, how can I
do
it,
> these
> > APIs are
> > > no more standalone, I have integrated it in a bigger code
base
and
> > added the
> > > esys-tss2 and other libs in my poky build, so now it runs
as
> different
> > process that
> > > invokes this function, I can gdb into the process but I
can't
seem to
> gdb
> > into
> > > Esys_Activate..( )
> >
> > Did you build tpm2-tss with debug symbols?
> > Add --enable-debug
> >
> > >
> > >
> > > Thanks,
> > > Rahul
> > >
> > >
> > >
> > >
> > > On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C
> > <william.c.roberts(a)intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > >
> > > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> >
> > <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com>
> <mailto:william.c.roberts@intel.com
<mailto:william.c.roberts@intel.com> > > > > wrote:
> > >
> > >
> > > > -----Original Message-----
> > > > From: Rahul Hardikar
[mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> >
> > ]
> > > > Sent: Thursday, April 9, 2020 11:18 AM
> > > > To: Desai, Imran <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com> >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
>
> > > > Cc: tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > > Subject: [tpm2] Re: ESys_ActivateCredential
> > > >
> > > > How do I know if RM is being used?
> > >
> > >
> > > If you set the tcti to the device tcti, it will open
/dev/tpm0
by
> > default. And
> > > that wont
> > > Be an RM. You can also give it an option.
Esys_Initialize()
takes a
> tcti
> > as an
> > > option,
> > > NULL will cause it to use the default search behavior
of the
> > Tss2_TctiLdr,
> > > see:
> > >
> > > https://github.com/tpm2-software/tpm2-
> > > tss/blob/master/man/Tss2_TctiLdr_Initialize.3.in
<http://Tss2_TctiLdr_Initialize.3.in>
> <http://Tss2_TctiLdr_Initialize.3.in>
> > <http://Tss2_TctiLdr_Initialize.3.in>
> > > https://github.com/tpm2-software/tpm2-
> > > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > https://github.com/tpm2-software/tpm2-
> > tss/blob/master/man/tss2-
> > > tcti-device.7.in <http://tcti-device.7.in>
<http://tcti-
device.7.in> <http://tcti-device.7.in>
> > >
> > > You can use man locally if you prefer as well:
> > > man 3 Tss2_TctiLdr_Initialize
> > > man 7 tss2-tcti-device
> > > man 3 Tss2_Tcti_Device_Init
> > >
> > > Note that https://github.com/tpm2-software/tpm2-
> > > tss/blob/master/man/Tss2_Tcti_Device_Init.3.in
<http://Tss2_Tcti_Device_Init.3.in>
> <http://Tss2_Tcti_Device_Init.3.in>
> > <http://Tss2_Tcti_Device_Init.3.in>
> > > Has sample code in it.
> > >
> > > If you're using the tools, it supports explicitly
choosing the
TCTI:
> > > https://github.com/tpm2-software/tpm2-
> > > tools/blob/master/man/common/tcti.md
> > >
> > > Also note that the /dev/tpmrm0 (Notice the RM) is an
in-
kernel
> > resource
> > > manager.
> > >
> > >
> > > > When I do ESys_Initialize, I see these WARNINGs,
wondering
> if it's
> > okay
> > > for multi-
> > > > thread
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-default.so
<http://libtss2-tcti-
> > default.so/ <http://default.so/> <http://default.so/>
>
> > > libtss2-tcti-
> > > > default.so
<http://libtss2-tcti-default.so/>
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-tabrmd.so
<http://libtss2-tcti-
> > tabrmd.so/ <http://tabrmd.so/> <http://tabrmd.so/> >
> > > >
> > > > In my single threaded process, everything works
so
smoothly
> > [root]#
> > > ./tpm
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-default.so
<http://libtss2-tcti-
> > default.so/ <http://default.so/> <http://default.so/>
>
> > > > WARNING:esys:src/tss2-
> > esys/esys_tcti_default.c:137:tcti_from_file()
> > > Could not
> > > > load TCTI file: libtss2-tcti-tabrmd.so
<http://libtss2-tcti-
> > tabrmd.so/ <http://tabrmd.so/> <http://tabrmd.so/> >
> > > ESYS
> > > > Initialization: Pass
> > > >
> > > > Read TPM EK Certificate: Pass
> > > >
> > > > TPM EK Certificate Root-CA Verification: Pass
> > > >
> > > > Clear TPM State: Pass
> > > >
> > > > Created EK Primary object: Pass
> > > > #####Handle 0x418368
> > > >
> > > > Create Attestation Key: Pass
> > > > #####Ak_Handle 0x41836b
> > > >
> > > > Original
Credential="deadbeefdeadbeefdead"
> > > >
> > > > Make Credential: Pass
> > > > #####Encrypted Credential
> > > >
> > >
> >
>
Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> > > > 45c412864f020a7f1bbcab7a34f0"
> > > >
> > > > #####Encrypted
> > > >
> > >
> >
>
Secret="b70689bb0ed9fa8324cfa03d727e6c6795069b4f0943108409b89009b9cc76c
> > > >
> > >
> >
>
76bddb31a5ccf34cfebc5d3fe715899bb725a8a3c8fe4a6046233869123f3e978051aec
> > > >
> > >
> >
>
e0d7af0ad6f85164a32fd2c5ad756e8c3b72f6311126de79a30c0d72aa0a6f3f437f6bc
> > > >
> > >
> >
>
077c41d3cc6450c71e803ca6074d34ce3debf5114f4bac2fd7ee6a87ef9f07d83079477
> > > >
> > >
> >
>
5dda4f77e4620cbaf9aeb302040ee2a66a352b9fffaa5447c09a249bb22d9d989b7f14
> > > >
> > >
> >
>
06612a90b8d8bce6bb940fbfd1d50f31398403a2643c73bec336e6fcca46f29f9b6aa87
> > > >
> > >
> >
>
fd11d53ec6f145d61b2a61dffc783ae2b2c66184435d633d0b5a420efa01748e39d687
> > > > e1eb9fcc1759c184972779bfc"
> > > >
> > > > Activating Credential: Pass
> > > > #####Recovered
Credential="deadbeefdeadbeefdead"
> > > >
> > > > [root]#
> > > >
> > > >
> > > >
> > > > On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar
> > > <rahulhardikar(a)gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> > >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> > >
>
> > > > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com>
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> <mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com>
<mailto:rahulhardikar@gmail.com <mailto:rahulhardikar@gmail.com> >
> > <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> <mailto:rahulhardikar@gmail.com
<mailto:rahulhardikar@gmail.com> > >
> > >
> > > > wrote:
> > > >
> > > >
> > > > Thanks guys, I'll try this but i also
wanted to know if
there
> is a
> > way to
> > > > know if the TPM still has the EK and AK keys
loaded? I
have
> the EK
> > > handle and AK
> > > > handle (not made it persistent) but I want to make
sure
it's
> > present as
> > > these are
> > > > necessary for ActivateCredential to succeed
> > > > ESys_ActivateCredential complaining about
secret
> parameter
> > > doesn't
> > > > make sense to me, I tested on server side, ak_name
is
same
> as
> > that
> > > sent and so is
> > > > EK_PUB object as well as EK_Cert in nvram, I call
the
same
> > > > external_makecredential call that's in the
GitHub to
create
> secret
> > and
> > > made sure
> > > > secret,credblob matches on the client side when
received
> from
> > server.
> > > >
> > > > Thanks,
> > > > Rahul
> > > >
> > > > On Tue, Mar 17, 2020 at 6:19 AM Imran
Desai
> > > <imran.desai(a)intel.com
<mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > >
> > > > <mailto:imran.desai@intel.com
<mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > >
> > <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> >
> <mailto:imran.desai@intel.com <mailto:imran.desai@intel.com>
<mailto:imran.desai@intel.com <mailto:imran.desai@intel.com> > > > >
>
> > > wrote:
> > > >
> > > >
> > > > Set this up with all handles in use
made persistent.
If
> you
> > still see
> > > > issues, gdb-break or turn on debug logging at the
Esys call
and
> > compare
> > > the
> > > > function arguments.
> > > >
> > _______________________________________________
> > > > tpm2 mailing list --
tpm2(a)lists.01.org
<mailto:tpm2@lists.01.org>
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > >
> > > <mailto:tpm2@lists.01.org
<mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > >
> > <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> >
> <mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org>
<mailto:tpm2@lists.01.org <mailto:tpm2@lists.01.org> > > > >
> > > > To unsubscribe send an email to
tpm2-
> leave(a)lists.01.org <mailto:leave@lists.01.org> <mailto:tpm2-
leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
> > > <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-
leave(a)lists.01.org> >
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > >
>
> > > > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-
leave(a)lists.01.org> <mailto:tpm2- <mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > <mailto:tpm2-
leave(a)lists.01.org <mailto:tpm2-leave@lists.01.org> <mailto:tpm2-
<mailto:tpm2->
> leave(a)lists.01.org <mailto:leave@lists.01.org> > >
> > <mailto:tpm2-leave@lists.01.org
<mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> >
> <mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org>
<mailto:tpm2-leave@lists.01.org <mailto:tpm2-leave@lists.01.org> > > >
>
> > > >
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> > > >
> > >
> > >
> >
> >
>
>
320
days inactive
357
days old
25 comments
3 participants
participants (3)
-
Imran Desai -
Rahul Hardikar -
Roberts, William C