Closed MartinKutz closed 4 years ago
The error code means that a malformed EK is somehow used in the command. Either the public and private parts are from different keys, or the key bits are mangled. This looks like a TPM bug.
Three things to try are: 1) try a different device with the same setup; 2) try a different device with a different TPM type; 3) use the key handle that is passed as the second parameter to ActivateCredential() to encrypt and then decrypt a piece of data. If the decryption operation fails with TPM_RC_BINDING, then something is indeed wrong with the key (or the TPM).
We tried different things, using the official example app for TPM based device provisioning provided by Microsoft.
The following handles are available after running the device provisioning example for the first time:
root@debian:~# tpm2_listpersistent -T device
2 persistent objects defined.
0. Persistent handle: 0x81000001
{
Type: 0x1
Hash algorithm(nameAlg): 0xb
Attributes: 0x30472
}
1. Persistent handle: 0x81010001
{
Type: 0x1
Hash algorithm(nameAlg): 0xb
Attributes: 0x300b2
}
Can you provide us with an example of how to encrypt/decrypt data on Debian? tpm2-tools are installed.
@bantoni We have successfully tested with Ubuntu Server 16.04 running in Hyper-V with a virtual TPMv2. Two things to try out:
master
and try again (might be fixed by #981).
@CIPop Tried out both of your proposals:
Besides this, we executed the TPM HSM integration tests provided by the TPM2 TSS library. All tests passed.
If the sample and SDK work as expected with the TPM Simulator, but only fail on the actual device, it looks like a TPM bug and there isn't anything the SDK can do about that. I am closing this issue; feel free to re-open if there is an action item for the SDK.
@MartinKutz, @amarochk, @bantoni, @CIPop, @abhipsaMisra, thank you for your contribution to our open-sourced project! Please help us improve by filling out this 2-minute customer satisfaction survey
Description of the issue:
We want to use TPM for provisioning under Linux with .NET Core. The call RegisterAsync on the ProvisioningDeviceClient is failing with TpmException "Error {Binding} was returned for command ActivateCredential." The function GetEndorsementKey() on SecurityProviderTpmHsm, for example, is working.
As transport technology, HTTP is used (ProvisioningTransportHandlerHttp). The application is running in a docker container with mapped TPM device.
Exception details:
HTTP transport exception. (Tpm2Lib.TpmException) Error {Binding} was returned for command ActivateCredential.
Result of "tpm2_rc_decode 0x2E5":
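The raw code 0x2E5 behind the "Error {Binding}" message above is a TPM 2.0 format-one response code, and pulling it apart shows not only the error name but which argument of ActivateCredential the TPM is complaining about. The decoder below is an added example for this thread, not code from tpm2-tools, TSS.MSR or the Azure IoT SDK; it follows the TPM_RC layout from TPM 2.0 Library Part 2, section 6.6, and its name tables are a subset of the specification (the codes most often met while debugging key loading and credential activation), not the full list. It handles the 12-bit TPM-layer code only, not the TSS layer prefixes in the upper bits.

```python
"""Decode TPM 2.0 response codes the way tpm2_rc_decode does.

Added example for this issue thread; not part of tpm2-tools, TSS.MSR or
the Azure IoT SDK.  Layout per TPM 2.0 Library Part 2, section 6.6.  The
name tables are a subset of the specification, chosen for debugging key
loading and ActivateCredential failures.
"""

# Format-one errors (bit 7 set): the low 6 bits select the error and the
# code also records which handle, session or parameter caused it.
FMT1_NAMES = {
    0x01: "TPM_RC_ASYMMETRIC", 0x02: "TPM_RC_ATTRIBUTES", 0x03: "TPM_RC_HASH",
    0x04: "TPM_RC_VALUE", 0x05: "TPM_RC_HIERARCHY", 0x07: "TPM_RC_KEY_SIZE",
    0x08: "TPM_RC_MGF", 0x09: "TPM_RC_MODE", 0x0A: "TPM_RC_TYPE",
    0x0B: "TPM_RC_HANDLE", 0x0C: "TPM_RC_KDF", 0x0D: "TPM_RC_RANGE",
    0x0E: "TPM_RC_AUTH_FAIL", 0x0F: "TPM_RC_NONCE", 0x10: "TPM_RC_PP",
    0x12: "TPM_RC_SCHEME", 0x15: "TPM_RC_SIZE", 0x16: "TPM_RC_SYMMETRIC",
    0x17: "TPM_RC_TAG", 0x18: "TPM_RC_SELECTOR", 0x1A: "TPM_RC_INSUFFICIENT",
    0x1B: "TPM_RC_SIGNATURE", 0x1C: "TPM_RC_KEY", 0x1D: "TPM_RC_POLICY_FAIL",
    0x1F: "TPM_RC_INTEGRITY", 0x20: "TPM_RC_TICKET", 0x21: "TPM_RC_RESERVED_BITS",
    0x22: "TPM_RC_BAD_AUTH", 0x23: "TPM_RC_EXPIRED", 0x24: "TPM_RC_POLICY_CC",
    0x25: "TPM_RC_BINDING", 0x26: "TPM_RC_CURVE", 0x27: "TPM_RC_ECC_POINT",
}

# Format-zero TPM 2.0 errors (bit 8 set, bit 7 clear): low 7 bits select.
VER1_NAMES = {
    0x00: "TPM_RC_INITIALIZE", 0x01: "TPM_RC_FAILURE", 0x03: "TPM_RC_SEQUENCE",
    0x0B: "TPM_RC_PRIVATE", 0x19: "TPM_RC_HMAC", 0x20: "TPM_RC_DISABLED",
    0x21: "TPM_RC_EXCLUSIVE", 0x24: "TPM_RC_AUTH_TYPE", 0x25: "TPM_RC_AUTH_MISSING",
    0x26: "TPM_RC_POLICY", 0x27: "TPM_RC_PCR", 0x28: "TPM_RC_PCR_CHANGED",
    0x42: "TPM_RC_COMMAND_SIZE", 0x43: "TPM_RC_COMMAND_CODE", 0x44: "TPM_RC_AUTHSIZE",
    0x46: "TPM_RC_NV_RANGE", 0x47: "TPM_RC_NV_SIZE", 0x48: "TPM_RC_NV_LOCKED",
    0x49: "TPM_RC_NV_AUTHORIZATION", 0x4C: "TPM_RC_NV_DEFINED",
    0x50: "TPM_RC_BAD_CONTEXT", 0x52: "TPM_RC_PARENT", 0x54: "TPM_RC_NO_RESULT",
}

# Format-zero warnings (bits 8 and 11 set): the TPM asks the caller to retry
# or free resources rather than reporting a hard failure.
WARN_NAMES = {
    0x01: "TPM_RC_CONTEXT_GAP", 0x02: "TPM_RC_OBJECT_MEMORY",
    0x03: "TPM_RC_SESSION_MEMORY", 0x04: "TPM_RC_MEMORY",
    0x05: "TPM_RC_SESSION_HANDLES", 0x06: "TPM_RC_OBJECT_HANDLES",
    0x07: "TPM_RC_LOCALITY", 0x08: "TPM_RC_YIELDED", 0x09: "TPM_RC_CANCELED",
    0x0A: "TPM_RC_TESTING", 0x20: "TPM_RC_NV_RATE", 0x21: "TPM_RC_LOCKOUT",
    0x22: "TPM_RC_RETRY", 0x23: "TPM_RC_NV_UNAVAILABLE",
}

RC_FMT1 = 0x080    # bit 7: format-one error
RC_VER1 = 0x100    # bit 8: TPM 2.0 (not TPM 1.2) format-zero code
RC_VENDOR = 0x400  # bit 10: vendor-defined code
RC_WARN = 0x800    # bit 11: warning rather than error


def decode_tpm_rc(rc):
    """Return (name, detail) for a raw 12-bit TPM_RC value.

    The detail string names the offending handle, session or parameter for
    format-one codes, so callers can match on the name alone.
    """
    if rc == 0:
        return ("TPM_RC_SUCCESS", "")

    if rc & RC_FMT1:
        # Format one: bits 0-5 = error, bit 6 = P (parameter vs. handle or
        # session), bits 8-11 = N (1-based index of the offending argument).
        err = rc & 0x3F
        n = (rc >> 8) & 0xF
        name = FMT1_NAMES.get(err, "TPM_RC_FMT1_UNKNOWN(0x%02X)" % err)
        if rc & 0x40:
            return (name, "parameter %d" % n)
        # With P clear, bit 11 of the code marks a session; otherwise a handle.
        if n & 0x8:
            return (name, "session %d" % (n & 0x7))
        return (name, "handle %d" % n)

    # Format zero: bits 0-6 = error; bits 8, 10 and 11 classify the code.
    err = rc & 0x7F
    if rc & RC_VENDOR:
        return ("TPM_RC_VENDOR_SPECIFIC(0x%03X)" % rc, "")
    if not rc & RC_VER1:
        return ("TPM_1_2_COMPATIBLE(0x%03X)" % rc, "")
    if rc & RC_WARN:
        return (WARN_NAMES.get(err, "TPM_RC_WARN_UNKNOWN(0x%02X)" % err), "warning")
    return (VER1_NAMES.get(err, "TPM_RC_VER1_UNKNOWN(0x%02X)" % err), "")


def explain(rc):
    """One-line rendering in the spirit of tpm2_rc_decode output."""
    name, detail = decode_tpm_rc(rc)
    return "0x%03X: %s%s" % (rc, name, (" (%s)" % detail) if detail else "")


if __name__ == "__main__":
    # 0x2E5 is the code from this issue: FMT1 | P | N=2 | BINDING.
    print(explain(0x2E5))
```

For 0x2E5 the decoder reports TPM_RC_BINDING on parameter 2. In TPM2_ActivateCredential the parameters after the two handles are credentialBlob and secret, so the TPM is rejecting the secret that was wrapped to the EK, which is consistent with the earlier comment that the EK's public and private portions do not match: the credential is encrypted to a public key the TPM cannot unwrap with the loaded private part. The same decoder turns the common 0x98E into TPM_RC_AUTH_FAIL on session 1, and 0x921 into the TPM_RC_LOCKOUT warning, which helps separate a key-binding problem from an authorization or dictionary-attack-lockout problem before touching the SDK.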