Open alexey3nemckovich opened 2 years ago
alexey3nemckovich
commented
2 years ago It fails on attempt to load created key with error = TPM_RC::SIZE
TPM_HANDLE aesHandle = tpm[sess].Load(prim, aesKey.outPrivate, aesKey.outPublic);
If do this actions (key creation, making it persistent, encryption/decryption) without session everything works fine. But I need somehow to encrypt parameters passed to TPM.
alexey3nemckovich
commented
2 years ago I realised, that EncryptDecrypt command can't be crypted, because it doesn't have TPM2B parameter first. So, I tried to use RSA encryption instread. It supports encryption session. But unfortunately I got another error Sample of my code `
// At the time of writing only unseeded and unbound session enc and dec are supported.
// First set up a session that encrypts communications TO the TPM. To do this
// we tell the TPM to decrypt via TPMA_SESSION::decrypt.
AUTH_SESSION sess = tpm.StartAuthSession(TPM_SE::HMAC, TPM_ALG_ID::SHA256,
TPMA_SESSION::continueSession | TPMA_SESSION::decrypt,
TPMT_SYM_DEF(TPM_ALG_ID::AES, 128, TPM_ALG_ID::CFB));
AUTH_SESSION encSess = tpm.StartAuthSession(TPM_SE::HMAC, TPM_ALG_ID::SHA1,
TPMA_SESSION::continueSession | TPMA_SESSION::encrypt,
TPMT_SYM_DEF(TPM_ALG_ID::AES, 128, TPM_ALG_ID::CFB));
Announce("RsaEncryptDecrypt");
// This sample demostrates the use of the TPM for RSA operations.
// We will make a key in the "null hierarchy".
TPMT_PUBLIC primTempl(TPM_ALG_ID::SHA1,
TPMA_OBJECT::decrypt | TPMA_OBJECT::userWithAuth | TPMA_OBJECT::sensitiveDataOrigin,
null, // No policy
TPMS_RSA_PARMS(null, TPMS_SCHEME_OAEP(TPM_ALG_ID::SHA1), 2048, 65537),
TPM2B_PUBLIC_KEY_RSA());
// Set the use-auth for the nex key. Note the second parameter is
// NULL because we are asking the TPM to create a new key.
ByteVec userAuth = { 1, 2, 3, 4 };
TPMS_SENSITIVE_CREATE sensCreate(userAuth, null);
// Create the key
auto storagePrimary = tpm[sess].CreatePrimary(TPM_RH::OWNER, sensCreate, primTempl, null, null);
TPM_HANDLE& keyHandle = storagePrimary.handle;
// We can put the primary key into NV with EvictControl
TPM_HANDLE persistentHandle = TPM_HANDLE::Persistent(1000);
persistentHandle.SetName(userAuth);
persistentHandle.SetAuth(userAuth);
// First delete anything that might already be there
tpm._AllowErrors().EvictControl(TPM_RH::OWNER, persistentHandle, persistentHandle);
// Make our primary persistent
tpm.EvictControl(TPM_RH::OWNER, storagePrimary.handle, persistentHandle);
//// Flush the old one
tpm.FlushContext(storagePrimary.handle);
// ReadPublic of the new persistent one
auto persistentPub = tpm.ReadPublic(persistentHandle);
cout << "Public part of persistent primary" << endl << persistentPub.ToString(false);
ByteVec dataToEncrypt = { '1', '2', '3', '\0' };//TPM_HASH::FromHashOfString(TPM_ALG_ID::SHA1, "secret");
cout << "Data to encrypt: " << dataToEncrypt << endl;
auto enc = tpm[sess].RSA_Encrypt(persistentHandle, dataToEncrypt, TPMS_NULL_ASYM_SCHEME(), null);
cout << "RSA-encrypted data: " << enc << endl;
auto dec = tpm[encSess].RSA_Decrypt(persistentHandle, enc, TPMS_NULL_ASYM_SCHEME(), null);
cout << "decrypted data: " << dec << endl;
if (dec == dataToEncrypt)
cout << "Decryption worked" << endl;
_ASSERT(dataToEncrypt == dec);
tpm.FlushContext(keyHandle);`Here program fails on RSA_Encrypt command with code BAD_AUTH.
Hello, @Prakhar314 and @sicario001 . Your project is really useful to dive into TPM2 API, it has a really lot of nice samples. But maybe you could help to understand what i am doing wrong here. I want to create a session for encrypting/decrypting tpm commands and responses. And in context of this session create aes key, make it persistent and perform some encryption/decryption with it. But unfortunately that doesn't work. Could you help me to figure it out? Here is sample code of how I am trying to do it.