irtimmer / tpm2-pk11

[DEPRECATED] PKCS#11 Module for TPM 2.0
BSD 2-Clause "Simplified" License

Solved problem: How to flush away an existing persistent key from TPM chip? #43

Closed liuqun closed 6 years ago

liuqun commented 6 years ago

When more than one persistent key exists in my TPM chip, how could I remove some of them?

https://github.com/irtimmer/tpm2-pk11/blob/7c64a1f419b2d47e8802c24c248523a302891ec4/README.md#L14-L18

After some tests, I've created too many persistent keys in my device; tpm2_listpersistent shows me that there are 7 keys defined now. How could I evict these keys using tpm2_evictcontrol?

$ tpm2_listpersistent 
7 persistent objects defined.

  0. Persistent handle: 0x81010001
  {
    Type: 0x1
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x300b2
  }

  1. Persistent handle: 0x81010002
  {
    Type: 0x1
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x50072
  }

  2. Persistent handle: 0x81010003
  {
    Type: 0x23
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x300b2
  }

  3. Persistent handle: 0x81010010
  {
    Type: 0x1
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x60072
  }

  4. Persistent handle: 0x81010011
  {
    Type: 0x1
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x300b2
  }

  5. Persistent handle: 0x810100ff
  {
    Type: 0x1
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x60072
  }

  6. Persistent handle: 0x81010101
  {
    Type: 0x1
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x300b2
  }

Currently, if I try to call ssh-keygen, 4 RSA public keys will be exported:

ssh-keygen -D /usr/local/lib/libtpm2-pk11.so 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy2x7NXRdJt+pHMe3dqEj1Bx2ejsNvo/imZc5tKR64IHaxc1+Yd3DPuUq6hITPE06pagpRyL28GCDGkrb8XtZRkwOapCkUFceO58DbmzdolZmJXkgbAlKzFDpuaJFVfL+Gt2/qlzU72uve7MeqE6Un8BSTRhO3Te4egsTVvevgJTQQ5JvlyxeiR1B48lka/kxCmrxWYN4ZNx8qjTZahPmPgVlP1XcdlDxCOXgVFtUvsSIk5IYnLhDcmYspkRianCKTrz2bciNI361XfivVOlp1I1zjB2SyZ4g10o9p45xeuIBfydDmhW+9SdTNhrWzfhpDTyWZMkueVYQcVnlpSkYh
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXJ0YXMaxkwQrtP4z0/RUMUHmu1n7A7CgI2UikRMr8hFsEM4annTqbdsigqI54CChuGJXN65Qa8qNLydsgBpbQqP13K48JkOVXEzvlVoPMx+mHBLs03dfMDf0keIT9pvi/U7v2UOLiuIDhCgANJYnJuIs0yRA7BTROtVQo8m2s32t0kJZ8Hh8IXJ9uA4qJe8ObcgDqqcJiUqfFqCTE1Mym3c0RMuRhxjVYXxl5gfDlZ2s6oxetS8gK2lebUre20LpNv9eQGOsoVrmBx7SSarxyLtaVYj1pY55HKRg6am725OAp9Axjkr+q49vlhkpwLfEIiOpFEwTDBKzKKu5guQqV
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWVkBa+n1RAna6hwkgr+9YsCoy/bz5QPwkQuVcUbrI3wRfmon4u2Dd+Y3Ze97IzPNMiSnGr4LQg7hLjfA2Rws15xuAHoKHOMeyeesIOLRRIs5MgDod6/07X5OiWmCEgoEpd0JOTAvPnjnBFX+C0u3EUYC0ry3xs7PUCdb9cwR17fEM8OoysQq+dLn9rsvnRDWG8vU/gnGCeUqSsCr2iWQIEVqpAbytm1OgVBToEzWBeBQW1NuUHUo9tOPe7ylFrl4tjUWzHQMDzrIVV3WIpjDEenvyHZULWamfr2x9QV1lui6McGZOBxqA1ehzMaaQkJbkkZLinXFna2M44FBxeVOv
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJ5mAGqPKNNWHuw9n5cHcqQNbzrgatfnfWZAULARutyvuOtWjyan3EHCqKFigQNEbRM0Mx+JEZOp6DZx/VYqF5LVgaFyl2tDRQ1duTUNnuJjf31rVr706fydiXsW91nF+Dt/POOKMJMABKxZdHnb8lwdZHdRLCTVuv+m5yv4KGrWu6wt/AkpPEj+brF+Qqcu1C6aJ1n4hT++5lq06fj6E4umNZzHVpj4/BedRNENZ1JOUTDX2DUzCTqGD/DA5PZYp+gzULGYx/32jIRnXLl+RkO2jPfLt1jLZ6Y6W6a4Gpazt0pCIrNoUjl/IxDqAMBCwFutyE16nHuak6qrXb78X

And I want to keep the 3rd ssh-rsa pub-key and remove the other keys. :thinking:

liuqun commented 6 years ago

I got a solution to remove persistent keys. For example, I will create another persistent handle 0x81010020 and then evict it using tpm2_evictcontrol.

(Suppose that the primary object is po.ctx and the key objects are saved as key.ctx and key2.ctx here.)

$ tpm2_create -c po.ctx -g 0x000b -G 0x0001 -o key2.pub -O key2.priv 
$ tpm2_load -c po.ctx -u key2.pub -r key2.priv -n key2.name -C obj2.ctx 
$ tpm2_evictcontrol -A o -c obj2.ctx -S 0x81010020
persistentHandle: 0x81010020

At this moment we will have two persistent objects; tpm2_listpersistent and ssh-keygen will show us how many keys are available:

$ tpm2_listpersistent 
2 persistent objects defined.

  0. Persistent handle: 0x81010010
  {
    Type: 0x1
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x60072
  }

  1. Persistent handle: 0x81010020
  {
    Type: 0x1
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x60072
  }

$ ssh-keygen -D /usr/local/lib/libtpm2-pk11.so 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWVkBa+n1RAna6hwkgr+9YsCoy/bz5QPwkQuVcUbrI3wRfmon4u2Dd+Y3Ze97IzPNMiSnGr4LQg7hLjfA2Rws15xuAHoKHOMeyeesIOLRRIs5MgDod6/07X5OiWmCEgoEpd0JOTAvPnjnBFX+C0u3EUYC0ry3xs7PUCdb9cwR17fEM8OoysQq+dLn9rsvnRDWG8vU/gnGCeUqSsCr2iWQIEVqpAbytm1OgVBToEzWBeBQW1NuUHUo9tOPe7ylFrl4tjUWzHQMDzrIVV3WIpjDEenvyHZULWamfr2x9QV1lui6McGZOBxqA1ehzMaaQkJbkkZLinXFna2M44FBxeVOv
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXJ0YXMaxkwQrtP4z0/RUMUHmu1n7A7CgI2UikRMr8hFsEM4annTqbdsigqI54CChuGJXN65Qa8qNLydsgBpbQqP13K48JkOVXEzvlVoPMx+mHBLs03dfMDf0keIT9pvi/U7v2UOLiuIDhCgANJYnJuIs0yRA7BTROtVQo8m2s32t0kJZ8Hh8IXJ9uA4qJe8ObcgDqqcJiUqfFqCTE1Mym3c0RMuRhxjVYXxl5gfDlZ2s6oxetS8gK2lebUre20LpNv9eQGOsoVrmBx7SSarxyLtaVYj1pY55HKRg6am725OAp9Axjkr+q49vlhkpwLfEIiOpFEwTDBKzKKu5guQqV

The following command will evict object 0x81010020:

$ tpm2_evictcontrol -A o -H 0x81010020 -S 0x81010020

I'm not sure whether option -S should be specified.
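
Added example (not from the issue author or the tpm2-pk11 project): before evicting anything, it helps to know what each persistent handle in the tpm2_listpersistent output above actually is. The Type, nameAlg and Attributes words are raw TPM_ALG_ID and TPMA_OBJECT values from the TPM 2.0 Library specification, so the script below parses a constructed copy of the listing quoted in the question, decodes each object's role (storage parent, restricted attestation key, general-purpose signing key), and prints the tpm2_evictcontrol lines in the tpm2-tools 3.x syntax used in this thread for every owner-range handle you do not list in `keep`. It only prints the plan; nothing is sent to the TPM. The helper names (`parse_listing`, `classify`, `eviction_plan`) and the four-entry sample are this example's own assumptions, and the command syntax is version-specific, as the later comments in the thread note.

```python
import re
from typing import Dict, List, Set

# TPM_ALG_ID values (TPM 2.0 Library Part 2) for the fields tpm2_listpersistent prints.
TPM_ALG = {0x1: "RSA", 0xb: "SHA256", 0x23: "ECC"}

# TPMA_OBJECT attribute bits (TPM 2.0 Library Part 2).
TPMA_OBJECT = {
    0x2: "fixedTPM", 0x4: "stClear", 0x10: "fixedParent", 0x20: "sensitiveDataOrigin",
    0x40: "userWithAuth", 0x80: "adminWithPolicy", 0x400: "noDA", 0x800: "encryptedDuplication",
    0x10000: "restricted", 0x20000: "decrypt", 0x40000: "sign",
}
RESTRICTED, DECRYPT, SIGN = 0x10000, 0x20000, 0x40000

# tpm2_evictcontrol -A o acts on owner-hierarchy persistent handles; 0x81800000 and
# above are platform-hierarchy handles (TCG registry of reserved handles).
OWNER_PERSISTENT = range(0x81000000, 0x81800000)

# Constructed sample: four of the entries quoted in the issue, in the same format.
SAMPLE_LISTING = """4 persistent objects defined.

  0. Persistent handle: 0x81010001
  {
    Type: 0x1
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x300b2
  }

  1. Persistent handle: 0x81010002
  {
    Type: 0x1
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x50072
  }

  2. Persistent handle: 0x81010003
  {
    Type: 0x23
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x300b2
  }

  3. Persistent handle: 0x81010010
  {
    Type: 0x1
    Hash algorithm(nameAlg): 0xb
    Attributes: 0x60072
  }
"""

ENTRY_RE = re.compile(
    r"Persistent handle:\s*(0x[0-9a-fA-F]+)\s*\{\s*Type:\s*(0x[0-9a-fA-F]+)\s*"
    r"Hash algorithm\(nameAlg\):\s*(0x[0-9a-fA-F]+)\s*Attributes:\s*(0x[0-9a-fA-F]+)\s*\}",
    re.S,
)


def parse_listing(text: str) -> List[Dict[str, int]]:
    """Turn tpm2_listpersistent (tpm2-tools 3.x) output into one dict per object."""
    out = []
    for m in ENTRY_RE.finditer(text):
        handle, typ, alg, attrs = (int(x, 16) for x in m.groups())
        out.append({"handle": handle, "type": typ, "name_alg": alg, "attrs": attrs})
    return out


def decode_attrs(attrs: int) -> List[str]:
    """Names of the TPMA_OBJECT bits set in an Attributes word, lowest bit first."""
    return [name for bit, name in sorted(TPMA_OBJECT.items()) if attrs & bit]


def classify(attrs: int) -> str:
    """Coarse role of an object from its restricted/decrypt/sign bits."""
    if attrs & RESTRICTED and attrs & DECRYPT:
        return "storage key (parent for other objects)"
    if attrs & RESTRICTED and attrs & SIGN:
        return "restricted signing key (attestation)"
    if attrs & SIGN:
        return "general-purpose signing key"
    return "other"


def summarize(objs: List[Dict[str, int]]) -> List[str]:
    """One human-readable line per persistent object."""
    return [f"0x{o['handle']:08x} {TPM_ALG.get(o['type'], hex(o['type']))}/"
            f"{TPM_ALG.get(o['name_alg'], hex(o['name_alg']))} {classify(o['attrs'])} "
            f"[{' '.join(decode_attrs(o['attrs']))}]" for o in objs]


def eviction_plan(objs: List[Dict[str, int]], keep: Set[int]) -> List[str]:
    """tpm2_evictcontrol lines (syntax from the thread) for every handle not in `keep`.
    Nothing is executed; refuses handles outside the owner persistent range."""
    plan = []
    for o in objs:
        h = o["handle"]
        if h in keep:
            continue
        if h not in OWNER_PERSISTENT:
            raise ValueError(f"0x{h:08x} is not an owner-hierarchy persistent handle")
        plan.append(f"tpm2_evictcontrol -A o -H 0x{h:08x} -S 0x{h:08x}")
    return plan


if __name__ == "__main__":
    objs = parse_listing(SAMPLE_LISTING)
    print("\n".join(summarize(objs)))
    print("\n".join(eviction_plan(objs, keep={0x81010010})))
```

Run it as-is to see the four sample objects decoded; pipe real `tpm2_listpersistent` output into `parse_listing` to get a plan for your own chip. The decode matters because the 0x300b2 entries are restricted decrypt objects (persisted storage parents), while 0x60072 is the unrestricted sign+decrypt key that tpm2_create produces by default; evicting a parent does not destroy keys created under it, but it does remove the handle that `-c po.ctx` style workflows load from, so check the role before evicting.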

kaccardi commented 6 years ago

@liuqun with the tpm2-tools head, the following also works:

tpm2_evictcontrol -A o -H 0x81010020 -p 0x81010020

specter119 commented 4 years ago

@kaccardi but does it work for tpm2-tools 4.1?