Closed liuqun closed 6 years ago
I got a solution to remove persistent keys. For example, I will create another persistent handle 0x81010020 then evict it using tpm2_evictcontrol.
(suppose that the primary object is po.ctx, key objects are saved as key.ctx and key2.ctx here)
$ tpm2_create -c po.ctx -g 0x000b -G 0x0001 -o key2.pub -O key2.priv
$ tpm2_load -c po.ctx -u key2.pub -r key2.priv -n key2.name -C obj2.ctx
$ tpm2_evictcontrol -A o -c obj2.ctx -S 0x81010020
persistentHandle: 0x81010020
At this moment we will have two persistent objects; tpm2_listpersistent and ssh-keygen will show us how many keys are available:
$ tpm2_listpersistent
2 persistent objects defined.
0. Persistent handle: 0x81010010
{
Type: 0x1
Hash algorithm(nameAlg): 0xb
Attributes: 0x60072
}
1. Persistent handle: 0x81010020
{
Type: 0x1
Hash algorithm(nameAlg): 0xb
Attributes: 0x60072
}
$ ssh-keygen -D /usr/local/lib/libtpm2-pk11.so
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWVkBa+n1RAna6hwkgr+9YsCoy/bz5QPwkQuVcUbrI3wRfmon4u2Dd+Y3Ze97IzPNMiSnGr4LQg7hLjfA2Rws15xuAHoKHOMeyeesIOLRRIs5MgDod6/07X5OiWmCEgoEpd0JOTAvPnjnBFX+C0u3EUYC0ry3xs7PUCdb9cwR17fEM8OoysQq+dLn9rsvnRDWG8vU/gnGCeUqSsCr2iWQIEVqpAbytm1OgVBToEzWBeBQW1NuUHUo9tOPe7ylFrl4tjUWzHQMDzrIVV3WIpjDEenvyHZULWamfr2x9QV1lui6McGZOBxqA1ehzMaaQkJbkkZLinXFna2M44FBxeVOv
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXJ0YXMaxkwQrtP4z0/RUMUHmu1n7A7CgI2UikRMr8hFsEM4annTqbdsigqI54CChuGJXN65Qa8qNLydsgBpbQqP13K48JkOVXEzvlVoPMx+mHBLs03dfMDf0keIT9pvi/U7v2UOLiuIDhCgANJYnJuIs0yRA7BTROtVQo8m2s32t0kJZ8Hh8IXJ9uA4qJe8ObcgDqqcJiUqfFqCTE1Mym3c0RMuRhxjVYXxl5gfDlZ2s6oxetS8gK2lebUre20LpNv9eQGOsoVrmBx7SSarxyLtaVYj1pY55HKRg6am725OAp9Axjkr+q49vlhkpwLfEIiOpFEwTDBKzKKu5guQqV
The following command will evict object 0x81010020:
$ tpm2_evictcontrol -A o -H 0x81010020 -S 0x81010020
I'm not sure whether option -S should be specified.
@liuqun with the tpm2-tools head, the following also works:
tpm2_evictcontrol -A o -H 0x81010020 -p 0x81010020
@kaccardi but does it work for tpm2-tools 4.1?
When more than one persistent key exists in my TPM chip, how could I remove some of them?
https://github.com/irtimmer/tpm2-pk11/blob/7c64a1f419b2d47e8802c24c248523a302891ec4/README.md#L14-L18
After some tests, I've created too many persistent keys in my device; tpm2_listpersistent shows me that there are 7 keys defined now. How could I evict these keys using tpm2_evictcontrol?
Currently, if I try to call ssh-keygen, 4 RSA public keys will be exported:
And I want to keep the 3rd ssh-rsa pub-key and remove the other keys. :thinking:
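A small housekeeping helper for the situation described in this thread (keep one handle, evict the rest), added here as an example; it is not code from the thread, tpm2-tools or tpm2-pk11. It assumes the tpm2_listpersistent output format and the tpm2_evictcontrol flags liuqun used above, and only prints the eviction commands so you can review them before running anything against the TPM.

```shell
#!/bin/sh
# Parse tpm2_listpersistent output and print a tpm2_evictcontrol command for
# every persistent handle except the ones we want to keep. Dry run only.

# Constructed sample, in the format tpm2_listpersistent printed in the thread.
SAMPLE_LISTING='2 persistent objects defined.
0. Persistent handle: 0x81010010
{
Type: 0x1
Hash algorithm(nameAlg): 0xb
Attributes: 0x60072
}
1. Persistent handle: 0x81010020
{
Type: 0x1
Hash algorithm(nameAlg): 0xb
Attributes: 0x60072
}'

# list_handles: read a listing on stdin, print one handle per line, in order.
list_handles() {
    sed -n 's/^[0-9]*\. Persistent handle: \(0x[0-9a-fA-F]*\)$/\1/p'
}

# nth_handle N: print the Nth handle (1-based), e.g. the "3rd key" to keep.
nth_handle() {
    list_handles | sed -n "${1}p"
}

# evict_commands KEEP...: for every handle not in KEEP, print the eviction
# command using the owner hierarchy flags from the thread (-A o -H ... -S ...).
evict_commands() {
    keep=" $* "
    list_handles | while read -r h; do
        case "$keep" in
            *" $h "*) ;;   # handle is on the keep list, leave it alone
            *) printf 'tpm2_evictcontrol -A o -H %s -S %s\n' "$h" "$h" ;;
        esac
    done
}

# Dry run against the sample: keep the 1st handle, show what would be evicted.
KEEP=$(printf '%s\n' "$SAMPLE_LISTING" | nth_handle 1)
printf '%s\n' "$SAMPLE_LISTING" | evict_commands "$KEEP"
```

On a real system replace SAMPLE_LISTING with the live output of tpm2_listpersistent, and pipe the printed commands to sh only after checking that the handle backing your ssh key is on the keep list.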