stefanberger / libtpms

The libtpms library provides software emulation of a Trusted Platform Module (TPM 1.2 and TPM 2.0)

TPM2_Create returns 0x2d2 #254

Closed (JerryDevis closed this issue 3 years ago)

JerryDevis commented 3 years ago

Hello, I have another question. When I run the following command using tpm2-tools, I get 0x2d2:

    tpm2 create -C primary.ctxt -g sha256 -G rsa -r key.prv -u key.pub -L policy.dat -a "sensitivedataorigin"

I found that it returns this error code in the PublicAttributesValidation function:

    // See if sign and decrypt are the same
    if(IS_ATTRIBUTE(attributes, TPMA_OBJECT, sign)
       == IS_ATTRIBUTE(attributes, TPMA_OBJECT, decrypt))
    {
        // a restricted key cannot have both SET or both CLEAR
        if(IS_ATTRIBUTE(attributes, TPMA_OBJECT, restricted))
            return TPM_RC_ATTRIBUTES;
        // only a data object may have both sign and decrypt CLEAR
        // BTW, since we know that decrypt==sign, no need to check both
        if(publicArea->type != TPM_ALG_KEYEDHASH
           && !IS_ATTRIBUTE(attributes, TPMA_OBJECT, sign))
            return TPM_RC_ATTRIBUTES; // error code return
    }

However, in Trusted Platform Module Library Part 1: Architecture, there are the following descriptions:

Revision 148
Reworked the attestation key certification to indicate that an encrypted challenge response is a more likely use case than an encrypted certificate.
Field upgrade should not affect TPM2_CreatePrimary() outputs under certain conditions.
The reset of the Time circuit is related to TPM power, not TPM_Init.
MAX_SYM_DATA 128 changed from shall to should.
sign and decrypt both CLEAR or SET and scheme not TPM_ALG_NULL returns TPM_RC_SCHEME.
TPM2_PCR_Allocate() takes effect at _TPM_Init(), not TPM2_Startup().

So, is the error code inconsistent with the TCG standard?
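Because the thread turns on why this attribute set is rejected and what the reported code means, here is an added example (not libtpms or TCG reference code) that re-implements the quoted sign/decrypt/restricted rule over plain integers and splits a format-1 response code into its parameter index and error number. The bit positions and response-code constants follow TPM 2.0 Library Part 2; the attribute word for the issue's command is constructed on the assumption that `-a "sensitivedataorigin"` sets exactly that one attribute.

```c
#include <stdint.h>
#include <stdio.h>

/* TPMA_OBJECT bit positions (TPM 2.0 Library Part 2, TPMA_OBJECT). */
#define TPMA_OBJECT_SENSITIVEDATAORIGIN (1u << 5)
#define TPMA_OBJECT_RESTRICTED          (1u << 16)
#define TPMA_OBJECT_DECRYPT             (1u << 17)
#define TPMA_OBJECT_SIGN_ENCRYPT        (1u << 18)
/* Object types and response-code fields used here (Part 2). */
#define TPM_ALG_RSA       0x0001
#define TPM_ALG_KEYEDHASH 0x0008
#define RC_FMT1           0x080u  /* format-1 response code */
#define RC_P              0x040u  /* error relates to a parameter */
#define TPM_RC_SUCCESS    0x000u
#define TPM_RC_ATTRIBUTES (RC_FMT1 + 0x002u)
#define TPM_RC_SCHEME     (RC_FMT1 + 0x012u)

/* Sign/decrypt/restricted rule from the quoted PublicAttributesValidation()
 * snippet, re-implemented over plain integers (not the reference code). */
uint32_t check_sign_decrypt(uint16_t type, uint32_t attributes)
{
    int sign    = (attributes & TPMA_OBJECT_SIGN_ENCRYPT) != 0;
    int decrypt = (attributes & TPMA_OBJECT_DECRYPT) != 0;
    if (sign == decrypt) {
        /* a restricted key cannot have both SET or both CLEAR */
        if (attributes & TPMA_OBJECT_RESTRICTED)
            return TPM_RC_ATTRIBUTES;
        /* only a data (keyedHash) object may have both CLEAR */
        if (type != TPM_ALG_KEYEDHASH && !sign)
            return TPM_RC_ATTRIBUTES;
    }
    return TPM_RC_SUCCESS;
}

/* Format-1 layout: bits 0-5 error number, bit 6 parameter flag, bits 8-11 index. */
unsigned rc_fmt1_number(uint32_t rc)   { return rc & 0x3Fu; }
unsigned rc_fmt1_index(uint32_t rc)    { return (rc >> 8) & 0xFu; }
int      rc_fmt1_is_param(uint32_t rc) { return (rc & RC_P) != 0; }

int main(void)
{
    /* Constructed attributes for "-G rsa -a sensitivedataorigin": sign and decrypt both CLEAR. */
    uint32_t issue_attrs = TPMA_OBJECT_SENSITIVEDATAORIGIN;
    printf("check: 0x%03x (TPM_RC_ATTRIBUTES is 0x%03x)\n",
           check_sign_decrypt(TPM_ALG_RSA, issue_attrs), TPM_RC_ATTRIBUTES);
    printf("0x2d2: param=%d index=%u number=0x%02x (ATTRIBUTES=0x%02x, SCHEME=0x%02x)\n",
           rc_fmt1_is_param(0x2d2), rc_fmt1_index(0x2d2), rc_fmt1_number(0x2d2),
           TPM_RC_ATTRIBUTES & 0x3Fu, TPM_RC_SCHEME & 0x3Fu);
    return 0;
}
```

Setting either sign or decrypt (but not both on a restricted key) makes the check pass, which is the quickest way to confirm locally whether this rule is the one a given attribute set trips over.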

stefanberger commented 3 years ago

You are referring to PublicAttributesValidation() in Object_spt.c. This function's code is originally from the TCG reference code, I would say.

Please check this document for rev 164: https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p64_Part4_SupportingRoutines_code_15may2021.pdf

PDF page 306 shows the same code as you quote, but this is for rev 164.

I think you should direct your question to the source, which is TCG in this case.

JerryDevis commented 3 years ago

OK. I will try to communicate with the TCG members about this.

stefanberger commented 3 years ago

If this is indeed an issue, then it's a TCG spec/reference issue and not a libtpms issue. I think we should close this issue here.

JerryDevis commented 3 years ago

OK