tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

tpm_create fails with tpm:parameter(1):integrity check failed #2024

Closed jszanto closed 4 years ago

jszanto commented 4 years ago

I'm running tpm2-tools 4.2 on Ubuntu 20.04. When attempting to use tpm2_create to create a PCR sealed object, I encounter the following error:

root@ubuntutpmtest:/# tpm2_create -V -g sha256 -u pcr_seal_key.pub -r pcr_seal_key.priv -i disk.key -C prim.ctx -L pcr0.sha256.policy

INFO on line: "362" in file: "lib/files.c": Assuming tpm context file
INFO on line: "293" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x80000000
WARNING:esys:src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x000001df)
ERROR on line: "53" in file: "lib/log.h": Esys_ContextLoad(0x1DF) - tpm:parameter(1):integrity check failed
ERROR on line: "146" in file: "tools/tpm2_tool.c": Unable to run tpm2_create

I've followed the instructions on https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html, which suggest using this command.

williamcroberts commented 4 years ago

so error code 0x1df is:

tpm2_rc_decode 0x1df
tpm:parameter(1):integrity check failed

It's coming from Esys_ContextLoad, which means that the context file cannot be loaded. How did you end up with primary.ctx?

Usually this happens when you try and use a context file after a reboot/tpm reboot occurs, or tpm2_clear command is invoked. You can just recreate the primary key with tpm2_createprimary and then call tpm2_create.

Either you need to persist the primary key, as showcased in that demo, or you need to run tpm2_createprimary.
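
How 0x1df breaks down into the "tpm:parameter(1):integrity check failed" text quoted in the comment above, as an added example that is not part of the original thread or of tpm2-tools. The names `FMT1_ERRORS`, `decode_tpm_rc` and `describe` are this example's own, and the error table is a subset.

```python
# Added example: split a TPM 2.0 response code (TPM_RC) into its bit fields.
# Bit layout follows the TPM 2.0 Library Specification, Part 2 (TPM_RC).
FMT1_ERRORS = {  # format-one error numbers (bits 5:0); subset only
    0x02: ("TPM_RC_ATTRIBUTES", "inconsistent attributes"),
    0x04: ("TPM_RC_VALUE", "value is out of range or is not correct for the context"),
    0x0B: ("TPM_RC_HANDLE", "the handle is not correct for the use"),
    0x0E: ("TPM_RC_AUTH_FAIL", "the authorization HMAC check failed"),
    0x15: ("TPM_RC_SIZE", "structure is the wrong size"),
    0x1D: ("TPM_RC_POLICY_FAIL", "a policy check failed"),
    0x1F: ("TPM_RC_INTEGRITY", "integrity check failed"),
    0x22: ("TPM_RC_BAD_AUTH", "authorization failure without DA implications"),
}

def decode_tpm_rc(rc):
    """Return the fields of a response code as a dict."""
    layer = (rc >> 16) & 0xFF          # TSS layer byte; 0 means the TPM itself
    code = rc & 0xFFF                  # TPM_RC proper lives in bits 11:0
    if code & 0x080:                   # F bit set: format-one code
        n = (code >> 8) & 0xF          # N field, bits 11:8
        if code & 0x040:               # P bit set: N is a parameter number
            subject = ("parameter", n)
        elif n & 0x8:                  # top bit of N set: N is a session number
            subject = ("session", n & 0x7)
        else:                          # otherwise N is a handle number
            subject = ("handle", n)
        name, text = FMT1_ERRORS.get(code & 0x3F, ("unknown", "unknown error number"))
        return {"layer": layer, "format": 1, "subject": subject,
                "name": name, "text": text}
    return {"layer": layer, "format": 0,   # format-zero: flags plus bits 6:0
            "tpm2": bool(code & 0x100), "vendor": bool(code & 0x400),
            "warning": bool(code & 0x800), "number": code & 0x7F}

def describe(rc):
    """One-line summary; the format-zero wording is this example's own."""
    f = decode_tpm_rc(rc)
    if f["layer"] != 0:
        return f"layer {f['layer']}: not a TPM-layer code"
    if f["format"] == 1:
        kind, n = f["subject"]
        return f"tpm:{kind}({n}):{f['text']}"
    sev = "warn" if f["warning"] else "error"
    return f"tpm:{sev}:number 0x{f['number']:02x}"

if __name__ == "__main__":
    print(describe(0x1DF))  # the code from the Esys_ContextLoad log line
```

TPM2_ContextLoad takes the saved context as its only parameter, so parameter(1) here is the context blob read from the .ctx file.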

jszanto commented 4 years ago

I created primary.ctx using tpm2_createprimary -Q -C o -c primary.ctx, but I did do a reboot in the meanwhile which caused the issue I guess.

alexsmartens commented 4 years ago

@jszanto how did you fix your problem?

dylangerdaly commented 4 years ago

Weird, I suspected the "primary" key had some sort of significance, it's weird that you can create a primary key, create a child keypair, reboot.

Recreate the primary key and everything still works?

What exactly is the "primary" key for?

idesai commented 4 years ago

> Weird, I suspected the "primary" key had some sort of significance, it's weird that you can create a primary key, create a child keypair, reboot.
>
> Recreate the primary key and everything still works?
>
> What exactly is the "primary" key for?

It depends on key attributes.