I need to import a 256-bit AES key, but I am starting to think my TPM does not support this key length?
I read that the parent key must be bigger than the imported key, so I am running this:
tpm2_createprimary -C o -g sha256 -G aes256cfb -c primary.ctx
But then I get this error:
WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:400:Esys_CreatePrimary_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish ErrorCode (0x000002c4)
ERROR: Esys_CreatePrimary(0x2C4) - tpm:parameter(2):value is out of range or is not correct for the context
ERROR: Unable to run tpm2_createprimary
If I simply run this, it works:
tpm2_createprimary -G aes -C o -c parent.ctx -P 246
But when I run this, it fails (aes.key is 256 bits):
tpm2_import -C parent.ctx -G aes -i aes.key -u key.pub -r key.priv
I get this error:
ERROR: Cannot handle algorithm, got: symcipher
ERROR: Failed Seed Encryption
I've tried different combinations with the -G option, such as rsa2048:null:aes128cfb, but all of them fail.
Here is the output of getcap algorithms on my hardware:
rsa: value: 0x1 asymmetric: 1 symmetric: 0 hash: 0 object: 1 reserved: 0x0 signing: 0 encrypting: 0 method: 0
sha1: value: 0x4 asymmetric: 0 symmetric: 0 hash: 1 object: 0 reserved: 0x0 signing: 0 encrypting: 0 method: 0
hmac: value: 0x5 asymmetric: 0 symmetric: 0 hash: 1 object: 0 reserved: 0x0 signing: 1 encrypting: 0 method: 0
aes: value: 0x6 asymmetric: 0 symmetric: 1 hash: 0 object: 0 reserved: 0x0 signing: 0 encrypting: 0 method: 0
keyedhash: value: 0x8 asymmetric: 0 symmetric: 0 hash: 1 object: 1 reserved: 0x0 signing: 1 encrypting: 1 method: 0
xor: value: 0xA asymmetric: 0 symmetric: 1 hash: 1 object: 0 reserved: 0x0 signing: 0 encrypting: 0 method: 0
sha256: value: 0xB asymmetric: 0 symmetric: 0 hash: 1 object: 0 reserved: 0x0 signing: 0 encrypting: 0 method: 0
rsassa: value: 0x14 asymmetric: 1 symmetric: 0 hash: 0 object: 0 reserved: 0x0 signing: 1 encrypting: 0 method: 0
rsaes: value: 0x15 asymmetric: 1 symmetric: 0 hash: 0 object: 0 reserved: 0x0 signing: 0 encrypting: 1 method: 0
rsapss: value: 0x16 asymmetric: 1 symmetric: 0 hash: 0 object: 0 reserved: 0x0 signing: 1 encrypting: 0 method: 0
oaep: value: 0x17 asymmetric: 1 symmetric: 0 hash: 0 object: 0 reserved: 0x0 signing: 0 encrypting: 1 method: 0
ecdsa: value: 0x18 asymmetric: 1 symmetric: 0 hash: 0 object: 0 reserved: 0x0 signing: 1 encrypting: 0 method: 1
ecdh: value: 0x19 asymmetric: 1 symmetric: 0 hash: 0 object: 0 reserved: 0x0 signing: 0 encrypting: 0 method: 1
ecdaa: value: 0x1A asymmetric: 1 symmetric: 0 hash: 0 object: 0 reserved: 0x0 signing: 1 encrypting: 0 method: 0
kdf1_sp800_56a: value: 0x20 asymmetric: 0 symmetric: 0 hash: 1 object: 0 reserved: 0x0 signing: 0 encrypting: 0 method: 1
kdf1_sp800_108: value: 0x22 asymmetric: 0 symmetric: 0 hash: 1 object: 0 reserved: 0x0 signing: 0 encrypting: 0 method: 1
ecc: value: 0x23 asymmetric: 1 symmetric: 0 hash: 0 object: 1 reserved: 0x0 signing: 0 encrypting: 0 method: 0
symcipher: value: 0x25 asymmetric: 0 symmetric: 0 hash: 0 object: 1 reserved: 0x0 signing: 0 encrypting: 0 method: 0
cfb: value: 0x43 asymmetric: 0 symmetric: 1 hash: 0 object: 0 reserved: 0x0 signing: 0 encrypting: 1 method: 0
This is what the get_cap properties-fixed says about sym size:
TPM2_PT_CONTEXT_SYM_SIZE: raw: 0x80
Does this mean my TPM cannot import an AES 256-bit key?