tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

`tpm2_create` ignores `--creation-hash` , `--creation-data` and `--creation-ticket` #3431

Open arianvp opened 1 week ago

arianvp commented 1 week ago

Expected behaviour

devid.hash is created. devid.data is created. devid.ticket is created.

Observed behaviour

None of the files are created.

Reproducer

tpm2_createprimary --key-context srk.ctx --key-algorithm ecc > srk.yaml

tpm2_create \
    --key-algorithm ecc \
    --key-context devid.ctx \
    --parent-context srk.ctx \
    --attributes 'sign|fixedtpm|fixedparent|sensitivedataorigin|userwithauth' \
    --public devid.pub \
    --creation-data devid.data \
    --creation-hash devid.hash \
    --creation-ticket devid.ticket \
    --pcr-list 'sha256:7,11' \
    --private devid.priv > devid.yaml

arianvp commented 1 week ago

It does work for tpm2_createprimary. Really seems to be a bug.

arianvp commented 1 week ago

--creation-data also seems to be broken.

JuergenReppSIT commented 1 week ago

If --key-context is used the context file is created by the tpm2_createloaded command. This option can be used to avoid the normal tpm2_create and tpm2_load command sequences and do it all in one command but the data you expected will not be produced. The files will be produced if --key-context in not used. To create the context you can use tpm2_load. It would not be bad to produce a warning in this case.