Closed mikzaq closed 8 years ago
The policy file for tpm2_create should contain the binary format of the policyAuth. You can create a tool based on the TPM2.0-TSS SAPI API to create a trial session and call PolicyPCR to update the policyAuth, and then export it into a file. You can refer to TPM2.0-TSS/test/tpmclient or tpmtest for how the policyAuth was calculated.
I created a policyAuth file, and I am able to use this to create and seal an object, but I am able to simply unseal said object no matter what state the PCRs are in, and this is because I have not created a trial session, correct? Are there plans to create a tool to do this? I am not sure I have the technical knowledge to create the trial session myself through the SAPI.
Also, I see that there is a StartAuthSession.c file in /src, but I have so far been unable to compile this.
You also need to add "-A 0x20492" (fixedTPM, fixedParent, noDA, decrypt, adminWithPolicy) as the cmdline option to enforce using policy to access the sealed data.
Okay, so right now, my method goes as follows:
tpm2_createprimary -A o -P <password> -g 0x4 -G 0x1
tpm2_create -H 0x80000000 -g 0x4 -G 0x1 -A 0x20492 -I key.txt -L policypcr16aaasha1.bin -o out.pub -O out.pri
but this gives me Errorcode 0x2c2, and changing -G 0x1 to -G 0x8 gives me Errorcode 0x2d2, but I am unsure what these mean, or why I am unable to use tpm2_create when I use the -A argument.
hi @mikzaq, I spent the better part of last week working on a tool to decode these TPM_RC codes. If you've got the time it could use some testing and might help us understand the error code you're seeing better. It looks like @gwei3 just merged this too so it should be in master.
Okay thanks, I'll check it out!
Sorry, my fault. Please change the attribute from 0x20492 to 0x492 (fixedTPM, fixedParent, noDA, adminWithPolicy), and make sure to store the parent key in a context file and use the parent context instead of the parent handle, as below; this succeeds on my side:
tpm2_createprimary -A o -g 0x4 -G 0x1 -C ctx.pri
tpm2_create -c ctx.pri -g 0xb -G 0x1 -A 0x492 -I key.txt -L policypcr16aaasha1.bin -o out.pub -O out.pr
It works! Thanks so much for your help! I'm still unable to unseal, but I believe this is due to the fact that I cannot create a policy session, as there is currently no tool for this.
I am trying to do the same as mikzaq, but creating the object fails. I tried this on two different hardware TPMs (manuId: AMD, manuId: IFX) on linux-4.4.19. Both give the same error. Am I doing something wrong? Or is the problem somewhere else?
% tpm2_createprimary -A o -g 0x4 -G 0x1 -C ctx.pri
nameAlg = 0x0004
type = 0x0001
contextFile = ctx.pri
CreatePrimary Succeed ! Handle: 0x80000000
% tpm2_create -c ctx.pri -g 0xb -G 0x1 -A 0x492 -I ~/msg.bin -L policies/policypcr16aaasha1.bin -o out.pub -O out.pri
contextParentFile = ctx.pri
nameAlg = 0x000b
type = 0x0001
inSensitive.t.sensitive.data.t.size = 64
ObjectAttribute: 0x00000492
Create Object Failed ! ErrorCode: 0x921
I am a little confused about how to use tpm2_create to seal a key to the PCRs. I see that I can pass in a policy file, but how do I create a policy file that defines which PCR(s) I wish to seal the data to? Also, what would this policy file look like?
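The earlier answer says the policy file is the binary policy digest that a trial session produces after TPM2_PolicyPCR, and the question above asks what that file looks like. The following is an added example, not code from tpm2-tools or TPM2.0-TSS, that computes that digest offline from the TPM 2.0 specification's definition of PolicyPCR (policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values))), so you can see exactly which bytes `-L` consumes and what changes when a PCR value changes. It also decodes the TPMA_OBJECT attribute word so the difference between the failing `-A 0x20492` and the working `-A 0x492` is visible. The PCR value bytes and the output filename in `main()` are constructed placeholders; real PCR contents would come from the TPM's PCR read.

```python
import hashlib
import struct

# TPM_CC_PolicyPCR command code (TPM 2.0 Library Spec, Part 2, TPM_CC constants)
TPM_CC_POLICY_PCR = 0x0000017F

# TPM_ALG_ID values for the two name algorithms used in the thread (-g 0x4 and -g 0xb)
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
_HASH_BY_ALG = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256"}

# TPMA_OBJECT bit positions (TPM 2.0 Part 2, TPMA_OBJECT); only the bits
# relevant to sealed-data objects and the -A values in this thread are listed.
TPMA_OBJECT_BITS = {
    0x00000002: "fixedTPM",
    0x00000004: "stClear",
    0x00000010: "fixedParent",
    0x00000020: "sensitiveDataOrigin",
    0x00000040: "userWithAuth",
    0x00000080: "adminWithPolicy",
    0x00000400: "noDA",
    0x00000800: "encryptedDuplication",
    0x00010000: "restricted",
    0x00020000: "decrypt",
    0x00040000: "sign",
}


def decode_object_attributes(attrs):
    """Return the names of the TPMA_OBJECT bits set in a -A attribute word."""
    return [name for bit, name in sorted(TPMA_OBJECT_BITS.items()) if attrs & bit]


def marshal_pcr_selection(alg, pcr_indices):
    """Marshal a TPML_PCR_SELECTION holding one TPMS_PCR_SELECTION:
    count (UINT32), hashAlg (UINT16), sizeofSelect (UINT8), pcrSelect bitmap."""
    size_of_select = 3  # 24 PCRs on PC-client TPMs -> 3 bitmap bytes
    select = bytearray(size_of_select)
    for idx in pcr_indices:
        if not 0 <= idx < size_of_select * 8:
            raise ValueError("PCR index out of range: %d" % idx)
        select[idx // 8] |= 1 << (idx % 8)  # PCR n lives in byte n//8, bit n%8
    return struct.pack(">IHB", 1, alg, size_of_select) + bytes(select)


def policy_pcr_digest(alg, pcr_values):
    """Digest a trial session holds after one TPM2_PolicyPCR over the given PCRs.

    pcr_values maps PCR index -> the PCR's current value (bytes) in the bank
    selected by alg. The returned bytes are what tpm2_create -L expects."""
    hname = _HASH_BY_ALG[alg]
    indices = sorted(pcr_values)
    # pcrDigest = H(concatenation of the selected PCR values, ascending index order)
    pcr_digest = hashlib.new(hname, b"".join(pcr_values[i] for i in indices)).digest()
    # A fresh policy session starts with policyDigest = zeros of the hash size
    old_digest = bytes(hashlib.new(hname).digest_size)
    # policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || pcrDigest)
    update = (old_digest
              + struct.pack(">I", TPM_CC_POLICY_PCR)
              + marshal_pcr_selection(alg, indices)
              + pcr_digest)
    return hashlib.new(hname, update).digest()


def main():
    # Constructed placeholder: a SHA-1 bank PCR 16 value (20 bytes). A real run
    # would read the bank's current PCR 16 from the TPM instead.
    pcr16 = bytes.fromhex("aa" * 20)
    digest = policy_pcr_digest(TPM_ALG_SHA1, {16: pcr16})
    print("TPMA_OBJECT 0x492   ->", decode_object_attributes(0x492))
    print("TPMA_OBJECT 0x20492 ->", decode_object_attributes(0x20492))
    print("TPML_PCR_SELECTION  ->", marshal_pcr_selection(TPM_ALG_SHA1, [16]).hex())
    print("policy digest       ->", digest.hex())
    # The policy file is nothing but these raw digest bytes (placeholder filename).
    with open("policy_pcr16_sha1_example.bin", "wb") as f:
        f.write(digest)


if __name__ == "__main__":
    main()
```

The attribute decode shows that 0x20492 is 0x492 with `decrypt` also set; the rest of the thread's fix keeps only fixedTPM, fixedParent, adminWithPolicy and noDA, which is what a keyed-hash sealed object created with `-G 0x1` under a policy needs. Because the policy digest is computed over the PCR values, sealing with the file produced here binds the unseal to those exact values; a later unseal must run TPM2_PolicyPCR in a real (non-trial) session so the TPM recomputes the same digest from the live PCRs, which is the step the thread notes tpm2-tools did not yet provide.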