tpm2-software / tpm2-tss-engine

OpenSSL Engine for TPM2 devices
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

Using tpm2_policyauthorize and OpenSSL / tss-engine #196

Closed isimckay closed 4 years ago

isimckay commented 4 years ago

My goal is to have a TLS key (used by OpenSSL) bound by a wildcard policy based on PCR. The approach is to generate the key and then unlock it using TPM tools, which hopefully would allow OpenSSL to access the unlocked key. I found an example of tpm2-tools key creation and OpenSSL usage in the tss-engine test file ecdsa-handle-flush.sh. I modified that test file to use RSA, and merged in an example from tpm2_policyauthorize. The resulting script is attached as a text file. rsa_pcr_tssengine.txt

The policyauthorize works up to setting the HANDLE, but when executing the first OpenSSL command I get the following error. What am I doing wrong (perhaps the policy session is flushed when the engine takes over)? Can anyone suggest a method of making this work?

+++ openssl pkeyutl -engine tpm2tss -keyform engine -inkey 0x81000000 -sign -in mydata.txt -out mysig -passin stdin
++ R='engine "tpm2tss" set.
WARNING:esys:src/tss2-esys/api/Esys_ReadPublic.c:320:Esys_ReadPublic_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ReadPublic.c:104:Esys_ReadPublic() Esys Finish ErrorCode (0x000009a2) '
++ grep --color=auto 'ErrorCode (0x000001c4)'
++ echo engine '"tpm2tss"' set. 'WARNING:esys:src/tss2-esys/api/Esys_ReadPublic.c:320:Esys_ReadPublic_Finish()' Received TPM Error 'ERROR:esys:src/tss2-esys/api/Esys_ReadPublic.c:104:Esys_ReadPublic()' Esys Finish ErrorCode '(0x000009a2)'
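Added note, not part of the issue thread: the `ErrorCode (0x000009a2)` in the trace above is a raw TPM return code, and the expected `0x000001c4` from the test script is another. The decoder below (example code, not from tpm2-tss or tpm2-tss-engine) splits such format-one codes into error name and the handle, session or parameter they refer to, following the TPM_RC layout in the TPM 2.0 Library specification, Part 2; the name table is a constructed subset.

```python
# Decoder for TPM 2.0 return codes (TPM_RC) in the "format-one" layout
# (TPM 2.0 Library Specification, Part 2, TPM_RC). Constructed example for
# reading Esys traces such as "Esys Finish ErrorCode (0x000009a2)".

RC_FMT1 = 0x080      # bit 7: format-one code (carries a handle/session/parameter number)
RC_P = 0x040         # bit 6: number refers to a parameter; clear = handle or session
RC_N_MASK = 0xF00    # bits 8-11: 1-based number; bit 11 set marks a session

# Subset of the format-one error names (constructed table); others decode as unknown.
FMT1_NAMES = {
    0x02: "TPM_RC_ATTRIBUTES", 0x04: "TPM_RC_VALUE", 0x05: "TPM_RC_HIERARCHY",
    0x0B: "TPM_RC_HANDLE", 0x0E: "TPM_RC_AUTH_FAIL", 0x15: "TPM_RC_SIZE",
    0x1C: "TPM_RC_KEY", 0x1D: "TPM_RC_POLICY_FAIL", 0x22: "TPM_RC_BAD_AUTH",
    0x24: "TPM_RC_POLICY_CC",
}


def decode_tpm_rc(rc: int) -> dict:
    """Split a TSS2 return code into layer, TPM_RC, error name and target.

    Only the TPM layer (layer 0 of the TSS2_RC layering) is decoded; codes
    raised by other TSS layers are reported with their layer number only.
    """
    layer = (rc >> 16) & 0xFF
    if layer != 0:
        return {"layer": layer, "tpm_rc": None, "name": None, "target": None}
    tpm_rc = rc & 0xFFFF
    if not tpm_rc & RC_FMT1:
        # Format-zero codes (TPM_RC_FAILURE, warnings such as TPM_RC_RETRY, ...)
        return {"layer": 0, "tpm_rc": tpm_rc, "name": "format-zero", "target": None}
    err = tpm_rc & 0x3F
    n = (tpm_rc & RC_N_MASK) >> 8
    if tpm_rc & RC_P:
        target = f"parameter {n}"
    elif n & 0x8:
        target = f"session {n & 0x7}"
    else:
        target = f"handle {n}"
    return {"layer": 0, "tpm_rc": tpm_rc,
            "name": FMT1_NAMES.get(err, f"unknown(0x{err:02x})"), "target": target}


if __name__ == "__main__":
    for code in (0x9A2, 0x1C4):   # the two codes appearing in the trace above
        print(hex(code), decode_tpm_rc(code))
```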

AndreasFuchsTPM commented 4 years ago

tpm2tss engine does not support policies. We want to add support for FAPI which would give you policies. Enabling policies with the current ESYS backend will probably never work, because we cannot inform the engine of the policy.