Closed TheBigFish closed 6 months ago
Hi @TheBigFish ,
Thank you for the report. I can reproduce it and will investigate. It seems to just be an issue with the endorsement hierarchy.
Can you tell me more about your TPM use case?
% ./examples/keygen/keygen -rsa -eh
TPM2.0 Key generation example
Key Blob: keyblob.bin
Algorithm: RSA
Template: AIK
Use Parameter Encryption: NULL
wolfSSL Entering wolfCrypt_Init
TPM2: Caps 0x00000000, Did 0x0000, Vid 0x0000, Rid 0x 0
TPM2_Startup pass
TPM2_SelfTest pass
TPM2_CreatePrimary: 0x80000000 (314 bytes)
TPM2_StartAuthSession: handle 0x3000002, algorithm NULL
TPM2_StartAuthSession: sessionHandle 0x3000002
policySecret applied on session
RSA AIK template
Creating new RSA key...
TPM2_Create key failed 2466: TPM_RC_BAD_AUTH: Authorization failure without DA implications
wolfTPM2_CreateKey failed
Failure 0x9a2: TPM_RC_BAD_AUTH: Authorization failure without DA implications
TPM2_FlushContext: Closed handle 0x80000000
wolfSSL Entering wolfCrypt_Cleanup
I use the ftpm as a DTA in optee_os as TA1, and use wolftpm and wolfssl in another DTA as TA2. In TA2, I call keygen with "-rsa -eh". Is this information enough?
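As an added example (not wolfTPM code and not part of this thread), the following decoder splits the response code from the log above into its TPM 2.0 format-1 fields. The two values reported, 2466 and 0x9a2, are the same code: bit 7 marks a format-1 code, the low six bits give TPM_RC_BAD_AUTH (0x022), and the N/S bits point at session 1, i.e. the authorization session started by TPM2_StartAuthSession in the log rather than a handle or parameter. The log-scanning regexes are assumptions modelled only on the two failure lines printed by keygen here, the sample log is a constructed copy of those lines, and the error-name table covers a subset of the TPM_RC values from TPM 2.0 Part 2.

```python
import re

# Format-1 (RC_FMT1) error numbers, subset of TPM 2.0 Part 2 "TPM_RC" values.
FMT1_NAMES = {
    0x002: "TPM_RC_ATTRIBUTES",
    0x004: "TPM_RC_VALUE",
    0x00B: "TPM_RC_HANDLE",
    0x00E: "TPM_RC_AUTH_FAIL",    # HMAC check failed; counted for DA lockout
    0x015: "TPM_RC_SIZE",
    0x01D: "TPM_RC_POLICY_FAIL",
    0x022: "TPM_RC_BAD_AUTH",     # authorization failure without DA implications
}

RC_FMT1 = 0x080  # bit 7: format-1 code (error is tied to a handle/session/parameter)
RC_P = 0x040     # bit 6: number N refers to a parameter
RC_S = 0x800     # bit 11 (only meaningful when P is 0): N refers to a session
RC_N_SHIFT = 8   # bits 8..11 hold the 1-based number N


def decode_tpm_rc(rc):
    """Split a TPM2 response code into format, error number and the thing it blames."""
    if rc & RC_FMT1 == 0:
        # Format-0 codes (SUCCESS, RC_VER1, RC_WARN ...) carry no handle/session index.
        return {"format": 0, "code": rc, "name": None, "kind": None, "number": None}
    error = rc & 0x3F
    if rc & RC_P:
        kind, number = "parameter", (rc >> RC_N_SHIFT) & 0xF
    elif rc & RC_S:
        kind, number = "session", (rc >> RC_N_SHIFT) & 0x7
    else:
        kind, number = "handle", (rc >> RC_N_SHIFT) & 0x7
    return {
        "format": 1,
        "code": rc,
        "error": error,
        "name": FMT1_NAMES.get(error, "RC_FMT1+0x%03x" % error),
        "kind": kind,
        "number": number,
    }


def counts_toward_da_lockout(decoded):
    """TPM_RC_AUTH_FAIL increments the dictionary-attack counter; TPM_RC_BAD_AUTH does not."""
    return decoded.get("format") == 1 and decoded.get("error") == 0x00E


# Assumed line shapes, taken from the two failure lines wolfTPM's keygen printed above:
#   'TPM2_Create key failed 2466: TPM_RC_BAD_AUTH: ...'   (decimal rc)
#   'Failure 0x9a2: TPM_RC_BAD_AUTH: ...'                 (hex rc)
_FAILED_RE = re.compile(r"^(?P<src>\S+) .*?failed (?P<rc>\d+):")
_FAILURE_RE = re.compile(r"^Failure (?P<rc>0x[0-9A-Fa-f]+):")


def scan_wolftpm_log(lines):
    """Return (source, decoded_rc) pairs for every log line that reports a response code."""
    results = []
    for line in lines:
        m = _FAILED_RE.match(line)
        if m:
            results.append((m.group("src"), decode_tpm_rc(int(m.group("rc")))))
            continue
        m = _FAILURE_RE.match(line)
        if m:
            results.append(("Failure", decode_tpm_rc(int(m.group("rc"), 16))))
    return results


# Constructed sample: a copy of the keygen -rsa -eh output quoted in this thread.
SAMPLE_LOG = [
    "TPM2_CreatePrimary: 0x80000000 (314 bytes)",
    "TPM2_StartAuthSession: handle 0x3000002, algorithm NULL",
    "policySecret applied on session",
    "Creating new RSA key...",
    "TPM2_Create key failed 2466: TPM_RC_BAD_AUTH: Authorization failure without DA implications",
    "wolfTPM2_CreateKey failed",
    "Failure 0x9a2: TPM_RC_BAD_AUTH: Authorization failure without DA implications",
    "TPM2_FlushContext: Closed handle 0x80000000",
]

if __name__ == "__main__":
    for src, d in scan_wolftpm_log(SAMPLE_LOG):
        print("%s -> 0x%03x %s on %s %s (DA counted: %s)"
              % (src, d["code"], d["name"], d["kind"], d["number"],
                 counts_toward_da_lockout(d)))
```

Running it on the sample log attributes both failure lines to session 1 with TPM_RC_BAD_AUTH, which is the kind of auth failure the TPM does not count against the dictionary-attack lockout, so repeated test runs against a simulator like this one will not trip DA protection while the session setup is being debugged.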
Hi @TheBigFish ,
The keygen -rsa -eh successfully creates a primary handle for the EH, however it fails with an auth error when trying to create a child RSA key. I've tried to find some examples of this working with tpm2_tools, but I'm not seeing any. Do you have some working examples of using the EH you can share?
What are you planning to use the child EH key for? Is this a make/activate credential? If so you might have luck with ./examples/attestation/make_credential and ./examples/attestation/activate_credential.
Thanks, David Garske, wolfSSL
Hi @dgarske I just checked the README in examples/attestation, and got this:
Note: All of these examples allow the use of the Endorsement Key and Attestation Key under the Endorsement Hierarchy. This is done by adding the -eh option when executing any of the three examples above.
The first step in "Example usage" is $ ./examples/keygen/keygen -rsa, so I added -eh to test it, then got an error.
Thanks!
Hi @TheBigFish ,
Thank you for pointing that out. I'll continue to investigate.
Thanks, David Garske, wolfSSL
FYI: This issue is now documented in our CI testing here: https://github.com/wolfSSL/wolfTPM/blob/master/examples/run_examples.sh#L105 I plan to work on resolving this next week. It seems the policy secret code around the use of -eh is broken.
Hi @TheBigFish ,
I finally made time to resolve the endorsement key issues. The problem was very minor with a change to not use created loaded and also an issue with not populating the "name" field correctly. Fixes have been pushed to: https://github.com/wolfSSL/wolfTPM/pull/320
Thanks, David Garske, wolfSSL
I am trying to test wolftpm with ftpm (ms-tpm-20-ref). With keygen -rsa it works fine, but when I add the parameter -eh, as keygen -rsa -eh, I get the error: Failure 0x9a2: TPM_RC_BAD_AUTH: Authorization failure without DA implications
Thanks!