Hi, have been playing around with tpm2 tools and tss engine for openssl for a while.
Also reading Practical Guide to TPM 2.0.
I have found all the resources in the tpm2-tools readme and wiki and beyond quite helpful
in getting started.
The book (chapter 10) talks about the primary seeds for the hierarchy, and how any amount
of key hierarchies can be extended from the primary keys. Primary keys are derived from
the primary seeds. My understanding is that the seeds are unique and permanent in the tpm.
I was anticipating that tpm2_createprimary could be used to get back to the primary key
(given the same inputs/template) no matter what data is cleared or erased.
Running tpm2_createprimary twice yields same result as evidenced by the rsa value, as
yields a totally different key, as can be seen from the resulting rsa value.
This is also consistent with the manpage of tpm2_clear:
"Clears lockout, endorsement and owner hierarchy authorization values." and
"NOTE: All objects created under the respective hierarchies are lost."
This makes tpm2_clear seem like an exceptionally dangerous command, if I run it once
(inadvertently perhaps), I've now destroyed all use of all keys ever created on the
system. Yet, based on what I thought I understood about the primary seeds, I'd always
be able to derive back to a key value.
So, what am I missing?
Feel free to link in references.
A side question:
I am unable to create a primary Platform key (owner, endorsement, and null work). Looks
like authorization is expected.
Is this an expected result based on how the TPM is configured from the chip vendor? In
this case Infineon.
Here is the output:
$ tpm2_createprimary -C p -c platform_primary.ctx
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish
ERROR: Esys_CreatePrimary(0x9A2) - tpm:session(1):authorization failure without DA
ERROR: Unable to run tpm2_createprimary
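An added example (not part of the original post): a small shell script that creates a primary key twice from the same template, exports the public half, and compares fingerprints, so the reproducibility the poster describes can be checked before and after a hierarchy is cleared. It assumes tpm2-tools (tpm2_createprimary, tpm2_readpublic) are installed, a TPM or simulator is reachable, and sha256sum is available; the hierarchy letter, file names and the --run flag are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a primary key is
# reproducible across tpm2_createprimary calls and records a fingerprint that can
# be compared again later. Assumes tpm2-tools and a reachable TPM or simulator.
set -eu

# Create a primary under hierarchy $1 (o=owner, e=endorsement, p=platform, n=null)
# with a fixed template, and export its public half as PEM into $2.
make_primary_pem() {
    hier="$1"; out="$2"
    ctx="$(mktemp)"
    tpm2_createprimary -C "$hier" -G rsa2048 -g sha256 -c "$ctx" >/dev/null
    tpm2_readpublic -c "$ctx" -f pem -o "$out" >/dev/null
    rm -f "$ctx"
}

# Fingerprint of a PEM public key: sha256 over its bytes with line endings and
# spaces stripped, so CRLF/LF differences do not produce a false mismatch.
fingerprint() {
    tr -d '\r\n ' < "$1" | sha256sum | cut -d' ' -f1
}

# Exit 0 if the two PEM files hold the same public key, 1 otherwise.
same_key() {
    [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

main() {
    make_primary_pem o first.pem
    make_primary_pem o second.pem
    if same_key first.pem second.pem; then
        echo "owner primary is reproducible from the same template"
    else
        echo "owner primary differs between calls (seed changed?)"
    fi
    echo "fingerprint to keep for later comparison: $(fingerprint first.pem)"
    # TPM2_Clear regenerates the Storage Primary Seed, so a primary created under
    # the owner hierarchy after a clear will not match first.pem even with the
    # same template; the endorsement seed is only changed by TPM2_ChangeEPS.
}

# Only touch the TPM when explicitly asked; the functions can be sourced elsewhere.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh check_primary.sh --run`, keep the printed fingerprint, and re-run after any tpm2_clear to confirm whether the owner primary still matches.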