Yes, sessions (no matter if policy or hmac or trial) are not virtualized.

I assume tpm2-abrmd to be conforming to the spec.
If you find any deviation, they'll most happily fix them


From: Yasuhiro Hosoda [hosoda-yasuhiro@ntt-el.com]
Sent: Wednesday, April 11, 2018 10:38
To: Fuchs, Andreas; tpm2@lists.01.org
Subject: Re: [tpm2] tpm2-tss question

Thank you very much for your answer.

I understand that the spec. is that the handles of policy session are
not virtualized

I check the source programs of the resource managers.
(TPM2,0-TSS-1.0 and tpm2-abrmd-1.2.0)
It seems that HMAC sessions and Policy sessions are handled
in the same way. Do you have any comment comment about
implementations?

According to the spec, only key and sequence handles are virtualized.

Thus for PolicySecret, the virtual and TPM handles for policySession shall be the same.

For keys and sequences (such as authHandle in PolicySecret) the virtual and TPM handles differ.
But instead of the handle the key's / sequence's public name is used within the hmac calculation.

Hope this helps...


From: tpm2 [tpm2-bounces@lists.01.org] on behalf of Yasuhiro Hosoda [hosoda-yasuhiro@ntt-el.com]
Sent: Wednesday, April 11, 2018 08:11
To: william.c.roberts@intel.com; tpm2@lists.01.org
Subject: Re: [tpm2] tpm2-tss question

I have one finding about the RM and PolicySecret command,

It says in page 10 of the following document
"TCG TSS 2.0 TAB and Resource Manager specification"
https://trustedcomputinggroup.org/wp-content/uploads/TSS-2.0-TAB-Resource-Manager-SpecVer1.0-Rev18_review_END030918.pdf
that
"
The RM performs a mapping from the (unchanging) virtual handle to the (currently assigned) TPM
handle. It replaces the virtual handle with the TPM handle in the TPM command packet.

NOTE: The TPM 2.0 library specification excludes the handle from command stream HMAC calculations to enable this
substitution."
This means that if the virtual handle and the (currently assigned) TPM differs,
the HMAC calculations for most of the commands go well.

But, the PolicySecret command takes the policy handle to extend as a parameter for HMAC.
If, the virtual handle and the (currently assigned) TPM differs, the HMAC calculations
for this command doesn't go well and produces the error code 0x98e.
Is my understanding right?
If so, is there any workaround?

Thank you in advance.