Our requirement is to encrypt the given data (for example, private key) with TPM key.
As and when required, decrypt the data using the TPM key and use it in the application.
To address this requirement, did the following.
First time initialization:
- Generated primary key under owner hierarchy
- Created the TPM symmetric key (which is used to encrypt/decrypt application data)
under the primary key.
- Used Esys_EvictControl() to store the TPM key handle in the TPM persistent memory
- Used Esys_TR_FromTPMPublic() to fetch existing TPM key handle from the persistent memory
- Used Esys_EncryptDecrypt() to encrypt/decrypt the given data
Is this the right approach?
It worked fine with simulator. However, it failed with "command code not supported" error
with TPM device.
WARNING:esys:src/tss2-esys/api/Esys_EncryptDecrypt.c:324:Esys_EncryptDecrypt_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_EncryptDecrypt.c:110:Esys_EncryptDecrypt() Esys Finish ErrorCode (0x00000143)
versa_tpm2_encrypt_decrypt.382: Esys_EncryptDecrypt failed; rc 0x143
main#568: Wrote 0 bytes of data
[admin@TPM2-VersaCSG-Ashok: ~] $ tpm2_rc_decode 0x143
description: Error produced by the TPM
format 0 error code
description: command code not supported
From the tpm2_dump_capability, looks like Esys_EncryptDecrypt() and Esys_EncryptDecrypt2() are not supported.
For our usecase, what could be the right alternative method to use? Shall we use
Esys_RSA_Encrypt()? In that case, which scheme is better? TPM2_ALG_RSAES or