Thanks Bill. I use this:
Esys_Initialize(&ectx, NULL, NULL);
so I'm assuming it would take the default.

If I need to debug Esys_ActivateCredential more, how can I do it? These APIs are no longer standalone: I have integrated them in a bigger code base and added the esys-tss2 and other libs in my poky build, so now it runs as a different process that invokes this function. I can gdb into the process, but I can't seem to gdb into Esys_Activate..( ).


On Thu, Apr 9, 2020 at 10:23 AM Roberts, William C wrote:
> -----Original Message-----
> From: Rahul Hardikar
> Sent: Thursday, April 9, 2020 11:18 AM
> To: Desai, Imran
> Subject: [tpm2] Re: ESys_ActivateCredential
>
> How do I know if RM is being used?

If you set the tcti to the device tcti, it will open /dev/tpm0 by default, and that won't
be an RM. You can also give it an option. Esys_Initialize() takes a tcti as an option;
NULL will cause it to use the default search behavior of the Tss2_TctiLdr, see:

You can use man locally if you prefer as well:
man 3 Tss2_TctiLdr_Initialize
man 7 tss2-tcti-device
man 3 Tss2_Tcti_Device_Init

Note that
Has sample code in it.

If you're using the tools, they support explicitly choosing the TCTI:

Also note that the /dev/tpmrm0 (Notice the RM) is an in-kernel resource manager.

> When I do ESys_Initialize, I see these WARNINGs, wondering if it's okay for multi-thread
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: <> libtss2-tcti- <>
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: <>
>
> In my single threaded process, everything works so smoothly
> [root]# ./tpm
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: <>
> WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: <>
> ESYS Initialization: Pass
> Read TPM EK Certificate: Pass
> TPM EK Certificate Root-CA Verification: Pass
> Clear TPM State: Pass
> Created EK Primary object: Pass
> #####Handle 0x418368
> Create Attestation Key: Pass
> #####Ak_Handle 0x41836b
> Original Credential="deadbeefdeadbeefdead"
> Make Credential: Pass
> #####Encrypted Credential
> Blob="0020508e439bc6512d044bb8739e8d61c8ce3664d25f3572389b46c8797e562a
> 45c412864f020a7f1bbcab7a34f0"
> #####Encrypted Secret=
> Activating Credential: Pass
> #####Recovered Credential="deadbeefdeadbeefdead"
> [root]#
> On Wed, Apr 8, 2020 at 7:02 PM Rahul Hardikar wrote:
>       Thanks guys, I'll try this, but I also wanted to know if there is a way to
> know if the TPM still has the EK and AK keys loaded? I have the EK handle and AK
> handle (not made persistent), but I want to make sure they're present, as these are
> necessary for ActivateCredential to succeed.
>       ESys_ActivateCredential complaining about the secret parameter doesn't
> make sense to me. I tested on the server side: ak_name is the same as that sent, and so is
> the EK_PUB object as well as the EK_Cert in nvram. I call the same
> external_makecredential call that's in the GitHub to create the secret, and made sure
> secret,credblob matches on the client side when received from the server.
>       Thanks,
>       Rahul
>       On Tue, Mar 17, 2020 at 6:19 AM Imran Desai wrote:
>               Set this up with all handles in use made persistent. If you still see
> issues, gdb-break or turn on debug logging at the Esys call and compare the
> function arguments.
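
Added example, not part of the thread and not tpm2-tss code: a check an application can run on the "name:conf" string it is about to hand to Tss2_TctiLdr_Initialize(), to answer "is an RM being used?" before Esys_Initialize() is called. The enum and function names are hypothetical, the accepted name forms (short name, library file name, optional ":conf") are taken from the Tss2_TctiLdr_Initialize man page, and treating the `tabrmd` TCTI as a user-space resource manager is an assumption the thread does not state.

```c
#include <stdio.h>
#include <string.h>

typedef enum {
    TCTI_LOADER_SEARCH, /* NULL/empty: the loader's default search decides */
    TCTI_DEVICE_DIRECT, /* device TCTI on a raw node such as /dev/tpm0 */
    TCTI_KERNEL_RM,     /* device TCTI on /dev/tpmrm<N>, the in-kernel RM */
    TCTI_USERSPACE_RM,  /* tabrmd TCTI (assumption: tpm2-abrmd daemon) */
    TCTI_OTHER          /* anything else, e.g. a simulator TCTI */
} tcti_kind;

/* Strip a directory, the "libtss2-tcti-" prefix and the ".so*" suffix. */
static size_t short_name(const char **s, size_t len)
{
    static const char prefix[] = "libtss2-tcti-";
    const size_t plen = sizeof(prefix) - 1;
    for (size_t i = len; i > 0; i--)
        if ((*s)[i - 1] == '/') { *s += i; len -= i; break; }
    if (len > plen && strncmp(*s, prefix, plen) == 0) {
        *s += plen; len -= plen;
        const char *dot = memchr(*s, '.', len);
        if (dot) len = (size_t)(dot - *s);
    }
    return len;
}

/* Classify the string that would be passed to Tss2_TctiLdr_Initialize(). */
tcti_kind classify_tcti(const char *nameconf)
{
    if (nameconf == NULL || *nameconf == '\0') return TCTI_LOADER_SEARCH;
    const char *colon = strchr(nameconf, ':');
    const char *conf = colon ? colon + 1 : "";
    const char *name = nameconf;
    size_t nlen = short_name(&name, colon ? (size_t)(colon - nameconf)
                                          : strlen(nameconf));
    if (nlen == 6 && memcmp(name, "tabrmd", 6) == 0) return TCTI_USERSPACE_RM;
    if (nlen != 6 || memcmp(name, "device", 6) != 0) return TCTI_OTHER;
    /* Per the reply above: with no path the device TCTI opens /dev/tpm0. */
    if (strncmp(conf, "/dev/tpmrm", 10) == 0) return TCTI_KERNEL_RM;
    return TCTI_DEVICE_DIRECT;
}

int main(void)
{
    const char *s[] = { NULL, "device", "device:/dev/tpmrm0", /* constructed */
                        "libtss2-tcti-tabrmd.so.0" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%s -> %d\n", s[i] ? s[i] : "(NULL)", classify_tcti(s[i]));
    return 0;
}
```

A result of `TCTI_LOADER_SEARCH` means the answer depends on which TCTI libraries and device nodes exist on the target image, so pinning an explicit string is the way to get a deterministic choice.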