+ Imran

> I think creating a loaded key in a persistent handle is a separate
> optional command not every TPM implements. 

The command to make a handle persistent is TPM2_EvictControl, and it is mandatory per the PC Client Spec.

>  I don't know why the tool
> doesn't just use getcap to figure this out and make a multi step
> create-load-evict process when the one-step command is unavailable but
> there you are.

I think you're referring to the -c option on tpm2_create, which doesn't create a persistent object, but rather invokes the createloaded command and returns a transient object that is loaded.

That was actually a bad decision on my part, because when it comes to creating cpHashes for policies, we now are invoking a different command, which also has different inputs and outputs than tpm2_create and tpm2_load.

I thought there was a bug in tpm2-tools to implement this feature, but perhaps it got dropped or completed. Imran, any plans on this?

On Sun, Nov 7, 2021 at 11:38 PM Christian Plappert
<christian.plappert@sit.fraunhofer.de> wrote:
>
> Hi,
>
> for me it looks like that you use the fapi tools (tss2 command prefix)
> with the swtpm and the esapi tools (tpm2 command prefix) with the device
> tpm (since you did not specify anything). If you call the esapi tools
> with the swtpm as TCTI (-T swtpm), all commands should target the swtpm.
>
>
> I tried your commands like this and it works for me ("-T swtpm" for the
> esapi tools is important):
>
>
> ```
> - tss2_provision
> - tpm2_getcap -T swtpm handles-persistent
> - tss2_createkey --path="/P_ECCP256SHA256/HS/SRK/device_key" --type="sign, decrypt, noDa, 0x81020001" --authValue=""
> - tpm2_getcap -T swtpm handles-persistent
> ```
>
> Best,
> Christian
>
>
>
>
>
> On 02.11.21 05:41, z4pu@pm.me wrote:
> > Hello everyone
> >
> > I am having issues using the Feature_API to create a key under the `/P_ECCP256SHA256/HS/SRK/` path. This is using `tss2_createkey` as well as using the Feature API programmatically. The issue is that I am able to generate a key at the path, but I am never able to set a persistent handle for it.
> >
> > I would like to set a persistent handle for my child key as I am looking to use https://github.com/tpm2-software/tpm2-tss-engine/ programmatically. When loading a key using the engine library, according to https://github.com/tpm2-software/tpm2-tss-engine/blob/89327fa8b51962348c46ddc659fb8c3636336a60/src/tpm2-tss-engine.c#L190-L191, I can  load a key by:
> > - specifying the persistent handle or
> > - providing the path to the encrypted TSS key file.
> >
> > I am using the following:
> > - Ubuntu 20.04
> > - swtpm --version: TPM emulator version 0.7.0, Copyright (c) 2014-2021 IBM Corp. This is running in a Docker container exposing ports 2322 and 2321 using `docker run --name swtpm -p 2322:2322 -p 2321:2321 --rm --detach swtpm:latest`
> > - https://github.com/tpm2-software/tpm2-tss: latest master branch, based on release 2.4.6
> > - https://github.com/tpm2-software/tpm2-tools: latest master branch, based on 5.2 2021-09-28
> >
> > fapi-config.json :
> > ```
> > {
> >       "profile_name": "P_ECCP256SHA256",
> >       "profile_dir": "/usr/local/etc/tpm2-tss/fapi-profiles/",
> >       "user_dir": "~/.local/share/tpm2-tss/user/keystore",
> >       "system_dir": "/usr/local/var/lib/tpm2-tss/system/keystore",
> >       "tcti": "swtpm:port=2321",
> >       "ek_cert_less":"YES",
> >       "system_pcrs" : [],
> >       "log_dir" : "/usr/local/var/run/tpm2-tss/eventlog/"
> > }
> > ```
> > The profiles at /usr/local/etc/tpm2-tss/fapi-profiles are the defaults:
> > ```
> > cat /usr/local/etc/tpm2-tss/fapi-profiles/P_ECCP256SHA256.json
> > {
> >      "type": "TPM2_ALG_ECC",
> >      "nameAlg":"TPM2_ALG_SHA256",
> >      "srk_template": "system,restricted,decrypt,0x81000001",
> >      "srk_description": "Storage root key SRK",
> >      "srk_persistent": 0,
> >      "ek_template":  "system,restricted,decrypt",
> >      "ek_description": "Endorsement key EK",
> >      "ecc_signing_scheme": {
> >          "scheme":"TPM2_ALG_ECDSA",
> >          "details":{
> >              "hashAlg":"TPM2_ALG_SHA256"
> >          },
> >      },
> >      "sym_mode":"TPM2_ALG_CFB",
> >      "sym_parameters": {
> >          "algorithm":"TPM2_ALG_AES",
> >          "keyBits":"128",
> >          "mode":"TPM2_ALG_CFB"
> >      },
> >      "sym_block_size": 16,
> >      "pcr_selection": [
> >         { "hash": "TPM2_ALG_SHA1",
> >           "pcrSelect": [ ],
> >         },
> >         { "hash": "TPM2_ALG_SHA256",
> >           "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
> >         }
> >      ],
> >      "curveID": "TPM2_ECC_NIST_P256",
> >      "ek_policy": {
> >          "description": "Endorsement hierarchy used for policy secret.",
> >          "policy":[
> >              {
> >                  "type":"POLICYSECRET",
> >                  "objectName": "4000000b",
> >              }
> >          ]
> >      }
> > }
> > ```
> > I'm also making sure to remove the following folders in between my experiments:
> > - /usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256
> > -  /root/.local/share/tpm2-tss/user/keystore/P_ECCP256SHA256 (as my Docker container is running as root)
> > - ~/.local/share/tpm2-tss/user/keystore/P_ECCP256SHA256
> >
> > The handle I am choosing for the child key is `0x81020001`, based on my reading of Table 7 and the surrounding text at https://www.trustedcomputinggroup.org/wp-content/uploads/131011-Registry-of-reserved-TPM2-handles-and-localities.pdf
> >
> > The sequence of commands I am running as root is:
> > - tss2_provision to provision the TPM
> > - tpm2_getcap handles-persistent to list the used handles: Output is `- 0x81800000 - 0x81800001`
> > - tss2_list to confirm that the keys under the hierarchies have been created. Output is `/P_ECCP256SHA256/HN:/P_ECCP256SHA256/HE:/P_ECCP256SHA256/HE/EK:/P_ECCP256SHA256/LOCKOUT:/P_ECCP256SHA256/HS/SRK:/P_ECCP256SHA256/HS`
> > - tss2_createkey --path="/P_ECCP256SHA256/HS/SRK/device_key"  --type="sign, decrypt, noDa, 0x81020001" --authValue=""
> > - tss2_list again, Output is `/P_ECCP256SHA256/HN:/P_ECCP256SHA256/HE:/P_ECCP256SHA256/HE/EK:/P_ECCP256SHA256/LOCKOUT:/P_ECCP256SHA256/HS/SRK:/P_ECCP256SHA256/HS:/P_ECCP256SHA256/HS/SRK/device_key`
> > - tpm2_getcap handles-persistent does not list the requested handle: Output is `- 0x81800000 - 0x81800001`
> >
> > However, when I restart the TPM, and do not provision it, I can run the following commands as root to generate a child key and the parent key with a persistent handle:
> > - tpm2_getcap handles-persistent: Output is `- 0x81800000 - 0x81800001`
> > - tpm2_createprimary --hierarchy=o --key-algorithm=ecc256 --key-context=owner_primary.ctx --format=pem --output=owner_primary_public_key.pem
> > output is
> > ```
> > name-alg:
> >    value: sha256
> >    raw: 0xb
> > attributes:
> >    value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
> >    raw: 0x30072
> > type:
> >    value: ecc
> >    raw: 0x23
> > curve-id:
> >    value: NIST p256
> >    raw: 0x3
> > kdfa-alg:
> >    value: null
> >    raw: 0x10
> > kdfa-halg:
> >    value: (null)
> >    raw: 0x0
> > scheme:
> >    value: null
> >    raw: 0x10
> > scheme-halg:
> >    value: (null)
> >    raw: 0x0
> > sym-alg:
> >    value: aes
> >    raw: 0x6
> > sym-mode:
> >    value: cfb
> >    raw: 0x43
> > sym-keybits: 128
> > x: 9eecfa05a9a8ddadc8adabe4c9ce3d34b60afe0fd35cc799e28badc638cae6ad
> > y: 30dfc43266c2aa3480f31366ac5d189abf793dae100f30b50b344b7207f03994
> > ```
> > - tpm2_create --parent-context=owner_primary.ctx --key-algorithm=ecc256 --public=child_public.key --private=child_private.key
> > Output is
> > ```
> > name-alg:
> >    value: sha256
> >    raw: 0xb
> > attributes:
> >    value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
> >    raw: 0x60072
> > type:
> >    value: ecc
> >    raw: 0x23
> > curve-id:
> >    value: NIST p256
> >    raw: 0x3
> > kdfa-alg:
> >    value: null
> >    raw: 0x10
> > kdfa-halg:
> >    value: (null)
> >    raw: 0x0
> > scheme:
> >    value: null
> >    raw: 0x10
> > scheme-halg:
> >    value: (null)
> >    raw: 0x0
> > sym-alg:
> >    value: null
> >    raw: 0x10
> > sym-mode:
> >    value: (null)
> >    raw: 0x0
> > sym-keybits: 0
> > x: 801553461b62972e1e3894e1baa1d56196774f829285f714a163c63a57a219de
> > y: ebfd148f186f2560a0a6713b5f6f50bfaa39b7a320304f8620c36bdee4dfa379
> > ```
> > - tpm2_load --parent-context=owner_primary.ctx --public=child_public.key --private=child_private.key --key-context=child_key.ctx
> > Output is `name: 000b18738b4a5366d3f863920c7b98db696c723fd88e030b7cad32e1d3ac33e6fb6c`
> > - tpm2_evictcontrol --hierarchy=o --object-context=child_key.ctx 0x81020001
> > Output is
> > ```
> > persistent-handle: 0x81020001
> > action: persisted
> > ```
> > - tpm2_evictcontrol --hierarchy=o --object-context=owner_primary.ctx 0x81010001
> > Output is
> > ```
> > persistent-handle: 0x81010001
> > action: persisted
> > ```
> > - tpm2_getcap handles-persistent
> > Output is
> > ```
> > - 0x81010001
> > - 0x81020001
> > - 0x81800000
> > - 0x81800001
> > ```
> > - tss2_list
> > Output is an error message
> > ```
> > WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:216:Fapi_List_Finish() Path not found:
> > ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
> > Fapi_List(0x60034) - fapi:Provisioning was not executed.
> > ```
> > There isn't anything in `/usr/local/var/run/tpm2-tss/eventlog/` for me to look at, possibly because of the Dockerised setup.
> >
> > I can later delete these persistent handles using e.g. tpm2_evictcontrol --hierarchy=o --object-context=0x81020001
> >
> > Thanks very much in advance
> >
> > Cheers
> > z.
> > _______________________________________________
> > tpm2 mailing list -- tpm2@lists.01.org
> > To unsubscribe send an email to tpm2-leave@lists.01.org
> > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
> >
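The root cause in this thread is that the FAPI tools read their TCTI from fapi-config.json while the ESAPI tools default to the device TPM, so the two sets of commands can silently talk to different TPMs. The following added example (not code from the thread or from tpm2-tss) derives the matching `-T` argument from the config and checks whether the handle requested in a `tss2_createkey --type` string actually shows up in `tpm2_getcap handles-persistent` output; the config text and getcap listings are constructed from the values posted above, and the function names are assumptions.

```python
"""Check that tss2_* and tpm2_* target the same TPM, and that a requested
persistent handle really appeared.  Added example; names are assumptions."""
import json
import re

# TPM 2.0 persistent-handle range (handle type 0x81, HR_PERSISTENT).
PERSISTENT_MIN, PERSISTENT_MAX = 0x81000000, 0x81FFFFFF

# Constructed, trimmed copy of the fapi-config.json from the thread.
FAPI_CONFIG = """{
  "profile_name": "P_ECCP256SHA256",
  "tcti": "swtpm:port=2321",
  "ek_cert_less": "YES"
}"""


def fapi_tcti(config_text: str) -> str:
    """Return the TCTI string the FAPI tools (tss2_*) will use."""
    return json.loads(config_text)["tcti"]


def esapi_tcti_args(tcti: str) -> list:
    """The -T argument the ESAPI tools (tpm2_*) need to reach the same TPM."""
    return ["-T", tcti]


def requested_handle(key_type: str):
    """Extract the persistent handle from a tss2_createkey --type string.

    Returns None when no handle was requested; rejects handles outside
    the persistent range, which the TPM would refuse anyway.
    """
    for tok in (t.strip() for t in key_type.split(",")):
        if re.fullmatch(r"0x[0-9a-fA-F]+", tok):
            handle = int(tok, 16)
            if not PERSISTENT_MIN <= handle <= PERSISTENT_MAX:
                raise ValueError(f"{tok} is not a persistent handle")
            return handle
    return None


def persistent_handles(getcap_output: str) -> set:
    """Parse the '- 0x8...' list printed by `tpm2_getcap handles-persistent`."""
    return {int(h, 16) for h in re.findall(r"-\s*(0x[0-9a-fA-F]+)", getcap_output)}


def verify_persisted(key_type: str, getcap_output: str) -> bool:
    """True only if the handle asked for in --type is listed by getcap."""
    handle = requested_handle(key_type)
    return handle is not None and handle in persistent_handles(getcap_output)
```

Run `tpm2_getcap` with `esapi_tcti_args(fapi_tcti(...))` prepended; if `verify_persisted` is still False afterwards, the key was created but never evicted to the requested handle.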