This is one thing I can't understand.
I want to use an RSA key (not persistent). Why should I use NV?
Is this shared password set for the NV index used to generate the session key
to read the RSA key?
Could you explain?
On 2018-03-28 at 09:25, Fuchs, Andreas wrote:
I'd also recommend using ESAPI for this.
Basically, what you do is:
- Esys_TR_Deserialize or Esys_Load some well-known key of the target TPM
- Esys_StartAuthSession() Use the well-known key as tpmkey here. This protects against
man-in-the-middle attacks on the session itself if you're not using an authValue on
- Esys_TRSess_SetAttribute(session, TPMA_SESSION_DECRYPT, TPMA_SESSION_DECRYPT) This
makes the session use encryption. (Flag names are from the perspective of the TPM)
- Esys_NV_Write() using the session will automatically encrypt your first parameter and
also authenticate the command.
Alternatively, you can also do:
- Esys_TRSess_SetAttribute(session, TPMA_SESSION_ENCRYPT, TPMA_SESSION_ENCRYPT)
A simple example on talking to NV-Space can be found in
An example for encrypted sessions here:
From: Roberts, William C [william.c.roberts(a)intel.com]
Sent: Wednesday, March 28, 2018 03:56
To: Tomasz Przybysz; tpm2(a)lists.01.org; Fuchs, Andreas
Subject: RE: [tpm2] How to protect and encrypt communication between host and TPM
> -----Original Message-----
> From: tpm2 [mailto:email@example.com] On Behalf Of Tomasz Przybysz
> Sent: Monday, March 26, 2018 11:55 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] How to protect and encrypt communication between host and
> Hi, we are working on TPM 2.0 integration with our devices.
> We use an Infineon TPM 2.0 chip and it works as expected.
> We are using the tpm2-tss 1.4.0 library.
> We want to use a transient RSA key generated inside the device. The key is of course
> protected by its parent password, but we want to protect the i2c communication
> between the host and the TPM chip. We want the communication to be encrypted; we don't
> want to send the parent's password or the key's password in clear text.
> We have found a good example, tpmclient.int.cpp, but it is an example of how to
> encrypt access to an NV index. There is nothing about RSA keys.
> How do we call Tss2_Sys_Create to create an RSA key and then set a password to use
> with a session protected by TPM2_SE_HMAC and a password?
If you can work off of master until the next tss release, I think encrypted sessions is
one of the things that the ESAPI makes easier. Andreas, care to elaborate?
> In the example there are StartAuthSessionWithParams and StartAuthSession.
> There is a KDFa function called, but we need some shared password to create the
> session key.
> Which shared keys? Is this the parent's key password or the key's password?
> Thanks in advance,