Hello Slash,
On 09/29/2017 06:33 AM, Slash Wu wrote:
> Hi Javier,
> Thanks so much for the prompt reply.
> Currently I defined an NV index like below. Do you know if tpm2_unseal is capable of a
> 'policywrite' to this NV Space? And if it does, can you please give me an example of
> how?
> 0. NV Index: 0x1800001
> {
> Hash algorithm(nameAlg):11
> attributes:
> policywrite|policydelete|authread|no_da|written|platformcreate(0x8040462)
> The size of the data area(dataSize):70
> Authorization Policy for R/W/D:
> C001C8000210D0FAA4F4F4F8A78EF4F8264E6F8555340D2F04180F8CF110FFDD
> }
TPM2_Unseal doesn't write to the TPM2 but instead returns the data in a loaded
Sealed Data Object. So in a way, it's similar to what TPM2_NV_Read does.
Also, the Handle space is split for the different TPM2 resources. So for example,
NV Index Areas start at 0x01000000, Transient Objects at 0x80000000 and Persistent
Objects at 0x81000000. This means that each set of commands is only supposed to
be used within the Handle range of the resources that they manage.
The similar operation to what you want to do (TPM2_NV_Write), would be to create
a Sealed Data Object with TPM2_Create, load it to the TPM with TPM2_Load and then
read it with TPM2_Unseal. You define your PCR policy when the object is created
and can only later be unsealed (read) if the PCR state satisfies that policy.
You can take a look at test/system/test_tpm2_unseal.sh for an example of how
this is done. Unless you have a reason not to store the Sealed Data Object outside
the TPM2, I would suggest doing something like what that test does.
If you really want to store the Sealed Data Object in the TPM2, then you could do
something like the following:
# Create PCR policy for SHA-1 bank PCR7
$ tpm2_pcrlist -L sha1:7 -o pcr.bin
$ tpm2_createpolicy -P -L sha1:7 -F pcr.bin -f pcr.policy
# Create a Data Object and seal "mysecret" using the PCR policy
$ tpm2_createprimary -A o -g sha256 -G ecc -C primary.context
$ tpm2_create -g sha256 -G keyedhash -u obj.pub -r obj.priv -I- \
-c primary.context -L pcr.policy -E <<< mysecret
# Load the object and make a persistent copy in the TPM with Handle 0x81000000
$ tpm2_load -c primary.context -u obj.pub -r obj.priv -C load.context
$ tpm2_evictcontrol -A o -c load.context -S 0x81000000
At this point you can delete the obj.{pub,priv} since a copy was made persistent
in the TPM. So now to unseal it, you just need to get the PCR hashes for the PCR
used for sealing, and call TPM2_Unseal passing the Persistent Object Handle, i.e.
$ tpm2_pcrlist -L sha1:7 -o pcr.bin
$ tpm2_unseal -H 0x81000000 -L sha1:7 -F pcr.bin
mysecret
> Much appreciated.
> Slash
Best regards,
--
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat
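The PCR-policy check Javier describes (an object sealed under a PCR policy can only be unsealed when the current PCR state reproduces that policy) can be worked through offline. The example below is added here and is not from the thread or from tpm2-tools: it recomputes the TPM2_PolicyPCR digest for the sha1:7 selection used above with Python's hashlib, on constructed PCR7 values, and shows that a reset PCR7 no longer satisfies the sealed policy. The SHA-256 policy hash matches the object's sha256 nameAlg; the sample PCR values are constructed, not read from a TPM.

```python
import hashlib
import hmac

# TPM 2.0 constants (Part 2 of the spec)
TPM_ALG_SHA1 = 0x0004
TPM_CC_PolicyPCR = 0x0000017F


def pcr_selection(bank_alg, pcr_indices, sizeof_select=3):
    """Marshal a TPML_PCR_SELECTION holding one bank, e.g. sha1:7."""
    select = bytearray(sizeof_select)
    for idx in pcr_indices:
        select[idx // 8] |= 1 << (idx % 8)
    return (
        (1).to_bytes(4, "big")          # count: one bank
        + bank_alg.to_bytes(2, "big")   # TPMI_ALG_HASH of the bank
        + bytes([sizeof_select])        # sizeofSelect
        + bytes(select)                 # pcrSelect bitmap
    )


def policy_pcr(pcr_values, selection, policy_alg="sha256", old_digest=None):
    """TPM2_PolicyPCR update: H(old || TPM_CC_PolicyPCR || pcrs || pcrDigest).

    pcrDigest is the session hash over the selected PCR values in selection
    order; a fresh policy session starts from an all-zero digest.
    """
    size = hashlib.new(policy_alg).digest_size
    old_digest = old_digest if old_digest is not None else bytes(size)
    pcr_digest = hashlib.new(policy_alg, b"".join(pcr_values)).digest()
    return hashlib.new(
        policy_alg,
        old_digest + TPM_CC_PolicyPCR.to_bytes(4, "big") + selection + pcr_digest,
    ).digest()


def unseal_allowed(sealed_policy, current_pcr_values, selection):
    """True only if the current PCR state reproduces the sealed policy digest."""
    return hmac.compare_digest(sealed_policy, policy_pcr(current_pcr_values, selection))


# Constructed sample state: a SHA-1 bank PCR7 value, and PCR7 after a reset.
SEL_SHA1_PCR7 = pcr_selection(TPM_ALG_SHA1, [7])
PCR7_GOOD = hashlib.sha1(b"constructed PCR7 measurement").digest()
PCR7_RESET = bytes(20)
SEALED_POLICY = policy_pcr([PCR7_GOOD], SEL_SHA1_PCR7)

if __name__ == "__main__":
    print("policy digest:", SEALED_POLICY.hex())
    print("unseal, PCR7 matches:", unseal_allowed(SEALED_POLICY, [PCR7_GOOD], SEL_SHA1_PCR7))
    print("unseal, PCR7 reset:  ", unseal_allowed(SEALED_POLICY, [PCR7_RESET], SEL_SHA1_PCR7))
```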