On 1/21/19 9:16 AM, Thibaut Sautereau wrote:
> I'm experimenting with TPM 2.0 (using swtpm 0.1.0), tpm2-tools 3.1.3,
> tpm2-tss 2.1.0 and the Linux 4.19.16 kernel's trusted keys. I found this
> thread about the "policydigest" and "policyhandle" options added to
> keyctl but I cannot reproduce the given example using tpm2-tools
> instead of the author's Python testing scripts. I wonder if I'm doing
> something wrong by executing the following commands:

Did it work for you when using Jarkko's test scripts?

> # I tried fiddling with the object attributes in the following command
> # but AIUI the default ones should be OK
> tpm2_createprimary --hierarchy=o --halg=sha256 --kalg=rsa \
> tpm2_evictcontrol --auth=o --context=/tmp/primary.context \
> tpm2_createpolicy --policy-file=/tmp/policy.digest --policy-pcr \
> policydigest=$(xxd -p /tmp/policy.digest | tr -d '\n')
> keyid=$(keyctl add trusted test \
> "new 32 keyhandle=0x81010001 hash=sha256 policydigest=$policydigest" @u)
> keyctl link @us @s
> keyctl pipe $keyid > /tmp/blob.hex
>
> Until here, everything works fine.
>
> Now for testing I want to reimport the key from the blob file, but I
> need a handle to a TPM_SE_POLICY and thus need to directly use the TPM
> device, as the in-kernel resource manager I was using so far would
> prevent me from keeping a policy session "opened". So I re-export
> TPM2TOOLS_TCTI just as Javier Martinez Canillas showed on GitHub:
>
> # --auth-policy-session implies --extend-policy-session
> tpm2_createpolicy --policy-pcr --set-list=sha256:0 \
> keyctl add trusted test2 \
> "load $(cat /tmp/blob.hex) keyhandle=0x81010001 policyhandle=0x03000000" @u

You have the policy handle hardcoded to 0x03000000 here, I guess that's correct
and is the value printed by tpm2_createpolicy in EXTENDED_POLICY_SESSION_HANDLE?
Sorry for saying the obvious, but just in case since I don't see anything wrong
with your commands.

> This last command causes: "add_key: Operation not
>
> In kernel logs, I have:
>
> [ 1350.287556] tpm tpm0: A TPM error (2466) occurred unsealing
> [ 1350.289856] trusted_key: key_unseal failed (-1)
>
> The TPM error is 0x9a2, i.e. TPM2_RC_BAD_AUTH. I cannot see what I'm
> doing wrong. Do you see something obvious?
>
> Thanks a lot for your time and your work!

Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
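The kernel only prints the raw response code in decimal (2466 above), and the thread maps it to TPM2_RC_BAD_AUTH by hand. The following is an added example, not code from the thread or from tpm2-tools, that decodes a TPM 2.0 response code into its fields according to the TPM_RC layout in Part 2, section 6.6 of the TPM 2.0 Library specification (format-0 versus format-1, warning versus error, and for format-1 codes which handle, session or parameter the error is qualified with). The function names (decode_tpm_rc, describe_tpm_rc, decode_kernel_tpm_error) are mine, and the name tables deliberately cover only a subset of the defined codes; unknown numbers are reported by value.

```python
"""Decode TPM 2.0 response codes (TPM_RC) into their bit-fields.

Added example, not code from the original thread or from tpm2-tools.
Field layout: TPM 2.0 Library Specification Part 2, section 6.6.
The name tables are a subset; unlisted codes are shown numerically.
"""
import re

RC_FMT1 = 0x080    # bit 7: format-1 code (qualified by handle/session/parameter)
RC_VER1 = 0x100    # bit 8: format-0 code defined by TPM 2.0 (clear => TPM 1.2 code)
RC_VENDOR = 0x400  # bit 10: vendor-defined format-0 code
RC_WARN = 0x900    # bits 8 and 11: format-0 warning
FMT1_P = 0x040     # bit 6: N field (bits 8-11) names a parameter
FMT1_S = 0x800     # bit 11, with P clear: N field names a session, not a handle

# Format-1 error numbers (low six bits), subset of the specification table.
FMT1_NAMES = {
    0x02: "ATTRIBUTES", 0x04: "VALUE", 0x05: "HIERARCHY", 0x0B: "HANDLE",
    0x0E: "AUTH_FAIL", 0x0F: "NONCE", 0x15: "SIZE", 0x1B: "SIGNATURE",
    0x1C: "KEY", 0x1D: "POLICY_FAIL", 0x1F: "INTEGRITY", 0x22: "BAD_AUTH",
    0x23: "EXPIRED", 0x24: "POLICY_CC",
}

# Format-0 codes, keyed with the vendor bit cleared, subset of the table.
FMT0_NAMES = {
    0x100: "INITIALIZE", 0x101: "FAILURE", 0x10B: "PRIVATE", 0x119: "HMAC",
    0x120: "DISABLED", 0x124: "AUTH_TYPE", 0x125: "AUTH_MISSING",
    0x126: "POLICY", 0x127: "PCR", 0x12F: "AUTH_UNAVAILABLE",
    0x143: "COMMAND_CODE", 0x150: "BAD_CONTEXT", 0x152: "PARENT",
    0x901: "CONTEXT_GAP", 0x902: "OBJECT_MEMORY", 0x903: "SESSION_MEMORY",
    0x905: "SESSION_HANDLES", 0x906: "OBJECT_HANDLES", 0x920: "NV_RATE",
    0x921: "LOCKOUT", 0x922: "RETRY",
}


def decode_tpm_rc(rc):
    """Return a dict describing response code rc (int, e.g. 0x9a2 or 2466)."""
    rc &= 0xFFFFFFFF
    if rc == 0:
        return {"code": 0, "format": 0, "kind": "success",
                "name": "TPM_RC_SUCCESS", "location": None}

    if rc & RC_FMT1:
        # Format 1: error number in bits 0-5, qualifier in bit 6 and bits 8-11.
        err = rc & 0x3F
        n = (rc >> 8) & 0xF
        if rc & FMT1_P:
            location = "parameter %d" % n if n else "unspecified parameter"
        elif rc & FMT1_S:
            location = "session %d" % (n & 0x7) if (n & 0x7) else "unspecified session"
        else:
            location = "handle %d" % (n & 0x7) if (n & 0x7) else "unspecified handle"
        name = "TPM_RC_" + FMT1_NAMES.get(err, "FMT1_0x%02X" % err)
        return {"code": rc, "format": 1, "kind": "error",
                "name": name, "location": location}

    if not (rc & RC_VER1):
        # Bit 8 clear: a TPM 1.2-style code (e.g. TPM_RC_BAD_TAG = 0x01E).
        return {"code": rc, "format": 0, "kind": "tpm1.2",
                "name": "TPM_RC_0x%03X" % (rc & 0xFFF), "location": None}

    kind = "warning" if (rc & RC_WARN) == RC_WARN else "error"
    if rc & RC_VENDOR:
        kind = "vendor " + kind
    key = rc & 0xBFF  # drop the vendor bit for the name lookup
    name = "TPM_RC_" + FMT0_NAMES.get(key, "0x%03X" % key)
    return {"code": rc, "format": 0, "kind": kind, "name": name, "location": None}


def describe_tpm_rc(rc):
    """One-line human-readable rendering of decode_tpm_rc(rc)."""
    d = decode_tpm_rc(rc)
    where = ", %s" % d["location"] if d["location"] else ""
    return "0x%03X: %s (format %d %s%s)" % (d["code"], d["name"], d["format"],
                                            d["kind"], where)


# The kernel's tpm core logs "A TPM error (<decimal>) occurred <what>".
KERNEL_LOG_RE = re.compile(r"A TPM error \((\d+)\) occurred (\w+)")


def decode_kernel_tpm_error(line):
    """Decode the response code out of a kernel 'A TPM error' log line."""
    m = KERNEL_LOG_RE.search(line)
    if not m:
        return None
    d = decode_tpm_rc(int(m.group(1)))
    d["operation"] = m.group(2)
    return d


if __name__ == "__main__":
    # Log line taken from the thread above.
    print(describe_tpm_rc(2466))
    print(decode_kernel_tpm_error(
        "[ 1350.287556] tpm tpm0: A TPM error (2466) occurred unsealing"))
```

Run on 2466 this reports `0x9A2: TPM_RC_BAD_AUTH (format 1 error, session 1)`: the failure is qualified with the first authorization session of the command, which for the TPM2_Unseal issued by the trusted-keys code is the session passed as policyhandle, so the decoder points at that session's authorization rather than at the key handle or a parameter. The same decoder distinguishes, for instance, 0x99D (TPM_RC_POLICY_FAIL on session 1) from 0x921 (the TPM_RC_LOCKOUT warning), which a bare decimal in dmesg hides.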