20240604 506 create loaded #529
Conversation
// Create Derivation Parent
// - How to mark an object as a derivation parent? From what I read
//   in the spec, a derivation parent is just when != (primary || storage)
let derive_parent_object_attributes = ObjectAttributesBuilder::new()
This is really not my area of expertise, but it seems to me that it is not as simple as setting the object attributes of the key. The kind of object you create will depend on the object attributes of its parent, not only the object attributes of the object itself.
Look at TCG TPM2, r1p59, Part3 Commands, Section 12.9.1
Hrmm but the error code suggests:
TPM_RC_SCHEME
inconsistent attributes decrypt, sign, restricted and key's scheme ID; or hash algorithm is inconsistent with the scheme ID for keyed hash object
Yes, I did read that section. The problem I hit was that Part 3 12.9.1 doesn't actually define a derivation parent; that's actually defined in Part 1 4.19 as "loadable key used to derive other keys; a TPM_ALG_KEYEDHASH Parent Key", and Part 1 25.1.5 Table 24 states "Asymmetric keys and symmetric keys with these attributes are Storage Parents, and hash objects with these attributes are Derivation Parents." where the attributes are sign=clear, decrypt=set, restricted=set.
I think the comment I wrote here needs to be updated to reflect this, but I still think the attributes I used on the key were correct :)
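To make the attribute rule quoted from Part 1 concrete, here is an added example (not code from this PR or from tss-esapi) that classifies an object from its TPMA_OBJECT restricted/decrypt/sign bits: restricted+decrypt on an asymmetric or symmetric key is a Storage Parent, the same bits on a keyed hash object make a Derivation Parent. The bit positions are the TPMA_OBJECT values from Part 2; the enum names, the `attrs` helper, and the reading that a restricted object must have exactly one of decrypt or sign set (the consistency check the TPM_RC_SCHEME description points at) are this example's own assumptions.

```rust
// Added example: classify a TPM 2.0 object by type and attribute bits.
// Not part of the tss-esapi PR; names below are this example's own.

/// TPMA_OBJECT bit positions (TPM 2.0 Part 2, TPMA_OBJECT).
pub const TPMA_RESTRICTED: u32 = 1 << 16;
pub const TPMA_DECRYPT: u32 = 1 << 17;
pub const TPMA_SIGN_ENCRYPT: u32 = 1 << 18;

/// TPMT_PUBLIC.type, reduced to what the classification needs.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ObjectType {
    Rsa,
    Ecc,
    SymCipher,
    KeyedHash,
}

/// The role an object takes on given its type and attributes.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ObjectRole {
    /// restricted + decrypt on an asymmetric or symmetric key
    StorageParent,
    /// restricted + decrypt on a keyed hash object (Part 1 4.19)
    DerivationParent,
    /// restricted + sign (e.g. an attestation key)
    RestrictedSigningKey,
    /// unrestricted key: plain signing, decryption or HMAC
    Ordinary,
    /// combination this example treats as one the TPM would reject
    Inconsistent,
}

/// Build the attribute word the way a builder would (assumed helper).
pub fn attrs(restricted: bool, decrypt: bool, sign: bool) -> u32 {
    let mut a = 0;
    if restricted {
        a |= TPMA_RESTRICTED;
    }
    if decrypt {
        a |= TPMA_DECRYPT;
    }
    if sign {
        a |= TPMA_SIGN_ENCRYPT;
    }
    a
}

/// Apply the Part 1 Table 24 rule to a (type, attributes) pair.
pub fn classify(ty: ObjectType, attrs: u32) -> ObjectRole {
    let restricted = attrs & TPMA_RESTRICTED != 0;
    let decrypt = attrs & TPMA_DECRYPT != 0;
    let sign = attrs & TPMA_SIGN_ENCRYPT != 0;

    match (restricted, decrypt, sign) {
        // Assumption: a restricted object has exactly one of decrypt / sign.
        (true, true, true) | (true, false, false) => ObjectRole::Inconsistent,
        // sign=clear, decrypt=set, restricted=set: the parent case.
        (true, true, false) => match ty {
            ObjectType::KeyedHash => ObjectRole::DerivationParent,
            _ => ObjectRole::StorageParent,
        },
        (true, false, true) => ObjectRole::RestrictedSigningKey,
        (false, _, _) => ObjectRole::Ordinary,
    }
}

fn main() {
    // The attributes the PR sets on derive_parent_object_attributes.
    let parent_bits = attrs(true, true, false);
    println!("keyedhash: {:?}", classify(ObjectType::KeyedHash, parent_bits));
    println!("rsa:       {:?}", classify(ObjectType::Rsa, parent_bits));
    println!("hmac key:  {:?}", classify(ObjectType::KeyedHash, attrs(false, false, true)));
}
```

The point of the example is the split in the `(true, true, false)` arm: the same attribute word yields a Storage Parent or a Derivation Parent depending only on the object type, which is why the attributes in the PR can be right while the object still needs the keyed hash type and a scheme the TPM accepts for that combination.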
Fixes #506
Start on created loaded.
Create loaded appears to work in the base case, but when using it for key derivation, it appears to be failing with:
I'm pretty sure I'm making a mistake in the derive_parent_public PublicBuilder parameters that I'm setting. Per the spec, this does need to be a keyed hash, but given the parameters I've set, I think that we need to set KDF1SP800_108 as the scheme when we create this key. Currently, though, I think that's not possible, as KeyHashSchemes are just for Xor and Hmac, not derivation.
So any advice would be more than welcome on how to proceed next :)