Seal keys to NV INDEX according to PCR values #3414

Open
dadiestfish2077 opened this issue Jul 20, 2024 · 1 comment
Comments

@dadiestfish2077

I'd like to seal a private key to the TPM NV index. I'd like to only be able to read it out if the PCR values match the right PCR policy.

I am performing these commands but getting invalid authorization, and I do not know why.

tpm2_changeauth -c o 246
tpm2_pcrread sha256:10 -o pcr.bin
tpm2_createpolicy --policy-pcr -l sha256:10 -f pcr.bin -L pcr.policy
tpm2_nvdefine -C o -p writepassword -a "authwrite|policyread" -L pcr.bin -L pcr.policy -P 245

tpm2_startauthsession --policy-session -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:10 -L policy.pcr
tpm2_nvread 0x1000000 -P session:session.ctx

The error is: tpm:session(1): a policy check failed.

I have no idea why this fails. Any help would be very much appreciated.

@JuergenReppSIT
Member

JuergenReppSIT commented Jul 24, 2024

I changed your example a little (wrong password for the owner hierarchy, length specification for nvread to avoid the need for multiple reads, removed -L pcr.bin, added a write operation before the read) and it worked:

tpm2_changeauth -c o 246
tpm2_pcrread sha256:10 -o pcr.bin
tpm2_createpolicy --policy-pcr -l sha256:10 -f pcr.bin -L pcr.policy
tpm2_nvdefine -C o -p writepassword -a "authwrite|policyread" -L pcr.policy -P 246
echo -n 123 | tpm2_nvwrite 0x1000000 -i-  -P writepassword
tpm2_startauthsession --policy-session -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:10 -L policy.pcr
tpm2_nvread 0x1000000 -P session:session.ctx  -s 3
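Both the failing session in the issue and the working sequence above come down to one rule: TPM2_NV_Read on an index defined with the policyread attribute succeeds only when the policy session's accumulated digest equals the authPolicy the index was defined with (the file passed to tpm2_nvdefine -L). The following Python model of that digest computation is an added example, not tpm2-tools code and not part of the original thread; it assumes a SHA-256 bank, the 3-byte PCR selection size tpm2-tools uses for sha256:10, and constructed PCR and measurement values in place of real pcr.bin contents.

```python
import hashlib

# Constants from the TPM 2.0 Library spec, Part 2 (Structures)
TPM_CC_POLICYPCR = 0x0000017F   # command code hashed into the policy digest
TPM_ALG_SHA256 = 0x000B         # hash algorithm id for the PCR bank and the policy
SHA256_LEN = 32


def pcr_selection_bytes(pcrs, alg=TPM_ALG_SHA256, size_of_select=3):
    """Marshal a TPML_PCR_SELECTION holding a single bank selection.

    Layout: count (UINT32) | hash (UINT16) | sizeofSelect (UINT8) | pcrSelect bitmap.
    sizeofSelect=3 (24 PCRs) matches a typical PC TPM; an assumption for this demo.
    """
    select = bytearray(size_of_select)
    for pcr in pcrs:
        select[pcr // 8] |= 1 << (pcr % 8)
    return (
        (1).to_bytes(4, "big")
        + alg.to_bytes(2, "big")
        + bytes([size_of_select])
        + bytes(select)
    )


def pcr_extend(current, measurement):
    """TPM2_PCR_Extend on a SHA-256 bank: new = H(old || measurement)."""
    return hashlib.sha256(current + measurement).digest()


def policy_pcr(pcrs, pcr_values, old_digest=bytes(SHA256_LEN)):
    """TPM2_PolicyPCR digest update (Part 3, section 23.7):
    new = H(old || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values)).
    A fresh policy session starts from an all-zero digest (the default old_digest).
    """
    pcr_digest = hashlib.sha256(b"".join(pcr_values)).digest()
    h = hashlib.sha256()
    h.update(old_digest)
    h.update(TPM_CC_POLICYPCR.to_bytes(4, "big"))
    h.update(pcr_selection_bytes(pcrs))
    h.update(pcr_digest)
    return h.digest()


def nv_read_permitted(index_auth_policy, session_policy_digest):
    """The check TPM2_NV_Read applies to a policyread index: the session's
    policy digest must equal the authPolicy set at define time."""
    return index_auth_policy == session_policy_digest


def demo():
    # Constructed boot sequence: PCR 10 starts at zero and is extended once.
    pcr10_boot_a = pcr_extend(bytes(SHA256_LEN), b"measurement of component A (constructed)")
    # Define time: tpm2_createpolicy --policy-pcr -l sha256:10 -f pcr.bin -L pcr.policy
    auth_policy = policy_pcr([10], [pcr10_boot_a])

    # Read time, same boot state: tpm2_policypcr -S session.ctx -l sha256:10
    session_same = policy_pcr([10], [pcr10_boot_a])
    ok_same = nv_read_permitted(auth_policy, session_same)

    # Read time after PCR 10 received another measurement (different boot state)
    pcr10_boot_b = pcr_extend(pcr10_boot_a, b"measurement of component B (constructed)")
    session_changed = policy_pcr([10], [pcr10_boot_b])
    ok_changed = nv_read_permitted(auth_policy, session_changed)
    return ok_same, ok_changed


if __name__ == "__main__":
    same, changed = demo()
    print("read allowed with unchanged PCR 10:", same)     # True
    print("read allowed after PCR 10 changed:", changed)   # False, i.e. 'a policy check failed'
```

With the raw 32-byte PCR 10 value from tpm2_pcrread -o pcr.bin substituted for pcr10_boot_a, policy_pcr([10], [...]) should reproduce the digest tpm2_createpolicy writes to pcr.policy, which is why the nvdefine -L value and the tpm2_policypcr session only agree while PCR 10 still holds the contents the policy was computed over. The separate "invalid authorization" at nvdefine in the original sequence is the owner-hierarchy password mismatch the maintainer points out (auth set to 246, nvdefine called with -P 245), not a policy problem.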
