Too much pcrs to get! try to split into multiple calls... #3436

Open
f-squirrel opened this issue Nov 26, 2024 · 5 comments

@f-squirrel

f-squirrel commented Nov 26, 2024

Hi,

In the previous versions (e.g., 3.0.4) tpm2_unseal supported unsealing objects by providing a handle:

tpm2_unseal -H 0x8100000 -L "sha1:0,2,4,7" -o file.bin

I am trying to do the same with the version 5.6.1:

TPM2TOOLS_TCTI="device:/dev/tpm0" tpm2 unseal -p "pcr:sha1:0,2,4,7" -c 0x8100000
ERROR: too much pcrs to get! try to split into multiple calls...
ERROR: Invalid item handle authorization
ERROR: Unable to run unseal

The old version succeeds in unsealing; both are running on the same machine.

TPM2TOOLS version:

tpm2_unseal --version
tool="tpm2_unseal" version="5.6.1" tctis="libtss2-tctildr" tcti-default=tcti-device

TSS VERSION: 4.1.3

  1. How can I achieve the same functionality?
  2. What is the most stable version of the TPM2 Tools, assuming I need the following functionality:
    • tpm2_createpolicy
    • tpm2_createprimary
    • tpm2_getcap
    • tpm2_create
    • tpm2_load
    • tpm2_evictcontrol
    • tpm2_unseal

Note: I am working directly with the device, so I have to make sure I do not use more than three handles at a time :)

EDIT: It works in 5.5.1 without errors. It seems to be a bug.

@f-squirrel f-squirrel changed the title tpm2_unseal does not support working with handles Too much pcrs to get! try to split into multiple calls... Nov 26, 2024
@JuergenReppSIT
Member

JuergenReppSIT commented Nov 26, 2024

In the previous versions (e.g., 3.0.4) tpm2_unseal supported unsealing objects by providing a handle:

tpm2_unseal -H 0x8100000 -L "sha1:0,2,4,7" -o file.bin

If -H is not available you can use:

tpm2_unseal -c 0x8100000 -L "sha1:0,2,4,7" -o file.bin

If you work directly with the device autoflush (available from version 5.7) could be useful:
https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/options.md

@f-squirrel
Author

In the previous versions (e.g., 3.0.4) tpm2_unseal supported unsealing objects by providing a handle:

tpm2_unseal -H 0x8100000 -L "sha1:0,2,4,7" -o file.bin

If -H is not available you can use:

tpm2_unseal -c 0x8100000 -L "sha1:0,2,4,7" -o file.bin

If you work directly with the device autoflush (available from version 5.7) could be useful: https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/options.md

Thank you for the quick reply, I receive the following error:

TPM2TOOLS_TCTI="device:/dev/tpm0" tpm2 unseal -p "pcr:sha1:0,2,4,7" -c 0x8100000
ERROR: too much pcrs to get! try to split into multiple calls...
ERROR: Invalid item handle authorization
ERROR: Unable to run unseal

Do you know what can be the issue?

@JuergenReppSIT
Member

I tried your example with version 5.7 and it worked without problems:

TPM2TOOLS_TCTI="device:/dev/tpm0" tpm2_unseal -c 0x81000003 -p pcr:sha1:0,2,4,7
secret

Which version did you use?

@f-squirrel
Author

@JuergenReppSIT it seems there is a bug in 5.6.1, because in 5.5.1 it works as expected.

@JuergenReppSIT
Member

@f-squirrel That's strange. I also tried it with version 5.6.1 and it also worked.
