Get a persistent string in and out of the TPM2 module


I'm trying to save a small amount of data in the TPM2 over power cycles, so that this small string is tied to one specific machine. Here is what I have working.

# put data in file that is to be sealed
echo "my sealed data" > seal.dat

# create a primary key
tpm2_createprimary -c primary.ctx

# create a child key in public and private parts
tpm2_create -C primary.ctx -u obj.pub -r obj.priv

# create a sealed object
tpm2_create -C primary.ctx -i seal.dat -u obj.pub -r obj.priv

# load the private and public portions into the TPM
tpm2_load -C primary.ctx -u obj.pub -r obj.priv -c key.ctx

# unseal the data
tpm2_unseal -c key.ctx

But after a power cycle, if I enter 'tpm2_unseal -c key.ctx', I get the following error:

WARNING:esys:src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x000001df)
ERROR: Esys_ContextLoad(0x1DF) - tpm:parameter(1):integrity check failed
ERROR: Invalid item handle authorization
ERROR: Unable to run tpm2_unseal

I am using the tpm_server (emulator) if that makes any difference.

So what is the best way to load a small string into the tpm2 and have power loss persistence?


There are 2 answers

efocht

You forgot one command that persists the information in the TPM: tpm2_evictcontrol. In the example below the value is persisted to the persistent handle 0x81010001.

# tpm2_createprimary -Q -C o -c prim.ctx

# echo "mytestkey12345678abcdefg" | tpm2_create -Q -g sha256 -u seal.pub -r seal.priv -i- -C prim.ctx

# tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -n seal.name -c seal.ctx

# tpm2_evictcontrol -C o -c seal.ctx 0x81010001
persistent-handle: 0x81010001
action: persisted

# tpm2_unseal -Q -c 0x81010001
mytestkey12345678abcdefg

The persisted value can be removed by calling

# tpm2_evictcontrol -C o -c 0x81010001

There is a nice explanation, also involving PCR policies, here.
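A script form of the flow in this answer, added here as an example and not part of the original post: it assumes tpm2-tools 4.x command syntax and the output format of `tpm2_getcap handles-persistent` (one handle per line), and adds the check a practitioner wants before tpm2_evictcontrol, namely that the persistent handle is not already taken. The helper names, the work directory and the handle 0x81010001 (taken from the answer above) are assumptions.

```shell
#!/bin/sh
# Idempotent "persist a small secret in the TPM" flow (tpm2-tools 4.x syntax assumed).
# Helper names and paths are hypothetical; the handle is the one used in the answer.
set -eu

PERSIST_HANDLE=0x81010001        # owner-range persistent handle
WORKDIR=${WORKDIR:-./tpm-seal}   # where the transient key blobs are written

# handle_in_use HANDLE  < output of `tpm2_getcap handles-persistent`
# Returns 0 if HANDLE is listed, 1 otherwise. Pure text parsing, so it can be
# exercised without a TPM; assumes the list prints one 0x8... handle per line.
handle_in_use() {
    grep -qiw -- "$1"
}

# seal_and_persist STRING: create a primary and a sealed child, load it, and pin
# it to PERSIST_HANDLE. Only the persistent handle survives a power cycle; the
# *.ctx files are transient contexts and fail the integrity check after reboot.
seal_and_persist() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR"
    if tpm2_getcap handles-persistent | handle_in_use "$PERSIST_HANDLE"; then
        echo "handle $PERSIST_HANDLE is already persisted; refusing to overwrite" >&2
        return 1
    fi
    tpm2_createprimary -Q -C o -c prim.ctx
    # printf instead of echo: the sealed blob should not carry a trailing newline
    printf '%s' "$1" | tpm2_create -Q -C prim.ctx -i- -u seal.pub -r seal.priv
    tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -c seal.ctx
    tpm2_evictcontrol -C o -c seal.ctx "$PERSIST_HANDLE"
    rm -f prim.ctx seal.ctx      # no longer needed once the object is persisted
}

# unseal_persisted: read the secret back through the persistent handle alone.
unseal_persisted() {
    tpm2_unseal -c "$PERSIST_HANDLE"
}

# Only touch the TPM when asked explicitly, e.g.:  sh persist.sh run "my secret"
if [ "${1:-}" = run ]; then
    seal_and_persist "$2"
    unseal_persisted
fi
```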

mnistic

Sealing an object does not store anything in the TPM's NV memory. It encrypts the data with a key that's only accessible to the TPM, but it is saved in two files on your file system -- nothing is saved in the TPM.

To store some data in the TPM's memory, you would define the memory index and then save to it, for example:

# example NV index in the owner range (the original script sets this variable elsewhere)
nv_test_index=0x1500018
# define a 32-byte index that the owner hierarchy may read and write
tpm2_nvdefine -Q $nv_test_index -C o -s 32 -a "ownerread|policywrite|ownerwrite"
echo "please123abc" > nv.test_w
tpm2_nvwrite -Q $nv_test_index -C o -i nv.test_w

And then to read the data back:

# read the whole 32-byte index from the start (offset 0 is the default)
tpm2_nvread -Q $nv_test_index -C o -s 32

(sample code from the tpm2-tools test script)