Upload EK certificate into TPM NVRAM

583 views Asked by At

I am trying to use an application that utilizes the TPM EK certificate on the hardware to perform hardware attestation. I am using an UPxtreme i7 board and I noticed there was no EK certificate in the TPM NVRAM. I have been trying unsuccessfully to manually create an EK certificate and upload into the NVRAM. Any ideas on how to go about this?

I am using ubuntu 20.04 on the board and I have installed all the necessary tpm tools.

Steps I took:

  1. tpm2_createek -G rsa -u ek.pub -c key.ctx // to create the ek key
  2. tpm2_getekcertificate -X -o ECcert.bin -u ek.pub https://ekop.intel.com/ekcertservice/ // to get the ek certificate
  3. tpm2_nvdefine 0x01c00002 -C o -s 1033 -a ppwrite|writedefine|write_stclear|ppread|ownerread|authread|no_da|written|platformcreate // to define the NVRAM index. This is where I keep getting errors.

Error:

WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:344:Esys_NV_DefineSpace_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x000002c2) ERROR: Failed to define NV area at index 0x1C00002 ERROR: Esys_NV_DefineSpace(0x2C2) - tpm:parameter(2):inconsistent attributes ERROR: Unable to run tpm2_nvdefine

Any ideas on how to successfully define the NVRAM index and upload the certificate. Or if anyone has a better approach to this. Thank you.

1

There are 1 answers

0
Jan Wytze On

The written flag should not be provided, it will be set when an nvwrite is executed, it will cause an inconsistent attributes error when directly set. See Trusted Platform Module Library Part 2: Structures - table 204 for more details about the flags.

The following works for me:

$ tpm2_nvdefine 0x01c00002 -C p -a 'ppwrite|writedefine|ppread|ownerread|authread|no_da|platformcreate'
$ tpm2_nvwrite 0x01c00002 -C p -i ek.cert

Be aware that the 0x01c00002 index is the NV index for a RSA 2048 EK Certificate. Use 0x01c0000a if you want an ECC NIST P256 EK Certificate. See TCG EK Credential Profile - chapter 2.2.1.4.

To finish it up, you should lock the index so the certificate cannot be overriden:

$ tpm2_nvwritelock 0x01c00002 -C p

I hope the answer is complete enough for you :)