Upload EK certificate into TPM NVRAM


I am trying to use an application that utilizes the TPM EK certificate on the hardware to perform hardware attestation. I am using an UPxtreme i7 board and I noticed there was no EK certificate in the TPM NVRAM. I have been trying unsuccessfully to manually create an EK certificate and upload into the NVRAM. Any ideas on how to go about this?

I am using ubuntu 20.04 on the board and I have installed all the necessary tpm tools.

Steps I took:

  1. tpm2_createek -G rsa -u ek.pub -c key.ctx // to create the ek key
  2. tpm2_getekcertificate -X -o ECcert.bin -u ek.pub https://ekop.intel.com/ekcertservice/ // to get the ek certificate
  3. tpm2_nvdefine 0x01c00002 -C o -s 1033 -a 'ppwrite|writedefine|write_stclear|ppread|ownerread|authread|no_da|written|platformcreate' // to define the NVRAM index (attribute list quoted so the shell does not treat '|' as a pipe). This is where I keep getting errors.

Error:

WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:344:Esys_NV_DefineSpace_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x000002c2)
ERROR: Failed to define NV area at index 0x1C00002
ERROR: Esys_NV_DefineSpace(0x2C2) - tpm:parameter(2):inconsistent attributes
ERROR: Unable to run tpm2_nvdefine

Any ideas on how to successfully define the NVRAM index and upload the certificate? Or if anyone has a better approach to this. Thank you.

1 answer

Jan Wytze:

The written flag should not be provided; it will be set when an nvwrite is executed, and it causes an inconsistent attributes error when set directly. See Trusted Platform Module Library Part 2: Structures, table 204, for more details about the flags.

The following works for me:

$ tpm2_nvdefine 0x01c00002 -C p -a 'ppwrite|writedefine|ppread|ownerread|authread|no_da|platformcreate'
$ tpm2_nvwrite 0x01c00002 -C p -i ek.cert

Be aware that the 0x01c00002 index is the NV index for an RSA 2048 EK Certificate. Use 0x01c0000a if you want an ECC NIST P256 EK Certificate. See TCG EK Credential Profile, chapter 2.2.1.4.

To finish it up, you should lock the index so the certificate cannot be overridden:

$ tpm2_nvwritelock 0x01c00002 -C p

I hope the answer is complete enough for you :)
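As an added illustration of the answer's two points (the written flag must be clear at define time, and the attribute list has to reach tpm2_nvdefine unsplit), here is a small pre-flight check; it is my own example, not code from the question, the answer or tpm2-tools. It assumes the TPMA_NV bit positions from TPM 2.0 Library Part 2 (table 204) and the attribute names tpm2_nvdefine accepts, and it decodes the 0x2C2 return code from the question's error output.

```python
import shlex

# TPMA_NV bit positions (TPM 2.0 Library Part 2, table 204), keyed by the
# attribute names tpm2_nvdefine accepts in its -a argument.
TPMA_NV_BITS = {
    "ppwrite": 0, "ownerwrite": 1, "authwrite": 2, "policywrite": 3,
    "policydelete": 10, "writelocked": 11, "writeall": 12, "writedefine": 13,
    "write_stclear": 14, "globallock": 15,
    "ppread": 16, "ownerread": 17, "authread": 18, "policyread": 19,
    "no_da": 25, "orderly": 26, "clear_stclear": 27, "readlocked": 28,
    "written": 29, "platformcreate": 30, "read_stclear": 31,
}
WRITE_AUTH = {"ppwrite", "ownerwrite", "authwrite", "policywrite"}
READ_AUTH = {"ppread", "ownerread", "authread", "policyread"}
# EK certificate NV indices named in the answer (TCG EK Credential Profile 2.2.1.4).
EK_CERT_INDEX = {"rsa2048": 0x01C00002, "ecc_p256": 0x01C0000A}
# Format-1 TPM_RC error numbers (low 6 bits) this example knows how to name.
RC_FMT1_ERRORS = {0x002: "inconsistent attributes", 0x004: "value out of range",
                  0x005: "hierarchy not enabled or not correct", 0x015: "wrong size"}


def tpma_nv(attrs: str) -> int:
    """Turn an 'a|b|c' attribute string into the TPMA_NV bit mask."""
    return sum(1 << TPMA_NV_BITS[n.strip()] for n in attrs.split("|"))


def check_define_attrs(attrs: str) -> list:
    """Reasons TPM2_NV_DefineSpace would reject this attribute list (empty = looks fine)."""
    names = {n.strip() for n in attrs.split("|")}
    problems = ["unknown attribute: %s" % n for n in sorted(names - TPMA_NV_BITS.keys())]
    if "written" in names:   # the TPM sets WRITTEN itself on the first nvwrite
        problems.append("written must not be set at define time")
    if not names & WRITE_AUTH:
        problems.append("no write authorization attribute")
    if not names & READ_AUTH:
        problems.append("no read authorization attribute")
    return problems


def decode_rc(rc: int) -> str:
    """Decode a format-1 TPM_RC (bit 7 set): bit 6 = parameter flag, bits 11:8 = number."""
    if not rc & 0x080:
        return "format-0 rc 0x%03x" % rc
    if rc & 0x040:
        where = "parameter(%d)" % ((rc >> 8) & 0xF)
    else:
        where = ("session(%d)" if rc & 0x800 else "handle(%d)") % ((rc >> 8) & 0x7)
    return "%s: %s" % (where, RC_FMT1_ERRORS.get(rc & 0x03F, "error 0x%02x" % (rc & 0x3F)))


def nvdefine_cmd(index: int, attrs: str, hierarchy: str = "p") -> str:
    """Build the tpm2_nvdefine line with the attribute list quoted, so '|' is not a shell pipe."""
    return "tpm2_nvdefine 0x%08x -C %s -a %s" % (index, hierarchy, shlex.quote(attrs))
```

Run check_define_attrs on the question's attribute string and it reports the written flag; the answer's string passes, and nvdefine_cmd prints it correctly quoted.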