From: Andreas T. <an...@th...> - 2014-01-26 21:05:07

Hi,

I've been trying to create an NVRAM area I can keep a key in which is sealed to certain PCRs. If I have the following setting, I am being asked for the nvram password before being able to read the nvram area.

[root@foo ~]# tpm_nvinfo -i 2
NVRAM index     : 0x00000002 (2)
PCR read selection:
 PCRs          : 4, 5, 8, 9, 12, 14
 Localities    : ALL
 Hash          : 51522172b46ed13a34ca45f445472291c9675ef5
PCR write selection:
 Localities    : ALL
Permissions     : 0x0040004 (AUTHREAD|AUTHWRITE)
bReadSTClear    : FALSE
bWriteSTClear   : FALSE
bWriteDefine    : FALSE
Size            : 32 (0x20)
[root@foo ~]#

If my PCRs change I am unable to access this nvram area with my nvram password. So far so good.

I am now trying to have access to this nvram area without having to type in any passwords as long as the PCR registers are the same. When defining the permission as only AUTHWRITE I do have access to the nvram area without a password, but it seems to me that the nvram area is not sealed anymore. If the PCRs change, I can still read out the data from the nvram area, which shouldn't be the case.

[root@foo ~]# tpm_nvread -i 2 > /dev/null
[root@foo ~]# echo $?
0
[root@foo ~]# tpm_nvinfo -i 2
NVRAM index     : 0x00000002 (2)
PCR read selection:
 PCRs          : 4, 5, 8, 9, 12, 14
 Localities    : ALL
 Hash          : 51522172b46ed13a34ca45f445472291c9675ef5
PCR write selection:
 Localities    : ALL
Permissions     : 0x00000004 (AUTHWRITE)
bReadSTClear    : FALSE
bWriteSTClear   : FALSE
bWriteDefine    : FALSE
Size            : 32 (0x20)
[root@foo ~]#

Any idea how to achieve what I want?

cheers,
andreas
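Added example (not from the post above and not part of tpm-tools): a small auditor that decodes the Permissions word tpm_nvinfo prints and flags an index whose reads are not gated by any authorization, which is the situation the post describes with AUTHWRITE alone. The bit values are the TPM 1.2 TPM_NV_ATTRIBUTES flags (TPM_NV_PER_*); the sample tpm_nvinfo dump is constructed to mirror the post's second listing, and the function names are this example's own.

```python
"""Decode and audit the Permissions word shown by tpm_nvinfo (TPM 1.2).

Added example, not from the mailing-list post and not tpm-tools code.
Bit values: TPM 1.2 TPM_NV_ATTRIBUTES (TPM_NV_PER_*), as assumed here.
"""
import re

# TPM 1.2 TPM_NV_ATTRIBUTES flag bits (assumed from the spec's TPM_NV_PER_* list).
NV_PERMISSION_BITS = {
    0x00000001: "PPWRITE",
    0x00000002: "OWNERWRITE",
    0x00000004: "AUTHWRITE",
    0x00001000: "WRITEALL",
    0x00002000: "WRITEDEFINE",
    0x00004000: "WRITE_STCLEAR",
    0x00008000: "GLOBALLOCK",
    0x00010000: "PPREAD",
    0x00020000: "OWNERREAD",
    0x00040000: "AUTHREAD",
    0x00080000: "READ_STCLEAR",
}
READ_GATES = {"PPREAD", "OWNERREAD", "AUTHREAD"}
WRITE_GATES = {"PPWRITE", "OWNERWRITE", "AUTHWRITE"}

# Constructed sample mirroring the post's AUTHWRITE-only tpm_nvinfo output.
SAMPLE_AUTHWRITE_ONLY = """\
NVRAM index     : 0x00000002 (2)
PCR read selection:
 PCRs          : 4, 5, 8, 9, 12, 14
 Localities    : ALL
 Hash          : 51522172b46ed13a34ca45f445472291c9675ef5
PCR write selection:
 Localities    : ALL
Permissions     : 0x00000004 (AUTHWRITE)
bReadSTClear    : FALSE
bWriteSTClear   : FALSE
bWriteDefine    : FALSE
Size            : 32 (0x20)
"""


def decode_permissions(value):
    """Return the flag names set in a TPM_NV_ATTRIBUTES word, lowest bit first."""
    return [name for bit, name in sorted(NV_PERMISSION_BITS.items()) if value & bit]


def parse_nvinfo(text):
    """Extract index, permissions word and PCR read selection from tpm_nvinfo text."""
    info = {"read_pcrs": []}
    m = re.search(r"NVRAM index\s*:\s*(0x[0-9a-fA-F]+)", text)
    if m:
        info["index"] = int(m.group(1), 16)
    m = re.search(r"Permissions\s*:\s*(0x[0-9a-fA-F]+)", text)
    if m:
        info["permissions"] = int(m.group(1), 16)
    # Only the "PCR read selection" block carries the PCR list we care about.
    m = re.search(r"PCR read selection:(.*?)PCR write selection:", text, re.S)
    if m:
        pm = re.search(r"PCRs\s*:\s*([\d,\s]+)", m.group(1))
        if pm:
            info["read_pcrs"] = [int(p) for p in pm.group(1).replace(",", " ").split()]
    return info


def audit_nv_index(text):
    """Return findings on how reads and writes of the index are gated (empty = none)."""
    info = parse_nvinfo(text)
    flags = set(decode_permissions(info.get("permissions", 0)))
    findings = []
    if not flags & READ_GATES:
        findings.append("read requires no authorization: any local caller can tpm_nvread the index")
        if info["read_pcrs"]:
            # The post reports that with AUTHWRITE alone the data stayed readable after
            # the PCRs changed, so do not rely on the read selection by itself.
            findings.append("PCR read selection %s is configured but reads are unauthenticated; "
                            "confirm on the actual TPM that it is enforced" % info["read_pcrs"])
    if not flags & WRITE_GATES:
        findings.append("write requires no authorization")
    return findings


if __name__ == "__main__":
    info = parse_nvinfo(SAMPLE_AUTHWRITE_ONLY)
    print("index %d permissions %s" % (info["index"], decode_permissions(info["permissions"])))
    for finding in audit_nv_index(SAMPLE_AUTHWRITE_ONLY):
        print("finding:", finding)
```

Feed it the raw output of tpm_nvinfo -i N for each index you define; an empty findings list means both reads and writes require some authorization, which is the precondition for the PCR-bound behaviour the first listing in the post shows.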