[TrouSerS-users] NVRAM permissions and sealing

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

I've been trying to create a NVRAM area I can keep a key in which is 
sealed to certain PCRs.

If I have the following setting, I am being asked for the nvram password 
before being able to read the nvram area.

[root@foo ~]# tpm_nvinfo -i 2
NVRAM index   : 0x00000002 (2)
PCR read  selection:
  PCRs    : 4, 5, 8, 9, 12, 14
  Localities   : ALL
  Hash    : 51522172b46ed13a34ca45f445472291c9675ef5
PCR write selection:
  Localities   : ALL
Permissions   : 0x0040004 (AUTHREAD|AUTHWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 32 (0x20)

[root@foo ~]#

If my PCRs change I am unable to access this nvram area with my nvram 
password. So far so good.

I am now trying to have access to this nvram area without having to type 
in any passwords as long as the PCR registers are the same.

When defining the permission as only AUTHWRITE I do have access to the 
nvnram area without a password but it seems to me that the nvram area is 
not sealed anymore. If the PCRs change, I can still read out the data 
from the nvram area which shouldn't be the case.

[root@foo ~]# tpm_nvread -i 2 > /dev/null
[root@foo ~]# echo $?
0
[root@foo ~]# tpm_nvinfo -i 2
NVRAM index   : 0x00000002 (2)
PCR read  selection:
  PCRs    : 4, 5, 8, 9, 12, 14
  Localities   : ALL
  Hash    : 51522172b46ed13a34ca45f445472291c9675ef5
PCR write selection:
  Localities   : ALL
Permissions   : 0x00000004 (AUTHWRITE)
bReadSTClear  : FALSE
bWriteSTClear : FALSE
bWriteDefine  : FALSE
Size          : 32 (0x20)

[root@foo ~]#

Any idea how to achieve what I want?

cheers,
  andreas