From: Andreas T. <an...@th...> - 2014-01-27 17:57:28

Hi Ken,

On 27.1.2014 18:41, Ken Goldman wrote:
> I don't see anything wrong with what you're trying to do.

Good. That was my first worry, that I had misunderstood one of the essentials...

> Can you switch from the hardware TPM to the SW TPM?
>
> You can then get a trace of the TPM internals. This would tell you
> whether the problem is in the tools, in the TSS, or perhaps even in the
> TPM.
>
> I can't imagine debugging any application with the HW TPM, but of
> course I wrote the SW TPM. :-)

I haven't tried swtpm yet, but let me give it a try. I'll be back with some results in a bit.

cheers,
andreas

> On 1/26/2014 3:18 PM, Andreas Thienemann wrote:
>> Hi,
>>
>> I've been trying to create an NVRAM area I can keep a key in which is
>> sealed to certain PCRs.
>>
>> If I have the following setting, I am being asked for the nvram password
>> before being able to read the nvram area.
>>
>> [root@foo ~]# tpm_nvinfo -i 2
>> NVRAM index   : 0x00000002 (2)
>> PCR read selection:
>>  PCRs         : 4, 5, 8, 9, 12, 14
>>  Localities   : ALL
>>  Hash         : 51522172b46ed13a34ca45f445472291c9675ef5
>> PCR write selection:
>>  Localities   : ALL
>> Permissions   : 0x0040004 (AUTHREAD|AUTHWRITE)
>> bReadSTClear  : FALSE
>> bWriteSTClear : FALSE
>> bWriteDefine  : FALSE
>> Size          : 32 (0x20)
>>
>> [root@foo ~]#
>>
>> If my PCRs change I am unable to access this nvram area with my nvram
>> password. So far so good.
>>
>> I am now trying to have access to this nvram area without having to type
>> in any passwords as long as the PCR registers are the same.
>>
>> When defining the permission as only AUTHWRITE I do have access to the
>> nvram area without a password, but it seems to me that the nvram area is
>> not sealed anymore. If the PCRs change, I can still read out the data
>> from the nvram area, which shouldn't be the case.
>>
>> [root@foo ~]# tpm_nvread -i 2 > /dev/null
>> [root@foo ~]# echo $?
>> 0
>> [root@foo ~]# tpm_nvinfo -i 2
>> NVRAM index   : 0x00000002 (2)
>> PCR read selection:
>>  PCRs         : 4, 5, 8, 9, 12, 14
>>  Localities   : ALL
>>  Hash         : 51522172b46ed13a34ca45f445472291c9675ef5
>> PCR write selection:
>>  Localities   : ALL
>> Permissions   : 0x00000004 (AUTHWRITE)
>> bReadSTClear  : FALSE
>> bWriteSTClear : FALSE
>> bWriteDefine  : FALSE
>> Size          : 32 (0x20)
>>
>> [root@foo ~]#
>>
>> Any idea how to achieve what I want?

> _______________________________________________
> TrouSerS-users mailing list
> Tro...@li...
> https://lists.sourceforge.net/lists/listinfo/trousers-users
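An added audit helper, not part of the thread or of tpm-tools: it parses a tpm_nvinfo listing, decodes the TPM 1.2 permission word into the same TPM_NV_PER_* names tpm_nvinfo prints (0x0040004 is AUTHREAD|AUTHWRITE, as in the thread), and flags the configuration Andreas describes, a PCR read selection on an index with no read-authorization bit. The bit values are those of TPM_NV_ATTRIBUTES in the TPM 1.2 specification; the sample input is the thread's second listing re-wrapped one field per line, and the field names it keys on are assumed from that output.

```python
# TPM 1.2 TPM_NV_PER_* attribute bits (TPM Main Part 2, TPM_NV_ATTRIBUTES).
PERMISSION_BITS = {
    0x80000000: "READ_STCLEAR", 0x00040000: "AUTHREAD", 0x00020000: "OWNERREAD",
    0x00010000: "PPREAD", 0x00008000: "GLOBALLOCK", 0x00004000: "WRITE_STCLEAR",
    0x00002000: "WRITEDEFINE", 0x00001000: "WRITEALL", 0x00000004: "AUTHWRITE",
    0x00000002: "OWNERWRITE", 0x00000001: "PPWRITE",
}
READ_GATES = {"AUTHREAD", "OWNERREAD", "PPREAD"}  # bits that gate NV_ReadValue

def decode_permissions(value):
    """Names of all bits set in `value`; 0x0040004 -> ['AUTHREAD', 'AUTHWRITE']."""
    return sorted(name for bit, name in PERMISSION_BITS.items() if value & bit)

def parse_nvinfo(text):
    """Parse one `tpm_nvinfo -i N` listing: index, permission word, PCR selections."""
    info = {"index": None, "permissions": 0, "read_pcrs": [], "write_pcrs": []}
    section = None  # which "PCR ... selection:" block a PCRs line belongs to
    for raw in text.splitlines():
        key, _, val = (part.strip() for part in raw.partition(":"))
        if key.startswith("PCR read"):
            section = "read_pcrs"
        elif key.startswith("PCR write"):
            section = "write_pcrs"
        elif key == "NVRAM index":
            info["index"] = int(val.split()[0], 16)
        elif key == "Permissions":
            info["permissions"] = int(val.split()[0], 16)
        elif key == "PCRs" and section:
            info[section] = [int(p) for p in val.split(",")]
    return info

def audit(info):
    """Findings for one index; an empty list means nothing to flag."""
    perms = set(decode_permissions(info["permissions"]))
    if not info["read_pcrs"]:
        return ["no PCR read selection: reads are not bound to platform state"]
    if not READ_GATES & perms:
        return ["PCR read selection without AUTHREAD/OWNERREAD/PPREAD: the thread "
                "observed such an index still readable after a PCR change"]
    return []

# Constructed sample: the thread's second listing, re-wrapped one field per line.
SAMPLE = """NVRAM index   : 0x00000002 (2)
PCR read selection:
 PCRs         : 4, 5, 8, 9, 12, 14
 Localities   : ALL
PCR write selection:
 Localities   : ALL
Permissions   : 0x00000004 (AUTHWRITE)
"""
```

Running `audit(parse_nvinfo(SAMPLE))` returns the single finding for the AUTHWRITE-only index, while the first listing (0x0040004) produces none.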