From: Hal F. <hal...@gm...> - 2007-08-24 17:14:26
Hi Jun - I don't understand migration all that well, but here is how I think it works.

You can look at the testsuite, tcg/highlevel/key/Tspi_Key_ConvertMigrationBlob02.c, for an example of using the TSS_MS_MIGRATE scheme. Here you are using the TSS_MS_REWRAP scheme, which is supposed to be simpler.

When using TSS_MS_REWRAP, Tspi_TPM_AuthorizeMigrationTicket should be called with the new parent key. It should be the key that will be the parent of the new child key that will be the result of the migration. In your case the new parent would be the SRK. It will be the parent of key B, which will be the new child key.

You should not do Tspi_Key_CreateKey on the new key B. Instead you should set the public and private blob data, and then just do Tspi_Key_LoadKey under the parent key you specified above, in this case the SRK.

In summary, I would suggest changing hMigrationAuthorityKey to hSRK, and taking out Tspi_Key_CreateKey. That looks like it might work. However, again I must admit that I have no actual experience with these functions, and the descriptions in the documents are not too clear.

Hal

On 8/22/07, JG...@wi... <JG...@wi...> wrote:
> Hi Kent,
>
> Recently, I am testing the migration feature with Trousers 0.2.9.1. My test plan is to bind the data with a key A of migration usage, then migrate the key A to the key B, and finally unbind the data with the key B.
> Here is my process:
>
> ...
> Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, SRK_UUID, &hSRK);
> Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
>     TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION,
>     &hMigrationAuthorityKey);
> Tspi_Key_CreateKey(hMigrationAuthorityKey, hSRK, 0);
>
> //Create the object for Key A.
> Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
>     TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION | TSS_KEY_MIGRATABLE,
>     &hKeyA);
>
> //Set the migration Policy.
> Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_MIGRATION, &hMigPolicy);
> Tspi_Policy_SetSecret(hMigPolicy, KEY_SECRET_MODE, SECRET_LEN, SECRET);
> Tspi_Policy_AssignToObject(hMigPolicy, hKeyA);
>
> //Create the key and get the public part of the Key A.
> Tspi_Key_CreateKey(hKeyA, hSRK, 0);
> Tspi_Key_LoadKey(hKeyA, hSRK);
> Tspi_GetAttribData(hKeyA, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, &BlobLength, &Blob);
>
> //Bind the data.
> Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_BIND, &hEncData);
> Tspi_Data_Bind(hEncData, hKeyA, DataLength, rgbDataToBind);
>
> //Create ticket and migration blob.
> Tspi_TPM_AuthorizeMigrationTicket(hTPM, hMigrationAuthorityKey, TSS_MS_REWRAP, &TicketLength, &MigTicket);
> Tspi_Key_CreateMigrationBlob(hKeyA, hSRK, TicketLength, MigTicket,
>     &randomLength, &randomData, &migBlobLength, &migBlob);
>
> //Create the object for Key B.
> Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
>     TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 | TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE,
>     &hKeyB);
>
> //Set the attribute data for Key B.
> Tspi_SetAttribData(hKeyB, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_PRIVATE_KEY, migBlobLength, migBlob);
> Tspi_SetAttribData(hKeyB, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, BlobLength, Blob);
>
> //Create the Key B under SRK.
> Tspi_Key_CreateKey(hKeyB, hSRK, 0);
> Tspi_Key_LoadKey(hKeyB, hSRK);
>
> //Unbind the data.
> Tspi_Data_Unbind(hEncData, hKeyB, &pulDataLength, &prgbDataToUnBind);
> ...
>
> When I run the test, it fails to unbind the data with the error code TCPA_E_DECRYPT_ERROR at the last step.
> Could you give me any suggestions about my process? I think something is wrong or missing after I have created the migration blob.
> And how can I validate the migration policy during the process?
>
> Best regards,
> Gong Jun