Hello Ken,
I have the commands below; I want to understand how we can get back sea.bin if I delete my tpmpub.bin and tpmpriv.bin.
1) ./createprimary -hi o -pwdp test1 -ecc nistp256
2) ./evictcontrol -hi o -ho 80000000 -hp 81200000
3) ./create -hp 81200000 -bl -if sea.bin -opr tpmpriv.bin -opu tpmpub.bin
4) ./load -hp 81200000 -ipu tpmpub.bin -ipr tpmpriv.bin
5) ./unseal -ha 80000002 -of sec_out.bin
Please let me know: I accidentally deleted my tpmpub.bin and tpmpriv.bin. Is there a way to get the data (sea.bin) out?
I don't think so. The TPM is resource constrained. It's designed so that minimal state is on the TPM and other data is stored externally, protected by the TPM.
How to persist the sealed data?
Sealed data is an object, and can be persisted using evictcontrol.
However, there are very few TPM slots, so it's better to store the blob externally and back it up like you back up any other data.
Thanks Ken. Is there any way to check how many slots remain using getcapability, and an example of pushing the sealed data in with the evictcontrol command? If I am not wrong, I can clean the data back out using the same evictcontrol.
TPM_PT_HR_PERSISTENT_AVAIL gives a minimum, but a TPM is permitted to return 1 even when more can fit.
The reason it's an estimate is that a small sealed blob with no authorization takes up less space than an RSA 4096 key with a SHA-384 policy and a long password.
For the first time I can use load and push my 48 bytes of data inside the TPM; later I will delete the handles deliberately, then I want to recover my data after my hardware reboot.
1) ./createprimary -hi o -ecc nistp256 -pwdp test1
2) ./create -hp <primary_handle> -bl -if sea.bin -opu sealed_data.pub -opr sealed_data.priv -pwdp test1
3) ./load -hp <primary_handle> -ipu sealed_data.pub -ipr sealed_data.priv -pwdp test1
4) ./evictcontrol -hi o -ho <handle_from_load> -hp 0x81010001
5) rm sealed_data.pub sealed_data.priv
6) ./flushcontext -ha <primary_handle>
7) Reboot next.
8) ./unseal -ha 0x81010001 -of unsealed_data.bin
I am planning to test these commands.
Last edit: CPC 2024-09-11
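Two points in the thread are worth having in working form: Ken's note that TPM_PT_HR_PERSISTENT_AVAIL is only a lower bound, and his advice to keep the sealed blob (tpmpub.bin / tpmpriv.bin) outside the TPM and back it up like any other data. The Python below is an added example, not code from the thread or from the IBM TSS project. It assumes the caller has already obtained the set of occupied persistent handles and the TPM_PT_HR_PERSISTENT_AVAIL value from getcapability (the parsing of that tool's output is not shown), and the "sealed blobs" it backs up in demo() are constructed random bytes, not real TPM output. The manifest also records the parent's createprimary template, because a sealed object can only be loaded under a parent derived from the same hierarchy seed and template; the blob alone is not enough to recover after a reboot.

```python
"""Added example: persistent-handle bookkeeping and sealed-blob backup.
Not from the thread or the IBM TSS project; see lead-in for assumptions."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# TPM 2.0 persistent handles carry handle type TPM_HT_PERSISTENT (0x81).
PERSISTENT_FIRST = 0x81000000
# Owner-hierarchy share of the persistent range per the TCG reserved-handle
# registry; 0x81800000 and above is reserved for the platform hierarchy.
OWNER_PERSISTENT_LAST = 0x817FFFFF


def is_owner_persistent_handle(handle: int) -> bool:
    return PERSISTENT_FIRST <= handle <= OWNER_PERSISTENT_LAST


def next_free_persistent_handle(used, start=0x81010001) -> int:
    """Lowest unused owner persistent handle at or above `start`.
    `used` is the set of handles getcapability reported as occupied."""
    if not is_owner_persistent_handle(start):
        raise ValueError(f"{start:#x} is not an owner persistent handle")
    used = set(used)
    handle = start
    while handle in used:
        handle += 1
        if handle > OWNER_PERSISTENT_LAST:
            raise RuntimeError("owner persistent range exhausted")
    return handle


def slots_estimate(persistent_avail: int) -> str:
    """Interpret TPM_PT_HR_PERSISTENT_AVAIL as the lower bound it is.
    A TPM may report 1 and still accept more objects, since a small sealed
    blob needs less space than an RSA-4096 key with a policy and a password."""
    if persistent_avail == 0:
        return "no room: evict an object before evictcontrol will succeed"
    return f"at least {persistent_avail} more object(s) fit; real count may be higher"


def backup_sealed_blob(pub_path, priv_path, backup_dir, parent_template: str) -> dict:
    """Copy the sealed object's public and private parts into backup_dir and
    write a manifest with SHA-256 digests plus the parent's template.
    The private part is already encrypted by the TPM under the parent, so
    this guards integrity and availability, not confidentiality."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    files = {}
    for src in (Path(pub_path), Path(priv_path)):
        data = src.read_bytes()
        (backup_dir / src.name).write_bytes(data)
        files[src.name] = hashlib.sha256(data).hexdigest()
    manifest = {"parent_template": parent_template, "files": files}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir) -> bool:
    """True only if every blob named in the manifest exists and matches its digest."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    for name, digest in manifest["files"].items():
        blob = backup_dir / name
        if not blob.exists():
            return False
        if hashlib.sha256(blob.read_bytes()).hexdigest() != digest:
            return False
    return True


def demo():
    """Constructed run: 48-byte random stand-ins for tpmpub.bin/tpmpriv.bin
    (not real TPM output). Returns (verify before tamper, verify after tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        pub, priv = tmp / "tpmpub.bin", tmp / "tpmpriv.bin"
        pub.write_bytes(os.urandom(48))
        priv.write_bytes(os.urandom(48))
        backup = tmp / "backup"
        backup_sealed_blob(pub, priv, backup, "createprimary -hi o -ecc nistp256")
        ok_before = verify_backup(backup)
        # Simulate silent corruption of the private blob in the backup copy.
        (backup / "tpmpriv.bin").write_bytes(b"\x00" * 48)
        ok_after = verify_backup(backup)
    return ok_before, ok_after


if __name__ == "__main__":
    print(slots_estimate(1))
    print(f"{next_free_persistent_handle({0x81010001, 0x81010002}):#x}")
    print(demo())
```

The handle chooser and the AVAIL interpretation only make sense together: pick a handle that is actually free, then treat a non-zero AVAIL as permission to try evictcontrol rather than a guarantee it succeeds. On restore, re-run the same createprimary template recorded in the manifest before load; the manifest check catches a corrupted or truncated blob before you spend a slot on it.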