I'm having problems implementing a seal/unseal procedure using the seal to pcr approach. For some reason, the sealed object is released from the TPM with no regrads to the PCR state.... This is a bog problem, as data sealed to the TPM should not be released when the PCR registers do not contains the correct values. I suspect that somehow the seal utils uses password based seal/unseal.
Things to consider:
1. The TPM is "owned", and is TPM2 varient, on an intel motherboard. The TPM is from Intel.
2. The Process was adapted from the testunseal.sh from the test scripts provided in this project.
3. I created a permanent handle at 81000001, as the sealed key will be used between reboots.
Seal and Unseal to PCRs
59a4ea34e5351fe8b35669162fac808c9c10d352
Create a sealed data object sha1
Load the sealed data object
Handle 80000001
PCR 16 Reset
0000000000000000000000000000000000000000
Start a policy session sha1
Handle 03000000
Unseal the data blob - policy failure, policypcr not run
Policy PCR, update with the wrong PCR 16 value
Unseal the data blob - policy failure, PCR 16 incorrect
1234567890abcdef
Extend PCR 16 to correct value
59a4ea34e5351fe8b35669162fac808c9c10d352
Policy restart, set back to zero
Policy PCR, update with the correct PCR 16 value
Unseal the data blob
Verify the unsealed result
1234567890abcdef
Flush the sealed object
Flush the policy session
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I think that you expected ./unseal -ha 80000001 -of tmp.bin to fail because you used a password session rather than the policy session.
If so, the create utility (what you call the seal utility) currently sets the attribute userWithAuth. This says that either password or policy can be used. There are two solutions:
Change the code in objecttemplates to not set userWithAuth.
Give me an email address and I can send you a not-yet-released enhancement that has a command line option to clear the flag.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
First of all - Thanks for the quick reply!
1. I'm not sure how to do that. Do you mean that I need to go find where in the sources this flag is set, patch, and recomplie?
2. Please use oba2cat4 [at] gmail [dot] com.
Thanks again!
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Note that this is just a currently missing feature in the sample utilities. The TSS library itself supports all the options.
Did you want a tarball with the updated create utility? It has a -uwa option to clear the flag. If you don't need the option, commenting out the code should be faster for you.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
For my use case (based on this blog post:tpm2-sealed-luks), a recompile will be enough.
But in any case, can you send me the the tarball with the utility in any case?
Thanks!
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
There is another odd thing that I encountered, regarding policydigest vs policymakerpcr output. It should be the same, for a preset pcrs values and mask, but it isn't. I will open a new discussion, if I can replicate.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
You are sealing to a policy, but the utility currently creates the sealed blob such that it can be unsealed by either a policy or a password/HMAC session. To remove the "or password" authorization, userWithAuth has to be clear.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
The policy digest (output of PolicyGetDigest) will not be the same as the output of policymakerpcr.
policymakerpcr creates an AND term that is used as an input to policymaker. It contains the command code, PCR selection, and digest of the selected PCRs. It's not the final policy digest.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
now the sequence fails with :
TPM_RC_AUTH_UNAVAILABLE - authValue or authPolicy is not available for selected entity.
It seems to me, that commenting out the flag is not enough...
Commenting out the line, recompiling, and using the resulting binaries to create with a policy this way:
Trivial typo:
./unseal -ha 80000001 -se2 03000000 1 -of /dev/stdout
should be -se0
For unseal, the authorization session has to be the first session (-se0). There can be other sessions for response encryption or audit.
In general, the authorization sessions have to be the first sessions, while encrypt, decrypt, and audit sessions come later. The authorization session can also be used for parameter encrypt, decrypt, and sometimes for audit.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
You didn't show the entire script this time. However, I can confirm that when I ran your original script with -se0, the unseal succeeded. -se1 got the same error as -se2. I can't explain why -se0 is trying to do parameter encryption for you.
Suggestions:
Forget -se2. Unseal needs an authorization session. -se0 is correct.
Post the entire script. Use -se0
Post the failing step with -v
Could it be possible that you did some code modifications that you did not undo?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I made modifications to the 966 code, but for this test I used 1013, without any mods. I looked at the code, and 1013 does clear the flag correctly.
Just a small note - to work with my tpm, I made some change to the Makefile. This should not have any effect for this problem. In case you want to review the makefile, I uploaded it here: makefile gist
it is the same script as before. it creates a bl, then trys to unseal witout a session (should fail), then unseal with -se0 (should succed).
I think this is an easy one. It's failing to load the (encrypted) session state.
Did you do the steps in the manual Application Notes section 4.9. Encrypted Session State?
Earlier, it says:
See 4.9 Encrypted Session State for the special case of using the command line utilities. That section is not applicable when using the TSS library in programs.
I'll change the section name to "Command Line Utilities" so hopefully it will be easier to notice.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
It looks be working after I compiled using the -DTPM_ENCRYPT_SESSIONS_DEFAULT="\"0\"" in the makefile. I will do more testing and report.
Thanks very much!
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I'm having problems implementing a seal/unseal procedure using the seal to pcr approach. For some reason, the sealed object is released from the TPM with no regrads to the PCR state.... This is a bog problem, as data sealed to the TPM should not be released when the PCR registers do not contains the correct values. I suspect that somehow the seal utils uses password based seal/unseal.
Things to consider:
1. The TPM is "owned", and is TPM2 varient, on an intel motherboard. The TPM is from Intel.
2. The Process was adapted from the testunseal.sh from the test scripts provided in this project.
3. I created a permanent handle at 81000001, as the sealed key will be used between reboots.
This is the test script:
content of the policy file:
The output:
I think that you expected ./unseal -ha 80000001 -of tmp.bin to fail because you used a password session rather than the policy session.
If so, the create utility (what you call the seal utility) currently sets the attribute userWithAuth. This says that either password or policy can be used. There are two solutions:
First of all - Thanks for the quick reply!
1. I'm not sure how to do that. Do you mean that I need to go find where in the sources this flag is set, patch, and recomplie?
2. Please use oba2cat4 [at] gmail [dot] com.
Thanks again!
Yes, the line is in objecttemplates.c It will look something like this. Comment it out, and recompile.
Note that this is just a currently missing feature in the sample utilities. The TSS library itself supports all the options.
Did you want a tarball with the updated create utility? It has a -uwa option to clear the flag. If you don't need the option, commenting out the code should be faster for you.
For my use case (based on this blog post:tpm2-sealed-luks), a recompile will be enough.
But in any case, can you send me the the tarball with the utility in any case?
Thanks!
Using the example test script, this is the way to create (or "seal") to a Policy. I'm not sure why it is wrong.
this is the line from the testuneal.sh script, where ${HALG} is either sha1 or sha256:
and my create line:
There is another odd thing that I encountered, regarding policydigest vs policymakerpcr output. It should be the same, for a preset pcrs values and mask, but it isn't. I will open a new discussion, if I can replicate.
You are sealing to a policy, but the utility currently creates the sealed blob such that it can be unsealed by either a policy or a password/HMAC session. To remove the "or password" authorization, userWithAuth has to be clear.
The policy digest (output of PolicyGetDigest) will not be the same as the output of policymakerpcr.
policymakerpcr creates an AND term that is used as an input to policymaker. It contains the command code, PCR selection, and digest of the selected PCRs. It's not the final policy digest.
now the sequence fails with :
TPM_RC_AUTH_UNAVAILABLE - authValue or authPolicy is not available for selected entity.
It seems to me, that commenting out the flag is not enough...
Commenting out the line, recompiling, and using the resulting binaries to create with a policy this way:
and the resulting output from the unseal sequence:
verbose output for the create:
and verbose output for the unseal:
Trivial typo:
./unseal -ha 80000001 -se2 03000000 1 -of /dev/stdout
should be -se0
For unseal, the authorization session has to be the first session (-se0). There can be other sessions for response encryption or audit.
In general, the authorization sessions have to be the first sessions, while encrypt, decrypt, and audit sessions come later. The authorization session can also be used for parameter encrypt, decrypt, and sometimes for audit.
That was not a typo. for some reason the se0 and se1 cause a different error:
You didn't show the entire script this time. However, I can confirm that when I ran your original script with -se0, the unseal succeeded. -se1 got the same error as -se2. I can't explain why -se0 is trying to do parameter encryption for you.
Suggestions:
Could it be possible that you did some code modifications that you did not undo?
I made modifications to the 966 code, but for this test I used 1013, without any mods. I looked at the code, and 1013 does clear the flag correctly.
Just a small note - to work with my tpm, I made some change to the Makefile. This should not have any effect for this problem. In case you want to review the makefile, I uploaded it here:
makefile gist
and the verbose output from the failed step:
I think this is an easy one. It's failing to load the (encrypted) session state.
Did you do the steps in the manual Application Notes section 4.9. Encrypted Session State?
Earlier, it says:
See 4.9 Encrypted Session State for the special case of using the command line utilities. That section is not applicable when using the TSS library in programs.
I'll change the section name to "Command Line Utilities" so hopefully it will be easier to notice.
It looks be working after I compiled using the -DTPM_ENCRYPT_SESSIONS_DEFAULT="\"0\"" in the makefile. I will do more testing and report.
Thanks very much!
Tests are now done. All is as it should be. Thanks for the Help!