After clearing the TPM keys in the BIOS, I still could not clear the platform keys using IBM-TSS. Is that a problem with the TPM vendor/BIOS or IBM's TSS?
Platform: Infineon SLB9665TT2.0 TPM version 2.0 on Intel's NUC5i3MYBE
root@bbox:~/Downloads/ibmtss439/utils# ./clear -hi p
clear: failed, rc 000009a2
TPM_RC_BAD_AUTH - authorization failure without DA implications Session number 1
root@bbox:~/Downloads/ibmtss439/utils# ./clear -hi l
**clear: success**
root@bbox:~/Downloads/ibmtss439/utils# uname -a
Linux bbox 4.3.0-rc4 #1 SMP Wed Nov 25 11:30:02 EST 2015 x86_64 x86_64 x86_64 GNU/Linux
For the immediate issue, the first command apparently failed because you tried to use platform authorization and you didn't know the platform password. The TSS correctly reported the authorization failure.
The second command succeeded because you used lockout authorization and the password was evidently empty.
If this doesn't make sense, I suggest you read Part 1 Section 13 TPM Control Domains for a high level explanation of the concepts.
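The return codes reported in this thread (000009a2, 000002c9, 00000143), split into the fields the TSS prints next to them, as an added example in C that is not part of the original posts or of the IBM TSS. It assumes the TPM 2.0 response-code bit layout from Part 2 of the specification; `decode_rc` and `rc_name` are hypothetical helpers, and the name table covers only the codes seen here.

```c
#include <stdint.h>
#include <stdio.h>

/* What a format-one code points at: parameter, handle or session. */
enum rc_subject { RC_NONE, RC_PARAMETER, RC_HANDLE, RC_SESSION };
struct tpm_rc {
    int fmt1;                /* 1 if bit 7 is set (format-one code) */
    int warning;             /* format-zero only: bit 11 (severity) */
    unsigned err;            /* error number within its format */
    enum rc_subject subject; /* format-one only */
    unsigned index;          /* 1-based parameter/handle/session number */
};

/* Hypothetical helper: split a TPM 2.0 response code into its fields. */
struct tpm_rc decode_rc(uint32_t rc)
{
    struct tpm_rc d = {0, 0, 0, RC_NONE, 0};
    if (rc & 0x080) {                    /* format one */
        unsigned n = (rc >> 8) & 0xf;    /* N field, bits 11:8 */
        d.fmt1 = 1;
        d.err = rc & 0x03f;
        if (rc & 0x040)   { d.subject = RC_PARAMETER; d.index = n; }
        else if (n & 0x8) { d.subject = RC_SESSION;   d.index = n & 0x7; }
        else if (n)       { d.subject = RC_HANDLE;    d.index = n; }
    } else {                             /* format zero (bit 8 set on TPM 2.0) */
        d.err = rc & 0x07f;
        d.warning = (rc >> 11) & 1;
    }
    return d;
}

/* Names only for the codes that appear in this thread. */
const char *rc_name(const struct tpm_rc *d)
{
    if (d->fmt1 && d->err == 0x22)  return "TPM_RC_BAD_AUTH";
    if (d->fmt1 && d->err == 0x09)  return "TPM_RC_MODE";
    if (!d->fmt1 && d->err == 0x43) return "TPM_RC_COMMAND_CODE";
    return "(not in this table)";
}

int main(void)
{
    static const char *subj[] = {"", "parameter", "handle", "session"};
    const uint32_t seen[] = {0x9a2, 0x2c9, 0x143};  /* rc values from the thread */
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        struct tpm_rc d = decode_rc(seen[i]);
        printf("%08x %s %s %u\n", (unsigned)seen[i], rc_name(&d), subj[d.subject], d.index);
    }
}
```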
I am never able to clear the platform key, but I could clear the other keys with Intel's BIOS. With Intel's TSS, I could create keys (hierarchy e or o) and work with them without any problem, but IBM's TSS gives an error. I can provide further information if you need it.
root@bbox:~/Downloads/ibmtss439/utils# ./createprimary -hi o
createprimary: failed, rc 000002c9
TPM_RC_MODE - mode of operation not supported Parameter number 2
(I did not set any password)
Thanks Ken. It worked but failed later in symmetric cipher key test.
Create a symmetric cipher key under the primary key
WARN: Symmetric cipher key may not support sign attribute
Create a rev 116 symmetric cipher key under the primary key
ERROR:
create: failed, rc 000002c9
TPM_RC_MODE - mode of operation not supported Parameter number 2
1. I wonder if this TPM doesn't support CBC at all? Could you try making this change to create.c symmetricCipherTemplate() near line 748 and see if it works.
2. You should know that symmetric cipher is optional. It could be that this TPM doesn't implement it at all, and so you won't be able to create this type of key.
3. Remember that the regression test is a TSS test, not a TPM test. You can expect failures if the TPM does not implement optional features. If you've gotten this far, I think you can declare the TSS operational, and move on to developing your application.
After TPM rev 116, the attributes for symmetric cipher keys were changed slightly. The create utility (remember, this is sample code to help you develop your application) shows how to create 116 and post-116 keys.
I believe that this is unrelated to the mode error.
Thanks Ken,
After changing it to CFB, it creates the key but does not encrypt (Error: command code not supported). Does that mean AES is not supported by this module?
AES symmetric key
Start an HMAC auth session
INFO:
Handle 02000001
Load the symmetric cipher key under the primary key
INFO:
Handle 80000001
Encrypt using the symmetric cipher key
ERROR:
encryptdecrypt: failed, rc 00000143
TPM_RC_COMMAND_CODE - command code not supported
Last edit: Ovi 2015-12-02
Could you please start new threads for new issues. It will make it easier for other people.
If it says command code not supported, it means that the TPM does not support the command - in this case encryptdecrypt.
AES is an algorithm, not a command code. It is mandatory for a PC Client TPM.
To see if a command is supported, you can use getcapability. In this case:
>getcapability -cap 2 -pr 164
asks for all supported command codes starting with 164. If the first one in the response doesn't end with 164, the TPM cannot do encryptdecrypt.
I also note that these are not TSS issues, but I'll try to help as time permits.
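The check described above, done on the raw TPM2_GetCapability response instead of the utility's printed output, as an added example in C that is not from the thread or the IBM TSS sources. The two response buffers are constructed samples and `command_supported` is a hypothetical helper; the field layout is the TPM 2.0 wire format for a TPM_CAP_COMMANDS reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TPM_CAP_COMMANDS  2u      /* the "-cap 2" argument */
#define CC_ENCRYPTDECRYPT 0x164u  /* the "-pr 164" argument */

static uint32_t be32(const uint8_t *p)  /* TPM wire format is big-endian */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Hypothetical helper. rsp is a raw TPM2_GetCapability response that was
 * requested with property = cc. Returns 1 supported, 0 not, -1 unusable. */
int command_supported(const uint8_t *rsp, size_t len, uint32_t cc)
{
    /* tag(2) size(4) rc(4) moreData(1) capability(4) count(4) = 19 bytes */
    if (len < 19 || be32(rsp + 2) != len || be32(rsp + 6) != 0)
        return -1;
    if (be32(rsp + 11) != TPM_CAP_COMMANDS)
        return -1;
    uint32_t count = be32(rsp + 15);
    if (count > (len - 19) / 4)
        return -1;               /* list longer than the buffer */
    if (count == 0)
        return 0;                /* no command at or above cc */
    /* TPMA_CC: bits 15:0 hold the command index, the rest are attributes */
    return (be32(rsp + 19) & 0xffffu) == (cc & 0xffffu);
}

/* Constructed sample responses, one TPMA_CC entry each. */
static const uint8_t RSP_WITH[] = {     /* first entry has index 0x164 */
    0x80,0x01, 0,0,0,23, 0,0,0,0, 1, 0,0,0,2, 0,0,0,1, 0x02,0x00,0x01,0x64 };
static const uint8_t RSP_WITHOUT[] = {  /* list starts at 0x165 instead */
    0x80,0x01, 0,0,0,23, 0,0,0,0, 1, 0,0,0,2, 0,0,0,1, 0x02,0x00,0x01,0x65 };

int main(void)
{
    printf("with: %d, without: %d\n",
           command_supported(RSP_WITH, sizeof RSP_WITH, CC_ENCRYPTDECRYPT),
           command_supported(RSP_WITHOUT, sizeof RSP_WITHOUT, CC_ENCRYPTDECRYPT));
}
```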
Thanks Ken.
We can close this discussion. I'll create a new thread if needed. You have answered the question even though it was outside of TSS. Yes, my device is not supporting TPM_CC_EncryptDecrypt (0x00000164). Probably I need to find an alternative command.
Only these commands work fine. Any help ...
It's hard to tell you why other commands are failing if you don't tell us what they are and how they failed.
If you've done a successful clear, the owner password should be empty and commands using it should succeed.
(Could you please start a new thread for new issues. It will make it easier to track them.)
The TPM is supposed to ignore the mode and use CFB. However, I think this change was made recently and your TPM doesn't have it.
Still, I should set the mode to CFB for interoperability.
Could you make these changes and let me know if it works. If so, I'll upload a new version.
createprimary.c near line 281:
create.c near line 609
Last edit: Ken Goldman 2015-11-30
Comments in order of importance:
1. I wonder if this TPM doesn't support CBC at all? Could you try making this change to create.c symmetricCipherTemplate() near line 748 and see if it works.
2. You should know that symmetric cipher is optional. It could be that this TPM doesn't implement it at all, and so you won't be able to create this type of key.
3. Remember that the regression test is a TSS test, not a TPM test. You can expect failures if the TPM does not implement optional features. If you've gotten this far, I think you can declare the TSS operational, and move on to developing your application.
Also found this in the comment of ./create.sh, anything to do with the TPM support?