From: Hal F. <hal...@gm...> - 2008-07-29 16:14:01

Hi Ram -

If I am reading the TPM_CertifyKey implementation instructions correctly, section 13.8 of the "TPM Main Part 3 Commands Specification Version 1.2", certification of a key locked to PCRs can only succeed when the current PCRs match what the key is locked to. This is controlled by the TPM_PCRIGNOREDONREAD flag - the default value of FALSE means that this restriction is in place. If you need to certify a key while in a state that doesn't match the key's PCR restrictions, you will need to set this flag on key creation.

This same restriction and flag-override is also in place for Tspi_Key_GetPubKey - if a key uses PCRs, this function won't work unless either the PCRs currently match the key's restrictions, or you set that TPM_PCRIGNOREDONREAD flag when the key was created. That flag only affects these two functions, Certify and GetPubKey - the PCR restrictions of course are still in place as far as actually using the key for signing, unsealing, etc.

So if you locked the key to a PCR value that doesn't match what is current, this could explain it. If you did lock it to a current PCR value, this wouldn't seem to be the explanation.

Hal Finney

On Mon, Jul 28, 2008 at 11:13 PM, Ram Krishnan <pro...@ya...> wrote:
> Greetings!
>
> When I create a key that is not bound to any PCR, the certify key
> (Tspi_Key_CertifyKey) operation is successful. But certifykey returns an error
> when the key to be certified is bound to a PCR (say PCR #7). The key however
> was created and registered successfully. Specifically, the error seems to
> arise from the following part of the tspi_certify.c code from src/tspi:
>
>     if ((result = TCS_API(tspContext)->CertifyKey(tspContext, certifyTCSKeyHandle,
>                                                    keyTCSKeyHandle, &antiReplay, pCertAuth,
>                                                    pKeyAuth, &CertifyInfoSize, &CertifyInfo,
>                                                    &outDataSize, &outData))) {
>             //my modification for error check
>             printf("\nreturn certifyinfo\n");
>             return result;
>     }
>
> Any clue why this is happening? I am beginning to wonder if this is similar
> to the problem identified here:
> http://sourceforge.net/mailarchive/forum.php?thread_name=20070703220630.44190%40gmx.net&forum_name=trousers-users
>
> I remember I had the cited problem in trousers version 0.2.9. But certifykey
> worked after applying a num_pcrs.patch (or actually hardcoding num_pcrs in
> src/obj_pcrs.c to 16). Greatly appreciate any help. Thanks!
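As an added example (not code from this thread, and not TrouSerS code): a small C diagnostic that decodes the keyFlags and PCRInfoSize fields of a serialized TPM_KEY blob (the blob Tspi_GetAttribData returns for TSS_TSPATTRIB_KEY_BLOB) and applies the rule Hal describes, so you can tell before calling Tspi_Key_CertifyKey whether the key is PCR-bound and whether TPM_PCRIGNOREDONREAD was set on it. The 1.1-style TPM_KEY field layout, the flag bit value 0x00000008, and the constructed sample blob are this example's own assumptions (a TPM_KEY12 blob has a different header and is deliberately rejected by the version check); build_sample_key, parse_tpm_key, certify_allowed and check_case are names chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TPM_KEY_FLAGS bit values as this example assumes them (TPM Main Part 2, TPM_KEY_FLAGS).
 * TPM_PCRIGNOREDONREAD is the flag from Hal's reply: when set, CertifyKey and
 * GetPubKey skip the PCR comparison; signing and unsealing never get that override. */
#define TPM_REDIRECTION      0x00000001u
#define TPM_MIGRATABLE       0x00000002u
#define TPM_ISVOLATILE       0x00000004u
#define TPM_PCRIGNOREDONREAD 0x00000008u

typedef struct {
    uint32_t key_flags;      /* keyFlags field of the blob */
    uint32_t pcr_info_size;  /* 0 means the key is not bound to any PCR */
} key_summary;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (uint8_t)v;
}

/* Walk a serialized 1.1-style TPM_KEY, assumed layout (all fields big-endian):
 *   TPM_STRUCT_VER ver(4) | keyUsage(2) | keyFlags(4) | authDataUsage(1) |
 *   TPM_KEY_PARMS { algorithmID(4) encScheme(2) sigScheme(2) parmSize(4) parms[parmSize] } |
 *   PCRInfoSize(4) | PCRInfo[PCRInfoSize] | pubKey and encData follow (not needed here).
 * Returns 0 on success, -1 if the blob is truncated or not a 1.1 TPM_KEY. */
int parse_tpm_key(const uint8_t *blob, size_t len, key_summary *out)
{
    size_t off = 0;
    if (len < 4 + 2 + 4 + 1 + 4 + 2 + 2 + 4)
        return -1;
    if (blob[0] != 0x01 || blob[1] != 0x01)  /* TPM_STRUCT_VER major.minor must be 1.1 */
        return -1;
    off += 4;                                /* ver */
    off += 2;                                /* keyUsage */
    out->key_flags = be32(blob + off); off += 4;
    off += 1;                                /* authDataUsage */
    off += 8;                                /* algorithmID, encScheme, sigScheme */
    uint32_t parm_size = be32(blob + off); off += 4;
    if (parm_size > len - off || len - off - parm_size < 4)
        return -1;
    off += parm_size;                        /* skip TPM_RSA_KEY_PARMS */
    out->pcr_info_size = be32(blob + off); off += 4;
    if (out->pcr_info_size > len - off)
        return -1;
    return 0;
}

/* Hal's reading of section 13.8 as a predicate: CertifyKey / GetPubKey succeed when the
 * key has no PCR binding, when the current PCRs match it, or when
 * TPM_PCRIGNOREDONREAD is set. 1 = the TPM should accept, 0 = expect an error. */
int certify_allowed(const key_summary *k, int pcrs_currently_match)
{
    if (k->pcr_info_size == 0 || pcrs_currently_match)
        return 1;
    return (k->key_flags & TPM_PCRIGNOREDONREAD) != 0;
}

/* Constructed sample blob (not a real TPM key): signing key, RSA-2048 parms, caller-chosen
 * keyFlags, and a PCRInfo area of pcr_info_size zero bytes. pubKey.keyLength and
 * encDataSize are written as 0 placeholders. Returns the blob length, 0 if cap is too small. */
size_t build_sample_key(uint8_t *buf, size_t cap, uint32_t key_flags, uint32_t pcr_info_size)
{
    static const uint8_t head[] = { 0x01, 0x01, 0x00, 0x00,   /* TPM_STRUCT_VER 1.1.0.0 */
                                    0x00, 0x10 };             /* keyUsage = TPM_KEY_SIGNING */
    static const uint8_t parms[] = {
        0x01,                        /* authDataUsage = TPM_AUTH_ALWAYS */
        0x00, 0x00, 0x00, 0x01,      /* algorithmID = TPM_ALG_RSA */
        0x00, 0x01,                  /* encScheme = TPM_ES_NONE */
        0x00, 0x02,                  /* sigScheme = TPM_SS_RSASSAPKCS1v15_SHA1 */
        0x00, 0x00, 0x00, 0x0c,      /* parmSize = 12 */
        0x00, 0x00, 0x08, 0x00,      /* keyLength = 2048 */
        0x00, 0x00, 0x00, 0x02,      /* numPrimes = 2 */
        0x00, 0x00, 0x00, 0x00 };    /* exponentSize = 0 (default exponent) */
    size_t need = sizeof head + 4 + sizeof parms + 4 + pcr_info_size + 8;
    if (cap < need)
        return 0;
    uint8_t *p = buf;
    memcpy(p, head, sizeof head);  p += sizeof head;
    put32(p, key_flags);           p += 4;
    memcpy(p, parms, sizeof parms); p += sizeof parms;
    put32(p, pcr_info_size);       p += 4;
    memset(p, 0, pcr_info_size);   p += pcr_info_size;
    memset(p, 0, 8);               p += 8;   /* pubKey.keyLength = 0, encDataSize = 0 */
    return (size_t)(p - buf);
}

/* Build, parse and evaluate one scenario; -1 means the blob did not parse. */
int check_case(uint32_t key_flags, uint32_t pcr_info_size, int pcrs_match)
{
    uint8_t buf[256];
    key_summary k;
    size_t n = build_sample_key(buf, sizeof buf, key_flags, pcr_info_size);
    if (n == 0 || parse_tpm_key(buf, n, &k) != 0)
        return -1;
    return certify_allowed(&k, pcrs_match);
}

int main(void)
{
    /* Ram's situation: key bound to a PCR, flag left at its default of FALSE. */
    printf("PCR-bound, flag clear, PCRs differ : certify %s\n",
           check_case(0, 44, 0) ? "expected to succeed" : "expected to fail");
    printf("PCR-bound, flag clear, PCRs match  : certify %s\n",
           check_case(0, 44, 1) ? "expected to succeed" : "expected to fail");
    printf("PCR-bound, TPM_PCRIGNOREDONREAD set : certify %s\n",
           check_case(TPM_PCRIGNOREDONREAD, 44, 0) ? "expected to succeed" : "expected to fail");
    printf("not PCR-bound                       : certify %s\n",
           check_case(0, 0, 0) ? "expected to succeed" : "expected to fail");
    return 0;
}
```

Run it against the blob of the key that fails: a non-zero PCRInfoSize together with a clear TPM_PCRIGNOREDONREAD bit, while the platform is not in the PCR state the key was created under, matches the failure Hal describes; a zero PCRInfoSize instead points back at the num_pcrs problem from the earlier thread.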