Re: [TrouSerS-users] TrouSerS without an OS?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Thanks for the quick reply. Yes, I would like to seal to the SRK. I am 
also sealing to PCR state.

Looking at the TCG command spec for TPM_Seal, I don't understand where 
I'm supposed to get the inputs from. I know some of the TPM_Seal inputs 
are outputs of earlier commands, but I don't know which ones. For 
instance, consider the following inputs to TPM_Seal in the TCG spec:

TPM_KEY_HANDLE keyHandle        //Handle of a loaded key that can 
perform seal operations
TPM_ENCAUTH encAuth        //The encrypted AuthData for the sealed data
TPM_PCR_INFO pcrInfo         //The PCR selection information
TPM_AUTHHANDLE authHandle         //The authorization session handle 
used for keyHandle
//authorization. Must be an OSAP session for this command.
TPM_AUTHDATA pubAuth        //The authorization session digests for 
inputs and keyHandle

Since I am sealing to the SRK, I need keyHandle to be the SRK handle. 
But which command do I use to obtain the SRK keyHandle?

As you said, I can use TPM_PCRREAD to fill in pcrInfo, so I understand 
that now.

It says the authHandle must be OSAP. However, in the TPM_Seal Actions, 
it says that authHandle indicates the ADIP used to decrypt encAuth. Does 
this mean I need to execute a command to set authHandle to indicate this 
ADIP?

Looking at the Actions of TPM_Seal, it doesn't use pubAuth anywhere. So 
what should I put for it?

On 02/25/2014 01:53 PM, Ken Goldman wrote:
> If you use loadkey, you'll also need createwrapkey to create the key and
> flushspecific to unload it.
>
> However, if you're very early in a boot cycle, perhaps you don't have
> disk access yet to get the key.  Can seal to the SRK rather than loading
> a key?
>
> What are you sealing to?  If it's the current PCR state, you need pcrread.
>
> Unseal can use osap or oiap.  Either way, you might want getrandom to
> generate your random nonce.
>
> Finally, depending upon what ran before you, you might need
> continueselftest.
>
> On 2/25/2014 1:20 PM, Robert Sutton II wrote:
>> Which TPM commands does the TPM_Seal and TPM_Unseal command depend on?
>> Obviously, Unseal depends on Seal, because you need to Seal something in
>> order to Unseal it. But it seems that Seal requires an OSAP session, so
>> I need to use TPM_OSAP. And it seems that to start an OSAP session, you
>> need to load a key, so I need TPM_LoadKey. An in order to use LoadKey, I
>> need to take ownership, so I need TPM_TakeOwnership. So it seems that I
>> need to execute the following TPM commands to use Seal and Unseal:
>> TPM_TakeOwnership -> TPM_LoadKey -> TPM_OSAP -> TPM_Seal -> TPM_Unseal.
>> Is this correct? The spec is not clear in exactly which commands depend
>> on other commands, so this is confusing to me.
>
>
> ------------------------------------------------------------------------------
> Flow-based real-time traffic analytics software. Cisco certified tool.
> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
> Customize your own dashboards, set traffic alerts and generate reports.
> Network behavioral analysis & security monitoring. All-in-one tool.
> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
> _______________________________________________
> TrouSerS-users mailing list
> Tro...@li...
> https://lists.sourceforge.net/lists/listinfo/trousers-users