From: Robert S. II <rps...@sy...> - 2014-02-25 19:50:58
Thanks for the quick reply. Yes, I would like to seal to the SRK. I am also sealing to PCR state.

Looking at the TCG command spec for TPM_Seal, I don't understand where I'm supposed to get the inputs from. I know some of the TPM_Seal inputs are outputs of earlier commands, but I don't know which ones. For instance, consider the following inputs to TPM_Seal in the TCG spec:

    TPM_KEY_HANDLE keyHandle   // Handle of a loaded key that can perform seal operations
    TPM_ENCAUTH    encAuth     // The encrypted AuthData for the sealed data
    TPM_PCR_INFO   pcrInfo     // The PCR selection information
    TPM_AUTHHANDLE authHandle  // The authorization session handle used for keyHandle
                               // authorization. Must be an OSAP session for this command.
    TPM_AUTHDATA   pubAuth     // The authorization session digests for inputs and keyHandle

Since I am sealing to the SRK, I need keyHandle to be the SRK handle. But which command do I use to obtain the SRK keyHandle?

As you said, I can use TPM_PCRREAD to fill in pcrInfo, so I understand that now.

It says the authHandle must be OSAP. However, in the TPM_Seal Actions, it says that authHandle indicates the ADIP used to decrypt encAuth. Does this mean I need to execute a command to set authHandle to indicate this ADIP?

Looking at the Actions of TPM_Seal, it doesn't use pubAuth anywhere. So what should I put for it?

On 02/25/2014 01:53 PM, Ken Goldman wrote:
> If you use loadkey, you'll also need createwrapkey to create the key and
> flushspecific to unload it.
>
> However, if you're very early in a boot cycle, perhaps you don't have
> disk access yet to get the key. Can seal to the SRK rather than loading
> a key?
>
> What are you sealing to? If it's the current PCR state, you need pcrread.
>
> Unseal can use osap or oiap. Either way, you might want getrandom to
> generate your random nonce.
>
> Finally, depending upon what ran before you, you might need
> continueselftest.
>
> On 2/25/2014 1:20 PM, Robert Sutton II wrote:
>> Which TPM commands does the TPM_Seal and TPM_Unseal command depend on?
>> Obviously, Unseal depends on Seal, because you need to Seal something in
>> order to Unseal it. But it seems that Seal requires an OSAP session, so
>> I need to use TPM_OSAP. And it seems that to start an OSAP session, you
>> need to load a key, so I need TPM_LoadKey. And in order to use LoadKey, I
>> need to take ownership, so I need TPM_TakeOwnership. So it seems that I
>> need to execute the following TPM commands to use Seal and Unseal:
>> TPM_TakeOwnership -> TPM_LoadKey -> TPM_OSAP -> TPM_Seal -> TPM_Unseal.
>> Is this correct? The spec is not clear in exactly which commands depend
>> on other commands, so this is confusing to me.
>
> _______________________________________________
> TrouSerS-users mailing list
> Tro...@li...
> https://lists.sourceforge.net/lists/listinfo/trousers-users
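The questions above about encAuth, authHandle and pubAuth all come down to the same OSAP arithmetic in the TPM 1.2 spec. The example below is added here to illustrate it; it is not code from this thread or from TrouSerS. It models, in Python, what a caller computes from the values TPM_OSAP returns (authHandle, nonceEven, nonceEvenOSAP) before sending TPM_Seal, and what the TPM recomputes on receipt: sharedSecret = HMAC-SHA1(usageAuth, nonceEvenOSAP || nonceOddOSAP); the ADIP pad SHA-1(sharedSecret || nonceEven) that is XORed with the data's authorization value to form encAuth; and pubAuth = HMAC-SHA1(sharedSecret, inParamDigest || nonceEven || nonceOdd || continueAuthSession). The constants TPM_KH_SRK and TPM_ORD_Seal are the spec's fixed values (the SRK handle is a well-known constant, not the output of any command); the SRK well-known secret of twenty zero bytes, the nonces and the sealed data are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constants from the TPM 1.2 specification (known values; the thread itself does not quote them).
TPM_KH_SRK = 0x40000000    # well-known handle of the Storage Root Key: no command hands it out
TPM_ORD_Seal = 0x00000017  # ordinal of TPM_Seal, the first field covered by inParamDigest
AUTH_LEN = 20              # TPM_AUTHDATA / TPM_NONCE / TPM_ENCAUTH are all 20 bytes (SHA-1 size)


def osap_shared_secret(usage_auth, nonce_even_osap, nonce_odd_osap):
    """sharedSecret = HMAC-SHA1(key usageAuth, nonceEvenOSAP || nonceOddOSAP).

    nonceEvenOSAP is returned by TPM_OSAP; nonceOddOSAP is chosen by the caller and
    sent in the TPM_OSAP request, so both sides can derive the same secret."""
    return hmac.new(usage_auth, nonce_even_osap + nonce_odd_osap, hashlib.sha1).digest()


def adip_xor(shared_secret, nonce_even, auth):
    """ADIP for an OSAP session: pad = SHA-1(sharedSecret || authLastNonceEven).

    The caller computes encAuth = pad XOR dataAuth; the TPM applies the same XOR to
    recover dataAuth, so one function serves both directions."""
    pad = hashlib.sha1(shared_secret + nonce_even).digest()
    return bytes(p ^ a for p, a in zip(pad, auth))


def seal_in_param_digest(enc_auth, pcr_info, in_data):
    """inParamDigest = SHA-1(ordinal || encAuth || pcrInfoSize || pcrInfo || inDataSize || inData)."""
    blob = (struct.pack(">I", TPM_ORD_Seal) + enc_auth
            + struct.pack(">I", len(pcr_info)) + pcr_info
            + struct.pack(">I", len(in_data)) + in_data)
    return hashlib.sha1(blob).digest()


def seal_pub_auth(shared_secret, enc_auth, pcr_info, in_data,
                  nonce_even, nonce_odd, continue_session=False):
    """pubAuth = HMAC-SHA1(sharedSecret, inParamDigest || nonceEven || nonceOdd || continueAuthSession)."""
    msg = (seal_in_param_digest(enc_auth, pcr_info, in_data)
           + nonce_even + nonce_odd + bytes([1 if continue_session else 0]))
    return hmac.new(shared_secret, msg, hashlib.sha1).digest()


def build_seal_request(srk_usage_auth, data_auth, pcr_info, in_data,
                       nonce_even_osap, nonce_odd_osap, nonce_even, nonce_odd):
    """Caller side: derive every authorization field of TPM_Seal from the OSAP session values."""
    secret = osap_shared_secret(srk_usage_auth, nonce_even_osap, nonce_odd_osap)
    enc_auth = adip_xor(secret, nonce_even, data_auth)
    return {
        "keyHandle": TPM_KH_SRK,
        "encAuth": enc_auth,
        "pcrInfo": pcr_info,
        "inData": in_data,
        "nonceOdd": nonce_odd,
        "pubAuth": seal_pub_auth(secret, enc_auth, pcr_info, in_data, nonce_even, nonce_odd),
    }


def tpm_check_seal_request(req, srk_usage_auth, nonce_even_osap, nonce_odd_osap, nonce_even):
    """TPM side: recompute pubAuth from its own copy of the session state.

    Returns the recovered dataAuth when the HMAC matches, or None when it does not
    (the real TPM answers TPM_AUTHFAIL and never touches encAuth in that case)."""
    secret = osap_shared_secret(srk_usage_auth, nonce_even_osap, nonce_odd_osap)
    expected = seal_pub_auth(secret, req["encAuth"], req["pcrInfo"], req["inData"],
                             nonce_even, req["nonceOdd"])
    if not hmac.compare_digest(expected, req["pubAuth"]):
        return None
    return adip_xor(secret, nonce_even, req["encAuth"])


if __name__ == "__main__":
    # Constructed sample session: well-known SRK secret (20 zero bytes) and fixed nonces.
    srk_auth = b"\x00" * AUTH_LEN
    data_auth = bytes(range(100, 120))                  # constructed authorization for the blob
    n_even_osap, n_odd_osap = bytes(range(20)), bytes(range(20, 40))
    n_even, n_odd = bytes(range(40, 60)), bytes(range(60, 80))
    req = build_seal_request(srk_auth, data_auth, b"", b"constructed secret",
                             n_even_osap, n_odd_osap, n_even, n_odd)
    print("encAuth :", req["encAuth"].hex())
    print("pubAuth :", req["pubAuth"].hex())
    print("TPM recovers dataAuth:",
          tpm_check_seal_request(req, srk_auth, n_even_osap, n_odd_osap, n_even) == data_auth)
```

Two things the code makes concrete: pubAuth is consumed by the authorization check that runs before the Actions section of TPM_Seal, which is why the Actions never mention it, and tampering with any covered input (inData here) changes inParamDigest and makes the TPM reject the command without ever decrypting encAuth.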