From: Martin P. <Mar...@ia...> - 2007-08-20 07:59:48
Nektarios Ioannides wrote:
> The only explanation I can give is that jTPMTools is trying to use jTSS with
> "aik_create" when it SHOULD have been using TrouSerS and jTSSWrapper...

While in the shower I thought about it again.... ;-)

JTpmTools simulates a full AIK cycle, not only keys but also with certificates.

case a) JTSS contains EK cert handling
case b) JTssWrapper does not (because TrouSerS does not)

a) works because JTpmTools looks for an EK cert on-chip and if you don't have one builds a fake one on-the-fly.

b) does not work because JTpmTools does not know which stack version is running (remember, the top level API is the same). JTT tries to fetch the certificate from the chip, but this method only exists in a native version (=JTSS code), but running both obviously conflicts with usage of /dev/tpm.

So the solution for the JTssWrapper case is to tell JTT to have faith that the stack already has an EK cert loaded, or as the command-line docu says:

  --noek ... EK certificate is already known by TSS (e.g. via tcsd.conf of TrouSerS)

I still cannot reproduce your validation problem...

HTH
--
Martin Pirker
IAIK, TU Graz