trustedjava-support

[Trustedjava-support] How to set SRK secret to TSS_WELL_KNOWN_SECRET

[Mudassar A. <mud...@ho...>]

Hi

I have initialized my tpm using tpm.msc utility in windows 7. It allowed me 
to set owner password. But I could not find any way to create/set SRK. I 
tried to execute take ownership code but it says "TPM ownership command is 
disabled". I have tried to list tpm keys using

context_.getRegisteredKeysByUuid(null,TcTssConstants.TSS_PS_TYPE_SYSTEM);

but I get null since SRK is not registered. How can I set SRK to 
TSS_WLL_KNOWN_SECRET?

Regards.

Mudassar.

[Trustedjava-support] How to set SRK secret to TSS_WELL_KNOWN_SECRET

[Mudassar A. <mud...@ho...>]

Hi

SRK secret is one thing, I am actually unable to load srk instance using 
context. Is it possible to load SRK even if it is not registered in system 
PS (this is where I think take_ownership is required)?

Well, I tried to create another key with SRK being its parent key. I used 
following code but get error "No secret set for this policy object" when I 
call createKey(srk, null). Obviously because SRK is not registered.



/*KEY CREATION*/

            //Parent key SRK
            TcIRsaKey srk = 
context.getKeyByUuid(TcTssConstants.TSS_PS_TYPE_SYSTEM,TcUuidFactory.getInstance().getUuidSRK());
            TcIPolicy srkPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
            srkPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_SHA1, 
TcBlobData.newByteArray(TcTssConstants.TSS_WELL_KNOWN_SECRET) );
            srkPolicy.assignToObject(srk);


            /*Binding Key*/
            //    Create an empty binding key object
            long keyAttributes =      TcTssConstants.TSS_KEY_SIZE_2048 |
                                 TcTssConstants.TSS_KEY_TYPE_BIND |
                                 TcTssConstants.TSS_KEY_VOLATILE |
                                 TcTssConstants.TSS_KEY_NOT_MIGRATABLE |
                                 TcTssConstants.TSS_KEY_NO_AUTHORIZATION; 
//default

            TcIRsaKey bindKey = context.createRsaKeyObject(keyAttributes);

            // Bind key usage policy
            TcIPolicy bindKeyPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
            bindKeyPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
Define.BIND_KEY_SECRET);
            bindKeyPolicy.assignToObject(bindKey);

            // Bind key migration policy (just to avoid popup)
            TcIPolicy bindKeyMigrationPolicy = 
context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
            bindKeyMigrationPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_NONE, 
null);
            bindKeyMigrationPolicy.assignToObject(bindKey);

            //Parent key SRK
            bindKey.createKey(srk, null);


Regards.
Mudassar. 

Re: [Trustedjava-support] How to set SRK secret to TSS_WELL_KNOWN_SECRET

[Ronald T. <ron...@ia...>]

Hi,

The SRK is not automatically registered in the TSS key database, as it 
is created within the TPM upon taking ownership.

As a trick, you can repeat the taking ownership procedure with jTpmTools 
- the command will not clear the existing ownership and skip the actual 
TPM command to create a new SRK but it will in any case store the SRK in 
the persistent storage.

AFAIR tpm.msc always uses the well known secret for the SRK.

Regards,
Ronald


On 03/09/2011 12:39 PM, Mudassar Aslam wrote:
> Hi
>
> I have initialized my tpm using tpm.msc utility in windows 7. It allowed me
> to set owner password. But I could not find any way to create/set SRK. I
> tried to execute take ownership code but it says "TPM ownership command is
> disabled". I have tried to list tpm keys using
>
> context_.getRegisteredKeysByUuid(null,TcTssConstants.TSS_PS_TYPE_SYSTEM);
>
> but I get null since SRK is not registered. How can I set SRK to
> TSS_WLL_KNOWN_SECRET?
>
> Regards.
>
> Mudassar.
>
>


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at