User Activity

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    Hi all, I was wondering if the encrypted sessions are related to avoiding the sniffing of bus communications between the CPU and the TPM. I was thinking about how to protect against a key being read if the key is transmitted in plain text on the LPC or SPI bus. Could the encrypted sessions help? Thanks! Jorge

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    Hi Ken, is it possible to run the different tools on a read-only filesystem? I'm using a real device, but some commands like 'startauthsession' try to create a .bin file in the current directory. I've traced the code to the TSS_File_Open function in tssfile.c. Is it possible to avoid these kinds of actions? Or maybe there is an argument to set a working directory to force all files to be created there? I know I can change to /tmp/ before running anything, but I don't know if it is possible to avoid any write at all....

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    Hi Ken! Thanks for your answers! You're right, I'll do the development using the SW TPM! I'm not defining nvdefinespace twice, it was the two options 4.1 or 4.2. I'm just testing and I don't know which fits better. Following your suggestion 4, I've been able to restart the session with policyrestart and policypcr. Regarding your suggestion 5, how do I specify an owner policy? Regarding your suggestion 6, could you be so kind as to specify the command needed to do it? Thanks again! Jorge

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    Hi all! I've followed the steps from the other post with no luck. I'm only using PCR16 to seal the NV index. I'm using a real device (/dev/tpm0) and encrypted sessions.

      export TPM_ENCRYPT_SESSIONS=1
      export TPM_SESSION_ENCKEY=$(${PREFIX}getrandom -by 16 -ns)

    1) Set the PCR16 initial value and generate the policy files.

      ${PREFIX}pcrreset -ha 16
      ${PREFIX}pcrextend -halg sha256 -ha 16 -if ${PREFIX}policies/aaa
      ${PREFIX}pcrread -ha 16 -ns > pcrs
      ${PREFIX}policymakerpcr -bm 10000 -if pcrs -of pcrs_pol
      ${PREFIX}policymaker...

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    How do you solve this issue? Thanks!

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    Oops, I've found a similar post in this forum... https://sourceforge.net/p/ibmtpm20tss/discussion/general/thread/b3ac57dd/ Is there any test in the software to test this? Sorry for the noise

  • Posted a comment on discussion General Discussion on IBM's TPM 2.0 TSS

    Hi, I would like to know if it is possible to define in TPM2 something related to an NV area that is only readable when some PCRs have the correct value. In TPM1.2 I did:

      tpm_nvdefine -i 1 -o <pass1> -a <pass2> -s 1024 -r 0 -r 1 -r 2 -r 3 -r 4 -r 5 -r 6 -r 7 -r 8 -r 9 -r 10 -r 11 -r 12 -r 13 -p AUTHWRITE

    to define an NV area of 1367 bytes sealed to PCRs 0 to 13. Then to write I did:

      tpm_nvwrite -i 1 -p<pass2> -n 0 -s 1024 -f /tmp/sealed_key1

    and to read:

      tpm_nvread -i 1 -n 0 -s 1024 -f <fileout>

    How can I do...


Personal Data

Username: jorgefm99
Joined: 2018-07-26 06:08:35

Projects

  • No projects to display.
