
Comments (4)

chrisfenner avatar chrisfenner commented on May 19, 2024

Hi Ian,

Can you provide a link to the code, or at least

  • the full invocation of Quote with all its parameters?
  • the code or tool invocation that generates the AK and persists it to 81010002

Thanks
Chris


iolivergithub avatar iolivergithub commented on May 19, 2024

Using the tpm2_tools from https://github.com/tpm2-software/tpm2-tools (I'll create everything from scratch here), here's the EK and AK creation (the first line shows the version number):

$ tpm2_createek -v
tool="tpm2_createek" version="4.0-122-g3bd466ca" tctis="libtss2-tctildr" tcti-default=tcti-abrmd
$ tpm2_createek -c 0x81010005 -G rsa -u ek.pub
$ tpm2_getcap handles-persistent
- 0x81010005
$ tpm2_createak -C 0x81010005 -c ak.ctx -G rsa -g sha256 -s rsassa -u ak.pub -f pem -n ak.name 
loaded-key:
  name: 000b187d0d7840ff3f7af4729d04ba8aa3be8acf5fe30f6b87f05707ea4f4a3e7088
$ ls -l ak*
-rw-r--r-- 1 pi pi 1253 Jul 30 19:55 ak.ctx
-rw-r--r-- 1 pi pi   34 Jul 30 19:55 ak.name
-rw-r--r-- 1 pi pi  451 Jul 30 19:55 ak.pub
$ tpm2_evictcontrol -c ak.ctx 0x81010006
persistent-handle: 0x81010006
action: persisted
$ tpm2_getcap handles-persistent
- 0x81010005
- 0x81010006
$ tpm2_quote -c 0x81010006 -l sha256:0 -g sha256
quoted: ff54434780180022000b5ca2bb233a3f9dd07346016e1083fbef3f1531ad7f1e9ba10995289fb326f90300000000000046103bdc000000170000000001000700550011cb0000000001000b030100000020159ce676d07312874e98ef541bfb9e576929e8463313abb60cfe75d875d46ba6
signature:
  alg: rsassa
  sig: ...

Then running the Go code from above and just reiterating how I made the call to Quote:

var handle = tpmutil.Handle(0x81010006) // the AK persisted with tpm2_evictcontrol above
att, sig, err := tpm2.Quote(
	rwc,
	handle,
	"",
	"",
	nil,
	tpm2.PCRSelection{Hash: tpm2.AlgSHA256, PCRs: []int{0}},
	tpm2.AlgSHA256)

I get the following result. NB: if abrmd is running then it interferes, so that service must be stopped or killed; otherwise the call to OpenTPM fails. There are a few other fmt.Println statements in my code, as you can see from the output.

$ go run quote.go
Handle is 2164326406
Type: tpmutil.Handle
parameter 2, error code 0x12 : unsupported or incompatible scheme
Err is * parameter 2, error code 0x12 : unsupported or incompatible scheme *
length   0
Att [% x]  []


chrisfenner avatar chrisfenner commented on May 19, 2024

Thanks Ian,

I filed #201 because the Quote API is incorrectly asking for an Algorithm when instead it should take a SigScheme. Your code passes AlgSHA256 which is not a valid TPMT_SIG_SCHEME.

However, I think your issue should be resolved if you pass AlgNull to Quote, like the unit test does. This works by accident despite the error in the Quote API because AlgNull serializes to something that deserializes as a valid TPMT_SIG_SCHEME.

Passing AlgNull to Quote here tells the TPM "just use the signing scheme this key is supposed to be used with" and I think that most closely corresponds to what you want anyway. This is because you set a signing scheme ("RSASSA" aka PKCS1.5) on the AK when you created it with tpm2_createak ... -s rsassa.

go-tpm/tpm2/test/tpm2_test.go

Lines 1258 to 1279 in ac5b427

func TestQuote(t *testing.T) {
	rw := openTPM(t)
	defer rw.Close()
	params := Public{
		Type:       AlgRSA,
		NameAlg:    AlgSHA256,
		Attributes: FlagSignerDefault | FlagNoDA,
		RSAParameters: &RSAParams{
			Sign: &SigScheme{
				Alg:  AlgRSASSA,
				Hash: AlgSHA256,
			},
			KeyBits: 2048,
		},
	}
	keyHandle, pub, _, _, _, _, err := CreatePrimaryEx(rw, HandleEndorsement, pcrSelection7, emptyPassword, emptyPassword, params)
	if err != nil {
		t.Fatalf("CreatePrimaryEx failed: %s", err)
	}
	defer FlushContext(rw, keyHandle)
	attestation, signature, err := Quote(rw, keyHandle, emptyPassword, emptyPassword, nil, pcrSelection7, AlgNull)


iolivergithub avatar iolivergithub commented on May 19, 2024

Thanks, can confirm, this works:

var handle = tpmutil.Handle(0x81010006)
att, sig, err := tpm2.Quote(rwc, handle, "", "", nil, tpm2.PCRSelection{Hash: tpm2.AlgSHA256, PCRs: []int{0}}, tpm2.AlgNull)

with the result:

$ ./quote 
Handle is 2164326406
Type: tpmutil.Handle
Err is * <nil> *
length   113
Att [% x]  [255 84 67 71 128 24 0 34 0 11 92 162 187 35 58 63 157 208 115 70 1 110 16 131 251 239 63 21 49 173 127 30 155 161 9 149 40 159 179 38 249 3 0 0 0 0 0 0 70 144 26 120 0 0 0 23 0 0 0 0 1 0 7 0 85 0 17 203 0 0 0 0 1 0 11 3 1 0 0 0 32 21 156 230 118 208 115 18 135 78 152 239 84 27 251 158 87 105 41 232 70 51 19 171 182 12 254 117 216 117 212 107 166]

