[tpm2] Re: Programmatically obtaining session handle - tpm2_session_get_handle()
From: Roberts, William C @ 2021-04-14 20:03 UTC
To: tpm2

The function ESYS_TR tpm2_session_get_handle(tpm2_session *session) returns an ESYS_TR object, which is an opaque handle, so you can't use the various masks to figure out what it is.

However, you can pass that ESYS_TR to

TSS2_RC Esys_TR_GetTpmHandle(ESYS_CONTEXT *esys_context, ESYS_TR esys_handle,
                             TPM2_HANDLE *tpm_handle)

which will return the raw TPM handle you could pass to the kernel keyring.

There is a tool called tpm2_sessionconfig; I added this feature there:
https://github.com/tpm2-software/tpm2-tools/pull/2700

I asked Imran to stage it for 5.1; let's see if that's possible.

-------------------------


From: João Lima <jlima(a)cloudflare.com>
Sent: Friday, April 9, 2021 11:38 AM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] Programmatically obtaining session handle - tpm2_session_get_handle()
 
Hello folks! 

I've been trying to cobble together an implementation for a ContextLoad and ContextSave tpm2_tool, so that one can save a session context to the TPM and get the session handle for it. The reasoning is to have a way to manipulate policy validation using tpm2_tools, but then have the saved session context be converted to the TPM handle, so that it can be passed to the kernel keyring trusted keys subsystem.

It seems I have most of it working (was really a matter of just copying what's done on other commands), except for the bit where I get the session handle itself. I was expecting to get the session handle through the tpm2_session_get_handle() command, but instead I'm getting a handle on the permanent object handle space (MSO 0x40).

This is the verbose output I get for tpm2_startauthsession:

tpm2_startauthsession --policy-session -S session.dat -V
INFO on line: "403" in file: "lib/tpm2_session.c": Saved session: ESYS_TR(0x40418477)
INFO on line: "246" in file: "lib/files.c": Save TPMS_CONTEXT->savedHandle: 0x3000000

This is the verbose output for the new command (tpm2_contextload):

tpm2_contextload -S session.dat -V
INFO on line: "418" in file: "lib/files.c": Assuming tpm context file
INFO on line: "349" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x3000000
INFO on line: "306" in file: "lib/tpm2_session.c": Restored session: ESYS_TR(0x40418477) attrs(0x1)
session handle: 0x40418477

I'm calling tpm2_get_session_handle() over the tpm2_session object, expecting to get the 0x3000000 but am getting 0x40418477 instead. Here's the commit for reference: https://github.com/jopelima/tpm2-tools/commit/be3d011d86531f45cc820d244329c451e246034f

Can anyone help me get the right handle here?

Thanks in advance.

Kind regards,
João Lima  |  Infrastructure Security Engineer
jlima(a)cloudflare.com
cell: (+351) 914 907 591
 
1 888 99 FLARE  |  www.cloudflare.com
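An added example, written for this page and not taken from the thread or from tpm2-tools, of the check I would put between Esys_TR_GetTpmHandle() and the keyring. It classifies a raw TPM2_HANDLE by its most significant octet (the TPM_HT handle types from TPM 2.0 Library Part 2), which makes the confusion in the thread visible: 0x40418477 has 0x40 on top, the permanent-handle range, because it is an ESYS_TR and not a TPM handle at all, while the savedHandle 0x03000000 is a policy session. It then refuses to build the trusted-keys `policyhandle=` option (documented in the kernel's Documentation/security/keys/trusted-encrypted.rst) for anything that is not a policy session. Assumptions: the `TPM2_HANDLE` typedef stands in for the TSS2 type so the file builds without libtss2, and the two log lines are constructed from the `-V` output quoted in the thread.

```c
/*
 * Added example; not code from this thread or from tpm2-tools.
 * Sanity-checks a raw TPM2_HANDLE before it is written into the kernel
 * trusted-keys "policyhandle=" option, and shows why the ESYS_TR value
 * printed in the thread (0x40418477) must not be used as a TPM handle.
 *
 * In a real program the raw handle comes from the ESAPI call named in
 * the thread:
 *     TPM2_HANDLE h;
 *     Esys_TR_GetTpmHandle(ctx, tpm2_session_get_handle(session), &h);
 * Here the handles are pulled out of constructed log lines instead, so
 * the file compiles without libtss2 (assumption, see the lead-in).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t TPM2_HANDLE;   /* same width as the TSS2 type; stands in for it */

/* Handle types, i.e. the most significant octet of a handle (TPM 2.0 Part 2, TPM_HT). */
enum handle_type {
    HT_PCR            = 0x00,
    HT_NV_INDEX       = 0x01,
    HT_HMAC_SESSION   = 0x02,
    HT_POLICY_SESSION = 0x03,
    HT_PERMANENT      = 0x40,
    HT_TRANSIENT      = 0x80,
    HT_PERSISTENT     = 0x81
};

unsigned handle_type_of(TPM2_HANDLE h)
{
    return (unsigned)(h >> 24);
}

const char *handle_type_name(TPM2_HANDLE h)
{
    switch (handle_type_of(h)) {
    case HT_PCR:            return "pcr";
    case HT_NV_INDEX:       return "nv-index";
    case HT_HMAC_SESSION:   return "hmac-session";
    case HT_POLICY_SESSION: return "policy-session";
    case HT_PERMANENT:      return "permanent";
    case HT_TRANSIENT:      return "transient";
    case HT_PERSISTENT:     return "persistent";
    default:                return "unknown";
    }
}

/* Only a policy session makes sense as the trusted-keys policyhandle= value. */
int is_policy_session_handle(TPM2_HANDLE h)
{
    return handle_type_of(h) == HT_POLICY_SESSION;
}

/*
 * Pull the hex value that follows `marker` out of a tpm2-tools -V log line, e.g.
 * marker "savedHandle: " applied to
 *   INFO on line: "246" in file: "lib/files.c": Save TPMS_CONTEXT->savedHandle: 0x3000000
 * Returns 1 and sets *out on success, 0 if the marker or a valid hex value is missing.
 */
int parse_hex_after(const char *line, const char *marker, TPM2_HANDLE *out)
{
    const char *p = strstr(line, marker);
    if (p == NULL)
        return 0;
    p += strlen(marker);
    char *end;
    unsigned long v = strtoul(p, &end, 16);   /* accepts the "0x" prefix */
    if (end == p || v > 0xffffffffUL)
        return 0;
    *out = (TPM2_HANDLE)v;
    return 1;
}

/*
 * Render the trusted-keys option, e.g. "policyhandle=0x03000000", refusing any
 * handle that is not a policy session. Returns 0 on success, -1 otherwise.
 */
int format_policyhandle_opt(TPM2_HANDLE h, char *buf, size_t len)
{
    if (!is_policy_session_handle(h))
        return -1;
    int n = snprintf(buf, len, "policyhandle=0x%08x", (unsigned)h);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    /* Constructed input: the two values that appear in the thread's -V output. */
    const char *saved = "INFO on line: \"246\" in file: \"lib/files.c\": Save TPMS_CONTEXT->savedHandle: 0x3000000";
    const char *esys  = "INFO on line: \"403\" in file: \"lib/tpm2_session.c\": Saved session: ESYS_TR(0x40418477)";
    TPM2_HANDLE h;
    char opt[40];

    if (parse_hex_after(esys, "ESYS_TR(", &h))
        printf("0x%08x classifies as '%s': it is an ESYS_TR, not a TPM handle, reject it\n",
               (unsigned)h, handle_type_name(h));

    if (parse_hex_after(saved, "savedHandle: ", &h) && format_policyhandle_opt(h, opt, sizeof opt) == 0)
        printf("0x%08x is a %s; keyring option: %s\n", (unsigned)h, handle_type_name(h), opt);
    return 0;
}
```

One practitioner note that the thread does not cover: the kernel's trusted-keys code talks to the chip directly, so the session has to be resident in the TPM under that handle when the keyctl call runs. If the tools reach the TPM through the in-kernel resource manager (/dev/tpmrm0), the kernel context-saves that process's sessions between commands and flushes them when the device is closed, so a handle obtained that way will not resolve for the keyring; start the session against /dev/tpm0, or load the saved context immediately before use as the tpm2_contextload tool sketched in the thread does.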


[tpm2] Re: Programmatically obtaining session handle - tpm2_session_get_handle()
From: Roberts, William C @ 2021-04-14 21:58 UTC
To: tpm2

Also, if you can confirm it works as expected in a reply or on github, that would be helpful.

[tpm2] Re: Programmatically obtaining session handle - tpm2_session_get_handle()
From: João Lima @ 2021-04-15 15:37 UTC
To: tpm2

Thanks William,

The Esys_TR_GetTpmHandle() tip works, I'll proceed with the discussion on
github regarding your enhancement to tpm2_sessionconfig.

Kind regards,

João Lima  |  Infrastructure Security Engineer
jlima(a)cloudflare.com
cell: (+351) 914 907 591

1 888 99 FLARE  |  www.cloudflare.com


