Subject: Using TPM2_LoadExternal() for loading an HMAC key into the TPM?
From: Lennart Poettering @ 2024-04-16 13:05 UTC
To: tpm2
Hi!
I was wondering if anyone has an idea how precisely to set up a pair
of TPM2B_PUBLIC and TPM2B_SENSITIVE structures for loading an
HMAC-SHA256 key into the TPM via TPM2_LoadExternal()?
I am currently setting things up more or less like this:
    TPM2B_PUBLIC auth_hmac_public = {
        .size = sizeof(TPMT_PUBLIC),
        .publicArea = {
            .type = TPM2_ALG_KEYEDHASH,
            .nameAlg = TPM2_ALG_SHA256,
            .objectAttributes = TPMA_OBJECT_DECRYPT | TPMA_OBJECT_SIGN_ENCRYPT /* | TPMA_OBJECT_USERWITHAUTH */,
            .parameters.keyedHashDetail.scheme.scheme = TPM2_ALG_SHA256,
            .unique.keyedHash.size = buffer.size,
        },
    };

    TPM2B_SENSITIVE auth_hmac_private = {
        .size = sizeof(TPMT_SENSITIVE),
        .sensitiveArea = {
            .sensitiveType = TPM2_ALG_KEYEDHASH,
            .sensitive.sym.size = buffer.size,
        },
    };

    memcpy(auth_hmac_private.sensitiveArea.sensitive.sym.buffer, buffer.buffer, buffer.size);
And then use TPM2_LoadExternal() with this, for the NULL hierarchy.
tpm2-tss responds with these errors:
    ERROR:esys:src/tss2-esys/api/Esys_LoadExternal.c:184:Esys_LoadExternal_Async() SAPI Prepare returned error. ErrorCode (0x0009000b)
    ERROR:esys:src/tss2-esys/api/Esys_LoadExternal.c:85:Esys_LoadExternal() Error in async function ErrorCode (0x0009000b)
But, uh, what am I supposed to make of this?
I figure it's not even the TPM that refuses this, but it's tpm2-tss
already?
Does anyone have an idea?
(Background: I am trying to protect an nvindex that I want to use with
TPM2_AuthorizeNV, with a TPM2_PolicySigned access policy. I want to
use an HMAC key for the signature scheme. If you want to know even
more, see → https://github.com/systemd/systemd/pull/31790. The above
is more or less a copy of the topmost commit of that.)
Any help appreciated!
Lennart
Subject: Re: Using TPM2_LoadExternal() for loading an HMAC key into the TPM?
From: Juergen Repp @ 2024-04-16 14:23 UTC
To: Lennart Poettering, tpm2
Hello,
the error is caused by:
    .parameters.keyedHashDetail.scheme.scheme = TPM2_ALG_SHA256,
TPM2_ALG_HMAC, TPM2_ALG_XOR, and TPM2_ALG_NULL are the possible selectors for TPMU_SCHEME_KEYEDHASH.
The hash alg has to be set with:
    .parameters.keyedHashDetail.scheme.details.hmac.hashAlg = TPM2_ALG_SHA256,
Unfortunately, the error message for this error is only displayed if the debug log level is activated.
Juergen
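As an added example (not code from the thread or from tpm2-tss), the following marshals the keyedHash branch of TPMT_PUBLIC in the byte order the TPM expects, using a flattened stand-in struct and the algorithm constants from the tss2 headers: with the selector set to TPM2_ALG_SHA256 as in the question, no union member can be chosen and the marshaller returns TSS2_MU_RC_BAD_VALUE (0x0009000B, the code in the ERROR lines above), while TPM2_ALG_HMAC with details.hmac.hashAlg = TPM2_ALG_SHA256 serialises cleanly. The struct and helper names are assumptions made for this example; the unique field is left empty.

```c
#include <stddef.h>
#include <stdint.h>
/* Constants as in tss2/tss2_tpm2_types.h and tss2/tss2_common.h */
#define TPM2_ALG_HMAC            0x0005
#define TPM2_ALG_KEYEDHASH       0x0008
#define TPM2_ALG_XOR             0x000A
#define TPM2_ALG_SHA256          0x000B
#define TPM2_ALG_NULL            0x0010
#define TPMA_OBJECT_DECRYPT      0x00020000
#define TPMA_OBJECT_SIGN_ENCRYPT 0x00040000
#define TSS2_RC_SUCCESS          0x00000000
#define TSS2_MU_RC_BAD_VALUE     0x0009000B  /* MU (marshalling) layer | BAD_VALUE */
/* Stand-in for the keyedHash branch of TPMT_PUBLIC, flattened (assumption: not the
 * real tss2 union); unique.keyedHash is left empty in this example. */
struct keyedhash_public {
    uint16_t type, nameAlg;
    uint32_t objectAttributes;
    uint16_t scheme;   /* TPMU_SCHEME_KEYEDHASH selector: HMAC, XOR or NULL */
    uint16_t hashAlg;  /* details.hmac.hashAlg (or details.exclusiveOr.hashAlg) */
    uint16_t kdf;      /* details.exclusiveOr.kdf, XOR scheme only */
};

static size_t put16(uint8_t *b, uint16_t v) { b[0] = v >> 8; b[1] = v & 0xFF; return 2; }
static size_t put32(uint8_t *b, uint32_t v) { put16(b, v >> 16); return 2 + put16(b + 2, v & 0xFFFF); }
/* Big-endian marshalling in TPM field order. The scheme selector decides which union
 * member follows, so an unknown selector fails here, before any command reaches the TPM. */
uint32_t marshal_keyedhash_public(const struct keyedhash_public *p, uint8_t *out, size_t *len) {
    size_t n = 0;
    n += put16(out + n, p->type);
    n += put16(out + n, p->nameAlg);
    n += put32(out + n, p->objectAttributes);
    n += put16(out + n, 0);                   /* authPolicy: empty TPM2B_DIGEST */
    n += put16(out + n, p->scheme);
    switch (p->scheme) {
    case TPM2_ALG_HMAC: n += put16(out + n, p->hashAlg); break;
    case TPM2_ALG_XOR:  n += put16(out + n, p->hashAlg); n += put16(out + n, p->kdf); break;
    case TPM2_ALG_NULL: break;
    default:            return TSS2_MU_RC_BAD_VALUE;  /* e.g. TPM2_ALG_SHA256 as selector */
    }
    n += put16(out + n, 0);                   /* unique.keyedHash: empty TPM2B_DIGEST */
    *len = n;
    return TSS2_RC_SUCCESS;
}
/* (TPM2_ALG_SHA256, 0) is the posted initializer; (TPM2_ALG_HMAC, TPM2_ALG_SHA256) the fix. */
uint32_t try_scheme(uint16_t scheme, uint16_t hashAlg, uint8_t *out, size_t *len) {
    struct keyedhash_public pub = {
        .type = TPM2_ALG_KEYEDHASH, .nameAlg = TPM2_ALG_SHA256,
        .objectAttributes = TPMA_OBJECT_DECRYPT | TPMA_OBJECT_SIGN_ENCRYPT,
        .scheme = scheme, .hashAlg = hashAlg };
    return marshal_keyedhash_public(&pub, out, len);
}
```

The same selector check is what the tpm2-tss marshalling layer performs, so validating the scheme before calling Esys_LoadExternal() turns the silent 0x0009000B into an obvious misconfiguration.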