On 11/29/2020 5:20 PM, James Bottomley wrote:
> Note this is both an enhancement and a potential bug fix. The TPM 2.0 spec requires us to strip leading zeros, meaning empty authorization is a zero length HMAC whereas we're currently passing in 20 bytes of zeros. A lot of TPMs simply accept this as OK, but the Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this patch makes the Microsoft TPM emulator work with trusted keys.
1 - To be precise, it strips trailing zeros, but 20 bytes of zero results in an empty buffer either way.

"Part 1 19.6.4.3 Authorization Size Convention: Trailing octets of zero are to be removed from any string before it is used as an authValue."

2 - If you have a test case for the MS simulator, post it and I'll give it a try. I did a quick test, power cycle to set platform auth to empty, then create primary with a parent password of 20 bytes of zero, and the SW TPM accepted it. This was a password session, not an HMAC session.
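As an added illustration of the convention quoted in point 1 (example code written for this page, not part of the thread or of the kernel patch under discussion): a Python routine that applies the trailing-zero rule from Part 1 19.6.4.3 and serializes a password-session TPMS_AUTH_COMMAND, showing that 20 bytes of zero and an empty authValue yield the identical authorization area once normalized, while the un-normalized 20-byte form differs on the wire. Field layout follows TPM 2.0 Part 2 (TPM_RS_PW = 0x40000009, TPM2B size-prefixed buffers); the `authorizationSize` prefix is the UINT32 that precedes the session area in a command.

```python
import struct

TPM_RS_PW = 0x40000009  # TPM 2.0 Part 2: handle of the password authorization session


def strip_trailing_zeros(auth: bytes) -> bytes:
    """Part 1 19.6.4.3: trailing octets of zero are removed before use as an authValue."""
    return auth.rstrip(b"\x00")


def build_password_auth_area(password: bytes, normalize: bool = True) -> bytes:
    """Serialize authorizationSize || TPMS_AUTH_COMMAND for one password session.

    TPMS_AUTH_COMMAND = sessionHandle (UINT32) || nonce (TPM2B) ||
                        sessionAttributes (UINT8) || hmac (TPM2B).
    For a password session the 'hmac' field carries the password itself.
    normalize=False reproduces sending the raw, un-stripped password.
    """
    hmac_field = strip_trailing_zeros(password) if normalize else password
    nonce = b""          # password sessions carry an empty nonce
    session_attrs = 0    # no continueSession etc. for this illustration
    body = (
        struct.pack(">I", TPM_RS_PW)
        + struct.pack(">H", len(nonce)) + nonce
        + struct.pack(">B", session_attrs)
        + struct.pack(">H", len(hmac_field)) + hmac_field
    )
    return struct.pack(">I", len(body)) + body


def parse_hmac_field(auth_area: bytes) -> bytes:
    """Extract the hmac/password buffer back out of a serialized auth area (sanity check)."""
    (auth_size,) = struct.unpack_from(">I", auth_area, 0)
    off = 4
    handle, nonce_len = struct.unpack_from(">IH", auth_area, off)
    off += 6 + nonce_len
    off += 1  # sessionAttributes
    (hmac_len,) = struct.unpack_from(">H", auth_area, off)
    off += 2
    assert off + hmac_len == 4 + auth_size, "authorizationSize does not match body"
    return auth_area[off:off + hmac_len]


if __name__ == "__main__":
    twenty_zeros = b"\x00" * 20  # constructed sample: the value the kernel was passing
    print("raw 20 zero bytes :", build_password_auth_area(twenty_zeros, normalize=False).hex())
    print("stripped per spec  :", build_password_auth_area(twenty_zeros).hex())
    print("empty authValue    :", build_password_auth_area(b"").hex())
```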