On Tue, 2020-12-22 at 18:01 -0500, Ken Goldman wrote: > On 11/29/2020 5:20 PM, James Bottomley wrote: > > Note this is both and enhancement and a potential bug fix. The TPM > > 2.0 spec requires us to strip leading zeros, meaning empyty > > authorization is a zero length HMAC whereas we're currently passing > > in 20 bytes of zeros. A lot of TPMs simply accept this as OK, but > > the Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this > > patch makes the Microsoft TPM emulator work with trusted keys. > > 1 - To be precise, it strips trailing zeros, but 20 bytes of zero > results in an empty buffer either way. > > " > Part 1 19.6.4.3 Authorization Size Convention > > Trailing octets of zero are to be removed from any string before it > is used as an authValue. > " > > > 2 - If you have a test case for the MS simulator, post it and I'll > give it a try. > > I did a quick test, power cycle to set platform auth to empty, than > create primary with a parent password 20 bytes of zero, and the > SW TPM accepted it. > > This was a password session, not an HMAC session. I reported it to Microsoft as soon as I found the problem, so, since this patch set has been languishing for years, I'd hope it would be fixed by now. It is still, however, possible there still exist TPM implementations based on the unfixed Microsoft reference platform. James
