On Wed, Dec 23, 2020 at 11:58:17AM -0800, James Bottomley wrote:
> On Tue, 2020-12-22 at 18:01 -0500, Ken Goldman wrote:
> > On 11/29/2020 5:20 PM, James Bottomley wrote:
> > > Note this is both an enhancement and a potential bug fix. The TPM
> > > 2.0 spec requires us to strip leading zeros, meaning empty
> > > authorization is a zero length HMAC whereas we're currently passing
> > > in 20 bytes of zeros. A lot of TPMs simply accept this as OK, but
> > > the Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this
> > > patch makes the Microsoft TPM emulator work with trusted keys.
> >
> > 1 - To be precise, it strips trailing zeros, but 20 bytes of zero
> > results in an empty buffer either way.
> >
> > "
> > Part 1 19.6.4.3 Authorization Size Convention
> >
> > Trailing octets of zero are to be removed from any string before it
> > is used as an authValue.
> > "
> >
> >
> > 2 - If you have a test case for the MS simulator, post it and I'll
> > give it a try.
> >
> > I did a quick test, power cycle to set platform auth to empty, then
> > create primary with a parent password 20 bytes of zero, and the
> > SW TPM accepted it.
> >
> > This was a password session, not an HMAC session.
>
> I reported it to Microsoft as soon as I found the problem, so, since
> this patch set has been languishing for years, I'd hope it would be
> fixed by now. It is still, however, possible there still exist TPM
> implementations based on the unfixed Microsoft reference platform.
>
> James

One year :-) A bit over but by all practical means... [*]

BTW, can you use my kernel org address for v15?

[*] https://lore.kernel.org/linux-integrity/1575781600.14069.8.camel@xxxxxxxxxxxxxxxxxxxxx/

/Jarkko
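
The size convention discussed in this thread, as an added C example that is not part of the original messages or of the kernel patch: it trims trailing zero octets from an authValue and serializes a password-session authorization (TPMS_AUTH_COMMAND), so 20 zero bytes end up as a zero-length field. The function names and the sample buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPM_RS_PW 0x40000009u /* password authorization session handle */

/* Constructed sample: the 20 zero bytes the thread says were being sent. */
static const uint8_t zero_auth[20] = {0};

/* Part 1, 19.6.4.3: trailing zero octets are removed from an authValue. */
size_t auth_trimmed_len(const uint8_t *auth, size_t len)
{
	while (len > 0 && auth[len - 1] == 0)
		len--;
	return len;
}

/*
 * Serialize a password-session TPMS_AUTH_COMMAND, big-endian:
 * sessionHandle(4) | nonce size(2)=0 | sessionAttributes(1)=0 | hmac size(2) | hmac
 * In a password session the hmac field carries the authValue itself.
 * Returns bytes written, or 0 if it does not fit. (Hypothetical helper.)
 */
size_t build_pw_auth(uint8_t *out, size_t cap, const uint8_t *auth,
		     size_t len, int trim)
{
	if (trim)
		len = auth_trimmed_len(auth, len);
	if (len > UINT16_MAX || cap < 9 + len)
		return 0;
	out[0] = TPM_RS_PW >> 24; out[1] = (TPM_RS_PW >> 16) & 0xff;
	out[2] = (TPM_RS_PW >> 8) & 0xff; out[3] = TPM_RS_PW & 0xff;
	out[4] = out[5] = 0;		/* empty nonce */
	out[6] = 0;			/* no session attributes */
	out[7] = len >> 8; out[8] = len & 0xff;
	memcpy(out + 9, auth, len);	/* interior zeros are preserved */
	return 9 + len;
}

int main(void)
{
	uint8_t buf[64];

	printf("untrimmed: %zu bytes\n", build_pw_auth(buf, sizeof(buf), zero_auth, 20, 0));
	printf("trimmed:   %zu bytes\n", build_pw_auth(buf, sizeof(buf), zero_auth, 20, 1));
	return 0;
}
```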