Hi James,

On Thu, 29 Dec 2022 at 04:18, James Bottomley
<James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Thu, 2022-12-29 at 02:10 +0530, Sughosh Ganu wrote:
> [...]
> > Thanks for your reply. For reloading the sealed key, I am trying to
> > start a policy session through the tpm2_startauthsession command,
> > followed by the tpm2_policypcr command to get the same policy digest.
> > However, I am not sure how to get the session handle. As per my
> > understanding, the policyhandle is a uint32_t object. However, none
> > of the above two commands give back the session handle. I tried the
> > tpm2_getcap command with the handles-saved-session, which shows a
> > handle once I have run the tpm2_startauthsession command. However,
> > providing this value to the keyctl command as policyhandle does not
> > work. Can you please point out what I am doing wrong?
>
> I'm afraid I gave up on the Intel toolkit long ago because of the
> constantly changing command options. I can show you how to do it with
> the IBM toolkit, though:
>
> https://build.opensuse.org/package/show/security/ibmtss
>
> The main thing you have to do is connect to the TPM not through the
> resource manager so the policy session survives multiple commands
>
> export TPM_DEVICE=/dev/tpm0
>
> Then you can seal to say PCR7 which simply records the secure boot
> state:
>
> root@testdeb:~# cat /sys/class/tpm/tpm0/pcr-sha256/7
> 65CAF8DD1E0EA7A6347B635D2B379C93B9A1351EDC2AFC3ECDA700E534EB3068
>
> So you can now construct the policy exactly and ask policymaker what
> its hash is:
>
> root@testdeb:~# tsspolicymakerpcr -pr -bm 000080 -if /sys/class/tpm/tpm0/pcr-sha256/7 > tmp.policy
> root@testdeb:~# tsspolicymaker -if ~/tmp.policy -ns
> policy digest:
> 4cc48043aedaae487452bb407e8fc21d25c3a412ffc9473cf2552ddc659e97c1
>
> So now you know the policy hash, you can create a key
>
> root@testdeb:~# keyctl add trusted kmk "new 32 keyhandle=0x81000001 hash=sha256 policydigest=4cc48043aedaae487452bb407e8fc21d25c3a412ffc9473cf2552ddc659e97c1" @u
> 214245338
> keyctl pipe %trusted:kmk > key.tpm
> keyctl unlink %trusted:kmk
> 1 links removed
>
> Now you can reload it if you construct the correct policy
>
> root@testdeb:~# tssstartauthsession -se p
> Handle 03000000
> root@testdeb:~# tsspolicypcr -ha 03000000 -bm 000080
>
> Now you can check this policy register matches the hash you have above:
>
> root@testdeb:~# tsspolicygetdigest -ha 03000000
> policyDigest length 32
> 4c c4 80 43 ae da ae 48 74 52 bb 40 7e 8f c2 1d
> 25 c3 a4 12 ff c9 47 3c f2 55 2d dc 65 9e 97 c1
>
> And you can now use this policy handle as the reload policy for the
> key:
>
> root@testdeb:~# keyctl add trusted kmk "load `cat ~/key.tpm` policyhandle=0x03000000" @u
> 872397032

I am able to unseal and load the key using the tss tools that you
pointed to above. Thanks a lot for your help!

So the issue seems to be that the Intel tpm2_startauthsession tool does
not return the policy handle, which the unseal operation expects. Not
sure if I did something wrong in using the tool, but fwiw, these are
the steps that I followed.

# tpm2_startauthsession -S session.ctx --policy-session
# tpm2_policypcr -S session.ctx -l sha256:10

The tpm2_policypcr returns the same policy digest that was generated at
the time of policy creation. So that is not an issue. But
tpm2_startauthsession does not return any handle value, it just creates
the session.ctx file.

-sughosh
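The step in the thread that both toolkits have to agree on is the policy digest itself: tsspolicymakerpcr / tpm2_policypcr compute it from the PCR selection and the PCR values, and the trusted key's policydigest= must match it bit for bit or the later load with policyhandle= fails. The following is an added example, not code from the thread, from ibmtss or from tpm2-tools, that recomputes a TPM2_PolicyPCR digest offline from the TPM 2.0 Part 3 definition (policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values))), so you can check a sealed key's policy against the sysfs PCR files without opening a session on the device. It assumes a single SHA-256 bank, a 3-byte pcrSelect (what a 24-PCR bank marshals to), a fresh session whose starting policyDigest is all zeros, and the ibmtss -bm bitmap convention where bit n selects PCR n (so 000080 is PCR 7); the PCR7 value and digest embedded in main() are copied from James's reply.

```python
"""Recompute a TPM2_PolicyPCR policy digest offline (added example).

Assumptions (not taken from the thread): one SHA-256 PCR bank, sizeofSelect
of 3 bytes, and an all-zero starting policyDigest for a fresh policy session.
"""
import hashlib
import struct

TPM_CC_POLICYPCR = 0x0000017F   # command code hashed into the policy
TPM_ALG_SHA256 = 0x000B         # TPMI_ALG_HASH for the PCR bank
PCR_SELECT_BYTES = 3            # sizeofSelect for a 24-PCR bank
ZERO_POLICY = b"\x00" * 32      # policyDigest of a freshly started session


def bitmap_to_pcrs(bitmap_hex):
    """Translate an ibmtss-style '-bm 000080' bitmap into PCR indices (bit n = PCR n)."""
    bm = int(bitmap_hex, 16)
    return [i for i in range(PCR_SELECT_BYTES * 8) if (bm >> i) & 1]


def pcr_selection(pcr_indices):
    """Marshal a TPML_PCR_SELECTION with one SHA-256 bank selecting the given PCRs.

    Layout: UINT32 count, then TPMS_PCR_SELECTION = UINT16 hash, UINT8 sizeofSelect,
    BYTE pcrSelect[sizeofSelect] with PCR n at byte n//8, bit n%8.
    """
    select = bytearray(PCR_SELECT_BYTES)
    for i in pcr_indices:
        if not 0 <= i < PCR_SELECT_BYTES * 8:
            raise ValueError(f"PCR index out of range: {i}")
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, PCR_SELECT_BYTES) + bytes(select)


def parse_sysfs_pcr(text):
    """Parse the contents of /sys/class/tpm/tpm0/pcr-sha256/N (hex digits plus newline)."""
    value = bytes.fromhex(text.strip())
    if len(value) != 32:
        raise ValueError("expected a 32-byte SHA-256 PCR value")
    return value


def pcr_policy_digest(pcr_values, old_digest=ZERO_POLICY):
    """Apply TPM2_PolicyPCR to old_digest for {pcr_index: 32-byte value}.

    digestTPM is the hash of the selected PCR values concatenated in ascending
    PCR order, which is the order the TPM reads them in.
    """
    if not pcr_values:
        raise ValueError("at least one PCR must be selected")
    indices = sorted(pcr_values)
    digest_tpm = hashlib.sha256(b"".join(pcr_values[i] for i in indices)).digest()
    msg = (old_digest
           + struct.pack(">I", TPM_CC_POLICYPCR)
           + pcr_selection(indices)
           + digest_tpm)
    return hashlib.sha256(msg).digest()


def policy_matches(expected_hex, pcr_values):
    """True when the sealed key's policydigest= equals the recomputed PolicyPCR digest."""
    return bytes.fromhex(expected_hex) == pcr_policy_digest(pcr_values)


def main():
    # Values copied from the thread: PCR7 as shown by sysfs and the digest
    # tsspolicymaker printed for '-bm 000080'.
    pcr7_sysfs = "65CAF8DD1E0EA7A6347B635D2B379C93B9A1351EDC2AFC3ECDA700E534EB3068\n"
    expected = "4cc48043aedaae487452bb407e8fc21d25c3a412ffc9473cf2552ddc659e97c1"
    pcrs = {i: parse_sysfs_pcr(pcr7_sysfs) for i in bitmap_to_pcrs("000080")}
    digest = pcr_policy_digest(pcrs)
    print("selected PCRs:", sorted(pcrs))
    print("recomputed   :", digest.hex())
    print("from thread  :", expected)
    print("match        :", policy_matches(expected, pcrs))


if __name__ == "__main__":
    main()
```

If the recomputed value disagrees with what tsspolicygetdigest or tpm2_policypcr reports, the usual reasons are a different bank (the -l sha256:10 selection in the tpm2-tools steps is PCR 10, not PCR 7), a PCR value read after a further extend, or a session that already carried a non-zero policyDigest from an earlier policy command.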