hi Bill,

On Sat, 7 Jan 2023 at 04:43, William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
>
>
> On Fri, Jan 6, 2023, 17:07 James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> On Fri, 2023-01-06 at 16:23 -0600, William Roberts wrote:
>> > On Fri, Jan 6, 2023, 15:55 Ken Goldman <kgold@xxxxxxxxxxxxx> wrote:
>> > >
>> > > On 12/28/2022 5:48 PM, James Bottomley wrote:
>> > > > The main thing you have to do is connect to the TPM not through
>> > > > the resource manager so the policy session survives multiple
>> > > > commands
>> > > >
>> > > > export TPM_DEVICE=/dev/tpm0
>> > >
>> > > Just FYI, as James says, command line utilities interact with the
>> > > resource manager. When I want to run command line programs through
>> > > the resource manager, I use a proxy to keep the /dev/tpmrm0 session
>> > > connected.
>> > >
>> > > https://github.com/kgoldman/ibmtss/blob/master/utils/tpmproxy.c
>> > > holds an open source proxy.
>> > >
>> >
>> > If you need to do this in production that tpmproxy allows anyone to
>> > connect to it. So while it's open it would circumvent the permissions
>> > on /dev/tpmrm0. You can just use tpm2-tools, which uses contexts and
>> > avoids this problem.
>>
>> The specific issue with this is that using contexts, no-one could
>> figure out a way to pass the session into the kernel:
>>
>> https://lore.kernel.org/linux-integrity/CADg8p94kTNkoByjLhEij3KkigLxhwU8PxnO82cRaO0Ejh7T3Zg@xxxxxxxxxxxxxx/
>>
>> How should this be done?
>
>
> tpm2_sessionconfig prints the raw handle for this purpose. I think we
> added it when someone specifically needed the raw handle to pass to the
> kernel.

I tried getting the raw handle using the tpm2_sessionconfig command on the
context file, and I did get the session handle. The session digest also
matches the policy digest that was used at the time of the trusted key
creation.

However, when I pass the session handle value through the policyhandle
parameter for the key loading operation, the unsealing fails. I run the
following commands for the key load operation.

# tpm2_startauthsession -S session.ctx --policy-session
# tpm2_policypcr -S session.ctx -l sha256:10
# tpm2_sessionconfig session.ctx  <--- Running this gives me the session handle.
# keyctl add trusted kmk-trusted "load `cat kmk-trusted.blob` keyhandle=0x81000001 hash=sha256 policyhandle=0x03000000" @u
[  217.219048] tpm tpm0: A TPM error (2328) occurred unsealing
[  217.222214] trusted_key: key_unseal failed (-1)
add_key: Operation not permitted

After running these commands, I get the above error. I am able to get the
key unsealing to work with the tss commands from IBM that James had
highlighted earlier.

-sughosh

>
> https://github.com/tpm2-software/tpm2-tools/blob/8cbc4bbaebc4fa135e35dabd6d9ab36ac05eb72b/tools/tpm2_sessionconfig.c#L66
>
> Apologies for any HTML, I have no idea what Gmail on Android does, I
> have no plaintext option. Yes there are other mail clients, and yes I
> think they all suck :-p
>>
>>
>> James
>>
>>
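The kernel only reports the raw TPM response code ("A TPM error (2328) occurred unsealing"), which is hard to act on without decoding it. The following is an added example, not code from this thread, tpm2-tools or the kernel: it parses the dmesg line, decodes the TPM 2.0 return code using the TPM_RC layout from the TCG Library spec (Part 2; only a subset of code names is included), and sanity-checks the handle types passed to `keyctl` using the TPM_HT handle-type prefixes. The dmesg line is the one quoted above; the function and variable names are my own.

```python
import re

# TPM_RC layout (TCG TPM 2.0 Library, Part 2).  Format-0 codes are a flat 12-bit
# value; format-1 codes carry the failing handle/session/parameter number in bits 8-11.
RC_VER1 = 0x100   # bit 8:  TPM 2.0 format-0 code
RC_FMT1 = 0x080   # bit 7:  format-1 code
RC_WARN = 0x800   # bit 11: warning (format 0) / "number is a session" (format 1)
RC_P    = 0x040   # bit 6:  format 1, number refers to a parameter

# Subset of format-0 names (full 12-bit value).
_FMT0 = {
    0x101: "TPM_RC_FAILURE", 0x119: "TPM_RC_HMAC", 0x120: "TPM_RC_DISABLED",
    0x125: "TPM_RC_AUTH_MISSING", 0x126: "TPM_RC_POLICY", 0x127: "TPM_RC_PCR",
    0x128: "TPM_RC_PCR_CHANGED", 0x150: "TPM_RC_BAD_CONTEXT",
    0x901: "TPM_RC_CONTEXT_GAP", 0x903: "TPM_RC_SESSION_MEMORY",
    0x905: "TPM_RC_SESSION_HANDLES", 0x921: "TPM_RC_LOCKOUT", 0x922: "TPM_RC_RETRY",
}
# TPM_RC_REFERENCE_H0..H6 (0x910..0x916): handle N refers to an object/session
# that is not loaded.  TPM_RC_REFERENCE_S0..S6 (0x918..0x91E): authorization
# session N refers to a session that is not loaded.
for _i in range(7):
    _FMT0[0x910 + _i] = f"TPM_RC_REFERENCE_H{_i}"
    _FMT0[0x918 + _i] = f"TPM_RC_REFERENCE_S{_i}"

# Subset of format-1 names (RC_FMT1 | low 6 bits).
_FMT1 = {
    0x084: "TPM_RC_VALUE", 0x08B: "TPM_RC_HANDLE", 0x08E: "TPM_RC_AUTH_FAIL",
    0x09D: "TPM_RC_POLICY_FAIL", 0x09F: "TPM_RC_INTEGRITY", 0x0A2: "TPM_RC_BAD_AUTH",
}

def decode_rc(rc):
    """Return {'name', 'class', 'slot'} for a TPM_RC; slot is (kind, number) for format 1."""
    rc &= 0xFFF
    if rc & RC_FMT1:
        name = _FMT1.get(RC_FMT1 | (rc & 0x3F), "TPM_RC_<unknown format-1 code>")
        if rc & RC_P:
            slot = ("parameter", (rc >> 8) & 0xF)
        elif rc & RC_WARN:
            slot = ("session", (rc >> 8) & 0x7)
        else:
            slot = ("handle", (rc >> 8) & 0x7)
        return {"name": name, "class": "error", "slot": slot}
    if rc & RC_VER1:
        cls = "warning" if rc & RC_WARN else "error"
        return {"name": _FMT0.get(rc, "TPM_RC_<unknown format-0 code>"), "class": cls, "slot": None}
    return {"name": "TPM_RC_SUCCESS" if rc == 0 else "TPM_RC_<TPM 1.2-style code>",
            "class": "other", "slot": None}

def explain(rc):
    """One-line meaning for the REFERENCE_* family; the name alone for everything else."""
    d = decode_rc(rc)
    m = re.fullmatch(r"TPM_RC_REFERENCE_([HS])(\d)", d["name"])
    if m:
        what = "handle" if m.group(1) == "H" else "authorization session"
        return f"{d['name']}: {what} #{int(m.group(2)) + 1} references a session/object that is not loaded"
    return d["name"]

# Kernel log line as printed by drivers/char/tpm (format as quoted in the thread).
_DMESG_RE = re.compile(r"A TPM error \((\d+)\) occurred")

def parse_kernel_tpm_error(line):
    """Extract the decimal TPM_RC from a 'tpm tpm0: A TPM error (N) occurred ...' line."""
    m = _DMESG_RE.search(line)
    return int(m.group(1)) if m else None

# TPM_HT: the top byte of a handle tells you what kind of handle it is.
_HT = {0x00: "PCR", 0x01: "NV index", 0x02: "HMAC session", 0x03: "policy session",
       0x40: "permanent", 0x80: "transient object", 0x81: "persistent object"}

def handle_type(handle):
    return _HT.get((handle >> 24) & 0xFF, "unknown")

def check_keyctl_args(keyhandle, policyhandle):
    """Sanity checks on keyhandle=/policyhandle= values given to keyctl; returns a list of problems."""
    problems = []
    if handle_type(keyhandle) not in ("persistent object", "transient object"):
        problems.append(f"keyhandle {keyhandle:#010x} is a {handle_type(keyhandle)} handle, not a key")
    if handle_type(policyhandle) != "policy session":
        problems.append(f"policyhandle {policyhandle:#010x} is a {handle_type(policyhandle)} handle, not a policy session")
    return problems

if __name__ == "__main__":
    line = "[  217.219048] tpm tpm0: A TPM error (2328) occurred unsealing"  # quoted from the thread
    rc = parse_kernel_tpm_error(line)
    print(f"{rc} = {rc:#05x} -> {explain(rc)}")
    print(check_keyctl_args(0x81000001, 0x03000000) or "handle types look right")
```

Running it on the quoted dmesg line prints `2328 = 0x918 -> TPM_RC_REFERENCE_S0: authorization session #1 references a session/object that is not loaded`, i.e. a warning-class code saying that, at the moment the kernel issued TPM2_Unseal, the TPM had no session loaded at the handle passed as `policyhandle` (the handle types themselves, 0x81 persistent and 0x03 policy session, are the right kinds). That is the check to run first whenever a trusted-key unseal fails after a session was created through tpm2-tools.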