On Wed, 2023-01-11 at 17:49 +0530, Sughosh Ganu wrote:
> On Sat, 7 Jan 2023 at 04:43, William Roberts
> <bill.c.roberts@xxxxxxxxx> wrote:

[...]

> > tpm2_sessionconfig prints the raw handle for this purpose. I think
> > we added it when someone specifically needed the raw handle to
> > pass to the kernel.
>
> I tried getting the raw handle using the tpm2_sessionconfig command
> on the context file, and I did get the session handle. The session
> digest also matches the policy digest that was used at the time of
> the trusted key creation. However, when I pass the session handle
> value through the policyhandle parameter for the key loading
> operation, the unsealing fails.
>
> I run the following commands for the key load operation.
>
> # tpm2_startauthsession -S session.ctx --policy-session
> # tpm2_policypcr -S session.ctx -l sha256:10
> # tpm2_sessionconfig session.ctx <--- Running this gives me the
> session handle.
> # keyctl add trusted kmk-trusted "load `cat kmk-trusted.blob`
> keyhandle=0x81000001 hash=sha256 policyhandle=0x03000000" @u
>
> [ 217.219048] tpm tpm0: A TPM error (2328) occurred unsealing

Error 2328 is TPM_RC_REFERENCE_S0 - the 1st authorization session
handle references a session that is not loaded.

So it looks like the session is still context saved, pointing to an
error in the toolkit.

> [ 217.222214] trusted_key: key_unseal failed (-1)
> add_key: Operation not permitted
>
> After running these commands, I get the above error. I am able to get
> the key unsealing to work with the tss commands from IBM that James had
> highlighted earlier.
>
> -sughosh
>
> > > > https://github.com/tpm2-software/tpm2-tools/blob/8cbc4bbaebc4fa135e35dabd6d9ab36ac05eb72b/tools/tpm2_sessionconfig.c#L66
> >
> > Apologies for any HTML, I have no idea what Gmail on Android does,
> > I have no plaintext option. Yes there are other mail clients, and
> > yes I think they all suck :-p

The kernel lists discard email with html parts, which is why none of
the rest of us saw this except that there was a reply.

James
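The decoding step James does by hand above (2328 = 0x918 = TPM_RC_REFERENCE_S0, a format-zero warning saying authorization session 0 refers to something not loaded) is worth automating when reading trusted-key failures out of dmesg. The following is an added example written for this page, not code from the thread, the kernel or tpm2-tools: it decodes raw TPM 2.0 response codes per the bit layout in Part 2 of the TPM 2.0 Library spec, classifies the handle values used on the keyctl line (0x81000001 is a persistent object, 0x03000000 a policy session), and pulls the code out of a kernel log line of the form the thread shows. The name tables cover the common codes only; anything not listed is reported by its raw value, and the kernel log format is matched with a constructed regex that assumes the "tpm tpmN: A TPM error (N) occurred ..." wording seen above.

```python
"""Decode TPM 2.0 response codes and handles from kernel trusted-key errors.

Bit layout (TPM 2.0 Library, Part 2, TPM_RC):
  format zero (bit 7 clear): bits 0-6 error number, bit 8 V (TPM 2.0 code),
      bit 10 T (vendor-defined), bit 11 S (warning rather than error)
  format one  (bit 7 set):   bits 0-5 error number, bit 6 P (parameter),
      bits 8-11 N (1-based handle/parameter number; bit 11 set means session)
"""
import re

RC_VER1 = 0x100   # format-zero, TPM 2.0 error
RC_WARN = 0x900   # format-zero, TPM 2.0 warning

# Format-zero codes, keyed by the full 12-bit code (subset of the spec).
FMT0_NAMES = {
    RC_VER1 + 0x000: "TPM_RC_INITIALIZE", RC_VER1 + 0x001: "TPM_RC_FAILURE",
    RC_VER1 + 0x00B: "TPM_RC_PRIVATE", RC_VER1 + 0x019: "TPM_RC_HMAC",
    RC_VER1 + 0x024: "TPM_RC_AUTH_TYPE", RC_VER1 + 0x025: "TPM_RC_AUTH_MISSING",
    RC_VER1 + 0x026: "TPM_RC_POLICY", RC_VER1 + 0x027: "TPM_RC_PCR",
    RC_VER1 + 0x028: "TPM_RC_PCR_CHANGED", RC_VER1 + 0x050: "TPM_RC_BAD_CONTEXT",
    RC_WARN + 0x001: "TPM_RC_CONTEXT_GAP", RC_WARN + 0x002: "TPM_RC_OBJECT_MEMORY",
    RC_WARN + 0x003: "TPM_RC_SESSION_MEMORY", RC_WARN + 0x005: "TPM_RC_SESSION_HANDLES",
    RC_WARN + 0x006: "TPM_RC_OBJECT_HANDLES", RC_WARN + 0x008: "TPM_RC_YIELDED",
    RC_WARN + 0x021: "TPM_RC_LOCKOUT", RC_WARN + 0x022: "TPM_RC_RETRY",
}
# TPM_RC_REFERENCE_H0..H6 (0x910..0x916) and TPM_RC_REFERENCE_S0..S6 (0x918..0x91E):
# a handle (H) or authorization session (S) in the command refers to an
# object or session that is not currently loaded in the TPM.
for i in range(7):
    FMT0_NAMES[RC_WARN + 0x010 + i] = f"TPM_RC_REFERENCE_H{i}"
    FMT0_NAMES[RC_WARN + 0x018 + i] = f"TPM_RC_REFERENCE_S{i}"

# Format-one codes, keyed by the 6-bit error number (subset of the spec).
FMT1_NAMES = {
    0x01: "TPM_RC_ASYMMETRIC", 0x02: "TPM_RC_ATTRIBUTES", 0x03: "TPM_RC_HASH",
    0x04: "TPM_RC_VALUE", 0x05: "TPM_RC_HIERARCHY", 0x0B: "TPM_RC_HANDLE",
    0x0D: "TPM_RC_RANGE", 0x0E: "TPM_RC_AUTH_FAIL", 0x0F: "TPM_RC_NONCE",
    0x15: "TPM_RC_SIZE", 0x1B: "TPM_RC_SIGNATURE", 0x1C: "TPM_RC_KEY",
    0x1D: "TPM_RC_POLICY_FAIL", 0x1F: "TPM_RC_INTEGRITY", 0x22: "TPM_RC_BAD_AUTH",
    0x23: "TPM_RC_EXPIRED", 0x24: "TPM_RC_POLICY_CC",
}

# TPM_HT values: the most significant byte of a handle gives its type.
HANDLE_TYPES = {
    0x00: "PCR", 0x01: "NV index", 0x02: "HMAC session", 0x03: "policy session",
    0x40: "permanent handle", 0x80: "transient object", 0x81: "persistent object",
}


def decode_tpm_rc(rc):
    """Return a dict describing a raw TPM_RC (TSS2 layer byte, if any, is dropped)."""
    rc &= 0xFFFF  # a userspace TSS may prefix a layer in bits 16-23; the kernel does not
    if rc == 0:
        return {"code": 0, "name": "TPM_RC_SUCCESS", "format": 0,
                "warning": False, "reference": None}
    if rc & 0x080:  # format one: error tied to a specific handle/parameter/session
        errno = rc & 0x3F
        n = (rc >> 8) & 0xF
        if rc & 0x040:          # P bit: refers to a command parameter
            ref = f"parameter {n}"
        elif n & 0x8:           # TPM_RC_S: refers to an authorization session
            ref = f"session {n & 0x7}"
        else:                   # otherwise refers to a handle
            ref = f"handle {n}"
        return {"code": rc, "name": FMT1_NAMES.get(errno, f"TPM_RC_FMT1+0x{errno:02X}"),
                "format": 1, "warning": False, "reference": ref}
    code = rc & 0xFFF  # format zero: no per-handle number, just the 12-bit code
    return {"code": code, "name": FMT0_NAMES.get(code, f"TPM_RC 0x{code:03X}"),
            "format": 0, "warning": bool(code & 0x800),
            "vendor": bool(code & 0x400), "reference": None}


def decode_handle(handle):
    """Classify a 32-bit TPM handle such as the keyhandle/policyhandle values above."""
    return HANDLE_TYPES.get((handle >> 24) & 0xFF, f"unknown handle type 0x{handle >> 24:02X}")


# Constructed regex for the kernel wording "tpm tpm0: A TPM error (2328) occurred unsealing".
KERNEL_TPM_ERROR = re.compile(r"tpm tpm\d+: A TPM error \((\d+)\) occurred (\w+)")


def parse_kernel_tpm_error(line):
    """Decode the response code in a kernel TPM error line; None if the line is not one."""
    m = KERNEL_TPM_ERROR.search(line)
    if not m:
        return None
    info = decode_tpm_rc(int(m.group(1)))
    info["operation"] = m.group(2)
    return info


if __name__ == "__main__":
    # The dmesg line quoted in the thread.
    print(parse_kernel_tpm_error("[ 217.219048] tpm tpm0: A TPM error (2328) occurred unsealing"))
    for h in (0x81000001, 0x03000000):
        print(f"0x{h:08X}: {decode_handle(h)}")
```

Running it on the quoted line reports TPM_RC_REFERENCE_S0 as a warning with no handle number attached (format-zero codes carry none; the "S0" in the name itself identifies the first authorization session), which is exactly the pattern to expect when a policy session was context-saved by the tool that created it and the kernel then names that saved handle in TPM2_Unseal. A format-one code such as 0x98E would instead decode to TPM_RC_AUTH_FAIL on session 1, i.e. the session was loaded but its policy digest did not match.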