
I'm trying to save a small amount of data in the TPM2 across power cycles, so that this small string is tied to one specific machine. Here is what I have working.

# put data in file that is to be sealed
echo "my sealed data" > seal.dat

# create a primary key
tpm2_createprimary -c primary.ctx

# create a child key in public and private parts
tpm2_create -C primary.ctx -u obj.pub -r obj.priv

# create a sealed object
tpm2_create -C primary.ctx -i seal.dat -u obj.pub -r obj.priv

# load the private and public portions into the TPM
tpm2_load -C primary.ctx -u obj.pub -r obj.priv -c key.ctx

# unseal the data
tpm2_unseal -c key.ctx

But after a power cycle if I enter: 'tpm2_unseal -c key.ctx' I get the following error:

WARNING:esys:src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x000001df)
ERROR: Esys_ContextLoad(0x1DF) - tpm:parameter(1):integrity check failed
ERROR: Invalid item handle authorization
ERROR: Unable to run tpm2_unseal

I am using the tpm_server (emulator) if that makes any difference.

So what is the best way to load a small string into the tpm2 and have power loss persistence?


1 Answer

Sealing an object does not store anything in the TPM's NV memory. It encrypts the data with a key that's only accessible to the TPM, but it is saved in two files on your file system -- nothing is saved in the TPM.

To store some data in the TPM's memory, you would define the memory index and then save to it, for example:

nv_test_index=0x1500016   # any handle in the NV index range (0x01000000-0x01FFFFFF); example value
tpm2_nvdefine -Q $nv_test_index -C o -s 32 -a "ownerread|policywrite|ownerwrite"
echo "please123abc" > nv.test_w
tpm2_nvwrite -Q $nv_test_index -C o -i nv.test_w

And then to read the data back:

tpm2_nvread -Q $nv_test_index -C o -s 32 -o 0

(sample code from tpm2-tools test script)

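The script below is an added example, not the answerer's sample or anything from the tpm2-tools test suite. It puts the NV define/write/read sequence from the answer into a round trip that sizes the index to the exact byte length of the string (so the read returns the string and not 32 bytes padded with zeros) and checks the handle is in the NV range before touching the TPM. It assumes tpm2-tools 5.x on PATH, an owner hierarchy with empty auth (the tpm_server emulator's default), and the example index 0x1500016 is an assumption. Two points the question's symptoms turn on: a saved object context such as key.ctx is protected with a TPM-internal key that changes on every TPM reset, which is why tpm2_unseal fails with an integrity error after a power cycle, whereas an NV index survives resets; and for the tpm_server emulator the NV contents live in its NVChip file in the directory it was started from (assumed here; check your simulator build), so it has to be restarted from that directory and given tpm2_startup -c before the index is visible again.

```shell
#!/bin/sh
# Added example (not the answerer's script): store a short string in a TPM2 NV
# index and read back exactly the bytes written. Assumes tpm2-tools 5.x and an
# owner hierarchy with empty auth; NV_INDEX is an assumed example handle.
set -eu

NV_INDEX="${NV_INDEX:-0x1500016}"

# NV index handles carry the 0x01 "most significant octet":
# 0x01000000-0x01FFFFFF. Returns 0 when the handle is in that range.
nv_index_ok() {
    idx=$(( $1 ))
    [ $(( idx >> 24 )) -eq 1 ]
}

# Byte length of a string with no trailing newline, so the index is sized to
# fit the data exactly (echo would add a newline and grow the payload by one).
data_len() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Define the index once, then write the string into it.
nv_store() {  # nv_store <string>
    nv_index_ok "$NV_INDEX" || { echo "not an NV index: $NV_INDEX" >&2; return 1; }
    len=$(data_len "$1")
    tmp=$(mktemp)
    printf '%s' "$1" > "$tmp"
    # -C o: authorize with the owner hierarchy; only owner read/write attributes
    # are granted, so no policy session is needed to read the data back.
    tpm2_nvdefine -Q "$NV_INDEX" -C o -s "$len" -a "ownerread|ownerwrite"
    tpm2_nvwrite -Q "$NV_INDEX" -C o -i "$tmp"
    rm -f "$tmp"
}

# Read exactly <byte count> bytes back to stdout.
nv_fetch() {  # nv_fetch <byte count>
    tpm2_nvread -Q "$NV_INDEX" -C o -s "$1"
}

# Only talk to the TPM when the tools are installed, so the helpers above can
# be exercised on a machine without one.
if command -v tpm2_nvdefine >/dev/null 2>&1; then
    secret="please123abc"
    nv_store "$secret"
    got=$(nv_fetch "$(data_len "$secret")")
    [ "$got" = "$secret" ] && echo "NV round-trip OK"
fi
```

Run it once to define and fill the index; after a power cycle (or a restart of tpm_server from the same directory followed by tpm2_startup -c) only nv_fetch is needed, and a second nv_store will fail at tpm2_nvdefine because the index already exists, which is the intended behaviour for a write-once machine identifier.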