
I simply want to store one 32-byte symmetric key persistently in the NV storage of the TPM and, after a power cycle, use it (without getting it out of the TPM) to encrypt small amounts of data.

I've tried to do that in two different ways:

1)

  • Create the key with TPM's random bytes generator
  • Define space in NV and write the key in it
  • Problem: I know how to read it, but how can I load it so I can use it inside the TPM?

2)

  • Create an AES key with the TPM2_Create command
  • Make it persistent with the TPM2_EvictControl command
  • Within the same power cycle, I have its handle and I can load it and use it
  • Problem: similar to before, how do I load it and use it after the next power cycle?

I scanned the TCG specs and even read this free practical guide to TPM 2.0, and haven't found any clues to my problems.

What am I missing?

Alex

1 Answer


TPM2_EncryptDecrypt is meant to be used with symmetric keys. Pass the key handle you obtained with TPM2_EvictControl as the `keyHandle` parameter, and set the `decrypt` parameter appropriately. Set `mode` to TPM_ALG_NULL so the default mode is used.

Keep in mind that it's not practical to use the TPM for encrypting large amounts of data (what symmetric keys are typically used for).

mnistic
  • It works when I do it in the same run; on the next power cycle I need only the NV storage address and the extras, if added (user auth, policy, etc.). Am I correct? – Alex Dec 26 '19 at 15:13
  • No, you just use the key by its handle if your evict control was successful. You will need to satisfy a policy if you attached one to the key, and provide auth if needed. – mnistic Dec 26 '19 at 15:15
  • OK, so for example if I have only auth: create the handle with `TPM_HANDLE persistentHandle = TPM_HANDLE::PersistentHandle(addr)`, then set the auth with `persistentHandle.SetAuth(password)`, and then use the handle? PS: I use Microsoft TSS. – Alex Dec 26 '19 at 15:30
  • What is `addr`? There shouldn't be any address involved... make the handle persistent like here: https://github.com/microsoft/TSS.MSR/blob/98a7d56ba81c48d33086db84d7b6bc7b9474e8fc/TSS.CPP/Samples/Samples.cpp#L883 – mnistic Dec 26 '19 at 17:26
  • I meant handle offset, my mistake. Thank you for your help – Alex Dec 29 '19 at 08:18
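The flow the answer describes (persist the key once, then address it by its handle alone, plus auth, on every later boot), written out as an added example in tpm2-tools rather than the TSS.MSR C++ the asker uses. This is not code from the original post or from either project. It assumes tpm2-tools 4.x/5.x flag names (check `man tpm2_create` and `man tpm2_encryptdecrypt` for your installed version), an empty owner-hierarchy auth, and an arbitrary persistent handle (0x81000002) and key-auth string chosen as placeholders. The `handle_type` helper is pure shell and encodes the TPM_HT_* handle-type prefixes from Part 2 of the TPM 2.0 Library specification; it makes the distinction the comment thread trips over explicit: an NV index (0x01xxxxxx) is data you read back, a persistent handle (0x81xxxxxx) is an object the TPM can use in place, and there is no "address" or "offset" involved.

```sh
#!/bin/sh
# Added example, not from the original post. Persist an AES key in the TPM
# once, then use it by handle alone after a power cycle (tpm2-tools syntax).
# Assumptions: tpm2-tools 4.x/5.x flag names, empty owner auth (-C o), and
# an arbitrary persistent handle and key auth chosen for illustration.

PERSISTENT_HANDLE=0x81000002          # placeholder; any free 0x81xxxxxx handle
KEY_AUTH="example-key-auth"           # placeholder; use a real secret

# Classify a handle by its most significant byte (TPM_HT_* constants,
# TPM 2.0 Library Part 2). An NV index (0x01...) is storage you read back;
# a persistent handle (0x81...) is an object the TPM can use in place.
handle_type() {
    case "$1" in
        0x01??????) echo nv_index ;;
        0x02??????) echo hmac_session ;;
        0x03??????) echo policy_session ;;
        0x40??????) echo permanent ;;
        0x80??????) echo transient ;;
        0x81??????) echo persistent ;;
        *)          echo unknown ;;
    esac
}

# One-time provisioning: primary key under the owner hierarchy, AES-256
# CFB child with an auth value, load it, make it persistent. The context
# and key files are disposable afterwards; only the handle matters.
provision_key() {
    if [ "$(handle_type "$PERSISTENT_HANDLE")" != persistent ]; then
        echo "$PERSISTENT_HANDLE is not in the persistent handle range" >&2
        return 1
    fi
    tpm2_createprimary -C o -G ecc -g sha256 -c primary.ctx
    tpm2_create -C primary.ctx -G aes256cfb -p "$KEY_AUTH" -u aes.pub -r aes.priv
    tpm2_load -C primary.ctx -u aes.pub -r aes.priv -c aes.ctx
    tpm2_evictcontrol -C o -c aes.ctx "$PERSISTENT_HANDLE"
    rm -f primary.ctx aes.pub aes.priv aes.ctx
}

# After any number of reboots: no tpm2_load, just the handle plus the auth
# value (or a policy session, if the key was created with a policy).
# CFB needs an IV; tpm2-tools fall back to an all-zero IV when none is
# given, which repeats the keystream for a reused key, so draw a fresh
# 16-byte IV from the TPM's RNG for every message and store it with the
# ciphertext.
encrypt_file() {   # $1 plaintext in, $2 ciphertext out, $3 IV out
    tpm2_getrandom 16 -o "$3"
    tpm2_encryptdecrypt -c "$PERSISTENT_HANDLE" -p "$KEY_AUTH" -t "$3" -o "$2" "$1"
}

decrypt_file() {   # $1 ciphertext in, $2 plaintext out, $3 IV used on encrypt
    tpm2_encryptdecrypt -d -c "$PERSISTENT_HANDLE" -p "$KEY_AUTH" -t "$3" -o "$2" "$1"
}

# Evicting the persistent object is the same command without a new handle.
remove_key() {
    tpm2_evictcontrol -C o -c "$PERSISTENT_HANDLE"
}

# TPM commands only run when a subcommand is given, so the file can be
# sourced or syntax-checked on a machine without a TPM.
case "${1-}" in
    provision) provision_key ;;
    encrypt)   encrypt_file "$2" "$3" "$4" ;;
    decrypt)   decrypt_file "$2" "$3" "$4" ;;
    remove)    remove_key ;;
esac
```

Run `sh tpm-aes.sh provision` once (against a real TPM or a simulator reachable through your TCTI), then after a reboot `sh tpm-aes.sh encrypt msg.bin msg.enc msg.iv` and `sh tpm-aes.sh decrypt msg.enc msg.dec msg.iv`; the key never leaves the TPM, so the ciphertext and IV can be stored anywhere. Feed the TPM whole 16-byte blocks (a 32-byte secret is fine as-is) or, per the tpm2-tools man page, add `-e` on the encrypt call to PKCS#7-pad a short final block. If the owner hierarchy has an auth value set, pass it with `-P` to the `-C o` commands.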