
20240604 506 create loaded #529

Draft: wants to merge 5 commits into base: main

Conversation

@Firstyear (Contributor) commented Jun 5, 2024

Fixes #506

Start on created loaded.

Create loaded appears to work in the base case, but when using it for key derivation, it appears to be failing with:

[2024-06-05T04:39:58Z ERROR tss_esapi::context::tpm_commands::object_commands] Error in creating derived key: 0x000002D2
thread 'context_tests::tpm_commands::object_commands_tests::test_create_loaded::test_create_loaded_tpm_alg_kdf1_sp800_108' panicked at tss-esapi/tests/integration_tests/context_tests/tpm_commands/object_commands_tests.rs:519:14:
Failed to create derivation parent.: TssError(Tpm(FormatOne(TpmFormatOneResponseCode { error_number: Scheme, argument_number: Parameter(2) })))

I'm pretty sure I'm making a mistake in the derive_parent_public PublicBuilder parameters that I'm setting. Per the spec, this does need to be keyed hash, but given the parameters I've set, I think that we need to set KDF1SP800_108 as the scheme when we create this key. Currently, though, I think that's not possible, as KeyHashSchemes are just for Xor and Hmac, not derivation.

So any advice would be more than welcome on how to proceed next :)

@Firstyear Firstyear marked this pull request as draft June 5, 2024 05:01
// Create Derivation Parent
// - How to mark an object as a derivation parent? From what I read
// in the spec, a derivation parent is just when != (primary || storage)
let derive_parent_object_attributes = ObjectAttributesBuilder::new()
@Superhepper (Collaborator) commented Jun 9, 2024

This is really not my area of expertise, but it seems to me that it is not as simple as setting the object attributes of the key. The kind of object you create will depend on the object attributes of its parent, not only the object attributes of the object itself.

Look at TCG TPM2, r1p59, Part 3 Commands, Section 12.9.1.

Hrmm but the error code suggests:

TPM_RC_SCHEME

inconsistent attributes decrypt, sign, restricted and key's scheme ID; or hash algorithm is inconsistent with the scheme ID for keyed hash object

@Firstyear (Contributor, Author) commented

Yes, I did read that section. The problem I hit was that Part 3 12.9.1 doesn't actually define a derivation parent. That's actually defined in Part 1 4.19 as "loadable key used to derive other keys; a TPM_ALG_KEYEDHASH Parent Key", and Part 1 25.1.5 table 24 states "Asymmetric keys and symmetric keys with these attributes are Storage Parents, and hash objects with these attributes are Derivation Parents." where the attributes are sign=clear, decrypt=set, restricted=set.

I think the comment I wrote here needs to be updated to reflect this, but I still think the attributes I used on the key were correct :)
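As an added illustration (not code from this PR or from tss-esapi), the two rules the thread leans on can be written down and checked directly: the Part 1 table 24 classification of parent objects from the sign/decrypt/restricted bits, and the layout of a TPM 2.0 format-one response code, which is how 0x000002D2 in the log above decodes to TPM_RC_SCHEME on parameter 2. Bit positions follow TPM 2.0 Part 2 (TPMA_OBJECT and TPM_RC); the enum and function names are my own.

```rust
// Added example, std-only. Bit layouts are from TPM 2.0 Part 2.

/// TPMA_OBJECT bit positions (TPM 2.0 Part 2, TPMA_OBJECT).
pub const RESTRICTED: u32 = 1 << 16;
pub const DECRYPT: u32 = 1 << 17;
pub const SIGN_ENCRYPT: u32 = 1 << 18;

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum ObjectType { Rsa, Ecc, SymCipher, KeyedHash }

#[derive(Debug, PartialEq, Eq)]
pub enum ParentKind { StorageParent, DerivationParent, NotAParent }

/// Part 1, 25.1.5 table 24: with sign=clear, decrypt=set, restricted=set an
/// asymmetric or symmetric key is a Storage Parent and a keyed-hash object is
/// a Derivation Parent; any other combination is not a parent at all.
pub fn classify(ty: ObjectType, attrs: u32) -> ParentKind {
    let parent_attrs = (attrs & SIGN_ENCRYPT) == 0
        && (attrs & DECRYPT) != 0
        && (attrs & RESTRICTED) != 0;
    match (ty, parent_attrs) {
        (ObjectType::KeyedHash, true) => ParentKind::DerivationParent,
        (_, true) => ParentKind::StorageParent,
        _ => ParentKind::NotAParent,
    }
}

/// TPM_RC_SCHEME = RC_FMT1 + 0x012 (Part 2, TPM_RC constants).
pub const TPM_RC_SCHEME: u8 = 0x12;

/// A decoded format-one response code: bit 7 marks the format, bits 0..5 hold
/// the error number, bit 6 says whether the number in bits 8..11 names a
/// parameter (1) or a handle/session (0). For TPM2_CreateLoaded, parameter 2
/// is inPublic (Part 3, 12.9.1), so 0x2D2 points at the public area.
#[derive(Debug, PartialEq, Eq)]
pub struct FormatOne { pub error: u8, pub is_parameter: bool, pub number: u8 }

pub fn decode_format_one(rc: u32) -> Option<FormatOne> {
    if rc & 0x80 == 0 {
        return None; // not a format-one code (e.g. a format-zero TPM_RC_*)
    }
    Some(FormatOne {
        error: (rc & 0x3F) as u8,
        is_parameter: rc & 0x40 != 0,
        number: ((rc >> 8) & 0xF) as u8,
    })
}
```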

Successfully merging this pull request may close these issues.

Support Created Loaded