Support for PCR Policies #154

@boomer41

Description

To protect keys from misuse by unauthorized software, TPMs can enforce authorization checks via policies. A simple way to ensure that only the correct boot environment can use a key is to bind it to a PCR authorization policy. Without an authorization policy, anyone with access to the TPM can use the key, ignoring measured boot.

In the following example, I generate a primary key, and a certificate key with a PCR policy sha256:0,1,7.

The primary key is persisted at 0x8101ff02, and the certificate key is persisted at 0x8101ff03.
This is simply done to persist the key somewhere, e.g. for embedded firmware.

#!/bin/bash

set -ex

# Temp folder to store stuff
rm -Rf tmp
mkdir tmp

# Make sure we don't run into some resource limits
tpm2_flushcontext -t
tpm2_flushcontext --saved-session

# Create primary key and persist it
tpm2_createprimary -Q -C o -g sha256 -c tmp/primary.ctx -G ecc256
tpm2_evictcontrol -C o -c tmp/primary.ctx 0x8101ff02

# Create the PCR policy from the PCRs with values from the currently running device
tpm2_createpolicy --policy-pcr -l sha256:0,1,7 -L tmp/primary.policy

# Create the certificate key, bound to above policy
tpm2_create -Q -C 0x8101ff02 -G ecc256:ecdsa-sha256:null -g sha256 \
    -u tmp/cert.pub -r tmp/cert.priv \
    -L tmp/primary.policy \
    -a 'fixedtpm|fixedparent|sensitivedataorigin|sign'

# Load it again and persist
tpm2_load -Q -C 0x8101ff02 -u tmp/cert.pub -r tmp/cert.priv -c tmp/cert.ctx
tpm2_evictcontrol -C o -c tmp/cert.ctx 0x8101ff03

After that, I want to use the TPM2 OpenSSL provider to generate a CSR:

openssl req \
    -provider tpm2 \
    -provider default \
    -propquery '?provider=tpm2' \
    -new \
    -subj "/CN=testcert" \
    -key 'handle:0x8101FF03' \
    -out tmp/cert.csr

I did not find a way to make the TPM2 OpenSSL provider start a policy session and authorize via the required PCRs.
Thus, I receive the following expected error: authValue or authPolicy is not available for selected entity

So, the question: Can the TPM2 OpenSSL Provider be configured to start a session, or is it currently impossible? Is support for authorization besides the (already-implemented?) password authorization planned?

For reference, the full error message:

WARNING:esys:src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x0000012f) 
4077047A7A7F0000:error:4000000F:tpm2::cannot sign::-1:303 tpm:error(2.0): authValue or authPolicy is not available for selected entity
4077047A7A7F0000:error:06880006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../crypto/asn1/a_sign.c:277:
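
The policy digest that `tpm2_createpolicy --policy-pcr -l sha256:0,1,7` writes to `tmp/primary.policy` can be recomputed offline, which makes it clear what the key above is actually bound to. The following Python is an added example, not code from the issue author or from the tpm2-openssl project; the PCR values it uses are constructed, and it assumes a single SHA-256 bank with a 3-octet `pcrSelect` (what tpm2-tools emits for that selection).

```python
import hashlib
import struct

# TPM 2.0 command code for TPM2_PolicyPCR (Part 2, TPM_CC constants)
TPM_CC_POLICYPCR = 0x0000017F
# TPM_ALG_SHA256 algorithm identifier
TPM_ALG_SHA256 = 0x000B


def pcr_select_bitmap(pcrs, size_of_select=3):
    """Build the TPMS_PCR_SELECTION.pcrSelect bitmap (bit i set = PCR i selected)."""
    bitmap = bytearray(size_of_select)
    for pcr in pcrs:
        bitmap[pcr // 8] |= 1 << (pcr % 8)
    return bytes(bitmap)


def marshal_pcr_selection(pcrs, size_of_select=3):
    """Marshal a TPML_PCR_SELECTION holding one SHA-256 bank:
    count (u32), hashAlg (u16), sizeofSelect (u8), pcrSelect bytes."""
    return (struct.pack(">IHB", 1, TPM_ALG_SHA256, size_of_select)
            + pcr_select_bitmap(pcrs, size_of_select))


def pcr_policy_digest(pcr_values):
    """policyDigest that TPM2_PolicyPCR yields on a fresh (all-zero) policy session.

    pcr_values maps PCR index -> 32-byte SHA-256 PCR value. Per TPM 2.0 Part 3:
      policyDigest_new = SHA256(policyDigest_old || TPM_CC_PolicyPCR || pcrs || pcrDigest)
    where pcrDigest = SHA256(selected PCR values concatenated in ascending index order).
    """
    pcrs = sorted(pcr_values)
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in pcrs)).digest()
    start = bytes(32)  # a new policy session starts with an all-zero digest
    return hashlib.sha256(start + struct.pack(">I", TPM_CC_POLICYPCR)
                          + marshal_pcr_selection(pcrs) + pcr_digest).digest()


# Constructed sample values (not real measurements) for PCRs 0, 1 and 7 of the SHA-256 bank
SAMPLE_PCRS = {
    0: bytes.fromhex("aa" * 32),
    1: bytes.fromhex("bb" * 32),
    7: bytes.fromhex("cc" * 32),
}

if __name__ == "__main__":
    print("policy:", pcr_policy_digest(SAMPLE_PCRS).hex())
    # Any change to a measured PCR changes the digest, so the key no longer authorizes
    tampered = {**SAMPLE_PCRS, 7: bytes.fromhex("dd" * 32)}
    print("after PCR 7 change:", pcr_policy_digest(tampered).hex())
```

Feeding it the real values from `tpm2_pcrread sha256:0,1,7` should reproduce the bytes in `tmp/primary.policy` (compare with `xxd tmp/primary.policy`); a mismatch after a firmware or bootloader update is exactly why the key stops authorizing.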
