We noticed on GB200 systems that tpm2_getekcertificate would occasionally stop finding any EK certificates, but when using tpm2_nvread we could read the certificates from offsets 0x01c00002, 0x01c0000a and 0x01c00016. After doing a tpm2_clear we were able to read the EK certs again.
It seems that this TPM had 179 handles, but the call tpm2_getcap used by both tpm2_getekcertificate & tpm2_nvreadpublic is only returning 126. So if the EK certs are further down the list, they don't get found.
For internal testing we made the following patch, which fixes both tools; I will raise it as a PR.
diff --git a/tools/tpm2_getekcertificate.c b/tools/tpm2_getekcertificate.c
index 80617686..17bbfd63 100644
--- a/tools/tpm2_getekcertificate.c
+++ b/tools/tpm2_getekcertificate.c
@@ -987,9 +987,8 @@ tool_rc get_tpm_properties(ESYS_CONTEXT *ectx) {
}
free(capability_data);
- rc = tpm2_getcap(ectx, TPM2_CAP_HANDLES,
- TPM2_NV_INDEX_FIRST, TPM2_PT_NV_INDEX_MAX, NULL,
- &capability_data);
+ rc = tpm2_capability_get(ectx, TPM2_CAP_HANDLES,
+ TPM2_NV_INDEX_FIRST, TPM2_MAX_CAP_HANDLES, &capability_data);
if (rc != tool_rc_success) {
LOG_ERR("Failed to read capability data for NV indices.");
ctx.is_cert_on_nv = false;
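Review bot: this file's part of the diff adds no `#include "tpm2_capability.h"`, although the tpm2_nvreadpublic.c part of the same patch had to add one for tpm2_capability_get; confirm the header is already included in tpm2_getekcertificate.c or add it here as well. Also worth stating in the PR description: the removed call passed TPM2_PT_NV_INDEX_MAX, a property tag rather than a handle count, and 126 handles is consistent with MAX_CAP_HANDLES = (512 - 8) / 4 for a TPM built with a 512-byte capability buffer, so the 126-of-179 truncation is the TPM setting moreData and the caller never continuing. The fix therefore only holds if tpm2_capability_get re-issues the request while moreData is set; say so in the description and cover it with a test.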
diff --git a/tools/tpm2_nvreadpublic.c b/tools/tpm2_nvreadpublic.c
index 597ff6d1..9fd05ded 100644
--- a/tools/tpm2_nvreadpublic.c
+++ b/tools/tpm2_nvreadpublic.c
@@ -5,6 +5,7 @@
#include "files.h"
#include "tpm2_alg_util.h"
#include "tpm2_attr_util.h"
+#include "tpm2_capability.h"
#include "tpm2_nv_util.h"
#include "tpm2_tool.h"
@@ -209,9 +210,8 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
* 3. Command specific initializations dependent on loaded objects
*/
if (ctx.nv_index == 0 && ctx.is_command_dispatch) {
- rc = tpm2_getcap(ectx, TPM2_CAP_HANDLES,
- TPM2_NV_INDEX_FIRST, TPM2_PT_NV_INDEX_MAX, NULL,
- &ctx.capability_data);
+ rc = tpm2_capability_get(ectx, TPM2_CAP_HANDLES,
+ TPM2_NV_INDEX_FIRST, TPM2_MAX_CAP_HANDLES, &ctx.capability_data);
if (rc != tool_rc_success) {
return rc;
}
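Review bot: ctx.capability_data is now allocated by tpm2_capability_get instead of tpm2_getcap; check that the tool's existing cleanup still frees it correctly (one TPMS_CAPABILITY_DATA allocation) and that any later code reading ctx.capability_data->data.handles.count copes with a count larger than one reply carries. A regression test with more NV indices defined than fit in a single GetCapability reply would keep the 126-of-179 case from coming back.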
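Added example, not the reporter's code and not tpm2-tools code: a small C model of TPM2_GetCapability paging over TPM2_CAP_HANDLES, with a simulated TPM constructed to match the numbers in the report (179 NV indices defined, 126 returned per reply). The simulator, its index layout and the function names are assumptions; it shows why a single call misses the three EK certificate indices and what a continuation loop must do.

```c
/* Added example, not tpm2-tools code: a simulated TPM pages TPM2_CAP_HANDLES
 * replies as the report describes (179 NV indices, 126 per reply). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NV_INDEX_FIRST 0x01000000u
#define SIM_NV_COUNT   179u  /* constructed: NV indices on the simulated TPM */
#define SIM_PER_REPLY  126u  /* constructed: handles per reply before moreData */
/* EK certificate NV indices quoted in the report. */
static const uint32_t ek_cert_nv[] = { 0x01c00002u, 0x01c0000au, 0x01c00016u };
static uint32_t sim_handles[SIM_NV_COUNT];
/* Constructed index set, ascending as a TPM reports it: 176 filler indices
 * below the EK range, so the EK certificates sit past the first reply. */
static void sim_init(void) {
    for (size_t i = 0; i < SIM_NV_COUNT - 3; i++) sim_handles[i] = 0x01800000u + (uint32_t)i;
    for (size_t i = 0; i < 3; i++) sim_handles[SIM_NV_COUNT - 3 + i] = ek_cert_nv[i];
}
/* Simulated TPM2_GetCapability(TPM2_CAP_HANDLES): handles >= first, at most
 * SIM_PER_REPLY of them; *more mirrors the response's moreData flag. */
static size_t sim_getcap(uint32_t first, uint32_t *out, bool *more) {
    size_t i = 0, n = 0;
    while (i < SIM_NV_COUNT && sim_handles[i] < first) i++;
    while (i < SIM_NV_COUNT && n < SIM_PER_REPLY) out[n++] = sim_handles[i++];
    *more = i < SIM_NV_COUNT;
    return n;
}
struct scan { size_t handles; size_t ek_found; };
static struct scan tally(const uint32_t *h, size_t n) {
    struct scan s = { n, 0 };
    for (size_t i = 0; i < n; i++)
        for (size_t k = 0; k < 3; k++) if (h[i] == ek_cert_nv[k]) s.ek_found++;
    return s;
}
/* One request with moreData ignored: sees 126 handles and no EK index. */
struct scan scan_single_call(void) {
    uint32_t buf[SIM_NV_COUNT]; bool more;
    sim_init();
    return tally(buf, sim_getcap(NV_INDEX_FIRST, buf, &more));
}
/* Continuation loop: while moreData is set, ask again from just past the last
 * handle returned; only this sees all 179 handles and the three EK indices. */
struct scan scan_paged(void) {
    uint32_t buf[SIM_NV_COUNT]; size_t total = 0, n; bool more = true;
    sim_init();
    while (more && (n = sim_getcap(total ? buf[total - 1] + 1 : NV_INDEX_FIRST, buf + total, &more)))
        total += n;
    return tally(buf, total);
}
```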