
IDevID creation fails with ECC keys when unique-data is set to the TCG required string

Open. MMaiero opened this issue 1 year ago. 1 comment

Hello, I am trying to create a new ECC primary key under the endorsement hierarchy. The device I am running on has a Yocto-based distribution with TPM2 Tools 5.2 and an SLB9670 TPM.

Up until now I was generating the IDevID primary key using RSA 2048, with the following command:

tpm2_createprimary -C e \
    -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|adminwithpolicy|sign|decrypt|noda" \
    -G rsa2048 -g sha256 \
    -L policy-idevid.pol \
    -u idevid.dat \
    -c idevid.ctx

where idevid.dat is set as:

echo -n -e "\x00\x01\x49\x44\x45\x56\x49\x44" > idevid.dat

following the TCG guidelines: [image]

Unfortunately, when trying to switch to ECC 256, the command returns with an error:

tpm2_createprimary -C e -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|adminwithpolicy|sign|decrypt|noda" -G ecc -L policy-idevid.pol -u idevid.dat -c idevid.ctx
WARNING:marshal:../tpm2-tss-3.0.3/src/tss2-mu/tpm2b-types.c:326:Tss2_MU_TPM2B_ECC_PARAMETER_Marshal() size: 256 for buffer of TPM2B_ECC_PARAMETER is larger than max length of buffer: 128
ERROR:esys:../tpm2-tss-3.0.3/src/tss2-esys/api/Esys_CreatePrimary.c:221:Esys_CreatePrimary_Async() SAPI Prepare returned error. ErrorCode (0x00090010)
ERROR:esys:../tpm2-tss-3.0.3/src/tss2-esys/api/Esys_CreatePrimary.c:110:Esys_CreatePrimary() Error in async function ErrorCode (0x00090010)
ERROR: Esys_CreatePrimary(0x90010) - mu:If size of a parameter is incorrect
ERROR: Unable to run tpm2_createprimary

If I run the same command removing the -u parameter the key generation succeeds.

Any help or hint in understanding what I am doing wrong? Looking at the TCG specification, the above idevid.dat string is needed for both RSA and ECC keys.

Thanks for the support

MMaiero, Feb 14 '24 12:02

The man page of tpm2_createprimary states:

If the data is specified as a file, the user is responsible for ensuring that this buffer is formatted per TPMU_PUBLIC_ID union. The unique data can also be retrieved from stdin buffer by specifying "-" as the --unique-data option value and the tool will parse the key type and associate the input data with the unique data buffer associated with the key type.

So in your example you could use echo -n -e "\x00\x01\x49\x44\x45\x56\x49\x44" | tpm2_createprimary -u- ... In this case the first 4 bytes would be copied to x and the second 4 bytes to y.

JuergenReppSIT, Mar 05 '24 09:03
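As an added illustration (not code from the issue or from tpm2-tools), the following Python models the layout the answer describes: the 8-byte IDevID unique string is split 4/4 into the x and y coordinates of a TPMS_ECC_POINT, each marshalled as a TPM2B (big-endian UINT16 size followed by the buffer, per TPM 2.0 Part 2), with the 128-byte TPM2B_ECC_PARAMETER bound from the error log enforced the way the tpm2-tss marshaller does (reject, not truncate). The split and the bound are taken from the thread; the marshal/unmarshal helpers are this example's own.

```python
import struct

# Buffer limit for TPM2B_ECC_PARAMETER, as quoted in the marshal warning above.
MAX_ECC_KEY_BYTES = 128

# The TCG IDevID unique string from the question (constructed here as bytes).
IDEVID_UNIQUE = b"\x00\x01IDEVID"


def marshal_tpm2b(buf: bytes, max_len: int) -> bytes:
    """Marshal a TPM2B: big-endian UINT16 size, then the buffer.
    Like tpm2-tss, refuse a buffer longer than the type allows."""
    if len(buf) > max_len:
        raise ValueError(
            f"size: {len(buf)} is larger than max length of buffer: {max_len}")
    return struct.pack(">H", len(buf)) + buf


def ecc_point_from_unique(unique: bytes) -> dict:
    """Split unique-data as the stdin path is described in the answer:
    first half -> x, second half -> y (4 + 4 bytes for the IDevID string)."""
    half = len(unique) // 2
    return {"x": unique[:half], "y": unique[half:]}


def marshal_ecc_point(point: dict) -> bytes:
    """TPMS_ECC_POINT = TPM2B_ECC_PARAMETER x || TPM2B_ECC_PARAMETER y."""
    return (marshal_tpm2b(point["x"], MAX_ECC_KEY_BYTES)
            + marshal_tpm2b(point["y"], MAX_ECC_KEY_BYTES))


def unmarshal_ecc_point(data: bytes) -> dict:
    """Inverse of marshal_ecc_point, applying the same size bound on each
    coordinate so an oversized size field (e.g. 256) is rejected."""
    def take(off: int):
        (size,) = struct.unpack_from(">H", data, off)
        if size > MAX_ECC_KEY_BYTES:
            raise ValueError(
                f"size: {size} is larger than max length of buffer: "
                f"{MAX_ECC_KEY_BYTES}")
        end = off + 2 + size
        if end > len(data):
            raise ValueError("truncated TPM2B")
        return data[off + 2:end], end

    x, off = take(0)
    y, _ = take(off)
    return {"x": x, "y": y}


if __name__ == "__main__":
    wire = marshal_ecc_point(ecc_point_from_unique(IDEVID_UNIQUE))
    print(wire.hex(), unmarshal_ecc_point(wire))
```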

Hello, sorry for the delay, but thanks for the response.

I can confirm that your suggestion solves the issue.

Best regards

MMaiero, Apr 10 '24 11:04