tpm2-tools
`sensitivedataorigin` attribute set for `tpm2_import`
This is more of a question about why you can set `sensitivedataorigin` while importing an external key with `tpm2_import`.
p. 63: "8.3.3.5 Bit[5] – sensitiveDataOrigin" here

AFAIK, you should only be able to have that flag set if the sensitive part is generated inside a TPM... but I can set this on import too, where I supply the key. Just a bit confused about how this is possible, though.
The following will generate an AES key and run a `tpm2_import` on it... I'm explicitly setting the `sensitivedataorigin` attribute, though:
```console
$ dd if=/dev/urandom of=sym.key bs=1 count=16
$ echo "foo" > secret.dat
$ openssl rand -out iv.bin 16
$ tpm2_createprimary -C o -c primary.ctx
$ tpm2_import -C primary.ctx -G aes -i sym.key -u key.pub -r key.priv -a "sensitivedataorigin|userwithauth|decrypt|sign"
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: sensitivedataorigin|userwithauth|decrypt|sign
  raw: 0x60060
type:
  value: symcipher
  raw: 0x25
sym-alg:
  value: aes
  raw: 0x6
sym-mode:
  value: null
  raw: 0x10
sym-keybits: 128
symcipher: 5b8be7a6cf55fe26d6105b3e68181a67a6f940656511eb7bb724bfa97e18a83b
$ tpm2_load -C primary.ctx -u key.pub -r key.priv -n key.name -c decrypt.ctx
$ tpm2_readpublic -c decrypt.ctx
name: 000bf9df343e0bb9b8e6c6a16b505e128af3bbab4e90e9cc5444a5e455662bfd8837
qualified name: 000beebfe701c93e85962169123d20b39d5a419ab9d20b96efb4daf3500a40f17bd1
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: sensitivedataorigin|userwithauth|decrypt|sign
  raw: 0x60060
type:
  value: symcipher
  raw: 0x25
sym-alg:
  value: aes
  raw: 0x6
sym-mode:
  value: null
  raw: 0x10
sym-keybits: 128
symcipher: 5b8be7a6cf55fe26d6105b3e68181a67a6f940656511eb7bb724bfa97e18a83b
$ tpm2_encryptdecrypt -Q --iv iv.bin -c decrypt.ctx -o encrypt.out secret.dat
$ tpm2_encryptdecrypt -Q --iv iv.bin -c decrypt.ctx -d -o decrypt.out encrypt.out
```
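The session above shows `sensitivedataorigin` surviving an import of caller-supplied key material, so on its own the bit is a claim in the public area rather than proof of where the secret came from. The following is an added example, not tpm2-tools code, that decodes the `raw: 0x60060` attribute word printed by `tpm2_import`/`tpm2_readpublic` into the same names tpm2-tools prints, encodes the `a|b|c` attribute string back to the raw word, and applies the check a verifier of such public areas would actually want: `TPM2_Import` requires `fixedTPM` to be CLEAR in the imported public area, so the origin claim is only worth relying on when `fixedTPM` is SET as well. Bit positions are those of `TPMA_OBJECT` in TPM 2.0 Library Part 2; the helper names and the rule that `origin_claim_trustworthy` implements are this example's own, and the only sample value is the `0x60060` from the output above.

```python
# Added example (not tpm2-tools code): decode/encode the TPMA_OBJECT attribute
# word and check whether a sensitiveDataOrigin claim can be trusted.
#
# Bit positions follow TPM 2.0 Library Part 2 (TPMA_OBJECT); the names follow
# the spelling tpm2-tools uses in its "attributes" output.
TPMA_OBJECT_BITS = {
    "fixedtpm": 1,
    "stclear": 2,
    "fixedparent": 4,
    "sensitivedataorigin": 5,
    "userwithauth": 6,
    "adminwithpolicy": 7,
    "noda": 10,
    "encryptedduplication": 11,
    "restricted": 16,
    "decrypt": 17,
    "sign": 18,
}

# Mask of every bit this decoder understands; anything else is reserved here.
_KNOWN_MASK = sum(1 << bit for bit in TPMA_OBJECT_BITS.values())


def decode_tpma_object(raw: int) -> list:
    """Return the attribute names set in a raw TPMA_OBJECT word, in bit order."""
    unknown = raw & ~_KNOWN_MASK
    if unknown:
        raise ValueError(f"reserved/unknown TPMA_OBJECT bits set: {unknown:#x}")
    return [name for name, bit in sorted(TPMA_OBJECT_BITS.items(), key=lambda kv: kv[1])
            if raw & (1 << bit)]


def encode_tpma_object(spec: str) -> int:
    """Turn a tpm2-tools style 'a|b|c' attribute string into the raw word."""
    raw = 0
    for name in spec.split("|"):
        name = name.strip().lower()
        if name not in TPMA_OBJECT_BITS:
            raise ValueError(f"unknown attribute name: {name!r}")
        raw |= 1 << TPMA_OBJECT_BITS[name]
    return raw


def origin_claim_trustworthy(raw: int) -> bool:
    """
    sensitiveDataOrigin is a bit in the caller-supplied public area, and
    TPM2_Import accepts it for a key whose secret came from outside the TPM
    (as the session above demonstrates). TPM2_Import does reject a public
    area with fixedTPM SET, so this check (the example's own rule) only
    accepts the origin claim when fixedTPM is SET alongside it.
    """
    attrs = set(decode_tpma_object(raw))
    return "sensitivedataorigin" in attrs and "fixedtpm" in attrs


if __name__ == "__main__":
    imported = 0x60060  # value printed by tpm2_import / tpm2_readpublic above
    print(hex(imported), "->", "|".join(decode_tpma_object(imported)))
    print("origin claim trustworthy:", origin_claim_trustworthy(imported))
```

Run against the `0x60060` from the output above, the decoder reproduces `sensitivedataorigin|userwithauth|decrypt|sign` and the check returns `False`, which is the point: the attribute alone says nothing about whether the key material was generated inside the TPM.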