tpm2-tss
tpm2-tss copied to clipboard
tpm2-software
tss2_provision first try fails, "Invalid PCR selection in profile"
I fetched and built tpm2-tss and tpm2-tools today. First try running tss2_provision yields an error:
ral@archie:/usr/local/src/tpm2-tools$ sudo tss2_provision
WARNING:fapi:src/tss2-fapi/ifapi_io.c:339:ifapi_io_check_create_dir() Directory /root/.local/share/tpm2-tss/user/keystore does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:339:ifapi_io_check_create_dir() Directory /usr/local/var/lib/tpm2-tss/system/keystore/policy does not exist, creating
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:2215:ifapi_check_profile_pcr_selection() Invalid PCR selection. ErrorCode (0x0006000b)
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:546:Fapi_Provision_Finish() Invalid PCR selection in profile. ErrorCode (0x0006000b)
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:169:Fapi_Provision() ErrorCode (0x0006000b) Provision
Fapi_Provision(0x6000B) - fapi:A parameter has a bad value
This is on an HP Envy laptop running Ubuntu 20. As far as I know the trusted platform module has not been used until now. Any suggestions? Thanks.
Could you please send the output of
tss2_getinfo -o -| grep PCRS -A 60
or
tpm2_pcrread
To compare the result with the pcr selection in your profile.
P.S. It's not necessary to exec the provisioning with sudo if the user is in the group tss.
ral@archie:~$ tss2_getinfo -o -| grep PCRS -A 60 "capability":"PCRS", "data":[ { "hash":"SHA1", "pcrSelect":[ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] }, { "hash":"SHA256", "pcrSelect":[ ] } ] } }, { "description":"pcr-properties", "info":{ "capability":"PCR_PROPERTIES", "data":[ { "tag":"SAVE", "pcrSelect":[ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, ral@archie:~$ tpm2_pcrread sha1: 0 : 0x17CE573DA6793240ECDE04916434CD3BCBA21A03 1 : 0x87A992F56A283772A65F574C90941E79FED1073D 2 : 0x6DE63E88634094E802842CDE4640060BA101F33A 3 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 4 : 0xBB2DE98CA57A48B97621DA0BD90C24A3A0518DBA 5 : 0x18CDF72F10A3B87188B72B6B897D833109F0EC69 6 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 7 : 0x9A4771EC7B8D90F6C79AEB838BFE81ADE2341CEB 8 : 0x0000000000000000000000000000000000000000 9 : 0x129A123AF10442E8D66C0DD7EEA1F3B782D37E99 10: 0x48EBA20EDA50B9F9E1F4655311A8BE40ED5F5A78 11: 0x0000000000000000000000000000000000000000 12: 0x0000000000000000000000000000000000000000 13: 0x0000000000000000000000000000000000000000 14: 0x0000000000000000000000000000000000000000 15: 0x0000000000000000000000000000000000000000 16: 0x0000000000000000000000000000000000000000 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 23: 0x0000000000000000000000000000000000000000 sha256: ral@archie:~$
ral@archie:~$ tss2_getinfo -o -| grep PCRS -A 60 "capability":"PCRS", "data":[ { "hash":"SHA1", "pcrSelect":[ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] }, { "hash":"SHA256", "pcrSelect":[ ] } ] } }, { "description":"pcr-properties", "info":{ "capability":"PCR_PROPERTIES", "data":[ { "tag":"SAVE", "pcrSelect":[ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, ral@archie:~$ tpm2_pcrread sha1: 0 : 0x17CE573DA6793240ECDE04916434CD3BCBA21A03 1 : 0x87A992F56A283772A65F574C90941E79FED1073D 2 : 0x6DE63E88634094E802842CDE4640060BA101F33A 3 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 4 : 0xBB2DE98CA57A48B97621DA0BD90C24A3A0518DBA 5 : 0x18CDF72F10A3B87188B72B6B897D833109F0EC69 6 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 7 : 0x9A4771EC7B8D90F6C79AEB838BFE81ADE2341CEB 8 : 0x0000000000000000000000000000000000000000 9 : 0x129A123AF10442E8D66C0DD7EEA1F3B782D37E99 10: 0x48EBA20EDA50B9F9E1F4655311A8BE40ED5F5A78 11: 0x0000000000000000000000000000000000000000 12: 0x0000000000000000000000000000000000000000 13: 0x0000000000000000000000000000000000000000 14: 0x0000000000000000000000000000000000000000 15: 0x0000000000000000000000000000000000000000 16: 0x0000000000000000000000000000000000000000 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 23: 0x0000000000000000000000000000000000000000 sha256: ral@archie:~$
Thank you for sending the PCR informations.
Your TPM has no sha256 bank. But only this bank is activated in the default profile.
You should change it in the default profile. You can find the profile directory and profile with:
tss2_getinfo -o -| head -n 10
In the file P_....json you can exchange SHA1 and SHA256 for pcr_selection.
Thanks for your help. I may not have exactly understood your suggestion.
At first I tried just exchanging the arrays (I see 23 elements reported by tpm2_pcrread) so I just exchanged the arrays in the .json files. That led to a different error. Then I tried replacing SHA256 with SHA1 in what looks like algorithm selection definitions. That didn't help. (see below). I attach the updated P_ECCP256SHA256.json and P_RSA2048SHA256.json files (I see SHA256 in the file names but I suppose those are just names, correct me if I'm mistaken).
configs.zip
I'm a little concerned about what I suppose is the lack of SHA256 support in my hardware. Can you point me to documentation explaining this configuration data? Thanks again.
ral@archie:~$ tss2_getinfo -o -| head -n 10
{
"version":"tpm2-tss 3.2.0-20-gb66d7a58",
"fapi_config":{
"profile_dir":"/usr/local/etc/tpm2-tss/fapi-profiles/",
"user_dir":"/home/ral/.local/share/tpm2-tss/user/keystore",
"system_dir":"/usr/local/var/lib/tpm2-tss/system/keystore",
"log_dir":"/usr/local/var/run/tpm2-tss/eventlog/",
"profile_name":"P_ECCP256SHA256",
"tcti":"",
"system_pcrs":[
ral@archie:~$ diff P_ECCP256SHA256.json /usr/local/etc/tpm2-tss/fapi-profiles/
24c24
< "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
---
> "pcrSelect": [ ],
27c27
< "pcrSelect": [ ],
---
> "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
ral@archie:~$ sudo cp P_ECCP256SHA256.json /usr/local/etc/tpm2-tss/fapi-profiles/
[sudo] password for ral:
ral@archie:~$ diff P_RSA2048SHA256.json /usr/local/etc/tpm2-tss/fapi-profiles/
30c30
< "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
---
> "pcrSelect": [ ]
33c33
< "pcrSelect": [ ]
---
> "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
ral@archie:~$ sudo cp P_RSA2048SHA256.json /usr/local/etc/tpm2-tss/fapi-profiles/
ral@archie:~$ tss2_provision
WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:400:Esys_CreatePrimary_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/fapi_util.c:761:ifapi_init_primary_finish() ErrorCode (0x00000185) FAPI Provision
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:582:Fapi_Provision_Finish() Init primary finish ErrorCode (0x00000185)
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:169:Fapi_Provision() ErrorCode (0x00000185) Provision
Fapi_Provision(0x185) - tpm:handle(1):hierarchy is not enabled or is not correct for the use
ral@archie:~$ diff P_ECCP256SHA256.json /usr/local/etc/tpm2-tss/fapi-profiles/
3c3
< "nameAlg":"TPM2_ALG_SHA1",
---
> "nameAlg":"TPM2_ALG_SHA256",
12c12
< "hashAlg":"TPM2_ALG_SHA1"
---
> "hashAlg":"TPM2_ALG_SHA256"
ral@archie:~$ sudo cp P_ECCP256SHA256.json /usr/local/etc/tpm2-tss/fapi-profiles/
ral@archie:~$ diff P_RSA2048SHA256.json /usr/local/etc/tpm2-tss/fapi-profiles/
3c3
< "nameAlg":"TPM2_ALG_SHA1",
---
> "nameAlg":"TPM2_ALG_SHA256",
12c12
< "hashAlg":"TPM2_ALG_SHA1"
---
> "hashAlg":"TPM2_ALG_SHA256"
18c18
< "hashAlg":"TPM2_ALG_SHA1"
---
> "hashAlg":"TPM2_ALG_SHA256"
38c38
< "session_hash_alg": "TPM2_ALG_SHA1",
---
> "session_hash_alg": "TPM2_ALG_SHA256",
ral@archie:~$ sudo cp P_RSA2048SHA256.json /usr/local/etc/tpm2-tss/fapi-profiles/
ral@archie:~$ tss2_provision
WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:400:Esys_CreatePrimary_Finish() Received TPM Error
ERROR:fapi:src/tss2-fapi/fapi_util.c:761:ifapi_init_primary_finish() ErrorCode (0x00000185) FAPI Provision
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:582:Fapi_Provision_Finish() Init primary finish ErrorCode (0x00000185)
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:169:Fapi_Provision() ErrorCode (0x00000185) Provision
Fapi_Provision(0x185) - tpm:handle(1):hierarchy is not enabled or is not correct for the use
ral@archie:~$
The configuration description can be viewed with:
man fapi-profile and man tss2_provision.
With tss2_getinfo you get a list of all capabilities of your TPM.
The error now, after the correct replacement of SHA256 with SHA1, is related to the creation of the endorsement key. Does this error also occur after:
tpm2_createprimary -C e -g sha1 -G ecc -c context.out ?
But if the endorsement hierarchy is really disabled you would need the the authorization for the platform hierarchy to enable it with:
tpm2_hierarchycontrol -C p ehEnable set
Still no joy. sigh
ral@archie:~$ tpm2_createprimary -C e -g sha1 -G ecc -c context.out
WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:400:Esys_CreatePrimary_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish ErrorCode (0x00000185)
ERROR: Esys_CreatePrimary(0x185) - tpm:handle(1):hierarchy is not enabled or is not correct for the use
ERROR: Unable to run tpm2_createprimary
ral@archie:~$ tpm2_hierarchycontrol -C p ehEnable set
WARNING:esys:src/tss2-esys/api/Esys_HierarchyControl.c:311:Esys_HierarchyControl_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_HierarchyControl.c:104:Esys_HierarchyControl() Esys Finish ErrorCode (0x000009a2)
ERROR: Esys_HierarchyControl(0x9A2) - tpm:session(1):authorization failure without DA implications
ERROR: Failed hierarchycontrol operation.
ERROR: Unable to run tpm2_hierarchycontrol
So perhaps you can try to clear the TPM in the bios of your laptop. But clearing erases information stored on the TPM. You will lose all created keys and access to data encrypted by these keys.
I issued a BIOS TPM reset. Exiting the BIOS utility (F10 save and exit) rebooted, then prompted for a confirmation. I told it go ahead. Now tss2_provision says...
ral@archie:~$ tss2_provision
ERROR:fapijson:src/tss2-fapi/tpm_json_deserialize.c:56:ifapi_parse_json() Invalid JSON at line 1 column 1: unexpected character.
ERROR:fapi:src/tss2-fapi/ifapi_get_intl_cert.c:353:ifapi_get_intl_ek_certificate() ErrorCode (0x00060001) Failed to parse EK cert data
ERROR:fapi:src/tss2-fapi/ifapi_get_intl_cert.c:396:ifapi_get_intl_ek_certificate() Get INTEL EK certificate.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:1470:Fapi_Provision_Finish() ErrorCode (0x00060025) Get certificates
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:169:Fapi_Provision() ErrorCode (0x00060025) Provision
Fapi_Provision(0x60025) - fapi:No certificate
ral@archie:~$
and tss2_list confirms that provision has failed.
ral@archie:~$ tss2_list
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:216:Fapi_List_Finish() Path not found:
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
Fapi_List(0x60034) - fapi:Provisioning was not executed.
ral@archie:~$
Ah, one small step forward, now tpm2_createprimary seems to work. However, even after that, more failure.
ral@archie:~$ tpm2_createprimary -C e -g sha1 -G ecc -c context.out
name-alg:
value: sha1
raw: 0x4
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
raw: 0x30072
type:
value: ecc
raw: 0x23
curve-id:
value: NIST p256
raw: 0x3
kdfa-alg:
value: null
raw: 0x10
kdfa-halg:
value: (null)
raw: 0x0
scheme:
value: null
raw: 0x10
scheme-halg:
value: (null)
raw: 0x0
sym-alg:
value: aes
raw: 0x6
sym-mode:
value: cfb
raw: 0x43
sym-keybits: 128
x: 9d41aaf83ed1ac37b5464dd23f400e33fc9e91887a84720dfd48575010bb3d55
y: a3cfe73f50896ed49bd2a726292b748157978cee3d1cf88a1b17d293d4b631f2
ral@archie:~$ tpm2_hierarchycontrol -C p ehEnable set
WARNING:esys:src/tss2-esys/api/Esys_HierarchyControl.c:311:Esys_HierarchyControl_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_HierarchyControl.c:104:Esys_HierarchyControl() Esys Finish ErrorCode (0x000009a2)
ERROR: Esys_HierarchyControl(0x9A2) - tpm:session(1):authorization failure without DA implications
ERROR: Failed hierarchycontrol operation.
ERROR: Unable to run tpm2_hierarchycontrol
ral@archie:~$ tss2_provision
ERROR:fapijson:src/tss2-fapi/tpm_json_deserialize.c:56:ifapi_parse_json() Invalid JSON at line 1 column 1: unexpected character.
ERROR:fapi:src/tss2-fapi/ifapi_get_intl_cert.c:353:ifapi_get_intl_ek_certificate() ErrorCode (0x00060001) Failed to parse EK cert data
ERROR:fapi:src/tss2-fapi/ifapi_get_intl_cert.c:396:ifapi_get_intl_ek_certificate() Get INTEL EK certificate.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:1470:Fapi_Provision_Finish() ErrorCode (0x00060025) Get certificates
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:169:Fapi_Provision() ErrorCode (0x00060025) Provision
Fapi_Provision(0x60025) - fapi:No certificate
ral@archie:~$
The error produced by tpm2_hierarchycontrol is what I expected because I wrote you would need the auth value of the platform hierarchy to enable the endorsement hierarchy. This auth value is set by the bios. Therefore I suggested to execute tpm2_clear.
Fapi tries to download the EK certificate from the intel web site. The URL is computed from hash of the public data of the endorsement key. It would be nice if you could send the output of:
TSS2_LOG=fapi+info tss2_provison
With this output I could try to check what's the reason for the error.
To skip the certificate check you can add:
"ek_cert_less": "yes"
to the fapi config file (See man fapi-config)
Now the provisioning should work.
Thank you again for all your help. Sure enough, adding "ek_cert_less":"yes" was effective.
Let me explain that I'm working on this as part of a recommendation I'm giving to a client regarding use of a TPM to hold private keys for a device -to- cloud service. I am very grateful for your help and it gives me confidence that if we encounter problems there's a responsive open source community to aid us.
Here's the debug output:
ral@archie:~$ TSS2_LOG=fapi+info tss2_provision
info:fapi:src/tss2-fapi/ifapi_get_intl_cert.c:147:base64_encode() Calculating the base64_encode of the hash of the EndorsementPublic Key:
info:fapi:src/tss2-fapi/ifapi_get_intl_cert.c:341:ifapi_get_intl_ek_certificate() Eny1GbQ2qCcfj-6s5wjAYdWlUgzW6wjEN4fxZXsCBlY%3D
ERROR:fapijson:src/tss2-fapi/tpm_json_deserialize.c:56:ifapi_parse_json() Invalid JSON at line 1 column 1: unexpected character.
ERROR:fapi:src/tss2-fapi/ifapi_get_intl_cert.c:353:ifapi_get_intl_ek_certificate() ErrorCode (0x00060001) Failed to parse EK cert data
ERROR:fapi:src/tss2-fapi/ifapi_get_intl_cert.c:396:ifapi_get_intl_ek_certificate() Get INTEL EK certificate.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:1470:Fapi_Provision_Finish() ErrorCode (0x00060025) Get certificates
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:169:Fapi_Provision() ErrorCode (0x00060025) Provision
Fapi_Provision(0x60025) - fapi:No certificate
ral@archie:~$
@ral00 Thank you for sending the debug output. Could you please check whether after the clear still only the sha1 bank is available?
tss2_getinfo -o -| grep PCRS -A 60
At last I was able to reproduce the digest signing example in the "Using the TPM..." presentation (https://youtu.be/XwaSyHJIos8). I started over (clearing the TPM via the BIOS). I found that had also to delete the files created in /usr/local/etc/var/lib/tpm2-tss... (the ones owned by my user ID) but after that I was able to create a key and use it to sign a digest. One puzzling thing remains, even after reset and tpm2_clear the tmp2_hierarchycontrol attempt fails but that does not interfere with the example. First, in answer to your request:
ral@archie:~$ tss2_getinfo -o -| grep PCRS -A 60
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
"capability":"PCRS",
"data":[
{
"hash":"SHA1",
"pcrSelect":[
0,
1,
2,
3,
4,
5,
6,
7,
8,
9,
10,
11,
12,
13,
14,
15,
16,
17,
18,
19,
20,
21,
22,
23
]
},
{
"hash":"SHA256",
"pcrSelect":[
]
}
]
}
},
{
"description":"pcr-properties",
"info":{
"capability":"PCR_PROPERTIES",
"data":[
{
"tag":"SAVE",
"pcrSelect":[
0,
1,
2,
3,
4,
5,
6,
7,
8,
9,
10,
11,
12,
13,
ral@archie:~$
Next, here is the sequence of events...
ral@archie:~$ ###
ral@archie:~$ ### Reboot after BIOS reset of TPM
ral@archie:~$ ### FYI, the BIOS caused a power-on-reset twice, once
ral@archie:~$ ### after selecting and saving "reset TPM", then again
ral@archie:~$ ### after the confirmation.
ral@archie:~$ ###
ral@archie:~$ uptime
10:36:54 up 31 min, 5 users, load average: 0.79, 1.30, 1.10
ral@archie:~$ # Turn on some debug info
ral@archie:~$ export TSS2_LOG=all+INFO
ral@archie:~$ # Try to start completely clean
ral@archie:~$ tpm2_clear
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
ral@archie:~$ tpm2_createprimary -C e -g sha1 -G ecc -c context.out
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
name-alg:
value: sha1
raw: 0x4
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
raw: 0x30072
type:
value: ecc
raw: 0x23
curve-id:
value: NIST p256
raw: 0x3
kdfa-alg:
value: null
raw: 0x10
kdfa-halg:
value: (null)
raw: 0x0
scheme:
value: null
raw: 0x10
scheme-halg:
value: (null)
raw: 0x0
sym-alg:
value: aes
raw: 0x6
sym-mode:
value: cfb
raw: 0x43
sym-keybits: 128
x: 9d41aaf83ed1ac37b5464dd23f400e33fc9e91887a84720dfd48575010bb3d55
y: a3cfe73f50896ed49bd2a726292b748157978cee3d1cf88a1b17d293d4b631f2
ral@archie:~$ tpm2_hierarchycontrol -C p ehEnable set
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
WARNING:esys:src/tss2-esys/api/Esys_HierarchyControl.c:311:Esys_HierarchyControl_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_HierarchyControl.c:104:Esys_HierarchyControl() Esys Finish ErrorCode (0x000009a2)
ERROR: Esys_HierarchyControl(0x9A2) - tpm:session(1):authorization failure without DA implications
ERROR: Failed hierarchycontrol operation.
ERROR: Unable to run tpm2_hierarchycontrol
ral@archie:~$ tss2_provision
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:241:Fapi_Provision_Async() ErrorCode (0x00060035) Profile P_ECCP256SHA256 was already provisioned.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:152:Fapi_Provision() ErrorCode (0x00060035) Provision
Fapi_Provision(0x60035) - fapi:Already provisioned
ral@archie:~$ tss2_list
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
/P_ECCP256SHA256/HE/EK:/P_ECCP256SHA256/HE:/P_ECCP256SHA256/HN:/P_ECCP256SHA256/HS/SRK:/P_ECCP256SHA256/HS:/P_ECCP256SHA256/LOCKOUTral@archie:~$
ral@archie:~$ tss2_createkey --path "/P_ECCP256SHA256/HS/SRK/test1" --type "noDa,sign"
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
New password:
Re-enter new password:
ERROR:fapi:src/tss2-fapi/fapi_util.c:1036:ifapi_load_primary_finish() ErrorCode (0x00060020) The persistent handle 0x81000001 does not exist. The TPM state and the keystore state do not match.
ERROR:fapi:src/tss2-fapi/fapi_util.c:1368:ifapi_get_sessions_finish() Load primary. ErrorCode (0x00060020)
ERROR:fapi:src/tss2-fapi/fapi_util.c:3359:ifapi_key_create() ErrorCode (0x00060020) FAPI create session
ERROR:fapi:src/tss2-fapi/api/Fapi_CreateKey.c:283:Fapi_CreateKey_Finish() Key create ErrorCode (0x00060020)
ERROR:fapi:src/tss2-fapi/api/Fapi_CreateKey.c:116:Fapi_CreateKey() ErrorCode (0x00060020) Key_Create
Fapi_CreateKey(0x60020) - fapi:The key was not found
ral@archie:~$ ls -lRa .local/share/tpm2-tss/
.local/share/tpm2-tss/:
total 12
drwxrwx--- 3 ral ral 4096 Apr 18 07:30 .
drwxr-xr-x 24 ral ral 4096 Apr 24 10:15 ..
drwxrwx--- 3 ral ral 4096 Apr 18 07:30 user
.local/share/tpm2-tss/user:
total 12
drwxrwx--- 3 ral ral 4096 Apr 18 07:30 .
drwxrwx--- 3 ral ral 4096 Apr 18 07:30 ..
drwxrwx--- 2 ral ral 4096 Apr 18 07:30 keystore
.local/share/tpm2-tss/user/keystore:
total 8
drwxrwx--- 2 ral ral 4096 Apr 18 07:30 .
drwxrwx--- 3 ral ral 4096 Apr 18 07:30 ..
ral@archie:~$ ls -lRa /usr/local/var/lib/tpm2-tss/system/keystore
/usr/local/var/lib/tpm2-tss/system/keystore:
total 16
drwxrwsr-x+ 4 tss tss 4096 Apr 24 09:28 .
drwxr-xr-x 3 root root 4096 Apr 18 07:17 ..
drwxrwsr-x+ 6 ral tss 4096 Apr 24 09:28 P_ECCP256SHA256
drwxrwsr-x+ 2 root tss 4096 Apr 18 07:30 policy
/usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256:
total 24
drwxrwsr-x+ 6 ral tss 4096 Apr 24 09:28 .
drwxrwsr-x+ 4 tss tss 4096 Apr 24 09:28 ..
drwxrwsr-x+ 3 ral tss 4096 Apr 24 09:28 HE
drwxrwsr-x+ 2 ral tss 4096 Apr 24 09:28 HN
drwxrwsr-x+ 3 ral tss 4096 Apr 24 09:28 HS
drwxrwsr-x+ 2 ral tss 4096 Apr 24 09:28 LOCKOUT
/usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256/HE:
total 16
drwxrwsr-x+ 3 ral tss 4096 Apr 24 09:28 .
drwxrwsr-x+ 6 ral tss 4096 Apr 24 09:28 ..
drwxrwsr-x+ 2 ral tss 4096 Apr 24 09:28 EK
-rw-rw-r--+ 1 ral tss 138 Apr 24 09:28 object.json
/usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256/HE/EK:
total 12
drwxrwsr-x+ 2 ral tss 4096 Apr 24 09:28 .
drwxrwsr-x+ 3 ral tss 4096 Apr 24 09:28 ..
-rw-rw-r--+ 1 ral tss 2399 Apr 24 09:28 object.json
/usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256/HN:
total 12
drwxrwsr-x+ 2 ral tss 4096 Apr 24 09:28 .
drwxrwsr-x+ 6 ral tss 4096 Apr 24 09:28 ..
-rw-rw-r--+ 1 ral tss 131 Apr 24 09:28 object.json
/usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256/HS:
total 16
drwxrwsr-x+ 3 ral tss 4096 Apr 24 09:28 .
drwxrwsr-x+ 6 ral tss 4096 Apr 24 09:28 ..
-rw-rw-r--+ 1 ral tss 132 Apr 24 09:28 object.json
drwxrwsr-x+ 2 ral tss 4096 Apr 24 09:28 SRK
/usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256/HS/SRK:
total 12
drwxrwsr-x+ 2 ral tss 4096 Apr 24 09:28 .
drwxrwsr-x+ 3 ral tss 4096 Apr 24 09:28 ..
-rw-rw-r--+ 1 ral tss 2069 Apr 24 09:28 object.json
/usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256/LOCKOUT:
total 12
drwxrwsr-x+ 2 ral tss 4096 Apr 24 09:28 .
drwxrwsr-x+ 6 ral tss 4096 Apr 24 09:28 ..
-rw-rw-r--+ 1 ral tss 134 Apr 24 09:28 object.json
/usr/local/var/lib/tpm2-tss/system/keystore/policy:
total 8
drwxrwsr-x+ 2 root tss 4096 Apr 18 07:30 .
drwxrwsr-x+ 4 tss tss 4096 Apr 24 09:28 ..
ral@archie:~$ rm -rf /usr/local/var/lib/tpm2-tss/system/keystore/P_ECCP256SHA256
ral@archie:~$ tss2_createkey --path "/P_ECCP256SHA256/HS/SRK/test1" --type "noDa,sign"
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
New password:
Re-enter new password:
ERROR:fapi:src/tss2-fapi/ifapi_keystore.c:515:rel_path_to_abs_path() ErrorCode (0x00060034) FAPI not provisioned for path: P_ECCP256SHA256/HS/SRK.
ERROR:fapi:src/tss2-fapi/ifapi_keystore.c:582:ifapi_keystore_load_async() ErrorCode (0x00060034) Object P_ECCP256SHA256/HS/SRK not found.
ERROR:fapi:src/tss2-fapi/fapi_util.c:847:ifapi_load_primary_async() ErrorCode (0x00060034) Could not open: P_ECCP256SHA256/HS/SRK
ERROR:fapi:src/tss2-fapi/fapi_util.c:1309:ifapi_get_sessions_async() ErrorCode (0x00060034) Load EK
ERROR:fapi:src/tss2-fapi/fapi_util.c:3351:ifapi_key_create() ErrorCode (0x00060034) Create sessions
WARNING:esys:src/tss2-esys/api/Esys_FlushContext.c:234:Esys_FlushContext_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:89:Esys_FlushContext() Esys Finish ErrorCode (0x000001c4)
ERROR:fapi:src/tss2-fapi/fapi_util.c:1150:ifapi_session_clean() Cleanup Policy Session failed.
ERROR:fapi:src/tss2-fapi/api/Fapi_CreateKey.c:283:Fapi_CreateKey_Finish() Key create ErrorCode (0x00060034)
ERROR:fapi:src/tss2-fapi/api/Fapi_CreateKey.c:116:Fapi_CreateKey() ErrorCode (0x00060034) Key_Create
Fapi_CreateKey(0x60034) - fapi:Provisioning was not executed.
ral@archie:~$ tss2_provision
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
ral@archie:~$ tss2_createkey --path "/P_ECCP256SHA256/HS/SRK/test1" --type "noDa,sign"
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
New password:
Re-enter new password:
ral@archie:~$ openssl dgst -sha256 -binary -out test1.bin cafl.tar
ral@archie:~$ ls -l test1*
-rw-rw-r-- 1 ral ral 32 Apr 24 10:51 test1.bin
ral@archie:~$ tss2_sign --keyPath "/P_ECCP256SHA256/HS/SRK/test1" --digest test1.bin --publicKey test1_pub.pem --signature test1-sig.bin
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
Authorize P_ECCP256SHA256/HS/SRK/test1 "":
ral@archie:~$ openssl dgst -verify test1_pub.pem -signature test1-sig.bin cafl.tar
Verified OK
@ral00 with:
tpm2_getcap properties-variable | grep ehEnable
you can see that the endorsement hierarchy is enabled. Thus tmp2_hierarchycontrol is not needed.
It would be nice to get the output of:
tpm2_getcap properties-fixed
Thank you for the help.
ral@archie:~$ tpm2_getcap properties-variable | grep ehEnable
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
ehEnable: 1
ral@archie:~$ tpm2_getcap properties-fixed
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
TPM2_PT_FAMILY_INDICATOR:
raw: 0x322E3000
value: "2.0"
TPM2_PT_LEVEL:
raw: 0
TPM2_PT_REVISION:
raw: 0x74
value: 1.16
TPM2_PT_DAY_OF_YEAR:
raw: 0xF
TPM2_PT_YEAR:
raw: 0x7E0
TPM2_PT_MANUFACTURER:
raw: 0x494E5443
value: "INTC"
TPM2_PT_VENDOR_STRING_1:
raw: 0x496E7465
value: "Inte"
TPM2_PT_VENDOR_STRING_2:
raw: 0x6C000000
value: "l"
TPM2_PT_VENDOR_STRING_3:
raw: 0x0
value: ""
TPM2_PT_VENDOR_STRING_4:
raw: 0x0
value: ""
TPM2_PT_VENDOR_TPM_TYPE:
raw: 0x0
TPM2_PT_FIRMWARE_VERSION_1:
raw: 0xB0006
TPM2_PT_FIRMWARE_VERSION_2:
raw: 0x461
TPM2_PT_INPUT_BUFFER:
raw: 0x400
TPM2_PT_HR_TRANSIENT_MIN:
raw: 0x3
TPM2_PT_HR_PERSISTENT_MIN:
raw: 0x7
TPM2_PT_HR_LOADED_MIN:
raw: 0x3
TPM2_PT_ACTIVE_SESSIONS_MAX:
raw: 0x40
TPM2_PT_PCR_COUNT:
raw: 0x18
TPM2_PT_PCR_SELECT_MIN:
raw: 0x3
TPM2_PT_CONTEXT_GAP_MAX:
raw: 0xFFFF
TPM2_PT_NV_COUNTERS_MAX:
raw: 0x10
TPM2_PT_NV_INDEX_MAX:
raw: 0x800
TPM2_PT_MEMORY:
raw: 0x6
TPM2_PT_CLOCK_UPDATE:
raw: 0x1000
TPM2_PT_CONTEXT_HASH:
raw: 0xB
TPM2_PT_CONTEXT_SYM:
raw: 0x6
TPM2_PT_CONTEXT_SYM_SIZE:
raw: 0x80
TPM2_PT_ORDERLY_COUNT:
raw: 0xFF
TPM2_PT_MAX_COMMAND_SIZE:
raw: 0xF80
TPM2_PT_MAX_RESPONSE_SIZE:
raw: 0xF80
TPM2_PT_MAX_DIGEST:
raw: 0x20
TPM2_PT_MAX_OBJECT_CONTEXT:
raw: 0x3A0
TPM2_PT_MAX_SESSION_CONTEXT:
raw: 0xF0
TPM2_PT_PS_FAMILY_INDICATOR:
raw: 0x1
TPM2_PT_PS_LEVEL:
raw: 0x0
TPM2_PT_PS_REVISION:
raw: 0x100
TPM2_PT_PS_DAY_OF_YEAR:
raw: 0x0
TPM2_PT_PS_YEAR:
raw: 0x0
TPM2_PT_SPLIT_MAX:
raw: 0x80
TPM2_PT_TOTAL_COMMANDS:
raw: 0x5F
TPM2_PT_LIBRARY_COMMANDS:
raw: 0x5F
TPM2_PT_VENDOR_COMMANDS:
raw: 0x0
TPM2_PT_NV_BUFFER_MAX:
raw: 0x800
ral@archie:~$
@ral00 @williamcroberts With this Intel TPM the download of the Intel certificate failed. Only sha1 was available on the TPM and the public key of the EK was hashed with sha256 to compute the URL. Should perhaps sha1 used to compute the URL? Any idea? P.S. The computed URL was: https://ekop.intel.com/ekcertservice/Eny1GbQ2qCcfj-6s5wjAYdWlUgzW6wjEN4fxZXsCBlY%3D
@JuergenReppSIT Intel TPM, all versions, support sha256. Can you share the EKpublic?
@idesai All the information @JuergenReppSIT has requested is in this ticket. If there's anything you need me to do please just let me know.
How was the value Eny1GbQ2qCcfj-6s5wjAYdWlUgzW6wjEN4fxZXsCBlY%3D calculated?
Can you email me the output from tpm2_createek -c ek.ctx -G rsa -u ek.pub?
ral@archie:~$ tpm2_createek -c ek.ctx -G rsa -u ek.pub
info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device
ral@archie:~$ cat ek.pub
US#ral@archie:~$ od -x ek.pub
0000000 3a01 0100 0b00 0300 b200 2000 7183 6797
0000020 8444 f8b3 901a 8dcc a546 24d7 52fd 6ed7
0000040 5206 640b a1f2 1bda 1433 aa69 0600 8000
0000060 4300 1000 0008 0000 0000 0001 5698 a67b
0000100 a251 b85e b8f2 c84b f996 4fbe 8724 15ba
0000120 3166 8e86 6a8e 9ca6 e509 9a00 966a 29f6
0000140 2217 f8d1 8a07 08b5 d222 4ce2 28b7 8191
0000160 ca39 be6c e321 8b5d 5abd 93b7 a52d 3850
0000200 09a1 ee34 cf90 31fd 4414 fc18 9e7a 6653
0000220 672c f11b 7479 b2a0 1b64 8c08 e50d 4efa
0000240 85d6 30a1 7880 92a6 e970 b2cc 9de8 4518
0000260 0885 eeb9 4013 4d8d 16b5 bbdb 9756 e826
0000300 e31c 20c8 1914 1eb6 dc9d 7003 7cae ae14
0000320 538d afb6 af35 68d0 e253 a5a3 02e3 3fb6
0000340 530d cdb6 7936 749e acb0 49bf 39b0 21fb
0000360 30c7 038e 4b7b f2f0 b703 8402 d352 7aea
0000400 d20f 07d9 2de5 099e cc44 9ac9 d84c 5d97
0000420 0471 e8fd b496 8d52 56e0 189e 046c 52ac
0000440 0e3a 4a57 897e 844f c641 94d2 84ec 873f
0000460 0bbc 15b2 5762 550d 5305 2384
0000474
ral@archie:~$
ral@archie:~$ od -x ek.ctx
0000000 dcba dec0 0000 0100 0040 0b00 0080 0000
0000020 0000 0000 0000 1300 fe04 0000 0000 8e03
0000040 2000 ac9f 8a46 56f8 6a82 bd81 3072 dded
0000060 fe9d 77e2 3e9b 43de 5796 0467 e43e a026
0000100 3629 f292 815b 112f 88d6 2611 2a5a 91f3
0000120 c0a8 19a7 5872 72f4 b87c c241 38bb 2f64
0000140 2cd1 e0e8 59e6 957c 0d32 cd88 ca81 fc7e
0000160 cd62 98bd 095b a425 e49d dbd6 d568 60f3
0000200 3469 4bd3 2aaa 887e ac65 f4e0 f5f2 1cab
0000220 a11b 04a8 cfe2 e5c1 b78c 04bb 4912 80e0
0000240 bccf 333c 7fbe 24c1 06cb 1b87 299b 1987
0000260 56ad 15f7 9a4f e7c5 e4d5 2f85 225b fbbe
0000300 f063 4af3 8e40 b527 4f41 7fb1 c71b b031
0000320 8626 ed51 7c4c a3dd 09ef 73c0 57d2 82e6
0000340 c21a 9a94 eab6 e217 e6dc b0d2 fe4a b53e
0000360 4142 d9ba 7652 9cd7 100e ee27 8581 2d6f
0000400 71de ca14 2785 2886 18e4 b9ef 2d2f 6d5a
0000420 a656 cc8b cb41 0b84 1b7e 60af 1e84 95f5
0000440 0d0f f9bf ac0f bcf9 f340 b394 2abb 75a8
0000460 87a7 36aa a159 ade3 7207 63fb e4f7 153f
0000500 da19 54d0 9d36 39a8 5184 aff9 df8d 9240
0000520 0cd3 4e56 9cbc a0ee c9b7 bc71 d09a b5ce
0000540 87d0 d898 be62 0381 99f5 4f44 09d8 cc6a
0000560 1490 7972 0699 8f87 845a 442b 1cd4 8dd2
0000600 76c1 bdd1 d7a7 9e53 6b25 56f3 7f43 f930
0000620 28b8 a7eb 112c 8798 c2c3 f5e7 e4dc b5f2
0000640 036a 98db f2ff ae1a 409e 979e b05a 2734
0000660 b9cf 74cc dced 3237 bd91 faf4 efc8 d308
0000700 1e98 9bf6 f577 a440 dbd8 589e c91c 1b00
0000720 cca9 6c74 8773 8f2b 0621 165a 3d79 5ac0
0000740 3307 eb48 e226 aba8 1201 ec7d a451 406d
0000760 bd77 0004 8a25 38d9 5e20 d136 10f7 fbfc
0001000 3930 c78a 7d5b f5c8 917f 55d3 1f6c 6706
0001020 89ef 2425 4a85 a4e2 2211 f553 efe7 8c32
0001040 bf35 24a8 4997 a834 eb4d 9a20 036a 2cc8
0001060 99fb 588f 8036 4b47 e9a2 21cf c8b1 c9e4
0001100 90cc 4995 065c 1bd6 0f49 2ec1 3613 fa12
0001120 a5a7 c193 d853 a790 29bb ea74 928f bdc5
0001140 8100 65e7 dbf6 93ab 097c 83e9 5699 7792
0001160 c893 d735 b3de 48d3 d69b 6928 778b f9c6
0001200 944a c57c 89b6 2373 fc92 fdb7 d54e 454c
0001220 8d0a 7eb0 8ce9 0d9a bab6 6c8b 8bf0 7781
0001240 f27c f0fb dae7 bac0 478e bca6 91cd b8dd
0001260 4c44 0255 7789 48be f6e5 bad3 1e17 2d81
0001300 0ac9 7b68 3554 dd0b 5142 8013 5d2a f043
0001320 6e30 858a f45c e382 fbcc 9d72 c662 6f6f
0001340 bd64 85a1 b2e6 2822 92b3 d53a f017 0b42
0001360 ca01 aa36 3fa5 6e26 ebde a6d4 e679 1342
0001400 ac9b 861a a248 d4bf 943b 5f9a 2320 680d
0001420 30be f1c7 8e01 fdc1 b2cc 0412 5891 4f1a
0001440 c630 c840 e2d0 563e b027 41c3 f8b3 e338
0001460 b049 11ab bb06 227e f4e9 a037 d0c8 587e
0001500 f348 acfb 6e51 cf24 1334 6c05 9df7 3569
0001520 8673 4ea5 9d5c eb39 2b35 4ee1 432d c7f3
0001540 d9e2 76ec 1626 8522 e4aa a15a 21d9 21e9
0001560 bf1b 8fca 20c1 ef1d 77ba 834e 514e 2dbd
0001600 f719 a80c 9d3c 2d95 0e52 0648 e6f2 b87e
0001620 a7fd eae5 12d2 ee37 2e4b 3903 8901 2de4
0001640 c816 3e4e 0b8b de97 6d77 d07e cdba 0000
0001660 ff80 ffff 2200 0b00 20cc b70c 00e4 a573
0001700 47df 8d02 b4a5 55b3 37ad 9300 987f 839d
0001720 be1e 789b e07e faa8 0000 0100 3a01 0100
0001740 0b00 0300 b200 2000 7183 6797 8444 f8b3
0001760 901a 8dcc a546 24d7 52fd 6ed7 5206 640b
0002000 a1f2 1bda 1433 aa69 0600 8000 4300 1000
0002020 0008 0000 0000 0001 5698 a67b a251 b85e
0002040 b8f2 c84b f996 4fbe 8724 15ba 3166 8e86
0002060 6a8e 9ca6 e509 9a00 966a 29f6 2217 f8d1
0002100 8a07 08b5 d222 4ce2 28b7 8191 ca39 be6c
0002120 e321 8b5d 5abd 93b7 a52d 3850 09a1 ee34
0002140 cf90 31fd 4414 fc18 9e7a 6653 672c f11b
0002160 7479 b2a0 1b64 8c08 e50d 4efa 85d6 30a1
0002200 7880 92a6 e970 b2cc 9de8 4518 0885 eeb9
0002220 4013 4d8d 16b5 bbdb 9756 e826 e31c 20c8
0002240 1914 1eb6 dc9d 7003 7cae ae14 538d afb6
0002260 af35 68d0 e253 a5a3 02e3 3fb6 530d cdb6
0002300 7936 749e acb0 49bf 39b0 21fb 30c7 038e
0002320 4b7b f2f0 b703 8402 d352 7aea d20f 07d9
0002340 2de5 099e cc44 9ac9 d84c 5d97 0471 e8fd
0002360 b496 8d52 56e0 189e 046c 52ac 0e3a 4a57
0002400 897e 844f c641 94d2 84ec 873f 0bbc 15b2
0002420 5762 550d 5305 2384
0002430
ral@archie:~$
As for your question about the URL calculation, sorry, @JuergenReppSIT will have to answer, I don't know.
ral@archie:~$ tpm2_createek -c ek.ctx -G rsa -u ek.pub info:tcti:src/tss2-tcti/tctildr.c:125:tcti_from_info() Initialized TCTI named: tcti-device ral@archie:~$ cat ek.pub U�S#ral@archie:~$ od -x ek.pub 0000000 3a01 0100 0b00 0300 b200 2000 7183 6797 0000020 8444 f8b3 901a 8dcc a546 24d7 52fd 6ed7 0000040 5206 640b a1f2 1bda 1433 aa69 0600 8000 0000060 4300 1000 0008 0000 0000 0001 5698 a67b 0000100 a251 b85e b8f2 c84b f996 4fbe 8724 15ba 0000120 3166 8e86 6a8e 9ca6 e509 9a00 966a 29f6 0000140 2217 f8d1 8a07 08b5 d222 4ce2 28b7 8191 0000160 ca39 be6c e321 8b5d 5abd 93b7 a52d 3850 0000200 09a1 ee34 cf90 31fd 4414 fc18 9e7a 6653 0000220 672c f11b 7479 b2a0 1b64 8c08 e50d 4efa 0000240 85d6 30a1 7880 92a6 e970 b2cc 9de8 4518 0000260 0885 eeb9 4013 4d8d 16b5 bbdb 9756 e826 0000300 e31c 20c8 1914 1eb6 dc9d 7003 7cae ae14 0000320 538d afb6 af35 68d0 e253 a5a3 02e3 3fb6 0000340 530d cdb6 7936 749e acb0 49bf 39b0 21fb 0000360 30c7 038e 4b7b f2f0 b703 8402 d352 7aea 0000400 d20f 07d9 2de5 099e cc44 9ac9 d84c 5d97 0000420 0471 e8fd b496 8d52 56e0 189e 046c 52ac 0000440 0e3a 4a57 897e 844f c641 94d2 84ec 873f 0000460 0bbc 15b2 5762 550d 5305 2384 0000474 ral@archie:~$
Can you output as bytes with xxd -p ek.pub
ral@archie:~$ xxd -p ek.pub
013a0001000b000300b20020837197674484b3f81a90cc8d46a5d724fd52
d76e06520b64f2a1da1b331469aa00060080004300100800000000000100
98567ba651a25eb8f2b84bc896f9be4f2487ba156631868e8e6aa69c09e5
009a6a96f6291722d1f8078ab50822d2e24cb728918139ca6cbe21e35d8b
bd5ab7932da55038a10934ee90cffd31144418fc7a9e53662c671bf17974
a0b2641b088c0de5fa4ed685a1308078a69270e9ccb2e89d18458508b9ee
13408d4db516dbbb569726e81ce3c8201419b61e9ddc0370ae7c14ae8d53
b6af35afd06853e2a3a5e302b63f0d53b6cd36799e74b0acbf49b039fb21
c7308e037b4bf0f203b7028452d3ea7a0fd2d907e52d9e0944ccc99a4cd8
975d7104fde896b4528de0569e186c04ac523a0e574a7e894f8441c6d294
ec843f87bc0bb21562570d5505538423
ral@archie:~$
How was the value Eny1GbQ2qCcfj-6s5wjAYdWlUgzW6wjEN4fxZXsCBlY%3D calculated?
The URL was computed in: https://github.com/tpm2-software/tpm2-tss/blob/912acd8b8aeba79f7d284112802e42c383c0ccc9/src/tss2-fapi/ifapi_get_intl_cert.c#L322
- First the sha256 hash of the ek public was computed.
- The base64 data for this has was computed.
- The base64 data was added to theURL