Comments (5)
chrisfenner
commented on August 15, 2024
My hazy recollection of the TPM spec is 2 things:
- Some TPMs won't let you make a "general purpose" (signing + decryption) RSA key, and will return E_NOTFIPS TPM response code because it's in FIPS mode and FIPS says don't do that.
- If you do make a "general purpose" key, you may need to specify both a signing and decryption scheme on the key (otherwise, you can fake a signature by doing a textbook no-padding decryption over hand-padded data)
from go-tpm.
lihanshang
commented on August 15, 2024
@chrisfenner
This for the reply:
- I am testing it on the simulator from go-tpm-tools. Not sure if this is an issue.
- Do you mean plus the Sign schema I will need to add the decryption schema in the template like this:
defaultKeyParams = tpm2.Public{ Type: tpm2.AlgRSA, NameAlg: tpm2.AlgSHA256, Attributes: tpm2.FlagDecrypt| tpm2.FlagSign | tpm2.FlagFixedTPM | tpm2.FlagFixedParent | tpm2.FlagSensitiveDataOrigin | tpm2.FlagUserWithAuth, RSAParameters: &tpm2.RSAParams{ Sign: &tpm2.SigScheme{ Alg: tpm2.AlgRSASSA, Hash: tpm2.AlgSHA256, }, Decryption: {.....}, KeyBits: 2048, }, }
which I dont see an Decrytion scheme actually. Is there an example for that ?
Should I try Symmetric: &SymScheme{ Alg: AlgAES, KeyBits: 128, Mode: AlgCFB, }, as the RSA parameter?
Thanks
from go-tpm.
chrisfenner
commented on August 15, 2024
Sorry for my bad memory. It's the opposite: you can't specify a scheme for a "general purpose" key. Here's what the spec says about the scheme:
TPMS_RSA_PARMS
scheme.scheme shall be: for an unrestricted signing key, either TPM_ALG_RSAPSS TPM_ALG_RSASSA or TPM_ALG_NULL
for a restricted signing key, either TPM_ALG_RSAPSS or TPM_ALG_RSASSA
for an unrestricted decryption key, TPM_ALG_RSAES, TPM_ALG_OAEP, or TPM_ALG_NULL unless the object also has the sign attribute
for a restricted decryption key, TPM_ALG_NULL
NOTE When both sign and decrypt are SET, restricted shall be CLEAR and scheme shall be TPM_ALG_NULL.
go-tpm reflects TPMS_RSA_PARMS imperfectly (filed #244), where we only support setting signature schemes on scheme (as Sign)
Lines 204 to 210 in d331077
Does it work if you take out Sign: ... altogether? You can still sign using whatever scheme you want, by passing the scheme to the Sign command in sigScheme.
Line 1703 in d331077
from go-tpm.
lihanshang
commented on August 15, 2024
Thank you very much @chrisfenner. Above method works!
from go-tpm.
chrisfenner
commented on August 15, 2024
I'm so glad to have helped, @lihanshang! Closing this since I opened #244 to track the underlying issue with the library that I think led to trouble. Please re-open if you think there is another issue that is not tracked.
from go-tpm.
Related Issues (20)
- reduce repetitive, nested structs by proving a defaults package HOT 1
- support passing []byte as TPM2B HOT 2
- Add a Compare function
- Load TSS2 Private Key generated with tpm2tss-genkey HOT 2
- Inconsistency between written and read values when accessing PCR HOT 3
- reduce unnecessary overhead of Tbsi_Get_TCG_Log HOT 1
- Missing ExtraData in Quote
- Use `crypto/ecdh` for tpmdirect HOT 5
- Darwin ? HOT 1
- EvictControl missing from new tpm2 HOT 10
- Consider an UnmarshalReader API for types
- HMAC Session not working HOT 2
- Support As(TPMRC) for format-1 errors.
- Support serialization of persistent handles HOT 1
- Support for RSAEncrypt and RSADecrypt commands HOT 1
- TPM Simulator reporting unrecognised command over socket
- Implement TPM2_HMAC_Start
- New Releases ?! HOT 7
- missing Name for 'SignHandle' parameter HOT 2
- cmdAuths not respecting auth value HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from go-tpm.