I'm trying to save a small amount of data in the TPM2 across power cycles, so that this small string is tied to one specific machine. Here is what I have working.
# put data in file that is to be sealed
echo "my sealed data" > seal.dat
# create a primary key
tpm2_createprimary -c primary.ctx
# create a child key in public and private parts
tpm2_create -C primary.ctx -u obj.pub -r obj.priv
# create a sealed object
tpm2_create -C primary.ctx -i seal.dat -u obj.pub -r obj.priv
# load the private and public portions into the TPM
tpm2_load -C primary.ctx -u obj.pub -r obj.priv -c key.ctx
# unseal the data
tpm2_unseal -c key.ctx
But after a power cycle if I enter: 'tpm2_unseal -c key.ctx' I get the following error:
WARNING:esys:src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x000001df)
ERROR: Esys_ContextLoad(0x1DF) - tpm:parameter(1):integrity check failed
ERROR: Invalid item handle authorization
ERROR: Unable to run tpm2_unseal
I am using the tpm_server (emulator) if that makes any difference.
So what is the best way to load a small string into the tpm2 and have power loss persistence?
You forgot one command that persists the information in the TPM: tpm2_evictcontrol. In the example below the value is persisted to the persistent handle 0x81010001.
The persisted value can be removed by calling
There is a nice explanation involving also PCR policies here.
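The full round trip the answer describes, written out as an added example (this is not code from the question or the answer): seal the string, persist the loaded object with tpm2_evictcontrol at the handle 0x81010001 named above so it survives a TPM reset, unseal it afterwards through that handle alone, and remove it again. It assumes tpm2-tools 4.x or later syntax, an empty owner-hierarchy password, and a TCTI already pointed at the TPM (for tpm_server, e.g. `TPM2TOOLS_TCTI=mssim`); the file names and the helper functions are constructed for this example. The `key.ctx` file from the question is a saved context, which the TPM encrypts with a key it regenerates on reset; that is why loading it after a power cycle fails with an integrity error, and why the object has to be made persistent instead.

```shell
#!/bin/sh
# Added example: persist a sealed object so it survives TPM reset.
# Assumes tpm2-tools >= 4.x, empty owner auth, TCTI configured in the environment.

PERSIST_HANDLE=0x81010001   # persistent handle used in the answer

# Persistent handles occupy the range 0x81000000-0x81FFFFFF (handle type 0x81);
# tpm2_evictcontrol rejects anything outside it, so check first. Returns 0 if valid.
is_persistent_handle() {
    case "$1" in
        0x81[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Seal the short string $2 and persist the sealed object at handle $1.
seal_and_persist() {
    handle="$1"; secret="$2"
    is_persistent_handle "$handle" || { echo "not a persistent handle: $handle" >&2; return 1; }
    printf '%s' "$secret" > seal.dat
    tpm2_createprimary -C o -c primary.ctx
    tpm2_create -C primary.ctx -i seal.dat -u obj.pub -r obj.priv
    tpm2_load -C primary.ctx -u obj.pub -r obj.priv -c key.ctx
    # The step missing from the question: copy the transient object into the
    # TPM's persistent storage under the owner hierarchy. After this, key.ctx
    # is no longer needed and would not load after a reset anyway.
    tpm2_evictcontrol -C o -c key.ctx "$handle"
    rm -f seal.dat            # do not leave the plaintext on disk
}

# After a power cycle no context files are required: unseal straight from the handle.
unseal_persistent() {
    tpm2_unseal -c "$1"
}

# Passing the persistent handle itself as -c (with no new handle) evicts the object.
remove_persistent() {
    tpm2_evictcontrol -C o -c "$1"
}

# Run the round trip only where tpm2-tools are installed; otherwise just define the helpers.
if command -v tpm2_evictcontrol >/dev/null 2>&1; then
    seal_and_persist "$PERSIST_HANDLE" "my sealed data"
    unseal_persistent "$PERSIST_HANDLE"
    remove_persistent "$PERSIST_HANDLE"
fi
```

As written the sealed object has no auth value and no policy, so any process that can talk to the TPM can run `tpm2_unseal -c 0x81010001`; the persistent handle binds the secret to the TPM, not to a particular caller or boot state. The PCR policy the answer refers to (`-L` on tpm2_create, `-p pcr:...` on tpm2_unseal) is what ties unsealing to a measured boot state.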