Topic: MakeCredential/ActivateCredential Using EK

Hello,

I am working with wolfTPM to perform remote attestation. I ran the "Remote Attestation Examples" provided and it worked. But in my use case I'm working with the EK instead of the SRK (which is the key used in the examples). I had success using MakeCredential with the EK handle, but no success solving the challenge using ActivateCredential and the EK handle. The response code returned is TPM_RC_AUTH_UNAVAILABLE; more specifically, this is the message returned:

TPM2_ActivateCredentials failed 0x12f: TPM_RC_AUTH_UNAVAILABLE: The authValue or authPolicy is not available for selected entity

Here is a code snippet just to make it clearer. I tried to modify the code to guarantee the authorization for the EK handle, but without success. Do you have any idea how to solve this problem?

    /* Activate Credential command */
    /* Restrict the policy session so that it only authorizes TPM2_ActivateCredential */
    XMEMSET(&cmdIn.policyCommandCode, 0, sizeof(cmdIn.policyCommandCode));
    cmdIn.policyCommandCode.policySession = tpmSession.handle.hndl;
    cmdIn.policyCommandCode.code = TPM_CC_ActivateCredential;
    rc = TPM2_PolicyCommandCode(&cmdIn.policyCommandCode);
    if (rc != TPM_RC_SUCCESS) {
        printf("policyCommandCode failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
        goto exit;
    }
    printf("TPM2_policyCommandCode success\n"); /* No command response payload */

    /* Prepare Key Auths in correct order for ActivateCredential:
     * index 0 authorizes activateHandle (the AK),
     * index 1 authorizes keyHandle (the EK instead of the SRK) */
    wolfTPM2_SetAuthHandle(&dev, 0, &akKey.handle);
    //wolfTPM2_SetAuthHandle(&dev, 1, &storage.handle);
    wolfTPM2_SetAuthHandle(&dev, 1, &endorse.handle);

    /* Prepare the Activate Credential command */
    XMEMSET(&cmdIn.activCred, 0, sizeof(cmdIn.activCred));
    XMEMSET(&cmdOut.activCred, 0, sizeof(cmdOut.activCred));
    cmdIn.activCred.activateHandle = akKey.handle.hndl; /* AK whose Name was bound into the credential */
    cmdIn.activCred.keyHandle = endorse.handle.hndl;    /* EK that can decrypt the secret */

    /* Read credential from server response (fills credentialBlob and secret) */
    decodeChallengeFromServerUsingEK(&cmdIn.activCred);
    printf("Read credential and secret from Server response\n");

    /* All required data to verify the credential is prepared */
    rc = TPM2_ActivateCredential(&cmdIn.activCred, &cmdOut.activCred);
    if (rc != TPM_RC_SUCCESS) {
        printf("TPM2_ActivateCredentials failed 0x%x: %s\n", rc,
            TPM2_GetRCString(rc));
        goto exit;
    }
    printf("TPM2_ActivateCredential success\n");
    /* certInfo holds the recovered credential, to be sent back to the server */
    TPM2_PrintBin(cmdOut.activCred.certInfo.buffer, cmdOut.activCred.certInfo.size);

Thanks in advance,
Messias Filho

(edited by dimitom 2021-06-15 05:09:56)

Re: MakeCredential/ActivateCredential Using EK

Hi Messias,

Thank you for reaching out. We can offer a solution.

To use the EK, the TPM requires a Policy Session with Endorsement Auth. This is done using the TPM2_PolicySecret command.

I will try to add an example code for using the EK with Make/ActivateCredential later this week.

In the meantime, you could also try the command in your code.

Let us know if you have more questions.

Thanks,
Dimi

Dimi Tomov,
wolfSSL Engineer and Founder of TPM.dev
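To make the point above concrete, here is an added host-side example (not wolfTPM code and not part of this thread) that derives the authorization policy baked into the default EK template. The TPM extends a policy session's digest with every policy command it runs, and TPM2_ActivateCredential on the EK only succeeds when that digest equals the EK's authPolicy. The default EK template (TCG EK Credential Profile) sets authPolicy to the digest produced by a single TPM2_PolicySecret against TPM_RH_ENDORSEMENT, so a session that ran only TPM2_PolicyCommandCode ends with a different digest and the EK's policy is never satisfied. Constants below are the TPM 2.0 spec values; the well-known SHA-256 EK policy digest is compared at the end.

```python
"""Reproduce the TPM 2.0 policy-digest update rules on the host and derive
the default Endorsement Key authPolicy.

Added example for illustration; it is not wolfTPM code. It needs only the
Python standard library and no TPM.
"""
import hashlib

# Command codes and permanent handles from TPM 2.0 Part 2 (Structures).
TPM_CC_ActivateCredential = 0x00000147
TPM_CC_PolicySecret = 0x00000151
TPM_CC_PolicyCommandCode = 0x0000016C
TPM_RH_ENDORSEMENT = 0x4000000B

# Well-known authPolicy of the default SHA-256 EK template
# (TCG EK Credential Profile, "Policy A"): PolicySecret(TPM_RH_ENDORSEMENT).
DEFAULT_EK_POLICY_SHA256 = bytes.fromhex(
    "837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa"
)


def _h(hashalg, *parts):
    """Hash the concatenation of parts with the session hash algorithm."""
    return hashlib.new(hashalg, b"".join(parts)).digest()


def empty_policy(hashalg="sha256"):
    """A freshly started policy session has an all-zero policyDigest."""
    return bytes(hashlib.new(hashalg).digest_size)


def name_of_permanent_handle(handle):
    """The Name of a permanent handle (e.g. TPM_RH_ENDORSEMENT) is the
    4-byte big-endian handle itself (TPM 2.0 Part 1, "Names")."""
    return handle.to_bytes(4, "big")


def policy_update(policy_digest, command_code, name, policy_ref, hashalg="sha256"):
    """PolicyUpdate() from TPM 2.0 Part 3:
    new = H(old || commandCode || name); new = H(new || policyRef).
    The second step runs even when policyRef is empty."""
    step1 = _h(hashalg, policy_digest, command_code.to_bytes(4, "big"), name)
    return _h(hashalg, step1, policy_ref)


def policy_secret(policy_digest, auth_handle, policy_ref=b"", hashalg="sha256"):
    """Digest effect of TPM2_PolicySecret(authHandle) on a policy session.
    The TPM also checks the authValue of auth_handle (here: endorsement auth),
    but that check does not change the digest."""
    name = name_of_permanent_handle(auth_handle)
    return policy_update(policy_digest, TPM_CC_PolicySecret, name, policy_ref, hashalg)


def policy_command_code(policy_digest, code, hashalg="sha256"):
    """Digest effect of TPM2_PolicyCommandCode(code):
    new = H(old || TPM_CC_PolicyCommandCode || code)."""
    return _h(hashalg, policy_digest,
              TPM_CC_PolicyCommandCode.to_bytes(4, "big"),
              code.to_bytes(4, "big"))


def default_ek_policy(hashalg="sha256"):
    """authPolicy of the default EK template for the given hash algorithm."""
    return policy_secret(empty_policy(hashalg), TPM_RH_ENDORSEMENT, hashalg=hashalg)


def session_can_authorize_default_ek(session_digest):
    """True only if the session digest equals the EK's authPolicy; anything
    else is rejected by the TPM when the EK is used as keyHandle."""
    return session_digest == DEFAULT_EK_POLICY_SHA256


if __name__ == "__main__":
    # Session as in the original post: only PolicyCommandCode was run.
    only_cc = policy_command_code(empty_policy(), TPM_CC_ActivateCredential)
    # Session as recommended: PolicySecret against the Endorsement hierarchy.
    with_secret = default_ek_policy()
    print("PolicyCommandCode only :", only_cc.hex(),
          "ok" if session_can_authorize_default_ek(only_cc) else "rejected")
    print("PolicySecret(endorsement):", with_secret.hex(),
          "ok" if session_can_authorize_default_ek(with_secret) else "rejected")
```

The practical consequence: start a policy session, run TPM2_PolicySecret with authHandle = TPM_RH_ENDORSEMENT (supplying the endorsement hierarchy authValue for that handle), and only then use that session as the authorization for keyHandle in TPM2_ActivateCredential. PolicyCommandCode is optional hardening on top; on its own it cannot satisfy the EK's policy.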

Re: MakeCredential/ActivateCredential Using EK

Hi Dimi,

Thanks for your help and attention. I started making the changes indicated but got a different response code (TPM_RC_BAD_AUTH: Authorization failure without DA implications). If you can provide a new example showing the use case using the EK, that would be great. In the meantime I will continue working on these modifications and hope to be able to use the commands correctly.

Thanks,
Messias Filho

Re: MakeCredential/ActivateCredential Using EK

Hi Messias,

Our new wolfTPM version 2.2.0 has a fix for this error and improved attestation examples.

https://github.com/wolfSSL/wolfTPM/releases/tag/v2.2.0

Make/ActivateCredential examples can now work with EK using the new "-eh" option.

Please find example output below:

dimitartomov@Dimitars-MacBook-Pro wolfTPM % ./examples/keygen/keygen -eh
TPM2.0 Key generation example
    Key Blob: keyblob.bin
    Algorithm: RSA
    Template: AIK
    Use Parameter Encryption: NULL
RSA AIK template
Creating new RSA key...
New key created and loaded (pub 280, priv 222 bytes)
Wrote 508 bytes to keyblob.bin
Wrote 320 bytes to ek.pub
Wrote AK Name digest


dimitartomov@Dimitars-MacBook-Pro wolfTPM % ./examples/attestation/make_credential -eh
Using keys under the Endorsement Hierarchy
Demo how to create a credential challenge for remote attestation
Credential will be stored in cred.blob
wolfTPM2_Init: success
Reading 320 bytes from ek.pub
Reading the private part of the key
Public key for encryption loaded
Read AK Name digest
TPM2_MakeCredential success
Wrote credential blob and secret to cred.blob, 648 bytes


dimitartomov@Dimitars-MacBook-Pro wolfTPM % ./examples/attestation/activate_credential -eh
Use Endorsement Key
Demo how to create a credential blob for remote attestation
wolfTPM2_Init: success
Credential will be read from cred.blob
EK loaded
Reading 508 bytes from keyblob.bin
Reading the private part of the key
AK loaded at 0x80000001
Read credential blob and secret from cred.blob, 648 bytes
TPM2_ActivateCredential success

Dimi Tomov,
wolfSSL Engineer and Founder of TPM.dev

Re: MakeCredential/ActivateCredential Using EK

Hi Dimi,

Thank you for your help! I'll check this new version and examples.

Cheers,
Messias