From ContextSave():
First I created the template, then created the signing key. Then I used MethodB()
to save the context and marshal it to a file.

From ContextLoad():
I unmarshal the file, then:

var keyTemplate = new TpmPublic(TpmAlgId.Sha1, // Name algorithm
    ObjectAttr.UserWithAuth | ObjectAttr.Sign | // Signing key
    ObjectAttr.FixedParent | ObjectAttr.FixedTPM | // Non-migratable
    ObjectAttr.SensitiveDataOrigin,
    null, // No policy
    new RsaParms(new SymDefObject(),
        new SchemeRsassa(TpmAlgId.Sha1), 2048, 0),
    new Tpm2bPublicKeyRsa());
TpmHandle keyHandle = tpm[ownerAuth].CreatePrimary(
    TpmRh.Owner, // In the owner-hierarchy
    new SensitiveCreate(keyAuth, null), // With this auth-value
    keyTemplate, // Describes key
    null, // Extra data for creation ticket
    new PcrSelection[0], // Non-PCR-bound
    out keyPublic, // PubKey and attributes
    out creationData, out creationHash, out creationTicket); // Not used here

The integrity check fails here. What am I doing wrong?
I created the signing key like this:

using System;
using System.IO;
using Tpm2Lib;

// tpm_host and tpm_port are fields of the enclosing class (not shown in the post).
public static void MethodA()
{
    try
    {
        Tpm2Device tpmDevice = new TcpTpmDevice(tpm_host, tpm_port);
        //Tpm2Device tpmDevice = new TbsDevice();
        tpmDevice.Connect();
        var tpm = new Tpm2(tpmDevice);
        if (tpmDevice is TcpTpmDevice)
        {
            tpmDevice.PowerCycle();
            tpm.Startup(Su.Clear);
        }
        //
        // The TPM needs a template that describes the parameters of the key
        // or other object to be created. The template below instructs the TPM
        // to create a new 2048-bit non-migratable signing key.
        //
        var keyTemplate = new TpmPublic(TpmAlgId.Sha1, // Name algorithm
            ObjectAttr.UserWithAuth | ObjectAttr.Sign | // Signing key
            ObjectAttr.FixedParent | ObjectAttr.FixedTPM | // Non-migratable
            ObjectAttr.SensitiveDataOrigin,
            null, // No policy
            new RsaParms(new SymDefObject(),
                new SchemeRsassa(TpmAlgId.Sha1), 2048, 0),
            new Tpm2bPublicKeyRsa());
        //
        // AuthValue encapsulates an authorization value: essentially a byte-array.
        // OwnerAuth is the owner authorization value of the TPM-under-test. We
        // assume that it (and other) auths are set to the default (null) value.
        // If running on a real TPM, which has been provisioned by Windows, this
        // value will be different. An administrator can retrieve the owner
        // authorization value from the registry.
        //
        var ownerAuth = new AuthValue(); // must be declared: it is used in CreatePrimary below
        //
        // Authorization for the key we are about to create.
        //
        var keyAuth = new byte[] { 1, 2, 3 };
        TpmPublic keyPublic;
        CreationData creationData;
        TkCreation creationTicket;
        byte[] creationHash;
        //
        // Ask the TPM to create a new primary RSA signing key.
        //
        TpmHandle keyHandle = tpm[ownerAuth].CreatePrimary(
            TpmRh.Owner, // In the owner-hierarchy
            new SensitiveCreate(keyAuth, null), // With this auth-value
            keyTemplate, // Describes key
            null, // Extra data for creation ticket
            new PcrSelection[0], // Non-PCR-bound
            out keyPublic, // PubKey and attributes
            out creationData, out creationHash, out creationTicket); // Not used here
        //
        // Print out text-versions of the public key just created
        //
        //Console.WriteLine("New public key\n" + keyPublic.ToString());

        // Save the transient object's context (TPM-encrypted blob) and write
        // its marshalled form to disk.
        Context ctx = tpm.ContextSave(keyHandle);
        File.WriteAllBytes("key.bin", Marshaller.GetTpmRepresentation(ctx));
        // Clean up.
        tpm.FlushContext(keyHandle);
        tpm.Dispose();
    }
    catch (Exception e)
    {
        Console.WriteLine("Exception occurred: {0}", e.Message);
    }
}
Edit 1:
MethodA();

public static void MethodB()
{
    try
    {
        Tpm2Device tpmDevice = new TcpTpmDevice(tpm_host, tpm_port);
        //Tpm2Device tpmDevice = new TbsDevice();
        tpmDevice.Connect();
        var tpm = new Tpm2(tpmDevice);
        if (tpmDevice is TcpTpmDevice)
        {
            tpmDevice.PowerCycle();
            tpm.Startup(Su.Clear);
        }
        // Unmarshal the blob written by MethodA() and hand it back to the TPM.
        Context ctx2 = Marshaller.FromTpmRepresentation<Context>(File.ReadAllBytes("key.bin"));
        TpmHandle keyHandle = tpm.ContextLoad(ctx2); //integrity check fail
        tpm.FlushContext(keyHandle);
        tpm.Dispose();
    }
    catch (Exception e)
    {
        Console.WriteLine("Exception occurred: {0}", e.Message);
    }
}
Answer 0 (score: 0)

This code is present in both MethodA() and MethodB():

if (tpmDevice is TcpTpmDevice)
{
    tpmDevice.PowerCycle();
    tpm.Startup(Su.Clear);
}

This is a common pattern in the TSS.MSR samples. It checks whether the TPM you are talking to is a simulator and, if so, executes the Clear command on it to make sure you are starting from a clean state. Doing this in MethodA() is fine, but doing it in MethodB() basically undoes what you did in MethodA(): the key you just created is removed, and the integrity check therefore fails.
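The round trip that works, as an added example that is not part of the original question or answer. It keeps the simulator power cycle and Startup(CLEAR) in one place, saves and reloads the key context within that single TPM Reset cycle, proves the reloaded handle is the same key by signing and verifying with the public part, and then reproduces the failure by forcing another reset before a second ContextLoad. Assumptions: the TSS.MSR simulator listens on 127.0.0.1:2321 (its default); the class and method names are this example's own.

```csharp
// Added example (not the poster's or TSS.MSR's own code).
// Assumes the TSS.MSR TPM simulator at 127.0.0.1:2321; names below are ours.
using System;
using System.IO;
using Tpm2Lib;

public static class ContextRoundTrip
{
    static readonly string tpm_host = "127.0.0.1"; // assumed simulator endpoint
    static readonly int tpm_port = 2321;           // TSS.MSR simulator default

    // Same template as the question: SHA-1 name, non-migratable RSA-2048 RSASSA signing key.
    static TpmPublic SigningTemplate()
    {
        return new TpmPublic(TpmAlgId.Sha1,
            ObjectAttr.UserWithAuth | ObjectAttr.Sign |
            ObjectAttr.FixedParent | ObjectAttr.FixedTPM | ObjectAttr.SensitiveDataOrigin,
            null,
            new RsaParms(new SymDefObject(), new SchemeRsassa(TpmAlgId.Sha1), 2048, 0),
            new Tpm2bPublicKeyRsa());
    }

    public static void Run()
    {
        Tpm2Device device = new TcpTpmDevice(tpm_host, tpm_port);
        device.Connect();
        var tpm = new Tpm2(device);

        // The ONLY TPM Reset in this process. Everything below shares its context key.
        if (device is TcpTpmDevice)
        {
            device.PowerCycle();
            tpm.Startup(Su.Clear);
        }

        var ownerAuth = new AuthValue();          // simulator: empty owner auth
        var keyAuth = new byte[] { 1, 2, 3 };
        TpmPublic keyPublic;
        CreationData creationData;
        byte[] creationHash;
        TkCreation creationTicket;

        TpmHandle keyHandle = tpm[ownerAuth].CreatePrimary(TpmRh.Owner,
            new SensitiveCreate(keyAuth, null), SigningTemplate(), null,
            new PcrSelection[0], out keyPublic,
            out creationData, out creationHash, out creationTicket);

        // Save the context, persist the marshalled blob, evict the transient object.
        Context ctx = tpm.ContextSave(keyHandle);
        File.WriteAllBytes("key.bin", Marshaller.GetTpmRepresentation(ctx));
        tpm.FlushContext(keyHandle);

        // Reload WITHOUT a PowerCycle/Startup in between: the blob still verifies.
        Context loadedCtx = Marshaller.FromTpmRepresentation<Context>(File.ReadAllBytes("key.bin"));
        TpmHandle loaded = tpm.ContextLoad(loadedCtx);

        // Prove it is the same key: sign with the reloaded handle, verify with keyPublic.
        TpmHash digest = TpmHash.FromData(TpmAlgId.Sha1, new byte[] { 4, 5, 6 });
        ISignatureUnion sig = tpm[keyAuth].Sign(loaded, digest,
            new SchemeRsassa(TpmAlgId.Sha1), TkHashcheck.NullHashCheck);
        Console.WriteLine("Signature verifies: " + keyPublic.VerifySignatureOverHash(digest, sig));
        tpm.FlushContext(loaded);

        // Reproduce the question's failure: a TPM Reset regenerates the context
        // encryption key, so the identical blob now fails TPM2_ContextLoad's integrity check.
        if (device is TcpTpmDevice)
        {
            tpm.Shutdown(Su.Clear);
            device.PowerCycle();
            tpm.Startup(Su.Clear);
            try
            {
                tpm.ContextLoad(loadedCtx);
                Console.WriteLine("Unexpected: context loaded after TPM Reset");
            }
            catch (TpmException e)
            {
                Console.WriteLine("ContextLoad after reset failed as expected: " + e.Message);
            }
        }
        tpm.Dispose();
    }
}
```

A saved context is bound to the TPM's current context encryption key, which the TPM regenerates on every TPM Reset (power cycle followed by Startup(CLEAR)); that is why the second ContextLoad above returns TPM_RC_INTEGRITY. On a real TPM (TbsDevice) your code cannot power-cycle the chip, but a host reboot has the same effect, so a context file is never a durable way to keep a key. If the key must survive resets, either repeat CreatePrimary with the same template (primary keys are derived deterministically from the hierarchy seed, so the same template yields the same key) or make the object persistent with EvictControl and address it by its persistent handle.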