Create endorsement key using TSS with TrouSerS in C

0

I am writing a program in C, to generate an endorsement key and storage root key. How do I set the key information required to generate the endorsement key and what flags do I need to use?

I am working on two preconfigured virtual machine images in VirtualBox. One of them is simulating a TPM and the other one is housing the C program. These two are connected to each other over the internal network. I can connect to the TPM machine and run TrouSerS tpm_tools over the terminal. I am able to create an endorsement key by running "createek" and also the SRK. However, I am having trouble running Tspi_TPM_CreateEndorsementKey included from trousers/src/include/tss/tspi.h.

TCG Software Stack (TSS) Specification Version 1.10 Golden August 20, 2003 mentions that, "The key information required for creating the endorsement key must be set in the key object by Tspi_SetAttribData( ) before this method is called." when using Tspi_TPM_CreateEndorsementKey. I don't understand how to set this information or what information to use.

This is my approach. "hKey" is the key that is supposed to hold the information required for creating the endorsement key.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <tss/platform.h>
#include <tss/tss_defines.h>
#include <tss/tss_typedef.h>
#include <tss/tss_structs.h>
#include <tss/tspi.h>
#include <trousers/trousers.h>
#include <tss/tss_error.h>
// Macro for debug messages
#define DBG(message, tResult) printf("(Line%d, %s) %s returned 0x%08x. %s.\n", __LINE__, __func__, message, tResult, (char*)Trspi_Error_String(tResult))

// MAIN entry point
int main(int argc, char **argv)
{
    TSS_HCONTEXT hContext = 0;
    TSS_HTPM hTPM = 0;
    TSS_RESULT result;
    // Other unrelated attributes

    // Create context and get tpm handle
    result = Tspi_Context_Create(&hContext);
    DBG("Create a context: ", result);
    // NULL represents the local TPM
    result = Tspi_Context_Connect(hContext, NULL);
    DBG("Connect to TPM: ", result);
    result = Tspi_Context_GetTpmObject(hContext, &hTPM);
    DBG("Get TPM handle: ", result);

    // Create the endorsement key
    TSS_VALIDATION pValidationData;
    TSS_HKEY hKey = 0;
    result = Tspi_TPM_CreateEndorsementKey(hTPM, hKey, &pValidationData);
    DBG("Create endorsement key: ", result);
    // Get EK public key
    TSS_HKEY hEndorsementPubKey;
    result = Tspi_TPM_GetPubEndorsementKey(hTPM, FALSE, NULL, &hEndorsementPubKey);
    DBG("Get EK public key: ", result);
    // START OF APP

    // some code

    // END OF APP

    // Free memory
    result = Tspi_Context_FreeMemory(hContext, NULL);
    DBG("Tspi Context Free Memory: ", result);
    result = Tspi_Context_Close(hContext);
    DBG("Tspi Context Close: ", result);

    return 0;
}

This is the print out when running the program.

(Line48, main) Create a context:  returned 0x00000000. Success.
(Line51, main) Connect to TPM:  returned 0x00000000. Success.
(Line53, main) Get TPM handle:  returned 0x00000000. Success.
(Line59, main) Create endorsement key:  returned 0x00003126. Invalid handle.

----Stuff to do afterwards-----

(Line109, main) Tspi Context Free Memory:  returned 0x00000000. Success.
(Line111, main) Tspi Context Close:  returned 0x00000000. Success.

The return code "Invalid handle" is used if one of these handles is not valid: hTPM, hKey. I am pretty sure that it's hKey. I am able to use hTPM for other instructions like Tspi_TPM_OwnerGetSRKPubKey when I generate the endorsement key with createek over the terminal.

c++
c
security
tpm
asked on Stack Overflow Oct 12, 2019 by AndroBro • edited Oct 13, 2019 by AndroBro

1 Answer

0

It looks like you can just create an object of type "TSS_OBJECT_TYPE_RSAKEY" with "TSS_KEY_SIZE_2048" flag, to generate the key. There is no need to set any attributes using setAttribData, as suggested in the documentation. Another thing to think about is to set the "TSS_VALIDATION" parameter in CreateEndorsementKey to a null pointer. This tells the TSS service to handle the validation of the key, so that you don't have to handle it yourself.

answered on Stack Overflow Oct 14, 2019 by AndroBro
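As an added example (not code from the question or the answer above), the program below applies what the answer says: it creates the key object with Tspi_Context_CreateObject(TSS_OBJECT_TYPE_RSAKEY, TSS_KEY_SIZE_2048) before calling Tspi_TPM_CreateEndorsementKey, and passes NULL for the validation argument. It also decodes a TSS_RESULT the way the question's 0x00003126 needs decoding: the upper nibble names the layer that raised the error, so a TSP-layer "Invalid handle" means libtspi rejected the zero handle locally and the TPM never saw the command. The ek_ functions and the STEP macro are this example's own names; the decoding part is portable C, while the TrouSerS part is compiled only where tss/tspi.h is available (build with -ltspi against a running tcsd).

```c
#include <stdio.h>
#include <string.h>

/* TSS 1.x result-code layout (tss_error.h): bits 12-15 identify the layer
 * that produced the error, bits 0-11 carry the error code itself. */
#define EK_LAYER_MASK 0xF000u
#define EK_CODE_MASK  0x0FFFu
enum {
    EK_LAYER_TPM  = 0x0000,  /* the TPM itself answered with an error   */
    EK_LAYER_TDDL = 0x1000,  /* device driver library                   */
    EK_LAYER_TCS  = 0x2000,  /* core services daemon (tcsd)             */
    EK_LAYER_TSP  = 0x3000   /* service provider library (libtspi)      */
};

unsigned ek_result_layer(unsigned result) { return result & EK_LAYER_MASK; }
unsigned ek_result_code(unsigned result)  { return result & EK_CODE_MASK; }

const char *ek_layer_name(unsigned result)
{
    switch (ek_result_layer(result)) {
    case EK_LAYER_TPM:  return "TPM";
    case EK_LAYER_TDDL: return "TDDL";
    case EK_LAYER_TCS:  return "TCS";
    case EK_LAYER_TSP:  return "TSP";
    default:            return "unknown";
    }
}

/* Nonzero when the call failed on the host side (TDDL/TCS/TSP), i.e. the
 * command never reached the TPM.  0x3126 from the question is TSP-layer
 * code 0x126 ("Invalid handle"): libtspi refused hKey == 0 before doing
 * any TPM work, which is exactly why creating the key object first helps. */
int ek_failed_before_tpm(unsigned result)
{
    return result != 0 && ek_result_layer(result) != EK_LAYER_TPM;
}

void ek_report(const char *what, unsigned result)
{
    printf("%-32s 0x%08x  layer=%s code=0x%03x%s\n", what, result,
           ek_layer_name(result), ek_result_code(result),
           ek_failed_before_tpm(result) ? "  (never reached the TPM)" : "");
}

/* TrouSerS-dependent part: compiled only where the TSS headers exist. */
#ifdef __has_include
#  if __has_include(<tss/tspi.h>)
#    define EK_HAVE_TROUSERS 1
#  endif
#endif
#ifdef EK_HAVE_TROUSERS
#include <tss/tss_error.h>
#include <tss/platform.h>
#include <tss/tss_defines.h>
#include <tss/tss_typedef.h>
#include <tss/tss_structs.h>
#include <tss/tspi.h>

/* Run one TSS call, report it, and jump to cleanup if it failed. */
#define STEP(what, call) do { result = (call); ek_report(what, result); \
                              if (result != TSS_SUCCESS) goto cleanup; } while (0)

int ek_create_and_print(void)
{
    TSS_HCONTEXT hContext = 0;
    TSS_HTPM hTPM = 0;
    TSS_HKEY hKey = 0;          /* filled in by Tspi_Context_CreateObject */
    TSS_HKEY hPubEK = 0;
    BYTE *modulus = NULL;
    UINT32 modulusLen = 0, i;
    TSS_RESULT result;
    int rc = 1;

    STEP("Tspi_Context_Create", Tspi_Context_Create(&hContext));
    STEP("Tspi_Context_Connect", Tspi_Context_Connect(hContext, NULL));
    STEP("Tspi_Context_GetTpmObject", Tspi_Context_GetTpmObject(hContext, &hTPM));

    /* The fix from the answer: hKey must be a real 2048-bit RSA key object. */
    STEP("Tspi_Context_CreateObject",
         Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
                                   TSS_KEY_SIZE_2048, &hKey));
    /* NULL validation lets the TSS check the key itself.  A TPM that already
     * holds an EK (every production part does) rejects this with a TPM-layer
     * error, so it is reported but not treated as fatal here. */
    result = Tspi_TPM_CreateEndorsementKey(hTPM, hKey, NULL);
    ek_report("Tspi_TPM_CreateEndorsementKey", result);

    STEP("Tspi_TPM_GetPubEndorsementKey",
         Tspi_TPM_GetPubEndorsementKey(hTPM, FALSE, NULL, &hPubEK));
    STEP("Tspi_GetAttribData(modulus)",
         Tspi_GetAttribData(hPubEK, TSS_TSPATTRIB_RSAKEY_INFO,
                            TSS_TSPATTRIB_KEYINFO_RSA_MODULUS,
                            &modulusLen, &modulus));
    printf("EK public modulus (%u bytes):", (unsigned)modulusLen);
    for (i = 0; i < modulusLen; i++)
        printf("%s%02x", i % 32 == 0 ? "\n  " : "", modulus[i]);
    printf("\n");
    rc = 0;

cleanup:
    if (modulus)  Tspi_Context_FreeMemory(hContext, modulus);
    if (hPubEK)   Tspi_Context_CloseObject(hContext, hPubEK);
    if (hKey)     Tspi_Context_CloseObject(hContext, hKey);
    if (hContext) { Tspi_Context_FreeMemory(hContext, NULL); Tspi_Context_Close(hContext); }
    return rc;
}

int main(void) { return ek_create_and_print(); }
#endif
```

The STEP macro reports every call in the same layer/code form, so a failure shows at a glance whether it came from libtspi, tcsd or the TPM. The public modulus printed at the end is the value you would compare against the EK reported by the emulator's own tools (or, on real hardware, against the EK certificate) to confirm the handle now refers to the genuine endorsement key.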

User contributions licensed under CC BY-SA 3.0