platform_BootLockbox test fails for tpm 2.0 boards
Issue description
The following was seen in the logs for R59-9373.0.0:
2017-03-16T18:51:58.884116-07:00 INFO cryptohomed[2390]: Creating new boot-lockbox key.
2017-03-16T18:52:06.716407-07:00 ERR cryptohomed[2390]: Sign: Error signing digest: Session 1: TPM_RC_POLICY_FAIL
2017-03-16T18:52:06.716606-07:00 ERR cryptohomed[2390]: Error signing: Session 1: TPM_RC_POLICY_FAIL
Aug 16 2017
Looks like the issue is with the default PCR value that the signing key is bound to, defined as
const unsigned char kPCRValue[20] = {0};
Should be 32 bytes instead for TPM2.0 (or an empty string to auto-detect).
Sep 2 2017
Turned out indeed to be just the issue in comment #2. Quick-patching the value to be 32 bytes long for 2.0 (and removing the old key) solved the issue. Preparing a proper CL.
Sep 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/cd6afc27c56b9144ec36d4d2337f598911b69853

commit cd6afc27c56b9144ec36d4d2337f598911b69853
Author: Andrey Pronin <apronin@chromium.org>
Date: Tue Sep 05 20:44:02 2017

cryptohome: use the right PCR size in boot lockbox checks

Boot lockbox uses PCR15 to lock key from being used for signing after the lockbox is finalized. TPM 1.2 and 2.0 use PCRs of different sizes. Modify boot lockbox to select the PCR value size based on the tpm model.

BUG= chromium:702680
TEST=platform_BootLockbox and unit tests

Change-Id: I707cf3d1c0e0f7cb1874635e7faa53d5f51003f8
Reviewed-on: https://chromium-review.googlesource.com/648646
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/cd6afc27c56b9144ec36d4d2337f598911b69853/cryptohome/boot_lockbox.cc
[modify] https://crrev.com/cd6afc27c56b9144ec36d4d2337f598911b69853/cryptohome/boot_lockbox.h
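The size mismatch discussed in this thread, as an added example that is not cryptohome's code: it assumes the signing key is bound to PCR15 with a TPM 2.0 PolicyPCR over the SHA-256 bank, and shows why a 20-byte zero value can never satisfy that policy while a 32-byte one does until the PCR is extended. All function names are hypothetical.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F     # TPM 2.0 command code for TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B
PCR_SIZE = {"1.2": 20, "2.0": 32}  # SHA-1 PCRs vs. the SHA-256 bank


def initial_pcr_value(tpm_version: str) -> bytes:
    """All-zero PCR value sized for the TPM model (what the commit selects)."""
    return bytes(PCR_SIZE[tpm_version])


def pcr_selection(index: int) -> bytes:
    """Marshal a TPML_PCR_SELECTION picking one SHA-256 PCR (3-byte bitmap)."""
    bitmap = bytearray(3)
    bitmap[index // 8] |= 1 << (index % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(index: int, pcr_value: bytes) -> bytes:
    """policyDigest after one PolicyPCR on a fresh SHA-256 policy session:
    H(old_digest || TPM_CC_PolicyPCR || selection || H(pcr_value))."""
    pcr_digest = hashlib.sha256(pcr_value).digest()
    return hashlib.sha256(
        bytes(32) + struct.pack(">I", TPM_CC_POLICY_PCR)
        + pcr_selection(index) + pcr_digest
    ).digest()


def key_usable(bound_value: bytes, live_pcr: bytes, index: int = 15) -> bool:
    """True if the policy stored in the key equals the one computed from the
    live PCR; a mismatch is what surfaces as TPM_RC_POLICY_FAIL."""
    return policy_pcr_digest(index, bound_value) == policy_pcr_digest(index, live_pcr)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend on the SHA-256 bank: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


if __name__ == "__main__":
    live = initial_pcr_value("2.0")            # PCR15 after reset (constructed)
    print("bound to 20 zero bytes:", key_usable(bytes(20), live))
    print("bound to 32 zero bytes:", key_usable(initial_pcr_value("2.0"), live))
    finalized = extend(live, bytes(32))        # constructed extend value
    print("after PCR15 extend:    ", key_usable(initial_pcr_value("2.0"), finalized))
```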
Sep 11 2017
Jan 22 2018
Jan 23 2018
Comment 1 by djkurtz@chromium.org, Jun 26 2017