cryptohome --action=get_enrollment_id prints the wrong EID

Issue description

    localhost ~ # ./print_enterprise_eid.py
    09d5621852aabb1c679b4f925ad5c103f49480e22a0fc77588a62d73f051a540
    localhost ~ # cryptohome --action=get_enrollment_id
    c2524e1e4a517baa785f73ec11f64fb4fb8f287eb86f96f40752d8231b0daffd
    localhost ~ #

Oops. This is on a Minnie.
Mar 15 2018

Mar 15 2018
You need to swap the "key" and "blob" arguments when you compute the EID. The EID is defined as HMAC_SHA256(den, ekm) where ekm is the modulus of the TPM key. This is confusing, understandably. See go/zero-touch-id-versions which now has a link to this bug :-) You can use the print_enterprise_eid.py script to generate test data as it accepts arguments for the device secret and a TPM EK. Always double check results on a live machine per the first post in this bug. This would have shown that mistake immediately.
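The key/message confusion described in the comment above, as an added example that is not cryptohome's or the print_enterprise_eid.py script's code: it computes the EID both ways, cross-checks the correct order against a hand-written HMAC, and applies the live-machine check of comparing the EID with the enrollment certificate CN. The 32-byte `den` and the 2048-bit modulus are constructed values, and the fixed-width big-endian modulus encoding is an assumption of this example.

```python
"""Added example, not cryptohome's code: EID = HMAC_SHA256(den, ekm), with
the device secret `den` as the HMAC key and the raw big-endian endorsement-key
modulus `ekm` as the message. Swapping them still yields a 32-byte digest."""
import hashlib
import hmac

def eid_correct(den: bytes, ekm: bytes) -> str:
    """EID as defined: den keys the HMAC, the EK modulus is the message."""
    return hmac.new(den, ekm, hashlib.sha256).hexdigest()

def eid_swapped(den: bytes, ekm: bytes) -> str:
    """The pre-fix computation: the 256-byte modulus used as the key, den as
    the message. Same length, different value, so nothing fails locally."""
    return hmac.new(ekm, den, hashlib.sha256).hexdigest()

def hmac_sha256_by_hand(key: bytes, msg: bytes) -> bytes:
    """RFC 2104 HMAC written out, as an independent check of eid_correct.
    Keys longer than the 64-byte SHA-256 block (such as the modulus when it
    is misused as the key) are hashed down first, which is why the swapped
    call does not error out either."""
    block = 64
    if len(key) > block:
        key = hashlib.sha256(key).digest()
    key = key.ljust(block, b"\x00")
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.sha256(bytes(b ^ 0x5C for b in key) + inner).digest()

def modulus_bytes(n: int, bits: int = 2048) -> bytes:
    """Serialise an RSA modulus as fixed-width big-endian bytes (assumed
    encoding); a stripped leading zero or an extra DER sign byte would
    change the EID just as silently as the argument swap did."""
    return n.to_bytes(bits // 8, "big")

def eid_matches_cert_cn(eid_hex: str, cert_subject: str) -> bool:
    """Live-machine check from this bug: the EID from get_enrollment_id must
    equal the CN of the enrollment certificate's subject."""
    fields = dict(part.split("=", 1) for part in cert_subject.split(", "))
    return fields.get("CN", "").lower() == eid_hex.lower()

# Constructed test vectors, not a real device secret or endorsement key.
DEN = bytes(range(32))
EKM = modulus_bytes((1 << 2047) | (0xC0FFEE << 1024) | 1)

if __name__ == "__main__":
    good, bad = eid_correct(DEN, EKM), eid_swapped(DEN, EKM)
    subject = "O=Chrome Device Enrollment, CN=" + good
    print("correct :", good)
    print("swapped :", bad)
    print("cert CN matches correct:", eid_matches_cert_cn(good, subject))
    print("cert CN matches swapped:", eid_matches_cert_cn(bad, subject))
```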
Mar 15 2018

Mar 28 2018
The same fix is also required to address:
1) tpm-manager verify_endorsement issues (b/74866346, b/74724786, b/74182165).
2) enrollment issues if the device is rebooted between OOBE and enrollment (issue 826842).
The issue is the result of the CL crrev.com/c/847472 that has landed in M-66 (10343.0.0). So, we'll need to pick the fix to M-66 as well.
Mar 28 2018

Mar 28 2018

Mar 29 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/0bcd9fc0d5b839a367e5a94cae8f22d29fd100ce

commit 0bcd9fc0d5b839a367e5a94cae8f22d29fd100ce
Author: Igor <igorcov@chromium.org>
Date: Thu Mar 29 20:33:02 2018

    cryptohome: Fix the calculation of EID

    The eid should be HMAC_SHA256(den, ekm). The previous version had
    parameters swapped. Also fixed the ekm modulus, which should be the
    modulus of endorsement key.

    BUG= chromium:822426
    TEST=unit tests and testing on the device with TPM1.2:

    Method 1:
    localhost ~ # python /tmp/print_enterprise_eid.py
    ce376409ce36aba384fe7aeaa8c129cf3f512c581c4298801ef6f0d36ad450df

    Method 2:
    localhost ~ # cryptohome --action=get_enrollment_id
    ce376409ce36aba384fe7aeaa8c129cf3f512c581c4298801ef6f0d36ad450df

    Method 3:
    Apply patch from https://chromium-review.googlesource.com/c/chromiumos/platform2/+/967722
    and deploy on device. Enroll the device.
    localhost ~ # cryptohome --action=tpm_attestation_start_cert_request --profile=enrollment --file=/tmp/cert_request
    localhost ~ # curl -v -H "Content-Type: application/octet-stream" --data-binary @/tmp/cert_request -o /tmp/cert_response https://chromeos-ca.gstatic.com/sign
    localhost ~ # cryptohome --action=tpm_attestation_finish_cert_request --name=attest-ent-machine --file=/tmp/cert_response
    localhost ~ # openssl x509 -in /tmp/cert_response -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                01:62:24:ec:bc:a8:e6:88:d3:11:39:e7:1b:1c:00:00:00:00:00:00:13:d1
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Privacy CA Intermediate, OU=Chrome OS, O=Google Inc, L=Mountain View, ST=California, C=US
            Validity
                Not Before: Mar 19 11:05:14 2018 GMT
                Not After : Mar 20 11:05:14 2018 GMT
            Subject: O=Chrome Device Enrollment, CN=ce376409ce36aba384fe7aeaa8c129cf3f512c581c4298801ef6f0d36ad450df

    Change-Id: I12ceef45154f9ce8d318cf83ab1cf6492748b296
    Reviewed-on: https://chromium-review.googlesource.com/966606
    Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
    Tested-by: Igor <igorcov@chromium.org>
    Reviewed-by: Igor <igorcov@chromium.org>
    Reviewed-by: Yves Arrouye <drcrash@chromium.org>
    Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/0bcd9fc0d5b839a367e5a94cae8f22d29fd100ce/cryptohome/attestation_unittest.cc
[modify] https://crrev.com/0bcd9fc0d5b839a367e5a94cae8f22d29fd100ce/cryptohome/attestation.cc
[modify] https://crrev.com/0bcd9fc0d5b839a367e5a94cae8f22d29fd100ce/cryptohome/attestation.h
Mar 30 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7

commit 153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7
Author: Igor <igorcov@chromium.org>
Date: Fri Mar 30 04:59:49 2018

    attestation: Fix the calculation of EID

    The eid should be HMAC_SHA256(den, ekm). The previous version had
    parameters swapped.

    BUG= chromium:822426
    BUG=chromium:826842
    TEST=unit tests and testing on the device with TPM2.0:

    Method 1:
    localhost ~ # cryptohome --action=get_enrollment_id
    7745abcaedf4b22c10595cb42a7dbd6cdbcad079fc1503ab5856b1614320e75e

    Method 2:
    Apply patch from https://chromium-review.googlesource.com/c/chromiumos/platform2/+/967722
    and deploy on device. Enroll the device.
    localhost ~ # cryptohome --action=tpm_attestation_start_cert_request --profile=enrollment --file=/tmp/cert_request
    localhost ~ # curl -v -H "Content-Type: application/octet-stream" --data-binary @/tmp/cert_request -o /tmp/cert_response https://chromeos-ca.gstatic.com/sign
    localhost ~ # cryptohome --action=tpm_attestation_finish_cert_request --name=attest-ent-machine --file=/tmp/cert_response
    localhost ~ # openssl x509 -in /tmp/cert_response -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                01:62:1c:2e:3e:2f:35:4a:c6:e0:57:e2:d8:91:00:00:00:00:00:00:1c:6b
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Privacy CA Intermediate, OU=Chrome OS, O=Google Inc, L=Mountain View, ST=California, C=US
            Validity
                Not Before: Mar 19 15:23:23 2018 GMT
                Not After : Mar 20 15:23:23 2018 GMT
            Subject: O=Chrome Device Enrollment, CN=7745abcaedf4b22c10595cb42a7dbd6cdbcad079fc1503ab5856b1614320e75e

    CQ-DEPEND=CL:968869
    Change-Id: I7ac1464e46a1f0e9012315bce555a6a530774d8c
    Reviewed-on: https://chromium-review.googlesource.com/968801
    Commit-Ready: Andrey Pronin <apronin@chromium.org>
    Tested-by: Andrey Pronin <apronin@chromium.org>
    Reviewed-by: Igor <igorcov@chromium.org>
    Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7/attestation/server/attestation_service_test.cc
[modify] https://crrev.com/153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7/attestation/common/tpm_utility_v1.cc
[modify] https://crrev.com/153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7/attestation/common/tpm_utility_v1.h
[modify] https://crrev.com/153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7/attestation/common/tpm_utility.h
[modify] https://crrev.com/153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7/attestation/common/tpm_utility_v2.h
[modify] https://crrev.com/153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7/attestation/common/tpm_utility_v2.cc
[modify] https://crrev.com/153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7/attestation/server/attestation_service.cc
[modify] https://crrev.com/153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7/attestation/common/tpm_utility_v2_test.cc
[modify] https://crrev.com/153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7/attestation/common/mock_tpm_utility.h
Mar 30 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/9eac50f3b52f5873a3c493f0efd789e1a2daee76

commit 9eac50f3b52f5873a3c493f0efd789e1a2daee76
Author: Andrey Pronin <apronin@chromium.org>
Date: Fri Mar 30 04:59:50 2018

    cryptohome: tpm2: revert GetEndorsementPublicKey to not implemented

    CL:827064 incorrectly implemented Tpm2Impl::GetEndorsementPublicKey().
    It should return a DER encoded EK, not EK modulus. Now with CL:968869
    renaming the underlying trunks function this incorrect implementation
    breaks the build. Nobody is using this function for tpm2, so it's
    sufficient to revert it back to LOG(ERROR) << "Not implemented" as it
    was pre CL:827064.

    BUG= chromium:822426
    BUG=chromium:826842
    TEST=unit tests

    Change-Id: I0594a30822eaa5ef74a62f5c8b189fa0fea77f66
    Reviewed-on: https://chromium-review.googlesource.com/985493
    Commit-Ready: Andrey Pronin <apronin@chromium.org>
    Tested-by: Andrey Pronin <apronin@chromium.org>
    Reviewed-by: Igor <igorcov@chromium.org>
    Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
    Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/9eac50f3b52f5873a3c493f0efd789e1a2daee76/cryptohome/tpm2_impl.cc
Apr 3 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/9ee8cc67ec0643810d7f0f9d26dbde1c4b229d25

commit 9ee8cc67ec0643810d7f0f9d26dbde1c4b229d25
Author: Igor <igorcov@chromium.org>
Date: Tue Apr 03 22:59:56 2018

    attestation: Fix the calculation of EID

    This is a cherry pick of CL:968801

    The eid should be HMAC_SHA256(den, ekm). The previous version had
    parameters swapped.

    BUG= chromium:822426
    BUG=chromium:826842
    TEST=unit tests and testing on the device with TPM2.0:

    Method 1:
    localhost ~ # cryptohome --action=get_enrollment_id
    7745abcaedf4b22c10595cb42a7dbd6cdbcad079fc1503ab5856b1614320e75e

    Method 2:
    Apply patch from https://chromium-review.googlesource.com/c/chromiumos/platform2/+/967722
    and deploy on device. Enroll the device.
    localhost ~ # cryptohome --action=tpm_attestation_start_cert_request --profile=enrollment --file=/tmp/cert_request
    localhost ~ # curl -v -H "Content-Type: application/octet-stream" --data-binary @/tmp/cert_request -o /tmp/cert_response https://chromeos-ca.gstatic.com/sign
    localhost ~ # cryptohome --action=tpm_attestation_finish_cert_request --name=attest-ent-machine --file=/tmp/cert_response
    localhost ~ # openssl x509 -in /tmp/cert_response -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                01:62:1c:2e:3e:2f:35:4a:c6:e0:57:e2:d8:91:00:00:00:00:00:00:1c:6b
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Privacy CA Intermediate, OU=Chrome OS, O=Google Inc, L=Mountain View, ST=California, C=US
            Validity
                Not Before: Mar 19 15:23:23 2018 GMT
                Not After : Mar 20 15:23:23 2018 GMT
            Subject: O=Chrome Device Enrollment, CN=7745abcaedf4b22c10595cb42a7dbd6cdbcad079fc1503ab5856b1614320e75e

    CQ-DEPEND=CL:992041
    Change-Id: I7ac1464e46a1f0e9012315bce555a6a530774d8c
    Reviewed-on: https://chromium-review.googlesource.com/968801
    Commit-Ready: Andrey Pronin <apronin@chromium.org>
    Tested-by: Andrey Pronin <apronin@chromium.org>
    Reviewed-by: Igor <igorcov@chromium.org>
    Reviewed-by: Andrey Pronin <apronin@chromium.org>
    (cherry picked from commit 153d687382a3c98f54a2a0a7cf6e5fdd5ded4aa7)
    Reviewed-on: https://chromium-review.googlesource.com/992040
    Commit-Queue: Igor <igorcov@chromium.org>
    Tested-by: Igor <igorcov@chromium.org>

[modify] https://crrev.com/9ee8cc67ec0643810d7f0f9d26dbde1c4b229d25/attestation/server/attestation_service_test.cc
[modify] https://crrev.com/9ee8cc67ec0643810d7f0f9d26dbde1c4b229d25/attestation/common/tpm_utility_v1.cc
[modify] https://crrev.com/9ee8cc67ec0643810d7f0f9d26dbde1c4b229d25/attestation/common/tpm_utility_v1.h
[modify] https://crrev.com/9ee8cc67ec0643810d7f0f9d26dbde1c4b229d25/attestation/common/tpm_utility.h
[modify] https://crrev.com/9ee8cc67ec0643810d7f0f9d26dbde1c4b229d25/attestation/common/tpm_utility_v2.h
[modify] https://crrev.com/9ee8cc67ec0643810d7f0f9d26dbde1c4b229d25/attestation/common/tpm_utility_v2.cc
[modify] https://crrev.com/9ee8cc67ec0643810d7f0f9d26dbde1c4b229d25/attestation/server/attestation_service.cc
[modify] https://crrev.com/9ee8cc67ec0643810d7f0f9d26dbde1c4b229d25/attestation/common/tpm_utility_v2_test.cc
[modify] https://crrev.com/9ee8cc67ec0643810d7f0f9d26dbde1c4b229d25/attestation/common/mock_tpm_utility.h
Apr 4 2018
Note that when testing re #12, you shouldn't expect the same EID as printed here. But the EID from method 1 and the CN of the cert received in method 2 should be identical.
Apr 4 2018

Apr 6 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/f8e350c44d7a885462b8e07e9ad8e5cd7f1a1e5a

commit f8e350c44d7a885462b8e07e9ad8e5cd7f1a1e5a
Author: Igor <igorcov@chromium.org>
Date: Fri Apr 06 05:12:31 2018

    autotest: Add new test to check the get_enrollment_id from cryptohome

    BUG= chromium:822426
    TEST=test_that -b ${BOARD} <ip> platform_CryptohomeGetEnrollmentId

    Change-Id: I569dcbb1b8f52c630f109e09d3ca97d71fd5129c
    Reviewed-on: https://chromium-review.googlesource.com/977962
    Commit-Ready: Igor <igorcov@chromium.org>
    Tested-by: Igor <igorcov@chromium.org>
    Reviewed-by: Igor <igorcov@chromium.org>
    Reviewed-by: Yves Arrouye <drcrash@chromium.org>
    Reviewed-by: Andrey Pronin <apronin@chromium.org>

[add] https://crrev.com/f8e350c44d7a885462b8e07e9ad8e5cd7f1a1e5a/client/site_tests/platform_CryptohomeGetEnrollmentId/platform_CryptohomeGetEnrollmentId.py
[add] https://crrev.com/f8e350c44d7a885462b8e07e9ad8e5cd7f1a1e5a/client/site_tests/platform_CryptohomeGetEnrollmentId/control
Apr 6 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/e259292a1fde5cf390c80600ea24a558b144dfd1

commit e259292a1fde5cf390c80600ea24a558b144dfd1
Author: Yves Arrouye <drcrash@google.com>
Date: Fri Apr 06 05:12:30 2018

    cryptohome: More robust unit test for the enrollment ID

    Use realistic data. Also rewrote the delegate test to check for the EID
    on a second login which is where having a delegate really matters.

    Unit tests:
    P2_TEST_FILTER=*Attestation*Test*EnrollmentId* \
      cros_workon_make --board=$BOARD --test cryptohome

    BUG= chromium:822426
    TEST=unit tests

    Change-Id: Ib2a878cbd0dd1e94474ebefb823c995731dcee01
    Reviewed-on: https://chromium-review.googlesource.com/994738
    Commit-Ready: Yves Arrouye <drcrash@chromium.org>
    Tested-by: Yves Arrouye <drcrash@chromium.org>
    Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/e259292a1fde5cf390c80600ea24a558b144dfd1/cryptohome/attestation_unittest.cc
[modify] https://crrev.com/e259292a1fde5cf390c80600ea24a558b144dfd1/cryptohome/attestation.cc
[modify] https://crrev.com/e259292a1fde5cf390c80600ea24a558b144dfd1/cryptohome/attestation.h
Apr 6 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/cb75fc25c83a2f0e943432e64191225d447b3c2e

commit cb75fc25c83a2f0e943432e64191225d447b3c2e
Author: Igor <igorcov@chromium.org>
Date: Fri Apr 06 21:44:19 2018

    chromiumos-overlay: Added platform_CryptohomeGetEnrollmentId autotest

    BUG= chromium:822426
    TEST=test_that -b ${BOARD} <ip> platform_CryptohomeGetEnrollmentId
    CQ-DEPEND=CL:977962

    Change-Id: I63a2c521da9160619a3d6d61f9c9c796af0152cf
    Reviewed-on: https://chromium-review.googlesource.com/978102
    Commit-Ready: Igor <igorcov@chromium.org>
    Tested-by: Igor <igorcov@chromium.org>
    Reviewed-by: Igor <igorcov@chromium.org>
    Reviewed-by: Yves Arrouye <drcrash@chromium.org>
    Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/cb75fc25c83a2f0e943432e64191225d447b3c2e/chromeos-base/autotest-tests-cryptohome/autotest-tests-cryptohome-9999.ebuild
Jun 4 2018
The following revision refers to this bug:
https://chromium.googlesource.com/aosp/platform/system/tpm/+/14ee15054c894e8785bdf65005d456163f41502d

commit 14ee15054c894e8785bdf65005d456163f41502d
Author: Igor <igorcov@chromium.org>
Date: Thu May 31 18:49:29 2018

    attestation: Fix the calculation of EID

    The eid should be HMAC_SHA256(den, ekm). The previous version had
    parameters swapped.

    BUG= chromium:822426
    BUG=chromium:826842
    TEST=unit tests and testing on the device with TPM2.0:

    Method 1:
    localhost ~ # cryptohome --action=get_enrollment_id
    7745abcaedf4b22c10595cb42a7dbd6cdbcad079fc1503ab5856b1614320e75e

    Method 2:
    Apply patch from https://chromium-review.googlesource.com/c/chromiumos/platform2/+/967722
    and deploy on device. Enroll the device.
    localhost ~ # cryptohome --action=tpm_attestation_start_cert_request --profile=enrollment --file=/tmp/cert_request
    localhost ~ # curl -v -H "Content-Type: application/octet-stream" --data-binary @/tmp/cert_request -o /tmp/cert_response https://chromeos-ca.gstatic.com/sign
    localhost ~ # cryptohome --action=tpm_attestation_finish_cert_request --name=attest-ent-machine --file=/tmp/cert_response
    localhost ~ # openssl x509 -in /tmp/cert_response -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                01:62:1c:2e:3e:2f:35:4a:c6:e0:57:e2:d8:91:00:00:00:00:00:00:1c:6b
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Privacy CA Intermediate, OU=Chrome OS, O=Google Inc, L=Mountain View, ST=California, C=US
            Validity
                Not Before: Mar 19 15:23:23 2018 GMT
                Not After : Mar 20 15:23:23 2018 GMT
            Subject: O=Chrome Device Enrollment, CN=7745abcaedf4b22c10595cb42a7dbd6cdbcad079fc1503ab5856b1614320e75e

    CQ-DEPEND=CL:968869
    Change-Id: I7ac1464e46a1f0e9012315bce555a6a530774d8c
    Reviewed-on: https://chromium-review.googlesource.com/968801
    Commit-Ready: Andrey Pronin <apronin@chromium.org>
    Tested-by: Andrey Pronin <apronin@chromium.org>
    Reviewed-by: Igor <igorcov@chromium.org>
    Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/14ee15054c894e8785bdf65005d456163f41502d/attestation/server/attestation_service_test.cc
[modify] https://crrev.com/14ee15054c894e8785bdf65005d456163f41502d/attestation/common/tpm_utility_v1.cc
[modify] https://crrev.com/14ee15054c894e8785bdf65005d456163f41502d/attestation/common/tpm_utility_v1.h
[modify] https://crrev.com/14ee15054c894e8785bdf65005d456163f41502d/attestation/common/tpm_utility.h
[modify] https://crrev.com/14ee15054c894e8785bdf65005d456163f41502d/attestation/common/tpm_utility_v2.h
[modify] https://crrev.com/14ee15054c894e8785bdf65005d456163f41502d/attestation/common/tpm_utility_v2.cc
[modify] https://crrev.com/14ee15054c894e8785bdf65005d456163f41502d/attestation/server/attestation_service.cc
[modify] https://crrev.com/14ee15054c894e8785bdf65005d456163f41502d/attestation/common/tpm_utility_v2_test.cc
[modify] https://crrev.com/14ee15054c894e8785bdf65005d456163f41502d/attestation/common/mock_tpm_utility.h
Comment 1 by drcrash@chromium.org, Mar 15 2018