Topic: Using PolicyPCR

Hello,
I'm trying to authenticate the use of a child key using a PolicyPCR.

In essence, what I'm trying to achieve is the following:

tpm2_startauthsession -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:16 -L pcr_policy.digest

tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -G aes256 -u key.pub -r key.priv -L pcr_policy.digest
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

tpm2_startauthsession --policy-session -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:16 
tpm2_encryptdecrypt -c key.ctx -o encrypted.dat  -p session:session.ctx plaintext.dat

Using WolfTPM, I managed to compute the policyDigest using wolfTPM2_PCRGetDigest and wolfTPM2_PolicyPCRMake.
I could confirm that the digest is correct.
Next I created a new key using wolfTPM2_CreateKey, and set the digest in the .authPolicy field.
I also made sure that the TPMA_OBJECT_userWithAuth is not set.
Next after loading the key I create a new session using wolfTPM2_StartSession with TPM_SE_POLICY.
Then I called wolfTPM2_PolicyPCR, and passed the PCR index.
But every time when calling wolfTPM2_EncryptDecrypt I'm getting the error "TPM2_EncryptDecrypt2 failed 0x12f: TPM_RC_AUTH_UNAVAILABLE: The authValue or authPolicy is not available for selected entity"

I believe I am still missing some core TPM concepts. Could you please point out what I am missing?
Thanks!

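The digest that tpm2_policypcr -L pcr_policy.digest writes, and that wolfTPM2_PCRGetDigest followed by wolfTPM2_PolicyPCRMake compute, is defined by the TPM 2.0 PolicyPCR rule policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || pcrDigest). The following is an added offline reimplementation of that rule (not wolfTPM or tpm2-tools code) for comparing against the value placed in .authPolicy; the PCR 16 value at the bottom is constructed, so on real hardware read the PCR first and feed the actual value in.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F   # command code mixed into the policy digest
TPM_ALG_SHA256 = 0x000B
PCR_SELECT_MIN = 3               # sizeofSelect for a 24-PCR bank (3 bitmap bytes)


def pcr_selection(pcr_indexes, hash_alg=TPM_ALG_SHA256):
    """Marshal a one-bank TPML_PCR_SELECTION exactly as the TPM hashes it:
    count (UINT32) || hash (UINT16) || sizeofSelect (UINT8) || pcrSelect bitmap."""
    select = bytearray(PCR_SELECT_MIN)
    for idx in pcr_indexes:
        select[idx // 8] |= 1 << (idx % 8)      # PCR 16 -> byte 2, bit 0
    return struct.pack(">IHB", 1, hash_alg, PCR_SELECT_MIN) + bytes(select)


def pcr_digest(pcr_values):
    """Digest of the selected PCR values concatenated in ascending PCR order;
    this is the pcrDigest that wolfTPM2_PCRGetDigest returns for the selection."""
    h = hashlib.sha256()
    for idx in sorted(pcr_values):
        h.update(pcr_values[idx])
    return h.digest()


def policy_pcr(pcr_values, old_policy=bytes(32)):
    """Extend a policy digest with a PolicyPCR step (what wolfTPM2_PolicyPCRMake
    does). old_policy is all zeros for a fresh trial session, i.e. the case in
    the tpm2_policypcr -L sequence above; pass a previous digest to chain."""
    h = hashlib.sha256(old_policy)
    h.update(struct.pack(">I", TPM_CC_POLICY_PCR))
    h.update(pcr_selection(sorted(pcr_values)))
    h.update(pcr_digest(pcr_values))
    return h.digest()


if __name__ == "__main__":
    # Constructed PCR 16 value for demonstration only, not read from a TPM.
    sample = {16: bytes(range(32))}
    print("sha256:16 selection =", pcr_selection([16]).hex())
    print("pcr_policy.digest   =", policy_pcr(sample).hex())
```

Any difference between this value and the digest in the key's .authPolicy (or the file written by -L) means the two sides are selecting different PCRs, a different bank, or different PCR contents, which the TPM reports as a policy mismatch rather than as TPM_RC_AUTH_UNAVAILABLE.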

Re: Using PolicyPCR

Hello Bijak Dawid,

My name is Anthony and I am a member of the wolfSSL team.  Please have a look at https://github.com/wolfSSL/wolfTPM/blob … ive_test.c for examples of how to use TPM2_EncryptDecrypt2().  You can search for that function name in there.

Let me know if this advice helps or if you need more details.

In the meantime, can you let me know a bit about yourself and your project?

- what are your goals?
- where are you located?
- is this out of personal, academic or professional interest?

Warm regards, Anthony


Re: Using PolicyPCR

Hi Bijak Dawid,

Perhaps you can share your code, so I can attempt to reproduce with wolfTPM? Does the tpm2-tools sequence work correctly? If you'd like to keep your code private you can email support at wolfssl dot com.

The most similar examples are probably:
* examples/nvram/policy_nv.c
* examples/boot/secret_seal.c

Thanks,
David Garske, wolfSSL


Re: Using PolicyPCR

anthony wrote:

Hello Bijak Dawid,

My name is Anthony and I am a member of the wolfSSL team.  Please have a look at https://github.com/wolfSSL/wolfTPM/blob … ive_test.c for examples of how to use TPM2_EncryptDecrypt2().  You can search for that function name in there.

Hi Anthony, thanks for the quick reply. Regarding the native_test.c example - I was kinda hoping that I could use the higher level WolfTPM API instead of having to use the native API.

anthony wrote:

- what are your goals?
- where are you located?
- is this out of personal, academic or professional interest?

I am looking into the WolfTPM Library in order to determine if it's fit for our project.

Thanks, Dawid


Re: Using PolicyPCR

dgarske wrote:

Hi Bijak Dawid,

Perhaps you can share your code, so I can attempt to reproduce with wolfTPM? Does the tpm2-tools sequence work correctly? If you'd like to keep your code private you can email support at wolfssl dot com.

The most similar examples are probably:
* examples/nvram/policy_nv.c
* examples/boot/secret_seal.c

Thanks,
David Garske, wolfSSL

Hi David,
Thank you for the quick answer! Ok, I would rather send the code per email.


Re: Using PolicyPCR

bijak.dawid wrote:

Hello,
I'm trying to authenticate the use of a child key using a PolicyPCR.

In essence, what I'm trying to achieve is the following:

tpm2_startauthsession -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:16 -L pcr_policy.digest

tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -G aes256 -u key.pub -r key.priv -L pcr_policy.digest
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

tpm2_startauthsession --policy-session -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:16 
tpm2_encryptdecrypt -c key.ctx -o encrypted.dat  -p session:session.ctx plaintext.dat

Using WolfTPM, I managed to compute the policyDigest using wolfTPM2_PCRGetDigest and wolfTPM2_PolicyPCRMake.
I could confirm that the digest is correct.
Next I created a new key using wolfTPM2_CreateKey, and set the digest in the .authPolicy field.
I also made sure that the TPMA_OBJECT_userWithAuth is not set.
Next after loading the key I create a new session using wolfTPM2_StartSession with TPM_SE_POLICY.
Then I called wolfTPM2_PolicyPCR, and passed the PCR index.
But every time when calling wolfTPM2_EncryptDecrypt I'm getting the error "TPM2_EncryptDecrypt2 failed 0x12f: TPM_RC_AUTH_UNAVAILABLE: The authValue or authPolicy is not available for selected entity"

I believe I am still missing some core TPM concepts. Could you please point out what I am missing?
Thanks!

Hi Dawid,

It looks like you've correctly set up the PolicyPCR and ensured the digest matches expectations. However, the TPM_RC_AUTH_UNAVAILABLE error suggests that the policy session might not be properly established when calling wolfTPM2_EncryptDecrypt. A few things to check:

- Session Type: Ensure that the session used for wolfTPM2_PolicyPCR is indeed a policy session (TPM_SE_POLICY).
- Session Binding: After calling wolfTPM2_PolicyPCR, verify that the session is still active when invoking wolfTPM2_EncryptDecrypt.
- AuthPolicy Presence: Confirm that the authPolicy is correctly set in the key object before loading it.
- TPM2-Tools Validation: Since your tpm2-tools sequence works, try running tpm2_getsession after wolfTPM2_PolicyPCR to confirm the session state.

If these steps don’t resolve the issue, it might help to enable debug logging in wolfTPM to see where the failure occurs. Also, sending your code privately to the wolfSSL team could be beneficial for further troubleshooting.