• Registered: 2025-03-04
  • Posts: 3

Topic: Using PolicyPCR

Hello,
I'm trying to authenticate the use of a child key using a PolicyPCR.

In essence what im trying to achieve is the following

tpm2_startauthsession -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:16 -L pcr_policy.digest

tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -G aes256 -u key.pub -r key.priv -L pcr_policy.digest
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

tpm2_startauthsession --policy-session -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:16 
tpm2_encryptdecrypt -c key.ctx -o encrypted.dat  -p session:session.ctx plaintext.dat

Using WolfTPM, I managed to compute the policyDigest using wolfTPM2_PCRGetDigest and wolfTPM2_PolicyPCRMake.
I could confirm that the digest is correct.
Next I created a new key using wolfTPM2_CreateKey, and set the digest in the .authPolicy field.
I also made sure that the TPMA_OBJECT_userWithAuth is not set.
Next after loading the key I create a new session using wolfTPM2_StartSession with TPM_SE_POLICY.
Then I called wolfTPM2_PolicyPCR, and passed the PCR index.
But everytime when calliing wolftTPM2_EncryptDecrypt im getting the error "TPM2_EncryptDecrypt2 failed 0x12f: TPM_RC_AUTH_UNAVAILABLE: The authValue or authPolicy is not available for selected entity"

I believe I am still missing some core TPM concepts. Could you please point out what am I missing.
Thanks!

Share

  • Registered: 2021-08-12
  • Posts: 124

Re: Using PolicyPCR

Hello Bijak Dawid,

My name is Anthony and I am a member of the wolfSSL team.  Please have a look at https://github.com/wolfSSL/wolfTPM/blob … ive_test.c for examples of how to use TPM2_EncryptDecrypt2().  You can search for that function name in there.

Let me know if this advice helps or if you need more details.

In the meantime, can you let me know a bit about yourself and your project?

- what are your goals?
- where you are located?
- is this out of personal, academic or professional interest?

Warm regards, Anthony
Warm regards, Anthony

Share

  • Registered: 2015-10-07
  • Posts: 438

Re: Using PolicyPCR

Hi Bijak Dawid,

Perhaps you can share your code, so I can attempt to reproduce with wolfTPM? Does the tpm2-tools sequence work correctly? If you'd like to keep your code private you can email support at wolfssl dot com.

The most similar examples are probably:
* examples/nvram/policy_nv.c
* examples/boot/secret_seal.c

Thanks,
David Garske, wolfSSL

Share

  • Registered: 2025-03-04
  • Posts: 3

Re: Using PolicyPCR

anthony wrote:

Hello Bijak Dawid,

My name is Anthony and I am a member of the wolfSSL team.  Please have a look at https://github.com/wolfSSL/wolfTPM/blob … ive_test.c for examples of how to use TPM2_EncryptDecrypt2().  You can search for that function name in there.

Hi Anthony, thanks for the quick reply. Regarding the native_test.c example - I was kinda hoping that I could use the higher level WolfTPM API instead of having to use the native API.

anthony wrote:

- what are your goals?
- where you are located?
- is this out of personal, academic or professional interest?

I am looking into the WolfTPM Library in order to determine if it's fit for our project.

Thanks, Dawid

Share

  • Registered: 2025-03-04
  • Posts: 3

Re: Using PolicyPCR

dgarske wrote:

Hi Bijak Dawid,

Perhaps you can share your code, so I can attempt to reproduce with wolfTPM? Does the tpm2-tools sequence work correctly? If you'd like to keep your code private you can email support at wolfssl dot com.

The most similar examples are probably:
* examples/nvram/policy_nv.c
* examples/boot/secret_seal.c

Thanks,
David Garske, wolfSSL

Hi David,
Thank you for the quick answer! Ok, I would rather send the code per email.

Share