Default params for tpm2_createprimary #52

Closed
GlovePuppet opened this issue Oct 18, 2018 · 8 comments
Comments

@GlovePuppet

I have built tpm2_tools, tpm2_tss and tpm2_pkcs11 from the tip of their respective master branches.

When I run ptool init:
$ tpm2_ptool.py init --pobj-pin=mypobjpin --path=/tmp

I get the following error:
Could not execute tpm2_createprimary: ERROR: Tss2_Sys_CreatePrimary(0x2C4) - tpm:parameter(2):value is out of range or is not correct for the context
ERROR: Unable to run tpm2_createprimary

Recreating the cmd line ptool used I get:
$ tpm2_createprimary -p hex:55d15e8bff73005fd860d47191a4192087cfbfa09443c45320e47e4b8e912b64 -o /tmp/tmp4c6Z3M/context.out

This fails with the same error message. However, if I specify the algorithm (rsa), the command succeeds:
$ tpm2_createprimary -G rsa -p hex:55d15e8bff73005fd860d47191a4192087cfbfa09443c45320e47e4b8e912b64 -o /tmp/tmp4c6Z3M/context.out

Similarly, if I modify the ptool code to add '-G rsa' to the tpm2_createprimary cmd line it works.

The tpm2_createprimary man page suggests the default algorithm will be rsa if it is not specified but the behavior seems different.

Any ideas?

@PeterHuewe
Contributor

Hi,
the default value of tpm2_createprimary is rsa2048:aes256 which is a bit different from "rsa" only, as it requires aes256 support by your tpm.
https://github.com/tpm2-software/tpm2-tools/blob/master/tools/tpm2_createprimary.c#L58
So effectively the manpage is not 100% correct. (but it is rsa in contrast to ecc)

Peter

@GlovePuppet
Author

Right, using my TPM (SLB9665 v1.16) rsa2048:aes128 works but rsa2048:aes256 does not.

@PeterHuewe
Contributor

Yes, aes256 is not supported by slb9655.
If you fail at later steps, change the aes to rsa2048:aes in the ptool in addtoken.
(Sorry for the brief reply)

@GlovePuppet
Author

I have modified ptool to pass '-G rsa2048:aes128' to tpm2_createprimary and that seems to work ok.
$ tpm2_ptool.py init --pobj-pin=mypobjpin --path=/tmp
Created a primary object of id: 1

Then create a label:
$ tpm2_ptool.py addtoken --pid=1 --pobj-pin=mypobjpin --sopin=mysopin --userpin=myuserpin --label=label --path /tmp
Created token: label

But the final step fails:
$ tpm2_ptool.py addkey --algorithm=aes128 --label=label --userpin=myuserpin --path=/tmp
Could not execute tpm2_create: ERROR: Tss2_Sys_Create(0x18A) - tpm:handle(1):the type of the value is not appropriate for the use

or
$ tpm2_ptool.py addkey --algorithm=aes256 --label=label --userpin=myuserpin --path=/tmp
Could not execute tpm2_create: ERROR: Tss2_Sys_Create(0x2C4) - tpm:parameter(2):value is out of range or is not correct for the context

@PeterHuewe
Contributor

In addtoken change
objattrs="restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth"
sobjpriv, sobjpub, sobjpubdata = tpm2.create(pobject['handle'], pobjauthhash, sobjauth, objattrs=objattrs, alg='aes{}'.format(sym_size))
To
objattrs="restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth"
sobjpriv, sobjpub, sobjpubdata = tpm2.create(pobject['handle'], pobjauthhash, sobjauth, objattrs=objattrs, alg='rsa2048:aes128')

@GlovePuppet
Author

Thanks, that got it working

@williamcroberts
Member

There are a few bugs here we should document:

  1. The incorrect manpage, and perhaps we should change the behavior on master to just "rsa". The code underneath that default will then use the attributes to select what asymmetric parameters to set.

  2. The code underneath mentioned above should really be setting the aes key size in symmetric details based on the output of tpm2_getcap.

  3. Use a different secondary object key algorithm.

@dwmw2 - this seems to line up with the issues you were having.
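Added example (not code from tpm2-pkcs11 or tpm2-tools): a helper that picks a primary-object template the TPM actually accepts, as a stopgap for the hard-coded rsa2048:aes256 default described in this thread. Instead of querying tpm2_getcap, it probes by running tpm2_createprimary with a fallback list and treats only the "parameter(2):value is out of range" response quoted above as "unsupported, try the next"; the candidate list, the `run` hook and the argument layout are assumptions.

```python
import re
import subprocess
from typing import Callable, List, Sequence, Tuple

# Candidate templates, strongest first. rsa2048:aes256 is the tpm2_createprimary
# default discussed in this thread; the SLB9665 in the report accepts only aes128.
CANDIDATE_TEMPLATES: Sequence[str] = ("rsa2048:aes256", "rsa2048:aes128")

# The TPM's reply when a template parameter is unsupported (quoted from the
# error in this thread). Any other error is a different problem, not a fallback case.
UNSUPPORTED_PARAM_RE = re.compile(r"tpm:parameter\(2\):value is out of range")

Runner = Callable[[List[str]], Tuple[int, str]]


def run_tool(argv: List[str]) -> Tuple[int, str]:
    """Run a tpm2-tools command and return (exit status, stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stderr


def createprimary_argv(alg: str, auth_hex: str, ctx_path: str) -> List[str]:
    """Build the tpm2_createprimary call ptool issues, with -G made explicit."""
    return ["tpm2_createprimary", "-G", alg, "-p", "hex:" + auth_hex, "-o", ctx_path]


def select_primary_template(auth_hex: str, ctx_path: str,
                            candidates: Sequence[str] = CANDIDATE_TEMPLATES,
                            run: Runner = run_tool) -> str:
    """Return the first template the TPM accepts for the primary object.

    Only the 'parameter out of range' failure advances to the next candidate.
    Anything else (bad auth, tool missing, TCTI failure) is raised immediately,
    because silently falling back would hide the real fault.
    """
    last_err = ""
    for alg in candidates:
        rc, err = run(createprimary_argv(alg, auth_hex, ctx_path))
        if rc == 0:
            return alg
        if not UNSUPPORTED_PARAM_RE.search(err):
            raise RuntimeError(f"tpm2_createprimary -G {alg} failed: {err.strip()}")
        last_err = err
    raise RuntimeError(f"no candidate template accepted; last error: {last_err.strip()}")
```

The same probe can be reused for the secondary object in addtoken, where the thread shows the symmetric-only template being rejected with the same parameter(2) error.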

@williamcroberts
Member

I'm going to close this as we have concrete bugs filed.
