
Commit 354e7f4

JuergenReppSIT authored and AndreasFuchsTPM committed
man tpm2_startauthsession: Add examples related to parameter encryption.

Examples of ways to use parameter encryption have been added.

Signed-off-by: Juergen Repp <juergen_repp@web.de>
1 parent f2dcc6f commit 354e7f4

2 files changed

Lines changed: 33 additions & 0 deletions

File tree

man/common/authorizations.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,11 @@ Authorization for use of an object in TPM2.0 can come in 3 different forms:
77

88
**NOTE:** "Authorizations default to the **EMPTY PASSWORD** when not specified".
99

10+
For authentication with auth values, the tool commands implicitly
11+
generate an HMAC session. Thus passwords are not transmitted unencrypted.
12+
This does not apply to passwords defined for objects. In this case, an HMAC
13+
session should be used (see tpm2\_startauthsession(1)).
14+
1015
## Passwords
1116

1217
Passwords are interpreted in the following forms below using prefix identifiers.
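Review bot: The added paragraph (lines 10-13 of the new file) distinguishes "auth values" from "passwords defined for objects", but both read as passwords to a user, and the second case is left unexplained; as written, the sentence "This does not apply to passwords defined for objects" contradicts the one before it. The difference the text is reaching for is between an auth value used to authorize a command (the HMAC session never transmits it, it only keys the HMAC) and a new auth value passed as a command parameter, e.g. `-p password` on `tpm2_create`, which travels in the command buffer and is only protected when the session also has the decrypt attribute enabled (this is exactly what the `tpm2_sessionconfig enc_session.ctx --enable-decrypt` step in the companion man page change does). Suggest rewording to something like: "When an auth value is used to authorize a command, the tools implicitly create an HMAC session, so the auth value itself is never transmitted. A new auth value set on an object (for example via -p on tpm2_create) is a command parameter and is sent in the clear unless an HMAC session with parameter encryption (decrypt attribute) is used; see tpm2_startauthsession(1)." Also "Thus passwords are not transmitted unencrypted" overstates it: the auth value is not transmitted at all; it is not encrypted.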

man/tpm2_startauthsession.1.md

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -123,8 +123,36 @@ information many users may expect.
123123

124124
[common tcti options](common/tcti.md) collection of options used to configure
125125
the various known TCTI modules.
126+
126127
# EXAMPLES
127128

129+
## Parameter encryption.
130+
131+
Command parameters and responses are not encrypted if no hmac session is used for
132+
commands. A session where the parameter, in this case the password, is
133+
encrypted can be created as follows:
134+
135+
```bash
136+
tpm2_createprimary -c prim.ctx
137+
tpm2_startauthsession -S enc_session.ctx --hmac-session --key-context prim.ctx
138+
tpm2_create -C prim.ctx -c key.ctx -S enc_session.ctx -p password
139+
```
140+
Even without using a key for the session, a session can be used for parameter
141+
encryption:
142+
143+
```bash
144+
tpm2_startauthsession -S enc_session.ctx --hmac-session
145+
tpm2_sessionconfig enc_session.ctx --enable-decrypt
146+
tpm2_create -C prim.ctx -c key.ctx -S enc_session.ctx -p password
147+
```
148+
If the response has to be encrypted, the --enable-encrypt parameter can be used:
149+
150+
```bash
151+
tpm2_startauthsession -S enc_session.ctx --hmac-session
152+
tpm2_sessionconfig enc_session.ctx --enable-encrypt
153+
tpm2_getrandom -S enc_session.ctx -o rand
154+
```
155+
128156
## Start a *trial* session and save the session data to a file
129157
```bash
130158
tpm2_startauthsession -S mysession.ctx
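Review bot: The first example (new lines 135-139) asserts that the password passed to `tpm2_create -p password` is encrypted, yet, unlike the second example, it never runs `tpm2_sessionconfig enc_session.ctx --enable-decrypt`; the reader cannot tell from the text whether `--key-context prim.ctx` on `tpm2_startauthsession` is meant to turn on the decrypt attribute by itself or whether that step was simply omitted. Either state explicitly that a salted session started with `--key-context` already has the decrypt attribute set, or add the `tpm2_sessionconfig ... --enable-decrypt` line so all three examples follow the same pattern. A second point concerns the security claim of the "Even without using a key" example and of the `tpm2_getrandom` example: in TPM 2.0 an HMAC session that is neither salted nor bound has an empty session key, and the parameter encryption key is then derived only from the nonces (which cross the bus in the clear) and the auth value of the authorized entity, which for `prim.ctx` created without `-p` is empty and for `tpm2_getrandom` does not exist. The encryption in those two examples therefore offers no confidentiality against someone observing the bus; the man page should say that a salt key (`--key-context`) or a bind entity with a non-empty auth value is required for the encryption to protect anything, and ideally move the unsalted variants after that caveat rather than presenting them as equivalent. Minor: the heading "## Parameter encryption." carries a trailing period unlike the other EXAMPLES headings, and "hmac session" should be "HMAC session" to match the rest of the page.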
