Proper export of TPM 2.0 key handle (in TSS.MSR .NET)

Time:04-20

I have been recently looking into TPM 2.0 technology and I'm trying to figure out how to preserve a key handle after, let's say, an application rerun. I figured I need to use TPM2_ContextSave as this function wraps and encrypts all the blobs and whatnot so that only the TPM that created the context can read it back. This, therefore, should be the correct way to store your "keys" in a file, for instance.

Should you need to use this key for decrypting or signing later (PC reboot, app rerun), TPM2_ContextLoad should give you the context (a handle if you're loading a key handle). This is as much as I got from the Trusted Computing Group docs.

TSS.MSR is an API with a .NET variant. And my question lies with Tpm2ContextSaveRequest and Tpm2ContextLoadRequest.

Tpm2ContextSaveRequest has a constructor for TpmHandle. So this structure should be ok to write into a file and read later.
Tpm2ContextLoadRequest, however, has only a Context constructor.
Context has some other constructors calling for some other TpmHandle and ulong, and it is at this point that I'm getting lost in what is going on.

How do I achieve keeping my handle through app reruns?

CodePudding user response:

I have found the answer to it so if any poor soul stumbles upon this, here it is:

You are not supposed to use Tpm2ContextLoadRequest and the Save equivalent. If you want to use context as a medium, use the Tpm2 methods ContextSave and ContextLoad, but I haven't found out how to get those objects stored.

Next note on this is to use a persistent key, which can be made by EvictControl. What you then want to do is export your handle ID (uint member variable). Rerunning the app and assigning this ID should make a valid reference for signing, decrypting, etc...

I have implemented the solution here for more details.
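Added illustration of both routes the answer discusses, written against TSS.MSR's Tpm2Lib (not the asker's project code). It assumes an already opened `Tpm2` object (e.g. `new Tpm2(new TbsDevice())` on Windows), a key already loaded as a transient object, empty owner authorization, and a constructed persistent slot index and file name:

```csharp
using System;
using System.IO;
using Tpm2Lib;   // TSS.MSR .NET (Microsoft.TSS NuGet package)

static class HandleAcrossReruns
{
    // Constructed values: a free slot in the persistent range (0x81000000 + index) and a file name.
    const uint PersistentIndex = 0x0100;
    const string HandleFile = "key-handle.txt";

    // First run: the key is loaded as a transient object (keyHandle). Copy it into a persistent
    // slot under the owner hierarchy and record the 32-bit handle value. Only the handle number
    // leaves the TPM; the key material itself never does.
    public static TpmHandle MakePersistent(Tpm2 tpm, TpmHandle keyHandle)
    {
        TpmHandle persistent = TpmHandle.Persistent(PersistentIndex);
        tpm.EvictControl(TpmHandle.RhOwner, keyHandle, persistent);   // assumes empty owner auth
        File.WriteAllText(HandleFile, persistent.handle.ToString("X8"));
        return persistent;
    }

    // Later run (after reboot or app restart): rebuild the handle from the stored number and
    // confirm the slot is still populated before relying on it for signing or decryption.
    public static TpmHandle ReloadPersistent(Tpm2 tpm)
    {
        var handle = new TpmHandle(Convert.ToUInt32(File.ReadAllText(HandleFile), 16));
        tpm.ReadPublic(handle, out byte[] name, out byte[] qualifiedName);   // throws if slot is empty
        return handle;
    }

    // Context route for comparison: Context is an ordinary TPM structure, so it can be marshalled
    // to bytes and back. A saved object context is invalidated by TPM Reset, so this survives an
    // app rerun but not a cold reboot, which is why the persistent handle is the durable option.
    public static byte[] SaveContextBlob(Tpm2 tpm, TpmHandle keyHandle)
    {
        Context ctx = tpm.ContextSave(keyHandle);
        return ctx.GetTpmRepresentation();
    }

    public static TpmHandle LoadContextBlob(Tpm2 tpm, byte[] blob)
    {
        Context ctx = Marshaller.FromTpmRepresentation<Context>(blob);
        return tpm.ContextLoad(ctx);
    }
}
```

The handle file contains no secret, but a persistent slot is shared TPM state, so pick an index that does not collide with slots other software on the machine uses and remove it with a second EvictControl when the key is retired.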
