On Wed, Dec 23, 2020 at 11:58:17AM -0800, James Bottomley wrote:

On Tue, 2020-12-22 at 18:01 -0500, Ken Goldman wrote:

quoted

On 11/29/2020 5:20 PM, James Bottomley wrote:

quoted

Note this is both and enhancement and a potential bug fix.  The TPM
2.0 spec requires us to strip leading zeros, meaning empyty
authorization is a zero length HMAC whereas we're currently passing
in 20 bytes of zeros.  A lot of TPMs simply accept this as OK, but
the Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this
patch makes the Microsoft TPM emulator work with trusted keys.

1 - To be precise, it strips trailing zeros, but 20 bytes of zero
results in an empty buffer either way.

"
Part 1 19.6.4.3	Authorization Size Convention

Trailing octets of zero are to be removed from any string before it
is used as an authValue.
"


2 - If you have a test case for the MS simulator, post it and I'll
give it a try.

I did a quick test, power cycle to set platform auth to empty, than
create primary with a parent password 20 bytes of zero, and the
SW TPM accepted it.

This was a password session, not an HMAC session.

I reported it to Microsoft as soon as I found the problem, so, since
this patch set has been languishing for years, I'd hope it would be
fixed by now.  It is still, however, possible there still exist TPM
implementations based on the unfixed Microsoft reference platform.

James

One year :-) A bit over but by all practical means... [*]

BTW, can you use my kernel org address for v15? 

[*] https://lore.kernel.org/linux-integrity/1575781600.14069.8.camel@HansenPartnership.com/ (local)

/Jarkko