Is there a reason to require a TCTI for policy tools that do not interact with the TPM when they are not invoked with `--policy-session`? I need to build a policy for creating a duplicate object and do not want to be throttled by talking to the physical TPM.
As a workaround I can pre-compute the policy hash and hard-code it in the scripts, but that is not as flexible:
```sh
# Write the pre-computed policy digest as 32 raw bytes
echo 'fd32fa22c52cfc8e1a0c29eb38519f87084cab0b04b0d8f020a4d38b2f4e223e' \
| xxd -p -r > policy.dat
# Create the duplicate without contacting a TPM
tpm2 duplicate \
--tcti none \
-U ek.pub \
-G rsa \
-L policy.dat \
-k transport-priv.pem \
-u transport.pub \
-r transport.dpriv \
-s transport.seed
```
This is likely unrelated, but using a 64-byte hex dump instead of the 32-byte binary file "works" for `tpm2 duplicate`, but the `tpm2 import` fails with an HMAC size error:
```
WARNING:esys:src/tss2-esys/api/Esys_Import.c:323:Esys_Import_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Import.c:110:Esys_Import() Esys Finish ErrorCode (0x000002d5)
ERROR: Esys_HMAC(0x2D5) - tpm:parameter(2):structure is the wrong size
ERROR: Unable to run import
```
nicowilliams
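An added example, not part of the issue and not tpm2-tools code: computing a policy digest in software with no TCTI, and checking that a policy file holds a raw digest of the right size before it is handed to `tpm2 duplicate`. It assumes the policy is a single PolicyCommandCode(TPM2_CC_Duplicate) assertion under SHA-256, which the issue does not state; `policy_command_code` and `normalize_policy` are hypothetical helper names.

```python
import hashlib
import struct

# Command codes from the TPM 2.0 specification, Part 2 (TPM_CC).
TPM2_CC_POLICY_COMMAND_CODE = 0x0000016C
TPM2_CC_DUPLICATE = 0x0000014B


def policy_command_code(code, alg="sha256", prior=None):
    """Software equivalent of one TPM2_PolicyCommandCode step:
    new = H(old || TPM_CC_PolicyCommandCode || code), old starting as zeros."""
    size = hashlib.new(alg).digest_size
    old = bytes(size) if prior is None else prior
    if len(old) != size:
        raise ValueError(f"prior digest is {len(old)} bytes, {alg} needs {size}")
    data = old + struct.pack(">II", TPM2_CC_POLICY_COMMAND_CODE, code)
    return hashlib.new(alg, data).digest()


def normalize_policy(data, alg="sha256"):
    """Return the raw digest held in policy file contents, decoding a hex
    dump if that is what the file holds and rejecting any other length."""
    size = hashlib.new(alg).digest_size
    if len(data) == size:
        return data
    text = data.strip()
    if len(text) == 2 * size:
        try:
            raw = bytes.fromhex(text.decode("ascii"))
        except ValueError:  # non-hex or non-ASCII content
            raw = b""
        if len(raw) == size:
            return raw
    raise ValueError(
        f"policy is {len(data)} bytes; expected a {size}-byte {alg} digest")


if __name__ == "__main__":
    # Assumed policy: only TPM2_Duplicate may use the object.
    print(policy_command_code(TPM2_CC_DUPLICATE).hex())
    # The hex dump quoted in the issue, as it would sit in a text file.
    hexdump = (b"fd32fa22c52cfc8e1a0c29eb38519f87"
               b"084cab0b04b0d8f020a4d38b2f4e223e\n")
    print(len(normalize_policy(hexdump)))
```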