utils

class tpm2_pytss.utils.NVReadEK(ectx, auth_handle=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)

NV read callback to be used with create_ek_template

Parameters:

• ectx (ESAPI) – The ESAPI context for reading from NV areas

• auth_handle (ESYS_TR) – Handle indicating the source of the authorization. Defaults to the index being read.

• session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.

• session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

• session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.

exception tpm2_pytss.utils.NoSuchIndex(index)

NV index is not defined exception

Parameters:

index (int) – The NV index requested

tpm2_pytss.utils.create_ek_template(ektype, nv_read_cb)

Creates an Endorsenment Key template which when created matches the EK certificate

The template is created according to TCG EK Credential Profile For TPM Family 2.0: - https://trustedcomputinggroup.org/resource/tcg-ek-credential-profile-for-tpm-family-2-0/

Parameters:

• ektype (str) – The endoresment key type.

• nv_read_cb (Callable[Union[int, TPM2_RH]]) – The callback to use for reading NV areas.

Note

nv_read_cb MUST raise a NoSuchIndex exception if the NV index isn’t defined.

Returns:

A tuple of the certificate (can be None) and the template as a TPM2B_PUBLIC instance

Raises:

ValueError – If ektype is unknown or if a high range certificate is requested but not found.

tpm2_pytss.utils.credential_to_tools(id_object, encrypted_secret)

Converts an encrypted credential and an encrypted secret to a format that TPM2-tools can handle.

The output can be used in the credential-blob parameter of the tpm2_activatecredential command.

Parameters:

• id_object – The encrypted credential area.

• encrypted_secret – The encrypted secret.

Returns:

A credential blob in byte form that can be used by TPM2-tools.

tpm2_pytss.utils.make_credential(public, credential, name)

Encrypts credential for use with activate_credential

Parameters:

• public (TPMT_PUBLIC) – The public area of the activation key

• credential (bytes) – The credential to be encrypted

• name (bytes) – The name of the key associated with the credential

Returns:

A tuple of (TPM2B_ID_OBJECT, TPM2B_ENCRYPTED_SECRET)

Raises:

ValueError – If the public key type is not supported

tpm2_pytss.utils.tools_to_credential(credential_blob)

Convert a TPM2-tools compatible credential blob.

Parameters:

credential_blob – A TPM2-tools compatible credential blob.

Returns:

A tuple of (TPM2B_ID_OBJECT, TPM2B_ENCRYPTED_SECRET)

tpm2_pytss.utils.unmarshal_tools_pcr_values(buf, selections)

Unmarshal PCR digests from tpm2_quote using the values format.

Parameters:

• buf (bytes) – content of tpm2_quote PCR output.

• selections (TPML_PCR_SELECTION) – The selected PCRs.

Returns:

A tuple of the number of bytes consumed from buf and a list of digests.

tpm2_pytss.utils.unwrap(newparentpub, newparentpriv, public, duplicate, outsymseed, symkey=None, symdef=None)

unwraps a key under a TPM key hierarchy. In essence, export key from TPM.

This is the inverse function to the wrap() routine. This is usually performed by the TPM when importing objects, however, if an object is duplicated under a new parent where one has both the public and private keys, the object can be unwrapped.

Parameters:

• newparentpub (TPMT_PUBLIC) – The public area of the parent the key was duplicated/wrapped under.

• newparentpriv (TPMT_SENSITIVE) – The private key of the parent the key was duplicated/wrapped under.

• public (TPM2B_PUBLIC) – The public area of the key to be unwrapped.

• duplicate (TPM2B_PRIVATE) – The private or wrapped key to be unwrapped.

• outsymseed (TPM2B_ENCRYPTED_SECRET) – The output symmetric seed from a wrap or duplicate call.

• symkey (bytes or None) – Symmetric key for inner encryption. Defaults to None. When None and symdef is defined a key will be generated based on the key size for symdef.

• symdef (TPMT_SYM_DEF_OBJECT or None) –

  Symmetric algorithm to be used for inner encryption, defaults to None. If None no inner wrapping is performed, else this should be set to aes128CFB since that is what the TPM supports. To set to aes128cfb, do:

  TPMT_SYM_DEF(
    algorithm=TPM2_ALG.AES,
    keyBits=TPMU_SYM_KEY_BITS(sym=128),
    mode=TPMU_SYM_MODE(sym=TPM2_ALG.CFB),
  )
  

Returns:

A TPM2B_SENSITIVE which contains the raw key material.

Raises:

ValueError – If the public key type or symmetric algorithm are not supported

tpm2_pytss.utils.wrap(newparent, public, sensitive, symkey=None, symdef=None)

Wraps key under a TPM key hierarchy

A key is wrapped following the Duplication protections of the TPM Architecture specification. The architecture specification is found in “Part 1: Architecture” at the following link: - https://trustedcomputinggroup.org/resource/tpm-library-specification/

At the time of this writing, spec 1.59 was most recent and it was under section 23.3, titled “Duplication”.

Parameters:

• newparent (TPMT_PUBLIC) – The public area of the parent

• public (TPM2B_PUBLIC) – The public area of the key

• sensitive (TPM2B_SENSITIVE) – The sensitive area of the key

• symkey (bytes or None) – Symmetric key for inner encryption. Defaults to None. When None and symdef is defined a key will be generated based on the key size for symdef.

• symdef (TPMT_SYM_DEF_OBJECT or None) –

  Symmetric algorithm to be used for inner encryption, defaults to None. If None no inner wrapping is performed, else this should be set to aes128CFB since that is what the TPM supports. To set to aes128cfb, do:

  TPMT_SYM_DEF(
    algorithm=TPM2_ALG.AES,
    keyBits=TPMU_SYM_KEY_BITS(sym=128),
    mode=TPMU_SYM_MODE(sym=TPM2_ALG.CFB),
  )
  

Returns:

A tuple of (TPM2B_DATA, TPM2B_PRIVATE, TPM2B_ENCRYPTED_SECRET) which is the encryption key, the the wrapped duplicate and the encrypted seed.

Raises:

ValueError – If the public key type or symmetric algorithm are not supported