utils
- class tpm2_pytss.utils.NVReadEK(ectx, auth_handle=None, session1=ESYS_TR.PASSWORD, session2=ESYS_TR.NONE, session3=ESYS_TR.NONE)
NV read callback to be used with create_ek_template.
- Parameters:
ectx (ESAPI) – The ESAPI context for reading from NV areas
auth_handle (ESYS_TR) – Handle indicating the source of the authorization. Defaults to the index being read.
session1 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.PASSWORD.
session2 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.
session3 (ESYS_TR) – A session for securing the TPM command (optional). Defaults to ESYS_TR.NONE.
- exception tpm2_pytss.utils.NoSuchIndex(index)
Raised when the requested NV index is not defined.
- Parameters:
index (int) – The NV index requested
- tpm2_pytss.utils.create_ek_template(ektype, nv_read_cb)
Creates an Endorsement Key template which, when used to create the key, matches the EK certificate.
The template is created according to the TCG EK Credential Profile For TPM Family 2.0: https://trustedcomputinggroup.org/resource/tcg-ek-credential-profile-for-tpm-family-2-0/
- Parameters:
Note: nv_read_cb MUST raise a NoSuchIndex exception if the NV index isn't defined.
- Returns:
A tuple of the certificate (can be None) and the template as a TPM2B_PUBLIC instance
- Raises:
ValueError – If ektype is unknown or if a high range certificate is requested but not found.
- tpm2_pytss.utils.credential_to_tools(id_object, encrypted_secret)
Converts an encrypted credential and an encrypted secret to a format that TPM2-tools can handle.
The output can be used in the credential-blob parameter of the tpm2_activatecredential command.
- Parameters:
id_object – The encrypted credential area.
encrypted_secret – The encrypted secret.
- Returns:
A credential blob in byte form that can be used by TPM2-tools.
- tpm2_pytss.utils.make_credential(public, credential, name)
Encrypts a credential for use with activate_credential.
- Parameters:
public (TPMT_PUBLIC) – The public area of the activation key
credential (bytes) – The credential to be encrypted
name (bytes) – The name of the key associated with the credential
- Returns:
A tuple of (TPM2B_ID_OBJECT, TPM2B_ENCRYPTED_SECRET)
- Raises:
ValueError – If the public key type is not supported
- tpm2_pytss.utils.tools_to_credential(credential_blob)
Converts a TPM2-tools compatible credential blob back into its TPM2B_ID_OBJECT and TPM2B_ENCRYPTED_SECRET parts.
- Parameters:
credential_blob – A TPM2-tools compatible credential blob.
- Returns:
A tuple of (TPM2B_ID_OBJECT, TPM2B_ENCRYPTED_SECRET)
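As an added example (not the library's code) of the conversion credential_to_tools and tools_to_credential perform, the blob is modelled here as a header followed by the two marshalled TPM2B structures (2-byte big-endian size plus payload). The header layout (magic 0xBADCC0DE, version 1) is an assumption, as are the function names and sample values; the parser rejects truncated input, bad headers and trailing bytes.

```python
import struct

# Assumed tpm2-tools credential file header: 4-byte magic then 4-byte
# version, both big-endian; an assumption, not taken from the page.
TOOLS_MAGIC = 0xBADCC0DE
TOOLS_VERSION = 1


def _marshal_tpm2b(data: bytes) -> bytes:
    """Marshal bytes as a TPM2B: 2-byte big-endian size followed by the payload."""
    if len(data) > 0xFFFF:
        raise ValueError("TPM2B payload too large")
    return struct.pack(">H", len(data)) + data


def _unmarshal_tpm2b(buf: bytes, off: int):
    """Read one TPM2B at offset off; return (payload, new offset) or raise if truncated."""
    if off + 2 > len(buf):
        raise ValueError("truncated TPM2B size field")
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("truncated TPM2B payload")
    return buf[off:off + size], off + size


def credential_to_tools_blob(id_object: bytes, encrypted_secret: bytes) -> bytes:
    """Header, then the marshalled TPM2B_ID_OBJECT and TPM2B_ENCRYPTED_SECRET."""
    header = struct.pack(">II", TOOLS_MAGIC, TOOLS_VERSION)
    return header + _marshal_tpm2b(id_object) + _marshal_tpm2b(encrypted_secret)


def tools_blob_to_credential(blob: bytes):
    """Parse a blob back into (id_object, encrypted_secret); reject anything malformed."""
    if len(blob) < 8:
        raise ValueError("blob too short for header")
    magic, version = struct.unpack_from(">II", blob, 0)
    if magic != TOOLS_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}")
    if version != TOOLS_VERSION:
        raise ValueError(f"unsupported version {version}")
    id_object, off = _unmarshal_tpm2b(blob, 8)
    secret, off = _unmarshal_tpm2b(blob, off)
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after the credential")
    return id_object, secret

# Constructed sample values, not output from a real TPM.
SAMPLE_ID_OBJECT = bytes(range(64))     # stands in for the encrypted credential area
SAMPLE_SECRET = b"\xaa" * 256           # RSA-2048 sized encrypted seed
```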
- tpm2_pytss.utils.unmarshal_tools_pcr_values(buf, selections)
Unmarshal PCR digests from tpm2_quote using the values format.
- Parameters:
buf (bytes) – content of tpm2_quote PCR output.
selections (TPML_PCR_SELECTION) – The selected PCRs.
- Returns:
A tuple of the number of bytes consumed from buf and a list of digests.
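As an added example (not the library's code) of what a quote verifier does with these digests: walk a TPMS_PCR_SELECTION bitmap in TPM order (bit j of byte i selects PCR 8*i+j), slice the raw digests out of the buffer bank by bank, and recompute the pcrDigest that the quote's TPMS_ATTEST carries (the hash of the selected values concatenated). It assumes the values format is the selected digests concatenated in selection order; PcrSelection, DIGEST_SIZE and the sample data are stand-ins constructed here.

```python
import hashlib
from dataclasses import dataclass

# Digest sizes of the hash algorithms used by TPM 2.0 PCR banks.
DIGEST_SIZE = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}


@dataclass
class PcrSelection:
    """Stand-in for TPMS_PCR_SELECTION: a bank (hash name) plus a pcrSelect bitmap."""
    hash_alg: str
    pcr_select: bytes  # bit j of byte i set => PCR 8*i + j is selected

    def pcrs(self):
        """Selected PCR numbers in ascending order, the order the TPM returns them."""
        return [8 * i + j for i, b in enumerate(self.pcr_select)
                for j in range(8) if b & (1 << j)]


def unmarshal_pcr_values(buf: bytes, selections):
    """Slice concatenated raw digests out of buf, bank by bank, in selection order.
    Returns (bytes consumed, list of digests); raises if buf is too short."""
    digests, off = [], 0
    for sel in selections:
        size = DIGEST_SIZE[sel.hash_alg]
        for _ in sel.pcrs():
            if off + size > len(buf):
                raise ValueError("PCR buffer truncated")
            digests.append(buf[off:off + size])
            off += size
    return off, digests


def pcr_composite(digests, hash_alg="sha256") -> bytes:
    """pcrDigest as it appears in a quote: hash of the selected values concatenated."""
    return hashlib.new(hash_alg, b"".join(digests)).digest()


# Constructed sample: sha256 bank, PCRs 0, 1 and 7 (bitmap byte 0 = 0b10000011).
SAMPLE_SELECTION = [PcrSelection("sha256", bytes([0x83, 0x00, 0x00]))]
SAMPLE_VALUES = b"".join(hashlib.sha256(bytes([n])).digest() for n in (0, 1, 7))
```

Comparing pcr_composite() of the parsed digests against the pcrDigest inside the signed TPMS_ATTEST is what ties a PCR file to a quote; a mismatch means the values were not the ones the TPM signed over.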
- tpm2_pytss.utils.unwrap(newparentpub, newparentpriv, public, duplicate, outsymseed, symkey=None, symdef=None)
Unwraps a key duplicated under a TPM key hierarchy; in essence, exports a key from the TPM.
This is the inverse of the wrap() routine. Unwrapping is usually performed by the TPM when importing objects; however, if an object is duplicated under a new parent for which one holds both the public and private keys, the object can be unwrapped with this function.
- Parameters:
newparentpub (TPMT_PUBLIC) – The public area of the parent the key was duplicated/wrapped under.
newparentpriv (TPMT_SENSITIVE) – The private key of the parent the key was duplicated/wrapped under.
public (TPM2B_PUBLIC) – The public area of the key to be unwrapped.
duplicate (TPM2B_PRIVATE) – The private or wrapped key to be unwrapped.
outsymseed (TPM2B_ENCRYPTED_SECRET) – The output symmetric seed from a wrap or duplicate call.
symkey (bytes or None) – Symmetric key for inner encryption. Defaults to None. When None and symdef is defined a key will be generated based on the key size for symdef.
symdef (TPMT_SYM_DEF_OBJECT or None) – Symmetric algorithm to be used for inner encryption, defaults to None. If None, no inner wrapping is performed; otherwise this should be set to AES-128 CFB, since that is what the TPM supports. To set it to AES-128 CFB, do:
TPMT_SYM_DEF(algorithm=TPM2_ALG.AES, keyBits=TPMU_SYM_KEY_BITS(sym=128), mode=TPMU_SYM_MODE(sym=TPM2_ALG.CFB))
- Returns:
A TPM2B_SENSITIVE which contains the raw key material.
- Raises:
ValueError – If the public key type or symmetric algorithm are not supported
- tpm2_pytss.utils.wrap(newparent, public, sensitive, symkey=None, symdef=None)
Wraps a key under a TPM key hierarchy.
A key is wrapped following the Duplication protections of the TPM Architecture specification. The architecture specification is found in "Part 1: Architecture" at the following link: https://trustedcomputinggroup.org/resource/tpm-library-specification/
At the time of this writing, spec 1.59 was the most recent, and the relevant material was in section 23.3, titled "Duplication".
- Parameters:
newparent (TPMT_PUBLIC) – The public area of the parent
public (TPM2B_PUBLIC) – The public area of the key
sensitive (TPM2B_SENSITIVE) – The sensitive area of the key
symkey (bytes or None) – Symmetric key for inner encryption. Defaults to None. When None and symdef is defined a key will be generated based on the key size for symdef.
symdef (TPMT_SYM_DEF_OBJECT or None) – Symmetric algorithm to be used for inner encryption, defaults to None. If None, no inner wrapping is performed; otherwise this should be set to AES-128 CFB, since that is what the TPM supports. To set it to AES-128 CFB, do:
TPMT_SYM_DEF(algorithm=TPM2_ALG.AES, keyBits=TPMU_SYM_KEY_BITS(sym=128), mode=TPMU_SYM_MODE(sym=TPM2_ALG.CFB))
- Returns:
A tuple of (TPM2B_DATA, TPM2B_PRIVATE, TPM2B_ENCRYPTED_SECRET), which are the encryption key, the wrapped duplicate and the encrypted seed.
- Raises:
ValueError – If the public key type or symmetric algorithm are not supported