REM #############################################################################
REM # #
REM # TPM2 regression test #
REM # Written by Ken Goldman #
REM # IBM Thomas J. Watson Research Center #
REM # #
REM # (c) Copyright IBM Corporation 2015 - 2020 #
REM # #
REM # All rights reserved. #
REM # #
REM # Redistribution and use in source and binary forms, with or without #
REM # modification, are permitted provided that the following conditions are #
REM # met: #
REM # #
REM # Redistributions of source code must retain the above copyright notice, #
REM # this list of conditions and the following disclaimer. #
REM # #
REM # Redistributions in binary form must reproduce the above copyright #
REM # notice, this list of conditions and the following disclaimer in the #
REM # documentation and/or other materials provided with the distribution. #
REM # #
REM # Neither the names of the IBM Corporation nor the names of its #
REM # contributors may be used to endorse or promote products derived from #
REM # this software without specific prior written permission. #
REM # #
REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
REM # #
REM #############################################################################
REM # used for the name in policy ticket
REM if [ -z $TPM_DATA_DIR ]; then
REM TPM_DATA_DIR=.
REM fi
REM Delayed expansion is required so that ERRORLEVEL can be read after each step.
setlocal enableDelayedExpansion
REM Each TPM utility writes its output to run.out. A step that must succeed
REM aborts the script with exit code 1 on a non-zero ERRORLEVEL; a step that
REM is labelled "should fail" aborts when the command unexpectedly succeeds.
echo ""
echo "Policy Command Code"
echo ""
REM Handles in this section: 80000000 primary key, 80000001 signing key,
REM 03000000 policy session.
echo "Create a signing key under the primary key - policy command code - sign"
%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Load the signing key under the primary key"
%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Password authorization still works; the policy is an alternative, not a replacement.
echo "Sign a digest"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Sign with the correct policy command code.
echo "Start a policy session"
%TPM_EXE_PATH%startauthsession -se p > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM A fresh session has an empty policy digest, so it does not match the key yet.
echo "Sign a digest - policy, should fail"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Policy command code - sign"
%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM This policy has no password or authValue term, so the wrong -pwdk is
REM ignored and the command is authorized by the policy alone.
echo "Sign a digest - policy and wrong password"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Once a policy session has authorized a command its digest is reset, so the
REM same session cannot authorize a second sign without being rebuilt.
echo "Sign a digest - policy, should fail, session used "
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
REM Quote with a mismatched policy or command code; the session above is reused.
echo "Policy command code - sign"
%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Quote - PWAP"
%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -pwdk sig > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM The session is satisfied for Sign, not Quote.
echo "Quote - policy, should fail"
%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Policy restart, set back to zero"
%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Satisfying the session for Quote does not help either: the key's policy
REM was computed for the Sign command code.
echo "Policy command code - quote"
%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 158 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Quote - policy, should fail"
%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
REM Policy session 03000000 is intentionally left loaded for the next section.
echo "Flush the signing key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo ""
echo "Policy Command Code and Policy Password / Authvalue"
echo ""
REM The key's policy now also requires the authValue, supplied either as a
REM cleartext password via PolicyPassword or as an HMAC via PolicyAuthValue.
REM Policy session 03000000 left by the previous section is reused and reset.
echo "Create a signing key under the primary key - policy command code - sign, auth"
%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Load the signing key under the primary key"
%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM PolicyPassword
echo "Policy restart, set back to zero"
%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign a digest - policy, should fail"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Policy command code - sign"
%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM The command code alone is no longer enough for this key.
echo "Sign a digest - policy, should fail"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Policy password"
%TPM_EXE_PATH%policypassword -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign a digest - policy, no password should fail"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Sign a digest - policy, password"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM PolicyAuthValue, on the same session, which its successful use above reset.
echo "Policy command code - sign"
%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy authvalue"
%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign a digest - policy, no password should fail"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
REM Session attribute 0 rather than 1: the session is not continued and is
REM flushed by the TPM once this command succeeds.
echo "Sign a digest - policy, password"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 -pwdk sig > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Flush the signing key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo ""
echo "Policy Password and Policy Authvalue flags"
echo ""
REM Run the same sequence once with policypassword and once with policyauthvalue.
REM Each pass creates a key whose policy needs the authValue, satisfies it, then
REM reuses the same session for a key whose policy does not, presumably to check
REM that the password or authValue requirement did not survive the session's reset.
REM The key and the policy session are flushed at the end of every pass.
for %%C in (policypassword policyauthvalue) do (
  echo "Create a signing key under the primary key - policy command code - sign, auth"
  %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Load the signing key under the primary key"
  %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Start a policy session"
  %TPM_EXE_PATH%startauthsession -se p > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Policy command code - sign"
  %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Policy %%C"
  %TPM_EXE_PATH%%%C -ha 03000000 > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Sign a digest - policy, password"
  %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Flush signing key"
  %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  REM Second key: command code only, no authValue term in its policy.
  echo "Create a signing key under the primary key - policy command code - sign"
  %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Load the signing key under the primary key"
  %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Policy command code - sign"
  %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  REM Expected to succeed: the wrong password must be ignored for this key.
  echo "Sign a digest - policy and wrong password"
  %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Flush signing key"
  %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Flush policy session"
  %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
)
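echo ""
echo "Policy Signed"
echo ""
REM # create rsaprivkey.pem
REM # > openssl genrsa -out rsaprivkey.pem -aes256 -passout pass:rrrr 2048
REM # extract the public key
REM # > openssl pkey -inform pem -outform pem -in rsaprivkey.pem -passin pass:rrrr -pubout -out rsapubkey.pem
REM # sign a test message msg.bin
REM # > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
REM #
REM # create the policy:
REM # use loadexternal -ns to get the name
REM
REM # sha1
REM # 00044234c24fc1b9de6693a62453417d2734d7538f6f
REM # sha256
REM # 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
REM # sha384
REM # 000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
REM # sha512
REM # 000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
REM
REM # 00000160 plus the above name as text, add a blank line for empty policyRef
REM # to create policies/policysigned$HALG.txt
REM #
REM # 0000016000044234c24fc1b9de6693a62453417d2734d7538f6f
REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
REM # 00000160000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
REM # 00000160000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
REM #
REM # use sha256 policies, policymaker default (policy session digest
REM # algorithm is separate from Name and signature hash algorithm)
REM #
REM # > policymaker -if policies/policysigned$HALG.txt -of policies/policysigned$HALG.bin -pr
REM #
REM # sha1
REM # 9d 81 7a 4e e0 76 eb b5 cf ee c1 82 05 cc 4c 01
REM # b3 a0 5e 59 a9 b9 65 a1 59 af 1e cd 3d bf 54 fb
REM # sha256
REM # de bf 9d fa 3c 98 08 0b f1 7d d1 d0 7b 54 fd e1
REM # 07 93 7f e5 40 50 9e 70 96 aa 73 27 53 b3 83 31
REM # sha384
REM # 45 c5 da 90 76 92 3a 70 03 6f df 56 ea e7 df db
REM # 41 e2 01 75 24 49 54 94 66 93 6b c4 fc 88 ab 5c
REM # sha512
REM # cd 34 96 08 39 ea 40 88 5e fa 7f 37 8b a7 21 f1
REM # 78 6d 52 bb 93 47 9c 73 45 88 3c dc 1f 09 06 6f
REM #
REM # 80000000 primary key
REM # 80000001 verification public key
REM # 80000002 signing key with policy
REM # 03000000 policy session
REM The loop runs once per hash algorithm in ITERATE_ALGS. Every openssl
REM signing step is checked like the TPM steps: a failed signing would otherwise
REM leave a stale pssig.bin from an earlier iteration and surface later as a
REM confusing verify or policysigned failure instead of at its source.
for %%H in (%ITERATE_ALGS%) do (
  REM -ns writes the Name to h80000001.bin, which policyticket reads below.
  echo "Load external just the public part of PEM at 80000001 - %%H"
  %TPM_EXE_PATH%loadexternal -halg %%H -nalg %%H -ipem policies/rsapubkey.pem -ns > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Sign a test message with openssl - %%H"
  openssl dgst -%%H -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Verify the signature with 80000001 - %%H"
  %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if msg.bin -is pssig.bin -raw > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Create a signing key under the primary key - policy signed - %%H"
  %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysigned%%H.bin > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Load the signing key under the primary key at 80000002"
  %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Start a policy session"
  %TPM_EXE_PATH%startauthsession -se p > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Sign a digest - policy, should fail"
  %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
  IF !ERRORLEVEL! EQU 0 exit /B 1
  REM Case 1: the utility signs the policy challenge itself with the PEM key.
  echo "Policy signed - sign with PEM key - %%H"
  %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg %%H -pwdk rrrr > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Get policy digest"
  %TPM_EXE_PATH%policygetdigest -ha 03000000 -of tmppol.bin > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Sign a digest - policy signed"
  %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Policy restart, set back to zero"
  %TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  REM Case 2: the signature over the zero expiration is produced externally
  REM and passed in with -is.
  echo "Sign just expiration (uint32_t 4 zeros) with openssl - %%H"
  openssl dgst -%%H -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/zero4.bin
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Policy signed, signature generated externally - %%H"
  %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg %%H -is pssig.bin > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Sign a digest - policy signed"
  %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  REM Case 3: bind nonceTPM and an expiration into a ticket, then replay the
  REM ticket in a fresh session with policyticket.
  echo "Start a policy session - save nonceTPM"
  %TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Policy signed with nonceTPM and expiration, create a ticket - %%H"
  %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg %%H -pwdk rrrr -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Sign a digest - policy signed"
  %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Start a policy session"
  %TPM_EXE_PATH%startauthsession -se p > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Policy ticket"
  %TPM_EXE_PATH%policyticket -ha 03000000 -to to.bin -na h80000001.bin -tk tkt.bin > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Sign a digest - policy ticket"
  %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Flush the verification public key"
  %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
  echo "Flush the signing key"
  %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
  IF !ERRORLEVEL! NEQ 0 exit /B 1
)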
REM Debug aids: uncomment to list the loaded handles of each type.
REM # getcapability -cap 1 -pr 80000000
REM # getcapability -cap 1 -pr 02000000
REM # getcapability -cap 1 -pr 03000000
REM # exit 0
echo ""
echo "Policy Secret"
echo ""
REM # 4000000c platform
REM # 80000000 primary key
REM # 80000001 signing key with policy
REM # 03000000 policy session
REM # 02000001 hmac session
REM The platform auth is set to ppp for this section and restored to null at the end.
echo "Change platform hierarchy auth"
%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Create a signing key under the primary key - policy secret using platform auth"
%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretp.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Load the signing key under the primary key"
%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM -on saves nonceTPM so it can be bound into the policysecret ticket.
echo "Start a policy session"
%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM A failed command does not consume the session, even with attribute 0.
echo "Sign a digest - policy, should fail"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Policy Secret with PWAP session, create a ticket"
%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign a digest - policy secret"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Start a policy session"
%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM NOTE: the label below says primary key, but the command authorizes the
REM platform hierarchy 4000000c with ppp exactly as the previous step did;
REM confirm which object this step was meant to exercise.
echo "Policy Secret using primary key, create a ticket"
%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign a digest - policy secret"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Start a policy session"
%TPM_EXE_PATH%startauthsession -se p > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Replay the ticket in a fresh session instead of presenting the auth again.
echo "Policy ticket"
%TPM_EXE_PATH%policyticket -ha 03000000 -to to.bin -hi p -tk tkt.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign a digest - policy ticket"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Start a policy session"
%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Start an HMAC session"
%TPM_EXE_PATH%startauthsession -se h > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM The platform auth is proven over HMAC session 02000001 rather than as a
REM cleartext password; attribute 0 lets the TPM flush that session afterwards.
echo "Policy Secret with HMAC session"
%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -se0 02000001 0 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign a digest - policy secret"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Change platform hierarchy auth back to null"
%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Flush the signing key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
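echo ""
echo "Policy Secret with NV Auth"
echo ""
REM Name is
REM 00 0b e0 65 10 81 c2 fc da 30 69 93 da 43 d1 de
REM 5b 24 be 42 6e 2d 61 90 7b 42 83 54 69 13 6c 97
REM 68 1f
REM
REM Policy is
REM c6 93 f9 b0 ef 1a b7 1e ca ae 00 af 1f 0b f4 88
REM 37 9e ab 16 c1 f8 0d 9f f9 6d 90 41 4e 2f c6 b3
REM NV index 01000000 is defined with auth nnn; the key's policy is satisfied
REM by a PolicySecret proved with that auth. The index is undefined at the end.
REM The step labels now show the full 8-digit handle 01000000, and the
REM duplicated -pwdn nnn argument on nvdefinespace was dropped.
echo "NV Define Space 01000000"
%TPM_EXE_PATH%nvdefinespace -hi p -ha 01000000 -pwdn nnn -sz 16 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Create a signing key under the primary key - policy secret NV auth"
%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretnv.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Load the signing key under the primary key"
%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Start a policy session"
%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM A fresh session does not match the key's policy yet.
echo "Sign a digest - policy, should fail"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Policy Secret with PWAP session"
%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn -in noncetpm.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Attribute 0: the policy session is flushed once the sign succeeds.
echo "Sign a digest - policy secret"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Flush the signing key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "NV Undefine Space 01000000"
%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1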
echo ""
echo "Policy Secret with Object"
echo ""
REM # Use an externally generated object so that the Name is known and thus
REM # the policy can be precalculated
REM # Name
REM # 00 0b 64 ac 92 1a 03 5c 72 b3 aa 55 ba 7d b8 b5
REM # 99 f1 72 6f 52 ec 2f 68 20 42 fc 0e 0d 29 fa e8
REM # 17 99
REM # 00000151 plus the above name as text, add a blank line for empty policyRef
REM # to create policies/policysecretsha256.txt
REM # 00000151000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
REM # 4b 7f ca c2 b7 c3 ac a2 7c 5c da 9c 71 e6 75 28
REM # 63 d2 87 d2 33 ec 49 0e 7a be 88 f1 ef 94 5d 5c
REM Handles: 80000001 externally loaded RSA key whose auth rrrr is the secret,
REM 80000002 signing key under the primary, 03000000 policy session.
echo "Load the RSA openssl key pair in the NULL hierarchy 80000001"
%TPM_EXE_PATH%loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM -uwa clears userWithAuth, so the key's own password must not authorize signing.
echo "Create a signing key under the primary key - policy secret of object 80000001"
%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -uwa -pol policies/policysecretsha256.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Load the signing key under the primary key 80000002"
%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign a digest - password auth - should fail"
%TPM_EXE_PATH%sign -hk 80000002 -if policies/aaa -pwdk sig > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Start a policy session 03000000"
%TPM_EXE_PATH%startauthsession -se p > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Knowing the auth of object 80000001 satisfies the signing key's policy.
echo "Policy Secret with PWAP session"
%TPM_EXE_PATH%policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign a digest - policy secret"
%TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Flush the policysecret key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Reload the same key with userWithAuth clear; the test expects PolicySecret
REM against it to be rejected, since its authValue may no longer be used that way.
echo "Load the RSA openssl key pair in the NULL hierarchy, userWithAuth false 80000001"
%TPM_EXE_PATH%loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr -uwa > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy Secret with PWAP session - should fail"
%TPM_EXE_PATH%policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Flush the policysecret key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Flush the signing key"
%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Flush the session"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
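echo ""
echo "Policy Authorize"
echo ""
REM # 80000000 primary
REM # 80000001 verification public key, openssl
REM # 80000002 signing key
REM # 03000000 policy session
REM # Name for 80000001 0004 4234 c24f c1b9 de66 93a6 2453 417d 2734 d753 8f6f
REM #
REM # policyauthorizesha256.txt
REM # 0000016a000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
REM #
REM # (need blank line for policyRef)
REM #
REM # > policymaker -if policies/policyauthorizesha256.txt -of policies/policyauthorizesha256.bin -pr
REM #
REM # eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
REM # ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
REM The key's policy delegates to whatever policy the PEM key has signed.
echo "Create a signing key with policy authorize"
%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyauthorizesha256.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Load external just the public part of PEM authorizing key"
%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Load the signing key under the primary key"
%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Start a policy session"
%TPM_EXE_PATH%startauthsession -se p > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Get policy digest, should be zero"
%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy command code - sign"
%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM policyapproved.bin now holds the policy to be approved, which is what the
REM authorizing PEM key signs.
echo "Get policy digest, should be policy to approve, aHash input"
%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Openssl generate aHash"
openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policyapproved.bin
REM Abort if openssl could not sign, so a stale pssig.bin is never verified.
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Verify the signature to generate ticket"
%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policyapproved.bin -is pssig.bin -raw -tk tkt.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy authorize using the ticket"
%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policyapproved.bin -skn h80000001.bin -tk tkt.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Get policy digest, should be policy authorize"
%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Attribute 0: the policy session is flushed once the sign succeeds.
echo "Sign a digest"
%TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Flush the verification public key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Flush the signing key"
%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1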
REM Debug aids: uncomment to list the loaded handles of each type.
REM # getcapability -cap 1 -pr 80000000
REM # getcapability -cap 1 -pr 02000000
REM # getcapability -cap 1 -pr 03000000
REM # exit 0
echo ""
echo "Set Primary Policy"
echo ""
REM Platform auth starts out null, so an empty policy can be set without a password.
echo "Platform policy empty"
%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Supplying a password while the platform auth is null is expected to be rejected.
echo "Platform policy empty, bad password"
%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Set platform hierarchy auth"
%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM With the auth set to ppp, omitting the password must now be rejected.
echo "Platform policy empty, bad password"
%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Platform policy empty"
%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Platform policy to policy secret platform auth"
%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp -halg sha256 -pol policies/policysecretp.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Start a policy session"
%TPM_EXE_PATH%startauthsession -se p > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy Secret with PWAP session"
%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM The platform policy set just above authorizes this change back to a null
REM auth. The platform policy itself is not cleared in this section.
echo "Change platform hierarchy auth to null with policy secret"
%TPM_EXE_PATH%hierarchychangeauth -hi p -se0 03000000 0 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo ""
echo "Policy PCR no select"
echo ""
REM # create AND term for policy PCR
REM # > policymakerpcr -halg sha1 -bm 0 -v -pr -of policies/policypcr.txt
REM # 0000017f00000001000403000000da39a3ee5e6b4b0d3255bfef95601890afd80709
REM
REM # convert to binary policy
REM # > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
REM
REM # 6d 38 49 38 e1 d5 8b 56 71 92 55 94 3f 06 69 66
REM # b6 fa 2c 23
REM With an empty PCR selection the policy still ties the session to the PCR
REM update counter, which is what the extend below exercises.
echo "Create a signing key with policy PCR no select"
%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcrbm0.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Load the signing key under the primary key"
%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM The session digest algorithm is sha1 to match the sha1 policy.
echo "Start a policy session"
%TPM_EXE_PATH%startauthsession -halg sha1 -se p > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy PCR, update with the correct digest"
%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy get digest - should be 6d 38 49 38 ... "
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign, should succeed"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy restart, set back to zero"
%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy PCR, update with the correct digest"
%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM PCR 0 is not selected, but extending it bumps the update counter and
REM invalidates the PolicyPCR evaluation made above.
echo "PCR extend PCR 0, updates pcr counter"
%TPM_EXE_PATH%pcrextend -ha 0 -halg sha1 -if policies/aaa > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign, should fail"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Flush the policy session"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Flush the key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
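REM # policypcr0.txt has 20 * 00
REM # create AND term for policy PCR
REM # > policymakerpcr -halg sha1 -bm 10000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
REM # convert to binary policy
REM # > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
echo ""
echo "Policy PCR"
echo ""
REM The policy selects PCR 16, bitmap 10000, with an all-zero sha1 value.
echo "Create a signing key with policy PCR PCR 16 zero"
%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcr.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Load the signing key under the primary key"
%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Reset PCR 16 back to zero"
%TPM_EXE_PATH%pcrreset -ha 16 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Read PCR 16, should be 00 00 00 00 ..."
%TPM_EXE_PATH%pcrread -ha 16 -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM The session digest algorithm is sha1 to match the sha1 policy.
echo "Start a policy session"
%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign, policy not satisfied - should fail"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Policy PCR, update with the correct digest"
%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy get digest - should be 85 33 11 83"
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Attribute 0: the policy session is flushed once the sign succeeds.
echo "Sign, should succeed"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "PCR extend PCR 16"
%TPM_EXE_PATH%pcrextend -ha 16 -halg sha1 -if policies/aaa > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM Label corrected: this reads PCR 16, the PCR just extended, not PCR 0.
echo "Read PCR 16, should be 1d 47 f6 8a ..."
%TPM_EXE_PATH%pcrread -ha 16 -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Start a policy session"
%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM PolicyPCR records the current PCR 16 value, which no longer matches the
REM all-zero value the key's policy was computed for.
echo "Policy PCR, update with the wrong digest"
%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy get digest - should be 66 dd e5 e3"
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign - should fail"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
REM The failed sign did not consume the session, so it must be flushed here.
echo "Flush the policy session"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Flush the key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1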
REM # 01000000 authorizing index
REM # 01000001 authorized index
REM # 03000000 policy session
REM #
REM # 4 byte NV index
REM # policynv.txt
REM # policy CC_PolicyNV || args || Name
REM #
REM # policynvargs.txt (binary)
REM # args = hash of 0000 0000 0000 0000 | 0000 | 0000 (eight bytes of zero | offset | op ==)
REM # hash -hi n -halg sha1 -if policies/policynvargs.txt -v
REM # openssl dgst -sha1 policies/policynvargs.txt
REM # 2c513f149e737ec4063fc1d37aee9beabc4b4bbf
REM #
REM # NV authorizing index
REM #
REM # after defining index and NV write to set written, use
REM # nvreadpublic -ha 01000000 -nalg sha1
REM # to get name
REM # 00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
REM #
REM # append Name to policynvnv.txt
REM #
REM # convert to binary policy
REM # > policymaker -halg sha1 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
REM # bc 9b 4c 4f 7b 00 66 19 5b 1d d9 9c 92 7e ad 57 e7 1c 2a fc
REM #
REM # file zero8.bin has 8 bytes of hex zero
REM #
REM # The authorized index 01000001 can only be written when the policy
REM # session has run PolicyNV proving that the authorizing index 01000000
REM # compares equal (op 0) to eight bytes of zero.  Since the Name of the
REM # authorizing index is baked into the policy, it must be defined, set
REM # written and read back exactly as in the pre-computation above.
echo ""
echo "Policy NV, NV index authorizing"
echo ""
REM # -ty b : bits index, so nvsetbits can mark it written without changing
REM # its (zero) contents.
echo "Define a setbits index, authorizing index"
%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -ty b > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV Read public, get Name, not written"
%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # No -bit: sets the written attribute only; the value stays zero.
echo "NV setbits to set written"
%TPM_EXE_PATH%nvsetbits -ha 01000000 -pwdn nnn > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV Read public, get Name, written"
%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV Read, should be zero"
%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # The authorized index carries the pre-computed PolicyNV policy.
echo "Define an ordinary index, authorized index, policyNV"
%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV Read public, get Name, not written"
%TPM_EXE_PATH%nvreadpublic -ha 01000001 -nalg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # First write uses the index password so the written attribute is set
REM # before the policy path is exercised.
echo "NV write to set written"
%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -ic aa > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Start policy session"
%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Fresh session, digest still zero, so the write must be rejected.
echo "NV write, policy not satisfied - should fail"
%TPM_EXE_PATH%nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
echo "Policy get digest, should be 0"
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # PolicyNV: authorize with the authorizing index password (-pwda), compare
REM # its contents against zero8.bin with op 0 (==).
echo "Policy NV to satisfy the policy"
%TPM_EXE_PATH%policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Policy get digest, should be bc 9b 4c 4f ..."
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV write, policy satisfied"
%TPM_EXE_PATH%nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Negative case: once bit 0 is set the authorizing index no longer
REM # compares equal to zero, so PolicyNV must fail.
echo "Set bit in authorizing NV index"
%TPM_EXE_PATH%nvsetbits -ha 01000000 -pwdn nnn -bit 0 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV Read, should be 1"
%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Policy NV to satisfy the policy - should fail"
%TPM_EXE_PATH%policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
REM # The test expects the failed PolicyNV to leave the session digest at zero.
echo "Policy get digest, should be 00 00 00 00 ..."
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV Undefine authorizing index"
%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV Undefine authorized index"
%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000001 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush policy session"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo ""
echo "Policy NV Written"
echo ""
REM # Index 01000000 carries policies/policywrittenset.bin, a PolicyNvWritten
REM # policy with writtenSet = YES.  A policy-session write therefore needs
REM # both a matching PolicyNvWritten (-ws y) in the session and the index
REM # actually having its written attribute set.
REM # 01000000 NV index, 03000000 policy session.
echo "Define an ordinary index, authorized index, policyNV"
%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV Read public, get Name, not written"
%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Start policy session"
%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Fresh session, digest zero: write must be rejected.
echo "NV write, policy not satisfied - should fail"
%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
REM # -ws n produces a different digest than the index policy (writtenSet YES),
REM # so the command succeeds but the write still fails.
echo "Policy NV Written no, does not satisfy policy"
%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV write, policy not satisfied - should fail"
%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
echo "Flush policy session"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Start policy session"
%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Digest now matches the index policy, but the index has never been
REM # written, so the TPM must still reject the write.
echo "Policy NV Written yes, satisfy policy"
%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV write, policy satisfied but written clear - should fail"
%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
echo "Flush policy session"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Password write sets the written attribute; after this the policy path works.
echo "NV write using password, set written"
%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -pwdn nnn > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Start policy session"
%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Policy NV Written yes, satisfy policy"
%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV write, policy satisfied"
%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush policy session"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Start policy session"
%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Two contradictory PolicyNvWritten assertions in one session: the test
REM # expects the TPM to reject the second one.
echo "Policy NV Written no"
%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Policy NV Written yes - should fail"
%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
echo "Flush policy session"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV Undefine authorizing index"
%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
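echo ""
echo "Policy Signed externally signed cpHash"
echo ""
REM # NV Index 01000000 has policy OR
REM
REM # Policy A - provisioning: policy written false + policysigned
REM # demo: authorizer signs NV write all zero
REM
REM # Policy B - application: policy written true + policysigned
REM # demo: authorizer signs NV write abcdefgh
REM
REM # Handles: 80000001 public half of the authorizer key (policies/rsapubkey.pem),
REM # 01000000 NV index, 03000000 policy session.  The authorizer's private
REM # key (policies/rsaprivkey.pem, passphrase rrrr) is a test fixture and is
REM # only ever used by openssl outside the TPM.
echo "Load external just the public part of PEM at 80000001"
%TPM_EXE_PATH%loadexternal -ipem policies/rsapubkey.pem > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Get the Name of the signing key at 80000001"
%TPM_EXE_PATH%readpublic -ho 80000001 -ns > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
REM
REM # construct policy A
REM
REM # policies/policywrittenclrsigned.txt
REM # 0000018f00
REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
REM # Add the extra blank line here for policyRef
REM
REM # policymaker -if policies/policywrittenclrsigned.txt -of policies/policywrittenclrsigned.bin -pr -ns -v
REM # intermediate policy digest length 32
REM # 3c 32 63 23 67 0e 28 ad 37 bd 57 f6 3b 4c c3 4d
REM # 26 ab 20 5e f2 2f 27 5c 58 d4 7f ab 24 85 46 6e
REM # intermediate policy digest length 32
REM # 6b 0d 2d 2b 55 4d 68 ec bc 6c d5 b8 c0 96 c1 70
REM # 57 5a 95 25 37 56 38 7e 83 d7 76 d9 5b 1b 8e f3
REM # intermediate policy digest length 32
REM # 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87
REM # 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2
REM # policy digest length 32
REM # 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87
REM # 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2
REM # policy digest:
REM # 480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f2
REM
REM # construct policy B
REM
REM # policies/policywrittensetsigned.txt
REM # 0000018f01
REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
REM # Add the extra blank line here for policyRef
REM
REM # policymaker -if policies/policywrittensetsigned.txt -of policies/policywrittensetsigned.bin -pr -ns -v
REM # intermediate policy digest length 32
REM # f7 88 7d 15 8a e8 d3 8b e0 ac 53 19 f3 7a 9e 07
REM # 61 8b f5 48 85 45 3c 7a 54 dd b0 c6 a6 19 3b eb
REM # intermediate policy digest length 32
REM # 7d c2 8f b0 dd 4f ee 97 78 2b 55 43 b1 dc 6b 1e
REM # e2 bc 79 05 d4 a1 f6 8d e2 97 69 5f a9 aa 78 5f
REM # intermediate policy digest length 32
REM # 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82
REM # 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46
REM # policy digest length 32
REM # 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82
REM # 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46
REM # policy digest:
REM # 0943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246
REM
REM # construct the Policy OR of A and B
REM
REM # policyorwrittensigned.txt - command code plus two policy digests
REM # 00000171480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f20943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246
REM # policymaker -if policies/policyorwrittensigned.txt -of policies/policyorwrittensigned.bin -pr
REM # policy digest length 32
REM # 06 00 ae 34 7a 30 b0 67 36 d3 32 85 a0 cc ad 46
REM # 54 1e 62 71 f5 d0 85 10 a7 ff 0e 90 30 54 d6 c9
REM # The index gets an empty password (-pwdn ""); every write below is
REM # authorized through the policy session instead.
echo "Define index 01000000 with the policy OR"
%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi o -sz 8 -pwdn "" -pol policies/policyorwrittensigned.bin -at aw > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # The index Name is part of the cpHash below, and it changes once the
REM # index is written, which is why each policy has its own cpHash.
echo "Get the Name of the NV index not written, should be 00 0b ... bb 0b"
%TPM_EXE_PATH%nvreadpublic -ha 01000000 -ns > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # 000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b
echo "Start a policy session 03000000"
%TPM_EXE_PATH%startauthsession -se p > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo ""
echo "Policy A - not written"
echo ""
REM # construct cpHash for Policy A - not written, writing zeros
REM
REM # (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of 0's at offset 0000
REM # For index auth, authHandle Name and index Name are the same
REM # policies/nvwritecphasha.txt
REM # 00000137000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000800000000000000000000
REM # policymaker -nz -if policies/nvwritecphasha.txt -of policies/nvwritecphasha.bin -pr -ns
REM # policy digest length 32
REM # cf 98 1e ee 68 04 3b dd ee 0c ab bc 75 b3 63 be
REM # 3c f9 ee 22 2a 78 b8 26 3f 06 7b b3 55 2c a6 11
REM # policy digest:
REM # cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611
REM
REM # construct aHash for Policy A
REM
REM # expiration + cpHashA
REM # policies/nvwriteahasha.txt
REM # 00000000cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611
REM # just convert to binary, because openssl does the hash before signing
REM # xxd -r -p policies/nvwriteahasha.txt policies/nvwriteahasha.bin
echo "Policy NV Written no, satisfy policy"
%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Should be policy A first intermediate value 3c 32 63 23 ..."
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # The signature over aHash is produced outside the TPM.  openssl's status
REM # must be checked like every other step: if signing fails, sig.bin is the
REM # stale file left by the Policy PCR section and policysigned would be
REM # exercised with the wrong signature.
echo "Sign aHash with openssl 8813 6530 ..."
openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahasha.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo ""
echo "Policy signed, signature generated externally"
%TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphasha.bin -is sig.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Should be policy A final value 48 0b 78 2e ..."
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # PolicyOR replaces the session digest (which must equal one of the two
REM # branches) with the OR digest that the index was defined with.
echo "Policy OR"
%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Should be policy OR final value 06 00 ae 34 "
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # The written data (zero8.bin at offset 0) must match the signed cpHash.
echo "NV write to set written"
%TPM_EXE_PATH%nvwrite -ha 01000000 -if policies/zero8.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo ""
echo "Policy B - written"
echo ""
echo "Get the new (written) Name of the NV index, should be 00 0b f5 75"
%TPM_EXE_PATH%nvreadpublic -ha 01000000 -ns > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # 000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8
REM
REM # construct cpHash for Policy B
REM
REM # (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of abcdefgh at offset 0000
REM # For index auth, authHandle Name and index Name are the same
REM # policies/nvwritecphashb.txt
REM # 00000137000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000861626364656667680000
REM # policymaker -nz -if policies/nvwritecphashb.txt -of policies/nvwritecphashb.bin -pr -ns
REM # policy digest length 32
REM # df 58 08 f9 ab cb 23 7f 8c d7 c9 09 1c 86 12 2d
REM # 88 6f 02 d4 6e db 53 c8 da 39 bf a2 d6 cf 07 63
REM # policy digest:
REM # df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763
REM
REM # construct aHash for Policy B
REM
REM # expiration + cpHashA
REM # policies/nvwriteahashb.txt
REM # 00000000df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763
REM # just convert to binary, because openssl does the hash before signing
REM # xxd -r -p policies/nvwriteahashb.txt policies/nvwriteahashb.bin
REM # The same session is reused: after the PolicyOR above its digest is the
REM # OR value, and this PolicyNvWritten starts branch B from there.
echo "Policy NV Written yes, satisfy policy"
%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Should be policy B first intermediate value f7 88 7d 15 ..."
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # As for policy A, a failed openssl run would leave the policy A
REM # signature in sig.bin, so its status is checked.
echo "Sign aHash with openssl 3700 0a91 ..."
openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahashb.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo ""
echo "Policy signed, signature generated externally"
%TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphashb.bin -is sig.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Should be policy B final value 09 43 ba 3c ..."
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Policy OR"
%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Should be policy OR final value 06 00 ae 34 "
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # abcdefgh at offset 0 is exactly what the policy B cpHash covers.
echo "NV write new data"
%TPM_EXE_PATH%nvwrite -ha 01000000 -ic abcdefgh -se0 03000000 1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo ""
echo "Cleanup"
echo ""
echo "Flush the policy session 03000000"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the signature verification key 80000001"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Undefine the NV Index 01000000"
%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)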
REM # test using clockrateadjust
REM # policycphashhash.txt is (hex) 00000130 4000000c 000
REM # hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha1 -v
REM # openssl dgst -sha1 policycphashhash.txt
REM # cpHash is
REM # b5f919bbc01f0ebad02010169a67a8c158ec12f3
REM # append to policycphash.txt 00000163 + cpHash
REM # policymaker -halg sha1 -if policies/policycphash.txt -of policies/policycphash.bin -pr
REM # 06 e4 6c f9 f3 c7 0f 30 10 18 7c a6 72 69 b0 84 b4 52 11 6f
REM #
REM # PolicyCpHash pins the session to one exact command: the cpHash above
REM # covers clockrateadjust on the platform hierarchy with adjustment 0,
REM # so the same command with -adj 1 must be refused.
REM # 03000000 policy session (sha1, matching the policy).
echo ""
echo "Policy cpHash"
echo ""
REM # Install the cpHash policy as the platform hierarchy policy.
echo "Set the platform policy to policy cpHash"
%TPM_EXE_PATH%setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # ppp is presumably not the platform password in this test setup; the
REM # password path is expected to be rejected so only the policy path works.
echo "Clockrate adjust using wrong password - should fail"
%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
echo "Start policy session"
%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Clockrate adjust, policy not satisfied - should fail"
%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
echo "Policy cpHash, satisfy policy"
%TPM_EXE_PATH%policycphash -ha 03000000 -cp policies/policycphashhash.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Policy get digest, should be 06 e4 6c f9"
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Different command parameter (adj 1) gives a different cpHash: must fail.
echo "Clockrate adjust, policy satisfied but bad command params - should fail"
%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 1 -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
echo "Clockrate adjust, policy satisfied"
%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Restore the platform policy so later sections are not constrained by it.
echo "Clear the platform policy"
%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush policy session"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo ""
echo "Policy Duplication Select with includeObject FALSE"
echo ""
REM # These tests uses a new parent and object to be duplicated generated
REM # externally. This makes the Names repeatable and permits the
REM # policy to be pre-calculated and static.
REM
REM # command code 00000188
REM # newParentName
REM # 000b 1a5d f667 7533 4527 37bc 79a5 5ab6
REM # d9fa 9174 5c03 3dfe 3f82 cdf0 903b a9d6
REM # 55f1
REM # includeObject 00
REM # policymaker -if policies/policydupsel-no.txt -of policies/policydupsel-no.bin -pr -v
REM # 5f 55 ba 2b 69 0f b0 38 ac 15 ff 2a 86 ef 65 66
REM # be a8 23 68 43 97 4c 3f a7 36 37 72 56 ec bc 45
REM
REM # 80000000 SK storage primary key
REM # 80000001 NP new parent, the target of the duplication
REM # 80000002 SI signing key, duplicate from SK to NP
REM # 03000000 policy session
REM
REM # With includeObject FALSE the policy names only the new parent, so any
REM # object carrying policies/policydupsel-no.bin may be duplicated to NP,
REM # but to NP only.
REM # Both NP and SI are imported from the same PEM (policies/rsaprivkey.pem,
REM # passphrase rrrr) so that their Names, and hence the policy, are fixed.
echo "Import the new parent storage key NP under the primary key"
%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -st -pwdk rrrr -opu tmpstpub.bin -opr tmpstpriv.bin -halg sha256 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Load the new parent TPM storage key NP at 80000001"
%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpstpub.bin -ipr tmpstpriv.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Import a signing key SI under the primary key 80000000, with policy duplication select"
%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policydupsel-no.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Load the signing key SI at 80000002"
%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Sanity check that SI works before it is duplicated.
echo "Sign a digest"
%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the signature"
%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Start a policy session 03000000"
%TPM_EXE_PATH%startauthsession -se p > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # h80000001.bin / h80000002.bin hold the Names of the objects at those
REM # handles; presumably written by the load commands above - confirm.
echo "Policy duplication select, object SI 80000002 to new parent NP 80000001"
%TPM_EXE_PATH%policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Get policy digest, should be 5f 55 ba 2b ...."
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Duplication is authorized by the policy session, not by SI's password.
echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001"
%TPM_EXE_PATH%duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the original SI at 80000002 to free object slot for import"
%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Re-wrap the duplicated blob under NP and prove the result still signs.
echo "Import signing key SI under new parent TPM storage key NP 80000001"
%TPM_EXE_PATH%import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Load the signing key SI at 80000002"
%TPM_EXE_PATH%load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Sign a digest"
%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the signature"
%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # NP (80000001) is intentionally left loaded for the next section.
echo "Flush the duplicated SI at 80000002"
%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
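echo ""
echo "Policy Duplication Select with includeObject TRUE"
echo ""
REM # command code 00000188
REM # SI objectName
REM # 000b 6319 28da 1624 3135 3a59 c03a 2ca7
REM # dbb7 0989 1440 4236 3c7f a838 39d9 da6c
REM # 437a
REM # HP newParentName
REM # 000b
REM # 1a5d f667 7533 4527 37bc 79a5 5ab6 d9fa
REM # 9174 5c03 3dfe 3f82 cdf0 903b a9d6 55f1
REM # includeObject 01
REM
REM # policymaker -if policies/policydupsel-yes.txt -of policies/policydupsel-yes.bin -pr -v
REM # 14 64 06 4c 80 cb e3 4f f5 03 82 15 38 62 43 17
REM # 93 94 8f f1 e8 8a c6 23 4d d1 b0 c5 4c 05 f7 3b
REM
REM # 80000000 SK storage primary key
REM # 80000001 NP new parent, the target of the duplication
REM # 80000002 SI signing key, duplicate from SK to NP
REM # 03000000 policy session
REM
REM # With includeObject TRUE the policy names both SI and NP.  Because SI's
REM # Name depends on its policy, the object cannot carry the dupsel policy
REM # directly; instead SI carries a PolicyAuthorize policy and the dupsel
REM # policy (policydupsel-yes.bin) is approved at run time by a signature
REM # from the authorizing key (policies/rsaprivkey.pem, test passphrase rrrr).
REM # Handle 80000002 is reused for SI, then the authorizing public key, then
REM # SI again; h80000002.bin refers to whichever object is loaded there at
REM # the time (presumably rewritten by load/loadexternal - confirm).
REM # NP at 80000001 is still loaded from the previous section.
echo "Import a signing key SI under the primary key 80000000, with policy authorize"
%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Load the signing key SI with objectName 000b 6319 28da at 80000002"
%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Sign a digest"
%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the signature"
%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Start a policy session 03000000"
%TPM_EXE_PATH%startauthsession -se p > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # -io : includeObject, so SI's Name (h80000002.bin, SI at this point) is
REM # folded into the digest along with NP's Name.
echo "Policy duplication select, object SI 80000002 to new parent NP 80000001 with includeObject"
%TPM_EXE_PATH%policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin -io > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Get policy digest,should be policy to approve, aHash input 14 64 06 4c same as policies/policydupsel-yes.bin"
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the original SI at 80000002 to free object slot for loadexternal "
%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # The approval signature is produced outside the TPM.  Its status must be
REM # checked like every other step; otherwise a failed openssl run would
REM # leave pssig.bin missing or stale and the verifysignature below would
REM # report the wrong failure.
echo "Openssl generate and sign aHash (empty policyRef)"
openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policydupsel-yes.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Load external just the public part of PEM authorizing key 80000002"
%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # The TPM verifies the approval signature and issues a ticket (-tk) that
REM # policyauthorize consumes; -skn is the Name of the authorizing key.
echo "Verify the signature against 80000002 to generate ticket"
%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/policydupsel-yes.bin -is pssig.bin -raw -tk tkt.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Policy authorize using the ticket"
%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policydupsel-yes.bin -skn h80000002.bin -tk tkt.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Get policy digest"
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the PEM authorizing verification key at 80000002 to free object slot for import"
%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Reload SI so the duplicate command below has its object handle.
echo "Load the original signing key SI at 80000002"
%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001 000b 1a5d f667"
%TPM_EXE_PATH%duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the original SI at 80000002 to free object slot for import"
%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Import signing key SI under new parent TPM storage key NP 80000001"
%TPM_EXE_PATH%import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Load the signing key SI at 80000002"
%TPM_EXE_PATH%load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Sign a digest"
%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the signature"
%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the duplicated SI at 80000002"
%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the new parent TPM storage key NP 80000001"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)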
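echo ""
echo "Policy Name Hash"
echo ""
REM # signing key SI Name
REM # 000b
REM # 6319 28da 1624 3135 3a59 c03a 2ca7 dbb7
REM # 0989 1440 4236 3c7f a838 39d9 da6c 437a
REM
REM # compute nameHash
REM
REM # nameHash - just a hash, not an extend
REM # policymaker -if policies/pnhnamehash.txt -of policies/pnhnamehash.bin -nz -pr -v -ns
REM # 18 e0 0c 62 77 18 d9 fc 81 22 3d 8a 56 33 7e eb
REM # 0e 7d 98 28 bd 7b c7 29 1d 3c 27 3f 7a c4 04 f1
REM # 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1
REM
REM # compute policy (based on the nameHash above)
REM
REM # 00000170 TPM_CC_PolicyNameHash
REM # signing key SI Name
REM # 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1
REM
REM # policymaker -if policies/policynamehash.txt -of policies/policynamehash.bin -pr -v
REM # 96 30 f9 00 c3 4c 66 09 c1 c5 92 41 78 c1 b2 3d
REM # 9f d4 93 f4 f9 c2 98 c8 30 4a e3 0f 97 a2 fd 49
REM
REM # 80000000 SK storage primary key
REM # 80000001 SI signing key
REM # 80000002 Authorizing public key
REM # 03000000 policy session
REM
REM # Same shape as the includeObject TRUE section: SI carries a
REM # PolicyAuthorize policy, and the PolicyNameHash policy is approved at run
REM # time by a signature from the authorizing key (test passphrase rrrr).
echo "Import a signing key SI under the primary key 80000000, with policy authorize"
%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Load the signing key SI at 80000001"
%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Sign a digest using the password"
%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the signature"
%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Start a policy session 03000000"
%TPM_EXE_PATH%startauthsession -se p > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Binds the session to the pre-computed hash of SI's Name.
echo "Policy name hash, object SI 80000001"
%TPM_EXE_PATH%policynamehash -ha 03000000 -nh policies/pnhnamehash.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Get policy digest, should be policy to approve, 96 30 f9 00"
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # The approval signature is produced outside the TPM.  Its status must be
REM # checked like every other step; otherwise a failed openssl run would
REM # leave pssig.bin as the stale signature from the previous section and
REM # the verifysignature below would report the wrong failure.
echo "Openssl generate and sign aHash (empty policyRef)"
openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policynamehash.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Load external just the public part of PEM authorizing key 80000002"
%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the signature against 80000002 to generate ticket"
%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/policynamehash.bin -is pssig.bin -raw -tk tkt.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # -skn h80000002.bin is the Name of the authorizing key just loaded.
echo "Policy authorize using the ticket"
%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policynamehash.bin -skn h80000002.bin -tk tkt.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Get policy digest, should be eb a3 f9 8c ...."
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # The session digest now equals SI's PolicyAuthorize policy, so the key
REM # can be used without its password.
echo "Sign a digest using the policy"
%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -se0 03000000 0 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the signature"
%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the signing key at 80000001"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the authorizing key 80000002"
%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)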
REM # test using clockrateadjust and platform policy
REM # operand A time is 64 bits at offset 0, operation GT (2)
REM # 0000016d 0000 0000 0000 0000 | 0000 | 0002
REM #
REM # convert to binary policy
REM # > policymaker -halg sha1 -if policies/policycountertimer.txt -of policies/policycountertimer.bin -pr -v
REM # e6 84 81 27 55 c0 39 d3 68 63 21 c8 93 50 25 dd
REM # aa 26 42 9a
REM #
REM # The policy is satisfied when the TPM time (operand A) is greater than
REM # operand B = eight bytes of zero, which is always true; the EQ variant of
REM # the same comparison is used as the negative case.
REM # 03000000 policy session (sha1, matching the policy).
echo ""
echo "Policy Counter Timer"
echo ""
echo "Set the platform policy to policy "
%TPM_EXE_PATH%setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # ppp is presumably not the platform password in this test setup; the
REM # password path is expected to be rejected so only the policy path works.
echo "Clockrate adjust using wrong password - should fail"
%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
echo "Start policy session"
%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Clockrate adjust, policy not satisfied - should fail"
%TPM_EXE_PATH%clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
REM # op 0 (EQ): time == 0 is false, so the TPM rejects the policy command.
echo "Policy counter timer, zero operandB, op EQ satisfy policy - should fail"
%TPM_EXE_PATH%policycountertimer -ha 03000000 -if policies/zero8.bin -op 0 > run.out
IF !ERRORLEVEL! EQU 0 (
exit /B 1
)
REM # op 2 (GT): time > 0 holds, and the digest matches the platform policy.
echo "Policy counter timer, zero operandB, op GT satisfy policy"
%TPM_EXE_PATH%policycountertimer -ha 03000000 -if policies/zero8.bin -op 2 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Policy get digest, should be e6 84 81 27"
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Clockrate adjust, policy satisfied"
%TPM_EXE_PATH%clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # Restore the platform policy so later sections are not constrained by it.
echo "Clear the platform policy"
%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush policy session"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # PolicyOR: a key whose authorization policy is PolicyOR of two
REM # branches, PolicyCommandCode sign and PolicyCommandCode quote.
REM # Reference digests, all SHA-256:
REM #   policyccsign.txt   0000016c 0000015d   CC_PolicyCommandCode, Sign
REM #   policymaker -if policies/policyccsign.txt -of policies/policyccsign.bin -pr -v
REM #   cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811
REM #   policyccquote.txt  0000016c 00000158   CC_PolicyCommandCode, Quote
REM #   policymaker -if policies/policyccquote.txt -of policies/policyccquote.bin -pr -v
REM #   a039cad5fe68870688f8233c3e3ee3cf27aac9e2efe3486aeb4e304c0e90cd27
REM #   policyor.txt is CC_PolicyOR followed by both branch digests:
REM #   00000171 cc69... a039...
REM #   policymaker -if policies/policyor.txt -of policies/policyor.bin -pr -v
REM #   6b fe c2 3a be 57 b0 2a ce 39 dd 13 bb 60 fa 39
REM #   4d ac 7b 38 96 56 57 84 b3 73 fc 61 92 94 29 db
REM # PolicyOR succeeds only when the session's current digest equals one
REM # of the listed branch digests, so each use of the key is: a fresh or
REM # restarted session, one PolicyCommandCode branch, PolicyOR, then the
REM # command. A branch the OR does not list, gettime, is rejected.
REM # NOTE review: the "should fail" steps accept any non-zero exit and so
REM # do not distinguish the expected policy failure from other errors.
echo ""
echo "PolicyOR"
echo ""
echo "Create an unrestricted signing key, policy command code sign or quote"
%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyor.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Load the signing key"
%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Start policy session"
%TPM_EXE_PATH%startauthsession -se p > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM # a fresh session has an all-zero digest, so nothing is authorized yet
echo "Policy get digest"
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign a digest - should fail"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Quote - should fail"
%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
REM # gettime takes the signing key session in the second slot, -se1
echo "Get time - should fail, policy not set"
%TPM_EXE_PATH%gettime -hk 80000001 -qd policies/aaa -se1 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
REM # the zero digest matches neither branch, so the OR itself is rejected
echo "Policy OR - should fail"
%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Policy Command code - sign"
%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000015d > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy get digest, should be cc 69 18 b2"
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy OR"
%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy get digest, should be 6b fe c2 3a"
%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Sign with policy OR"
%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM # the sign branch is rebuilt before the next use rather than reused
echo "Policy Command code - sign"
%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000015d > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy OR"
%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM # the session authorizes sign, so quote is refused with this branch
echo "Quote - should fail, wrong command code"
%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
REM # explicit restart back to the zero digest before building the quote
REM # branch; no reliance on any implicit reset after the failed quote
echo "Policy restart, set back to zero"
%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy Command code - quote, digest a0 39 ca d5"
%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 00000158 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy OR, digest 6b fe c2 3a"
%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Quote with policy OR"
%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
REM # gettime, 0000014c, is a valid PolicyCommandCode but is not one of the
REM # OR branches, so the PolicyOR that follows must be rejected
echo "Policy Command code - gettime 7a 3e bd aa"
%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000014c > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Policy OR, gettime not an AND term - should fail"
%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
IF !ERRORLEVEL! EQU 0 exit /B 1
echo "Flush policy session"
%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
echo "Flush signing key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 exit /B 1
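REM # There are times that a policy creator has TPM, PEM, or DER format
REM # information, but does not have access to a TPM. The publicname
REM # utility accepts these inputs and outputs the name in the 'no spaces'
REM # format suitable for pasting into a policy.
REM #
REM # Each iteration creates a fresh RSA 2048 key with name algorithm H and
REM # checks that publicname derives the same Name from three inputs: the
REM # TPM2B_PUBLIC blob, the PEM public key, and the DER public key. The
REM # reference is h80000001.bin, presumably the Name file that load and
REM # loadexternal leave for handle 80000001, which the diff steps rely on.
REM # The PEM and DER paths must also be told the key type, scheme, name
REM # algorithm and hash algorithm, since a bare public key carries none of
REM # those and the Name covers all of them.
REM #
REM # Fix: the OpenSSL PEM-to-DER conversion was unchecked. If it fails,
REM # tmppub.der from the previous iteration is still on disk and the
REM # failure only surfaces as a confusing Name mismatch two steps later.
REM # A stray debugging echo "INFO:" before the DER step is also dropped.
echo ""
echo "publicname RSA"
echo ""
for %%H in (%ITERATE_ALGS%) do (
echo "Create an rsa %%H key under the primary key"
%TPM_EXE_PATH%create -hp 80000000 -rsa 2048 -nalg %%H -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Load the rsa %%H key 80000001"
%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Compute the TPM2B_PUBLIC Name"
%TPM_EXE_PATH%publicname -ipu tmppub.bin -on tmp.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the TPM2B_PUBLIC result"
diff tmp.bin h80000001.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Convert the rsa public key to PEM format"
%TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the rsa %%H key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # reloading the PEM as a public-only key at 80000001 regenerates the
REM # reference Name file for the PEM and DER comparisons below
echo "loadexternal the rsa PEM public key"
%TPM_EXE_PATH%loadexternal -ipem tmppub.pem -si -rsa -nalg %%H -halg %%H -scheme rsassa > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Compute the PEM Name"
%TPM_EXE_PATH%publicname -ipem tmppub.pem -rsa -si -nalg %%H -halg %%H -on tmp.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the PEM result"
diff tmp.bin h80000001.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Convert the TPM PEM key to DER"
openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Compute the DER Name"
REM # -v keeps verbose output in run.out, which is what remains on failure
%TPM_EXE_PATH%publicname -ider tmppub.der -rsa -si -nalg %%H -halg %%H -on tmp.bin -v > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the DER result"
diff tmp.bin h80000001.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the rsa %%H key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
)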
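REM # publicname for ECC keys: same three-way Name check as the RSA loop,
REM # with a fresh NIST P-256 key per name algorithm H. Note the ECC
REM # loadexternal and publicname calls pass no -scheme, unlike the RSA
REM # loop's -scheme rsassa.
REM #
REM # Fix: the OpenSSL PEM-to-DER conversion was unchecked. If it fails,
REM # tmppub.der from the previous iteration, or from the RSA loop, is
REM # still on disk and the failure only surfaces as a Name mismatch two
REM # steps later. A stray debugging echo "INFO:" is also dropped.
echo ""
echo "publicname ECC"
echo ""
for %%H in (%ITERATE_ALGS%) do (
echo "Create an ecc nistp256 %%H key under the primary key"
%TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -nalg %%H -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Load the ecc %%H key 80000001"
%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Compute the TPM2B_PUBLIC Name"
%TPM_EXE_PATH%publicname -ipu tmppub.bin -on tmp.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the TPM2B_PUBLIC result"
diff tmp.bin h80000001.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Convert the ecc public key to PEM format"
%TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the ecc %%H key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
REM # reloading the PEM as a public-only key at 80000001 regenerates the
REM # reference Name file for the PEM and DER comparisons below
echo "loadexternal the ecc PEM public key"
%TPM_EXE_PATH%loadexternal -ipem tmppub.pem -si -ecc -nalg %%H -halg %%H > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Compute the PEM Name"
%TPM_EXE_PATH%publicname -ipem tmppub.pem -ecc -si -nalg %%H -halg %%H -on tmp.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the PEM result"
diff tmp.bin h80000001.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Convert the TPM PEM key to DER"
openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin -pubout
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Compute the DER Name"
REM # -v keeps verbose output in run.out, which is what remains on failure
%TPM_EXE_PATH%publicname -ider tmppub.der -ecc -si -nalg %%H -halg %%H -on tmp.bin -v > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Verify the DER result"
diff tmp.bin h80000001.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "Flush the ecc %%H key"
%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
)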
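REM # publicname for NV indexes: define a 16-byte index at 01000000 in the
REM # owner hierarchy with name algorithm H, read back its public area and
REM # Name with nvreadpublic, and check that publicname computes the same
REM # Name from the public area alone.
REM #
REM # Fix: a failure after nvdefinespace used to exit with the index still
REM # defined, so the next run of the suite would fail at nvdefinespace with
REM # the index already present. The index is now undefined on every
REM # failure path that follows its definition; the cleanup output goes to
REM # nul so run.out keeps the output of the step that actually failed.
echo ""
echo "publicname NV"
echo ""
for %%H in (%ITERATE_ALGS%) do (
echo "NV Define Space %%H"
%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -sz 16 -nalg %%H > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
echo "NV Read Public"
%TPM_EXE_PATH%nvreadpublic -ha 01000000 -opu tmppub.bin -on tmpname.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > nul
exit /B 1
)
echo "Compute the NV Index Name"
%TPM_EXE_PATH%publicname -invpu tmppub.bin -on tmp.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > nul
exit /B 1
)
echo "Verify the NV Index result"
diff tmp.bin tmpname.bin > run.out
IF !ERRORLEVEL! NEQ 0 (
%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > nul
exit /B 1
)
echo "NV Undefine Space"
%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
IF !ERRORLEVEL! NEQ 0 (
exit /B 1
)
)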
REM # Best-effort removal of the scratch files this script leaves behind.
REM # Like the rest of the file this relies on a Unix-style rm, and diff,
REM # being on PATH. rm failures are deliberately not checked: a missing
REM # file only prints an error, and the script still reports success.
REM # NOTE review: run.out is deleted too, so the output of the last step
REM # is kept only when the script exits early on a failure.
for %%F in (pssig.bin run.out sig.bin tkt.bin tmp.bin tmpdup.bin tmphkey.bin tmpname.bin tmppol.bin tmppriv.bin tmppub.bin tmppub.der tmppub.pem tmpsig.bin tmpsipriv.bin tmpsipriv1.bin tmpsipub.bin tmpss.bin tmpstpriv.bin tmpstpub.bin) do (
rm %%F
)
exit /B 0
REM # Not reached: exit /B 0 above ends the script. Kept as reference
REM # commands for listing the handles in use, TPM_CAP_HANDLES, when a
REM # failed run leaves objects, NV indexes or sessions behind:
REM # getcapability -cap 1 -pr 80000000   transient objects
REM # getcapability -cap 1 -pr 01000000   NV indexes
REM # getcapability -cap 1 -pr 02000000   HMAC sessions
REM # getcapability -cap 1 -pr 03000000   policy sessions