使用的是海光 CPU 提供的基于固件的 FTPM,错误原因是海光没有给 TPM 提供相应的 EK 证书。从而导致Fapi_Provision()接口无法通过证书的校验。关于Fapi_Provision()接口的功能,官网提到是:
Retrieve the EK template, nonce and certificate, verify that they match the TPM’s EK and store them in the
key store. A FAPI implementation SHALL verify the EK certificate against the vendor CA unless overridden
by its configuration. A FAPI implementation MAY allow overriding of EK certificate verification via its
configuration.
因此当前只能选择跳过证书校验这步。解决方法就是在 /usr/local/etc/tpm2-tss/fapi-config.json文件中,添加取消校验的配置,即 ek_cert_file 和 ek_cert_less 两项,修改完后该文件内容如下:
{
"profile_name": "P_ECCP256SHA256",
"profile_dir": "/usr/local/etc/tpm2-tss/fapi-profiles/",
"user_dir": "~/.local/share/tpm2-tss/user/keystore",
"system_dir": "/usr/local/var/lib/tpm2-tss/system/keystore",
"tcti": "",
"system_pcrs" : [],
"ek_cert_file": "",
"ek_cert_less": "YES",
"log_dir" : "/usr/local/var/run/tpm2-tss/eventlog/",
"firmware_log_file": "/sys/kernel/security/tpm0/binary_bios_measurements",
"ima_log_file": "/sys/kernel/security/ima/binary_runtime_measurements"
}
重新执行tss2_provision通过,即证明成功。
浙公网安备 33010602011771号