Does policy secret actually work #650
Description
Sample code:
def main():
e = ESAPI(os.environ.get("TPM2TOOLS_TCTI"))
# Get the SRK - Parent Key
with open("/home/tpmuser/srk.tr", "rb") as f:
srk_tr = ESYS_TR.deserialize(e, f.read())
p_sens = TPM2B_SENSITIVE_CREATE(TPMS_SENSITIVE_CREATE(userAuth=b"password"))
phandle = e.create_primary(p_sens)[0]
print(f"phandle: {phandle}")
policy_json = DD("""
{
"description":"Policy Secret for arbitrary primary key",
"policy":[
{
"type": "POLICYSECRET",
"objectPath": "/OWNER/my_key",
}
]
}
""")
p = policy(policy_json, TPM2_ALG.SHA256)
d = p.get_calculated_digest()
print(f"Calculated policy: {d}")
e.flush_context(s)But it results in:
Traceback (most recent call last):
File "/home/tpmuser/labs/./lab6b.py", line 69, in <module>
main()
~~~~^^
File "/home/tpmuser/labs/./lab6b.py", line 32, in main
d = p.get_calculated_digest()
File "/usr/local/lib64/python3.13/site-packages/tpm2_pytss/policy.py", line 596, in get_calculated_digest
_chkrc(lib.Tss2_PolicyGetCalculatedDigest(self._ctx, dig))
~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib64/python3.13/site-packages/tpm2_pytss/internal/utils.py", line 176, in _chkrc
raise TSS2_Exception(rc)
tpm2_pytss.TSS2_Exception.TSS2_Exception: policy:Provisioning was not executed.
Which makes me think there is some internal routine that maps fapi paths thats not in a callback. We really want a callback that can take an arbitrary path and map it to whatever the user wants. @AndreasFuchsTPM or @cplappert or @JuergenReppSIT do you have any insight into that?