tpm2-software/tpm2-tss

JSON files after creation

Closed this issue · 4 comments

Hello team.

I need to create a read-only system, and I was wondering: are the JSON files read-only after creation, or do they change at some point after that?

I am talking about the ones in: /usr/local/var/lib/tpm2-tss/system/keystore/*

P.S.
The only thing we do with the TPM chip, for now, is to create some indexes in the NVRAM before making the OS read-only.
After that we only read and write information to the TPM's NVRAM.

Thanks.

Currently the JSON file of an NV object in the keystore is updated after every write operation. This is actually unnecessary after the first write operation. The content of the file will only be changed after the first write because the NV_WRITTEN bit is set. I could create a PR where the keystore is updated only after the first write. Then you could call a dummy write after the object creation before making the OS read-only.
If the auth value of the NV index is changed, a write to the keystore is currently also executed.

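The "dummy write, then make the OS read-only" procedure suggested above, as an added example that is not part of the issue thread or of tpm2-tss itself. It assumes the tss2_* FAPI command-line tools from tpm2-tools are installed, that FAPI has been provisioned (tss2_provision), that the keystore is at the path named in the question (override KEYSTORE if yours differs), and a GNU stat; the NV path /nv/Owner/config and the size are placeholders. It snapshots every keystore file's content hash and modification time, performs the first (dummy) write and a second write, and reports whether the second write still touched the keystore.

```shell
#!/bin/sh
# Added example; not code from the issue or from the tpm2-tss project.
# Assumptions: tpm2-tools' tss2_* FAPI front-ends are installed, tss2_provision
# has been run, GNU stat is available, and the system keystore lives where the
# issue says it does. Set KEYSTORE in the environment to override.

KEYSTORE="${KEYSTORE:-/usr/local/var/lib/tpm2-tss/system/keystore}"

# Emit one "sha256  path" line and one "mtime path" line for every file below
# $1, in a stable order, so two snapshots compare as plain strings. The hash
# catches content changes (the first write flips NV_WRITTEN); the nanosecond
# mtime (GNU stat %y) catches a rewrite with identical content.
keystore_fingerprint() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
        stat -c '%y %n' "$f"
    done
}

# Exit 0 when two snapshots are identical, 1 otherwise.
fingerprint_unchanged() {
    [ "$1" = "$2" ]
}

# Create the NV index, do the dummy first write (sets NV_WRITTEN; the keystore
# entry is updated), then check whether a second write still touches any
# keystore file. Returns 1 if it does, i.e. the keystore is not yet safe to
# put on a read-only filesystem with this tpm2-tss build.
prime_nv_index() {
    nvpath="$1"   # FAPI NV path, e.g. /nv/Owner/config (placeholder name)
    size="$2"     # index size in bytes
    tmp=$(mktemp)
    dd if=/dev/zero of="$tmp" bs=1 count="$size" 2>/dev/null

    # An empty authValue avoids the interactive password prompt. Changing the
    # auth value later also rewrites the keystore, as the maintainer notes.
    tss2_createnv --path="$nvpath" --type="noDa" --size="$size" --authValue=""

    tss2_nvwrite --nvPath="$nvpath" --data="$tmp"     # first (dummy) write
    after_first=$(keystore_fingerprint "$KEYSTORE")
    tss2_nvwrite --nvPath="$nvpath" --data="$tmp"     # second write
    after_second=$(keystore_fingerprint "$KEYSTORE")
    rm -f "$tmp"

    if fingerprint_unchanged "$after_first" "$after_second"; then
        echo "keystore untouched by the second write to $nvpath"
    else
        echo "keystore still rewritten after the first write to $nvpath" >&2
        return 1
    fi
}

# Usage: sh prime_nv.sh /nv/Owner/config 16
if [ "$#" -eq 2 ]; then
    prime_nv_index "$1" "$2"
fi
```

Run this once per index while the root filesystem is still writable. The mtime comparison matters: with the behaviour described above, the second write rewrites object.json with identical content, so a content hash alone would report "unchanged" while a read-only mount would still make the write fail. The definitive check before shipping is to remount the keystore read-only and perform one more tss2_nvwrite and tss2_nvread.
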
Hello @JuergenReppSIT.

When I checked out the 6c6812b commit, and when I tried to build it with the make command, it threw an error, saying it could not find the io.c and io.h.
When I manually added those files, the make went well.
I am not sure why this problem occurred.

@JordanLBogdanov I could compile this commit without problems with

git checkout 6c6812b
git clean -xdf
./bootstrap
./configure
make -j

Thank you. I previously had only used:

git checkout 6c6812b
make -j