Creating TPM Sealed Object Always Unseals to Empty Buffer

So, I am wanting to create a sealed and being able to unseal it with my python script that is on the ivy board down below is just internal testing on the ivy+ PN 01781000.

my current setup is on a docker container installed the necessary installments in the Dockerfile for TPM tpm2-tools, libtss2-dev.

docker compose.yml
devices:

  - /dev/tpm0:/dev/tpm0

  - /dev/tpmrm0:/dev/tpmrm0

volumes:

  - /home/torizon/config/:/home/torizon/config/:rw

  - /data/tpm:/data/tpm     # make the TPM sealed files visible inside container

  - /dev/tpm0:/dev/tpm0     # direct TPM access

  - /dev/tpmrm0:/dev/tpmrm0 # resource manager

created the primary.ctx

everything is stored in this
/data/tpm folder

we create this seal.json
cat > seal.json << ‘EOF’
{
“parent”: “o”,
“public”: {
“type”: “seal”,
“nameAlg”: “sha256”,
“objectAttributes”: [
“fixedtpm”,
“fixedparent”,
“userwithauth”,
“noda”
]
}
}
EOF

tpm2_getrandom 32 > secret.bin

/*just to test to see if the secret.bin is created
python3 - << ‘EOF’
d = open(“secret.bin”,“rb”).read()
print(“Secret:”, d, “len:”, len(d))
EOF

tpm2_startauthsession --policy-session -S session.ctx
tpm2_policycommandcode -S session.ctx TPM2_CC_Unseal
tpm2_getpolicydigest -S session.ctx -o policy.dat
tpm2_flushcontext session.ctx
rm session.ctx

python3 - << ‘EOF’
d=open(“policy.dat”,“rb”).read()
print(“Policy digest:”, d.hex(), “len:”, len(d))
EOF

**tpm2_create
-C primary.ctx
–template-data=seal.json
-L policy.dat
-i secret.bin
-u seal.pub
-r seal.priv

tpm2_load
-C primary.ctx
-u seal.pub
-r seal.priv
-c seal.ctx**

#attempt to unseal

tpm2_startauthsession --policy-session -S session.ctx

tpm2_policycommandcode -S session.ctx TPM2_CC_Unseal

tpm2_unseal -c seal.ctx -p session:session.ctx | python3 - << ‘EOF’
import sys
d = sys.stdin.buffer.read()
print(“UNSEALED:”, d, “LEN:”, len(d))
EOF

result
UNSEALED: b’’ LEN: 0

if there are any documentation on this process out there, please point me in that direction

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.

I can help you troubleshoot your TPM sealing/unsealing issue. First, I need to clarify your exact setup to provide the most accurate guidance.

Setup Clarification Required

Could you please specify which OS and version you’re running on your Ivy+ board? You can get this information by running the tdx-info command on your device. For more details about this command, see: Getting Device Information with Tdx-Info | Toradex Developer Center

TPM Support Context

Based on the available documentation, TPM integration is supported on Toradex hardware. The Mallow Carrier Board features an OPTIGATM TPM SLM 9670 chip for industrial security requirements(1). If you’re developing with TPM functionality, using the Mallow Carrier Board schematics as a reference is highly recommended(1).

Application Development Framework

Your Python application development approach aligns with Torizon’s container-based architecture(2). For Python development specifically, you can reference the Python development guidance(3), and for containerized applications, the Torizon platform provides Docker-based development workflows(2).

Next Steps

Once you provide your OS version information, I can give you more specific guidance for your TPM sealing/unsealing implementation. The exact approach may vary depending on whether you’re using:

• Torizon OS with containers(2)
• BSP-based Linux development(3)
• Specific hardware configurations

For comprehensive TPM implementation details and troubleshooting, the documentation references secure boot implementations(4), though your use case appears to be focused on application-level TPM operations rather than boot-level security.

Please share your OS version details so I can provide more targeted assistance for your specific platform configuration.

Best regards,
Toradex AI Assistant.

Did you like my answer?

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

@ToradexAI
torizon@verdin-imx8mp-15139628:~/config$ sudo tdx-info

Software summary

Bootloader: U-Boot
Kernel version: 6.6.84-7.3.0-devel-g54d6d91867a1 #1-Torizon SMP PREEMPT Fri May 30 12:17:11 UTC 2025
Kernel command line: root=LABEL=otaroot rootfstype=ext4 quiet logo.nologo vt.global_cursor_default=0 plymouth.ignore-serial-consoles splash fbcon=map:3 ostree=/ostree/boot.1/torizon/a3c7fb4f7610c0452dcf021ad4f61a832408cf224f1c8594b890fcb3d785c02b/0
Distro name: NAME=“Torizon OS”
Distro version: VERSION_ID=7.3.0-devel-202506-build.9
Distro variant: VARIANT=“Docker”
Hostname: verdin-imx8mp-15139628

Hardware info

HW model: Toradex Verdin iMX8M Plus on Ivy
Toradex version: 0058 V1.1A
Serial number: 15139628
Processor arch: aarch64

Troubleshooting Your TPM Seal/Unseal Issue

Thank you for providing the system information! You’re running Torizon OS 7.3.0-devel-202506-build.9 on a Verdin iMX8M Plus V1.1A with the Ivy Carrier Board(1)(2). This setup should support TPM operations properly.

Analysis of Your Current Issue

Your TPM seal/unseal process looks mostly correct, but the empty result (UNSEALED: b'' LEN: 0) suggests an issue with either the policy session or the unsealing process itself. Here are the key areas to investigate:

1. Session Management Issue

The most likely cause is that your policy session isn’t being properly maintained between commands. Try this approach:

# Create and maintain the session properly
tpm2_startauthsession --policy-session -S session.ctx
tpm2_policycommandcode -S session.ctx TPM2_CC_Unseal

# Unseal immediately without breaking the session
tpm2_unseal -c seal.ctx -p session:session.ctx -o unsealed_secret.bin

# Then read the output
python3 -c "
with open('unsealed_secret.bin', 'rb') as f:
    data = f.read()
    print('UNSEALED:', data, 'LEN:', len(data))
"

# Clean up
tpm2_flushcontext session.ctx
rm session.ctx unsealed_secret.bin

2. TPM Hardware Context

Your Ivy Carrier Board setup should have proper TPM support(3). The Verdin iMX8M Plus supports hardware-based security features(1)(2), and your Docker configuration correctly exposes the TPM devices (/dev/tpm0 and /dev/tpmrm0).

3. Verification Steps

Before proceeding with sealing, verify your TPM is working correctly:

# Test basic TPM functionality
tpm2_getrandom 16 | hexdump -C

# Check if your primary context is valid
tpm2_readpublic -c primary.ctx

# Verify the sealed object was created properly
tpm2_readpublic -c seal.ctx

4. Alternative Sealing Approach

Try a simpler sealing approach without complex policies first:

# Create a simple seal without policy
tpm2_create -C primary.ctx -i secret.bin -u simple_seal.pub -r simple_seal.priv
tpm2_load -C primary.ctx -u simple_seal.pub -r simple_seal.priv -c simple_seal.ctx

# Unseal directly
tpm2_unseal -c simple_seal.ctx -o unsealed.bin

Container Configuration Validation

Your Docker Compose configuration looks correct for TPM access(4). The key elements are properly configured:

• Device access to /dev/tpm0 and /dev/tpmrm0
• Volume mounting for persistent TPM data storage
• Read-write access to configuration directories

Next Steps

1. Test the session management fix shown above
2. Verify basic TPM functionality with the verification commands
3. Try the simpler sealing approach to isolate policy-related issues
4. Check TPM logs with dmesg | grep -i tpm for any hardware-related errors

If you continue experiencing issues, the problem might be related to the specific TPM implementation or policy configuration. The Torizon OS platform provides comprehensive support for containerized applications with hardware access(5), so your overall approach is sound.

Best regards,
Toradex AI Assistant.

Did you like my answer?

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

This seems to fix the issue thanks for the help