@@ -237,7 +237,81 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
237237 /* Get Endorsement Public Key template using NV index */
238238 rc = wolfTPM2_GetKeyTemplate_EKIndex (nvIndex , & publicTemplate );
239239 if (rc != 0 ) {
240- printf ("EK Index 0x%08x not valid\n" , nvIndex );
240+ const char * indexType = "Unknown" ;
241+ word32 offset = nvIndex - TPM_20_TCG_NV_SPACE ;
242+
243+ /* Identify the type of NV index based on offset */
244+ if (nvIndex < TPM_20_TCG_NV_SPACE ) {
245+ indexType = "Non-TCG (below TCG NV space)" ;
246+ }
247+ else if (offset >= 0x2 && offset <= 0xC ) {
248+ indexType = "EK Low Range" ;
249+ if (offset == 0x2 ) indexType = "EK Low Range (RSA 2048 Cert)" ;
250+ else if (offset == 0x3 ) indexType = "EK Low Range (RSA 2048 Nonce)" ;
251+ else if (offset == 0x4 ) indexType = "EK Low Range (RSA 2048 Template)" ;
252+ else if (offset == 0xA ) indexType = "EK Low Range (ECC P256 Cert)" ;
253+ else if (offset == 0xB ) indexType = "EK Low Range (ECC P256 Nonce)" ;
254+ else if (offset == 0xC ) indexType = "EK Low Range (ECC P256 Template)" ;
255+ }
256+ else if (offset >= 0x12 && offset < 0x100 ) {
257+ indexType = "EK High Range" ;
258+ if (offset == 0x12 ) indexType = "EK High Range (RSA 2048 Cert)" ;
259+ else if (offset == 0x14 ) indexType = "EK High Range (ECC P256 Cert)" ;
260+ else if (offset == 0x16 ) indexType = "EK High Range (ECC P384 Cert)" ;
261+ else if (offset == 0x18 ) indexType = "EK High Range (ECC P521 Cert)" ;
262+ else if (offset == 0x1A ) indexType = "EK High Range (ECC SM2 Cert)" ;
263+ else if (offset == 0x1C ) indexType = "EK High Range (RSA 3072 Cert)" ;
264+ else if (offset == 0x1E ) indexType = "EK High Range (RSA 4096 Cert)" ;
265+ else if ((offset & 1 ) == 0 ) indexType = "EK High Range (Cert, even index)" ;
266+ else indexType = "EK High Range (Template, odd index)" ;
267+ }
268+ else if (offset >= 0x100 && offset < 0x200 ) {
269+ indexType = "EK Certificate Chain" ;
270+ }
271+ else if (offset >= 0x7F01 && offset <= 0x7F04 ) {
272+ indexType = "EK Policy Index" ;
273+ if (offset == 0x7F01 ) indexType = "EK Policy Index (SHA256)" ;
274+ else if (offset == 0x7F02 ) indexType = "EK Policy Index (SHA384)" ;
275+ else if (offset == 0x7F03 ) indexType = "EK Policy Index (SHA512)" ;
276+ else if (offset == 0x7F04 ) indexType = "EK Policy Index (SM3_256)" ;
277+ }
278+ else if (nvIndex > TPM_20_TCG_NV_SPACE + 0x7FFF ) {
279+ indexType = "Vendor-specific (beyond TCG range)" ;
280+ }
281+
282+ printf ("NV Index 0x%08x: %s (not a recognized EK certificate index)\n" ,
283+ nvIndex , indexType );
284+
285+ /* Try to read the NV public info to show what it contains */
286+ rc = wolfTPM2_NVReadPublic (& dev , nvIndex , & nvPublic );
287+ if (rc == 0 ) {
288+ const char * hashName = TPM2_GetAlgName (nvPublic .nameAlg );
289+ printf (" NV Size: %u bytes, Attributes: 0x%08x, Name Alg: %s\n" ,
290+ nvPublic .dataSize , (unsigned int )nvPublic .attributes , hashName );
291+
292+ /* Check if this looks like a policy digest based on size and hash */
293+ if ((nvPublic .dataSize == 32 && nvPublic .nameAlg == TPM_ALG_SHA256 ) ||
294+ (nvPublic .dataSize == 48 && nvPublic .nameAlg == TPM_ALG_SHA384 ) ||
295+ (nvPublic .dataSize == 64 && nvPublic .nameAlg == TPM_ALG_SHA512 ) ||
296+ (nvPublic .dataSize == 32 && nvPublic .nameAlg == TPM_ALG_SM3_256 )) {
297+ printf (" Content type: Likely a policy digest (%s hash)\n" , hashName );
298+ }
299+ else if (nvPublic .dataSize > 100 ) {
300+ printf (" Content type: Likely a certificate or template (large data)\n" );
301+ }
302+
303+ /* Attempt to read a small amount of data to identify type */
304+ certSz = (nvPublic .dataSize < 32 ) ? nvPublic .dataSize : 32 ;
305+ if (certSz > 0 ) {
306+ rc = wolfTPM2_NVReadAuth (& dev , & nv , nvIndex , certBuf , & certSz , 0 );
307+ if (rc == 0 ) {
308+ printf (" First %u bytes:\n" , certSz );
309+ dump_hex_bytes (certBuf , certSz );
310+ }
311+ }
312+ }
313+
314+ rc = 0 ; /* Reset error code to continue processing */
241315 continue ;
242316 }
243317
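Review bot: The diagnostic path at the end of this hunk reads and hex-dumps up to 32 bytes from whatever NV index failed the EK template lookup, including the "Non-TCG" and "Vendor-specific" cases, so output that is logged or pasted into a bug report can carry the contents of indices unrelated to EK credentials. Consider restricting the `wolfTPM2_NVReadAuth` call to the TCG range, for example `if (certSz > 0 && nvIndex >= TPM_20_TCG_NV_SPACE && offset <= 0x7FFF) {`. Separately, failures of `wolfTPM2_NVReadPublic` and `wolfTPM2_NVReadAuth` print nothing and are then erased by `rc = 0`, so a user cannot tell an absent index from a refused read; an `else` branch printing `TPM2_GetRCString(rc)` would make that visible. The enclosing loop and the setup of `nv` and `certBuf` lie outside the hunk, so whether `nv` carries any auth at this point cannot be confirmed from these lines.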