How to fix tpm2_ptool tpm:parameter(2):curve not supported

Problem

You’re trying to create a key using tpm2_ptool using a command such as

tpm2_ptool addkey --label=ssh --userpin=zeigh6iraewich1aengip6Dee2bait --algorithm=ecc384

and get the error tpm:parameter(2):curve not supported:

Traceback (most recent call last):
  File "/usr/bin/tpm2_ptool", line 33, in <module>
    sys.exit(load_entry_point('tpm2-pkcs11-tools==1.33.7', 'console_scripts', 'tpm2_ptool')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/tpm2_pkcs11/tpm2_ptool.py", line 26, in main
    commandlet.init('A tool for manipulating the tpm2-pkcs11 database')
  File "/usr/lib/python3/dist-packages/tpm2_pkcs11/command.py", line 102, in init
    commandlet.get()[d['which']](d)
  File "/usr/lib/python3/dist-packages/tpm2_pkcs11/commandlets_keys.py", line 295, in __call__
    objects = super(AddKeyCommand, self).__call__(args)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/tpm2_pkcs11/commandlets_keys.py", line 202, in __call__
    tertiarypriv, tertiarypub, tertiarypubdata = self.new_key_create(
                                                 ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/tpm2_pkcs11/commandlets_keys.py", line 289, in new_key_create
    tertiarypriv, tertiarypub, tertiarypubdata = tpm2.create(
                                                 ^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/tpm2_pkcs11/tpm2.py", line 226, in create
    raise RuntimeError("Could not execute tpm2_create: %s" %
RuntimeError: Could not execute tpm2_create: b'WARNING:esys:src/tss2-esys/api/Esys_Create.c:399:Esys_Create_Finish() Received TPM Error \nERROR:esys:src/tss2-esys/api/Esys_Create.c:134:Esys_Create() Esys Finish ErrorCode (0x000002e6) \nERROR: Esys_Create(0x2E6) - tpm:parameter(2):curve not supported\nERROR: Unable to run tpm2_create\n'

Solution

Your specific TPM implementation does not support the curve you’re trying to use. You can find out which (elliptic) curves

While tpm2_ptool supports the following curves:

ecc224
ecc256
ecc384
ecc521

your TPM implementation (either a physical TPM or a software TPM) may not support all of them.

Typically, when your TPM does not support e.g. a 384 bit curve, it will not support any curve with a higher bit count either. Therefore, I recommend trying the next smaller curve.

tpm2_ptool addkey --label=ssh --userpin=zeigh6iraewich1aengip6Dee2bait --algorithm=ecc256

According to Dell, TPM 2.0-compatible TPMs must support at least ecc256.

Continue trying smaller curves until you find one that works. The best way of finding out which curves are supported is to try them all, trying to look for documentation usually takes much longer and is often not successful at all.

If this post helped you, please consider buying me a coffee or donating via PayPal to support research & publishing of new posts on TechOverflow

Buy me a coffee