Merge pull request #358 from chrisccoulson/tpm2-stop-using-deprecated…

…-go-tpm2-apis

tpm2: Stop using deprecated go-tpm2 APIs.

PR #357 migrated the tpm2 code to using the new tpm2.TPMDevice abstraction for opening TPM connections.

The go-tpm2 package contains some other deprecated APIs, and in some cases, entire sub-packages have been deprecated (crypto, templates, util). These have been replaced by alternative APIs, and the util package, which was a bit of a dumping ground for APIs that had nowhere else to go, has been split into more focused packages.

This ports secboot to using updated APIs. It's just a straight port for now - we may want to refactor some code to make better use of these APIs in future PRs - particularly those in the `policyutil` sub-package, something that will allow us to create keys with arbitrary policies without having to change the key data format for tpm2 keys (see issue #350).

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/canonical/go-efilib v1.4.1
 	github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0
 	github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3
-	github.com/canonical/go-tpm2 v1.10.1
+	github.com/canonical/go-tpm2 v1.11.1
 	github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981
 	github.com/snapcore/snapd v0.0.0-20220714152900-4a1f4c93fc85
 	golang.org/x/crypto v0.21.0

go.sum

@@ -11,8 +11,8 @@ github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0/go.mod
 github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 h1:oe6fCvaEpkhyW3qAicT0TnGtyht/UrgvOwMcEgLb7Aw=
 github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3/go.mod h1:qdP0gaj0QtgX2RUZhnlVrceJ+Qln8aSlDyJwelLLFeM=
 github.com/canonical/go-tpm2 v0.0.0-20210827151749-f80ff5afff61/go.mod h1:vG41hdbBjV4+/fkubTT1ENBBqSkLwLr7mCeW9Y6kpZY=
-github.com/canonical/go-tpm2 v1.10.1 h1:TtCuiJLX5sU8GNIxEycnc51CzsDd3nXUUkin3/My9gg=
-github.com/canonical/go-tpm2 v1.10.1/go.mod h1:zK+qESVwu78XyX+NPhiBdN+zwPPDoKk4rYlQ7VUsRp4=
+github.com/canonical/go-tpm2 v1.11.1 h1:RivdSXfBWWW+eFaFNYQby5+kVgY4km9eEayot1wX/qU=
+github.com/canonical/go-tpm2 v1.11.1/go.mod h1:zK+qESVwu78XyX+NPhiBdN+zwPPDoKk4rYlQ7VUsRp4=
 github.com/canonical/tcglog-parser v0.0.0-20210824131805-69fa1e9f0ad2/go.mod h1:QoW2apR2tBl6T/4czdND/EHjL1Ia9cCmQnIj9Xe0Kt8=
 github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981 h1:vrUzSfbhl8mzdXPzjxq4jXZPCCNLv18jy6S7aVTS2tI=
 github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981/go.mod h1:ywdPBqUGkuuiitPpVWCfilf2/gq+frhq4CNiNs9KyHU=

tpm2/export_test.go

@@ -127,13 +127,13 @@ type PcrPolicyData_v3 = pcrPolicyData_v3
 
 type PcrPolicyParams = pcrPolicyParams
 
-func NewPcrPolicyParams(key secboot.PrimaryKey, pcrs tpm2.PCRSelectionList, pcrDigests tpm2.DigestList, policyCounterName tpm2.Name, policySequence uint64) *PcrPolicyParams {
+func NewPcrPolicyParams(key secboot.PrimaryKey, pcrs tpm2.PCRSelectionList, pcrDigests tpm2.DigestList, policyCounter *tpm2.NVPublic, policySequence uint64) *PcrPolicyParams {
 	return &PcrPolicyParams{
-		key:               key,
-		pcrs:              pcrs,
-		pcrDigests:        pcrDigests,
-		policyCounterName: policyCounterName,
-		policySequence:    policySequence,
+		key:            key,
+		pcrs:           pcrs,
+		pcrDigests:     pcrDigests,
+		policyCounter:  policyCounter,
+		policySequence: policySequence,
 	}
 }
 

tpm2/key_sealer.go

@@ -20,9 +20,10 @@
 package tpm2
 
 import (
+	"crypto/rand"
+
 	"github.com/canonical/go-tpm2"
-	"github.com/canonical/go-tpm2/templates"
-	"github.com/canonical/go-tpm2/util"
+	"github.com/canonical/go-tpm2/objectutil"
 
 	"golang.org/x/xerrors"
 )
@@ -77,12 +78,17 @@ func (s *sealedObjectKeySealer) CreateSealedObject(data []byte, nameAlg tpm2.Has
 	sensitive := tpm2.SensitiveCreate{Data: data}
 
 	// Define the template
-	template := templates.NewSealedObject(nameAlg)
-	template.Attrs &^= tpm2.AttrUserWithAuth
+	opts := []objectutil.PublicTemplateOption{
+		objectutil.WithNameAlg(nameAlg),
+		objectutil.WithUserAuthMode(objectutil.RequirePolicy),
+		objectutil.WithAuthPolicy(policy),
+	}
 	if noDA {
-		template.Attrs |= tpm2.AttrNoDA
+		opts = append(opts, objectutil.WithoutDictionaryAttackProtection())
+	} else {
+		opts = append(opts, objectutil.WithDictionaryAttackProtection())
 	}
-	template.AuthPolicy = policy
+	template := objectutil.NewSealedObjectTemplate(opts...)
 
 	// Now create the sealed key object. The command is integrity protected so if the object
 	// at the handle we expect the SRK to reside at has a different name (ie, if we're
@@ -105,15 +111,23 @@ type importableObjectKeySealer struct {
 }
 
 func (s *importableObjectKeySealer) CreateSealedObject(data []byte, nameAlg tpm2.HashAlgorithmId, policy tpm2.Digest, noDA bool) (tpm2.Private, *tpm2.Public, tpm2.EncryptedSecret, error) {
-	pub, sensitive := util.NewExternalSealedObject(nameAlg, nil, data)
-	pub.Attrs &^= tpm2.AttrUserWithAuth
+	opts := []objectutil.PublicTemplateOption{
+		objectutil.WithNameAlg(nameAlg),
+		objectutil.WithUserAuthMode(objectutil.RequirePolicy),
+		objectutil.WithAuthPolicy(policy),
+	}
 	if noDA {
-		pub.Attrs |= tpm2.AttrNoDA
+		opts = append(opts, objectutil.WithoutDictionaryAttackProtection())
+	} else {
+		opts = append(opts, objectutil.WithDictionaryAttackProtection())
+	}
+	pub, sensitive, err := objectutil.NewSealedObject(rand.Reader, data, nil, opts...)
+	if err != nil {
+		return nil, nil, nil, xerrors.Errorf("cannot create external sealed object: %w", err)
 	}
-	pub.AuthPolicy = policy
 
 	// Now create the importable sealed key object (duplication object).
-	_, priv, importSymSeed, err := util.CreateDuplicationObject(sensitive, pub, s.tpmKey, nil, nil)
+	_, priv, importSymSeed, err := objectutil.CreateImportable(rand.Reader, sensitive, pub, s.tpmKey, nil, nil)
 	if err != nil {
 		return nil, nil, nil, xerrors.Errorf("cannot create duplication object: %w", err)
 	}

tpm2/key_sealer_test.go

@@ -23,8 +23,9 @@ import (
 	"crypto/rsa"
 
 	"github.com/canonical/go-tpm2"
+	"github.com/canonical/go-tpm2/objectutil"
+	"github.com/canonical/go-tpm2/policyutil"
 	tpm2_testutil "github.com/canonical/go-tpm2/testutil"
-	"github.com/canonical/go-tpm2/util"
 
 	. "gopkg.in/check.v1"
 
@@ -85,7 +86,7 @@ func (s *sealedObjectKeySealerSuite) testCreateSealedObject(c *C, data *testCrea
 					Scheme:  tpm2.KeyedHashSchemeNull,
 					Details: &tpm2.SchemeKeyedHashU{}}}})
 
-	srk, err := s.TPM().CreateResourceContextFromTPM(tcg.SRKHandle)
+	srk, err := s.TPM().NewResourceContext(tcg.SRKHandle)
 	c.Assert(err, IsNil)
 
 	k, err := s.TPM().Load(srk, priv, pub, nil)
@@ -119,7 +120,7 @@ func (s *sealedObjectKeySealerSuite) TestCreateSealedObjectWithNewConnection(c *
 }
 
 func (s *sealedObjectKeySealerSuite) TestCreateSealedObjectMissingSRK(c *C) {
-	srk, err := s.TPM().CreateResourceContextFromTPM(tcg.SRKHandle)
+	srk, err := s.TPM().NewResourceContext(tcg.SRKHandle)
 	c.Assert(err, IsNil)
 	s.EvictControl(c, tpm2.HandleOwner, srk, srk.Handle())
 
@@ -152,16 +153,18 @@ func (s *sealedObjectKeySealerSuite) TestCreateSealedObjectDifferentNameAlg(c *C
 }
 
 func (s *sealedObjectKeySealerSuite) TestCreateSealedObjectDifferentPolicy(c *C) {
-	trial := util.ComputeAuthPolicy(tpm2.HashAlgorithmSHA256)
-	trial.PolicyAuthValue()
+	builder := policyutil.NewPolicyBuilder(tpm2.HashAlgorithmSHA256)
+	builder.RootBranch().PolicyAuthValue()
+	digest, err := builder.Digest()
+	c.Check(err, IsNil)
 
 	session := s.StartAuthSession(c, nil, nil, tpm2.SessionTypePolicy, nil, tpm2.HashAlgorithmSHA256)
 	c.Check(s.TPM().PolicyAuthValue(session), IsNil)
 
 	s.testCreateSealedObject(c, &testCreateSealedObjectData{
 		data:         []byte("foo"),
 		nameAlg:      tpm2.HashAlgorithmSHA256,
-		policyDigest: trial.GetDigest(),
+		policyDigest: digest,
 		noDA:         true,
 		session:      session})
 }
@@ -203,7 +206,7 @@ func (s *importableObjectKeySealerSuite) testCreateSealedObject(c *C, data *test
 			KeyedHashDetail: &tpm2.KeyedHashParams{
 				Scheme: tpm2.KeyedHashScheme{Scheme: tpm2.KeyedHashSchemeNull}}})
 
-	sensitive, err := util.UnwrapDuplicationObject(priv, pub, key, srk.NameAlg, &srk.Params.RSADetail.Symmetric, importSymSeed, nil, nil)
+	sensitive, err := objectutil.UnwrapDuplicated(priv, pub, key, srk.NameAlg, &srk.Params.RSADetail.Symmetric, importSymSeed, nil, nil)
 	c.Assert(err, IsNil)
 
 	c.Check(sensitive.Type, Equals, tpm2.ObjectTypeKeyedHash)
@@ -236,13 +239,15 @@ func (s *importableObjectKeySealerSuite) TestCreateSealedObjectiDifferentNameAlg
 }
 
 func (s *importableObjectKeySealerSuite) TestCreateSealedObjectWithDifferentPolicy(c *C) {
-	trial := util.ComputeAuthPolicy(tpm2.HashAlgorithmSHA256)
-	trial.PolicyAuthValue()
+	builder := policyutil.NewPolicyBuilder(tpm2.HashAlgorithmSHA256)
+	builder.RootBranch().PolicyAuthValue()
+	digest, err := builder.Digest()
+	c.Check(err, IsNil)
 
 	s.testCreateSealedObject(c, &testCreateSealedObjectData{
 		data:         []byte("foo"),
 		nameAlg:      tpm2.HashAlgorithmSHA256,
-		policyDigest: trial.GetDigest(),
+		policyDigest: digest,
 		noDA:         true})
 }
 

tpm2/keydata.go

@@ -193,7 +193,7 @@ func (k *sealedKeyDataBase) validateData(tpm *tpm2.TPMContext, role string) (*tp
 		return nil, keyDataError{errors.New("sealed key object has the wrong attributes")}
 	}
 
-	srk, err := tpm.CreateResourceContextFromTPM(tcg.SRKHandle)
+	srk, err := tpm.NewResourceContext(tcg.SRKHandle)
 	if err != nil {
 		return nil, xerrors.Errorf("cannot create context for SRK: %w", err)
 	}

tpm2/keydata_v0.go

@@ -27,7 +27,7 @@ import (
 
 	"github.com/canonical/go-tpm2"
 	"github.com/canonical/go-tpm2/mu"
-	"github.com/canonical/go-tpm2/util"
+	"github.com/canonical/go-tpm2/policyutil"
 	"github.com/snapcore/secboot"
 
 	"golang.org/x/xerrors"
@@ -107,7 +107,7 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 	}
 
 	// Obtain the name of the legacy lock NV index.
-	lockNV, err := tpm.CreateResourceContextFromTPM(lockNVHandle)
+	lockNV, err := tpm.NewResourceContext(lockNVHandle)
 	if err != nil {
 		if tpm2.IsResourceUnavailableError(err, lockNVHandle) {
 			return nil, keyDataError{errors.New("lock NV index is unavailable")}
@@ -119,26 +119,18 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 		return nil, xerrors.Errorf("cannot read public area of lock NV index: %w", err)
 	}
 	lockNVPub.Attrs &^= tpm2.AttrNVReadLocked
-	lockNVName, err := lockNVPub.ComputeName()
-	if err != nil {
-		return nil, xerrors.Errorf("cannot compute name of lock NV index: %w", err)
-	}
 
 	// Validate the type and scheme of the dynamic authorization policy signing key.
 	authPublicKey := d.PolicyData.StaticData.AuthPublicKey
-	authKeyName, err := authPublicKey.ComputeName()
-	if err != nil {
-		return nil, keyDataError{xerrors.Errorf("cannot compute name of dynamic authorization policy key: %w", err)}
-	}
 	if authPublicKey.Type != tpm2.ObjectTypeRSA {
 		return nil, keyDataError{errors.New("public area of dynamic authorization policy signing key has the wrong type")}
 	}
-	authKeyScheme := authPublicKey.Params.AsymDetail(authPublicKey.Type).Scheme
+	authKeyScheme := authPublicKey.AsymDetail().Scheme
 	if authKeyScheme.Scheme != tpm2.AsymSchemeNull {
 		if authKeyScheme.Scheme != tpm2.AsymSchemeRSAPSS {
 			return nil, keyDataError{errors.New("dynamic authorization policy signing key has unexpected scheme")}
 		}
-		if authKeyScheme.Details.Any(authKeyScheme.Scheme).HashAlg != authPublicKey.NameAlg {
+		if authKeyScheme.AnyDetails().HashAlg != authPublicKey.NameAlg {
 			return nil, keyDataError{errors.New("dynamic authorization policy signing key algorithm must match name algorithm")}
 		}
 	}
@@ -148,7 +140,7 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 	if pcrPolicyCounterHandle.Type() != tpm2.HandleTypeNVIndex {
 		return nil, keyDataError{errors.New("PCR policy counter handle is invalid")}
 	}
-	pcrPolicyCounter, err := tpm.CreateResourceContextFromTPM(pcrPolicyCounterHandle)
+	pcrPolicyCounter, err := tpm.NewResourceContext(pcrPolicyCounterHandle)
 	if err != nil {
 		if tpm2.IsResourceUnavailableError(err, pcrPolicyCounterHandle) {
 			return nil, keyDataError{errors.New("PCR policy counter is unavailable")}
@@ -160,12 +152,16 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 	if !d.KeyPublic.NameAlg.Available() {
 		return nil, keyDataError{errors.New("cannot determine if static authorization policy matches sealed key object: algorithm unavailable")}
 	}
-	trial := util.ComputeAuthPolicy(d.KeyPublic.NameAlg)
-	trial.PolicyAuthorize(nil, authKeyName)
-	trial.PolicySecret(pcrPolicyCounter.Name(), nil)
-	trial.PolicyNV(lockNVName, nil, 0, tpm2.OpEq)
+	builder := policyutil.NewPolicyBuilder(d.KeyPublic.NameAlg)
+	builder.RootBranch().PolicyAuthorize(nil, authPublicKey)
+	builder.RootBranch().PolicySecret(pcrPolicyCounter, nil)
+	builder.RootBranch().PolicyNV(lockNVPub, nil, 0, tpm2.OpEq)
+	expectedDigest, err := builder.Digest()
+	if err != nil {
+		return nil, keyDataError{fmt.Errorf("cannot compute expected static authorization policy digest: %w", err)}
+	}
 
-	if !bytes.Equal(trial.GetDigest(), d.KeyPublic.AuthPolicy) {
+	if !bytes.Equal(expectedDigest, d.KeyPublic.AuthPolicy) {
 		return nil, keyDataError{errors.New("the sealed key object's authorization policy is inconsistent with the associated metadata or persistent TPM resources")}
 	}
 
@@ -178,7 +174,10 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 		return nil, keyDataError{errors.New("cannot determine if PCR policy counter has a valid authorization policy: algorithm unavailable")}
 	}
 	pcrPolicyCounterAuthPolicies := d.PolicyData.StaticData.PCRPolicyCounterAuthPolicies
-	expectedPCRPolicyCounterAuthPolicies := computeV0PinNVIndexPostInitAuthPolicies(pcrPolicyCounterPub.NameAlg, authKeyName)
+	expectedPCRPolicyCounterAuthPolicies, err := computeV0PinNVIndexPostInitAuthPolicies(pcrPolicyCounterPub.NameAlg, authPublicKey)
+	if err != nil {
+		return nil, keyDataError{fmt.Errorf("cannot compute OR policy digests for PCR policy counter: %w", err)}
+	}
 	if len(pcrPolicyCounterAuthPolicies)-1 != len(expectedPCRPolicyCounterAuthPolicies) {
 		return nil, keyDataError{errors.New("unexpected number of OR policy digests for PCR policy counter")}
 	}
@@ -188,9 +187,13 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 		}
 	}
 
-	trial = util.ComputeAuthPolicy(pcrPolicyCounterPub.NameAlg)
-	trial.PolicyOR(pcrPolicyCounterAuthPolicies)
-	if !bytes.Equal(pcrPolicyCounterPub.AuthPolicy, trial.GetDigest()) {
+	builder = policyutil.NewPolicyBuilder(pcrPolicyCounterPub.NameAlg)
+	builder.RootBranch().PolicyOR(pcrPolicyCounterAuthPolicies...)
+	expectedDigest, err = builder.Digest()
+	if err != nil {
+		return nil, keyDataError{fmt.Errorf("cannot compute expected PCR policy counter authorization policy digest: %w", err)}
+	}
+	if !bytes.Equal(pcrPolicyCounterPub.AuthPolicy, expectedDigest) {
 		return nil, keyDataError{errors.New("PCR policy counter has unexpected authorization policy")}
 	}
 

tpm2/keydata_v0_test.go

@@ -25,9 +25,8 @@ import (
 
 	"github.com/canonical/go-tpm2"
 	"github.com/canonical/go-tpm2/mu"
-	"github.com/canonical/go-tpm2/templates"
+	"github.com/canonical/go-tpm2/objectutil"
 	tpm2_testutil "github.com/canonical/go-tpm2/testutil"
-	"github.com/canonical/go-tpm2/util"
 
 	. "gopkg.in/check.v1"
 
@@ -63,11 +62,12 @@ func (s *keyDataV0Suite) newMockKeyData(c *C, pcrPolicyCounterHandle tpm2.Handle
 	authKey, err := rsa.GenerateKey(testutil.RandReader, 2048)
 	c.Assert(err, IsNil)
 
-	authKeyPublic := util.NewExternalRSAPublicKeyWithDefaults(templates.KeyUsageSign, &authKey.PublicKey)
+	authKeyPublic, err := objectutil.NewRSAPublicKey(&authKey.PublicKey)
+	c.Assert(err, IsNil)
 	mu.MustCopyValue(&authKeyPublic, authKeyPublic)
 
 	// Create a mock PCR policy counter
-	policyCounter, count, policyCounterPolicies := s.createMockPcrPolicyCounter(c, pcrPolicyCounterHandle, authKeyPublic.Name())
+	policyCounter, count, policyCounterPolicies := s.createMockPcrPolicyCounter(c, pcrPolicyCounterHandle, authKeyPublic)
 
 	// Create sealed object
 	secret := []byte("secret data")
@@ -139,7 +139,7 @@ func (s *keyDataV0Suite) TestValidateOK2(c *C) {
 func (s *keyDataV0Suite) TestValidateNoLockIndex(c *C) {
 	data, _ := s.newMockKeyData(c, s.NextAvailableHandle(c, 0x01800000))
 
-	index, err := s.TPM().CreateResourceContextFromTPM(LockNVHandle)
+	index, err := s.TPM().NewResourceContext(LockNVHandle)
 	c.Assert(err, IsNil)
 	c.Check(s.TPM().NVUndefineSpace(s.TPM().OwnerHandleContext(), index, nil), IsNil)
 
@@ -155,7 +155,7 @@ func (s *keyDataV0Suite) TestValidateInvalidAuthPublicKeyNameAlg(c *C) {
 
 	_, err := data.ValidateData(s.TPM().TPMContext, nil)
 	c.Check(err, testutil.ConvertibleTo, KeyDataError{})
-	c.Check(err, ErrorMatches, "cannot compute name of dynamic authorization policy key: unsupported name algorithm or algorithm not linked into binary: TPM_ALG_NULL")
+	c.Check(err, ErrorMatches, "cannot compute expected static authorization policy digest: could not build policy: encountered an error when calling PolicyAuthorize: invalid keySign")
 }
 
 func (s *keyDataV0Suite) TestValidateInvalidAuthPublicKeyType(c *C) {
@@ -194,7 +194,7 @@ func (s *keyDataV0Suite) TestValidateInvalidPolicyCounterHandle(c *C) {
 func (s *keyDataV0Suite) TestValidateNoPolicyCounter(c *C) {
 	data, _ := s.newMockKeyData(c, s.NextAvailableHandle(c, 0x01800000))
 
-	index, err := s.TPM().CreateResourceContextFromTPM(data.Policy().PCRPolicyCounterHandle())
+	index, err := s.TPM().NewResourceContext(data.Policy().PCRPolicyCounterHandle())
 	c.Assert(err, IsNil)
 	c.Check(s.TPM().NVUndefineSpace(s.TPM().OwnerHandleContext(), index, nil), IsNil)
 
@@ -218,7 +218,9 @@ func (s *keyDataV0Suite) TestValidateWrongAuthKey(c *C) {
 
 	authKey, err := rsa.GenerateKey(testutil.RandReader, 2048)
 	c.Assert(err, IsNil)
-	data.(*KeyData_v0).PolicyData.StaticData.AuthPublicKey = util.NewExternalRSAPublicKeyWithDefaults(templates.KeyUsageSign, &authKey.PublicKey)
+	authPublicKey, err := objectutil.NewRSAPublicKey(&authKey.PublicKey)
+	c.Assert(err, IsNil)
+	data.(*KeyData_v0).PolicyData.StaticData.AuthPublicKey = authPublicKey
 
 	_, err = data.ValidateData(s.TPM().TPMContext, nil)
 	c.Check(err, testutil.ConvertibleTo, KeyDataError{})
@@ -228,7 +230,7 @@ func (s *keyDataV0Suite) TestValidateWrongAuthKey(c *C) {
 func (s *keyDataV0Suite) TestValidateWrongPolicyCounter(c *C) {
 	data, _ := s.newMockKeyData(c, s.NextAvailableHandle(c, 0x01800000))
 
-	index, err := s.TPM().CreateResourceContextFromTPM(data.Policy().PCRPolicyCounterHandle())
+	index, err := s.TPM().NewResourceContext(data.Policy().PCRPolicyCounterHandle())
 	handle := index.Handle()
 	c.Assert(err, IsNil)
 	c.Check(s.TPM().NVUndefineSpace(s.TPM().OwnerHandleContext(), index, nil), IsNil)
@@ -248,7 +250,7 @@ func (s *keyDataV0Suite) TestValidateWrongPolicyCounter(c *C) {
 func (s *keyDataV0Suite) TestValidateWrongLockIndex(c *C) {
 	data, _ := s.newMockKeyData(c, s.NextAvailableHandle(c, 0x01800000))
 
-	index, err := s.TPM().CreateResourceContextFromTPM(LockNVHandle)
+	index, err := s.TPM().NewResourceContext(LockNVHandle)
 	c.Assert(err, IsNil)
 	c.Check(s.TPM().NVUndefineSpace(s.TPM().OwnerHandleContext(), index, nil), IsNil)