tpm2: Stop using deprecated APIs

PR canonical#357 migrated the tpm2 code to using the new tpm2.TPMDevice
abstraction for opening TPM connections.

The go-tpm2 package contains some other deprecated APIs, and in some
cases, entire packages have been deprecated (crypto, templates, util).
These have been replaced by alternative APIs, and ithe util package,
which was a bit of a dumping ground for APIs that had nowhere else to
go, has been split into more focused packages.

This ports secboot to using updated APIs. It's just a straight port for
now - we may want to refactor some code to make better use of these APIs
in future PRs.

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/canonical/go-efilib v1.4.1
 	github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0
 	github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3
-	github.com/canonical/go-tpm2 v1.10.1
+	github.com/canonical/go-tpm2 v1.11.1
 	github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981
 	github.com/snapcore/snapd v0.0.0-20220714152900-4a1f4c93fc85
 	golang.org/x/crypto v0.21.0

go.sum

@@ -11,8 +11,8 @@ github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0/go.mod
 github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 h1:oe6fCvaEpkhyW3qAicT0TnGtyht/UrgvOwMcEgLb7Aw=
 github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3/go.mod h1:qdP0gaj0QtgX2RUZhnlVrceJ+Qln8aSlDyJwelLLFeM=
 github.com/canonical/go-tpm2 v0.0.0-20210827151749-f80ff5afff61/go.mod h1:vG41hdbBjV4+/fkubTT1ENBBqSkLwLr7mCeW9Y6kpZY=
-github.com/canonical/go-tpm2 v1.10.1 h1:TtCuiJLX5sU8GNIxEycnc51CzsDd3nXUUkin3/My9gg=
-github.com/canonical/go-tpm2 v1.10.1/go.mod h1:zK+qESVwu78XyX+NPhiBdN+zwPPDoKk4rYlQ7VUsRp4=
+github.com/canonical/go-tpm2 v1.11.1 h1:RivdSXfBWWW+eFaFNYQby5+kVgY4km9eEayot1wX/qU=
+github.com/canonical/go-tpm2 v1.11.1/go.mod h1:zK+qESVwu78XyX+NPhiBdN+zwPPDoKk4rYlQ7VUsRp4=
 github.com/canonical/tcglog-parser v0.0.0-20210824131805-69fa1e9f0ad2/go.mod h1:QoW2apR2tBl6T/4czdND/EHjL1Ia9cCmQnIj9Xe0Kt8=
 github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981 h1:vrUzSfbhl8mzdXPzjxq4jXZPCCNLv18jy6S7aVTS2tI=
 github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981/go.mod h1:ywdPBqUGkuuiitPpVWCfilf2/gq+frhq4CNiNs9KyHU=

tpm2/export_test.go

@@ -127,13 +127,13 @@ type PcrPolicyData_v3 = pcrPolicyData_v3
 
 type PcrPolicyParams = pcrPolicyParams
 
-func NewPcrPolicyParams(key secboot.PrimaryKey, pcrs tpm2.PCRSelectionList, pcrDigests tpm2.DigestList, policyCounterName tpm2.Name, policySequence uint64) *PcrPolicyParams {
+func NewPcrPolicyParams(key secboot.PrimaryKey, pcrs tpm2.PCRSelectionList, pcrDigests tpm2.DigestList, policyCounter *tpm2.NVPublic, policySequence uint64) *PcrPolicyParams {
 	return &PcrPolicyParams{
-		key:               key,
-		pcrs:              pcrs,
-		pcrDigests:        pcrDigests,
-		policyCounterName: policyCounterName,
-		policySequence:    policySequence,
+		key:            key,
+		pcrs:           pcrs,
+		pcrDigests:     pcrDigests,
+		policyCounter:  policyCounter,
+		policySequence: policySequence,
 	}
 }
 

tpm2/key_sealer.go

@@ -20,9 +20,10 @@
 package tpm2
 
 import (
+	"crypto/rand"
+
 	"github.com/canonical/go-tpm2"
-	"github.com/canonical/go-tpm2/templates"
-	"github.com/canonical/go-tpm2/util"
+	"github.com/canonical/go-tpm2/objectutil"
 
 	"golang.org/x/xerrors"
 )
@@ -77,12 +78,17 @@ func (s *sealedObjectKeySealer) CreateSealedObject(data []byte, nameAlg tpm2.Has
 	sensitive := tpm2.SensitiveCreate{Data: data}
 
 	// Define the template
-	template := templates.NewSealedObject(nameAlg)
-	template.Attrs &^= tpm2.AttrUserWithAuth
+	opts := []objectutil.PublicTemplateOption{
+		objectutil.WithNameAlg(nameAlg),
+		objectutil.WithUserAuthMode(objectutil.RequirePolicy),
+		objectutil.WithAuthPolicy(policy),
+	}
 	if noDA {
-		template.Attrs |= tpm2.AttrNoDA
+		opts = append(opts, objectutil.WithoutDictionaryAttackProtection())
+	} else {
+		opts = append(opts, objectutil.WithDictionaryAttackProtection())
 	}
-	template.AuthPolicy = policy
+	template := objectutil.NewSealedObjectTemplate(opts...)
 
 	// Now create the sealed key object. The command is integrity protected so if the object
 	// at the handle we expect the SRK to reside at has a different name (ie, if we're
@@ -105,15 +111,23 @@ type importableObjectKeySealer struct {
 }
 
 func (s *importableObjectKeySealer) CreateSealedObject(data []byte, nameAlg tpm2.HashAlgorithmId, policy tpm2.Digest, noDA bool) (tpm2.Private, *tpm2.Public, tpm2.EncryptedSecret, error) {
-	pub, sensitive := util.NewExternalSealedObject(nameAlg, nil, data)
-	pub.Attrs &^= tpm2.AttrUserWithAuth
+	opts := []objectutil.PublicTemplateOption{
+		objectutil.WithNameAlg(nameAlg),
+		objectutil.WithUserAuthMode(objectutil.RequirePolicy),
+		objectutil.WithAuthPolicy(policy),
+	}
 	if noDA {
-		pub.Attrs |= tpm2.AttrNoDA
+		opts = append(opts, objectutil.WithoutDictionaryAttackProtection())
+	} else {
+		opts = append(opts, objectutil.WithDictionaryAttackProtection())
+	}
+	pub, sensitive, err := objectutil.NewSealedObject(rand.Reader, data, nil, opts...)
+	if err != nil {
+		return nil, nil, nil, xerrors.Errorf("cannot create external sealed object: %w", err)
 	}
-	pub.AuthPolicy = policy
 
 	// Now create the importable sealed key object (duplication object).
-	_, priv, importSymSeed, err := util.CreateDuplicationObject(sensitive, pub, s.tpmKey, nil, nil)
+	_, priv, importSymSeed, err := objectutil.CreateImportable(rand.Reader, sensitive, pub, s.tpmKey, nil, nil)
 	if err != nil {
 		return nil, nil, nil, xerrors.Errorf("cannot create duplication object: %w", err)
 	}

tpm2/key_sealer_test.go

@@ -23,8 +23,9 @@ import (
 	"crypto/rsa"
 
 	"github.com/canonical/go-tpm2"
+	"github.com/canonical/go-tpm2/objectutil"
+	"github.com/canonical/go-tpm2/policyutil"
 	tpm2_testutil "github.com/canonical/go-tpm2/testutil"
-	"github.com/canonical/go-tpm2/util"
 
 	. "gopkg.in/check.v1"
 
@@ -85,7 +86,7 @@ func (s *sealedObjectKeySealerSuite) testCreateSealedObject(c *C, data *testCrea
 					Scheme:  tpm2.KeyedHashSchemeNull,
 					Details: &tpm2.SchemeKeyedHashU{}}}})
 
-	srk, err := s.TPM().CreateResourceContextFromTPM(tcg.SRKHandle)
+	srk, err := s.TPM().NewResourceContext(tcg.SRKHandle)
 	c.Assert(err, IsNil)
 
 	k, err := s.TPM().Load(srk, priv, pub, nil)
@@ -119,7 +120,7 @@ func (s *sealedObjectKeySealerSuite) TestCreateSealedObjectWithNewConnection(c *
 }
 
 func (s *sealedObjectKeySealerSuite) TestCreateSealedObjectMissingSRK(c *C) {
-	srk, err := s.TPM().CreateResourceContextFromTPM(tcg.SRKHandle)
+	srk, err := s.TPM().NewResourceContext(tcg.SRKHandle)
 	c.Assert(err, IsNil)
 	s.EvictControl(c, tpm2.HandleOwner, srk, srk.Handle())
 
@@ -152,16 +153,18 @@ func (s *sealedObjectKeySealerSuite) TestCreateSealedObjectDifferentNameAlg(c *C
 }
 
 func (s *sealedObjectKeySealerSuite) TestCreateSealedObjectDifferentPolicy(c *C) {
-	trial := util.ComputeAuthPolicy(tpm2.HashAlgorithmSHA256)
-	trial.PolicyAuthValue()
+	builder := policyutil.NewPolicyBuilder(tpm2.HashAlgorithmSHA256)
+	builder.RootBranch().PolicyAuthValue()
+	digest, err := builder.Digest()
+	c.Check(err, IsNil)
 
 	session := s.StartAuthSession(c, nil, nil, tpm2.SessionTypePolicy, nil, tpm2.HashAlgorithmSHA256)
 	c.Check(s.TPM().PolicyAuthValue(session), IsNil)
 
 	s.testCreateSealedObject(c, &testCreateSealedObjectData{
 		data:         []byte("foo"),
 		nameAlg:      tpm2.HashAlgorithmSHA256,
-		policyDigest: trial.GetDigest(),
+		policyDigest: digest,
 		noDA:         true,
 		session:      session})
 }
@@ -203,7 +206,7 @@ func (s *importableObjectKeySealerSuite) testCreateSealedObject(c *C, data *test
 			KeyedHashDetail: &tpm2.KeyedHashParams{
 				Scheme: tpm2.KeyedHashScheme{Scheme: tpm2.KeyedHashSchemeNull}}})
 
-	sensitive, err := util.UnwrapDuplicationObject(priv, pub, key, srk.NameAlg, &srk.Params.RSADetail.Symmetric, importSymSeed, nil, nil)
+	sensitive, err := objectutil.UnwrapDuplicated(priv, pub, key, srk.NameAlg, &srk.Params.RSADetail.Symmetric, importSymSeed, nil, nil)
 	c.Assert(err, IsNil)
 
 	c.Check(sensitive.Type, Equals, tpm2.ObjectTypeKeyedHash)
@@ -236,13 +239,15 @@ func (s *importableObjectKeySealerSuite) TestCreateSealedObjectiDifferentNameAlg
 }
 
 func (s *importableObjectKeySealerSuite) TestCreateSealedObjectWithDifferentPolicy(c *C) {
-	trial := util.ComputeAuthPolicy(tpm2.HashAlgorithmSHA256)
-	trial.PolicyAuthValue()
+	builder := policyutil.NewPolicyBuilder(tpm2.HashAlgorithmSHA256)
+	builder.RootBranch().PolicyAuthValue()
+	digest, err := builder.Digest()
+	c.Check(err, IsNil)
 
 	s.testCreateSealedObject(c, &testCreateSealedObjectData{
 		data:         []byte("foo"),
 		nameAlg:      tpm2.HashAlgorithmSHA256,
-		policyDigest: trial.GetDigest(),
+		policyDigest: digest,
 		noDA:         true})
 }
 

tpm2/keydata.go

@@ -193,7 +193,7 @@ func (k *sealedKeyDataBase) validateData(tpm *tpm2.TPMContext, role string) (*tp
 		return nil, keyDataError{errors.New("sealed key object has the wrong attributes")}
 	}
 
-	srk, err := tpm.CreateResourceContextFromTPM(tcg.SRKHandle)
+	srk, err := tpm.NewResourceContext(tcg.SRKHandle)
 	if err != nil {
 		return nil, xerrors.Errorf("cannot create context for SRK: %w", err)
 	}

tpm2/keydata_v0.go

@@ -27,7 +27,7 @@ import (
 
 	"github.com/canonical/go-tpm2"
 	"github.com/canonical/go-tpm2/mu"
-	"github.com/canonical/go-tpm2/util"
+	"github.com/canonical/go-tpm2/policyutil"
 	"github.com/snapcore/secboot"
 
 	"golang.org/x/xerrors"
@@ -107,7 +107,7 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 	}
 
 	// Obtain the name of the legacy lock NV index.
-	lockNV, err := tpm.CreateResourceContextFromTPM(lockNVHandle)
+	lockNV, err := tpm.NewResourceContext(lockNVHandle)
 	if err != nil {
 		if tpm2.IsResourceUnavailableError(err, lockNVHandle) {
 			return nil, keyDataError{errors.New("lock NV index is unavailable")}
@@ -119,26 +119,18 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 		return nil, xerrors.Errorf("cannot read public area of lock NV index: %w", err)
 	}
 	lockNVPub.Attrs &^= tpm2.AttrNVReadLocked
-	lockNVName, err := lockNVPub.ComputeName()
-	if err != nil {
-		return nil, xerrors.Errorf("cannot compute name of lock NV index: %w", err)
-	}
 
 	// Validate the type and scheme of the dynamic authorization policy signing key.
 	authPublicKey := d.PolicyData.StaticData.AuthPublicKey
-	authKeyName, err := authPublicKey.ComputeName()
-	if err != nil {
-		return nil, keyDataError{xerrors.Errorf("cannot compute name of dynamic authorization policy key: %w", err)}
-	}
 	if authPublicKey.Type != tpm2.ObjectTypeRSA {
 		return nil, keyDataError{errors.New("public area of dynamic authorization policy signing key has the wrong type")}
 	}
-	authKeyScheme := authPublicKey.Params.AsymDetail(authPublicKey.Type).Scheme
+	authKeyScheme := authPublicKey.AsymDetail().Scheme
 	if authKeyScheme.Scheme != tpm2.AsymSchemeNull {
 		if authKeyScheme.Scheme != tpm2.AsymSchemeRSAPSS {
 			return nil, keyDataError{errors.New("dynamic authorization policy signing key has unexpected scheme")}
 		}
-		if authKeyScheme.Details.Any(authKeyScheme.Scheme).HashAlg != authPublicKey.NameAlg {
+		if authKeyScheme.AnyDetails().HashAlg != authPublicKey.NameAlg {
 			return nil, keyDataError{errors.New("dynamic authorization policy signing key algorithm must match name algorithm")}
 		}
 	}
@@ -148,7 +140,7 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 	if pcrPolicyCounterHandle.Type() != tpm2.HandleTypeNVIndex {
 		return nil, keyDataError{errors.New("PCR policy counter handle is invalid")}
 	}
-	pcrPolicyCounter, err := tpm.CreateResourceContextFromTPM(pcrPolicyCounterHandle)
+	pcrPolicyCounter, err := tpm.NewResourceContext(pcrPolicyCounterHandle)
 	if err != nil {
 		if tpm2.IsResourceUnavailableError(err, pcrPolicyCounterHandle) {
 			return nil, keyDataError{errors.New("PCR policy counter is unavailable")}
@@ -160,12 +152,16 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 	if !d.KeyPublic.NameAlg.Available() {
 		return nil, keyDataError{errors.New("cannot determine if static authorization policy matches sealed key object: algorithm unavailable")}
 	}
-	trial := util.ComputeAuthPolicy(d.KeyPublic.NameAlg)
-	trial.PolicyAuthorize(nil, authKeyName)
-	trial.PolicySecret(pcrPolicyCounter.Name(), nil)
-	trial.PolicyNV(lockNVName, nil, 0, tpm2.OpEq)
+	builder := policyutil.NewPolicyBuilder(d.KeyPublic.NameAlg)
+	builder.RootBranch().PolicyAuthorize(nil, authPublicKey)
+	builder.RootBranch().PolicySecret(pcrPolicyCounter, nil)
+	builder.RootBranch().PolicyNV(lockNVPub, nil, 0, tpm2.OpEq)
+	expectedDigest, err := builder.Digest()
+	if err != nil {
+		return nil, keyDataError{fmt.Errorf("cannot compute expected static authorization policy digest: %w", err)}
+	}
 
-	if !bytes.Equal(trial.GetDigest(), d.KeyPublic.AuthPolicy) {
+	if !bytes.Equal(expectedDigest, d.KeyPublic.AuthPolicy) {
 		return nil, keyDataError{errors.New("the sealed key object's authorization policy is inconsistent with the associated metadata or persistent TPM resources")}
 	}
 
@@ -178,7 +174,10 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 		return nil, keyDataError{errors.New("cannot determine if PCR policy counter has a valid authorization policy: algorithm unavailable")}
 	}
 	pcrPolicyCounterAuthPolicies := d.PolicyData.StaticData.PCRPolicyCounterAuthPolicies
-	expectedPCRPolicyCounterAuthPolicies := computeV0PinNVIndexPostInitAuthPolicies(pcrPolicyCounterPub.NameAlg, authKeyName)
+	expectedPCRPolicyCounterAuthPolicies, err := computeV0PinNVIndexPostInitAuthPolicies(pcrPolicyCounterPub.NameAlg, authPublicKey)
+	if err != nil {
+		return nil, keyDataError{fmt.Errorf("cannot compute OR policy digests for PCR policy counter: %w", err)}
+	}
 	if len(pcrPolicyCounterAuthPolicies)-1 != len(expectedPCRPolicyCounterAuthPolicies) {
 		return nil, keyDataError{errors.New("unexpected number of OR policy digests for PCR policy counter")}
 	}
@@ -188,9 +187,13 @@ func (d *keyData_v0) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 		}
 	}
 
-	trial = util.ComputeAuthPolicy(pcrPolicyCounterPub.NameAlg)
-	trial.PolicyOR(pcrPolicyCounterAuthPolicies)
-	if !bytes.Equal(pcrPolicyCounterPub.AuthPolicy, trial.GetDigest()) {
+	builder = policyutil.NewPolicyBuilder(pcrPolicyCounterPub.NameAlg)
+	builder.RootBranch().PolicyOR(pcrPolicyCounterAuthPolicies...)
+	expectedDigest, err = builder.Digest()
+	if err != nil {
+		return nil, keyDataError{fmt.Errorf("cannot compute expected PCR policy counter authorization policy digest: %w", err)}
+	}
+	if !bytes.Equal(pcrPolicyCounterPub.AuthPolicy, expectedDigest) {
 		return nil, keyDataError{errors.New("PCR policy counter has unexpected authorization policy")}
 	}
 

tpm2/keydata_v0_test.go

@@ -25,9 +25,8 @@ import (
 
 	"github.com/canonical/go-tpm2"
 	"github.com/canonical/go-tpm2/mu"
-	"github.com/canonical/go-tpm2/templates"
+	"github.com/canonical/go-tpm2/objectutil"
 	tpm2_testutil "github.com/canonical/go-tpm2/testutil"
-	"github.com/canonical/go-tpm2/util"
 
 	. "gopkg.in/check.v1"
 
@@ -63,11 +62,12 @@ func (s *keyDataV0Suite) newMockKeyData(c *C, pcrPolicyCounterHandle tpm2.Handle
 	authKey, err := rsa.GenerateKey(testutil.RandReader, 2048)
 	c.Assert(err, IsNil)
 
-	authKeyPublic := util.NewExternalRSAPublicKeyWithDefaults(templates.KeyUsageSign, &authKey.PublicKey)
+	authKeyPublic, err := objectutil.NewRSAPublicKey(&authKey.PublicKey)
+	c.Assert(err, IsNil)
 	mu.MustCopyValue(&authKeyPublic, authKeyPublic)
 
 	// Create a mock PCR policy counter
-	policyCounter, count, policyCounterPolicies := s.createMockPcrPolicyCounter(c, pcrPolicyCounterHandle, authKeyPublic.Name())
+	policyCounter, count, policyCounterPolicies := s.createMockPcrPolicyCounter(c, pcrPolicyCounterHandle, authKeyPublic)
 
 	// Create sealed object
 	secret := []byte("secret data")
@@ -139,7 +139,7 @@ func (s *keyDataV0Suite) TestValidateOK2(c *C) {
 func (s *keyDataV0Suite) TestValidateNoLockIndex(c *C) {
 	data, _ := s.newMockKeyData(c, s.NextAvailableHandle(c, 0x01800000))
 
-	index, err := s.TPM().CreateResourceContextFromTPM(LockNVHandle)
+	index, err := s.TPM().NewResourceContext(LockNVHandle)
 	c.Assert(err, IsNil)
 	c.Check(s.TPM().NVUndefineSpace(s.TPM().OwnerHandleContext(), index, nil), IsNil)
 
@@ -155,7 +155,7 @@ func (s *keyDataV0Suite) TestValidateInvalidAuthPublicKeyNameAlg(c *C) {
 
 	_, err := data.ValidateData(s.TPM().TPMContext, nil)
 	c.Check(err, testutil.ConvertibleTo, KeyDataError{})
-	c.Check(err, ErrorMatches, "cannot compute name of dynamic authorization policy key: unsupported name algorithm or algorithm not linked into binary: TPM_ALG_NULL")
+	c.Check(err, ErrorMatches, "cannot compute expected static authorization policy digest: could not build policy: encountered an error when calling PolicyAuthorize: invalid keySign")
 }
 
 func (s *keyDataV0Suite) TestValidateInvalidAuthPublicKeyType(c *C) {
@@ -194,7 +194,7 @@ func (s *keyDataV0Suite) TestValidateInvalidPolicyCounterHandle(c *C) {
 func (s *keyDataV0Suite) TestValidateNoPolicyCounter(c *C) {
 	data, _ := s.newMockKeyData(c, s.NextAvailableHandle(c, 0x01800000))
 
-	index, err := s.TPM().CreateResourceContextFromTPM(data.Policy().PCRPolicyCounterHandle())
+	index, err := s.TPM().NewResourceContext(data.Policy().PCRPolicyCounterHandle())
 	c.Assert(err, IsNil)
 	c.Check(s.TPM().NVUndefineSpace(s.TPM().OwnerHandleContext(), index, nil), IsNil)
 
@@ -218,7 +218,9 @@ func (s *keyDataV0Suite) TestValidateWrongAuthKey(c *C) {
 
 	authKey, err := rsa.GenerateKey(testutil.RandReader, 2048)
 	c.Assert(err, IsNil)
-	data.(*KeyData_v0).PolicyData.StaticData.AuthPublicKey = util.NewExternalRSAPublicKeyWithDefaults(templates.KeyUsageSign, &authKey.PublicKey)
+	authPublicKey, err := objectutil.NewRSAPublicKey(&authKey.PublicKey)
+	c.Assert(err, IsNil)
+	data.(*KeyData_v0).PolicyData.StaticData.AuthPublicKey = authPublicKey
 
 	_, err = data.ValidateData(s.TPM().TPMContext, nil)
 	c.Check(err, testutil.ConvertibleTo, KeyDataError{})
@@ -228,7 +230,7 @@ func (s *keyDataV0Suite) TestValidateWrongAuthKey(c *C) {
 func (s *keyDataV0Suite) TestValidateWrongPolicyCounter(c *C) {
 	data, _ := s.newMockKeyData(c, s.NextAvailableHandle(c, 0x01800000))
 
-	index, err := s.TPM().CreateResourceContextFromTPM(data.Policy().PCRPolicyCounterHandle())
+	index, err := s.TPM().NewResourceContext(data.Policy().PCRPolicyCounterHandle())
 	handle := index.Handle()
 	c.Assert(err, IsNil)
 	c.Check(s.TPM().NVUndefineSpace(s.TPM().OwnerHandleContext(), index, nil), IsNil)
@@ -248,7 +250,7 @@ func (s *keyDataV0Suite) TestValidateWrongPolicyCounter(c *C) {
 func (s *keyDataV0Suite) TestValidateWrongLockIndex(c *C) {
 	data, _ := s.newMockKeyData(c, s.NextAvailableHandle(c, 0x01800000))
 
-	index, err := s.TPM().CreateResourceContextFromTPM(LockNVHandle)
+	index, err := s.TPM().NewResourceContext(LockNVHandle)
 	c.Assert(err, IsNil)
 	c.Check(s.TPM().NVUndefineSpace(s.TPM().OwnerHandleContext(), index, nil), IsNil)