
List:       trousers-tech
Subject:    Re: [TrouSerS-tech] [RFC 0/1] TPM2 engine support for openssl
From:       James Bottomley <James.Bottomley () HansenPartnership ! com>
Date:       2016-12-22 16:42:10
Message-ID: 1482424930.2415.35.camel () HansenPartnership ! com

[openssl-dev cut; they're likely not interested in this]
On Wed, 2016-12-21 at 20:55 -0800, James Bottomley wrote:
> There's also another problem in that a primary asymmetric key of the 
> SPS must be provisioned every time we perform this operation (which 
> is time consuming and annoying).  I think we need to do something 
> about this under Linux, but I'll take that off the openssl list 
> because they likely won't be interested.

I talked to Microsoft about what they do.  Apparently there is an
unpublished TPM 2.0 provisioning guide which specifies how the SRK
should be handled, and a published one for the EK:

http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf

the SRK template is identical to the EK one except that

userWithAuth = 1
adminWithPolicy = 0
noDA = 1
authPolicy = empty policy

The persistent handles for these two are EK: 0x81010001; SRK:
0x81000001.  Conventionally the SRK is provisioned with empty auth.

I think as part of our tpm2 take ownership, we should provision the
owner and lockout auth and create these two primary objects if they
don't already exist.

That would mean I can get rid of the primary object stuff in my tpm2
engine code and simply look for the well known handle.

James
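As an added illustration (not code from the mail or from the tpm2 engine it discusses), this script applies the four SRK deltas listed above to an EK template, derives the resulting TPMA_OBJECT attribute word, checks the template for a role that could never be satisfied, and classifies the two well-known persistent handles. It assumes the TPMA_OBJECT bit positions from TPM 2.0 Library Part 2 and the EK attribute set from the EK Credential Profile (neither is spelled out in the mail); the EK policy digest is a constructed placeholder, not the real value.

```python
# TPMA_OBJECT bit positions (TPM 2.0 Library, Part 2, TPMA_OBJECT).
TPMA = {
    "fixedTPM": 1 << 1, "stClear": 1 << 2, "fixedParent": 1 << 4,
    "sensitiveDataOrigin": 1 << 5, "userWithAuth": 1 << 6,
    "adminWithPolicy": 1 << 7, "noDA": 1 << 10,
    "encryptedDuplication": 1 << 11, "restricted": 1 << 16,
    "decrypt": 1 << 17, "sign": 1 << 18,
}

# Well-known persistent handles named in the mail.
EK_HANDLE = 0x81010001
SRK_HANDLE = 0x81000001


def attrs(*names):
    """OR together the named TPMA_OBJECT bits."""
    v = 0
    for n in names:
        v |= TPMA[n]
    return v


# EK attribute set per the EK Credential Profile (assumption, not from the mail):
# fixedTPM | fixedParent | sensitiveDataOrigin | adminWithPolicy | restricted | decrypt
EK_ATTRS = attrs("fixedTPM", "fixedParent", "sensitiveDataOrigin",
                 "adminWithPolicy", "restricted", "decrypt")
EK_POLICY = bytes.fromhex("11" * 32)  # constructed placeholder digest


def srk_template_from_ek(ek_attrs, ek_policy):
    """Apply the mail's deltas: userWithAuth=1, adminWithPolicy=0, noDA=1, empty policy."""
    a = (ek_attrs | TPMA["userWithAuth"] | TPMA["noDA"]) & ~TPMA["adminWithPolicy"]
    return a, b""  # authPolicy becomes empty; ek_policy is deliberately dropped


def check_template(a, auth_policy):
    """An empty authPolicy can never be satisfied, so any role that depends on it is dead."""
    problems = []
    if a & TPMA["adminWithPolicy"] and not auth_policy:
        problems.append("adminWithPolicy set but authPolicy empty: admin role unusable")
    if not a & TPMA["userWithAuth"] and not auth_policy:
        problems.append("userWithAuth clear and authPolicy empty: user role unusable")
    return problems


def classify_handle(h):
    """Persistent handles carry MSO 0x81; match the two handles the mail names."""
    if h >> 24 != 0x81:
        return "not persistent"
    return {SRK_HANDLE: "SRK", EK_HANDLE: "EK"}.get(h, "persistent (other)")
```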

_______________________________________________
TrouSerS-tech mailing list
TrouSerS-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/trousers-tech