From: James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
To: tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
trousers-tech-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
ibmtpm20tss-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: [RFC 0/1] TPM2 engine support for openssl
Date: Thu, 22 Dec 2016 08:42:10 -0800 [thread overview]
Message-ID: <1482424930.2415.35.camel@HansenPartnership.com> (raw)
In-Reply-To: <1482382526.2350.57.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
[openssl-dev cut; they're likely not interested in this]
On Wed, 2016-12-21 at 20:55 -0800, James Bottomley wrote:
> There's also another problem in that a primary asymmetric key of the
> SPS must be provisioned every time we perform this operation (which
> is time consuming and annoying). I think we need to do something
> about this under Linux, but I'll take that off the openssl list
> because they likely won't be interested.
I talked to Microsoft about what they do. Apparently there is an
unpublished TPM 2.0 provisioning guide which specifies how the SRK
should be handled, and a published one for the EK:
http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
the SRK template is identical to the EK one except that
userWithAuth = 1
adminWithPolicy = 0
noDA = 1
authPolicy = empty policy
The persistent handles for these two are EK: 0x81010001; SRK:
0x81000001. Conventionally the SRK is provisioned with empty auth.
I think as part of our tpm2 take ownership, we should provision the
owner and lockout auth and create these two primary objects if they
don't already exist.
That would mean I can get rid of the primary object stuff in my tpm2
engine code and simply look for the well known handle.
James
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/intel
prev parent reply other threads:[~2016-12-22 16:42 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-22 4:55 [RFC 0/1] TPM2 engine support for openssl James Bottomley
2016-12-22 4:56 ` [RFC 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine James Bottomley
[not found] ` <1482382526.2350.57.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-12-22 16:42 ` James Bottomley [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1482424930.2415.35.camel@HansenPartnership.com \
--to=james.bottomley-d9phhud1jfjcxq6kfmz53/egyhegw8jk@public.gmane.org \
--cc=ibmtpm20tss-users-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
--cc=tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
--cc=trousers-tech-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.