From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Tom Lendacky <thomas.lendacky@amd.com>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
"amd-sev-snp@lists.suse.com" <amd-sev-snp@lists.suse.com>
Subject: Re: SVSM Attestation and vTPM specification additions - v0.60
Date: Wed, 11 Jan 2023 09:56:27 -0500 [thread overview]
Message-ID: <48a2dfb1e8618c0032b9285d2fa33db462c30a90.camel@HansenPartnership.com> (raw)
In-Reply-To: <73a7ef36-2613-e75c-8f30-f2166c2a346f@amd.com>
On Wed, 2023-01-11 at 08:49 -0600, Tom Lendacky wrote:
> On 1/10/23 17:09, James Bottomley wrote:
> > On Tue, 2023-01-10 at 17:00 -0600, Tom Lendacky wrote:
> > > A GUID still works, though, to describe that the TPMT_PUBLIC
> > > supplied is for the EK - unless you want to go with the known
> > > handles, e.g. 0x81010001 for the EK RSA handle or 0x81010002 for
> > > the EK EC handle, etc.
> >
> > You should probably use the hierarchy handle for that case:
> > 0x40000001 for the Owner (storage) seed and 0x40000006 for the
> > endorsement seed.
>
> Looking at the spec, do you mean 0x4000000B for the endorsement seed?
>
> Table 28 of the TPM 2.0 Structures document has TPM_RH_EK
> (0x40000006) as "not used", but TPM_RH_ENDORSEMENT (0x4000000B) as
> "references the Endorsement Primary Seed (EPS), endorsementAuth, and
> endorsementPolicy"
Yes, probably ... I don't really ever use it except as input to the
command line tsscreateprimary -hi e or create_tpm2_key --parent
endorsement.
But I still say don't bother: the endorsement key is all that needs to
be attested because there are well known processes to use it to attest
every other TPM key. If you're using the SVSM vTPM because you care
about measurements, you need the endorsement key not the storage key
(you only need the latter if you're inserting other keys).
James
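As an added example, not code from the thread or from the SVSM project, the following Python shows the two things this exchange turns on: which hierarchy a handle such as 0x4000000B or 0x81010001 actually names (the top byte of a TPM 2.0 handle is its TPM_HT type, and TPM_RH_EK 0x40000006 is the "not used" entry Tom points at in Table 28), and how the TPMT_PUBLIC an SVSM vTPM would return is parsed and turned into the object Name that the usual EK-based credential activation binds to. Assumptions: the per-hierarchy persistent ranges come from the TCG handle registry rather than from the thread; the EK blob is built locally in the shape of the TCG default RSA-2048 EK template with a constructed modulus; only RSA and ECC publics with a NULL or hash-bearing scheme are parsed; and all function names (`hierarchy_for_handle`, `parse_tpmt_public`, `tpm_name`, `build_rsa_ek_public`, `demo`) are illustrative.

```python
"""Decode TPM 2.0 handles to the hierarchy they name, and parse a TPMT_PUBLIC
to compute the object's Name. Constants follow TPM 2.0 Library Part 2 (Table 26
handle types, Table 28 permanent handles) and the TCG handle registry."""
import hashlib
import struct

# TPM_HT: the most significant byte of a 32-bit handle selects its type.
HANDLE_TYPES = {0x00: "pcr", 0x01: "nv_index", 0x02: "hmac_session",
                0x03: "policy_session", 0x40: "permanent",
                0x80: "transient", 0x81: "persistent"}

# TPM_RH permanent handles that name a hierarchy (Part 2, Table 28).
TPM_RH_OWNER = 0x40000001
TPM_RH_EK = 0x40000006           # Table 28 lists this one as "not used"
TPM_RH_NULL = 0x40000007
TPM_RH_ENDORSEMENT = 0x4000000B  # EPS, endorsementAuth, endorsementPolicy
TPM_RH_PLATFORM = 0x4000000C
HIERARCHY_HANDLES = {TPM_RH_OWNER: "owner", TPM_RH_ENDORSEMENT: "endorsement",
                     TPM_RH_PLATFORM: "platform", TPM_RH_NULL: "null"}

# Persistent ranges reserved per hierarchy (assumption: TCG handle registry);
# 0x81010001 (RSA EK) and 0x81010002 (ECC EK) sit in the endorsement range.
PERSISTENT_RANGES = [(0x81000000, 0x8100FFFF, "owner"),
                     (0x81010000, 0x8101FFFF, "endorsement"),
                     (0x81800000, 0x81FFFFFF, "platform")]


def handle_type(handle):
    try:
        return HANDLE_TYPES[handle >> 24]
    except KeyError:
        raise ValueError(f"unknown handle type in {handle:#010x}") from None


def hierarchy_for_handle(handle):
    """Map a permanent or persistent handle to the hierarchy it belongs to."""
    kind = handle_type(handle)
    if kind == "permanent":
        if handle == TPM_RH_EK:
            raise ValueError("TPM_RH_EK (0x40000006) is reserved; use 0x4000000B")
        if handle not in HIERARCHY_HANDLES:
            raise ValueError(f"{handle:#010x} does not name a hierarchy")
        return HIERARCHY_HANDLES[handle]
    if kind == "persistent":
        for lo, hi, name in PERSISTENT_RANGES:
            if lo <= handle <= hi:
                return name
        raise ValueError(f"persistent handle {handle:#010x} outside reserved ranges")
    raise ValueError(f"{kind} handle {handle:#010x} is not bound to a hierarchy")


TPM_ALG_RSA, TPM_ALG_ECC, TPM_ALG_RSAES = 0x0001, 0x0023, 0x0015
TPM_ALG_SHA256, TPM_ALG_NULL, TPM_ALG_AES, TPM_ALG_CFB = 0x000B, 0x0010, 0x0006, 0x0043
DIGEST_FOR_ALG = {0x0004: hashlib.sha1, 0x000B: hashlib.sha256,
                  0x000C: hashlib.sha384, 0x000D: hashlib.sha512}


class _Reader:
    """Big-endian cursor over a marshalled TPM structure."""
    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def u(self, fmt):
        val = struct.unpack_from(">" + fmt, self.buf, self.off)[0]
        self.off += struct.calcsize(fmt)
        return val

    def tpm2b(self):  # UINT16 size followed by that many bytes
        size = self.u("H")
        data = self.buf[self.off:self.off + size]
        if len(data) != size:
            raise ValueError("truncated TPM2B")
        self.off += size
        return data

    def scheme(self):  # TPMT_*_SCHEME: alg id, plus hashAlg for hash-based schemes
        alg = self.u("H")
        if alg == TPM_ALG_NULL:
            return (alg,)
        if alg == TPM_ALG_RSAES:  # RSAES carries no details; not handled here
            raise ValueError("RSAES scheme details not supported")
        return (alg, self.u("H"))


def parse_tpmt_public(buf):
    """Unmarshal an RSA or ECC TPMT_PUBLIC into a dict; rejects trailing bytes."""
    r = _Reader(buf)
    pub = {"type": r.u("H"), "nameAlg": r.u("H"),
           "attributes": r.u("I"), "authPolicy": r.tpm2b()}
    sym = r.u("H")  # TPMT_SYM_DEF_OBJECT: keyBits and mode only when not NULL
    pub["symmetric"] = (sym, r.u("H"), r.u("H")) if sym != TPM_ALG_NULL else (sym,)
    pub["scheme"] = r.scheme()
    if pub["type"] == TPM_ALG_RSA:
        pub["keyBits"], pub["exponent"] = r.u("H"), r.u("I")
        pub["unique"] = r.tpm2b()
    elif pub["type"] == TPM_ALG_ECC:
        pub["curveID"], pub["kdf"] = r.u("H"), r.scheme()
        pub["unique"] = (r.tpm2b(), r.tpm2b())  # TPMS_ECC_POINT x, y
    else:
        raise ValueError(f"unsupported TPMT_PUBLIC type {pub['type']:#06x}")
    if r.off != len(buf):
        raise ValueError("trailing bytes after TPMT_PUBLIC")
    return pub


def tpm_name(buf):
    """Name = nameAlg || H_nameAlg(TPMT_PUBLIC); MakeCredential binds to this."""
    pub = parse_tpmt_public(buf)  # validate the encoding before hashing it
    return struct.pack(">H", pub["nameAlg"]) + DIGEST_FOR_ALG[pub["nameAlg"]](buf).digest()


def build_rsa_ek_public(modulus):
    """Constructed TPMT_PUBLIC shaped like the TCG default RSA-2048 EK template
    (attributes 0x000300B2, default EK policy digest, AES-128-CFB, NULL scheme)."""
    ek_policy = bytes.fromhex(
        "837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa")
    return (struct.pack(">HHI", TPM_ALG_RSA, TPM_ALG_SHA256, 0x000300B2)
            + struct.pack(">H", len(ek_policy)) + ek_policy
            + struct.pack(">HHH", TPM_ALG_AES, 128, TPM_ALG_CFB)
            + struct.pack(">H", TPM_ALG_NULL)
            + struct.pack(">HI", 2048, 0)
            + struct.pack(">H", len(modulus)) + modulus)


# Constructed stand-in for a 2048-bit modulus; a real vTPM returns the EK's here.
SAMPLE_MODULUS = hashlib.sha256(b"constructed sample modulus").digest() * 8


def demo():
    """Classify the handles from the thread and parse/name the constructed EK blob."""
    handles = {}
    for h in (TPM_RH_OWNER, TPM_RH_ENDORSEMENT, TPM_RH_EK, 0x81010001, 0x81010002):
        try:
            handles[h] = hierarchy_for_handle(h)
        except ValueError:
            handles[h] = "rejected"
    blob = build_rsa_ek_public(SAMPLE_MODULUS)
    return handles, parse_tpmt_public(blob), tpm_name(blob), hashlib.sha256(blob).digest()
```

Note that nothing inside a TPMT_PUBLIC says which primary seed it was derived from, which is why the thread is debating a GUID or a handle as the tag: the handle decoder above recovers the hierarchy from the tag, while the parser and Name computation only tell you what the public is, not where it came from.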
Thread overview: 48+ messages
2023-01-10 18:54 SVSM Attestation and vTPM specification additions - v0.60 Tom Lendacky
2023-01-10 19:37 ` Tom Lendacky
2023-01-10 19:40 ` Dionna Amalie Glaze
2023-01-10 21:03 ` Tom Lendacky
2023-01-10 22:14 ` James Bottomley
2023-01-10 22:45 ` Tom Lendacky
2023-01-10 23:52 ` James Bottomley
2023-01-11 9:15 ` Christophe de Dinechin Dupont de Dinechin
2023-01-10 20:29 ` James Bottomley
2023-01-10 20:37 ` James Bottomley
2023-01-10 21:33 ` Tom Lendacky
2023-01-10 21:32 ` Tom Lendacky
2023-01-10 21:47 ` James Bottomley
2023-01-10 23:00 ` Tom Lendacky
2023-01-10 23:09 ` James Bottomley
2023-01-11 14:49 ` Tom Lendacky
2023-01-11 14:56 ` James Bottomley [this message]
2023-01-10 23:14 ` James Bottomley
2023-01-11 16:39 ` Christophe de Dinechin
2023-01-11 23:00 ` Tom Lendacky
2023-01-12 1:27 ` [EXTERNAL] " Jon Lange
2023-01-13 16:10 ` Tom Lendacky
2023-01-12 13:57 ` James Bottomley
2023-01-12 15:13 ` Tom Lendacky
2023-01-12 15:24 ` James Bottomley
2023-01-13 16:12 ` Tom Lendacky
2023-01-12 8:19 ` Dov Murik
2023-01-12 12:18 ` James Bottomley
2023-01-13 16:16 ` Tom Lendacky
2023-01-13 11:50 ` Nicolai Stange
2023-01-13 17:20 ` Tom Lendacky
2023-01-24 9:35 ` Jörg Rödel
2023-01-26 14:36 ` Tom Lendacky
2023-01-26 16:45 ` Christophe de Dinechin Dupont de Dinechin
2023-02-01 10:50 ` Jörg Rödel
2023-02-20 15:10 ` Tom Lendacky
2023-01-24 9:45 ` Jörg Rödel
2023-01-26 14:51 ` Tom Lendacky
2023-01-26 16:49 ` Christophe de Dinechin Dupont de Dinechin
2023-01-26 17:33 ` [EXTERNAL] " Jon Lange
2023-01-27 8:35 ` Jörg Rödel
2023-01-27 16:11 ` Jon Lange
2023-01-30 11:29 ` Jörg Rödel
2023-01-31 4:44 ` Jon Lange
2023-01-31 15:06 ` Tom Lendacky
2023-01-31 15:34 ` Jon Lange
2023-02-01 15:20 ` [EXTERNAL] " Christophe de Dinechin Dupont de Dinechin
2023-02-02 6:04 ` Jon Lange