From: <Andreas.Fuchs@infineon.com>
To: <prestwoj@gmail.com>, <jarkko@kernel.org>, <tpm2@lists.linux.dev>
Subject: RE: TPM2_Sign vs TPM2_RSA_Decrypt
Date: Thu, 16 May 2024 14:14:18 +0000 [thread overview]
Message-ID: <4fdcc042a8f74b0e8e5d54a67a1c87e0@infineon.com> (raw)
In-Reply-To: <1107614a-a99d-4997-84f6-e18cc30f5a9a@gmail.com>
TPM2_EncryptDecrypt2 is for Symmetric encryption (i.e. AES) only.
I'd still recommend to go for TPM2_Sign().
Note also that switching may be hard later down the road, since the key usage flags are define during creation.
So backwards compatibility is nasty here.
Feel free to CC me.
I'll do what I can.
-----Original Message-----
From: James Prestwood <prestwoj@gmail.com>
Sent: Donnerstag, 16. Mai 2024 15:59
To: Jarkko Sakkinen <jarkko@kernel.org>; Fuchs Andreas (SMD C3 EMEA TM) <Andreas.Fuchs@infineon.com>; tpm2@lists.linux.dev
Subject: Re: TPM2_Sign vs TPM2_RSA_Decrypt
Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safe<https://intranet-content.infineon.com/explore/aboutinfineon/rules/informationsecurity/ug/SocialEngineering/Pages/SocialEngineeringElements_en.aspx>.
On 5/16/24 6:55 AM, Jarkko Sakkinen wrote:
> On Thu May 16, 2024 at 4:44 PM EEST, James Prestwood wrote:
>> To be honest I started with encrypt/decrypt and included the signing
>> operation because it was basically "free" by using
>> tpm2_rsa_decrypt(). I was not aware of this distinction/difference
>> between that and doing signing on the TPM itself. I don't think I
>> ever looked into the signing command on the TPM itself.
> My personal take: I'd start RSA with the working code and just clean
> up the parts for the first round. It is tested code and does the job,
> right? :-)
It was tested then yes, obviously need to verify that after 4 years :)
>
> Then we will weight the odds and cons in the review. That said, if you
> want to use TPM_Sign and TPM2_EncryptDecrypt(2) that is fine too, but
> not demand.
>
> As for ECDSA, it can be part of the patch set, or we can start just
> with the RSA part.
> Andreas, is it OK if the patch set is CC'd to you so you can give your
> feedback/remarks on it?
>
> BR, Jarkko
next prev parent reply other threads:[~2024-05-16 14:14 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-16 10:25 TPM2_Sign vs TPM2_RSA_Decrypt Jarkko Sakkinen
2024-05-16 12:01 ` Andreas.Fuchs
2024-05-16 12:51 ` Jarkko Sakkinen
2024-05-16 13:05 ` Andreas.Fuchs
2024-05-16 13:31 ` Jarkko Sakkinen
2024-05-16 13:33 ` Jarkko Sakkinen
2024-05-16 13:44 ` James Prestwood
2024-05-16 13:55 ` Jarkko Sakkinen
2024-05-16 13:59 ` James Prestwood
2024-05-16 14:14 ` Andreas.Fuchs [this message]
2024-05-16 15:20 ` Jarkko Sakkinen
2024-05-17 17:58 ` Jarkko Sakkinen
2024-05-16 15:18 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4fdcc042a8f74b0e8e5d54a67a1c87e0@infineon.com \
--to=andreas.fuchs@infineon.com \
--cc=jarkko@kernel.org \
--cc=prestwoj@gmail.com \
--cc=tpm2@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox