On Sun, Dec 07, 2025 at 07:32:10PM +0200, Jarkko Sakkinen wrote: > Extend TPMKey ASN.1 speciication [1] with an optional 'parentName' > attribute containing TPM name of the parent key (in other words, TPMT_HA > blob). > > The life-cycle for trusted keys will now proceed as follows: > > 1. Encode parent's name to the 'paretName' during tpm2_key_encode(). > 2. During tpm2_unseal_trusted, read parent's name from 'parentName'. When > the attribute is not available, fallback on doing tpm2_read_public(). > > In other words, in the common (i.e., not loading a legacy key blob), > tpm2_read_public() will now only happen at the time when a key is first > created. > > In addition, move tpm2_read_public() to 'tpm2-cmd.c' and make its body > unconditional so that the binary format of the saved keys is not dependent > on kernel configuration. > > [1] https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.txt > > Cc: [email protected] > Signed-off-by: Jarkko Sakkinen <[email protected]>
As an alternative workaround I think the following could be possibly done (I need to trial it first though): 1. Maintain a cache where a name gets added at the time of tpm2_seal_trusted(). It is from TPMT_HA to TPMT_HA mapping, mapping TPMT_HA of the key to the TPMT of the parent. 2. At thet time tpm2_unseal_trusted() retrieve name of thet parent from the cache. Capturing TPM2_CreatePrimary would be essentially duct taping the spec but I guess this could be more generally applicable. It neither addresses persistent keys nor secondary parent keys, which we *have to support*, as the kernel interface does. BR, Jarkko
