[openssl-dev cut; they're likely not interested in this]

On Wed, 2016-12-21 at 20:55 -0800, James Bottomley wrote:
> There's also another problem in that a primary asymmetric key of the
> SPS must be provisioned every time we perform this operation (which
> is time consuming and annoying). I think we need to do something
> about this under Linux, but I'll take that off the openssl list
> because they likely won't be interested.
I talked to Microsoft about what they do. Apparently there is an unpublished TPM 2.0 provisioning guide which specifies how the SRK should be handled, and a published one for the EK:

http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf

The SRK template is identical to the EK one except that

    userWithAuth = 1
    adminWithPolicy = 0
    noDA = 1
    authPolicy = empty policy

The persistent handles for these two are EK: 0x81010001; SRK: 0x81000001. Conventionally the SRK is provisioned with empty auth.

I think as part of our tpm2 take ownership, we should provision the owner and lockout auth and create these two primary objects if they don't already exist. That would mean I can get rid of the primary object stuff in my tpm2 engine code and simply look for the well known handle.

James

_______________________________________________
tpmdd-devel mailing list
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
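The mail describes the SRK template as the EK template with three attribute changes, and proposes that software simply check the well-known persistent handles instead of re-creating a primary key. The following is an added example, not code from the mail or from the tpm2 engine it mentions: it builds the TPMA_OBJECT attribute word for the EK profile from the standard bit positions (TPM 2.0 Library Part 2), derives the SRK attributes by applying exactly the changes listed above, and parses a TPM2_GetCapability(TPM_CAP_HANDLES) response to report whether the two handles are already provisioned. The response bytes are constructed in the example rather than read from a real TPM, and the EK's profile policy digest is left out since the mail does not reproduce it.

```python
import struct

# TPMA_OBJECT bit positions (TPM 2.0 Library Part 2, TPMA_OBJECT).
FIXED_TPM             = 1 << 1
FIXED_PARENT          = 1 << 4
SENSITIVE_DATA_ORIGIN = 1 << 5
USER_WITH_AUTH        = 1 << 6
ADMIN_WITH_POLICY     = 1 << 7
NO_DA                 = 1 << 10
RESTRICTED            = 1 << 16
DECRYPT               = 1 << 17

# Well-known persistent handles named in the mail.
EK_HANDLE  = 0x81010001
SRK_HANDLE = 0x81000001
TPM_HT_PERSISTENT = 0x81  # handle type in the top byte of a persistent handle

# EK profile attributes: fixedTPM | fixedParent | sensitiveDataOrigin |
# adminWithPolicy | restricted | decrypt. The EK's authPolicy digest from
# the credential profile is not reproduced here.
EK_ATTRS = (FIXED_TPM | FIXED_PARENT | SENSITIVE_DATA_ORIGIN
            | ADMIN_WITH_POLICY | RESTRICTED | DECRYPT)

# SRK authPolicy per the mail: empty policy (no policy session needed).
SRK_AUTH_POLICY = b""


def srk_attrs_from_ek(ek_attrs):
    """Apply the three changes the mail lists to the EK attribute word:
    adminWithPolicy cleared, userWithAuth set, noDA set."""
    attrs = ek_attrs & ~ADMIN_WITH_POLICY
    attrs |= USER_WITH_AUTH | NO_DA
    return attrs


# TPM2_GetCapability response layout (TPM 2.0 Library Part 3, all big-endian):
#   tag(UINT16) responseSize(UINT32) responseCode(UINT32)
#   moreData(TPMI_YES_NO, 1 byte) capability(UINT32)
#   TPML_HANDLE: count(UINT32) handle[count](UINT32)
TPM_ST_NO_SESSIONS = 0x8001
TPM_RC_SUCCESS     = 0x00000000
TPM_CAP_HANDLES    = 0x00000000
_HDR = ">HII"
_HDR_LEN = struct.calcsize(_HDR)          # 10
_CAP = ">BII"
_CAP_LEN = struct.calcsize(_CAP)          # 9


def build_getcap_handles_response(handles, more_data=False):
    """Construct a GetCapability(TPM_CAP_HANDLES) response for testing offline;
    a real TPM would produce the same layout over /dev/tpm0 or a resource manager."""
    body = struct.pack(_CAP, 1 if more_data else 0, TPM_CAP_HANDLES, len(handles))
    body += b"".join(struct.pack(">I", h) for h in handles)
    return struct.pack(_HDR, TPM_ST_NO_SESSIONS, _HDR_LEN + len(body), TPM_RC_SUCCESS) + body


def parse_getcap_handles_response(resp):
    """Return (more_data, [handles]) from a TPM_CAP_HANDLES response,
    rejecting malformed or failed responses instead of guessing."""
    if len(resp) < _HDR_LEN + _CAP_LEN:
        raise ValueError("response too short")
    tag, size, rc = struct.unpack_from(_HDR, resp, 0)
    if size != len(resp):
        raise ValueError("responseSize %d does not match buffer length %d" % (size, len(resp)))
    if rc != TPM_RC_SUCCESS:
        raise ValueError("TPM returned response code 0x%08x" % rc)
    more, cap, count = struct.unpack_from(_CAP, resp, _HDR_LEN)
    if cap != TPM_CAP_HANDLES:
        raise ValueError("unexpected capability 0x%08x" % cap)
    if _HDR_LEN + _CAP_LEN + 4 * count != len(resp):
        raise ValueError("handle count %d disagrees with buffer length" % count)
    handles = list(struct.unpack_from(">%dI" % count, resp, _HDR_LEN + _CAP_LEN))
    return bool(more), handles


def provisioning_status(resp):
    """Report whether the well-known EK and SRK persistent handles are present.
    more_data=True means the TPM has further handles beyond this page and the
    caller must query again starting after the last handle before concluding."""
    more, handles = parse_getcap_handles_response(resp)
    return {"ek": EK_HANDLE in handles, "srk": SRK_HANDLE in handles, "more_data": more}


if __name__ == "__main__":
    print("EK  attrs: 0x%08x" % EK_ATTRS)
    print("SRK attrs: 0x%08x" % srk_attrs_from_ek(EK_ATTRS))
    # Constructed sample: a TPM that already holds both objects.
    sample = build_getcap_handles_response([SRK_HANDLE, EK_HANDLE])
    print(provisioning_status(sample))
```

The attribute words this produces (0x000300B2 for the EK profile, 0x00030472 for the SRK) are the values a practitioner will see when dumping these objects' public areas, which makes the derivation a quick sanity check that a provisioned SRK really matches the convention the mail describes. The `more_data` flag matters in practice: a TPM with many persistent objects may page the handle list, so "handle not in this page" is not the same as "handle not provisioned".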
