At a high level: - You only need a migratable key if you plan to ever copy it somewhere else. Examples are key backup, redundant servers. Otherwise, a non-migratable key is OK.
- You need a legacy key if the key also has to sign. For example, do you have to sign the certificate request? - I've never used the "legacy key doesn't need a bound data structure", but your interpretation seems correct. - Seal is different, because you can only seal to a non-migratable key. There are markers in the blob that ensure it was created on the same TPM. You can also authorize the sealed data as well as the parent. Bind has no such protections, so it is done outside the TPM. ~~ Shameless plug: I recommend using a software TPM for application development, because debug is far easier. I don't know Trunks, but Trousers supports this model. http://sourceforge.net/projects/ibmswtpm/ On 7/18/2014 11:18 AM, Johnson, Douglas wrote: > I’m developing software for a daughter card that contains a TPM and a > FPGA. The FPGA will create a soft processor (Altera NIOS) without any > OS running. I’m planning on using Trunks to send and receive the TPM > commands. Here’s what I would like to do. > > 1. Use the TPM to generate a RSA 2048 keypair. > > 2. Extract the public key and send it to a CA to create a x509 > certificate for my device. > > 3. Exchange certificates with an application on a server. > > 4. Receive from that application a message encrypted with my > device’s RSA public key using PKCS#1 v1.5 padding. The encryption will > not be done with a TPM. > > 5. Use the TPM to decrypt the message using a TPM_ORD_UnBind > command and the device’s private RSA key. > > I’ve read the TCG documents, ‘A Practical Guide to Trusted Computing’ > and some google searches. Based on that I think that I need to create a > migratable RSA 2048 legacy key. Does this sound right? My investigate > says that if UnBinding using a Legacy key then no TPM_BOUND_DATA > structure is expected. Also, I see commands for Seal, Unseal, Unbind, > but I don’t see a Bind command. Am I missing it somewhere? ------------------------------------------------------------------------------ Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds _______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
