mirror of
https://github.com/tpm2dev/tpm.dev.tutorials.git
synced 2024-11-10 01:12:10 +00:00
WIP
This commit is contained in:
parent
63f5e96b0f
commit
ca4b14f5a2
1 changed files with 5 additions and 5 deletions
|
@ -52,8 +52,7 @@ TPMs have a very rich set of options for authorization. It's not just
|
||||||
restricted keys to allow access only to applications that also have
|
restricted keys to allow access only to applications that also have
|
||||||
other access.
|
other access.
|
||||||
|
|
||||||
Where to start? Let's start with hash extension, which may be the only
|
Where to start? Let's start with hash extension.
|
||||||
trivial concept in the world of TPMs!
|
|
||||||
|
|
||||||
## Hash Extension
|
## Hash Extension
|
||||||
|
|
||||||
|
@ -282,8 +281,8 @@ the platform's, and even the platform's user(s)' identities.
|
||||||
|
|
||||||
## Key Wrapping
|
## Key Wrapping
|
||||||
|
|
||||||
The primary key is always a decrypt-only asymmetric private key, and its
|
The primary key is generally a decrypt-only asymmetric private key, and
|
||||||
corresponding public key is therefore encrypt-only. This is largely
|
its corresponding public key is therefore encrypt-only. This is largely
|
||||||
because of _key wrapping_, where a secret or private key is encrypted to
|
because of _key wrapping_, where a secret or private key is encrypted to
|
||||||
a TPM's EKpub so that it can be safely sent to that TPM so that that TPM
|
a TPM's EKpub so that it can be safely sent to that TPM so that that TPM
|
||||||
can then decrypt and use that secret.
|
can then decrypt and use that secret.
|
||||||
|
@ -455,7 +454,8 @@ An unrestricted signing key can be used to sign arbitrary content.
|
||||||
|
|
||||||
A restricted signing key can be used to sign only TPM-generated content
|
A restricted signing key can be used to sign only TPM-generated content
|
||||||
as part of specific TPM restricted signing commands. Such content
|
as part of specific TPM restricted signing commands. Such content
|
||||||
always begins with a magic byte sequence.
|
always begins with a magic byte sequence, and the TPM refuses to sign
|
||||||
|
externally generated content that starts with that magic byte sequence.
|
||||||
|
|
||||||
A restricted decryption key can only be used to decrypt ciphertexts
|
A restricted decryption key can only be used to decrypt ciphertexts
|
||||||
whose plaintexts have a certain structure. In particular these are used
|
whose plaintexts have a certain structure. In particular these are used
|
||||||
|
|
Loading…
Reference in a new issue