mirror of
https://github.com/tpm2dev/tpm.dev.tutorials.git
synced 2024-11-24 06:42:11 +00:00
WIP
This commit is contained in:
parent
63f5e96b0f
commit
ca4b14f5a2
1 changed files with 5 additions and 5 deletions
|
@ -52,8 +52,7 @@ TPMs have a very rich set of options for authorization. It's not just
|
|||
restricted keys to allow access only to applications that also have
|
||||
other access.
|
||||
|
||||
Where to start? Let's start with hash extension, which may be the only
|
||||
trivial concept in the world of TPMs!
|
||||
Where to start? Let's start with hash extension.
|
||||
|
||||
## Hash Extension
|
||||
|
||||
|
@ -282,8 +281,8 @@ the platform's, and even the platform's user(s)' identities.
|
|||
|
||||
## Key Wrapping
|
||||
|
||||
The primary key is always a decrypt-only asymmetric private key, and its
|
||||
corresponding public key is therefore encrypt-only. This is largely
|
||||
The primary key is generally a decrypt-only asymmetric private key, and
|
||||
its corresponding public key is therefore encrypt-only. This is largely
|
||||
because of _key wrapping_, where a secret or private key is encrypted to
|
||||
a TPM's EKpub so that it can be safely sent to that TPM so that that TPM
|
||||
can then decrypt and use that secret.
|
||||
|
@ -455,7 +454,8 @@ An unrestricted signing key can be used to sign arbitrary content.
|
|||
|
||||
A restricted signing key can be used to sign only TPM-generated content
|
||||
as part of specific TPM restricted signing commands. Such content
|
||||
always begins with a magic byte sequence.
|
||||
always begins with a magic byte sequence, and the TPM refuses to sign
|
||||
externally generated content that starts with that magic byte sequence.
|
||||
|
||||
A restricted decryption key can only be used to decrypt ciphertexts
|
||||
whose plaintexts have a certain structure. In particular these are used
|
||||
|
|
Loading…
Reference in a new issue