From eca6a3b7d60df602c16000cb281b2f119e92cb4a Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Tue, 18 May 2021 17:19:17 -0500 Subject: [PATCH] WIP --- Intro/README.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/Intro/README.md b/Intro/README.md index 4329f23..d3efdd0 100644 --- a/Intro/README.md +++ b/Intro/README.md @@ -346,6 +346,11 @@ used to authenticate the TPM's legitimacy. The EK's public key ("EKpub") can be used to uniquely identify a TPM, and possibly link to the platform's, and even the platform's user(s)' identities. +The `TPM2_CreatePrimary()` and `TPM2_CreateLoaded()` commands create key +objects deterministically from the hierarchy's seed and the "template" +used to create the key (which includes a "unique" area that provides +"entropy" to the key derivation function). + ## Key Wrapping and Resource Management Key wrapping is encrypting a secret or private key (key encryotion key, @@ -395,11 +400,17 @@ needed. Because primary keys (for any hierarchy other than the null hierarchy) are derived deterministically from a built-in and protected seed, and from a template, they are persistent even when not moved to NV storage -and even when not saved. +and even when not saved as long as the hierarchy's seed is not reset. + +(Resetting the endorsement hierarchy seed is a very dramatic action, as +it changes the EK/EKpub and renders any provisioned EKcert useless. +Resetting the storage hierarchy seed is much less dramatic. The NULL +hierarchy is reset every time the TPM resets.) PCRs always persist, but they get reset on restart. -NV indexes always persist. +NV indexes always persist. (But in disorderly resets/shutdowns a +hybrid NV index may not be sync'ed to NV.) ## Non-Volatile (NV) Indexes
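Review bot: In the first hunk (the added `TPM2_CreatePrimary()` / `TPM2_CreateLoaded()` paragraph), the claim that both commands create keys "deterministically from the hierarchy's seed" only holds for `TPM2_CreateLoaded()` when its parent handle is a hierarchy handle (i.e. when it is creating a primary); with an ordinary storage parent it creates a child key from fresh TPM entropy, and with a derivation parent it derives from that parent's secret, not the hierarchy seed. Suggest qualifying it, e.g. "`TPM2_CreatePrimary()` (and `TPM2_CreateLoaded()` when given a hierarchy handle as the parent) create primary key objects deterministically from the hierarchy's seed and the template". Also, since this hunk touches the paragraph right below, the pre-existing typo in the trailing context line "(key encryotion key," could be fixed to "key encryption key" in the same change.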
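Review bot: In the second hunk, the new parenthetical on resetting hierarchy seeds would be more useful if it named the operations involved and stated the consequence of a storage-seed reset rather than only calling it "much less dramatic": the endorsement primary seed is changed by `TPM2_ChangeEPS()`, the storage primary seed by `TPM2_Clear()`, and either makes every key (and every sealed blob or saved context) under that hierarchy permanently unrecoverable, which is worth saying explicitly alongside "renders any provisioned EKcert useless". Likewise the new NV line "(But in disorderly resets/shutdowns a hybrid NV index may not be sync'ed to NV.)" should say what a hybrid index is and when it is written, e.g. "an index created with the `TPMA_NV_ORDERLY` attribute is held in RAM and written to NV only on an orderly `TPM2_Shutdown()`, so its contents can be lost on a disorderly reset", so the reader knows the attribute that triggers the caveat.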