tpm.dev.tutorials/Attestation/TPM2_ActivateCredential.md
2021-04-30 11:29:55 -05:00

1.6 KiB

TPM2_ActivateCredential()

TPM2_ActivateCredential() decrypts a ciphertext made by TPM2_MakeCredential() and checks that the caller has access to the object named by the caller of TPM2_MakeCredential(), and if so then TPM2_ActivateCredential() outputs the small secret provided by the caller of TPM2_MakeCredential(), otherwise TPM2_ActivateCredential() fails.

Together with TPM2_MakeCredential(), this function can be used to implement attestation protocols.

Inputs

  • TPMI_DH_OBJECT activateHandle (e.g., handle for an AK)
  • TPMI_DH_OBJECT keyHandle (e.g., handle for an EK corresponding to the EKpub encrypted to by TPM2_MakeCredential())
  • TPM2B_ID_OBJECT credentialBlob (output of TPM2_MakeCredential())
  • TPM2B_ENCRYPTED_SECRET secret (output of TPM2_MakeCredential())

Outputs (success case)

  • TPM2B_DIGEST certInfo (not necessarily a digest, but a small [digest-sized] secret that was input to TPM2_MakeCredential())

References