fmaury/tpm.dev.tutorials
1
0
Fork 0
mirror of https://github.com/tpm2dev/tpm.dev.tutorials.git synced 2024-09-19 20:32:11 +00:00
Code Issues Projects Releases Packages Wiki Activity
tpm.dev.tutorials/Attestation/Decrypt-only-EK.md
Nico Williams 8aefd1c7ba Initial attestation tutorial
2021-04-28 21:42:43 -05:00

873 B
Raw Blame History

Endorsement Keys are (Generally) Decrypt-Only

All TPMs (2.0) must have decrypt-only Endorsement Keys (EKs).

Some TPMs may have signing-only EKs. E.g., Google cloud vTPMs have signing-only EKs as well as decrypt-only EKs.

Somehow one must make do with decrypt-only EKs to authenticate a TPM. The obvious answer is to make the TPM prove possession of an EK by sending a challenge encrypted to the EK's public key (EKpub).

This is what TPM2_MakeCredential() (encrypt) and TPM2_ActivateCredential() (decrypt) are all about, except that they add some structure to the plaintext and semantics to the decryption function.

See README for details of how TPM2_MakeCredential() and TPM2_ActivateCredential() are used in attestation protocols.