mirror of
https://github.com/tpm2dev/tpm.dev.tutorials.git
synced 2024-11-05 15:12:10 +00:00
# Endorsement Keys are (Generally) Decrypt-Only

All TPM 2.0 devices must have a decrypt-only Endorsement Key (EK).

Some TPMs may also have signing-only EKs; e.g., Google Cloud vTPMs have signing-only EKs in addition to decrypt-only EKs.

Since only the decrypt-only EK can be relied on, one must somehow make do with it to authenticate a TPM. The obvious answer is to make the TPM prove possession of an EK by sending it a challenge encrypted to the EK's public key (EKpub).
This is what `TPM2_MakeCredential()` (encrypt) and `TPM2_ActivateCredential()` (decrypt) are all about, except that they add some structure to the plaintext and semantics to the decryption function.

See README for details of how `TPM2_MakeCredential()` and `TPM2_ActivateCredential()` are used in attestation protocols.
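The encrypt/decrypt pair described above, worked through as an added Go example that is not part of this tutorial or of any TPM library. It models the TPM 2.0 credential-protection construction: a random seed is wrapped to EKpub with RSA-OAEP under the label "IDENTITY", KDFa derives an AES-CFB key and an HMAC key from that seed, and the name of the key being certified is mixed into the key derivation and the HMAC. That is the "structure" and "semantics" the page refers to: the challenge is released only if the key named at `TPM2_MakeCredential()` time is the one presented at `TPM2_ActivateCredential()` time. The RSA key, the "public area" bytes, the key names and the challenge are all constructed for the example; on a real TPM the activate step runs inside the chip and the EK private half never leaves it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// kdfa models TPM 2.0 KDFa (SP800-108 counter mode over HMAC-SHA256) and returns bits/8 bytes.
func kdfa(key []byte, label string, contextU, contextV []byte, bits int) []byte {
	var out []byte
	for counter := uint32(1); len(out) < bits/8; counter++ {
		mac := hmac.New(sha256.New, key)
		binary.Write(mac, binary.BigEndian, counter)
		mac.Write(append([]byte(label), 0)) // KDFa labels are null-terminated
		mac.Write(contextU)
		mac.Write(contextV)
		binary.Write(mac, binary.BigEndian, uint32(bits))
		out = mac.Sum(out)
	}
	return out[:bits/8]
}

// integrityTag is HMAC(KDFa(seed, "INTEGRITY"), encIdentity || name): it ties the encrypted challenge to one key name.
func integrityTag(seed, enc, name []byte) []byte {
	mac := hmac.New(sha256.New, kdfa(seed, "INTEGRITY", nil, nil, 256))
	mac.Write(enc)
	mac.Write(name)
	return mac.Sum(nil)
}

// keyName models a TPM name: TPM_ALG_SHA256 (0x000B) followed by the digest of a (constructed) public area.
func keyName(publicArea []byte) []byte {
	h := sha256.Sum256(publicArea)
	return append([]byte{0x00, 0x0b}, h[:]...)
}

// makeCredential is the verifier side (TPM2_MakeCredential); it needs only EKpub.
// It returns the protected blob (HMAC tag || AES-128-CFB(size-prefixed challenge)) and the wrapped seed.
func makeCredential(ekPub *rsa.PublicKey, name, challenge []byte) (encIdentity, secret []byte, err error) {
	seed := make([]byte, sha256.Size)
	if _, err := rand.Read(seed); err != nil {
		return nil, nil, err
	}
	secret, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, ekPub, seed, []byte("IDENTITY\x00"))
	if err != nil {
		return nil, nil, err
	}
	// The symmetric key is derived with the certified key's name as context: this binds the credential to that key.
	blk, _ := aes.NewCipher(kdfa(seed, "STORAGE", name, nil, 128)) // 16-byte key from kdfa, cannot fail
	plain := append([]byte{byte(len(challenge) >> 8), byte(len(challenge))}, challenge...)
	enc := make([]byte, len(plain))
	cipher.NewCFBEncrypter(blk, make([]byte, aes.BlockSize)).XORKeyStream(enc, plain)
	return append(integrityTag(seed, enc, name), enc...), secret, nil
}

// activateCredential is the TPM side (TPM2_ActivateCredential): the EK private key recovers the seed,
// but the challenge is released only if the name of the loaded key matches the one used at make time.
func activateCredential(ekPriv *rsa.PrivateKey, name, encIdentity, secret []byte) ([]byte, error) {
	seed, err := rsa.DecryptOAEP(sha256.New(), nil, ekPriv, secret, []byte("IDENTITY\x00"))
	if err != nil {
		return nil, err
	}
	if len(encIdentity) < sha256.Size+2 {
		return nil, errors.New("credential blob too short")
	}
	tag, enc := encIdentity[:sha256.Size], encIdentity[sha256.Size:]
	if !hmac.Equal(tag, integrityTag(seed, enc, name)) {
		return nil, errors.New("integrity check failed: credential is not bound to this key name")
	}
	blk, _ := aes.NewCipher(kdfa(seed, "STORAGE", name, nil, 128))
	plain := make([]byte, len(enc))
	cipher.NewCFBDecrypter(blk, make([]byte, aes.BlockSize)).XORKeyStream(plain, enc)
	if n := int(plain[0])<<8 | int(plain[1]); n != len(plain)-2 {
		return nil, errors.New("malformed credential")
	}
	return plain[2:], nil
}

// roundTrip runs one exchange with a constructed EK and reports whether the right key name
// recovers the challenge and whether a different key name is rejected.
func roundTrip() (recovered, wrongNameRejected bool, err error) {
	ek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	akName := keyName([]byte("constructed AK public area"))
	challenge := []byte("constructed challenge nonce")
	encID, secret, err := makeCredential(&ek.PublicKey, akName, challenge)
	if err != nil {
		return false, false, err
	}
	got, err := activateCredential(ek, akName, encID, secret)
	_, rejectErr := activateCredential(ek, keyName([]byte("some other key")), encID, secret)
	return err == nil && string(got) == string(challenge), rejectErr != nil, nil
}
```

The rejection path is the point: a TPM that holds the EK can always recover the seed, but because the name is an input to both the HMAC and the key derivation, a credential made for one attestation key cannot be activated under another, so a successfully returned challenge proves that the named key lives under that EK on that TPM.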