
Key templates and on disk format

Andreas Fuchs edited this page Oct 5, 2018 · 3 revisions

Engine parameters

  • -inkey
    • Mapped to keyId inside the engine
    • Parameter parses as a hex number with 0x81 as the high byte (a TPM persistent handle): use that key [tpm2-engine ???, tpm2-tss-engine tbd]
    • Parameter parses as a filename and the file exists: load the key from that file [tpm2-engine yes, tpm2-tss-engine yes]

Parent keys

  • A parent key can be specified during creation as a parameter
    • Parameter parses as a hex number with 0x81 as the high byte (a TPM persistent handle): use that key as parent [tpm2-engine yes, tpm2-tss-engine tbd]
    • Parameter parses as a filename and the file exists: use the key in that file as parent [tpm2-engine ???, tpm2-tss-engine no]
  • If no parent is specified, a default parent is selected:
    • Parent key is 0x81000001 if it exists [tss2-engine yes, tpm2-tss-engine tbd]
    • Otherwise the parent key is created as follows:
      • Primary Key under the storage hierarchy [tss2-engine yes, tpm2-tss-engine yes]
      • inSensitive.data.size = 0 [tss2-engine ???, tpm2-tss-engine yes]
      • inSensitive.userAuth.size = 0 [tss2-engine ???, tpm2-tss-engine yes]
      • outsideInfo.size = 0 [tss2-engine ???, tpm2-tss-engine yes]
      • creationPCR.size = 0 [tss2-engine ???, tpm2-tss-engine yes]
      • publicArea:
        • .type = TPM2_ALG_ECC, .nameAlg = TPM2_ALG_SHA256 [tss2-engine ???, tpm2-tss-engine yes]
        • .objectAttributes = (TPMA_OBJECT_USERWITHAUTH | TPMA_OBJECT_RESTRICTED | TPMA_OBJECT_DECRYPT | TPMA_OBJECT_FIXEDTPM | TPMA_OBJECT_FIXEDPARENT | TPMA_OBJECT_SENSITIVEDATAORIGIN) [tss2-engine ???, tpm2-tss-engine yes]
        • .authPolicy.size = 0 [tss2-engine ???, tpm2-tss-engine yes]
        • .parameters.eccDetail:
          • .symmetric = { .algorithm = TPM2_ALG_AES, .keyBits.aes = 128, .mode.aes = TPM2_ALG_CFB } [tss2-engine ???, tpm2-tss-engine yes]
          • .scheme = { .scheme = TPM2_ALG_NULL, .details = {} } [tss2-engine ???, tpm2-tss-engine yes]
          • .curveID = TPM2_ECC_NIST_P256 [tss2-engine ???, tpm2-tss-engine yes]
          • .kdf = { .scheme = TPM2_ALG_NULL, .details = {} } [tss2-engine ???, tpm2-tss-engine yes]
        • .unique.ecc.x.size = 0, .unique.ecc.y.size = 0 [tss2-engine ???, tpm2-tss-engine yes]

On-Disk Format

  • TPMKey ::= SEQUENCE {
    • type OBJECT IDENTIFIER
      • OID=???.???.??? [tss2-engine yes, tpm2-tss-engine tbd]
    • emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL
      • Flags an empty authValue, i.e. is no auth value required for the key? [tss2-engine yes, tpm2-tss-engine tbd]
    • parent [1] EXPLICIT INTEGER OPTIONAL
      • Only 0x81-prefixed handles of TPM-persistent parent keys, or all kinds of keys? ??? [tss2-engine ???, tpm2-tss-engine no]
    • pubkey [2] EXPLICIT OCTET STRING OPTIONAL
      • TPM2B_PUBLIC marshalled according to TPM spec [tss2-engine ???, tpm2-tss-engine yes]
    • policy [3] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL
      • Will not be supported by tpm2-tss-engine at the moment, in favour of FAPI-based keys [tss2-engine yes, tpm2-tss-engine no]
    • privkey OCTET STRING
      • TPM2B_PRIVATE marshalled according to TPM spec [tss2-engine ???, tpm2-tss-engine yes]
  • }
  • tss2-engine only:
TPMPolicy ::= SEQUENCE {
        CommandCode             [0] EXPLICIT INTEGER
        CommandPolicy           [1] EXPLICIT OCTET STRING
        /* Ken's policymaker format */
}
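
As an added example that is not part of this wiki page or of either engine's code, the following Python encodes and decodes the TPMKey SEQUENCE above with the fields tpm2-tss-engine uses (type, emptyAuth, parent, pubkey, privkey); a policy [3] element is rejected as out-of-schema, matching the "not supported" note. Two things are assumptions: the OID 2.999.10.1 is a dummy under the ITU-T example arc, because the page leaves the real type OID open, and the pubkey/privkey payloads are constructed placeholder bytes rather than marshalled TPM2B_PUBLIC/TPM2B_PRIVATE blobs. The decoder enforces the DER strictness a key loader should have (minimal lengths, DER-only BOOLEAN, fields in declared order and at most once, mandatory privkey, no trailing bytes), and `is_persistent_handle` is the "0x81 as high byte" check from the parent-key section, kept separate from the parser because the page leaves open whether non-persistent parents are allowed.

```python
"""Added example, not tpm2-tss-engine code: DER encoder/decoder for the TPMKey SEQUENCE above."""
from dataclasses import dataclass
from typing import Optional, Tuple
SEQUENCE, BOOLEAN, INTEGER, OCTET_STRING, OID = 0x30, 0x01, 0x02, 0x04, 0x06
EMPTY_AUTH, PARENT, PUBKEY = 0xA0, 0xA1, 0xA2  # EXPLICIT [0]..[2]: constructed, context-specific tags

def tlv(tag: int, body: bytes) -> bytes:
    n, k = len(body), (len(body).bit_length() + 7) // 8  # k: bytes needed for a long-form length
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + ln + body

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:  # -> (tag, body, next_pos)
    tag, length = buf[pos:pos + 2]  # ValueError if the header is truncated
    pos += 2
    if length >= 0x80:  # long form: reject indefinite, oversized, truncated or non-minimal lengths
        n = length & 0x7F
        ln, pos = buf[pos:pos + n], pos + n
        length = int.from_bytes(ln, "big")
        if not 1 <= n <= 4 or len(ln) != n or ln[0] == 0 or length < 0x80:
            raise ValueError("bad long-form length")
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted: str) -> bytes:
    a = [int(x) for x in dotted.split(".")]
    out = b""
    for v in [40 * a[0] + a[1]] + a[2:]:  # base-128 per arc, continuation bit on all but the last byte
        chunk = [v & 0x7F]
        while v := v >> 7:
            chunk.insert(0, 0x80 | (v & 0x7F))
        out += bytes(chunk)
    return tlv(OID, out)

def decode_oid(body: bytes) -> str:
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = arcs.pop(0)
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + arcs))

def is_persistent_handle(handle: int) -> bool:
    return handle >> 24 == 0x81  # the page's "0x81 prefixed" rule for TPM persistent handles

@dataclass
class TPMKey:
    type_oid: str
    empty_auth: Optional[bool] = None
    parent: Optional[int] = None
    pubkey: Optional[bytes] = None
    privkey: bytes = b""

def encode_tpmkey(key: TPMKey) -> bytes:
    body = encode_oid(key.type_oid)
    if key.empty_auth is not None:
        body += tlv(EMPTY_AUTH, tlv(BOOLEAN, b"\xff" if key.empty_auth else b"\x00"))
    if key.parent is not None:  # one spare bit, so 0x81000001 gets a leading 0x00 and stays positive
        body += tlv(PARENT, tlv(INTEGER, key.parent.to_bytes((key.parent.bit_length() + 8) // 8, "big")))
    if key.pubkey is not None:
        body += tlv(PUBKEY, tlv(OCTET_STRING, key.pubkey))
    return tlv(SEQUENCE, body + tlv(OCTET_STRING, key.privkey))  # policy [3] is not emitted

def decode_tpmkey(der: bytes) -> TPMKey:
    tag, seq, end = read_tlv(der, 0)
    oid_tag, body, pos = read_tlv(seq, 0)
    if tag != SEQUENCE or end != len(der) or oid_tag != OID:
        raise ValueError("expected one TPMKey SEQUENCE starting with the type OID")
    key = TPMKey(type_oid=decode_oid(body))
    # fields in declared order, each OPTIONAL at most once; policy [3] (tss2-engine only) is rejected
    remaining = [EMPTY_AUTH, PARENT, PUBKEY, OCTET_STRING]
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag not in remaining:
            raise ValueError(f"unexpected, duplicate or out-of-order tag 0x{tag:02x}")
        remaining = remaining[remaining.index(tag) + 1:]
        if tag == OCTET_STRING:
            key.privkey = body
            continue
        inner_tag, inner, inner_end = read_tlv(body, 0)
        ok = inner_end == len(body)  # an EXPLICIT wrapper holds exactly one element
        if ok and tag == EMPTY_AUTH and inner_tag == BOOLEAN and inner in (b"\x00", b"\xff"):
            key.empty_auth = inner == b"\xff"  # DER BOOLEAN only: the BER value 0x01 is rejected
        elif ok and tag == PARENT and inner_tag == INTEGER:
            key.parent = int.from_bytes(inner, "big", signed=True)
        elif ok and tag == PUBKEY and inner_tag == OCTET_STRING:
            key.pubkey = inner
        else:
            raise ValueError(f"bad content in EXPLICIT [{tag & 0x0F}]")
    if OCTET_STRING in remaining:
        raise ValueError("mandatory privkey missing")
    return key

# 2.999.* is the ITU-T example OID arc (the page leaves the real type OID open); blobs are placeholders
SAMPLE = TPMKey("2.999.10.1", True, 0x81000001, b"placeholder TPM2B_PUBLIC", b"placeholder TPM2B_PRIVATE")
```

`encode_tpmkey(SAMPLE)` produces a 77-byte DER blob that `decode_tpmkey` turns back into an equal `TPMKey`; a real loader would then hand `pubkey` and `privkey` to TPM2_Load under the parent handle. Whether to refuse a `parent` for which `is_persistent_handle` is false is exactly the open question in the parent field's note above, so the parser reports the value and leaves that policy decision to the caller.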

Default key parameters

tbd
