[svsm-devel] vTPM service attestation format update
James Bottomley
James.Bottomley at HansenPartnership.com
Fri Feb 21 17:51:33 CET 2025
On Fri, 2025-02-21 at 08:33 -0800, Dionna Amalie Glaze wrote:
> > However, the last sentence about make/activate credential makes me
> > think you're being too traditional about this.
>
> If instead we use TPM2_CreatePrimary with a public key template that
> has its bit 18 set in objectAttributes and use the EK handle for
> TPM2_Quote, then there's a great deal to change in user space.
> tpm2_createek doesn't give this as an option for example. Is adding a
> --non-anonymous-ak (or some such) to the TSS for EK creation part of
> your plan?
Well, I don't use the Intel tools, so I'm not much of an expert there.
However, assuming it's similar to the IBM TSS you don't use createek
(because it's mostly used for TPM resident certificates) you use
tsscreateprimary with -sir as the option instead of -st which tells it
to create the primary signing key instead of the storage one (and you
usually don't bother with the policy).
Since the validation tools for the kernel are now using
attest_tpm2_primary from openssl_tpm2_engine, you can also use that (it
does everything internally and doesn't need you to use the tss
primitives):
attest_tpm2_primary --eksign
Will construct the name of the signing EK which you can save to a file.
Then you use that file to do certifications:
attest_tpm2_primary --certify null --name <eksign name file> /sys/class/tpm/tpm0/null_name
To certify the null storage primary the kernel used (although you can
also get it to certify the storage primary, which is probably what
you'd want).
Regards,
James
More information about the Svsm-devel
mailing list