Commit b36f792

Merge pull request #361 from dgarske/idevid
Fixes for latest ST33KTPM IAK/IDevID provisioning
2 parents 4b0e42c + dc2b91d commit b36f792

2 files changed

+27
-8
lines changed

README.md

Lines changed: 8 additions & 0 deletions
@@ -823,6 +823,14 @@ Connection: close
823823
</html>
824824
```
825825

826+
## Device Identity and Attestation Keys
827+
828+
The TCG published a specification for TPM manufacture guidance on setting up keys that can be used for device identiy and attestation.
829+
830+
This feature has been tested with the ST33KTPM and is enabled with `WOLFTPM_MFG_IDENTITY`. The ST33KTPM samples are provisioned with a default master password enabled with `TEST_SAMPLE`. To define your own master password use `TPM2_IAK_SAMPLE_MASTER_PASSWORD`. The master password is hashed along with the device serial number to produce authentication for accessing these keys.
831+
832+
The default keys are ECDSA SECP384R1 with SHA2-384 and stored in NV Index defined by `TPM2_IAK_KEY_HANDLE`, `TPM2_IAK_CERT_HANDLE`, `TPM2_IDEVID_KEY_HANDLE` and `TPM2_IDEVID_CERT_HANDLE`.
833+
826834

827835
### TPM Endorsement Key Certificates
828836
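Review bot: The added paragraph at README line 832 says the keys are "stored in NV Index" for all four handles, but the key handles defined in wolftpm/tpm2_wrap.h (0x81020001, 0x81020000) are persistent object handles and only the two certificate handles are NV indexes. Suggest wording it as keys at the persistent handles `TPM2_IAK_KEY_HANDLE` and `TPM2_IDEVID_KEY_HANDLE`, certificates in the NV indexes `TPM2_IAK_CERT_HANDLE` and `TPM2_IDEVID_CERT_HANDLE`. Line 828 has a typo ("identiy") and refers to a TCG specification without naming it. Line 830 would be clearer if it said whether the `TEST_SAMPLE` default master password applies only to sample parts and how `TPM2_IAK_SAMPLE_MASTER_PASSWORD` is expected to be supplied at build time.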

wolftpm/tpm2_wrap.h

Lines changed: 19 additions & 8 deletions
@@ -3756,16 +3756,27 @@ WOLFTPM_API int wolfTPM2_PolicyAuthValue(WOLFTPM2_DEV* dev,
37563756

37573757

37583758

3759-
/* pre-provisioned IAK and IDevID key/cert from TPM vendor */
3759+
/* Pre-provisioned IAK and IDevID key/cert from TPM vendor */
3760+
/* Tested with ST33KTPM devices */
3761+
/* Default assumes: ECDSA SECP384R1, SHA2-384 */
37603762
#ifdef WOLFTPM_MFG_IDENTITY
37613763

3762-
/* Initial attestation key (IAK) and an initial device ID (IDevID) */
3763-
/* Default is: ECDSA SECP384P1, SHA2-384 */
3764-
#define TPM2_IAK_KEY_HANDLE 0x81080000
3765-
#define TPM2_IAK_CERT_HANDLE 0x1C20100
3766-
3767-
#define TPM2_IDEVID_KEY_HANDLE 0x81080001
3768-
#define TPM2_IDEVID_CERT_HANDLE 0x1C20101
3764+
/* Initial Attestation Key (IAK):
3765+
* Restrictive: Can only sign data generated by the TPM like a TPM2_Quote */
3766+
#ifndef TPM2_IAK_KEY_HANDLE
3767+
#define TPM2_IAK_KEY_HANDLE 0x81020001
3768+
#endif
3769+
#ifndef TPM2_IAK_CERT_HANDLE
3770+
#define TPM2_IAK_CERT_HANDLE 0x1C90100
3771+
#endif
3772+
/* Initial Device ID (IDevID):
3773+
* Non-Restrictive: Can sign external data */
3774+
#ifndef TPM2_IDEVID_KEY_HANDLE
3775+
#define TPM2_IDEVID_KEY_HANDLE 0x81020000
3776+
#endif
3777+
#ifndef TPM2_IDEVID_CERT_HANDLE
3778+
#define TPM2_IDEVID_CERT_HANDLE 0x1C90200
3779+
#endif
37693780

37703781
WOLFTPM_API int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle,
37713782
uint8_t* masterPassword, uint16_t masterPasswordSz);
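Review bot: The new default handles are ordered inconsistently between keys and certificates: the IAK key is 0x81020001 and the IDevID key is 0x81020000, while the IAK certificate is 0x1C90100 and the IDevID certificate is 0x1C90200. If this matches the ST33KTPM provisioning, add a short comment saying so, since a reader will otherwise assume the key handles are swapped. All four defaults also change from the previous values (0x81080000, 0x81080001, 0x1C20100, 0x1C20101) with nothing recorded in the header; a note that the `#ifndef` guards let builds for devices provisioned with the earlier layout override them would help. Two smaller points: the comments say "Restrictive" and "Non-Restrictive" where the TPM object attribute is "restricted", and the certificate handles are written with seven hex digits, so padding them to eight (0x01C90100, 0x01C90200) would make the NV index range easier to see next to the eight-digit key handles.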
