Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make 0x81000001 the default SRK handle when outputting TSS2 #413

Merged
merged 3 commits into from
Jan 25, 2024
Merged

Make 0x81000001 the default SRK handle when outputting TSS2 #413

merged 3 commits into from
Jan 25, 2024

Conversation

hslatman
Copy link
Member

No description provided.

@hslatman hslatman requested a review from maraino January 24, 2024 19:59
maraino
maraino reviewed Jan 25, 2024
View reviewed changes
Copy link
Contributor

@maraino maraino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change looks good, but some description in this PR of why this change is necessary.

If we run openssl genpkey -provider tpm2 -algorithm RSA -out key.tss2, the parent is 0x40000001.

And in the last version of TCG TSS 2.0 Overview and Common Structures Specification contradicts Registry of Reserved TPM 2.0 Handles and Localities, and still shows:

#define TPM2_RH_OWNER        ((TPM2_RH) 0x40000001)

Note that the other one shows TPM_RH_OWNER, without the 2.

@hslatman
Copy link
Member Author

hslatman commented Jan 25, 2024
edited
Loading

The change looks good, but some description in this PR of why this change is necessary.

If we run openssl genpkey -provider tpm2 -algorithm RSA -out key.tss2, the parent is 0x40000001.

And in the last version of TCG TSS 2.0 Overview and Common Structures Specification contradicts Registry of Reserved TPM 2.0 Handles and Localities, and still shows:

#define TPM2_RH_OWNER        ((TPM2_RH) 0x40000001)

Note that the other one shows TPM_RH_OWNER, without the 2.

Yes, that's correct. When using the TPM2 tools, by default and if you don't specify another parent, it would go directly under the owner handle. I'm not sure a different handle can be provided when using openssl with the tpm2 provider, but you can provide a different handle when using e.g. tpm2_create / tpm2_load. That's effectively what's used in go-tpm and go-attestation: a primary (the SRK) is created under 0x40000001 (with handle 0x81000001), and then all AKs and keys are created under the SRK.

@hslatman hslatman requested a review from maraino January 25, 2024 11:20
maraino
maraino approved these changes Jan 25, 2024
View reviewed changes
Copy link
Contributor

@maraino maraino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Perhaps makes sense to use 0x81000001 as the default.

@hslatman hslatman merged commit c49ba73 into master Jan 25, 2024
11 of 13 checks passed
@hslatman hslatman deleted the herman/fix-tss2-parent branch January 25, 2024 21:00
@hslatman
Copy link
Member Author

As discussed: for external users of the tss2 package, who may have obtained the pub/priv blobs from one of the tpm2-tools, the current default is to use the owner handle as the parent. We're keeping that in line in the tss2 package, and only change it to 0x81000001 for TSS2 exports of our AK and Key types.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maraino maraino maraino approved these changes

Assignees
No one assigned
Labels
needs triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@hslatman @maraino