tpm2_getekcertificate auto-discover TPM manufacturer's server URL #1698

Closed
mdempsky opened this issue Aug 23, 2019 · 5 comments

@mdempsky
Contributor

tpm2_getekcertificate already has logic for checking the TPM's manufacturer and reporting whether it's going to be able to get a certificate from the server. It might as well also supply a default server URL if known; e.g., "https://ekop.intel.com/ekcertservice/" for INTC.

Users would still need to provide an explicit URL in offline mode, or if the manufacturer is not known.
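
The fallback order proposed above, written out as an added example; it is not part of the original post and not tpm2-tools code. The names `ek_resolve_url`, `vendor_from_pt` and the status enum are hypothetical, and the table holds only the URL quoted in this issue.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Default servers by vendor ID. Only the INTC entry comes from this issue;
 * any further entry must be confirmed with the manufacturer first. */
struct ek_server { const char *vendor; const char *url; };
static const struct ek_server ek_servers[] = {
    { "INTC", "https://ekop.intel.com/ekcertservice/" },
};

/* TPM2_PT_MANUFACTURER packs the vendor ID as four ASCII characters, most
 * significant byte first (0x494E5443 is "INTC"). Three-letter IDs are
 * padded with NUL or a space, so a space is treated as a terminator. */
static void vendor_from_pt(uint32_t pt_manufacturer, char out[5]) {
    for (int i = 0; i < 4; i++) {
        char c = (char)(pt_manufacturer >> (24 - 8 * i));
        out[i] = (c == ' ') ? '\0' : c;
    }
    out[4] = '\0';
}

enum ek_url_status { EK_URL_OK, EK_URL_NEED_EXPLICIT };

/* Hypothetical helper: pick the server URL for the EK certificate request.
 * explicit_url is the user-supplied URL or NULL. offline is assumed here to
 * mean that no TPM is queried, so pt_manufacturer carries no information.
 * On EK_URL_OK, *url is the URL to use; otherwise the user must supply one. */
enum ek_url_status ek_resolve_url(const char *explicit_url, bool offline,
                                  uint32_t pt_manufacturer, const char **url) {
    *url = NULL;
    if (explicit_url && explicit_url[0] != '\0') {
        *url = explicit_url;            /* an explicit URL always wins */
        return EK_URL_OK;
    }
    if (offline)
        return EK_URL_NEED_EXPLICIT;    /* no TPM to identify */

    char vendor[5];
    vendor_from_pt(pt_manufacturer, vendor);
    for (size_t i = 0; i < sizeof ek_servers / sizeof ek_servers[0]; i++) {
        if (strcmp(vendor, ek_servers[i].vendor) == 0) {
            *url = ek_servers[i].url;
            return EK_URL_OK;
        }
    }
    return EK_URL_NEED_EXPLICIT;        /* manufacturer not in the table */
}
```

Returning a distinct status for the offline and unknown-manufacturer cases lets the caller fail with a clear "provide a URL" message instead of sending the EK public key to a guessed endpoint.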

@idesai
Member

idesai commented Aug 23, 2019

I wonder if TCG has a registry of these URLs. If not, we will have to get this information from TPM manufacturers.
@PeterHuewe does Infineon have a backend serving EK certificates?

@mdempsky
Contributor Author

If there's a registry that would be great.

Is the protocol documented somewhere? When I was adding support for requesting ECC certs last night, I just guessed the simplest reasonable request format, and thankfully it was right. I couldn't find anything explaining how it's supposed to work.

@mdempsky
Contributor Author

https://docs.microsoft.com/en-us/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices says:

> A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs:

@DomiNic5787
Contributor

For Infineon TPMs the EK is stored on the TPM (see TCG_IWG_Credential_Profile_EK_V2.1_R13 chapter 2.2.1).
So, instead of tpm2_getekcertificate, one can use tpm2_nvread to get the EK certificate (NV indices are also described in TCG_IWG_Credential_Profile_EK_V2.1_R13 chapter 2.2.1).

@idesai
Member

idesai commented Jan 23, 2020

Duplicate #1885
