
RFC: Add user-level mu-api call for key derivation #2101

Draft · wants to merge 1 commit into master
Conversation

cplappert (Member)

This commit introduces a new user-level mu-api call
(Tss2_MU_TPMT_PUBLIC_DERIVE_Marshal) that allows creating
a Derived Object with the command TPM2_CreateLoaded.

The rationale for a dedicated user-level call is that, from a library
perspective, it cannot be determined whether a regular keyed-hash object
or a derived object should be created, since the Marshalling API
(Tss2_MU_TPMU_PUBLIC_ID_Marshal) selects the dedicated marshalling
method based on the algorithm type, which is in both cases TPM2_ALG_KEYEDHASH
(see code snippet below).

TPMU_MARSHAL2(TPMU_PUBLIC_ID,
    TPM2_ALG_KEYEDHASH, ADDR, keyedHash, Tss2_MU_TPM2B_DIGEST_Marshal,
    TPM2_ALG_SYMCIPHER, ADDR, sym, Tss2_MU_TPM2B_DIGEST_Marshal,
    TPM2_ALG_RSA, ADDR, rsa, Tss2_MU_TPM2B_PUBLIC_KEY_RSA_Marshal,
    TPM2_ALG_ECC, ADDR, ecc, Tss2_MU_TPMS_ECC_POINT_Marshal)

Then we would need to add something like

 TPM2_ALG_KEYEDHASH, ADDR, derive, Tss2_MU_TPMS_DERIVE_Marshal,

which results in a duplicate case value.

Since the user knows which type of object he wants to create, I implemented the new
user-level call.

Any feedback on this approach?

Signed-off-by: Christian Plappert <[email protected]>
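
The selector problem described above, as an added example (this is not code from the tpm2-tss project or from this PR). It uses small local mirrors of the TPM 2.0 Part 2 structures (the names `template_t`, `tpm2b_t`, `tpms_derive_t`, `marshal_tpmt_public` and `marshal_tpmt_public_derive` are assumptions for this example, not library types or API) and marshals the same template twice: once as a regular TPMT_PUBLIC, whose `unique` is a TPM2B_DIGEST, and once as a TPMT_PUBLIC_DERIVE, whose `unique` is a TPMS_DERIVE (label and context). Both carry type TPM2_ALG_KEYEDHASH and are byte-identical up to `unique`, which is exactly why a marshaller dispatching on the type selector cannot pick the layout and the caller has to. The label/context values are constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Algorithm IDs from TPM 2.0 Part 2 (TPM_ALG_ID). */
#define ALG_KEYEDHASH 0x0008u
#define ALG_SHA256    0x000Bu
#define ALG_NULL      0x0010u

/* Hypothetical local mirrors of the spec structures, sized for this example only. */
typedef struct { uint16_t size; uint8_t buffer[64]; } tpm2b_t;      /* TPM2B_DIGEST / TPM2B_LABEL */
typedef struct { tpm2b_t label; tpm2b_t context; } tpms_derive_t;   /* TPMS_DERIVE */

typedef struct {
    uint16_t type;              /* TPMI_ALG_PUBLIC: TPM2_ALG_KEYEDHASH in BOTH layouts */
    uint16_t nameAlg;
    uint32_t objectAttributes;  /* TPMA_OBJECT */
    tpm2b_t  authPolicy;
    uint16_t keyedHashScheme;   /* TPMT_KEYEDHASH_SCHEME.scheme; ALG_NULL carries no details */
    union { tpm2b_t digest; tpms_derive_t derive; } unique;
} template_t;

/* Bounds-checked big-endian writer; once a write fails, `err` stays set. */
typedef struct { uint8_t *buf; size_t cap, off; int err; } writer_t;

static void put_u16(writer_t *w, uint16_t v) {
    if (w->err || w->off + 2 > w->cap) { w->err = 1; return; }
    w->buf[w->off++] = (uint8_t)(v >> 8);
    w->buf[w->off++] = (uint8_t)v;
}
static void put_u32(writer_t *w, uint32_t v) { put_u16(w, (uint16_t)(v >> 16)); put_u16(w, (uint16_t)v); }
static void put_tpm2b(writer_t *w, const tpm2b_t *b) {
    put_u16(w, b->size);
    if (w->err || w->off + b->size > w->cap) { w->err = 1; return; }
    memcpy(w->buf + w->off, b->buffer, b->size);
    w->off += b->size;
}

/* Everything up to and including `parameters` is identical for both layouts. */
static void put_prefix(writer_t *w, const template_t *t) {
    put_u16(w, t->type);
    put_u16(w, t->nameAlg);
    put_u32(w, t->objectAttributes);
    put_tpm2b(w, &t->authPolicy);
    put_u16(w, t->keyedHashScheme);   /* TPMU_PUBLIC_PARMS, KEYEDHASH case */
}

/* Generic path, as a TPMU_PUBLIC_ID dispatcher behaves: type KEYEDHASH => unique is a TPM2B_DIGEST.
 * Returns bytes written, or -1 on overflow / unsupported selector. */
int marshal_tpmt_public(const template_t *t, uint8_t *out, size_t cap) {
    writer_t w = { out, cap, 0, 0 };
    if (t->type != ALG_KEYEDHASH) return -1;   /* other selectors left out of this example */
    put_prefix(&w, t);
    put_tpm2b(&w, &t->unique.digest);
    return w.err ? -1 : (int)w.off;
}

/* Caller-selected derive layout: same prefix, but unique is a TPMS_DERIVE (label, context). */
int marshal_tpmt_public_derive(const template_t *t, uint8_t *out, size_t cap) {
    writer_t w = { out, cap, 0, 0 };
    if (t->type != ALG_KEYEDHASH) return -1;
    put_prefix(&w, t);
    put_tpm2b(&w, &t->unique.derive.label);
    put_tpm2b(&w, &t->unique.derive.context);
    return w.err ? -1 : (int)w.off;
}

static void set_tpm2b(tpm2b_t *b, const char *s) { b->size = (uint16_t)strlen(s); memcpy(b->buffer, s, b->size); }

/* Constructed sample templates sharing every byte up to `unique`. */
static template_t sample_template(void) {
    template_t t; memset(&t, 0, sizeof t);
    t.type = ALG_KEYEDHASH; t.nameAlg = ALG_SHA256;
    t.objectAttributes = 0x00040040u;   /* userWithAuth | sign; sensitiveDataOrigin (0x20) clear */
    t.keyedHashScheme = ALG_NULL;
    return t;
}
template_t sample_keyedhash_template(void) { return sample_template(); }   /* unique.digest.size == 0 */
template_t sample_derive_template(void) {
    template_t t = sample_template();
    set_tpm2b(&t.unique.derive.label, "key");   /* constructed label */
    set_tpm2b(&t.unique.derive.context, "ctx"); /* constructed context */
    return t;
}

int main(void) {
    uint8_t a[128], b[128];
    template_t kh = sample_keyedhash_template(), dv = sample_derive_template();
    int na = marshal_tpmt_public(&kh, a, sizeof a);
    int nb = marshal_tpmt_public_derive(&dv, b, sizeof b);
    printf("keyedhash template: %d bytes, derive template: %d bytes, identical 12-byte prefix: %s\n",
           na, nb, memcmp(a, b, 12) == 0 ? "yes" : "no");
    return 0;
}
```

The two outputs agree on the first 12 bytes (type, nameAlg, objectAttributes, empty authPolicy, NULL scheme) and only diverge inside `unique`, so no information available to a type-dispatching marshaller distinguishes them; the choice has to be made by whoever builds the TPM2B_TEMPLATE for TPM2_CreateLoaded.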

cplappert marked this pull request as draft on June 22, 2021 11:17
@cplappert (Member, Author)

Alternative: Could also be a candidate for the utility library (#1587)? But I do not know the status there.

@cplappert (Member, Author)

Another possibility: TPM2 Specification Part 2 (01.59, 12.2.3.2 TPMU_PUBLIC_ID, p.140) does not specify a selector for derive. A new selector (e.g., TPM_ALG_DERIVE or TPM_ALG_KEYEDHASH_DERIVE) would make the user level call obsolete.

@AndreasFuchsTPM (Member)

But then we'd have a mismatch in the type selector of the surrounding TPMT_PUBLIC structure.
So TPMT_PUBLIC_DERIVE_marshal would still be needed, correct?

@williamcroberts (Member)

> Alternative: Could also be a candidate for the utility library (#1587)? But I do not know the status there.

We're looking at it in the TSS WG now; I think this would be a candidate for the utility library. I'm confused about what problem this is solving. Isn't a derived object one where you specify the seed in the template and have sensitiveDataOrigin clear?

codecov bot commented Mar 20, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 0.00%. Comparing base (a516076) to head (eb2ad37).

❗ Current head eb2ad37 differs from pull request most recent head e50ee38. Consider uploading reports for the commit e50ee38 to get more accurate results


cplappert force-pushed the add-kdf-support branch 2 times, most recently from 2a5adec to a08bc15, on March 22, 2024 06:59
cplappert force-pushed the add-kdf-support branch 3 times, most recently from 3be1527 to cb5b8ef, on July 3, 2024 21:14
This commit introduces a new user-level mu-api call
(Tss2_MU_TPMT_PUBLIC_DERIVE_Marshal) that allows creating
a Derived Object with the command TPM2_CreateLoaded.

Signed-off-by: Christian Plappert <[email protected]>
3 participants