diff --git a/examples/attestation/README.md b/examples/attestation/README.md index 3ff6cb34..fc5a028d 100644 --- a/examples/attestation/README.md +++ b/examples/attestation/README.md @@ -10,7 +10,8 @@ Complete list of the required examples is shown below: * `./examples/attestation/make_credential`: Used by a server to create a remote attestation challenge * `./examples/attestation/activate_credential`: Used by a client to decrypt the challenge and respond -* `./examples/keygen/keygen`: Used to create a primary key(PK) and attestation key(AK) +* `./examples/attestation/certify`: Used to certify (attest) or prove an object with name is loaded in the TPM. +* `./examples/keygen/create_primary`: Used to create a primary key(PK) and attestation key(AK) Note: All of these example allow the use of the Endorsement Key and Attestation Key under the Endorsement Hierarchy. This is done by adding the `-eh` option when executing any of the three examples above. The advantage of using EK/EH is that the private key material of the EK never leaves the TPM. Anything encrypted using the public part of the EK can be encrypted only internally by the TPM owner of the EK, and EK is unique for every TPM chip. Therefore, creating challenges for Remote Attestation using the EK/EH has greater value in some scenarios. One drawback is that by using the EK the identity of the host under attestation is always known, because the EK private-public key pair identifies the TPM and in some scenarios this might rise privacy concerns. Our remote attestation examples support both AK under SRK and AK under EK. It is up to the developer to decide which one to use. @@ -99,6 +100,45 @@ TPM2_ActivateCredential success The transfer of the challenge response containing the secret in plain (or used as a symmetric key seed) is not part of the `activate_credential` example, because the exchange is also implementation specific. +### Certify Example + +This example creates an RSA or ECC initial device identity and attestation identity keys. These are created under the endorsement heiracry and follow the "TPM 2.0 Keys for Device Identity and Attestation" TCG specification for setting up the primary key policies. The IDevID key can be used for signing. This example signs the IAK (attestation key) using the IDevID (device identity key). + +```sh +% ./examples/keygen/create_primary -rsa -eh -iak -keep +TPM2.0 Primary Key generation example + Algorithm: RSA + Unique: IAK + Store Handle: 0x00000000 + Use Parameter Encryption: NULL +Creating new RSA primary key... + +% ./examples/keygen/create_primary -rsa -eh -idevid -keep +TPM2.0 Primary Key generation example + Algorithm: RSA + Unique: IDEVID + Store Handle: 0x00000000 + Use Parameter Encryption: NULL +Creating new RSA primary key... + +% ./examples/attestation/certify -rsa -certify=0x80000000 -signer=0x80000001 +Certify 0x80000000 with 0x80000001 to generate TPM-signed attestation info +EK Policy Session: Handle 0x3000000 +TPM2_Certify complete +Certify Info 172 +RSA Signature: 256 + +% ./examples/management/flush 0x80000001 +Preparing to free TPM2.0 Resources +Freeing 80000001 object + +% ./examples/management/flush 0x80000000 +Preparing to free TPM2.0 Resources +Freeing 80000000 object +``` + +For ECC use the same steps as above, but replace `-rsa` with `-ecc`. + ## More information Please contact us at facts@wolfssl.com if you are interested in more information about Remote Attestation using wolfTPM. diff --git a/examples/attestation/certify.c b/examples/attestation/certify.c index 7e47acee..f2130867 100644 --- a/examples/attestation/certify.c +++ b/examples/attestation/certify.c @@ -30,7 +30,7 @@ #include -#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) +#ifndef WOLFTPM2_NO_WRAPPER #include #include @@ -183,20 +183,20 @@ int TPM2_Certify_Example(void* userCtx, int argc, char *argv[]) /******************************************************************************/ /* --- END TPM2.0 Certify example tool -- */ /******************************************************************************/ -#endif /* !WOLFTPM2_NO_WRAPPER && !WOLFTPM2_NO_WOLFCRYPT */ +#endif /* !WOLFTPM2_NO_WRAPPER */ #ifndef NO_MAIN_DRIVER int main(int argc, char *argv[]) { int rc = -1; -#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) +#ifndef WOLFTPM2_NO_WRAPPER rc = TPM2_Certify_Example(NULL, argc, argv); #else printf("Wrapper or wolfCrypt code not compiled in\n"); (void)argc; (void)argv; -#endif /* !WOLFTPM2_NO_WRAPPER && !WOLFTPM2_NO_WOLFCRYPT */ +#endif /* !WOLFTPM2_NO_WRAPPER */ return rc; }