Skip to content

Commit

Permalink
Merge pull request #361 from dgarske/idevid
Browse files Browse the repository at this point in the history 
Fixes for latest ST33KTPM IAK/IDevID provisioning
  • Loading branch information
@embhorn
embhorn authored Jul 26, 2024
2 parents 4b0e42c + dc2b91d commit b36f792
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 8 deletions.
8 changes: 8 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -823,6 +823,14 @@ Connection: close
</html>
```

## Device Identity and Attestation Keys

The TCG published a specification for TPM manufacture guidance on setting up keys that can be used for device identiy and attestation.

This feature has been tested with the ST33KTPM and is enabled with `WOLFTPM_MFG_IDENTITY`. The ST33KTPM samples are provisioned with a default master password enabled with `TEST_SAMPLE`. To define your own master password use `TPM2_IAK_SAMPLE_MASTER_PASSWORD`. The master password is hashed along with the device serial number to produce authentication for accessing these keys.

The default keys are ECDSA SECP384R1 with SHA2-384 and stored in NV Index defined by `TPM2_IAK_KEY_HANDLE`, `TPM2_IAK_CERT_HANDLE`, `TPM2_IDEVID_KEY_HANDLE` and `TPM2_IDEVID_CERT_HANDLE`.


### TPM Endorsement Key Certificates

Expand Down
27 changes: 19 additions & 8 deletions wolftpm/tpm2_wrap.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3756,16 +3756,27 @@ WOLFTPM_API int wolfTPM2_PolicyAuthValue(WOLFTPM2_DEV* dev,



/* pre-provisioned IAK and IDevID key/cert from TPM vendor */
/* Pre-provisioned IAK and IDevID key/cert from TPM vendor */
/* Tested with ST33KTPM devices */
/* Default assumes: ECDSA SECP384R1, SHA2-384 */
#ifdef WOLFTPM_MFG_IDENTITY

/* Initial attestation key (IAK) and an initial device ID (IDevID) */
/* Default is: ECDSA SECP384P1, SHA2-384 */
#define TPM2_IAK_KEY_HANDLE 0x81080000
#define TPM2_IAK_CERT_HANDLE 0x1C20100

#define TPM2_IDEVID_KEY_HANDLE 0x81080001
#define TPM2_IDEVID_CERT_HANDLE 0x1C20101
/* Initial Attestation Key (IAK):
* Restrictive: Can only sign data generated by the TPM like a TPM2_Quote */
#ifndef TPM2_IAK_KEY_HANDLE
#define TPM2_IAK_KEY_HANDLE 0x81020001
#endif
#ifndef TPM2_IAK_CERT_HANDLE
#define TPM2_IAK_CERT_HANDLE 0x1C90100
#endif
/* Initial Device ID (IDevID):
* Non-Restrictive: Can sign external data */
#ifndef TPM2_IDEVID_KEY_HANDLE
#define TPM2_IDEVID_KEY_HANDLE 0x81020000
#endif
#ifndef TPM2_IDEVID_CERT_HANDLE
#define TPM2_IDEVID_CERT_HANDLE 0x1C90200
#endif

WOLFTPM_API int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle,
uint8_t* masterPassword, uint16_t masterPasswordSz);
Expand Down

0 comments on commit b36f792

Please sign in to comment.