Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes for latest ST33KTPM IAK/IDevID provisioning #361

Merged
merged 1 commit into from
Jul 26, 2024
+27 −8
Merged

Fixes for latest ST33KTPM IAK/IDevID provisioning #361

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -822,6 +822,14 @@ Connection: close
</html>
```

## Device Identity and Attestation Keys

The TCG published a specification for TPM manufacture guidance on setting up keys that can be used for device identiy and attestation.

This feature has been tested with the ST33KTPM and is enabled with `WOLFTPM_MFG_IDENTITY`. The ST33KTPM samples are provisioned with a default master password enabled with `TEST_SAMPLE`. To define your own master password use `TPM2_IAK_SAMPLE_MASTER_PASSWORD`. The master password is hashed along with the device serial number to produce authentication for accessing these keys.

The default keys are ECDSA SECP384R1 with SHA2-384 and stored in NV Index defined by `TPM2_IAK_KEY_HANDLE`, `TPM2_IAK_CERT_HANDLE`, `TPM2_IDEVID_KEY_HANDLE` and `TPM2_IDEVID_CERT_HANDLE`.


## Todo

Expand Down
27 changes: 19 additions & 8 deletions wolftpm/tpm2_wrap.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3718,16 +3718,27 @@ WOLFTPM_API int wolfTPM2_PolicyAuthValue(WOLFTPM2_DEV* dev,



/* pre-provisioned IAK and IDevID key/cert from TPM vendor */
/* Pre-provisioned IAK and IDevID key/cert from TPM vendor */
/* Tested with ST33KTPM devices */
/* Default assumes: ECDSA SECP384R1, SHA2-384 */
#ifdef WOLFTPM_MFG_IDENTITY

/* Initial attestation key (IAK) and an initial device ID (IDevID) */
/* Default is: ECDSA SECP384P1, SHA2-384 */
#define TPM2_IAK_KEY_HANDLE 0x81080000
#define TPM2_IAK_CERT_HANDLE 0x1C20100

#define TPM2_IDEVID_KEY_HANDLE 0x81080001
#define TPM2_IDEVID_CERT_HANDLE 0x1C20101
/* Initial Attestation Key (IAK):
* Restrictive: Can only sign data generated by the TPM like a TPM2_Quote */
#ifndef TPM2_IAK_KEY_HANDLE
#define TPM2_IAK_KEY_HANDLE 0x81020001
#endif
#ifndef TPM2_IAK_CERT_HANDLE
#define TPM2_IAK_CERT_HANDLE 0x1C90100
#endif
/* Initial Device ID (IDevID):
* Non-Restrictive: Can sign external data */
#ifndef TPM2_IDEVID_KEY_HANDLE
#define TPM2_IDEVID_KEY_HANDLE 0x81020000
#endif
#ifndef TPM2_IDEVID_CERT_HANDLE
#define TPM2_IDEVID_CERT_HANDLE 0x1C90200
#endif

WOLFTPM_API int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle,
uint8_t* masterPassword, uint16_t masterPasswordSz);
Expand Down
Loading