All of lore.kernel.org
 help / color / mirror / Atom feed
From: Tadeusz Struk <tadeusz.struk at intel.com>
To: tpm2@lists.01.org
Subject: [tpm2] Re: Device Identity Attestation with tpm2-tools
Date: Wed, 15 Jan 2020 11:03:28 -0800	[thread overview]
Message-ID: <9785df44-2ac5-c398-1d96-fd9a56f210d1@intel.com> (raw)
In-Reply-To: 476DC76E7D1DF2438D32BFADF679FC5649E66B7A@ORSMSX101.amr.corp.intel.com

[-- Attachment #1: Type: text/plain, Size: 799 bytes --]

On 1/15/20 6:08 AM, Roberts, William C wrote:
> <snip>
>> working even after the device disk and tpm is cleared.
>> The tpm will always derive the same EK if one provides the same parameters.
> This is true 99+% of the time. However, the spec allows TPMs to to implement the CHANGEEPS
> Command that will cause the endorsement hierarchy seed to change. When this occurs, calls
> to createprimary  with the same templates to produce different keys. While this is rare, I've never
> seen one in the wild, you may wish to check the command interface for changeeps so you know
> what's possible with that TPM. Similar commands exist for other hierarchies as well.

Also keep in mind that tpm2_clear command changes the SPS so any keys in
the storage hierarchy will be invalid.

-- 
Tadeusz

             reply	other threads:[~2020-01-15 19:03 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-15 19:03 Tadeusz Struk [this message]
  -- strict thread matches above, loose matches on Subject: below --
2020-01-15 16:21 [tpm2] Re: Device Identity Attestation with tpm2-tools Roberts, William C
2020-01-15 16:13 nicolasoliver03
2020-01-15 14:08 Roberts, William C
2020-01-14 18:41 Oliver, Dario N
2020-01-09 20:19 Munson, Charles - 0553 - MITLL

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9785df44-2ac5-c398-1d96-fd9a56f210d1@intel.com \
    --to=tpm2@lists.01.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.