Some tpm2-tools support--format=pem
. Make sure you're on a 4.0+ version. If you're on master,you can even get the pem file during creation time. I am going to provide what you can do with tpm2-tools,however, there are also tools that start with tss2 prefix that use a higher level API called FAPI. Those toolsmight do what you want with far less steps then the tpm2 prefixed tools. I CC'd Andreas Fuchs so he canadvise on those tools.
# versions >= 4.0tpm2_createprimary -c primary.ctx
tpm2_readpublic --format=pem -o key.pem -c primary.ctx
head key.pem-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtFeWoma5eS7x7XjR1QWp<snip>
# mastertpm2_createprimary -c primary.ctx --format=pem -o key.pem
For keys created with tpm2_create, you can use the readpublic option or use tpm2_print# readpublic exampletpm2_create -C primary.ctx -u key.pub -r key.priv
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctxtpm2_readpublic --format=pem -o key.pem -c key.ctx
# print exampletpm2 print --type TPM2B_PUBLIC --format=pem key.pub-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwEDts9Y64CGuHPjT/8nC<snip>
For the other portion of your question is "encrypting application secrets" to the TPM.
Thier's a few ways you could do this, but I would suggest using the sealing function.It creates a TPM protected object but instead of it containing a key the tpm knowshow to use, it contains free form userdata, like the application secretes, or if thoseare too large to store in the TPM, an AES key to wrap those with.
I would choose sealing first, it's the simplest. For AES wrapping I would pickAES 256 GCM but the key type and mode is up to you.
To seal a secret, one would use tpm2_create with the -i option:
# read secret from stdin with -i -, or use -i <file> to read from a file.tpm2_create -C primary.ctx -i- -u key.pub -r key.priv <<< 'MY SECRET'
# loadtpm2 load -C primary.ctx -u key.pub -r key.priv -c key.ctx
# unseal secret from TPMtpm2 unseal -c key.ctx
MY SECRET
# for wrapping a secret with an AES Key, just make 'MY SECRET' an AES key and useopenssl commands. Examples can be found here:
You can set passwords and policies on TPM objects as you see fit, and we can helpyou craft a policy.
The man pages for the tools should have examples, you can just view the markdown onthe github wiki as well:
There are also examples in the test directory.
Bill
From: Steven Clark <davolfman@gmail.com>
Sent: Wednesday, June 16, 2021 8:33 PM
To: @rubynerd <x@rubynerd.net>
Cc: tpm2 <tpm2@lists.01.org>
Subject: [tpm2] Re: Sample applicationsOn Wed, Jun 16, 2021 at 3:12 PM @rubynerd <x@rubynerd.net> wrote:
>
> Hi all,
>
> I'm looking to build an application which creates a key on a TPM & uses the TPM to decrypt some application initialisation secrets delivered to the application via a control-plane, which verifies the key the TPM will use is on a TPM.
>
> I'm struggling to find any sample applications/explanations/cookbooks for tmp2-tools to prototype out how this would work — in fact, I can't find an explainer of how to convert a key from "tss" format to PEM format. Is there something I've missed, or is there a sample TPM application or something kicking about I can refer to? I'm aware there are specification PDF's, but these are unapproachable to someone with attention-span disabilities.
>
> Thanks,
> Luke
> _______________________________________________
> tpm2 mailing list -- tpm2@lists.01.org
> To unsubscribe send an email to tpm2-leave@lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
With tpm2-tools it's pretty easy if you've got a remotely up to date
version. Most of the tools that need to interact with outside keys
natively support the SSL key types. So you just interact with them on
the command line.
If you want to actually program using the ESAPI and use outside key
formats my recommendation would be get comfortable reading the
structure definitions in the TPM2 specs (sometimes assisted by the
actual header files from the TSS), the ESAPI spec, and the OpenSSL API
man pages and learn to tear a key down into low level structures in
one API to reassemble in the other format. The math is still the same
after all.
_______________________________________________
tpm2 mailing list -- tpm2@lists.01.org
To unsubscribe send an email to tpm2-leave@lists.01.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s