Actually, I have a follow-up question.
If I understand the documentation correctly, I should always be able to generate the EK via tpm2_createek. That should (can?) never change.
So, upon initial deployment, first check and store EK.
    tpm2_createek -G rsa -u ek.pub -c key.ctx
    tpm2_getekcertificate -X -o ECcert.bin -u ek.pub \
        https://tpm.manufacturer.com/ekcertserver/

Right?
Best regards,
Steffen
Dell should keep tabs on all Endorsement Certificates that their computers come with and give you that list.
You then check for a valid Endorsement cert as part of enrollment.
- Niklas
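
The enrollment check discussed above, as an added example that is not part of the original thread and not tpm2-tools code: it accepts an EK certificate only if it chains to a trusted vendor CA and certifies the same public key the TPM reports. It assumes the certificate is DER-encoded, the EK public key has been exported as PEM, and the vendor CA bundle is a PEM file; the function names and file names are hypothetical, and `make_demo_pki` builds constructed stand-in material with openssl instead of a real TPM.

```bash
# check_ek_cert CA_BUNDLE_PEM EK_CERT_DER EK_PUB_PEM
# Returns: 0 = cert chains to the CA and matches the EK public key
#          1 = cert does not verify against the CA bundle
#          2 = cert is valid but certifies a different key than the EK
#          3 = an input could not be parsed
check_ek_cert() {
    local ca="$1" cert_der="$2" ek_pub="$3" tmp rc=0
    tmp="$(mktemp -d)" || return 3
    if ! openssl x509 -inform DER -in "$cert_der" -out "$tmp/cert.pem" 2>/dev/null; then
        rc=3
    elif ! openssl verify -CAfile "$ca" "$tmp/cert.pem" >/dev/null 2>&1; then
        rc=1
    # Normalise both keys to DER SubjectPublicKeyInfo so the comparison is byte-exact.
    elif ! openssl x509 -in "$tmp/cert.pem" -noout -pubkey 2>/dev/null |
           openssl pkey -pubin -outform DER -out "$tmp/cert_spki.der" 2>/dev/null ||
         ! openssl pkey -pubin -in "$ek_pub" -outform DER -out "$tmp/ek_spki.der" 2>/dev/null; then
        rc=3
    elif ! cmp -s "$tmp/cert_spki.der" "$tmp/ek_spki.der"; then
        rc=2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# make_demo_pki DIR
# Constructed sample data: a throwaway "vendor CA" (ca.pem), an RSA key standing
# in for the EK (ek.pem), and a DER certificate for it (ekcert.der).
make_demo_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/CN=Demo TPM Vendor CA" -days 1 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/ek.key" 2>/dev/null &&
    openssl pkey -in "$d/ek.key" -pubout -out "$d/ek.pem" &&
    openssl req -new -key "$d/ek.key" -subj "/CN=Demo EK" -out "$d/ek.csr" &&
    openssl x509 -req -in "$d/ek.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -outform DER -out "$d/ekcert.der" 2>/dev/null
}
```

Return code 2 is the case worth alerting on at enrollment: a genuine vendor-signed certificate presented alongside a key that does not belong to it.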