Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pxe-server: transport key should have a policy to prevent misuse #121

Closed
osresearch opened this issue Jun 9, 2021 · 3 comments
Closed
Assignees

Comments

@osresearch
Copy link
Owner

No description provided.

@osresearch
Copy link
Owner Author

requires bumping to new version of tpm2-tools tpm2-software/tpm2-tools#2750

@osresearch
Copy link
Owner Author

also the wrapper should be renamed to transportkey to match the document.

osresearch added a commit that referenced this issue Jun 9, 2021
This creates a policy so that the TK can only be unsealed
if PCR11 (`$POLICY_PCR`) is zero.  Once the TK has been used,
the `bootscript` extends PCR11 so that it is no longer possible
to use the TK.

This also renamed the `wrapper.pub` key to `transport.pub`
to be the same as the documentation.
@osresearch
Copy link
Owner Author

The sealing policy is hard coded to PCR1 == 0, since generating the policy requires a TPM. I've opened an issue to address that tpm2-software/tpm2-tools#2761

osresearch added a commit that referenced this issue Jul 23, 2021
This creates a policy so that the TK can only be unsealed
if PCR11 (`$POLICY_PCR`) is zero.  Once the TK has been used,
the `bootscript` extends PCR11 so that it is no longer possible
to use the TK.

This also renamed the `wrapper.pub` key to `transport.pub`
to be the same as the documentation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant