Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Align ek abstraction with TCG EK Credential profile #552

Merged
merged 5 commits into from
Oct 30, 2024

Conversation

THS-on
Copy link
Contributor

@THS-on THS-on commented Oct 18, 2024

The used hashing and symmetric algorithm and authPolicy are different based on the key size/curve.

While the old generated EKs still work, they are not that useful as they don't match the EK found in provisioned EK certificates according to the TCG EK Credential profile. This fixes that.

@THS-on THS-on force-pushed the fix-ecc-ek-abstraction branch from 04e6225 to 40c623f Compare October 18, 2024 20:20
@THS-on THS-on force-pushed the fix-ecc-ek-abstraction branch from 40c623f to a119e8c Compare October 21, 2024 08:20
@THS-on
Copy link
Contributor Author

THS-on commented Oct 21, 2024

What is currently missing is reading the template and potential nonce from NV. Do we need that feature?

Edit: should be possible to implement this via key customization, so not implementing this directly in this PR.

@THS-on THS-on force-pushed the fix-ecc-ek-abstraction branch 2 times, most recently from cb7e1dc to 0da45ee Compare October 21, 2024 09:44
@THS-on THS-on force-pushed the fix-ecc-ek-abstraction branch from 0da45ee to 80f3326 Compare October 21, 2024 09:48
Copy link
Collaborator

@Superhepper Superhepper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!
LGTM.

Copy link
Member

@ionut-arm ionut-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the fix, much needed that someone with more XP on this refreshed it :)

@@ -42,12 +66,19 @@ pub fn create_ek_public_from_default_template<IKC: IntoKeyCustomization>(
) -> Result<Public> {
let key_customization = key_customization.into_key_customization();

// user_with_auth is not set for the lower profiles (RSA 20248 and ECC P256)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit:

Suggested change
// user_with_auth is not set for the lower profiles (RSA 20248 and ECC P256)
// user_with_auth is not set for the lower profiles (RSA 2048 and ECC P256)

@ionut-arm
Copy link
Member

ionut-arm commented Oct 30, 2024

Do we need to backport this to 7.x.y btw?

Nevermind, saw the comment in #546

@Superhepper Superhepper merged commit b16f3fa into parallaxsecond:main Oct 30, 2024
12 checks passed
Superhepper added a commit to Superhepper/rust-tss-esapi that referenced this pull request Nov 7, 2024
This takes the following PRs and from the main
branch and adapts them so that they can be merged
into the 7.x.y branch:

\parallaxsecond#464 (By Ionut Mihalcea <[email protected]>)
\parallaxsecond#414 (By Thore Sommer <[email protected]>)
\parallaxsecond#552 (By Thore Sommer <[email protected]>)

Co-authored-by: Jesper Brynolf <[email protected]>
Co-authored-by: Thore Sommer <[email protected]>
Co-authored-by: Ionut Mihalcea <[email protected]>
Signed-off-by: Jesper Brynolf <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants