On Tue, 2023-04-04 at 13:43 -0500, William Roberts wrote: [...] > > The final part of the puzzle is that the machine owner must have a > > fixed idea of the EK of their TPM and should have certified this > > with the TPM manufacturer. On every boot, the certified EK public > > key should be used to do a make credential/activate credential > > attestation key insertion and then the null key certified with the > > attestation key. We can follow a trust on first use model where an > > OS installation will extract and verify a public EK and save it to > > a read only file. > > Ahh I was wondering how you were going to bootstrap trust using the > NULL hierarchy. Well, actually, I changed my mind on the details of this one: the make credential/activate credential round trip is a huge faff given that there's no privacy issue. I think what we should do is simply store the name of a known signing EK on first install (using the standard P- 256 derivation of the EK template but with TPMA_OBJECT_SIGN additionally set). Then you can use the signing EK to certify the NULL key directly and merely check the signing EK name against the stored value to prove everything is correct. James
