On Mon, 2024-04-01 at 10:19 -0400, James Bottomley wrote:
> So I'm not really sure how to solve this. At the moment the kernel
> doesn't use permanent handles for keys, but it should and it should
> follow what all of the industry is doing for interoperability (i.e.
> zero size points), which means the NULL primary should also follow
> it.

Actually, it turns out this is already solved by the TCG.  The template
we're using is the correct one (zero size points).  Apparently they
regretted their earlier decision to zero fill and issued this guidance:

    2.2.1.2.2 EK Template

    An EK Template is stored in an NV Index as a TPMT_PUBLIC structure
    marshaled as described in the TPM 2.0 Library Specification [1]. The
    default EK Templates are defined in annex B. The EK Template NV Index
    MUST be Populated if non-default values are used. It SHOULD be Absent
    if default values are used. The EK Template unique field buffer
    size(s) SHOULD be zero.

But since they can't revoke the previous guidance, we now have two
templates defined: the L one which has the old n bytes of zeros and the
new (and recommended) H one which has zero size unique field.

https://trustedcomputinggroup.org/resource/http-trustedcomputinggroup-org-wp-content-uploads-tcg-ek-credential-profile-v-2-5-r2_published-pdf/

So in other words, we're doing the later correct thing and there's no
problem.  I'll update the ASN.1 draft

https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html

to state that we MUST use the H template to remove any ambiguity

James
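Added example, not part of the message above nor of the kernel or the TCG profile: it marshals a TPMT_PUBLIC for an ECC NIST P-256 endorsement key twice, once with the older zero-filled unique point ("L" style, x and y each 32 zero bytes) and once with zero-size unique buffers ("H" style, the form the quoted guidance recommends), then derives the TPM object Name (nameAlg || H(marshaled TPMT_PUBLIC)) for each. The point it makes concrete is that the two encodings are different objects to a TPM, which is why interoperating implementations have to agree on one. Only the unique field is varied; the remaining fields (object attributes, AES-128-CFB symmetric parameters, NULL scheme and KDF, and the SHA-256 PolicySecret endorsement-hierarchy authPolicy digest) are assumed from the profile's default P-256 template and should be checked against the published document before relying on exact Name values, since the profile's real L and H entries may differ in more than the unique field.

```python
# Added example (not from the email, the kernel, or the TCG profile):
# marshal a TPMT_PUBLIC for an ECC P-256 EK with a zero-filled unique
# point ("L" style) and with zero-size unique buffers ("H" style), and
# derive the TPM Name of each to show the two are distinct objects.
import hashlib
import struct

# TPM 2.0 algorithm / curve identifiers (TPM 2.0 Library spec, Part 2)
TPM_ALG_ECC = 0x0023
TPM_ALG_SHA256 = 0x000B
TPM_ALG_AES = 0x0006
TPM_ALG_CFB = 0x0043
TPM_ALG_NULL = 0x0010
TPM_ECC_NIST_P256 = 0x0003

# TPMA_OBJECT assumed for the EK: fixedTPM | fixedParent |
# sensitiveDataOrigin | adminWithPolicy | restricted | decrypt
EK_OBJECT_ATTRIBUTES = 0x000300B2

# Assumed authPolicy: the SHA-256 PolicySecret(endorsement hierarchy)
# digest published for the default EK templates. Verify against the profile.
EK_AUTH_POLICY_SHA256 = bytes.fromhex(
    "837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa"
)


def tpm2b(buf: bytes) -> bytes:
    """TPM2B_*: a big-endian UINT16 size followed by the buffer bytes."""
    return struct.pack(">H", len(buf)) + buf


def marshal_ecc_p256_ek_template(unique_x: bytes, unique_y: bytes) -> bytes:
    """Marshal a TPMT_PUBLIC for an ECC P-256 EK, fields in spec order."""
    # type, nameAlg, objectAttributes
    out = struct.pack(">HHI", TPM_ALG_ECC, TPM_ALG_SHA256, EK_OBJECT_ATTRIBUTES)
    out += tpm2b(EK_AUTH_POLICY_SHA256)  # authPolicy: TPM2B_DIGEST
    # parameters: TPMS_ECC_PARMS
    out += struct.pack(">HHH", TPM_ALG_AES, 128, TPM_ALG_CFB)  # symmetric: TPMT_SYM_DEF_OBJECT
    out += struct.pack(">H", TPM_ALG_NULL)        # scheme: TPMT_ECC_SCHEME (NULL has no details)
    out += struct.pack(">H", TPM_ECC_NIST_P256)   # curveID
    out += struct.pack(">H", TPM_ALG_NULL)        # kdf: TPMT_KDF_SCHEME (NULL has no details)
    # unique: TPMS_ECC_POINT, x and y each a TPM2B_ECC_PARAMETER
    out += tpm2b(unique_x) + tpm2b(unique_y)
    return out


def tpm_name(marshaled_public: bytes) -> bytes:
    """Object Name = nameAlg || H_nameAlg(marshaled TPMT_PUBLIC)."""
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(marshaled_public).digest()


def l_style_template() -> bytes:
    """Older zero-fill form: unique x/y each 32 zero bytes (P-256 coordinate size)."""
    return marshal_ecc_p256_ek_template(bytes(32), bytes(32))


def h_style_template() -> bytes:
    """Recommended form: unique buffer sizes are zero."""
    return marshal_ecc_p256_ek_template(b"", b"")


if __name__ == "__main__":
    for label, tmpl in (("L-style", l_style_template()), ("H-style", h_style_template())):
        print(f"{label}: {len(tmpl)} bytes marshaled, Name = {tpm_name(tmpl).hex()}")
```

The marshaled L-style template is 64 bytes longer than the H-style one (two 32-byte coordinates), and since the Name is a hash over the whole marshaled structure, the two Names never collide. Comparing the Name a tool such as the kernel or tpm2-tools reports against the one computed here is a quick way to tell which template an implementation actually used.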