On Mon Apr 1, 2024 at 7:55 PM EEST, James Bottomley wrote:
> On Mon, 2024-04-01 at 10:19 -0400, James Bottomley wrote:
> > So I'm not really sure how to solve this. At the moment the kernel
> > doesn't use permanent handles for keys, but it should and it should
> > follow what all of the industry is doing for interoperability (i.e.
> > zero size points), which means the NULL primary should also follow
> > it.
>
> Actually, it turns out this is already solved by the TCG. The template
> we're using is the correct one (zero size points). Apparently they
> regretted their earlier decision to zero fill and issued this guidance:
>
> 2.2.1.2.2 EK Template
>
> An EK Template is stored in an NV Index as a TPMT_PUBLIC structure
> marshaled as described in the TPM 2.0 Library Specification [1]. The
> default EK Templates are defined in annex B. The EK Template NV Index
> MUST be Populated if non-default values are used. It SHOULD be Absent
> if default values are used.
>
> The EK Template unique field buffer size(s) SHOULD be zero.
>
> But since they can't revoke the previous guidance, we now have two
> templates defined: the L one which has the old n bytes of zeros and the
> new (and recommended) H one which has zero size unique field.
>
> https://trustedcomputinggroup.org/resource/http-trustedcomputinggroup-org-wp-content-uploads-tcg-ek-credential-profile-v-2-5-r2_published-pdf/
>
> So in other words, we're doing the later correct thing and there's no
> problem. I'll update the ASN.1 draft
>
> https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html

First time I'm seeing this document or URL.

> to state that we MUST use the H template to remove any ambiguity
>
> James

BR, Jarkko
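An added illustration, not code from this thread or from the kernel: marshaling the default RSA-2048 EK TPMT_PUBLIC with an L-style (zero-filled) and an H-style (zero-size) unique field, so the two templates can be compared byte for byte. The field values are those of the EK Credential Profile's default RSA template as recalled here (treat them as assumptions and verify against the profile); `unique_size` is a quick check of which style a stored template uses, and it assumes this exact RSA/NULL-scheme layout.

```python
import struct

# TPM 2.0 algorithm identifiers used by the default RSA EK template
TPM_ALG_RSA = 0x0001
TPM_ALG_SHA256 = 0x000B
TPM_ALG_AES = 0x0006
TPM_ALG_CFB = 0x0043
TPM_ALG_NULL = 0x0010

# Assumed values from the TCG EK Credential Profile default RSA-2048 template:
# objectAttributes and the authPolicy digest (PolicySecret on the endorsement hierarchy).
EK_ATTRIBUTES = 0x000B0072
EK_AUTH_POLICY = bytes.fromhex(
    "837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa")


def tpm2b(buf: bytes) -> bytes:
    """TPM2B_*: 16-bit big-endian size followed by the buffer bytes."""
    return struct.pack(">H", len(buf)) + buf


def ek_rsa2048_template(unique: bytes) -> bytes:
    """Marshal a TPMT_PUBLIC for the default RSA-2048 EK with the given unique buffer."""
    return (struct.pack(">HHI", TPM_ALG_RSA, TPM_ALG_SHA256, EK_ATTRIBUTES)
            + tpm2b(EK_AUTH_POLICY)
            # TPMS_RSA_PARMS: symmetric AES-128-CFB, scheme NULL, keyBits 2048, exponent 0
            + struct.pack(">HHH", TPM_ALG_AES, 128, TPM_ALG_CFB)
            + struct.pack(">H", TPM_ALG_NULL)
            + struct.pack(">HI", 2048, 0)
            + tpm2b(unique))


def template_l() -> bytes:
    """Older L-style template: unique carries 256 zero bytes (2048-bit modulus size)."""
    return ek_rsa2048_template(bytes(256))


def template_h() -> bytes:
    """Recommended H-style template: unique has zero size."""
    return ek_rsa2048_template(b"")


def unique_size(template: bytes) -> int:
    """Size field of the trailing unique buffer; 0 means H-style, 256 means L-style.

    Assumes the RSA/NULL-scheme layout produced above: 8-byte header, TPM2B authPolicy,
    then 14 bytes of TPMS_RSA_PARMS before the TPM2B unique.
    """
    policy_len = struct.unpack(">H", template[8:10])[0]
    offset = 8 + 2 + policy_len + 14
    return struct.unpack(">H", template[offset:offset + 2])[0]
```

Because TPM2_CreatePrimary derives the key from the whole marshaled template, the two encodings yield different primary keys even though every other field is identical.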