Re: [PATCH v7 12/21] tpm: Add NULL primary creation

On Mon Apr 1, 2024 at 11:54 PM EEST, Jarkko Sakkinen wrote:
> On Mon Apr 1, 2024 at 7:55 PM EEST, James Bottomley wrote:
> > On Mon, 2024-04-01 at 10:19 -0400, James Bottomley wrote:
> > > So I'm not really sure how to solve this.  At the moment the kernel
> > > doesn't use permanent handles for keys, but it should and it should
> > > follow what all of the industry is doing for interoperability (i.e.
> > > zero size points), which means the NULL primary should also follow
> > > it.
> >
> > Actually, it turns out this is already solved by the TCG.  The template
> > we're using is the correct one (zero size points).  Apparently they
> > regretted their earlier decision to zero fill and issued this guidance:
> >
> >    2.2.1.2.2 EK Template
> >    
> >    An EK Template is stored in an NV Index as a TPMT_PUBLIC structure
> >    marshaled as described in the TPM 2.0 Library Specification [1]. The
> >    default EK Templates are defined in annex B. The EK Template NV Index
> >    MUST be Populated if non-default values are used. It SHOULD be Absent
> >    if default values are used.
> >    
> >    The EK Template unique field buffer size(s) SHOULD be zero.
> >    
> > But since they can't revoke the previous guidance, we now have two
> > templates defined: the L one which has the old n bytes of zeros and the
> > new (and recommended) H one which has zero size unique field.
> >
> > https://trustedcomputinggroup.org/resource/http-trustedcomputinggroup-org-wp-content-uploads-tcg-ek-credential-profile-v-2-5-r2_published-pdf/
> >
> > So in other words, we're doing the later correct thing and there's no
> > problem.  I'll update the ASN.1 draft
> >
> > https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
>
> First time I'm seeing this document or URL.

Anyway, the only thing that we align with is the latest in-kernel
documentation; outside URLs are ignored. I.e. the legit ref
is trusted-encrypted.rst.

BR, Jarkko
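The "L" versus "H" distinction discussed in the quoted message is a difference in the marshaled TPMT_PUBLIC that is passed as the template to TPM2_CreatePrimary: the L-style template carries an x and y coordinate of 32 zero bytes each, while the H-style template carries two zero-size TPM2B buffers. Because the TPM derives a primary key from the primary seed and the template bytes, the two templates yield different primary keys, which is why the kernel and userspace tooling must agree on one of them. The following is an added example, not code from this thread, from the kernel or from the TCG profile; it marshals a generic restricted-decryption ECC P-256 template in both styles and parses a template back to check which style it uses. The attribute set (STORAGE_ATTRS) and the AES-128-CFB/NULL/NULL parameters are an illustrative choice and are not taken from this page.

```python
import struct

# TPM 2.0 algorithm and curve identifiers (TPM 2.0 Library, Part 2).
TPM_ALG_ECC = 0x0023
TPM_ALG_SHA256 = 0x000B
TPM_ALG_AES = 0x0006
TPM_ALG_CFB = 0x0043
TPM_ALG_NULL = 0x0010
TPM_ECC_NIST_P256 = 0x0003

# TPMA_OBJECT attribute bits.
FIXEDTPM = 1 << 1
FIXEDPARENT = 1 << 4
SENSITIVEDATAORIGIN = 1 << 5
USERWITHAUTH = 1 << 6
NODA = 1 << 10
RESTRICTED = 1 << 16
DECRYPT = 1 << 17

# Illustrative attribute set for a storage (restricted decryption) primary.
# This is an assumption for the example, not the kernel's NULL-primary value.
STORAGE_ATTRS = (FIXEDTPM | FIXEDPARENT | SENSITIVEDATAORIGIN | USERWITHAUTH
                 | NODA | RESTRICTED | DECRYPT)

P256_COORD_LEN = 32


def tpm2b(data: bytes) -> bytes:
    """Marshal a TPM2B: big-endian UINT16 size followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def ecc_p256_template(zero_filled_unique: bool, attrs: int = STORAGE_ATTRS) -> bytes:
    """Marshal a TPMT_PUBLIC for an ECC P-256 primary.

    zero_filled_unique=True  -> L-style unique: x and y are 32 zero bytes each.
    zero_filled_unique=False -> H-style unique: x and y are zero-size buffers.
    """
    out = struct.pack(">HHI", TPM_ALG_ECC, TPM_ALG_SHA256, attrs)
    out += tpm2b(b"")                                          # authPolicy: empty
    # TPMS_ECC_PARMS (assumed values for the example)
    out += struct.pack(">HHH", TPM_ALG_AES, 128, TPM_ALG_CFB)  # symmetric
    out += struct.pack(">H", TPM_ALG_NULL)                     # scheme
    out += struct.pack(">H", TPM_ECC_NIST_P256)                # curveID
    out += struct.pack(">H", TPM_ALG_NULL)                     # kdf
    # TPMS_ECC_POINT unique: this is the only part that differs between L and H.
    coord = b"\x00" * P256_COORD_LEN if zero_filled_unique else b""
    out += tpm2b(coord) + tpm2b(coord)
    return out


def unique_point_sizes(template: bytes) -> tuple:
    """Parse an ECC TPMT_PUBLIC and return (x_size, y_size) of its unique field.

    Walks the variable-length parts an ECC template can have: NULL or AES
    symmetric definition, and NULL or hash-only scheme/kdf selectors.
    (ECDAA schemes carry an extra count field and are not handled here.)
    """
    key_type, = struct.unpack_from(">H", template, 0)
    if key_type != TPM_ALG_ECC:
        raise ValueError("not an ECC public area")
    off = 8                                  # type, nameAlg, objectAttributes
    policy_len, = struct.unpack_from(">H", template, off)
    off += 2 + policy_len                    # authPolicy
    sym_alg, = struct.unpack_from(">H", template, off)
    off += 2
    if sym_alg != TPM_ALG_NULL:
        off += 4                             # keyBits + mode
    scheme, = struct.unpack_from(">H", template, off)
    off += 2
    if scheme != TPM_ALG_NULL:
        off += 2                             # scheme hash algorithm
    off += 2                                 # curveID
    kdf, = struct.unpack_from(">H", template, off)
    off += 2
    if kdf != TPM_ALG_NULL:
        off += 2                             # kdf hash algorithm
    x_len, = struct.unpack_from(">H", template, off)
    off += 2 + x_len
    y_len, = struct.unpack_from(">H", template, off)
    off += 2 + y_len
    if off != len(template):
        raise ValueError("trailing bytes after unique field")
    return x_len, y_len


if __name__ == "__main__":
    for label, zero_filled in (("L (zero-filled)", True), ("H (zero-size)", False)):
        tmpl = ecc_p256_template(zero_filled)
        print(label, len(tmpl), "bytes, unique sizes", unique_point_sizes(tmpl))
        print("  ", tmpl.hex())
```

Everything up to and including the kdf selector is byte-identical in both outputs; only the 4-byte (H) versus 68-byte (L) unique field differs. A template pulled from an EK Template NV index can be fed to unique_point_sizes() to tell which of the two profiles it follows before it is handed to TPM2_CreatePrimary.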
