The first 5 patches add supporting infrastructure and the next three add the actual attestation command, its man page and its tests.

The design is to be able to store a stable copy of the signing EK (done by name) in /etc/eksign.name, which can then be used to verify any on-the-fly creation of the signing key. The reason for using a signing EK rather than an AK, as the specs usually require, is to have the simplicity of a stable key that never changes as the attesting key, and because there are no privacy issues in the machine owner knowing it. The command then provides a way to attest this key against the EK certificate (if the TPM has one). If there is no EK certificate, the signing EK name is used on a trust on first use (TOFU) basis.

    attest_tpm2_primary --eksign > /etc/eksign.name

will create this file once. If an EK certificate exists, the eksign.name file can be attested to that certificate with

    attest_tpm2_primary --attest tpm-cert.crt --name /etc/eksign.name

The above commands should only need to be done once per TPM. Once the signing EK is known, it can be used on every boot to create and certify the NULL key, which is what the kernel uses and exports from version 6.10 onwards, and thus proves to the user that the kernel's reliance on the NULL key during boot was cryptographically justified. This can be done from a boot script as:

    attest_tpm2_primary --certify null --name /etc/eksign.name /sys/class/tpm/tpm0/null_name

which will return true if the certification succeeds. If the certification fails, all TPM functions should be considered compromised. Whether boot should continue even with a compromised TPM is a user policy decision.
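A boot-script wrapper tying the three invocations above together, added here as an example and not code from the series. It assumes only the behaviour the cover letter describes (--eksign printing the name on stdout, --attest and --certify exiting 0 on success); /etc/tpm-cert.crt is an assumed location for the EK certificate, and the function names are mine.

```sh
#!/bin/sh
# Boot-script wrapper for attest_tpm2_primary (added example, not from the
# series). Assumes --eksign prints the signing EK name on stdout and that
# --attest / --certify exit 0 on success. EK_CERT is an assumed path.
EKSIGN_NAME="${EKSIGN_NAME:-/etc/eksign.name}"
EK_CERT="${EK_CERT:-/etc/tpm-cert.crt}"
NULL_NAME="${NULL_NAME:-/sys/class/tpm/tpm0/null_name}"

# Once per TPM: record the signing EK name. With an EK certificate present the
# stored name is attested against it; without one it is trusted on first use.
tpm_enrol_eksign() {
    if [ -s "$EKSIGN_NAME" ]; then
        echo "eksign: $EKSIGN_NAME already enrolled" >&2
        return 0
    fi
    attest_tpm2_primary --eksign > "$EKSIGN_NAME" || { rm -f "$EKSIGN_NAME"; return 1; }
    if [ -r "$EK_CERT" ]; then
        attest_tpm2_primary --attest "$EK_CERT" --name "$EKSIGN_NAME" || {
            echo "eksign: stored name does not attest to $EK_CERT" >&2
            rm -f "$EKSIGN_NAME"
            return 1
        }
    else
        echo "eksign: no EK certificate, trusting $EKSIGN_NAME on first use (TOFU)" >&2
    fi
}

# Every boot: certify the kernel's exported NULL key against the enrolled EK.
# 0 = certified, 1 = certification failed (TPM compromised), 2 = prerequisites missing.
tpm_verify_null_key() {
    [ -s "$EKSIGN_NAME" ] || { echo "eksign: $EKSIGN_NAME missing, enrol first" >&2; return 2; }
    [ -r "$NULL_NAME" ] || { echo "eksign: $NULL_NAME not exported (kernel < 6.10?)" >&2; return 2; }
    if attest_tpm2_primary --certify null --name "$EKSIGN_NAME" "$NULL_NAME"; then
        return 0
    fi
    echo "eksign: NULL key certification FAILED, consider all TPM functions compromised" >&2
    return 1
}

# Policy hook: whether boot continues after a failure is a local decision.
# TPM_ATTEST_STRICT=1 makes a failed or impossible check abort the boot script.
tpm_boot_attest() {
    if tpm_verify_null_key; then
        return 0
    fi
    [ "${TPM_ATTEST_STRICT:-0}" = 1 ] && return 1
    echo "eksign: continuing boot by local policy despite failed attestation" >&2
    return 0
}
```

Source the file from the boot script and call tpm_boot_attest after the kernel has exported null_name; run tpm_enrol_eksign once during provisioning.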
James

---

James Bottomley (8):
  tss: Fix handling of TPM_RH_NULL in intel-tss
  libcommon: add ability to create a signing primary key
  libcommon: add bin2hex and tmp2_get_hexname
  libcommon: add primary creation from template
  tss: add tpm2_Certify, tpm2_ActivateCredential and tpm2_PolicyOR
  tools: add new attest_tpm2_primary command
  attest_tpm2_primary: add man page
  tests: add tests for attest_tpm2_primary

 src/include/ibm-tss.h              |  84 +++
 src/include/intel-tss.h            |  95 +++-
 src/include/tpm2-common.h          |   9 +
 src/libcommon/tpm2-common.c        |  93 +++-
 src/tools/Makefile.am              |  11 +-
 src/tools/attest_tpm2_primary.1.in | 103 ++++
 src/tools/attest_tpm2_primary.c    | 842 +++++++++++++++++++++++++++++
 tests/attestation.sh               |  30 +
 tests/check_importable.sh          |   3 +-
 tests/engine/Makefile.am           |   3 +-
 tests/provider/Makefile.am         |   3 +-
 tests/seal_unseal.sh               |   3 +-
 tests/start_sw_tpm.sh              |   2 +
 13 files changed, 1230 insertions(+), 51 deletions(-)
 create mode 100644 src/tools/attest_tpm2_primary.1.in
 create mode 100644 src/tools/attest_tpm2_primary.c
 create mode 100755 tests/attestation.sh

-- 
2.35.3