Having a primary key that can sign things is useful for conducting
certification and quoting operations without having to go through the
makecredential/activatecredential dance, which is unnecessary for a
local TPM where you don't need privacy-separated attestation keys.
Add the ability to use the signing key template to tpm2_load_srk().

Signed-off-by: James Bottomley <[email protected]>
---
 src/include/tpm2-common.h   |  1 +
 src/libcommon/tpm2-common.c | 23 ++++++++++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/include/tpm2-common.h b/src/include/tpm2-common.h
index 4520f76..97b60f2 100644
--- a/src/include/tpm2-common.h
+++ b/src/include/tpm2-common.h
@@ -23,6 +23,7 @@ enum tpm2_type {
        TPM2_LOADABLE = 1,
        TPM2_IMPORTABLE = 2,
        TPM2_SEALED = 3,
+       TPM2_SIGNING = 4,
 };
 
 struct policies {
diff --git a/src/libcommon/tpm2-common.c b/src/libcommon/tpm2-common.c
index 3b9f785..b70ac27 100644
--- a/src/libcommon/tpm2-common.c
+++ b/src/libcommon/tpm2-common.c
@@ -743,17 +743,30 @@ TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE 
*h, const char *auth,
                TPMA_OBJECT_NODA |
                TPMA_OBJECT_SENSITIVEDATAORIGIN |
                TPMA_OBJECT_USERWITHAUTH |
-               TPMA_OBJECT_DECRYPT |
                TPMA_OBJECT_RESTRICTED;
+       if (type == TPM2_SIGNING)
+               VAL(inPublic.publicArea.objectAttributes) |=
+                       TPMA_OBJECT_SIGN;
+       else
+               VAL(inPublic.publicArea.objectAttributes) |=
+                       TPMA_OBJECT_DECRYPT;
        if (type != TPM2_LEGACY)
                VAL(inPublic.publicArea.objectAttributes) |=
                        TPMA_OBJECT_FIXEDPARENT |
                        TPMA_OBJECT_FIXEDTPM;
 
-       inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = 
TPM_ALG_AES;
-       inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
-       inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = 
TPM_ALG_CFB;
-       inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+       if (type != TPM2_SIGNING) {
+               inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = 
TPM_ALG_AES;
+               inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes 
= 128;
+               inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = 
TPM_ALG_CFB;
+               inPublic.publicArea.parameters.eccDetail.scheme.scheme = 
TPM_ALG_NULL;
+       } else {
+               inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = 
TPM_ALG_NULL;
+               inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes 
= 0;
+               inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = 
TPM_ALG_NULL;
+               inPublic.publicArea.parameters.eccDetail.scheme.scheme = 
TPM_ALG_ECDSA;
+               
inPublic.publicArea.parameters.eccDetail.scheme.details.ecdsa.hashAlg = 
TPM_ALG_SHA256;
+       }
        inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
        inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
 
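Review bot: A handle produced with TPM2_SIGNING is a restricted signing key (TPMA_OBJECT_SIGN, symmetric set to TPM_ALG_NULL and an ECDSA scheme in the new `} else {` branch), so it can no longer act as the storage parent that the name tpm2_load_srk and, presumably, its existing callers assume; that limit should be stated in the function's header comment, which sits outside this hunk, and on the new enum constant in src/include/tpm2-common.h, e.g. `TPM2_SIGNING = 4,	/* restricted signing primary (ECDSA/SHA-256): cannot be a parent for other keys */`. The writes `symmetric.keyBits.aes = 0` and `symmetric.mode.aes = TPM_ALG_NULL` in the signing branch are dead once `symmetric.algorithm` is TPM_ALG_NULL, because a TPMT_SYM_DEF_OBJECT with a NULL algorithm carries no keyBits or mode; either drop them or add a one-line comment saying they are cleared for hygiene only. Style-wise, the repeated `inPublic.publicArea.parameters.eccDetail.` prefix in both branches could be shortened with a local `TPMS_ECC_PARMS *ecc = &inPublic.publicArea.parameters.eccDetail;`, which would also keep the lines within width. tpm2_load_srk begins and ends outside this hunk.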
-- 
2.35.3

