Hello,

I would like to be able to (generically) read an embedded Endorsement Key certificate from a TPM's NV memory.

Apparently some TPM vendors do embed such certificates (in addition to the actual EK key) on the TPM, see e.g. this datasheet:

http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/DATA_BRIEF/DM00037936.pdf

... where we can read:

"Provisioned with Endorsement key and Endorsement Key certificate"
"NV storage allocated space: 4 Kbytes (1.2 Kbytes used by EK certificate)"

Additionally the actual CA and intermediate certificates are published:

http://www.st.com/internet/mcu/product/252378.jsp

and Infineon seems to be doing the same:

http://www.infineon.com/cms/en/product/chip-card-and-security-ics/embedded-security/trusted-computing/trusted-platform-module-tpm1.2-pc/channel.html?channel=ff80808112ab681d0112ab6921ae011f

Unfortunately, neither the datasheet nor any other document I was able to find tells how one could retrieve such a certificate out of the TPM's NV memory. And ideally this would work for all the TPMs from all sorts of vendors...

Of course, without being able to authenticate the EK key, all the Remote Attestation schemes are pretty useless in practice, so I thought this might be a good list to ask this question, as one of the primary applications of tboot is remote attestation actually. Plus, tboot has quite a few tools to talk to the TPM.

Thanks,
joanna.
_______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel