On 8/29/2016 3:05 PM, Jarkko Sakkinen wrote:
> After LSS2016 I got this idea of having hardened trusted keys for TPM2
> where the key material is never exposed to kernel. Child keys of a
> hardened trusted key would be unsealed using TPM2_EncryptDecrypt
> operation.

Beware that the TPM2_EncryptDecrypt command is optional. I know of at
least one TPM vendor that does not implement the command due to export
restrictions.

Why not seal to a parent symmetric key and use TPM2_Unseal? Unseal is
just a restricted decryption operation.

_______________________________________________
tpmdd-devel mailing list
tpmdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
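
Added example, not part of the original message or of the tpmdd code: since TPM2_EncryptDecrypt is optional, a caller can check for it by parsing a TPM2_GetCapability(TPM_CAP_COMMANDS) response before relying on it. The function name and the two sample responses are constructed for illustration; the command codes and response layout are those of the TPM 2.0 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TPM2_CAP_COMMANDS       0x00000002u
#define TPM2_CC_UNSEAL          0x0000015Eu
#define TPM2_CC_ENCRYPT_DECRYPT 0x00000164u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* 1 = cc listed, 0 = not listed, -1 = malformed, error, or list incomplete. */
int tpm2_cmd_listed(const uint8_t *rsp, size_t len, uint32_t cc)
{
    /* tag(2) size(4) rc(4) moreData(1) capability(4) count(4) = 19 bytes */
    if (len < 19 || be32(rsp + 2) != len || be32(rsp + 6) != 0)
        return -1;
    if (be32(rsp + 11) != TPM2_CAP_COMMANDS)
        return -1;
    uint32_t count = be32(rsp + 15);
    if (count > (len - 19) / 4)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t attr = be32(rsp + 19 + 4 * (size_t)i);
        /* TPMA_CC: bits 15:0 commandIndex, bit 29 set = vendor-specific */
        if (!(attr & (1u << 29)) && (attr & 0xFFFFu) == cc)
            return 1;
    }
    /* moreData set: absence cannot be concluded from this response alone */
    return rsp[10] ? -1 : 0;
}

/* Constructed responses, not captured from a real TPM. */
static const uint8_t RSP_WITH_ED[] = {
    0x80,0x01, 0,0,0,27, 0,0,0,0, 0, 0,0,0,2, 0,0,0,2,
    0x02,0x00,0x01,0x5E, 0x02,0x00,0x01,0x64 };
static const uint8_t RSP_NO_ED[] = {
    0x80,0x01, 0,0,0,23, 0,0,0,0, 0, 0,0,0,2, 0,0,0,1,
    0x02,0x00,0x01,0x5E };

int main(void)
{
    printf("with: %d, without: %d\n",
           tpm2_cmd_listed(RSP_WITH_ED, sizeof RSP_WITH_ED, TPM2_CC_ENCRYPT_DECRYPT),
           tpm2_cmd_listed(RSP_NO_ED, sizeof RSP_NO_ED, TPM2_CC_ENCRYPT_DECRYPT));
    return 0;
}
```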