I believe you are in luck here because Infineon is, in my experience, maybe
the ONE manufacturer that does this and also puts the EK cert on the chips
when they build them: I'm working with some supermicro boards as well that
have infineons.
http://www.infineon.com/cms/en/product/promopages/optiga_tpm_certificates/#SLB9665xx2.0
That's a link to certs for the 9665 chip which, with any luck, you can link
to your part. That's assuming you even need this, maybe just for the sake
of knowledge.
Disclaimer: I have not done this process, that is authenticating against a
manufacturer's certs, so I can't guarantee this will be helpful and I don't
really know in detail how/if it would work, I just know the general idea.
Hope this is useful.
-Tadd
On Wed, Jun 15, 2016 at 10:46 AM Jan Schermer <[email protected]> wrote:
> Hmm, and do they really publish their CAs? I haven't found any in the past.
> Also there's a Privacy CA when it comes to attestation, so you don't use the
> provided keys or certificate directly.
>
> Jan
>
>
> On 15 Jun 2016, at 19:43, Tadd Seiff <[email protected]> wrote:
>
> "Public" really means anyone who "trusts" the manufacturer of the chip.
> If they have a root-of-trust that you can link to the EK cert they put on
> your chip during manufacturing, you can convince an arbitrary person (the
> public) that your chip is an authentic TPM. The manufacturer, because they
> publish the root certificates, becomes a sort of "CA".
>
> If there is no cert on the chip when you get it, you can't establish this
> chain of trust. You can create your EK, and create your own cert, but then
> the root-of-trust stops with you.
>
> -Tadd
>
> On Wed, Jun 15, 2016 at 10:37 AM Jan Schermer <[email protected]> wrote:
>
>> I got the tools, looks like I can do everything using tpm_nvdefine if
>> needed.
>>
>> What do you mean trusted by public? EK is not really a "public"
>> certificate in the sense SSL certificates are, there's no CA, just the
>> public portion should be provided by the OEM...
>>
>> Jan
>>
>> > On 15 Jun 2016, at 19:05, Ken Goldman <[email protected]> wrote:
>> >
>> > On 6/14/2016 4:55 AM, Jan Schermer wrote:
>> >>
>> >> Does anybody know whether this is something I can do using only
>> >> tpm-tools? Can I create all the needed indexes and set the nvLocked
>> >> bit and get it working properly? (= with TXT working) Or do I
>> >> absolutely need this Intel utility because it does something magical
>> >> I'm not aware of?
>> >
>> > You can definitely set nvLocked through the API.
>> >
>> > I don't know about the TXT indexes.
>> >
>> > I also wonder if it comes with an EK certificate? If it doesn't, you
>> > can provision your own, but it won't be trusted by the public.
>> >
>> >
>>
>
>
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
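A constructed illustration of the chain-of-trust point made in the thread (an EK cert issued under the manufacturer's published root verifies for anyone who trusts that root; one you issue yourself chains only to you). This is an added example, not code from the list or from any vendor; the "vendor_root" and "my_own_root" CAs and the EK certificates are throwaway stand-ins generated on the spot, and the only tool assumed is a working openssl.

```shell
#!/bin/sh
# Added example: builds a constructed "manufacturer root" and an EK cert
# issued by it, plus a root and EK cert you made yourself, then checks which
# EK cert verifies against the manufacturer root. All names are placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME: self-signed CA key + cert (stands in for a published root)
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_ek_cert ROOT NAME: EK key + cert signed by ROOT (constructed subject)
issue_ek_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=TPM EK constructed" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_ek ROOT EKCERT: prints "ok" when EKCERT chains to ROOT, else "fail"
verify_ek() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
        return 1
    fi
}

make_root vendor_root                 # the manufacturer's published root CA
make_root my_own_root                 # a root you created yourself
issue_ek_cert vendor_root ek_vendor   # EK cert placed on the chip at the factory
issue_ek_cert my_own_root ek_self     # EK cert you provisioned yourself

verify_ek vendor_root ek_vendor          # ok: trusted by anyone trusting the vendor root
verify_ek vendor_root ek_self || true    # fail: the root of trust stops with you
```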