# TPM Meeting notes

* AP and switch CAs: we are using the AP CA (not actively in development)
* Remote attestation using TPM
* Use TPM to protect device keys

***Attestation***

TCG attestation is not the same as authentication

* Process of a remote device providing a signed list of signatures
* PCR: sequence of hashes and corresponding log values. Proves that logs and hashes came from *that* TPM
* Sequence of digests proving that the event log (boot log) is coming from that device
* Moving towards secure boot - more about checking signatures
* Measured boot needs hash calc to check signatures, and then use the hash in the TPM
* WLAN CA terminology is not current, but it seems that certs and keys map to a general-purpose signing key (a.k.a. IDevID key)
* They are migrating to another CA over time for TPM2.0, must in time be fully utilized as intended
* CA does not fully use either TPM1.2 or 2.0
* Key is created in TPM and only usable in TPM if using ordinary keys
* Endorsement Key pair on TPM but there is a tpm2_create that uses - Incorrect
* Supposed to couple response by using the TPM's own EK. Two commands, tpm2_makeidentity and tpm2_activateidentity, are used for this.
* There is an EK as well as an EK certificate. TPM is provisioned with an EK and there should be an EK certificate as well.
* There is a cert that matches ordinary keys - gives blob back
* Earliest TPMs did not come with EK pre-provisioned
* Signing key - probably unrestricted (means it just creates a signature - can be used for TLS or any client cert method; a restricted key is one used to sign PCRs)
* Restricted key is the attestation key
* Hierarchies: owner/user (created and destroyed), platform/master (UEFI/pre-boot etc), endorsement. In our context it doesn't matter because only our software will use it and it is only interacting with the TPM. Taking ownership is really a 1.2 concept, not TPM2.0. Usually this would map to the user hierarchy in TPM2.0
* EK, AIK, signed credential entities in our code.
* AIK in general has two applications.
* Owner password hash: authentication in TPM2.0 is more extensive.
* Authentication is split into different realms. A TPM2.0 key requires authorisation. The authorisation value should be different on every platform - use hash of MAC or something as authorisation value
* Signing key cert
* If IDevID cert
* CSR from device would be used but not PKCS\#10 because it needs some extra info
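
The PCR and event-log relationship noted under Attestation, as an added example (not code from the meeting or from the project): replaying a boot log to recompute PCR values and comparing them with the quoted ones. It assumes a SHA-256 PCR bank, PCRs that start at all zeros, and a quote whose signature by the attestation key has already been verified; all function names and sample data are constructed.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: new value = SHA-256(old value || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log):
    """Replay (pcr_index, digest) events in order; return {index: PCR value}."""
    pcrs = {}
    for index, digest in event_log:
        if len(digest) != PCR_SIZE:
            raise ValueError(f"event for PCR {index}: bad digest length")
        # Assumption: PCRs start at all zeros (true for the static boot PCRs).
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs


def log_matches_quote(event_log, quoted_pcrs) -> bool:
    """True only if the log reproduces every quoted PCR and nothing else."""
    try:
        replayed = replay(event_log)
    except ValueError:
        return False
    # Events for a PCR the quote does not cover cannot be trusted.
    if not set(replayed) <= set(quoted_pcrs):
        return False
    for index, quoted in quoted_pcrs.items():
        expected = replayed.get(index, bytes(PCR_SIZE))
        if not hmac.compare_digest(expected, quoted):
            return False
    return True


# Constructed sample data: digests of made-up boot components.
SAMPLE_LOG = [
    (0, hashlib.sha256(b"firmware-v1").digest()),
    (4, hashlib.sha256(b"bootloader-v2").digest()),
    (4, hashlib.sha256(b"kernel-v5").digest()),
]
# Stand-in for PCR values taken from a quote whose signature already verified.
SAMPLE_QUOTED = replay(SAMPLE_LOG)

if __name__ == "__main__":
    print("log matches quote:", log_matches_quote(SAMPLE_LOG, SAMPLE_QUOTED))
```

Because each extend hashes the previous value, changing, dropping or reordering any log entry yields a different final PCR, which is why the signed PCR values vouch for the whole log.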