
@baloo baloo commented Nov 6, 2025

For a reason I'm not clear about, the templates used for the EK were incorrect for anything but NistP256 and Rsa2048.

I'm fairly convinced the authPolicy should always be the values of PolicyA (Table 15 in the spec).

For a reason I'm not clear about, the templates used for the EK were
incorrect for anything but NistP256 and Rsa2048.

I'm fairly convinced the authPolicy should always be the values of
PolicyA (Table 15 in the [spec]).

[spec]: https://trustedcomputinggroup.org/wp-content/uploads/EK-Credential-Profile-For-TPM-Family-2.0-Level-0-V2.5-R1.0_28March2022.pdf#page=55

Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
@baloo baloo force-pushed the baloo/ek/fixup-auth-policies branch from 5d3fa95 to bfce000 Compare November 6, 2025 07:21

baloo commented Nov 6, 2025

This showed up in the tests I've written for #585

I'm still not sure I'm reading this correctly, this code seems to be intentional. Please use a mountain of salt when reviewing that PR.

Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
@baloo baloo force-pushed the baloo/ek/fixup-auth-policies branch from 897217e to db7f6cf Compare November 6, 2025 07:40

baloo commented Nov 6, 2025

I think this is a fixup to #552

cc @THS-on


THS-on commented Nov 6, 2025

No, only the EK low range templates use PolicyA, the high range ones use PolicyB.
See section B of https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-for-TPM-Family-2.0-Level-0-Version-2.6_pub.pdf

Note that PolicyB = (PolicyA || PolicyC)


baloo commented Nov 6, 2025

brrr, I hate TPMs.

Thank you! I completely missed that. That explains why the policysecret to use an EK that was neither rsa2048 nor nist p256 was not enough.

@baloo baloo closed this Nov 6, 2025
@baloo baloo deleted the baloo/ek/fixup-auth-policies branch November 6, 2025 07:52
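
Added example, not part of the PR or of the project's code: a software model of a SHA-256 policy session showing why a PolicySecret-only session matches PolicyA (low range EK templates) but not PolicyB (high range). The `TrialPolicy` class and helper names are hypothetical, and the PolicyC digest is a constructed placeholder, not the value from the TCG profile.

```python
import hashlib
import hmac

# Command codes and permanent handle as defined in the TPM 2.0 specification.
TPM_CC_POLICY_SECRET = (0x00000151).to_bytes(4, "big")
TPM_CC_POLICY_OR = (0x00000171).to_bytes(4, "big")
ENDORSEMENT_NAME = (0x4000000B).to_bytes(4, "big")  # TPM_RH_ENDORSEMENT

# Constructed placeholder standing in for PolicyC (NOT the spec value).
POLICY_C_PLACEHOLDER = hashlib.sha256(b"placeholder for PolicyC").digest()


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


class TrialPolicy:
    """Hypothetical model of the policyDigest kept by a SHA-256 policy session."""

    def __init__(self) -> None:
        self.digest = bytes(32)  # a new session starts with an all-zero digest

    def policy_secret(self, auth_name: bytes, policy_ref: bytes = b"") -> "TrialPolicy":
        # Two-stage update: extend with command code and name, then with policyRef.
        stage1 = _h(self.digest, TPM_CC_POLICY_SECRET, auth_name)
        self.digest = _h(stage1, policy_ref)
        return self

    def policy_or(self, branches: list) -> "TrialPolicy":
        # PolicyOR only succeeds if the current digest is one of the branches,
        # then replaces the digest with a hash over the whole branch list.
        if self.digest not in branches:
            raise ValueError("current policyDigest matches no PolicyOR branch")
        self.digest = _h(bytes(32), TPM_CC_POLICY_OR, *branches)
        return self


def policy_a() -> bytes:
    """authPolicy of the low range templates: PolicySecret(TPM_RH_ENDORSEMENT)."""
    return TrialPolicy().policy_secret(ENDORSEMENT_NAME).digest


def policy_b(policy_c: bytes = POLICY_C_PLACEHOLDER) -> bytes:
    """authPolicy of the high range templates: PolicyOR(PolicyA, PolicyC)."""
    session = TrialPolicy().policy_secret(ENDORSEMENT_NAME)
    return session.policy_or([policy_a(), policy_c]).digest


def satisfies(session_digest: bytes, auth_policy: bytes) -> bool:
    """The TPM authorizes use only when the session digest equals authPolicy."""
    return hmac.compare_digest(session_digest, auth_policy)
```
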