Preventing chained duplication using tpm2_policyduplicationselect #3391
Comments
|
That is exactly correct and it would be great to have this be added to documentation. |
|
a small side comment about having an example of policies on duplication: you can use these restrictions to also clarify the controls around using TPMs for authentication to cloud provider from on-prem hardware or remote systems. for example if you can control duplication of rsa or hmac keys, you enable some usecases for auth i looked at earler:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The default end-to-end example in tpm2_duplicate describes a way to Transfer from
A->Bhowever, you can also repeat that process to further propagate the key from
a->b->c.here's an example:
but what i really want is for the key to get used ONLY on B and prevent this chain and it seem tpm2_policyduplicationselect is whats needed somewhere.
the procedure i came up with seems to work but it'd be great if someone can confirm it ( if confirmed and there's interest in adding to to docs is warranted, i'll file the doc PR).
the thing i tried is replace tpm2_policycommandcode with tpm2_policyduplicationselect (i'm not sure if that is legit to do or not and the failed duplication could well be for some other reason and not the one i'm after..)
here's the procedure:
The text was updated successfully, but these errors were encountered: