Problems using the tpm2_encodeobject command #3397
Comments
@williamcroberts Could you help me answer this question?
You can use I might not have that command correct, but you can do it with read public. You can also use it to generate key.pub, which is the default if one doesn't specify -f.
@billatarm
Oh, you're trying to create the combined PEM format, not just the public key format. You can't recreate it without the private blob.
@billatarm
If you're making the key persistent, you don't need the private key in a PEM or .priv file. If you ever want to load the key again, you need the private portion. Remember the private portion of the key is TPM protected, so having it on disk is fine.
@billatarm @williamcroberts
@wudiqiang2024, what are you trying to do, what's your end goal? That comment has to do with reconstructing objects to work around an openssl/pkcs11 provider bug. Typically, you don't use any NV space without clear requirements as to why, as NV space is very limited. The SRK primary key is the only key that gets persisted and the rest are loaded dynamically as needed.
I use the Python component paho-mqtt to connect and communicate with the IoT hub. The code to establish the mTLS connection is as follows:
The tpm.pem file is generated through the tpm2-tools command:
openssl configured with tpm2-openssl:
These configurations allow me to use the Python language to securely use certificates and keys to establish mTLS connections. But I'm thinking, if the tpm.pem file is deleted, how can it be restored?
You don't need to make the second key, the child key, persistent; you should be able to drop these commands:

```
tpm2_load -C 0x81000001 -u key.pub -r key.priv -c key.ctx
tpm2_evictcontrol -c key.ctx 0x81000000
```

It looks like the Python code just interacts with openssl and thus the openssl provider AFAICT.
You can back that PEM file up wherever, it's TPM protected. There are also more complicated schemes where you could furlough a key from a key server to the device.
@billatarm I understand, thank you very much for your patient answer. Please allow me to ask a few more questions. What is the purpose of persisting? Why should the SRK primary key be persistent?
By default, when you create an object (like a key) in the TPM using
When you call A side effect is speed, since this key needs to be re-created on every boot if not persisted; if it's an RSA key, that's really slow. By persisting it, we avoid this slow case.
Thanks, last question
Yes, I have multiple GitHub accounts, and didn't realize I was set to billatarm as opposed to my other one. Phone vs laptop lol
tpm2-tool 5.7
tpm2-openssl 1.2.0
tpm2-tss 4.1.2
In step 3 I deleted key.priv and key.pub because I persisted the key in step 2.
My question is, if I delete the tpm.pem file, how do I regenerate tpm.pem? Because tpm2_encodeobject can only generate it from these two files, the key handle cannot be used.
Or is there any other way to generate the tpm.pem file?
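As an added example that is not from this thread and not tpm2-tools code, the following Python script reconstructs the "TSS2 PRIVATE KEY" PEM layout that tpm2_encodeobject emits, as I understand it from the TPM 2.0 key file format draft (draft-bottomley-tpm2-keys): an ASN.1 SEQUENCE holding the object type OID, an optional emptyAuth flag, the parent handle, and the raw key.pub and key.priv blobs. That is the reason the command needs exactly those two files and a persistent handle cannot stand in for them: the PEM is nothing more than the wrapped blobs plus the parent handle. The blobs in the demo are constructed placeholders, not real TPM output; the optional policy/secret fields of the format are skipped rather than interpreted, and a real tpm.pem should be checked with `openssl asn1parse -in tpm.pem` before relying on the exact layout.

```python
# Added example (not tpm2-tools code): minimal encoder/decoder for the
# "TSS2 PRIVATE KEY" PEM written by tpm2_encodeobject, following the TPM 2.0
# key file format (draft-bottomley-tpm2-keys) as I understand it:
#   TPMKey ::= SEQUENCE { type OID, emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
#                         parent INTEGER, pubkey OCTET STRING, privkey OCTET STRING }
# Optional [1]..[3] fields (policy, secret, authPolicy) are skipped, not parsed.
# The pub/priv blobs used in the demo are constructed placeholders.
import base64

OID_LOADABLE_KEY = (2, 23, 133, 10, 1, 3)   # id-loadablekey under the TCG arc
PEM_LABEL = "TSS2 PRIVATE KEY"


def _der_len(n):
    # DER length: short form below 0x80, otherwise 0x8N followed by N length bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _oid_body(arcs):
    # first two arcs are packed as 40*a+b, the rest as base-128 with continuation bits
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def _der_int(v):
    # two's-complement, minimal length; 0x81000000 needs a leading 0x00 byte
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def encode_tpm_key(parent, pubkey, privkey, empty_auth=True):
    """Same inputs as: tpm2_encodeobject -C <parent> -u key.pub -r key.priv -o tpm.pem"""
    fields = _tlv(0x06, _oid_body(OID_LOADABLE_KEY))
    if empty_auth:
        fields += _tlv(0xA0, _tlv(0x01, b"\xff"))     # [0] EXPLICIT BOOLEAN TRUE
    fields += _der_int(parent) + _tlv(0x04, pubkey) + _tlv(0x04, privkey)
    b64 = base64.b64encode(_tlv(0x30, fields)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {PEM_LABEL}-----", *lines, f"-----END {PEM_LABEL}-----"]) + "\n"


def decode_tpm_key(pem):
    """Reverse direction: recover parent handle, key.pub and key.priv from tpm.pem."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != f"-----BEGIN {PEM_LABEL}-----" or lines[-1] != f"-----END {PEM_LABEL}-----":
        raise ValueError("not a TSS2 PRIVATE KEY PEM")
    tag, seq, _ = _read_tlv(base64.b64decode("".join(lines[1:-1])), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x06 or oid != _oid_body(OID_LOADABLE_KEY):
        raise ValueError("not a loadable-key object")
    key = {"empty_auth": False}
    tag, body, nxt = _read_tlv(seq, pos)
    while (tag & 0xC0) == 0x80:                       # optional [n] EXPLICIT fields
        if tag == 0xA0:
            key["empty_auth"] = _read_tlv(body, 0)[1] != b"\x00"
        tag, body, nxt = _read_tlv(seq, nxt)
    if tag != 0x02:
        raise ValueError("expected parent INTEGER")
    key["parent"] = int.from_bytes(body, "big", signed=True)
    _, key["pubkey"], pos = _read_tlv(seq, nxt)
    _, key["privkey"], _ = _read_tlv(seq, pos)
    return key


if __name__ == "__main__":
    # Constructed stand-ins for key.pub / key.priv (real ones are TPM2B structures).
    pub, priv = b"\x00\x10" + b"P" * 0x10, b"\x00\xc8" + b"S" * 0xc8
    pem = encode_tpm_key(0x81000000, pub, priv)
    print(pem)
    k = decode_tpm_key(pem)
    print("parent=%#x pub=%d bytes priv=%d bytes emptyAuth=%s"
          % (k["parent"], len(k["pubkey"]), len(k["privkey"]), k["empty_auth"]))
```

The decode direction is the useful one for the question above: if key.pub and key.priv were deleted after tpm2_encodeobject ran, both can be pulled back out of tpm.pem; if tpm.pem and both files are gone, the wrapped private blob is gone and no TPM command will regenerate it from a persistent handle. Because privkey is the TPM2B_PRIVATE encrypted and integrity-protected under the parent key, the PEM leaks no usable key material by itself, which is why backing it up off-device is fine as the reply says, provided the parent key still exists in the TPM you restore to.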