> Spot on. I have one such example from yesterday, where we were
> wondering why generating a symmetric key with tpm2-tools now
> produces private and public part. Eventually, a clean slate would be the
> only viable option left. I personally am a fan of the minimalistic approach.
That's where I can help:
The public parts don't just include public keys but all kinds of public attributes,
such as usage attributes and authorization policy.
The private parts include a cryptographic link to the public parts as well as the
private information, such as private/secret key and authorization value and are
For the tools, we stayed close to the TPM-spec, which is why they are stored in
those separate files; but also because you sometimes want to send out the public
part to others and use only that (e.g. encryption or key property certification).
Hope that clears things up. :-D
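To make the "public part is more than a public key" point concrete, here is an added example (not code from the thread or from tpm2-tools) that decodes a TPM2B_PUBLIC blob for a symmetric (TPM_ALG_SYMCIPHER) object, lists its usage attributes and authorization policy, and derives the object's Name, the nameAlg digest of the public area that the TPM uses to tie the private part to it. The sample blob is constructed inline, and it is assumed that the .pub file written by tpm2_create is the marshalled TPM2B_PUBLIC structure.

```python
"""Decode a TPM2B_PUBLIC blob (assumed to be what tpm2_create writes as the
.pub file) for a TPM_ALG_SYMCIPHER object and compute its Name."""
import hashlib
import struct

TPM_ALG_SYMCIPHER, TPM_ALG_SHA256, TPM_ALG_AES, TPM_ALG_CFB = 0x25, 0x0B, 0x06, 0x43
HASH = {TPM_ALG_SHA256: hashlib.sha256}
# TPMA_OBJECT bit names (TPM 2.0 Library Part 2, TPMA_OBJECT table)
ATTRS = {0x2: "fixedTPM", 0x4: "stClear", 0x10: "fixedParent",
         0x20: "sensitiveDataOrigin", 0x40: "userWithAuth", 0x80: "adminWithPolicy",
         0x400: "noDA", 0x800: "encryptedDuplication", 0x10000: "restricted",
         0x20000: "decrypt", 0x40000: "sign"}

def tpm2b(buf, off):
    """Read a size-prefixed TPM2B_* field; return (payload, next offset)."""
    (size,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + size], off + 2 + size

def parse_public(blob):
    """Parse a TPM2B_PUBLIC into a dict; only symcipher objects are handled."""
    body, end = tpm2b(blob, 0)                    # body is the TPMT_PUBLIC
    if end != len(blob):
        raise ValueError("trailing bytes after TPM2B_PUBLIC")
    typ, name_alg, attrs = struct.unpack_from(">HHI", body, 0)
    if typ != TPM_ALG_SYMCIPHER:
        raise ValueError("unsupported object type 0x%04x" % typ)
    policy, off = tpm2b(body, 8)                  # authPolicy: TPM2B_DIGEST
    alg, key_bits, mode = struct.unpack_from(">HHH", body, off)  # TPMT_SYM_DEF_OBJECT
    unique, off = tpm2b(body, off + 6)            # unique: TPM2B_DIGEST
    if off != len(body):
        raise ValueError("trailing bytes after TPMT_PUBLIC")
    # Name = nameAlg || H_nameAlg(TPMT_PUBLIC); the private part is bound to it
    name = struct.pack(">H", name_alg) + HASH[name_alg](body).digest()
    return {"nameAlg": name_alg, "attributes": attrs,
            "attribute_names": sorted(n for b, n in ATTRS.items() if attrs & b),
            "authPolicy": policy.hex(), "sym": (alg, key_bits, mode),
            "unique": unique.hex(), "name": name.hex()}

def sample_blob():
    """Constructed sample: AES-128-CFB key with tpm2_create's default attribute
    set (0x00060072), empty authPolicy and an all-zero 32-byte unique field."""
    tpmt = struct.pack(">HHI", TPM_ALG_SYMCIPHER, TPM_ALG_SHA256, 0x00060072)
    tpmt += struct.pack(">H", 0)                  # empty policy: auth value only
    tpmt += struct.pack(">HHH", TPM_ALG_AES, 128, TPM_ALG_CFB)
    tpmt += struct.pack(">H", 32) + bytes(32)
    return struct.pack(">H", len(tpmt)) + tpmt

if __name__ == "__main__":
    for key, value in parse_public(sample_blob()).items():
        print(key, value)
```

An empty authPolicy together with userWithAuth means the object is usable with its auth value alone; a non-empty policy digest is what restricts use to sessions that satisfy that policy.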
On Wed, 2020-05-06 at 18:56 +0000, Dimitar Tomov wrote:
> We have a small community of about 25 TPM enthusiasts from companies
> like Nokia Bell Labs, LetsTrust, WolfSSL, etc. We use TPM2 tools and
> discuss various use cases, the TPM implementations, everything, some
> interesting topics arise. We would really appreciate you joining our
> online chats, we have it every Wednesday at 8am PDT -
> https://developers.tpm.dev/events We are thinking about some
> documentation effort of how to use TPM features. Everyone's welcome.
I'll see if I can join.
With respect to documentation I'd strongly recommend taking the
approach of "if it needs documenting, fix it first. Then document
We should make software as trivial and intuitive as possible for users,
not *just* provide a twisty maze of documentation in the hope that some
of the most persistent will eventually navigate their way through it.
On which topic, I should probably improve the user documentation in
http://www.infradead.org/openconnect/tpm.html — would be good if I
should show users how to import an existing key. Did we actually
implement that in the tpm2-tss-engine yet or do users still have to do
it using the IBM engine?
I am going to try and attend next week. Thanks.
> -----Original Message-----
> From: Dimitar Tomov [mailto:email@example.com]
> Sent: Wednesday, May 6, 2020 1:57 PM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] Hello from a small community of TPM enthusiasts
> Hello everyone,
> We have a small community of about 25 TPM enthusiasts from companies like
> Nokia Bell Labs, LetsTrust, WolfSSL, etc. We use TPM2 tools and discuss various
> use cases, the TPM implementations, everything, some interesting topics arise.
> We would really appreciate you joining our online chats, we have it every
> Wednesday at 8am PDT - https://developers.tpm.dev/events We are thinking
> about some documentation effort of how to use TPM features. Everyone's
I need to perform a command that doesn't have a tools executable yet
(TPM2_ECDH_ZGen) and on a persistent object handle that won't be compatible
with the on-disk key-databases of FAPI or PKCS#11. So that means I need to
write my own code in C, and that code needs to use the ESAPI.
I've had a lot of lead time to see this coming so I've done a few little
experiments. They have not improved my confidence in my understanding of
the API. For example I'm still not sure which structures I'm supposed to
access directly and which ones are supposed to be manipulated using
The Specs are either long and theoretical or dry and terse. And both the
tests for TSS and the source files for Tools make use of internal
abstraction layers. I'm having trouble getting a whole-process
picture. Are there any resources out there to help me get my sea-legs on