"Steven Clark" <davolfman(a)gmail.com> wrote on 08/02/2021 01:26:56 PM:
> I think it may be an optional standard but my TPM has some certs
> permanently stored in nv-indices in the 0x1c0000x range that can be
> checked against the manufacturer cert. I haven't learned how to
> leverage those into trusted parameter encryption keys yet but they
> should be able to verify there's a real TPM at the other end at the
> very least (and more if you learn to use them correctly).
The EK certificates in NV are in theory optional, but every TPM
I have encountered has them.
Checking the certificate against the manufacturer's CA is
a standard crypto library function.
Once you have an authentic EK, create a salted session using
the EK.
Once you have the salted session, set the encrypt and/or decrypt bit
when running the command.
Underneath, there's some complicated crypto, but it's all
hidden from the application.
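The three steps above (check the EK certificate against the manufacturer CA, start a session salted with the EK, then set the encrypt/decrypt session attributes on a command) as a worked shell example. This is an added illustration, not code from either poster. The certificate check runs offline with openssl against a throwaway "manufacturer" CA and EK-like leaf that the script constructs itself. The TPM half uses tpm2-tools command names and flags as I recall them from the 5.x man pages (tpm2_nvread, tpm2_createek, tpm2_readpublic, tpm2_startauthsession --tpmkey-context, tpm2_sessionconfig --enable-encrypt/--enable-decrypt, tpm2_getrandom -S); treat those as assumptions to check against your installed version, and note that the 0x01C00002 NV index is the TCG EK Credential Profile index for the RSA 2048 EK certificate.

```shell
#!/bin/sh
# Added example (not from the thread): EK certificate check plus an
# EK-salted, parameter-encrypted session with tpm2-tools.

# --- 1. Offline check: does an EK certificate chain to the manufacturer CA?
# $1 = trusted CA bundle (PEM), $2 = EK certificate (PEM),
# $3 = optional intermediate bundle (PEM) to chain through.
# Returns 0 on a valid chain, non-zero otherwise.
verify_ek_cert() {
    ca_pem=$1
    ek_pem=$2
    untrusted=$3
    if [ -n "$untrusted" ]; then
        openssl verify -CAfile "$ca_pem" -untrusted "$untrusted" "$ek_pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$ca_pem" "$ek_pem" >/dev/null 2>&1
    fi
}

# Constructed fixture (NOT a real manufacturer CA or EK certificate): a
# throwaway root CA, an EK-like leaf signed by it, and an unrelated CA
# that the leaf must NOT verify against. All files go into directory $1.
make_constructed_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Constructed EK Root CA" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/ek.key" -out "$dir/ek.csr" \
        -subj "/CN=Constructed EK" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/ek.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/ek.pem" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/other.key" -out "$dir/other.pem" \
        -subj "/CN=Unrelated CA" >/dev/null 2>&1
}

# --- 2. On a real TPM (flags assumed from tpm2-tools 5.x man pages):
# read the EK cert from NV, verify it, confirm the TPM's EK public key is
# the one in the cert, then run a command through an EK-salted session
# with the encrypt and decrypt attributes set.  $1 = trusted CA bundle.
encrypted_getrandom_with_ek_session() {
    ca_pem=$1
    work=$(mktemp -d)
    # 0x01C00002: TCG EK Credential Profile NV index, RSA 2048 EK cert (DER).
    tpm2_nvread -C o 0x01C00002 -o "$work/ek_cert.der" || return 1
    openssl x509 -inform der -in "$work/ek_cert.der" -out "$work/ek_cert.pem" || return 1
    verify_ek_cert "$ca_pem" "$work/ek_cert.pem" \
        || { echo "EK cert does not chain to the manufacturer CA" >&2; return 1; }
    # Recreate the EK from the standard template; no authorization is needed
    # for salt encryption, only the public half.
    tpm2_createek -c "$work/ek.ctx" -G rsa -u "$work/ek.pub" || return 1
    # The cert is only data: make sure the key we salt to is the certified one.
    tpm2_readpublic -c "$work/ek.ctx" -f pem -o "$work/ek_tpm.pem" || return 1
    openssl x509 -in "$work/ek_cert.pem" -pubkey -noout > "$work/ek_cert_pub.pem"
    openssl pkey -pubin -in "$work/ek_tpm.pem" -outform der -out "$work/a.der"
    openssl pkey -pubin -in "$work/ek_cert_pub.pem" -outform der -out "$work/b.der"
    cmp -s "$work/a.der" "$work/b.der" \
        || { echo "TPM EK public key does not match the EK certificate" >&2; return 1; }
    # Salted HMAC session: the salt is encrypted to the EK, so only a TPM
    # holding that EK's private half can derive the session key.
    tpm2_startauthsession --hmac-session --tpmkey-context "$work/ek.ctx" \
        -S "$work/session.ctx" || return 1
    # Set the encrypt and decrypt session attributes.
    tpm2_sessionconfig "$work/session.ctx" --enable-encrypt --enable-decrypt || return 1
    # Run the command with the session: the response parameter (the random
    # bytes) leaves the TPM encrypted under the session key.
    tpm2_getrandom 16 --hex -S "$work/session.ctx"
    rc=$?
    tpm2_flushcontext "$work/session.ctx"
    rm -rf "$work"
    return $rc
}
```

Usage on a machine with a TPM: `encrypted_getrandom_with_ek_session /path/to/manufacturer-ca-bundle.pem`. Real EK certificates usually chain through one or more manufacturer intermediates rather than directly to the root; fetch those (the issuing CA URL is in the certificate's Authority Information Access extension) and pass them as the third argument of verify_ek_cert. The key comparison step matters because a verified certificate alone proves nothing about the device in front of you; it is the salted session succeeding against the certified public key that shows a TPM holding the matching private EK is on the other end.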