Are there any AIK Enrollment / POP examples available using tpm2-tools
(or other open source tools, code bases)?
I had some success with tpm2-tools based attestation, e.g. generating
AIK, extracting EKpub and EKCert from TPM, performing the tpm2
However, my understanding of the relevant specs is that for TPM2 User
Devices (and many other devices), the EK is limited to performing the
Enrolment Processes (Proof of Possession). So to complete a meaningful
Remote Attestation flow, there is a need to get AIKCert externally
using AIK Enrollment Process against an Attestation CA (formerly
known as Privacy CA).
I fail to find public examples (tools, example code, etc) of the
enrolment step. Most of what I find when googling, for example
strongswan's TPM pages, appears to skip the AIK Enrollment Process /
POP and just issue the certificate without any proof of
Any links or insights would be appreciated =)
. Section 2.3.