From: tpm2 [mailto:email@example.com] On Behalf Of Peter Magnusson
Sent: Wednesday, August 1, 2018 3:55 AM
Subject: [tpm2] AIK Enrollment Process implementations using tpm2-tools or

Are there any AIK Enrollment / POP examples available using tpm2-tools (or other
open source tools, code bases)?

I had some success with tpm2-tools based attestation, e.g. generating AIK,
extracting EKpub and EKCert from TPM, performing the tpm2 quotation, etc.

However, my understanding of the relevant specs is that for TPM2 User Devices
(and many other devices), the EK is limited to performing the Enrolment
Processes (Proof of Possession). So to complete a meaningful Remote
Attestation flow, there is a need to get AIKCert externally using AIK Enrollment
Process against an Attestation CA (formerly known as Privacy CA).

I fail to find public examples (tools, example code, etc.) of the enrolment step.
Most of what I find when googling, for example strongSwan's TPM pages,
appears to skip the AIK Enrollment Process / POP and just issue the certificate
without any proof of possession.

Any links or insights would be appreciated =)
. Section 2.3.
tpm2 mailing list