"salted session" was the keyword I was looking for!
Really thank you :)

화요일, 03 8월 2021, 03:59오전 +09:00 발신 Kenneth Goldman kgoldman@us.ibm.com:

"Steven Clark" <davolfman@gmail.com> wrote on 08/02/2021 01:26:56 PM:

> I think it may be an optional standard but my TPM has some certs
> permanently stored in nv-indices in the 0x1c0000x range that can be
> checked against the manufacturer cert.  I haven't learned how to
> leverage those into trusted parameter encryption keys yet but they
> should be able to verify there's a real TPM at the other end at the
> very least (and more if you learn to use them correctly).

The EK certificates in NV are in theory optional, but every TPM

I have encountered has them.

Checking the certificate against the manufacturer's CA is
a standard crypto library function.

Once you have an authentic EK, create a salted session using
the EK.

Once you have the salted session, set the encrypt and/or decrypt bit
when running the command.

Underneath, there's some complicated crypto, but it's all
hidden from the application.

tpm2 mailing list -- tpm2@lists.01.org
To unsubscribe send an email to tpm2-leave@lists.01.org