From: Frederick Gotham [mailto:email@example.com]
Sent: Wednesday, December 4, 2019 2:04 PM
To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2
Subject: Re: Check to see if signature is okay, then reboot
You need to call tpm2_loadexternal again to load the public portion of the
The TPM or you need to mark the public object persistent with
However, I would urge against that. Just load the object when you need
it. A RM should take care of flushing "transient" objects when you're done with
them, or if using the TPM directly, tpm2_flushcontext.
Against all logic or rationale, I simply have to fulfill one of the requirements that
my boss has given me (which was handed down to him from another person).
The requirement is that no RSA keys are stored on the hard disk. Therefore a
public key must be loaded into the TPM2 chip once in the factory, where it is to be
stored persistently and used to verify signatures.
You can't persist a public only portion of a key. Per the spec:
If objectHandle references a Transient Object:
The TPM shall return TPM_RC_ATTRIBUTES if
1) it is in the hierarchy of TPM_RH_NULL,
2) only the public portion of the object is loaded, or
3) the stClear is SET in the object or in an ancestor key.
So how should I go about this?
To do this, which makes no sense. Unless you're gating access to a secret/private on the
via policy/password or using attestation features, it doesn't make sense. But anyways,
use nvram to store it, and then use the key externally with openssl or call
assuming you have a certificate or whatever as public.pem
size=$(wc -c public.pem | cut -d' ' -f1-1)
# NOTE: you can pick the nvindex by passing an argument starting at 0 or the actual tpm
tpm2_nvdefine -s $size
tpm2_nvwrite -i public.pem 0
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
You could tpm2_loadexternal that back if you desire.
That will get it loaded in, but again it’s a public key, thus you just assume everyone
has it, that’s how PKI works.
A better way, would be that FW is not released from a server unless an attestation
is done with a key gated on policysignature using at least a pcr policy. The key could
tied to the manufacturer certificate/Endorsement Credential or part of the endorsement
hierarchy. A quote could be exchanged with the server, so the server can validate the
is in a known state, and then release the firmware encrypted with that machine's public
and sent to the client. That private key, which is gated on policy, can then be used to
I'm not sure if this is the best way, but it's better than storing a public key
for verification in the TPM,
That doesn't buy you anything except persistence against accidental file system
Should I do "createprimary", then follow it with "loadexternal" to
load the public
key into the chip? What should I do next? Should I use "evictcontrol" to move
into non-volatile storage? I tried using evictcontrol today to move it into non-
volatile storage but I couldn't find the handle for the public key when I queried
Those files used in the -C and -c options are context files. Between
The tools save the object context for re-use during, essentially, that boot
of the TPM.
After reboot, you need to re-get a context file, in your case
How do I get a context file for a key that's already stored persistently inside the
Context files are only for transient objects, if it's loaded persistently you can
the raw handle (which is a TPM address) or better yet an ESYS_TR handle file. The
ESYS_TR's contain metadata so you cannot be MITM'd by an attacker intercepting calls
(perhaps bus snooping) and giving you the wrong object.
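An added example, not part of the thread, that carries the NV approach Bill describes above (tpm2_nvdefine/tpm2_nvwrite, then "use the key externally with openssl") through its other half: reading the key back out of NV at boot and verifying a firmware signature with openssl. It assumes tpm2-tools 4.x positional NV index syntax, an RSA public key in public.pem, and constructed names firmware.bin, firmware.sig and NV index 0x01500020.

```shell
#!/bin/sh
# Added example, not from the thread: keep the verification public key in a TPM2
# NV index (factory), read it back at boot, and verify the firmware with openssl.
# Assumptions: tpm2-tools 4.x positional NV index syntax as in the thread; the key
# is an RSA public key in PEM; firmware.sig is a SHA-256 RSA signature of firmware.bin.
set -eu

NVINDEX=0x01500020   # constructed example index; choose one free in your NV space

# Factory step: define an NV index exactly the size of the PEM file and write it.
store_pubkey_in_nv() {
    pem=$1
    size=$(wc -c < "$pem" | tr -d ' ')
    tpm2_nvdefine -s "$size" "$NVINDEX"
    tpm2_nvwrite -i "$pem" "$NVINDEX"
}

# Boot step: read the key back out of NV into a file; use a tmpfs path such as
# /run so the PEM never lands on the hard disk.
read_pubkey_from_nv() {
    out=$1
    tpm2_nvread -o "$out" "$NVINDEX"
}

# Check that what came out of NV is byte-for-byte what the factory wrote in.
# Returns 0 if identical, 1 otherwise.
nv_roundtrip_ok() {
    cmp -s "$1" "$2"
}

# Verify the signature over the firmware image with the recovered PEM.
# openssl exits 0 on "Verified OK" and non-zero on any failure.
verify_firmware() {
    pem=$1; fw=$2; sig=$3
    openssl dgst -sha256 -verify "$pem" -signature "$sig" "$fw" >/dev/null 2>&1
}

# Typical boot-time use (needs a TPM, so not run here):
#   read_pubkey_from_nv /run/fw-pub.pem
#   verify_firmware /run/fw-pub.pem firmware.bin firmware.sig && reboot
```

Note that a public key in NV buys persistence and tamper-evidence for the key bytes only; anyone with the key can still verify, so this does not replace the attestation-gated release Bill describes.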