@cviecco cviecco commented Nov 4, 2025

This patch allows ek keys to be searched in additional persistent key handle locations. And to return the actual Certificate and handle mapping when the keys in the handles do not match the default values.

Unifies creation of EK and allows listing of high certs if present.

Rationale:
During the deployment of some newer Lenovo systems the default RSA handle comes with a 3k key which prevents attestation from working as built. Thus the need for the library to create the 2k key in a separate location in case the default location is already occupied and there is no 2k on the standard locations.

Today, there is no support for RSA 3k on the codebase. Among other things there is need for adding the 3k storage EK handles, and their templates. Initial exploration with these returned a bad policy error. 3k issues should be resolved in a different PR.
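
The placement rule the description above outlines (reuse a persisted 2k RSA EK if one exists, otherwise create it in a free alternate slot and leave the 3k key alone), as an added example that is not code from this pull request. The `KeyInfo` and `Placement` types, the `PlaceRSA2048EK` function and the fallback handle list are hypothetical; only `0x81010001`, the conventional persistent handle for an RSA EK, is a real value.

```go
package main

import "fmt"

// Handle is a TPM 2.0 persistent object handle.
type Handle uint32

// KeyInfo is a constructed stand-in for a persistent key's public area.
type KeyInfo struct {
	Alg  string // "RSA" or "ECC"
	Bits int
}

// DefaultRSAEKHandle is the conventional persistent handle for an RSA EK.
const DefaultRSAEKHandle Handle = 0x81010001

// extraHandles is a hypothetical fallback list, not taken from the patch.
var extraHandles = []Handle{0x81010010, 0x81010011, 0x81010012}

// Placement reports where the RSA-2048 EK lives, or where to create it.
type Placement struct {
	Handle Handle
	Create bool // true: slot is empty, EK must be created and persisted here
}

// PlaceRSA2048EK prefers an existing 2k key and never evicts another key.
func PlaceRSA2048EK(persistent map[Handle]KeyInfo) (Placement, error) {
	candidates := append([]Handle{DefaultRSAEKHandle}, extraHandles...)
	for _, h := range candidates { // pass 1: reuse a matching key
		if k, ok := persistent[h]; ok && k.Alg == "RSA" && k.Bits == 2048 {
			return Placement{Handle: h}, nil
		}
	}
	for _, h := range candidates { // pass 2: first free slot
		if _, ok := persistent[h]; !ok {
			return Placement{Handle: h, Create: true}, nil
		}
	}
	return Placement{}, fmt.Errorf("no RSA-2048 EK and no free slot in %d candidates", len(candidates))
}

func main() {
	// Constructed snapshot: the default handle is occupied by a 3k RSA key.
	tpm := map[Handle]KeyInfo{DefaultRSAEKHandle: {Alg: "RSA", Bits: 3072}}
	p, err := PlaceRSA2048EK(tpm)
	fmt.Printf("handle=%#x create=%v err=%v\n", uint32(p.Handle), p.Create, err)
}
```

A key found at a non-default handle should still be matched against the EK certificate's public key before it is reported as the EK.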

liamjm (Collaborator) left a comment

Can we have some tests of this, using the setupSimulatedTPM() as a starting point?

liamjm (Collaborator) left a comment

Nice work, just some small nits, otherwise LGTM.

mjg59 (Collaborator) commented Dec 1, 2025

It would be helpful to describe why the 3K certificate attestation fails - that's not made explicit in the description, but would help justify the modifications.

cviecco (Author) commented Dec 3, 2025

@mjg59 I added some of the issues found around 3k certs in the description. In short:

  1. The current code does not search for the expected 3k (or p384) cert locations.
  2. Even after adding these and adding the appropriate templates I am still getting failing policy when attempting to do the ActivateCredential call. Since I have only one system with these (and I have been also unable to do it with a sequence of tpm2_tools calls) I am thinking it may be an issue with the implementation on the hardware side. However I am not confident enough in my knowledge to claim this.

I have been able to do a self-attestation test with p256 and rsa2048 AK endorsed by p256 or rsa2048 EK.
