Topic: Get endorsement key embedded into a certificate

I'm a newbie in TPM development (using wolfTPM), but I already have some tricky questions:

- is it true that each TPM has its own built-in asymmetric (endorsement) key? (let's assume yes)
- is it an RSA or an ECC key? (or one of each)
- is it possible to get the public part of the key?
- is it possible to get this public key embedded in a certificate?
  (I didn't find any function in the API to do that)
- if it is possible, which CA certificate signs it?
- is there a certificate chain ending at the TPM's one?
  (then what is the self-signed certificate at the top of this chain?)

Thanks in advance!


Re: Get endorsement key embedded into a certificate

Hi ZLam,

Thanks for your questions. Can you tell me where you are located and more about your project?

The TPM has endorsement key(s) and certificate(s) provisioned by the manufacturer. See: https://trustedcomputinggroup.org/resou … ished-pdf/

It varies by manufacturer, but it is typically ECC and RSA. There is a place in NV to get the signed certificate elements. We support using the endorsement key for a few things in wolfTPM: https://github.com/wolfSSL/wolfTPM/blob … edential.c

We will soon be adding support for extracting the EK certificate(s) as well.

You can see some of the EK certificate support in the IBM TSS stack here: https://github.com/kgoldman/ibmtss/blob … /ekutils.c

Thanks,
David Garske, wolfSSL


Re: Get endorsement key embedded into a certificate

captain'flam wrote:

I'm a newbie in TPM development (using wolfTPM), but I already have some tricky questions:

- is it true that each TPM has its own built-in asymmetric (endorsement) key? (let's assume yes)
- is it an RSA or an ECC key? (or one of each)
- is it possible to get the public part of the key?
- is it possible to get this public key embedded in a certificate?
  (I didn't find any function in the API to do that)
- if it is possible, which CA certificate signs it?
- is there a certificate chain ending at the TPM's one?
  (then what is the self-signed certificate at the top of this chain?)

Thanks in advance!

I'm also new to TPM, and I only answered one question, which is the first TPM answer that has a worthy asymmetric key reserved and cannot get the declaration part of the certificate. The rest I will choose someone else to answer.

Re: Get endorsement key embedded into a certificate

Hi All,

As a followup to this topic, we did add support for getting the endorsement keys/certificates. You can find an example here:
https://github.com/wolfSSL/wolfTPM/tree … ndorsement

The answer to all of these is yes, but it does vary by TPM manufacturer.

Let me know if you have any questions after reviewing the new example and endorsement (EK) support.

Thanks,
David Garske, wolfSSL
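One concrete form of "there is a place in NV to get the signed certificate", as an added example that is not code from this thread or from wolfTPM: it builds the raw TPM 2.0 commands that read the public area of the EK certificate's NV index and then the certificate bytes themselves, using the indices the TCG EK Credential Profile reserves for the RSA and ECC EK certificates, and parses a constructed TPM2_NV_ReadPublic response. The sample response (including its attribute value), the 512-byte chunk size and the use of the index's own empty password for authorization are assumptions made for the example.

```python
import struct

# NV indices reserved by the TCG EK Credential Profile for the EK certificates (RSA, ECC).
EK_CERT_NV_INDEX = {"rsa": 0x01C00002, "ecc": 0x01C0000A}
TPM_ST_NO_SESSIONS, TPM_ST_SESSIONS = 0x8001, 0x8002
TPM_CC_NV_READPUBLIC, TPM_CC_NV_READ = 0x00000169, 0x0000014E
TPM_RS_PW = 0x40000009  # password-session handle; the EK cert index is assumed to have an empty auth
TPM_RC_SUCCESS = 0x00000000

def _command(tag, code, body):
    """Prepend the 10-byte TPM command header: tag, total size, command code."""
    return struct.pack(">HII", tag, 10 + len(body), code) + body

def build_nv_readpublic(nv_index):
    """TPM2_NV_ReadPublic: fetch the index's public area; needs no authorization."""
    return _command(TPM_ST_NO_SESSIONS, TPM_CC_NV_READPUBLIC, struct.pack(">I", nv_index))

def parse_nv_readpublic(resp):
    """Pull nvIndex, nameAlg, attributes and dataSize out of the returned TPMS_NV_PUBLIC."""
    tag, size, rc = struct.unpack_from(">HII", resp, 0)
    if rc != TPM_RC_SUCCESS or size != len(resp):
        raise ValueError("TPM2_NV_ReadPublic failed: rc=0x%08x" % rc)
    off = 12  # response header (10) + TPM2B_NV_PUBLIC.size (2)
    nv_index, name_alg, attrs = struct.unpack_from(">IHI", resp, off)
    off += 10
    (policy_len,) = struct.unpack_from(">H", resp, off)  # authPolicy is a TPM2B_DIGEST
    off += 2 + policy_len
    (data_size,) = struct.unpack_from(">H", resp, off)
    return {"nvIndex": nv_index, "nameAlg": name_alg, "attributes": attrs, "dataSize": data_size}

def build_nv_read_chunks(nv_index, data_size, max_buf=512):
    """TPM2_NV_Read commands that fetch the whole certificate max_buf bytes at a time,
    authorizing with the index's own empty password (assumes TPMA_NV_AUTHREAD is set)."""
    pw_session = struct.pack(">IHBH", TPM_RS_PW, 0, 0, 0)  # empty nonce, attributes 0, empty hmac
    cmds = []
    for offset in range(0, data_size, max_buf):
        chunk = min(max_buf, data_size - offset)
        body = (struct.pack(">II", nv_index, nv_index)  # authHandle, nvIndex
                + struct.pack(">I", len(pw_session)) + pw_session
                + struct.pack(">HH", chunk, offset))
        cmds.append(_command(TPM_ST_SESSIONS, TPM_CC_NV_READ, body))
    return cmds

# Constructed TPM2_NV_ReadPublic response (not captured from a real TPM): RSA EK cert index,
# nameAlg SHA-256 (0x000B), a made-up attribute word, empty policy, 1300-byte certificate.
_pub = struct.pack(">IHIHH", EK_CERT_NV_INDEX["rsa"], 0x000B, 0x62042C22, 0, 1300)
_name = struct.pack(">H", 34) + b"\x00\x0b" + b"\x11" * 32
SAMPLE_READPUBLIC_RESP = (struct.pack(">HII", TPM_ST_NO_SESSIONS, 12 + len(_pub) + len(_name),
                                      TPM_RC_SUCCESS) + struct.pack(">H", len(_pub)) + _pub + _name)
```

The returned DER bytes are the manufacturer-signed EK certificate; chaining it to the manufacturer's CA is a separate X.509 step that this block does not perform.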
