The TPM feature for parameter encryption and HMAC verification has been added to wolfTPM! The TCG TPM 2.0 specification allows protection of the first parameter of a command or response using parameter encryption. When using an authenticated session it also adds HMAC validation to prove the TPM entity is trusted and integrity of command and response.
Encryption is supported using AES CFB or XOR. The authenticated sessions now support salted unbound sessions with HMAC or Policy type.
The effort was integrated in this GitHub pull request: https://github.com/wolfSSL/wolfTPM/pull/129 and is in the wolfTPM v2.0 release.
Features:
- Added AES CFB support
- Added calculation of command hash and HMAC for sessions
- Added response HMAC validation
- Fixes and cleanups for KDFa
- Added KDFa unit test (passes)
- Inlined the param encryption buffers
- Added “-aes” and “-xor” options to most examples to enable parameter encryption
- Refactor of the session authentication
- Fixes for nonce and auth count
- Added support for encrypted RSA salt and salted-unbounded session
- Added innerWrap and outerWrap support for sensitive to private
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.