author: Gary Lin via groups.io <glin=suse.com@groups.io> 2024-03-29 22:27:52 +0800
committer: James Bottomley <James.Bottomley@HansenPartnership.com> 2024-04-17 16:46:43 -0400
commit: 897d73fca93c2d8cb3b60f929978145cdbb95dcb
tree: 6d1ce435b668ce392bdd9f3e4896ada616375c6a
parent: b89fe440c71be0ea5a3ee60f58cd6e703bbfc8a1
download: openssl_tpm2_engine-897d73fca93c2d8cb3b60f929978145cdbb95dcb.tar.gz
doc: add optional rsaParent
Some implementations such as pcr-oracle prefer RSA 2048 to ECC NIST-P256 for the primary key. This commit introduces a new option, rsaParent, to make it flexible to choose the asymmetric algorithm for the primary key.

Signed-off-by: Gary Lin <glin@suse.com>
[jejb: update option to number 5]
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- doc/draft-bottomley-tpm2-keys.xml | 17
1 files changed, 16 insertions, 1 deletions
diff --git a/doc/draft-bottomley-tpm2-keys.xml b/doc/draft-bottomley-tpm2-keys.xml
index 9fddb5a..960b923 100644
--- a/doc/draft-bottomley-tpm2-keys.xml
+++ b/doc/draft-bottomley-tpm2-keys.xml
@@ -109,6 +109,7 @@ An alternate method (rfc include) is described in the references.
secret [2] EXPLICIT OCTET STRING OPTIONAL,
authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
description [4] EXPLICIT UTF8String OPTIONAL,
+ rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
parent INTEGER,
pubkey OCTET STRING,
privkey OCTET STRING
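Review bot: `rsaParent [5] EXPLICIT BOOLEAN OPTIONAL` leaves a third encoding, present-and-FALSE, that the prose in the rsaParent section never defines (it only covers "present and true" and "absent"). Either declare it `rsaParent [5] EXPLICIT BOOLEAN DEFAULT FALSE`, which under DER forbids encoding FALSE explicitly and so removes the ambiguity, or keep OPTIONAL and add a sentence saying a decoder treats a present FALSE exactly like an absent field. The context tag [5] following `description [4]` is otherwise fine: every optional member is explicitly tagged, so the untagged `parent INTEGER` that follows stays unambiguous.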
@@ -205,6 +206,17 @@ An alternate method (rfc include) is described in the references.
visible mnemonic for the key.
</t>
</section>
+ <section title="rsaParent">
+ <t>
+ This MUST be present and true if the parent is a permanent
+ handle (MSO 0x40) and RSA 2048 is used for the primary key.
+ If the parent is not a permanent handle then this MUST NOT
+ be present. If the parent is a permanent handle and if
+ P-256 is used for the primary then this MUST NOT be present.
+ Given that P-256 primary keys are easier to generate,
+ implementations SHOULD NOT set this flag.
+ </t>
+ </section>
<section title="parent">
<t>
This MUST be present for all keys and specifies the handle
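Review bot: the new rsaParent section only constrains producers ("implementations SHOULD NOT set this flag") and says nothing about what consumers must accept. Since the commit message cites pcr-oracle as an implementation that needs RSA 2048 primaries, add a sentence along the lines of "Implementations MUST recognise rsaParent and, when it is present and true, derive the RSA 2048 primary as described in the parent section"; without it a conforming reader could reject or mis-parent such keys and the option would not achieve the interoperability it is introduced for. It would also help to say explicitly whether a permanent handle with rsaParent absent is always the P-256 primary, so the three cases (absent, present with MSO 0x40, present with a non-permanent parent) are exhaustively covered in one place.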
@@ -221,7 +233,9 @@ An alternate method (rfc include) is described in the references.
using the TCG specified Elliptic Curve template <xref
target="TCG-Provision"/> (section 7.5.1 for the Storage
and other seeds or 7.4.1 for the endorsement seed) for
- the NIST P-256 curve and use the primary key so generated
+ the NIST P-256 curve if rsaParent is absent or the RSA
+ template with a key length of 2048 if rsaParent is
+ present and true and use the primary key so generated
as the parent.
</t>
</section>
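Review bot: the RSA branch added here ("the RSA template with a key length of 2048") cites no template, whereas the P-256 branch points at specific sections of <xref target="TCG-Provision"/> (7.5.1 / 7.4.1). Without a normative reference the exponent, symmetric parameters and attribute bits of the RSA 2048 primary are left to each implementation, and two implementations that pick different template details will derive different primary keys under the same seed, so a key wrapped by one cannot be loaded by the other. Suggest adding the corresponding TCG-Provision section references for the RSA storage and endorsement templates, and splitting the now rather long sentence into one sentence per branch for readability.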
@@ -777,6 +791,7 @@ An alternate method (rfc include) is described in the references.
secret [2] EXPLICIT OCTET STRING OPTIONAL,
authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
description [4] EXPLICIT UTF8String OPTIONAL,
+ rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
parent INTEGER,
pubkey OCTET STRING,
privkey OCTET STRING
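Review bot: this is the second, appendix copy of the ASN.1 module and it matches the first hunk exactly, which is correct; since any later change to the rsaParent encoding (for example choosing DEFAULT FALSE over OPTIONAL) must be applied to both copies, a brief comment in the XML near each module noting that the two definitions must stay identical would reduce the chance of them drifting apart in future edits.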