RFC: Add user-level mu-api call for key derivation #2101

cplappert · 2021-06-22T11:17:10Z

This commit introduces a new user-level mu-api call
(Tss2_MU_TPMT_PUBLIC_DERIVE_Marshal) that allows to
create a Derived Object with the command TPM2_CreateLoaded.

The rationale for a dedicated user-level call is that from a library
perspective it cannot be determined if a regular keyed-hash object
should be created or a derived object since the Marshalling API
(Tss2_MU_TPMU_PUBLIC_ID_Marshal) selects the dedicated marshalling
method based on the algorithm type which is in both cases TPM2_ALG_KEYEDHASH
(s. code snippet below).

TPMU_MARSHAL2(TPMU_PUBLIC_ID,
    TPM2_ALG_KEYEDHASH, ADDR, keyedHash, Tss2_MU_TPM2B_DIGEST_Marshal,
    TPM2_ALG_SYMCIPHER, ADDR, sym, Tss2_MU_TPM2B_DIGEST_Marshal,
    TPM2_ALG_RSA, ADDR, rsa, Tss2_MU_TPM2B_PUBLIC_KEY_RSA_Marshal,
    TPM2_ALG_ECC, ADDR, ecc, Tss2_MU_TPMS_ECC_POINT_Marshal)

Then we would need to add something like

 TPM2_ALG_KEYEDHASH, ADDR, derive, Tss2_MU_TPMS_DERIVE_Marshal,

which results in a duplicate case value.

Since the user knows which type of object he wants to create, I implemented the new
user-level call.

Any feedback on this approach?

Signed-off-by: Christian Plappert christian.plappert@sit.fraunhofer.de

cplappert · 2021-07-01T11:11:43Z

Alternative: Could also be a candidate for the utility library (#1587)? But I do not know the status there.

cplappert · 2021-07-29T08:04:42Z

Another possibility: TPM2 Specification Part 2 (01.59, 12.2.3.2 TPMU_PUBLIC_ID, p.140) does not specify a selector for derive. A new selector (e.g., TPM_ALG_DERIVE or TPM_ALG_KEYEDHASH_DERIVE) would make the user level call obsolete.

AndreasFuchsTPM · 2021-09-21T14:46:26Z

But then we'd have a mismatch in the type selector of the surrounding TPMT_PUBLIC structure.
So TPMT_PUBLIC_DERIVE_mashall would still be needed, correct ?

williamcroberts · 2021-11-11T20:21:21Z

Alternative: Could also be a candidate for the utility library (#1587)? But I do not know the status there.

We're looking at it in the TSS WG now, I think this would be a candidate for the utility library. I'm confused at what the problem this is solving. Isn't a derived object one in where you specify the seed in the template and have sensitiveDataOrigin clear?

codecov · 2024-03-20T16:02:51Z

Codecov Report

All modified and coverable 8000 lines are covered by tests ✅

Project coverage is 0.00%. Comparing base (a516076) to head (eb2ad37).

❗ Current head eb2ad37 differs from pull request most recent head e50ee38. Consider uploading reports for the commit e50ee38 to get more accurate results

Additional details and impacted files

@@      Coverage Diff       @@
##   master   #2101   +/-   ##
==============================
==============================

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

This commit introduces a new user-level mu-api call (Tss2_MU_TPMT_PUBLIC_DERIVE_Marshal) that allows to create a Derived Object with the command TPM2_CreateLoaded. Signed-off-by: Christian Plappert <christian.plappert@sit.fraunhofer.de>

cplappert marked this pull request as draft June 22, 2021 11:17

cplappert force-pushed the add-kdf-support branch from 99c8095 to de8616f Compare November 9, 2022 14:12

cplappert force-pushed the add-kdf-support branch from 25f50ed to 84c1107 Compare November 16, 2022 18:53

cplappert force-pushed the add-kdf-support branch from 84c1107 to 08249bc Compare December 15, 2022 22:04

cplappert force-pushed the add-kdf-support branch 3 times, most recently from c7d5a42 to e50ee38 Compare March 20, 2024 16:02

cplappert force-pushed the add-kdf-support branch 2 times, most recently from 2a5adec to a08bc15 Compare March 22, 2024 06:59

cplappert force-pushed the add-kdf-support branch 3 times, most recently from 3be1527 to cb5b8ef Compare July 3, 2024 21:14

Add user-level mu-api call for key derivation

19487f5

This commit introduces a new user-level mu-api call (Tss2_MU_TPMT_PUBLIC_DERIVE_Marshal) that allows to create a Derived Object with the command TPM2_CreateLoaded. Signed-off-by: Christian Plappert <christian.plappert@sit.fraunhofer.de>

cplappert force-pushed the add-kdf-support branch from cb5b8ef to 19487f5 Compare July 3, 2024 21:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

RFC: Add user-level mu-api call for key derivation #2101

RFC: Add user-level mu-api call for key derivation #2101

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

RFC: Add user-level mu-api call for key derivation #2101

Are you sure you want to change the base?

RFC: Add user-level mu-api call for key derivation #2101

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants