
Add support for creating IAK and IDevID keys and certificates #823

Draft
wants to merge 6 commits into
base: master

Conversation

@stefanberger stefanberger (Owner) commented Aug 21, 2023

This PR extends the tools swtpm_cert, swtpm_localca, and swtpm_setup to create IAK and IDevID keys and certificates.

ToDo:

  • [ ] swtpm_setup: Check NVRAM area flags
  • [ ] swtpm_setup: NVRAM indices currently used are wrong. Which ones to use? We need to wait for an update of the specs that show the NVRAM indices for the certs.
  • swtpm_setup: Create serialNumber for subject from <TCG Manuf Code>:<EK Authority Key Id>:<EK Cert Serial Number>
  • [ ] swtpm_cert: Is the ASN.1 in the certs ok? Properly nested?
  • man pages
  • test cases

@stefanberger stefanberger force-pushed the stefanberger/iak_idevid branch 9 times, most recently from f0d4dab to f685cdb, August 26, 2023 21:19
@stefanberger stefanberger marked this pull request as draft August 26, 2023 22:17
@stefanberger stefanberger force-pushed the stefanberger/iak_idevid branch 3 times, most recently from 6337037 to 1493455, August 30, 2023 16:34
@stefanberger stefanberger force-pushed the stefanberger/iak_idevid branch from 1493455 to e360af6, September 7, 2023 15:49
@stefanberger stefanberger force-pushed the stefanberger/iak_idevid branch from e360af6 to 24d74c9, September 22, 2023 16:32
@stefanberger stefanberger force-pushed the stefanberger/iak_idevid branch from 24d74c9 to 6640fb0, November 3, 2023 13:17
@stefanberger stefanberger force-pushed the stefanberger/iak_idevid branch from 6640fb0 to f85d43c, March 19, 2024 20:32
@stefanberger stefanberger force-pushed the stefanberger/iak_idevid branch 2 times, most recently from c873318 to 1877ea1, July 23, 2024 21:22
@stefanberger stefanberger force-pushed the stefanberger/iak_idevid branch from 1877ea1 to 0836cf4, October 3, 2024 01:49
```c
cmd = concat_arrays(cmd,
                    (const gchar *[]){
                        "--type", "platform",
                        "--type", tmp_typ,
```

@stefanberger stefanberger (Owner, Author) commented on the lines above:

tmp_typ needed?

@stefanberger stefanberger force-pushed the stefanberger/iak_idevid branch from 0836cf4 to e98579f, October 18, 2024 19:20

Add support for certificate types iak and idevid. Both require the new
command line option --tpm-serial-num to be passed.

Add support for creating the ASN.1 for the SAN for the new certificates.

Advertise the support for the new certificate types using the capabilities
JSON with entries "cmdarg-tpm-serial-num" and "supports-iak-idevid".

Add documentation to the man page and extend test cases.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Add support for the --tpm-serial-num command line option to pass it on to
swtpm_cert.

Make the vmid part of the serialNumber of the subject passed to
swtpm_cert (following an email exchange with TCG IWG).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Add documentation to the man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Prepare the code to allow EC keys to be created with 2 different nonces.
So far always 2 identical nonces were used in all templates.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Extend swtpm_setup to create IAK and IDevID keys and certificates.

Use the same CA for signing the IAK and IDevID certificates as used for
the EK and platform certificates since all these certificates are issued
at the same time anyway.

Add documentation to the man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Create the IAK hwSerialNum from the authority key identifier and
serial number extracted from the EK certificate.

Adjust a test script that now needs to use a valid certificate for the EK
so that we can get the authority key identifier and serial from it to
create the serial number for the IAK certificate.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
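The derivation described in the last commit message (IAK hwSerialNum built from the EK certificate's authority key identifier and serial number), as an added example that is not swtpm's own code: a minimal DER walker pulls both values out of a certificate and composes the `<TCG Manuf Code>:<EK Authority Key Id>:<EK Cert Serial Number>` string from the ToDo list above. The hex encoding of the two fields, the `MANUFCODE` placeholder and the constructed stand-in certificate are assumptions of this example, not the PR's format.

```python
# Added example, not swtpm code. Extract serialNumber and the AuthorityKeyIdentifier
# keyIdentifier from a DER certificate and compose the IAK subject serialNumber.
OID_AKI = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier

def der_decode(buf, off=0):
    """Return (tag, value, next_offset) for the TLV at buf[off]; handles long-form lengths."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[off + 2:off + 2 + k], "big"), 2 + k
    return tag, buf[off + hdr:off + hdr + n], off + hdr + n

def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, off = [], 0
    while off < len(value):
        tag, v, off = der_decode(value, off)
        out.append((tag, v))
    return out

def ek_cert_identifiers(cert_der):
    """Return (serialNumber as int, AKI keyIdentifier bytes or None) from a DER certificate."""
    fields = der_children(der_children(der_decode(cert_der)[1])[0][1])  # TBSCertificate fields
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    aki = None
    for tag, v in fields:
        if tag != 0xA3:                          # [3] EXPLICIT Extensions
            continue
        for _, ext in der_children(der_children(v)[0][1]):
            parts = der_children(ext)            # OID, [critical BOOLEAN], OCTET STRING
            if parts[0][1] == OID_AKI:
                for t, kid in der_children(der_children(parts[-1][1])[0][1]):
                    if t == 0x80:                # [0] IMPLICIT keyIdentifier
                        aki = kid
    return serial, aki

def iak_hw_serial_num(manuf_code, serial, aki):
    """Assumed layout <TCG Manuf Code>:<EK Authority Key Id>:<EK Cert Serial Number>, hex fields."""
    return f"{manuf_code}:{aki.hex()}:{serial:x}"

def der(tag, payload):  # short-form lengths only; enough for the constructed sample below
    return bytes([tag, len(payload)]) + payload

def build_sample_ek_cert(serial, key_id):
    """Constructed stand-in certificate: only serial and AKI are meaningful, the rest are empty SEQUENCEs."""
    sb = serial.to_bytes((serial.bit_length() + 8) // 8, "big")   # positive INTEGER encoding
    aki_ext = der(0x30, der(0x06, OID_AKI) + der(0x04, der(0x30, der(0x80, key_id))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, sb) + b"\x30\x00" * 5
              + der(0xA3, der(0x30, aki_ext)))
    return der(0x30, tbs + b"\x30\x00" + der(0x03, b"\x00"))
```

Running `ek_cert_identifiers` on a real EK certificate works the same way, since the walker handles long-form lengths; only the builder is limited to the small sample.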
@stefanberger stefanberger force-pushed the stefanberger/iak_idevid branch from e98579f to 5c4b2ba, October 31, 2024 13:49