Key generation example for Keyed Hash

examples/README.md

@@ -270,6 +270,22 @@ Reading 198 bytes from keyblob.bin
 Reading the private part of the key
 Loaded key to 0x80000001
 
+$ ./examples/keygen/keygen -keyedhash
+TPM2.0 Key generation example
+	Key Blob: keyblob.bin
+	Algorithm: KEYEDHASH
+	Template: Default
+	Use Parameter Encryption: NULL
+Loading SRK: Storage 0x81000200 (282 bytes)
+Keyed Hash template
+Creating new KEYEDHASH key...
+TPM2_Create key: pub 48, priv 158
+Public Area (size 48):
+  Type: KEYEDHASH (0x8), name: SHA256 (0xB), objAttr: 0x40460, authPolicy sz: 0
+  Keyed Hash: scheme: HMAC (0x5), scheme hash: SHA256 (0xB), unique size 32
+TPM2_Load Key Handle 0x80000001
+New key created and loaded (pub 48, priv 158 bytes)
+Wrote 212 bytes to keyblob.bin
 ```
 
 When filename is not supplied, a default filename "keyblob.bin" is used, therefore `keyload` and `keygen` can be used without additional parameters for quick TPM 2.0 key generation demonstration.

examples/keygen/keygen.c

@@ -55,6 +55,7 @@ static void usage(void)
     printf("* -ecc: Use ECC for asymmetric key generation \n");
     printf("* -sym: Use Symmetric Cipher for key generation\n");
     printf("\tDefault Symmetric Cipher is AES CTR with 256 bits\n");
+    printf("* -keyedhash: Use Keyed Hash for key generation\n");
     printf("* -t: Use default template (otherwise AIK)\n");
     printf("* -aes/xor: Use Parameter Encryption\n");
     printf("* -unique=[value]\n");
@@ -178,6 +179,10 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
             alg = TPM_ALG_SYMCIPHER;
             bAIK = 0;
         }
+        if (XSTRNCMP(argv[argc-1], "-keyedhash", 10) == 0) {
+            alg = TPM_ALG_KEYEDHASH;
+            bAIK = 0;
+        }
         if (XSTRNCMP(argv[argc-1], "-t", 2) == 0) {
             bAIK = 0;
         }
@@ -268,8 +273,9 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
             printf("ECC AIK template\n");
             rc = wolfTPM2_GetKeyTemplate_ECC_AIK(&publicTemplate);
         }
-        else if (alg == TPM_ALG_SYMCIPHER) {
-            printf("AIK are expected to be RSA or ECC, not symmetric keys.\n");
+        else if (alg == TPM_ALG_SYMCIPHER || alg == TPM_ALG_KEYEDHASH) {
+            printf("AIK are expected to be RSA or ECC only, "
+                "not symmetric or keyedhash keys.\n");
             rc = BAD_FUNC_ARG;
         }
         else {
@@ -300,6 +306,11 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
             rc = wolfTPM2_GetKeyTemplate_Symmetric(&publicTemplate, keyBits,
                     algSym, YES, YES);
         }
+        else if (alg == TPM_ALG_KEYEDHASH) {
+            printf("Keyed Hash template\n");
+                rc = wolfTPM2_GetKeyTemplate_KeyedHash(&publicTemplate,
+                    TPM_ALG_SHA256, YES, NO);
+        }
         else {
             rc = BAD_FUNC_ARG;
         }

src/tpm2_wrap.c

@@ -4356,7 +4356,7 @@ int wolfTPM2_GetKeyTemplate_KeyedHash(TPMT_PUBLIC* publicTemplate,
     publicTemplate->type = TPM_ALG_KEYEDHASH;
     publicTemplate->nameAlg = WOLFTPM2_WRAP_DIGEST;
     publicTemplate->objectAttributes = (
-        TPMA_OBJECT_userWithAuth |
+        TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
         TPMA_OBJECT_noDA |
         (isSign ? TPMA_OBJECT_sign : 0) |
         (isDecrypt ? TPMA_OBJECT_decrypt : 0));