Using EKhash = H(EKpub), when the EKpub is derived from an EKcert, is problematic #170
Description
In HCP we use Safeboot w/ an EKcert, then we derive an EKpub from the EKcert, then we compute a hash of the EKpub and name the enrollment after that hash. At attestation time the client sends its EKpub and the server looks up the enrollment by EKhash = H(EKpub).
The way the EKcert->EKpub conversion is done is simple:
- validate the EKcert
- extract the subject public key from the EKcert
- load that public key into an swTPM as a public key object with all the attributes expected of an EK (the standard authPolicy, attributes, etc.)
- extract the
TPM2B_PUBLICfor that loaded object from the swTPM
But there are at least two ways in which the TPM2B_PUBLIC of an EK as produced by the TPM where it resides, and as produced by another TPM as used above can differ:
-
if the key is an RSA key, the exponent should be
2^16 + 1, which is the default exponent, and which should be written as the all-zeros value that indicates the default
The swTPM writes all-zeros.
A TPM could write2^16 + 1, and at least one brand does. -
if the key is a restricted, decrypt-only RSA key, then the scheme is required to be OEAP and that is allowed to be expressed as the default scheme (NULL)
We've not observed any TPM writing in the OEAP scheme instead of the NULL scheme, but it could happen.
The upshot is that either we must
- enroll both, an EKcert and an EKpub (checking that the spk matches, naturally),
- send the EKcert during attestation,
or - normalize the the EKpub sent by the client at attestation time.
(Readers should note that enrollment also supports enrolling with an EKpub directly, and this is for the case where virtual TPMs are used where there is a mechanism other than EKcerts for validating the legitimacy of a TPM.)