Store AK and IDevID certificates on TPM nvram (SLB9670VQ20FW785 TPM)

dawa
Level 1

Hi!

We have an embedded system that is running VxWorks 7 with the SLB9670VQ20FW785 TPM.

And we are currently investigating how to implement software for provisioning our systems during manufacturing according to IEEE 802.1AR.

So I would like to know if it's feasible to store the Attestation Key certificate and the IDevID certificate on the TPM nvram?

I have no prior experience working with PKI/TPM/certificates and would greatly appreciate all the help I can get.

 

Sneha_P
Moderator

Hi @dawa ,

The IDevID Certificate is issued by the Platform Manufacturer and should be signed by the Platform Manufacturer. Please refer to Table 2 of this spec for Reserved Handles in NV Memory associated with IDevID Certificate.

For storing an AK certificate, you can define an NVRAM space (tpm2_nvdefine) with the size of the certificate you wish to store and then write the certificate (tpm2_nvwrite) into the defined NV area. 'tpm2_evictcontrol' will make the key handle persistent.  

Thanks,

Sneha

dawa
Level 1

Hi Sneha

Do you know if there is room on the SLB9670VQ20 nvram for storing two (AK and IDevID) certificates?

I have read through the specifications of the TPM and it says a minimum of 6K free space. I have to admit that I have no idea when it comes to the size of the certificates.

Best regards

Daniel 

Sneha_P
Moderator

Hi @dawa ,

Yes, you can store both AK and IDevID certificates belonging to the keys stored on the chip on NVM.

 

dawa
Level 1

Ok great, one last question and then I'm done.

In the specification of the TPM it says "Minimum of 6962 bytes free NV memory". Do you know if that number includes the two certificates installed by Infineon (EK cert and some other cert)?

[vxWorks *]# tpm2_nvlist.vxe
0x1c00002:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 1171

0x1c0000a:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 775

 

Sneha_P
Moderator

Hi @dawa ,

TPM SLB9670VQ20FW785 has a minimum of 6962 bytes of free NV memory apart from the pre-provisioned certificates that are stored in NVM.
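
The sizing question in this thread, as an added example that is not code from any participant or from Infineon: it parses the tpm2_nvlist output posted above, reads a DER certificate's total length from its header to get the size to request with tpm2_nvdefine, and checks a set of certificate sizes against the 6962-byte figure. The function names are hypothetical, and per-index overhead inside the TPM is assumed to be zero.

```python
import re

FREE_NV_BYTES = 6962  # minimum free NV figure quoted in the thread
# tpm2_nvlist output as posted in the thread (nesting reconstructed)
NVLIST = """\
0x1c00002:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 1171
0x1c0000a:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 775
"""

def parse_nvlist(text):
    """Return {nv_index: size_in_bytes} parsed from tpm2_nvlist output."""
    sizes, index = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.fullmatch(r"0x[0-9a-fA-F]+:", line):
            index = int(line[:-1], 16)
        elif line.startswith("size:") and index is not None:
            sizes[index] = int(line.split(":", 1)[1])
    return sizes

def der_total_length(der):
    """Total length of a DER certificate, read from its SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                 # short form: length is in this byte
        return 2 + der[1]
    n = der[1] & 0x7F                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def fits(cert_sizes, free=FREE_NV_BYTES):
    """Return (fits, bytes_left); per-index TPM overhead assumed zero."""
    left = free - sum(cert_sizes)
    return left >= 0, left
```

Pass der_total_length the leading bytes of each DER-encoded certificate (a PEM file has to be converted to DER first) and feed the results to fits.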