Hi!
We have an embedded system that is running VxWorks 7 with the SLB9670VQ20FW785 TPM.
And we are currently investigating how to implement software for provisioning our systems during manufacturing according to IEEE 802.1AR.
So I would like to know if it's feasible to store the Attestation Key certificate and the IDevID certificate in the TPM NVRAM?
I have no prior experience working with PKI/TPM/certificates and would greatly appreciate all the help I can get.
Hi @dawa ,
The IDevID Certificate is issued by the Platform Manufacturer and should be signed by the Platform Manufacturer. Please refer to Table 2 of this spec for Reserved Handles in NV Memory associated with IDevID Certificate.
For storing an AK certificate, you can define an NVRAM space (tpm2_nvdefine) with the size of the certificate you wish to store and then write the certificate (tpm2_nvwrite) into the defined NV area. 'tpm2_evictcontrol' will make the key handle persistent.
Thanks,
Sneha
Hi Sneha
Do you know if there is room on the SLB9670VQ20 nvram for storing two (AK and IDevID) certificates?
I have read through the specifications of the TPM and it says a minimum of 6K free space. I have to admit that I have no idea when it comes to the size of the certificates.
Best regards
Daniel
Hi @dawa ,
Yes, you can store both AK and IDevID certificates belonging to the keys stored on the chip on NVM.
OK great, one last question and then I'm done.
In the specification of the TPM it says "Minimum of 6962 bytes free NV memory". Do you know if that number includes the two certificates installed by Infineon (EK cert and some other cert)?
[vxWorks *]# tpm2_nvlist.vxe
0x1c00002:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 1171
0x1c0000a:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 775
Hi @dawa ,
TPM SLB9670VQ20FW785 has a minimum of 6962 bytes of free NV memory apart from the pre-provisioned certificates that are stored in NVM.
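A sizing check for the question discussed in this thread, as an added example that is not from the thread participants or from Infineon: it reads index sizes from tpm2_nvlist-style output, takes the exact DER length of a certificate so the NV index can be defined with that size, and compares the total against the 6962-byte figure. The function names and the `overhead_per_index` parameter are assumptions; the sample output is constructed in the shape posted above.

```python
import re

FREE_NV_MIN = 6962  # bytes; the minimum free NV figure quoted in the thread
# Constructed sample in the shape of the tpm2_nvlist output posted above.
SAMPLE_NVLIST = """\
0x1c00002:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 1171
0x1c0000a:
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x1200762
  size: 775
"""

def parse_nvlist(text):
    """Return {nv_index: size_in_bytes} from tpm2_nvlist-style output."""
    sizes, index = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"(0x[0-9a-fA-F]+):", line):
            index = int(m.group(1), 16)   # start of a new NV index entry
        elif index is not None and (m := re.fullmatch(r"size:\s*(\d+)", line)):
            sizes[index] = int(m.group(1))
    return sizes

def der_length(buf):
    """Total bytes (header + content) of the outer DER SEQUENCE of a certificate."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if buf[1] < 0x80:                     # short form: length fits in one byte
        return 2 + buf[1]
    n = buf[1] & 0x7F                     # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def fits(cert_sizes, free=FREE_NV_MIN, overhead_per_index=0):
    """Return (bytes_needed, ok). overhead_per_index is an assumed per-index cost."""
    need = sum(size + overhead_per_index for size in cert_sizes)
    return need, need <= free
```

`der_length` looks only at the outer header, so it also gives the true certificate size when a buffer read back from an NV index carries trailing padding.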