Sign CSR for LDevID generation #818

Open
iadgovuser59 opened this issue Aug 5, 2024 · 0 comments
Collaborator

iadgovuser59 commented Aug 5, 2024

Currently, the CSR for LDevID creation is unsigned during the provisioning process. Per the TCG specification "TCG TPM 2.0 Keys for Device Identity and Attestation", we will need to:

  • Certify the LDevID using the same AK on the device's TPM. This will create TPM2B_ATTEST and TPMT_SIGNATURE structures that we can then store, which will be verified by the HIRS portal.
  • Sign the digest of the entire protobuf structure for the CSR.

Note: The above will only be applicable when an LDevID is present in the request.

@iadgovuser59 iadgovuser59 self-assigned this Aug 5, 2024
@iadgovuser59 iadgovuser59 changed the title Add security hardening for LDevID certificate generation Sign CSR for LDevID/AK generation Aug 6, 2024
@iadgovuser59 iadgovuser59 changed the title Sign CSR for LDevID/AK generation Sign CSR for LDevID generation Aug 7, 2024
@iadgovuser59 iadgovuser59 added the enhancement New feature or request label Aug 8, 2024
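
An added example (not part of the original issue or the HIRS code base) of the structural checks a verifier can run on the TPM2B_ATTEST produced by TPM2_Certify before trusting it: that the blob is TPM-generated, is a certify attestation, and names the LDevID key. The function names, the SHA-256 nameAlg, and the use of a verifier-supplied nonce as qualifyingData are assumptions; verifying the TPMT_SIGNATURE over the attest bytes with the AK public key is a separate step not shown here.

```python
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347  # TPMS_ATTEST.magic
TPM_ST_ATTEST_CERTIFY = 0x8017    # TPMS_ATTEST.type set by TPM2_Certify
TPM_ALG_SHA256 = 0x000B


def _tpm2b(buf, off):
    """Read a TPM2B (big-endian UINT16 size + bytes); return (bytes, next offset)."""
    (size,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + size
    if end > len(buf):
        raise ValueError("TPM2B field overruns buffer")
    return buf[off + 2:end], end


def sha256_name(tpmt_public):
    """Object Name = nameAlg || H(marshaled TPMT_PUBLIC); SHA-256 nameAlg assumed."""
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(tpmt_public).digest()


def check_certify_attest(tpm2b_attest, ldevid_public, nonce):
    """Return the certified Name if the attestation covers ldevid_public, else raise."""
    body, end = _tpm2b(tpm2b_attest, 0)
    if end != len(tpm2b_attest):
        raise ValueError("trailing bytes after TPM2B_ATTEST")
    magic, st = struct.unpack_from(">IH", body, 0)
    if magic != TPM_GENERATED_VALUE or st != TPM_ST_ATTEST_CERTIFY:
        raise ValueError("not a TPM-generated TPM2_Certify attestation")
    _signer, off = _tpm2b(body, 6)   # qualifiedSigner
    extra, off = _tpm2b(body, off)   # extraData (caller's qualifyingData)
    if extra != nonce:
        raise ValueError("extraData does not match the expected nonce")
    off += 17 + 8                    # skip TPMS_CLOCK_INFO and firmwareVersion
    name, off = _tpm2b(body, off)    # TPMS_CERTIFY_INFO.name
    _qname, off = _tpm2b(body, off)  # TPMS_CERTIFY_INFO.qualifiedName
    if off != len(body) or name != sha256_name(ldevid_public):
        raise ValueError("attested Name malformed or not the LDevID key's Name")
    return name


def build_sample_attest(public, nonce):
    """Constructed test vector for this example (not real TPM output)."""
    t2b = lambda b: struct.pack(">H", len(b)) + b
    name = sha256_name(public)
    body = (struct.pack(">IHH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_CERTIFY, 0)
            + t2b(nonce) + struct.pack(">QIIBQ", 1000, 1, 0, 1, 1)
            + t2b(name) + t2b(name))
    return t2b(body)
```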