Questions on fdo-owner-tool #689
Replies: 4 comments
-
See the #587 ticket for details of what needs to be done for TPM; the support for creating or reading credentials in TPMs is still outstanding. When the support was first created the TPM standard didn't exist, so the credentials were stored on disk and (I believe - @puiterwijk can confirm) were signed by the TPM. Now there is a standard, but no one has yet implemented either reading the standardised format, or writing the new standardised format as part of manufacturing.
-
This part of the flow, unfortunately, isn't even covered by the normative FDO spec and hence is left to manufacturers/OEMs to figure out, which causes this kind of tricky situation - the owner-tool itself isn't meant (at all, if you ask me) to be run by manufacturers to generate credentials and vouchers, but is meant, for now, as a debugging tool.
-
If you want to follow what's happening, here's the link to the TPM proposal in the FDO spec too: https://fidoalliance.org/specs/FDO/securing-fdo-in-tpm-v1.0-rd-20231010/securing-fdo-in-tpm-v1.0-rd-20231010.html
-
So today, when the device is initialized, where are the device credentials stored?
-
Would the device manufacturer use fdo-owner-tool to perform device initialization and create the ownership voucher for the device?
The initialize-device command takes device-id as an arg; how is the device_id generated?
Does initialize-device need to be run on the device?
I was under the impression that the device credentials can be written to the TPM. Here it seems like we are specifying a directory path. Don't we have to make sure device credentials are securely stored on the device?