[PATCH 0/4] add restricted parents allowing the same loadable key to be used by different TPMs

James Bottomley

This patch series adds restricted keys, which may be used as storage
keys and have child keys. For wrapped keys, we use the public and
private parameters to create the symmetric seed, thus meaning that the
wrapping of the same private key always has the same symmetric seed.
Since the symmetric seed is used in all child protections, this allows
keys parented to the wrapped key to be transported seamlessly between
different TPMs. The use case for this is the cloud one, where we'd
like to seed a set of physical systems with these wrapped parents such
that a child key may be loaded correctly and used by every such
physical system in the cloud.

James Bottomley (4):
create_tpm2_key: add a --restricted option
Make removal of key files from the temporary directory explicit
load_tpm2_key: add new command to load a key file to a NV handle
Add tests for restricted keys

.gitignore | 1 +
Makefile.am | 10 +-
create_tpm2_key.c | 76 ++++++++++++++-
e_tpm2.c | 3 +-
load_tpm2_key.1.in | 27 ++++++
load_tpm2_key.c | 234 +++++++++++++++++++++++++++++++++++++++++++++
tests/Makefile.am | 1 +
tests/restricted_parent.sh | 63 ++++++++++++
tpm2-common.c | 13 ++-
tpm2-common.h | 3 +-
10 files changed, 418 insertions(+), 13 deletions(-)
create mode 100644 load_tpm2_key.1.in
create mode 100644 load_tpm2_key.c
create mode 100755 tests/restricted_parent.sh
