CIPop
commented
11 months ago @polarina we are aware our implementation does not use the default EK template - this was previously discussed in #2329.
We have decided to deprecate the DPS-TPM authentication mode, and we no longer recommend it for new designs. Instead, we recommend using DPS-X509 with TPMv2 backed private keys (i.e., using the TPM2TSS OpenSSL Engine in Linux):
- https://github.com/Azure/azure-iot-sdk-c#provisioning-client-sdk
- https://github.com/Azure/azure-utpm-c/tree/288c47895e63cc94da3ce60bac671a174137439b#deprecated-.)
If you still decide to use DPS-TPM, you would need to rely on the tpm_device_provision tool that uses the expected EK template.
Closing as won't fix.
https://github.com/Azure/azure-iot-sdk-c/blob/59b7663bb329b64103bb0f22d95162087c01037c/provisioning_client/tests/common_prov_e2e/prov_hsm/tpm_msr.c#L57
The unique field should be 256 bytes of zero-bytes, not 0 bytes, in order to match the default EK template (Template L-1 in https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf).
Because of this, the use of a non-standard EK template, the generated endorsement key does not match the EKcert provided by the TPM manufacturer.
Given these support files:
The following command generates the same EK key as the Azure SDK:
The following command generates an EK key that matches the EKcert (
tpm2_createekcan be used as well to generate the same, correct, key):Compare the RSA keys generated with the EKcert's key:
The former key, Azure SDK's EK, does not match. The latter key does match.