Closed Banchio closed 3 years ago
Hi @Banchio - having built the EST client, the documentation can be accessed with:

`estclient help -common`

for general information on using the configuration file, and:

`estclient sampleconfig -tpm`

will output a sample configuration file for use with TPM signing keys.
The relevant part of the sample configuration file for the TPM-specific options is:
```json
{
  "private_key": {
    "tpm": {
      "device": "/dev/tpmrm0",
      "persistent_handle": 2164391936,
      "storage_handle": 2164260865,
      "ek_handle": 2164326401,
      "key_password": "xyzzy",
      "storage_password": "opensesame",
      "ek_password": "abracadabra",
      "ek_certs": "/path/to/ek/certs/chain.pem",
      "public_area": "signing_key.pub",
      "private_area": "signing_key.priv"
    }
  }
}
```
Note that the EST client won't actually create a signing key on the TPM for you, so it assumes you've already done that and that you have a suitable signing key already available for use.
You don't need to complete all the fields in the TPM section of the configuration file - which fields you complete depends on how your TPM signing key is available:

- the `"device"` field on Linux (it's `"/dev/tpm0"` in the page you linked, for example);
- `"persistent_handle"`, which must contain the persistent TPM handle for your signing key; and `"key_password"` if your signing key is protected on the TPM by a password;
- `"storage_handle"`, which must contain the persistent TPM handle for your storage key; `"public_area"` and `"private_area"`, which must contain the paths to the public and private area blobs of your signing key that you previously saved; and `"key_password"` and/or `"storage_password"` if your signing key and/or storage key are protected on the TPM by a password.

The fields beginning with `"ek_"` are only used for our non-standard TPM privacy-preserving enrollment protocol, so you probably don't need them for your purpose.
Let me know if you have further questions or encounter problems!
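As an added example (not part of estclient or of the comment above), the following standalone Python script checks a configuration file's `private_key.tpm` section against the field rules the maintainer describes: it reports whether the signing key is presented via `persistent_handle` or via `storage_handle` plus saved `public_area`/`private_area` blobs, renders every handle in hex, and flags handles outside the TPM 2.0 persistent range (0x81000000-0x81FFFFFF, which is a TPM 2.0 fact, not something estclient documents). The field names come from the sample config; the embedded sample JSON is the one shown above, and the `check_tpm_section`/`check_tpm_json` function names are this example's own.

```python
"""Standalone sanity check for the "private_key.tpm" section of an estclient
configuration file (added example, not estclient code)."""
import json

# TPM 2.0 reserves this handle range for objects made persistent via EvictControl.
PERSISTENT_MIN = 0x81000000
PERSISTENT_MAX = 0x81FFFFFF

# Constructed sample: the TPM section from the maintainer's reply.
SAMPLE_CONFIG = """{
  "private_key": {
    "tpm": {
      "device": "/dev/tpmrm0",
      "persistent_handle": 2164391936,
      "storage_handle": 2164260865,
      "ek_handle": 2164326401,
      "key_password": "xyzzy",
      "storage_password": "opensesame",
      "ek_password": "abracadabra",
      "ek_certs": "/path/to/ek/certs/chain.pem",
      "public_area": "signing_key.pub",
      "private_area": "signing_key.priv"
    }
  }
}"""


def is_persistent_handle(value):
    """True if value is an integer inside the TPM 2.0 persistent handle range."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False
    return PERSISTENT_MIN <= value <= PERSISTENT_MAX


def check_tpm_section(config):
    """Return a report: the key-loading modes the section supports, every handle
    in hex, problems that must be fixed, and informational notes."""
    report = {"modes": [], "handles": {}, "problems": [], "notes": []}
    tpm = config.get("private_key", {}).get("tpm")
    if tpm is None:
        report["problems"].append("no private_key.tpm section")
        return report

    if not tpm.get("device"):
        report["problems"].append('"device" is required (e.g. /dev/tpmrm0 or /dev/tpm0 on Linux)')

    # Render handles in hex and reject anything outside the persistent range.
    for name in ("persistent_handle", "storage_handle", "ek_handle"):
        if name in tpm:
            value = tpm[name]
            if is_persistent_handle(value):
                report["handles"][name] = f"0x{value:08X}"
            else:
                report["problems"].append(
                    f'"{name}" = {value!r} is not a persistent TPM handle '
                    f"(expected 0x{PERSISTENT_MIN:08X}-0x{PERSISTENT_MAX:08X})")

    # Mode 1: the signing key already sits at a persistent handle.
    if "persistent_handle" in tpm:
        report["modes"].append("persistent_handle")

    # Mode 2: saved public/private blobs loaded under a persistent storage key.
    blob_fields = ("storage_handle", "public_area", "private_area")
    present = [f for f in blob_fields if f in tpm]
    if len(present) == len(blob_fields):
        report["modes"].append("loaded_blobs")
    elif present:
        missing = [f for f in blob_fields if f not in present]
        report["problems"].append(
            "loaded-blob mode needs all of storage_handle, public_area and "
            "private_area; missing: " + ", ".join(missing))

    if not report["modes"]:
        report["problems"].append(
            "no signing key source: set persistent_handle, or storage_handle "
            "with public_area and private_area")

    # ek_* fields are only used by the privacy-preserving enrollment protocol.
    ek_fields = sorted(k for k in tpm if k.startswith("ek_"))
    if ek_fields:
        report["notes"].append(
            "ek_* fields (" + ", ".join(ek_fields) + ") are only used by the "
            "privacy-preserving enrollment protocol")
    return report


def check_tpm_json(text):
    """Convenience wrapper: parse a JSON config string and check it."""
    return check_tpm_section(json.loads(text))


if __name__ == "__main__":
    print(json.dumps(check_tpm_json(SAMPLE_CONFIG), indent=2))
```

Run it against your own file with `check_tpm_json(open("config.json").read())`; a config that sets both modes, like the sample, is reported as supporting both, so trim it to the fields that match how your key was created.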
Thank you so much for the detailed explanation, will try in the coming weeks this scenario and update this issue in case of issue. Closing it for now, thanks again!
Ciao, with regards to the following statement:
How do I find the documentation? I would like to test EST server with a virtual TPM like described in https://docs.microsoft.com/en-us/azure/iot-edge/how-to-auto-provision-simulated-device-linux?view=iotedge-2018-06 Thanks!