Currently, the CSR for LDevID creation is unsigned during the provisioning process. Per the TCG specification "TCG TPM 2.0 Keys for Device Identity and Attestation", we will need to:
1. Certify the LDevID using the same AK on the device's TPM. This will create TPM2B_ATTEST and TPMT_SIGNATURE structures that we can then store, which will be verified by the HIRS portal.
2. Sign the digest of the entire protobuf structure for the CSR.
Note: The above will only be applicable when an LDevID is present in the request.
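A sketch of the structural checks a verifier can make on the stored TPM2B_ATTEST before trusting the certification, added here as an example and not HIRS code. The function names and the sample blob are constructed for illustration; verifying the TPMT_SIGNATURE over the TPMS_ATTEST bytes with the AK public key is assumed to be done separately.

```python
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347   # magic: structure was produced inside a TPM
TPM_ST_ATTEST_CERTIFY = 0x8017     # attestation type emitted by TPM2_Certify

def _tpm2b(buf, off):
    """Read one TPM2B field (big-endian UINT16 size, then that many bytes)."""
    (size,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + size
    if end > len(buf):
        raise ValueError("TPM2B field runs past end of buffer")
    return buf[off + 2:end], end

def check_certify_info(tpm2b_attest, expected_name, expected_nonce):
    """Structural checks on a TPM2B_ATTEST from TPM2_Certify; returns (ok, reason)."""
    try:
        body, end = _tpm2b(tpm2b_attest, 0)      # unwrap to TPMS_ATTEST
        if end != len(tpm2b_attest):
            return False, "trailing bytes after TPM2B_ATTEST"
        magic, st = struct.unpack_from(">IH", body, 0)
        if magic != TPM_GENERATED_VALUE:
            return False, "magic is not TPM_GENERATED_VALUE"
        if st != TPM_ST_ATTEST_CERTIFY:
            return False, "type is not TPM_ST_ATTEST_CERTIFY"
        _signer, off = _tpm2b(body, 6)           # qualifiedSigner (name of the AK)
        extra, off = _tpm2b(body, off)           # extraData (caller's qualifyingData)
        off += 17 + 8                            # skip clockInfo and firmwareVersion
        name, off = _tpm2b(body, off)            # attested.certify.name
        _qname, off = _tpm2b(body, off)          # attested.certify.qualifiedName
    except (struct.error, ValueError) as exc:
        return False, f"malformed structure: {exc}"
    if off != len(body):
        return False, "trailing bytes after TPMS_CERTIFY_INFO"
    if extra != expected_nonce:
        return False, "extraData does not match the nonce"
    if name != expected_name:
        return False, "certified name is not the LDevID key"
    return True, "ok"

def build_sample(name, nonce, st=TPM_ST_ATTEST_CERTIFY):
    """Constructed test blob (not TPM output): fields packed in TPMS_ATTEST order."""
    wrap = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">IH", TPM_GENERATED_VALUE, st) + wrap(b"\x00\x0b" + bytes(32))
            + wrap(nonce) + bytes(17) + bytes(8) + wrap(name) + wrap(name))
    return wrap(body)

# Constructed values: a TPM name is nameAlg (0x000B = SHA-256) || H(public area).
LDEVID_NAME = b"\x00\x0b" + hashlib.sha256(b"constructed LDevID public area").digest()
NONCE = bytes(range(16))
```
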