Closed lcp closed 1 year ago
Thank you! I merged your patch, and added a bit of information to the manpage. I also added tpm2key.c to Makefile.in :-)
Please review my merge (as I did it on top of some other changes I already had sitting in my queue). I'd also appreciate it if you could review the manpage and improve it where needed. An update to test-authorized.sh that lets me test both the old and the new key format would be super helpful!
Unsealing the new key format is not implemented in pcr-oracle yet. Will send another patch to add the unseal function and update test-authorized.sh.
With '--key-format tpm2.0', 'seal-secret' outputs a sealed key in TPM 2.0 Key File format, and 'sign' prepends the new signed policy to the authPolicy sequence.
To seal a secret with a PCR policy against PCR 0,2,4,7:
$ pcr-oracle \
    --key-format=tpm2.0 \
    --input secret \
    --output sealed-pcr.tpm \
    seal-secret 0,2,4,7
To seal a secret for an authorized policy:
$ pcr-oracle \
    --key-format=tpm2.0 \
    --auth authorized.policy \
    --input secret \
    --output sealed-auth.tpm \
    seal-secret
To sign the policy against PCR 0,2,4,7 for sealed-auth.tpm:
$ pcr-oracle \
    --key-format=tpm2.0 \
    --private-key policy-key.pem \
    --input sealed-auth.tpm \
    --output sealed-auth-signed.tpm \
    sign 0,2,4,7