tpm2-software / tpm2-totp

Attest the trustworthiness of a device against a human using time-based one-time passwords
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

Fixes to Readme #112

Open SharkOverBite opened 1 month ago

SharkOverBite commented 1 month ago
```
tpm2-totp -P - init
verysecret<CTRL-D>
```

should be

```
tpm2-totp -P - init
verysecret<CTRL-D><CTRL-D>
```

The following is cryptic:

> It is not yet possible to specify specific PCR values independent of the currently set PCR values. This would allow disabling the password-less calculate operation after booting the device. This makes most sense, once a TSS2 FAPI is available that will enable an interface to a canonical PCR event log.

It should perhaps read

> The current PCR values are used during `init`. It's not yet possible to explicitly specify the PCR values to be used for sealing the secret. Once implemented, we could seal the TOTP secret to a PCR state which is only available during boot. Due to PCR extensions post-boot, any later attempts to unseal the secret would fail. We can implement this once we implement a TSS2 FAPI interface to a canonical PCR event log.
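The proposed wording describes a mechanism rather than just a sentence change: seal the TOTP secret to the PCR values present at boot, then extend one of the selected PCRs once the system is up so that the sealed secret is only recoverable during boot. The following Python model, added here as an illustration and not code from tpm2-totp or the tpm2-software project, simulates a SHA-256 PCR bank, a simplified PCR-bound policy digest, an offline stand-in for seal/unseal, and the RFC 6238 TOTP computation the tool's `calculate` step performs. The policy digest construction, the measurement strings and the `boot()`/`simulate()` helpers are assumptions made for the example; a real TPM keeps the secret inside the chip and folds more structure into its policy hash.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed model (not tpm2-totp code): a SHA-256 PCR bank starts at all zeros.
PCR_INIT = bytes(32)
# Constructed TOTP secret: the RFC 6238 test key, so the code is verifiable.
SECRET = b"12345678901234567890"
# Assumption for the example: the policy binds to PCR 0 and PCR 7.
SELECTION = [0, 7]


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for a SHA-256 bank: new = H(old || H(measurement))."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(current + digest).digest()


def policy_pcr(pcrs: Dict[int, bytes], selection: List[int]) -> bytes:
    """Simplified PolicyPCR-style digest over the selected PCR values.
    Assumption: index-ordered concatenation; a real TPM also hashes the
    command code and the PCR selection structure into the policy."""
    h = hashlib.sha256()
    for idx in selection:
        h.update(idx.to_bytes(1, "big") + pcrs[idx])
    return h.digest()


def seal(secret: bytes, policy: bytes) -> dict:
    """Offline stand-in for sealing: record the policy digest the secret is bound to.
    (Model only: a TPM would never hand the secret back in the clear like this.)"""
    return {"policy": policy, "secret": secret}


def unseal(sealed: dict, current_policy: bytes) -> Optional[bytes]:
    """Release the secret only if the policy computed from the current PCRs matches."""
    if hmac.compare_digest(sealed["policy"], current_policy):
        return sealed["secret"]
    return None


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 HOTP over the time-step counter)."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def fresh_pcrs() -> Dict[int, bytes]:
    return {i: PCR_INIT for i in range(24)}


def boot(pcrs: Dict[int, bytes]) -> Dict[int, bytes]:
    """Constructed boot measurements: firmware into PCR 0, boot config into PCR 7."""
    pcrs[0] = pcr_extend(pcrs[0], b"firmware-image")
    pcrs[7] = pcr_extend(pcrs[7], b"secure-boot-config")
    return pcrs


def simulate() -> dict:
    """Walk through init at boot, calculate at boot, then calculate after a post-boot extend."""
    pcrs = boot(fresh_pcrs())
    # init: seal the TOTP secret to the boot-time PCR state
    sealed = seal(SECRET, policy_pcr(pcrs, SELECTION))
    # calculate right after boot: PCRs unchanged, so unseal succeeds
    at_boot = unseal(sealed, policy_pcr(pcrs, SELECTION))
    code_at_boot = totp(at_boot, 59, digits=8) if at_boot else None
    # the scheme proposed above: extend a selected PCR once booted, so the
    # policy no longer matches and later calculate attempts fail
    pcrs[7] = pcr_extend(pcrs[7], b"totp-disabled-after-boot")
    after_extend = unseal(sealed, policy_pcr(pcrs, SELECTION))
    return {"code_at_boot": code_at_boot, "secret_after_extend": after_extend}


if __name__ == "__main__":
    result = simulate()
    print("TOTP at boot:", result["code_at_boot"])
    print("unseal after post-boot extend:", result["secret_after_extend"])
```

The model makes the README's intent concrete: `init` binds the secret to the boot-time PCR digest, `calculate` succeeds while the PCRs still match, and a single extend of any selected PCR after boot changes the policy digest so the secret can no longer be released. Choosing which PCRs to select, and what to extend them with, is the part that would need explicit PCR-value input in `init` and a canonical event log to reason about.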