tpm2-software / tpm2-tss-engine

OpenSSL Engine for TPM2 devices
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

How to use tpm2-tss-engine to sign firmware and verify on device with a TPM? Are there already examples? Perhaps good to add some? #191

Closed capiman2 closed 4 years ago

capiman2 commented 4 years ago

I have successfully used the following commands on a device which has a TPM: (taken from other issues of this repo)

1) sudo tpm2tss-genkey -a ecdsa mykey
2) openssl ec -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
3) sudo openssl dgst -engine tpm2tss -keyform engine -sha256 -sign mykey -out mydatasig mydata
4) openssl dgst -sha256 -keyform pem -verify mykey.pub -signature mydatasig mydata

But thinking about it, I think it is not exactly what I need. The above case shows a case where something is signed on a device with a TPM. But in my case I need the webserver to generate the signature, send the firmware together with the signature file to the device with the TPM, and verify it on the device with the TPM connected.

So I assume step 3 must work without -engine and public key? And step 4 must use -engine and use private key?

I tried step 3 but it tells me it needs the private key. How to change this? Or is my sequence completely wrong?

AndreasFuchsTPM commented 4 years ago

In your use case, you want to "verify a signature on the device"? That step does not include a private key (which is what the TPM protects), and thus yes, your use case does not fit the TPM. If your use case is to store the public key on the device such that it cannot be altered, you want to call tpm2_nvdefinespace/nvwrite/nvread to store the public key PEM file and use openssl without the engine. The engine is for generating signatures with a private key protected by the TPM.

If you need any more consultancy on TPM concepts (since this seems less of a software-bug-helping matter) feel free to contact me via email.
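The split workflow from the answer above, as an added example that is not code from the tpm2-tss-engine project: the build server signs with an ordinary OpenSSL key and no engine, the device keeps only the public key (pinned in TPM NV storage) and verifies with plain openssl. The NV index, the attribute string and the tpm2-tools 4.x command syntax are assumptions; the sample run at the end uses software keys only so it works without a TPM.

```shell
#!/bin/sh
# Added example, not code from the tpm2-tss-engine project.
# Server side: private key, no TPM, no engine.  Device side: public key
# only, read back from TPM NV storage and checked with plain openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# ---- build server: holds the signing key; only the public half leaves ----
server_keygen() {        # writes fw-signing.key (private) and fw-signing.pub
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/fw-signing.key"
    openssl ec -in "$WORK/fw-signing.key" -pubout -out "$WORK/fw-signing.pub" 2>/dev/null
}
server_sign() {          # $1 = firmware image, $2 = detached signature to write
    openssl dgst -sha256 -sign "$WORK/fw-signing.key" -out "$2" "$1"
}

# ---- device: public key pinned in TPM NV (tpm2-tools 4.x syntax assumed) ----
NV_INDEX=0x01500016      # assumed NV index; pick one that is free on your TPM
device_provision_pubkey() {   # $1 = public key PEM; run once, e.g. at manufacturing
    # owner auth guards the write, so a later attacker without it cannot swap the key
    tpm2_nvdefinespace -C o -s "$(wc -c < "$1")" -a "ownerread|ownerwrite" "$NV_INDEX"
    tpm2_nvwrite -C o -i "$1" "$NV_INDEX"
}
device_read_pubkey() {   # $1 = PEM path to write the NV copy of the public key into
    tpm2_nvread -C o -o "$1" "$NV_INDEX"
}
device_verify() {        # $1 = firmware, $2 = signature, $3 = public key PEM
    # exit status is the answer: 0 = "Verified OK", non-zero = reject the image
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# ---- constructed sample run (software keys only, so it runs without a TPM) ----
server_keygen
printf 'FIRMWARE v1.0 constructed sample payload' > "$WORK/fw.bin"
server_sign "$WORK/fw.bin" "$WORK/fw.sig"
# on real hardware the PEM passed here would come from device_read_pubkey
if device_verify "$WORK/fw.bin" "$WORK/fw.sig" "$WORK/fw-signing.pub"; then
    echo "fw.bin: signature valid, accept update"
fi
printf 'X' >> "$WORK/fw.bin"   # tamper with the image after signing
if ! device_verify "$WORK/fw.bin" "$WORK/fw.sig" "$WORK/fw-signing.pub"; then
    echo "fw.bin: signature invalid after tamper, reject update"
fi
```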

funkcjonusz commented 3 years ago

The first command (tpm2tss-genkey -a ecdsa mykey) generates a private key and saves it to the file mykey. The first line of the file mykey confirms it.

$ cat mykey
-----BEGIN TSS2 PRIVATE KEY-----
..........

But in the answer @AndreasFuchsSIT said: " .. private key (which is what the TPM protects) .. "

How is the private key protected by the TPM if it is available in the file "mykey"?

AndreasFuchsTPM commented 3 years ago

The contained private key of that file is encrypted using a key only known to the TPM.