wolfSSL / wolfTPM

wolfTPM is a highly portable TPM 2.0 library, designed for embedded use.
https://www.wolfssl.com
GNU General Public License v2.0

Software-only implementations of TPM2_Duplicate() and TPM2_MakeCredential() #249

Closed nicowilliams closed 1 month ago

nicowilliams commented 1 year ago

One can point to a software TPM to implement these, naturally, but then one really needs to start, set up and tear down connections to the software TPM, and stop the software TPM, then set up a connection to an actual dTPM/fTPM. A software implementation of TPM2_Duplicate() and TPM2_MakeCredential() would avoid all that.

We use software TPM2_Duplicate() and TPM2_MakeCredential() in Safeboot, for example.

Another thing that would be useful to have in software is a function to construct the cryptographic name of a public key object given its raw public key (e.g., in a PEM file or a PEM string) and its attributes and policy digest and so on. After all, a software TPM2_MakeCredential() needs the cryptographic name of the activation object!

dgarske commented 1 month ago

See https://github.com/wolfSSL/wolfTPM/tree/master/examples/attestation