TPM EK and AK


EK

The Endorsement Key (EK) is an asymmetric key pair consisting of a public and private key stored in a Shielded Location on the TPM. The public part of the EK can be read from the TPM while the private part MUST never be exposed. The public key of the EK is included in the EK certificate.

Key points about the EK:

  • an asymmetric key pair (RSA 2048 or ECC P-256 are the common EK templates)
  • the private key is stored in a Shielded Location inside the TPM
  • the public key can be read out; the private key can never be exposed
  • created on the TPM with TPM2_CreatePrimary, or generated by the TPM manufacturer and injected at manufacturing time
  • it is a Primary Object in the Endorsement hierarchy, which is seeded by the EPS (Endorsement Primary Seed)
  • the primary key is derived deterministically by a KDF from the EPS and the key template, so the same template always regenerates the same EK

AK

An Attestation Key, or AK, is a non-duplicable Restricted signing key. A certificate associated with this key is referred to as an AK Certificate.

Key points about the AK:

  • take ownership and create the primary key of the Storage hierarchy (the Storage Root Key, SRK)
  • create the AK under the SRK and use it to sign attestation quotes
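As an added illustration that is not code from this post, the model below derives an EK and an SRK scalar from constructed primary seeds using TCG's KDFa construction, showing why a primary key is reproducible from seed plus template and why the Endorsement and Storage hierarchies yield unrelated keys. The seeds and templates are constructed placeholders, and the derivation is simplified relative to the exact TCG procedure.

```python
import hashlib
import hmac

# Order of the NIST P-256 curve; an ECC private scalar must lie in [1, n-1].
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def kdfa(hash_name, key, label, context_u, context_v, bits):
    """TCG KDFa (SP800-108 counter mode over HMAC).

    Block i = HMAC(key, i || label || 0x00 || contextU || contextV || bits),
    with i and bits as 32-bit big-endian integers. bits is assumed to be a
    multiple of 8 here; the TCG spec additionally masks partial bytes.
    """
    digest_size = hashlib.new(hash_name).digest_size
    blocks = (bits + 8 * digest_size - 1) // (8 * digest_size)
    out = b""
    for i in range(1, blocks + 1):
        msg = (i.to_bytes(4, "big") + label + b"\x00" + context_u
               + context_v + bits.to_bytes(4, "big"))
        out += hmac.new(key, msg, hash_name).digest()
    return out[: bits // 8]


def derive_primary_scalar(primary_seed, template):
    """Simplified model of primary-object creation: the key is a pure
    function of the hierarchy's primary seed and the template's name
    (hash of the template). The real TCG procedure differs in detail,
    but it has the same deterministic property."""
    template_name = hashlib.sha256(template).digest()
    for counter in range(256):
        candidate = kdfa("sha256", primary_seed, b"ECC", template_name,
                         counter.to_bytes(4, "big"), 256)
        d = int.from_bytes(candidate, "big")
        if 1 <= d < P256_ORDER:
            return d
    raise RuntimeError("no valid scalar found")  # astronomically unlikely


# Constructed seeds and templates for the demonstration (not real TPM values).
EPS = hashlib.sha256(b"constructed endorsement primary seed").digest()
SPS = hashlib.sha256(b"constructed storage primary seed").digest()
EK_TEMPLATE = b"ECC P-256 | restricted decrypt | EK policy"
SRK_TEMPLATE = b"ECC P-256 | restricted decrypt | userWithAuth"

if __name__ == "__main__":
    ek = derive_primary_scalar(EPS, EK_TEMPLATE)
    srk = derive_primary_scalar(SPS, SRK_TEMPLATE)
    print("EK scalar  :", hex(ek))
    print("SRK scalar :", hex(srk))
    print("EK recreated identically:", ek == derive_primary_scalar(EPS, EK_TEMPLATE))
```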

TPM 2.0 key initialization

