The Endorsement Key (EK) is an asymmetric key pair consisting of a public and a private key stored in a Shielded Location on the TPM. The public part of the EK can be read from the TPM, while the private part MUST never be exposed. The public key of the EK is the key included in the EK certificate.
- private/public key pair (RSA 2048 or ECC P-256)
- private key stored in a Shielded Location
- public key can be read; private key cannot be exposed
- generated on the TPM by TPM2_CreatePrimary, or generated and injected by the TPM manufacturer
- Primary Object in the Endorsement hierarchy, which is rooted in the EPS (Endorsement Primary Seed)
- primary key derived by a KDF from the EPS and the key template, so the same template always regenerates the same EK as long as the EPS is unchanged
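The following is an added example, not code from the original note or from any TPM implementation. It models the "KDF + EPS" step for an ECC P-256 EK template: KDFa as TPM 2.0 Part 1 defines it (SP800-108 counter mode over HMAC), keyed with a constructed sample EPS and bound to the template's Name, then the derived scalar is turned into the public point that would go into the EK certificate. Assumptions and simplifications: the template is a plain dict whose repr stands in for the marshalled TPMT_PUBLIC, the KDFa output is used directly as the private scalar instead of seeding a DRBG as the reference implementation does, and the curve arithmetic is textbook affine math with no side-channel protection. The point it demonstrates is the property stated above: the same seed and template always reproduce the same EK, while changing either one yields a different key.

```python
import hashlib
import hmac

# Constructed sample Endorsement Primary Seed (EPS). A real EPS is a
# TPM-internal secret that never leaves the chip; this value is made up.
SAMPLE_EPS = bytes.fromhex(
    "a1b2c3d4e5f60718293a4b5c6d7e8f900f1e2d3c4b5a69788796a5b4c3d2e1f0"
)

# NIST P-256 domain parameters.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# Hypothetical EK template; attribute names follow the TCG EK profile, but
# the dict layout itself is an assumption of this example.
EK_TEMPLATE = {
    "type": "ECC", "nameAlg": "SHA256", "curve": "NIST_P256",
    "attrs": "fixedTPM|fixedParent|sensitiveDataOrigin|adminWithPolicy|restricted|decrypt",
    "unique": "",
}


def kdfa(key, label, context_u, context_v, bits, hashfn=hashlib.sha256):
    """KDFa: HMAC(key, [i]32 || label || 0x00 || contextU || contextV || [bits]32),
    concatenated for i = 1, 2, ... until `bits` bits have been produced."""
    out = b""
    i = 0
    while len(out) * 8 < bits:
        i += 1
        msg = (i.to_bytes(4, "big") + label.encode() + b"\x00"
               + context_u + context_v + bits.to_bytes(4, "big"))
        out += hmac.new(key, msg, hashfn).digest()
    return out[: (bits + 7) // 8]


def template_name(template):
    """Name of the template: nameAlg id (0x000B = SHA-256) || hash of the
    public area. Marshalling is simplified to the dict's sorted repr."""
    marshalled = repr(sorted(template.items())).encode()
    return b"\x00\x0b" + hashlib.sha256(marshalled).digest()


def derive_ecc_private(seed, template):
    """Derive the primary private scalar from the seed and the template Name,
    retrying with a new counter until the candidate lies in [1, N-1]."""
    counter = 0
    while True:
        counter += 1
        cand = kdfa(seed, "ECC", template_name(template),
                    counter.to_bytes(4, "big"), 256)
        d = int.from_bytes(cand, "big")
        if 1 <= d < N:
            return d


def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point=(GX, GY)):
    """Double-and-add scalar multiplication (educational, not constant-time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def create_primary(seed, template):
    """Model of TPM2_CreatePrimary for an ECC template: (private d, public Q).
    The private part stays inside the TPM; only Q is ever returned to callers."""
    d = derive_ecc_private(seed, template)
    return d, scalar_mult(d)


def ek_public(seed=SAMPLE_EPS, template=EK_TEMPLATE):
    """The public EK point, i.e. what the EK certificate would carry."""
    return create_primary(seed, template)[1]


if __name__ == "__main__":
    q = ek_public()
    print("EK public x:", hex(q[0]))
    print("regenerated identically:", ek_public() == q)
    print("different unique field gives different EK:",
          ek_public(template=dict(EK_TEMPLATE, unique="other")) != q)
```

Regenerating the EK on every boot instead of storing it is exactly why an EK certificate can vouch for a TPM: the CA signs a public key that the chip can always recompute from its EPS, and TPM2_ChangeEPS is what invalidates that certificate.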
An Attestation Key (AK) is a non-duplicable, Restricted signing key. A certificate associated with this key is referred to as an AK Certificate.
- take ownership of the TPM to create the storage-hierarchy primary key (Storage Root Key, SRK)
- create the AK under the SRK and use it for attestation