TPM EK and AK
EK
The Endorsement Key (EK) is an asymmetric key pair consisting of a public and private key stored in a Shielded Location on the TPM. The public part of the EK can be read from the TPM while the private part MUST never be exposed. The public key of the EK is included in the EK certificate.
Key points about the EK:
- private/public key pair (RSA 2048 or ECC-256)
- private key stored in a Shielded Location
- public key can be read; private key can never be exposed
- generated inside the TPM by the TPM command TPM2_CreatePrimary, or generated by the TPM manufacturer and injected into the TPM
- Primary Object in the Endorsement hierarchy, which has an EPS (Endorsement Primary Seed)
- primary key generated by KDF + EPS
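As an added illustration of the last two points (example code, not from the original note), the following Python models how TPM2_CreatePrimary regenerates the same EK from the EPS every time: it implements the TPM 2.0 KDFa construction (SP800-108 counter mode over HMAC) and derives an ECC-256 private scalar from a constructed seed and template. The label string "EK-MODEL", the template encoding and the modular reduction to a P-256 scalar are simplifying assumptions, not the specification's exact per-algorithm procedure.

```python
import hashlib
import hmac
import struct

# P-256 (NIST ECC-256) group order; a private scalar must lie in [1, n-1].
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def kdfa(hash_name, key, label, context_u, context_v, bits):
    """TPM 2.0 KDFa (SP800-108 counter mode, HMAC PRF):
    K(i) = HMAC(key, [i]_32 || label || 0x00 || contextU || contextV || [bits]_32)."""
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        counter += 1
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, hash_name).digest()
    return out[: (bits + 7) // 8]


def derive_primary_ecc_scalar(primary_seed, template):
    """Model of TPM2_CreatePrimary in the Endorsement hierarchy: the private
    scalar is a pure function of the EPS and the key template, so every call
    with the same inputs regenerates the same EK and nothing has to be stored.
    Assumption: label "EK-MODEL" and the modular reduction are simplifications."""
    template_name = hashlib.sha256(template).digest()  # stand-in for the TPMT_PUBLIC name
    raw = kdfa("sha256", primary_seed, b"EK-MODEL", template_name, b"", 256)
    return int.from_bytes(raw, "big") % (P256_ORDER - 1) + 1


def same_ek_every_time(primary_seed, template, rounds=3):
    """True if repeated 'CreatePrimary' calls with the same EPS/template agree."""
    first = derive_primary_ecc_scalar(primary_seed, template)
    return all(derive_primary_ecc_scalar(primary_seed, template) == first
               for _ in range(1, rounds))


# Constructed sample values: a real EPS never leaves the TPM's Shielded Location.
SAMPLE_EPS = hashlib.sha256(b"constructed endorsement primary seed").digest()
EK_TEMPLATE = b"TPM_ALG_ECC/NIST_P256/restricted/decrypt/fixedTPM"  # stand-in for the EK template
OTHER_TEMPLATE = b"TPM_ALG_ECC/NIST_P256/restricted/sign"  # a different template gives a different key

if __name__ == "__main__":
    d = derive_primary_ecc_scalar(SAMPLE_EPS, EK_TEMPLATE)
    print("EK private scalar (hex):", hex(d))
    print("reproducible from EPS + template:", same_ek_every_time(SAMPLE_EPS, EK_TEMPLATE))
    print("template changes key:", d != derive_primary_ecc_scalar(SAMPLE_EPS, OTHER_TEMPLATE))
```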
AK
An Attestation Key, or an AK, is a non-duplicable Restricted signing key. A certificate associated with this key will be referred to as an AK Certificate.
Key points about the AK:
- takeownership to create the storage hierarchy key (Storage Root Key, SRK)
- create the AK for attestation under the SRK