From adaba4b2dfb7c4713bba5843adc25a1debd8a6bc Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Mon, 26 Jul 2021 18:44:50 -0500
Subject: [PATCH] Rename "EK method" to "WK method"

Good suggestion by Erik Larsson.
---
 docs/attest-enroll.md | 4 ++--
 sbin/attest-enroll | 10 +++++-----
 sbin/tpm2-recv | 4 ++--
 sbin/tpm2-send | 16 ++++++++--------
 4 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/docs/attest-enroll.md b/docs/attest-enroll.md
index 177152ac..df899a4b 100644
--- a/docs/attest-enroll.md
+++ b/docs/attest-enroll.md
@@ -93,14 +93,14 @@ Decryption is implemented by [`sbin/tpm2-recv`](/sbin/tpm2-recv).
 Two methods are possible for encryption to a target TPM's `EKpub`:
- - the "EK" method (our name for it)
+ - the "WK" method (our name for it)
 - the "TK" method (our name for it)
 Both methods support setting a policy on the ciphertext such that any application using the target's TPM to decrypt it must first execute and satisfy that policy.
-The "EK" method uses `TPM2_MakeCredential()` via tpm2-tools' `tpm2
+The "WK" method uses `TPM2_MakeCredential()` via tpm2-tools' `tpm2
 makecredential` command, using the `none` TCTI (i.e., implemented in software). The target's `EKpub` is used as the `handle` input parameter to `TPM2_MakeCredential()`. A well-known key (`WK`), and the desired policy
diff --git a/sbin/attest-enroll b/sbin/attest-enroll
index 813fdfaa..3ed1a0c0 100755
--- a/sbin/attest-enroll
+++ b/sbin/attest-enroll
@@ -36,7 +36,7 @@ DBDIR="$BASEDIR/build/attest"
 POLICY=
 ESCROW_POLICY=
 ESCROW_PUBS_DIR=
-TRANSPORT_METHOD=EK
+TRANSPORT_METHOD=WK
 DEFAULT_EK_POLICY=
 declare -a GENPROGS
 GENPROGS=(genhostname genrootfskey)
@@ -223,7 +223,7 @@ $(configs)
 names of hard-coded policies, or names of executables (default: POLICIES[rootkey]=pcr11).
- TRANSPORT_METHOD should be EK or TK (default: EK).
+ TRANSPORT_METHOD should be WK or TK (default: WK).
 NOTE: Until https://github.com/tpm2-software/tpm2-tools/issues/2761 is closed, {$PROG} may require a TPM (simulated will suffice) for
@@ -337,14 +337,14 @@ if [[ -n ${DBDIR:-} && -f ${DBDIR:-}/attest-enroll.conf ]]; then
 configured=true
 fi
 fi
-[[ ${TRANSPORT_METHOD:-} = @(TK|EK) ]] \
+[[ ${TRANSPORT_METHOD:-} = @(TK|WK) ]] \
 || die "TRANSPORT_METHOD must be either 'TK' or 'EK'"
 [[ -z $ESCROW_PUBS_DIR || -d $ESCROW_PUBS_DIR ]] \
 || die "ESCROW_PUBS_DIR -- must be a directory or not given"
-# XXX This policy is for the EK method.
+# XXX This policy is for the WK method.
 #
-# FIXME We could make policies for EK/TK have the same digest by using
+# FIXME We could make policies for WK/TK have the same digest by using
 # TPM2_PolicyOR:
 #
 # tpm2 policy... -L ...
diff --git a/sbin/tpm2-recv b/sbin/tpm2-recv
index 8d2dc24e..d84857e2 100755
--- a/sbin/tpm2-recv
+++ b/sbin/tpm2-recv
@@ -19,7 +19,7 @@ Usage: $PROG CIPHERTEXT OUT [POLICY-CMD [ARGS] [;] ...]
 If {CIPHERTEXT}.tk.pem, {CIPHERTEXT}.tk.dpriv, {CIPHERTEXT}.tk.pub, and {CIPHERTEXT}.tk.seed exist, then the "TK" method of encryption is
- assumed. Otherwise the "EK" method of encryption is assumed.
+ assumed. Otherwise the "WK" method of encryption is assumed.
 See {tpm2-send} for details of the two encryption-to-TPM methods supported.
@@ -93,7 +93,7 @@ tpm2 createek \
 --public "${d}/ek.pub" \
 || die "tpm2: unable to create ek object"
-# Make policyDigest (needed for EK method, when loading the WK)
+# Make policyDigest (needed for WK method, when loading the WK)
 (($# > 0)) && ! $use_tk \
 && make_policyDigest "${d}/session" "${d}/policy" $command_code "$@"
diff --git a/sbin/tpm2-send b/sbin/tpm2-send
index 94b283c6..8d649a5f 100755
--- a/sbin/tpm2-send
+++ b/sbin/tpm2-send
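Review bot: In the `@@ -337` hunk of sbin/attest-enroll the die message on the context line right after the updated test still names the old spelling: the pattern now accepts only `@(TK|WK)`, but a rejected value is reported as `TRANSPORT_METHOD must be either 'TK' or 'EK'`, steering the operator toward a value the script no longer takes. Change it to `|| die "TRANSPORT_METHOD must be either 'TK' or 'WK'"`. TRANSPORT_METHOD also appears to be settable from `${DBDIR}/attest-enroll.conf` (the `if ... -f ${DBDIR:-}/attest-enroll.conf` block the hunk header shows), so an existing config that still says `EK` will now abort enrollment with no migration path; if that matters, map the old name before the check, e.g. `[[ ${TRANSPORT_METHOD:-} = EK ]] && TRANSPORT_METHOD=WK`, and do the same for `-M EK` in sbin/tpm2-send, where both `case "$method"` statements (hunks at 121 and 229) would need the alias.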
@@ -39,7 +39,7 @@ Usage: $PROG EK-PUB SECRET OUT # Null policy
 Options:
 -h This help message.
- -M EK|TK Method to use for encryption to TPM (default: EK).
+ -M WK|TK Method to use for encryption to TPM (default: WK).
 -P POLICY Use the named policy or policyDigest.
 -f Overwrite {OUT}.
 -x Trace this script.
@@ -65,14 +65,14 @@ Usage: $PROG EK-PUB SECRET OUT # Null policy
 The two methods of encryption to a TPM are:
- - EK Uses {TPM2_MakeCredential()} to encrypt an AES key to
+ - WK Uses {TPM2_MakeCredential()} to encrypt an AES key to
 the target's EKpub. The target uses {TPM2_ActivateCredential()} to decrypt the AES key.
- A well-known key is used as the activation object, and
- the given policy is associated with it.
+ A well-known key ("WK") is used as the activation object,
+ and the given policy is associated with it.
 This method produces a single file named {OUT}.
 - TK Uses {TPM2_Duplicate()} to encrypt an RSA private key to
@@ -100,7 +100,7 @@ EOF
 . "$BASEDIR/../functions.sh"
 force=false
-method=EK
+method=WK
 policy=
 policyDigest=
 while getopts +:hfxM:P: opt; do
@@ -121,9 +121,9 @@ function err {
 }
 case "$method" in
-EK) command_code=TPM2_CC_ActivateCredential;;
+WK) command_code=TPM2_CC_ActivateCredential;;
 TK) command_code=TPM2_CC_RSA_Decrypt;;
-*) err "METHOD must be \"EK\" or \"TK\"";;
+*) err "METHOD must be \"WK\" or \"TK\"";;
 esac
 if [[ -n $policy ]] && (($# > 3)); then
 echo "Error: -P and policy commands are mutually exclusive" 1>&2
@@ -229,7 +229,7 @@ function wkname {
 }
 case "$method" in
-EK) info "Computing WKname"
+WK) info "Computing WKname"
 wkname=$(wkname "$@") \
 || die "unable to compute the MakeCredential activation object's cryptographic name"
 info "Encrypting to EKpub using TPM2_MakeCredential"