Configurable Hierarchy #93

Open
joylatten opened this issue Oct 20, 2023 · 12 comments
Labels: enhancement (New feature or request)

Comments

@joylatten

TPM2 has several hierarchies. But it seems only Owner hierarchy currently supported. Is it possible to support the other hierarchies?

@gotthardp (Contributor)

I think that the other hierarchies are supported. The owner hierarchy is the default one, but using the parent parameter you can use any other hierarchy, see https://github.com/tpm2-software/tpm2-openssl/blob/master/docs/keys.md#key-generation.

@gotthardp gotthardp added the question Further information is requested label Oct 20, 2023
@joylatten (Author)

Yes, I noted this. But it seems I need an index to specify the parent. And I think I can only get one if I make the object persistent. I am using the NULL hierarchy, so I cannot do that. Can I specify the parent with a TPM2 saved context?

@gotthardp (Contributor)

I see. Could loading a serialized object be a solution for you? https://github.com/tpm2-software/tpm2-openssl/blob/master/docs/keys.md#using-a-serialized-object You would have to generate the key outside, but it may enable you to use the generated key in openssl functions.

@joylatten (Author)

Yes, I saw that too. But it seems the serialized object is just another representation of the persistent handle. So you would be using tpm2_evictcontrol to create a persistent handle but output in another representation of the handle.

Let me try TSS PEM file. I would need to first figure how to ASN1 my tpm2 wrapped keys and parent context....

@gotthardp (Contributor)

I don't think that will work either; the TSS PEM includes the parent handle only.

@gotthardp (Contributor)

Could you please write down the tpm2 commands you use to generate the key you want to use with openssl?

@joylatten (Author)

Thank you for looking. I just realized the TSS PEM has parent as a handle.
The keys are not generated in the TPM. I would like to import externally generated keys into tpm and use openssl tpm2 engine for crypto using the keys.

My steps:

  • openssl genrsa to generate the key
  • tpm2_createprimary to create a primary key in NULL hierarchy
  • tpm2_import to import the openssl key
  • tpm2_load to load the keys into tpm memory in the NULL hierarchy.

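To show concretely why the TSS PEM route mentioned above cannot point at a transient NULL-hierarchy primary, here is an added example (not tpm2-openssl or tpm2-tools code) that builds and decodes a constructed "TSS2 PRIVATE KEY" file: the parent is a bare 32-bit TPM handle whose top byte classifies it (0x81 persistent, 0x80 transient, 0x40 permanent). The public/private blobs are placeholders, not real TPM2B structures, and the decoder stops once it has the parent handle.

```python
import base64

# ASN.1 of a loadable key file (OID 2.23.133.10.1.3): SEQUENCE { type OID,
# optional context-tagged [0]..[3] fields, parent INTEGER, pubkey OCTET STRING,
# privkey OCTET STRING }. Only the parent handle matters for this example.
LOADABLE_KEY_OID = bytes.fromhex("6781050a0103")  # 2.23.133.10.1.3, DER-encoded
HANDLE_TYPES = {0x40: "permanent", 0x80: "transient", 0x81: "persistent"}

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode one DER element at pos; returns (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def make_tss2_pem(parent, pub, priv, empty_auth=True):
    """Constructed sample key file; pub/priv are placeholder bytes."""
    body = tlv(0x06, LOADABLE_KEY_OID)
    if empty_auth:
        body += tlv(0xA0, tlv(0x01, b"\xff"))           # [0] EXPLICIT BOOLEAN TRUE
    body += tlv(0x02, b"\x00" + parent.to_bytes(4, "big"))  # leading 0 keeps INTEGER positive
    body += tlv(0x04, pub) + tlv(0x04, priv)
    b64 = base64.b64encode(tlv(0x30, body)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN TSS2 PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END TSS2 PRIVATE KEY-----\n"

def parse_tss2_pem(pem):
    """Return the key type, parent handle, handle class and blob sizes."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tag, seq, _ = read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid, pos = read_tlv(seq, 0)
    while seq[pos] & 0xC0 == 0x80:    # skip optional context-tagged fields
        _, _, pos = read_tlv(seq, pos)
    tag, parent, pos = read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected parent INTEGER")
    handle = int.from_bytes(parent, "big")
    _, pub, pos = read_tlv(seq, pos)
    _, priv, _ = read_tlv(seq, pos)
    return {"loadable": oid == LOADABLE_KEY_OID, "parent": handle,
            "parent_type": HANDLE_TYPES.get(handle >> 24, "other"),
            "pub_len": len(pub), "priv_len": len(priv)}
```

A NULL-hierarchy primary only ever gets a transient (0x80...) handle that is gone after the next reboot or context flush, so a file carrying that number cannot reliably name the parent later, which is why a saved context rather than a handle is needed.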
@joylatten (Author)

Currently, this won't work with NULL Hierarchy since everything is transient in this hierarchy.

@gotthardp gotthardp added enhancement New feature or request and removed question Further information is requested labels Oct 24, 2023
@gotthardp (Contributor)

Understood. I will try to implement loading of the context files, which should enable you to work with the NULL hierarchy. This may take some time because I am facing some openssl issues.

@joylatten (Author)

@gotthardp thank you. And please let me know if or what I can help with.

@gotthardp gotthardp self-assigned this Nov 5, 2023
@gotthardp (Contributor)

Alright. I created a branch ctxload (https://github.com/tpm2-software/tpm2-openssl/tree/ctxload) that can load the tpm2 context files produced by tpm2-tools. There is also an example https://github.com/tpm2-software/tpm2-openssl/blob/ctxload/test/rsa_import_null_sign.sh that demonstrates the steps you described above.

Please check and let me know if this is what you expect. I need to improve the code a bit, but I will keep that branch in a working state until it gets merged to the master branch.

@joylatten (Author)

Thank you, I will give it a try.
