Enrollment w/ IDevID or IAK certificates #173

Open
nicowilliams opened this issue Nov 14, 2022 · 2 comments

Comments

@nicowilliams (Contributor)

nicowilliams commented Nov 14, 2022

Currently Safeboot has an enrollment protocol where an admin enrolls {hostname, EKcert} (or even {hostname, EKpub} where there is a different way to validate the EKpub).

When systems come with IDevID or IAK certificates, then we could enroll {hostname, serial_number}, and the binding of an EKpub could then happen in an automated protocol where the client sends its IDevID or IAK certificate, and the EKpub, and then the enrollment protocol would encrypt assets for the host to the host's EKpub but with the cryptographic name of the IDevID/IAK as the activation object.

This makes for a simpler manual step than today: instead of having to boot trusted media to extract an EKcert, the admin would only have to copy a serial number from a manifest into an inventory system and assign a hostname.

The part of the protocol where the host sends its IDevID or IAK certs and the EKpub could be run in an isolated lab or in production networks. (In the former case the enrollment servers can be isolated for extra security.)

@nicowilliams (Contributor, Author)

@geoffthorpe

@nicowilliams (Contributor, Author)

So, basically we'd encrypt to the EKpub as in the WK method but with the name of the subject public key from the IDevID/IAK certificate as the activation object.

We don't even need to actually use the private keys for the IDevID/IAK -- the fact that TPM2_ActivateCredential() would require that key object to be loaded would be enough.
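Added example (not Safeboot code and not the project's enrollment protocol) for the mechanism both comments above lean on: TPM 2.0 credential protection (Library spec Part 1, §11.4.10 KDFa and §24.4) derives the credential's keys from the Name of the activation object and covers that Name with the integrity HMAC, so only a TPM that can load the IDevID/IAK key passes TPM2_ActivateCredential. The public areas, seed and encrypted identity are constructed stand-ins; the RSA-OAEP wrap of the seed to the EKpub and the AES-CFB step are assumed to have happened out of band and are not implemented here.

```python
"""TPM 2.0 credential protection (Library Part 1, §11.4.10 KDFa, §24.4): the blob is bound to
the Name of the activation object, so only a TPM able to load the IDevID/IAK key can activate it."""
import hashlib
import hmac
import struct

TPM_ALG_SHA256 = 0x000B


def kdfa(key: bytes, label: str, ctx_u: bytes, ctx_v: bytes, bits: int) -> bytes:
    # Part 1 §11.4.10.2: K(i) = HMAC(key, [i]32 || label || 0x00 || U || V || [bits]32), i from 1
    fixed = label.encode("ascii") + b"\x00" + ctx_u + ctx_v + struct.pack(">I", bits)
    out, i = b"", 1
    while len(out) * 8 < bits:
        out += hmac.new(key, struct.pack(">I", i) + fixed, hashlib.sha256).digest()
        i += 1
    return out[:(bits + 7) // 8]


def object_name(public_area: bytes) -> bytes:
    # Name = nameAlg || H_nameAlg(marshalled TPMT_PUBLIC); nameAlg fixed to SHA-256 here
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public_area).digest()


def credential_keys(seed: bytes, activation_name: bytes, ek_sym_bits: int = 128):
    # symKey  = KDFa(seed, "STORAGE", name, NULL, EK symmetric key bits) -- name is contextU
    # hmacKey = KDFa(seed, "INTEGRITY", NULL, NULL, nameAlg digest bits)
    return (kdfa(seed, "STORAGE", activation_name, b"", ek_sym_bits),
            kdfa(seed, "INTEGRITY", b"", b"", 256))


def make_credential(seed: bytes, enc_identity: bytes, activation_name: bytes) -> bytes:
    # Enrollment-server side. `seed` would be RSA-OAEP-wrapped to the EKpub (label "IDENTITY")
    # and `enc_identity` is the secret under AES-CFB(symKey); both are taken as given here.
    _, hmac_key = credential_keys(seed, activation_name)
    outer = hmac.new(hmac_key, enc_identity + activation_name, hashlib.sha256).digest()
    return struct.pack(">H", len(outer)) + outer + enc_identity


def activate_credential(seed: bytes, blob: bytes, loaded_public_area: bytes):
    # TPM side: the Name is recomputed from the object actually loaded, so a TPM holding
    # the EK but not the IDevID/IAK key fails the integrity check and recovers nothing.
    name = object_name(loaded_public_area)
    (size,) = struct.unpack(">H", blob[:2])
    outer, enc_identity = blob[2:2 + size], blob[2 + size:]
    _, hmac_key = credential_keys(seed, name)
    expect = hmac.new(hmac_key, enc_identity + name, hashlib.sha256).digest()
    return enc_identity if hmac.compare_digest(outer, expect) else None


# Constructed stand-ins (not real key material, not a real wrapped seed).
IDEVID_PUBLIC = b"\x00\x23\x00\x0b" + b"constructed IDevID TPMT_PUBLIC"
OTHER_PUBLIC = b"\x00\x23\x00\x0b" + b"constructed unrelated TPMT_PUBLIC"
SEED = hashlib.sha256(b"constructed seed").digest()
ENC_IDENTITY = bytes(range(34))  # stands in for AES-CFB(symKey, TPM2B_DIGEST secret)
```

Activating the blob with `OTHER_PUBLIC` loaded returns `None`, which is the property the comments rely on: the EK decrypts the seed, but the Name check ties the result to the IDevID/IAK object.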
