TPM operations in v2.3
andrew at lists.savchenko.net
Sun Apr 11 03:22:36 CEST 2021
Just read about the v2.3 release; TPM feature is straight from the "dreams
come true" category, massive update!
1. When the key is unsealed, which PCRs registers are queried to ensure that
measurements are the same as when the key was sealed?
2. Is there ability to change which PCRs are used during the `keytotpm` phase?
My very generic understanding of the process, please correct if the
assumptions below are false:
1. Key is generated on the target host
2. Key is sealed in TPM using user-supplied password and PCR registers
P.S. At the beginning of the blog-post, James says: "...is the ability to use
a TPM 2.0 (which comes with all reasonably recent laptops) to protect all
the private keys".
This can be changed to "reasonably recent anything", as these days TPMs
can be found in desktops, servers and CPUs. Either fTPM or dTPM, all
conforming to TPM v2.0 standard.
More information about the Gnupg-users