TPM endorsement key and SRK (DPS)

Question

TPM endorsement key and SRK (DPS)

Rajaoui Rachid (LEC) 26

Hi,

Azure DPS can provision devices with TPM if we give it the endorsement key (individual enrollment).
In TPM 1.2 we had only one endorsement key and a storage root key.
But in TPM 2.0 specification, we instead have 4 hierarchy :

1) Endorsement Hierarchy (TPM_RH_ENDORSEMENT)
2) Owner Hierarchy (TPM_RH_OWNER)
3) Platform Hierarchy (TPM_RH_PLATFORM)
4) Null Hierarchy (TPM_RH_NULL)

Each have a dedicated seed, and with this seed we can derive multiple primary keys (RSA, ECC,...) using KDF (Key Derivation Functions).
The question is :

-Regarding TPM 2.0 specification, why do we mean by endorsement key since we can have multiple primary keys in the endorsement hierarchies ?
-Is the SDK (Microsoft.Azure.Provisioning.Security.Tpm) compatible with TPM 2.0 specification ?

Thank you in advance.

AshokPeddakotla-MSFT 35,971 Reputation points Moderator

2022-07-25T10:26:48.553+00:00

@Rajaoui Rachid (LEC) Thanks for your query.

Did you look at this doc already? TPM attestation It has all the information.

Regarding TPM 2.0 specification, why do we mean by endorsement key since we can have multiple primary keys in the endorsement hierarchies ?

TPMs use something called the endorsement key (EK) as the secure root of trust. The EK is unique to the TPM and changing it essentially changes the device into a new one.

There's another type of key that TPMs have, called the storage root key (SRK). An SRK may be generated by the TPM's owner after it takes ownership of the TPM. Taking ownership of the TPM is the TPM-specific way of saying "someone sets a password on the HSM." If a TPM device is sold to a new owner, the new owner can take ownership of the TPM to generate a new SRK. The new SRK generation ensures the previous owner can't use the TPM. Because the SRK is unique to the owner of the TPM, the SRK can be used to seal data into the TPM itself for that owner. The SRK provides a sandbox for the owner to store their keys and provides access revocability if the device or TPM is sold. It's like moving into a new house: taking ownership is changing the locks on the doors and destroying all furniture left by the previous owners (SRK), but you can't change the address of the house (EK).

Once a device has been set up and ready to use, it will have both an EK and an SRK available for use.
Rajaoui Rachid (LEC) 26 Reputation points

2022-07-25T20:05:15.683+00:00

Sorry,

but I know this link, can you look into my question again ?
To sum up, your link explained that we have one endorsement key and one storage root key, but that is the specification of TPM 1.2.

https://lenovopress.lenovo.com/lp0599.pdf

You can also read the TCG specification.
I think you should ask expert to update the documentation to be compatible with TPM 2.0.
For instance I can have in the endorsement hierarchy two primary keys, one implementing RSA and another implement ECC (Elliptic Curve).
Thank you for your answer and your reactivity anyway.

1 answer

Your answer

AshokPeddakotla-MSFT 35,971 Reputation points Moderator

2022-07-25T10:26:48.553+00:00

@Rajaoui Rachid (LEC) Thanks for your query.

Did you look at this doc already? TPM attestation It has all the information.

Regarding TPM 2.0 specification, why do we mean by endorsement key since we can have multiple primary keys in the endorsement hierarchies ?

TPMs use something called the endorsement key (EK) as the secure root of trust. The EK is unique to the TPM and changing it essentially changes the device into a new one.

There's another type of key that TPMs have, called the storage root key (SRK). An SRK may be generated by the TPM's owner after it takes ownership of the TPM. Taking ownership of the TPM is the TPM-specific way of saying "someone sets a password on the HSM." If a TPM device is sold to a new owner, the new owner can take ownership of the TPM to generate a new SRK. The new SRK generation ensures the previous owner can't use the TPM. Because the SRK is unique to the owner of the TPM, the SRK can be used to seal data into the TPM itself for that owner. The SRK provides a sandbox for the owner to store their keys and provides access revocability if the device or TPM is sold. It's like moving into a new house: taking ownership is changing the locks on the doors and destroying all furniture left by the previous owners (SRK), but you can't change the address of the house (EK).

Once a device has been set up and ready to use, it will have both an EK and an SRK available for use.
Rajaoui Rachid (LEC) 26 Reputation points

2022-07-25T20:05:15.683+00:00

Sorry,

but I know this link, can you look into my question again ?
To sum up, your link explained that we have one endorsement key and one storage root key, but that is the specification of TPM 1.2.

https://lenovopress.lenovo.com/lp0599.pdf

You can also read the TCG specification.
I think you should ask expert to update the documentation to be compatible with TPM 2.0.
For instance I can have in the endorsement hierarchy two primary keys, one implementing RSA and another implement ECC (Elliptic Curve).
Thank you for your answer and your reactivity anyway.

Answer 1

Rajaoui Rachid (LEC) 26

Ok I have the answer,
In fact in the SecurityProviderTpmHsm class, you create a new endorsement key in the endorsement hierarchy.
But since the endorsement hierarchy has a dedicated seed and the new key template is always the same, we always get the same key when we recreate it.
It's also the same for the TPM_RH_OWNER hierarchy (storage).
So yeah, actually the SDK is using TPM 2.0 specification.

Thank you.

Share via

TPM endorsement key and SRK (DPS)

1 answer

Your answer