TPM endorsement key and SRK (DPS)

Rajaoui Rachid (LEC) 26 Reputation points
2022-07-21T12:36:02.523+00:00

Hi,

Azure DPS can provision devices with a TPM if we give it the endorsement key (individual enrollment).
In TPM 1.2 we had only one endorsement key and one storage root key.
But in the TPM 2.0 specification we instead have four hierarchies:

1) Endorsement Hierarchy (TPM_RH_ENDORSEMENT)
2) Owner Hierarchy (TPM_RH_OWNER)
3) Platform Hierarchy (TPM_RH_PLATFORM)
4) Null Hierarchy (TPM_RH_NULL)

Each has a dedicated seed, and from this seed we can derive multiple primary keys (RSA, ECC, ...) using KDFs (key derivation functions).
The questions are:

- Regarding the TPM 2.0 specification, what do we mean by "the endorsement key", since we can have multiple primary keys in the endorsement hierarchy?
- Is the SDK (Microsoft.Azure.Provisioning.Security.Tpm) compatible with the TPM 2.0 specification?

Thank you in advance.


1 answer

Rajaoui Rachid (LEC) 26 Reputation points
2022-07-28T08:20:42.847+00:00

OK, I have the answer.
In fact, in the SecurityProviderTpmHsm class, you create a new endorsement key in the endorsement hierarchy.
But since the endorsement hierarchy has a dedicated seed and the new key's template is always the same, we always get the same key when we recreate it.
It's also the same for the TPM_RH_OWNER hierarchy (storage).
So yes, the SDK actually is using the TPM 2.0 specification.

Thank you.

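The following is an added example, not code from this thread and not Microsoft's SecurityProviderTpmHsm. It models the mechanism the question (one seed per hierarchy, primaries derived from it with a KDF) and the answer (a constant template therefore recreates the same EK and SRK) both rely on. Assumptions: the hypothetical `SimTpm` class stands in for a TPM; the EK template is taken to be the RSA-2048 template from the TCG EK Credential Profile (the thread only says the SDK's template is constant); and primary creation is simplified to drawing the secret straight from the spec's KDFa, whereas a real TPM seeds a DRBG from the hierarchy seed plus the marshalled template and runs RSA or ECC key generation from it. The seeds are generated locally for the demo.

```python
"""Model of TPM 2.0 primary-key derivation (added example, not the thread's or
Microsoft's code).  Shows why an "endorsement key" is a stable, reproducible
primary key even though the endorsement hierarchy can hold many primaries:
primary key = f(hierarchy seed, template), so a fixed template always
recreates the same key until that hierarchy's seed is replaced."""
import hashlib
import hmac
import os
import struct

# Permanent hierarchy handles (TPM_RH_*) from the TPM 2.0 Library spec.
TPM_RH_OWNER = 0x40000001
TPM_RH_NULL = 0x40000007
TPM_RH_ENDORSEMENT = 0x4000000B
TPM_RH_PLATFORM = 0x4000000C
TPM_ALG_RSA, TPM_ALG_SHA256 = 0x0001, 0x000B

# RSA-2048 EK template from the TCG EK Credential Profile (fixed policy digest).
# Assumption: this is the template the Azure SDK recreates; the thread only
# says the template is constant.
EK_RSA2048_TEMPLATE = {
    "type": TPM_ALG_RSA,
    "name_alg": TPM_ALG_SHA256,
    "attributes": 0x000300B2,  # fixedTPM|fixedParent|sensitiveDataOrigin|adminWithPolicy|restricted|decrypt
    "auth_policy": bytes.fromhex("837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa"),
    "key_bits": 2048,
    "unique": bytes(256),  # all-zero in the template; the TPM fills in the modulus
}
# Typical SRK template: userWithAuth instead of adminWithPolicy, empty policy.
SRK_RSA2048_TEMPLATE = dict(EK_RSA2048_TEMPLATE, attributes=0x00030072, auth_policy=b"")


def kdfa(key: bytes, label: bytes, context_u: bytes, context_v: bytes, bits: int) -> bytes:
    """KDFa from TPM 2.0 Part 1 (SP800-108 counter mode), with SHA-256."""
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        counter += 1
        msg = (struct.pack(">I", counter) + label + b"\x00" + context_u + context_v
               + struct.pack(">I", bits))
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: (bits + 7) // 8]


def marshal_public(t: dict, unique=None) -> bytes:
    """Deterministic encoding of a TPMT_PUBLIC (simplified; not the spec's wire format)."""
    u = t["unique"] if unique is None else unique
    return (struct.pack(">HHI", t["type"], t["name_alg"], t["attributes"])
            + struct.pack(">H", len(t["auth_policy"])) + t["auth_policy"]
            + struct.pack(">H", t["key_bits"])
            + struct.pack(">H", len(u)) + u)


class SimTpm:
    """Hypothetical TPM: one primary seed per hierarchy (EPS, SPS, PPS, null seed)."""

    def __init__(self, rng=os.urandom):
        self.rng = rng
        self.seeds = {h: rng(32) for h in
                      (TPM_RH_OWNER, TPM_RH_ENDORSEMENT, TPM_RH_PLATFORM, TPM_RH_NULL)}

    def create_primary(self, hierarchy: int, template: dict) -> dict:
        """TPM2_CreatePrimary: the key is a pure function of (seed, template).
        Model: secret = KDFa(seed, template).  A real TPM instead instantiates a
        DRBG from the seed and the marshalled template and runs RSA/ECC key
        generation from that DRBG, which is deterministic in the same way."""
        seed = self.seeds[hierarchy]
        template_bytes = marshal_public(template)
        sensitive = kdfa(seed, b"PRIMARY", template_bytes, b"", template["key_bits"])
        # Stand-in for the public key derived from the secret (a hash here, a modulus in reality).
        unique = hashlib.sha256(b"public-of:" + sensitive).digest()
        public_area = marshal_public(template, unique)
        # Name = nameAlg || H_nameAlg(public area), as in the spec.
        name = struct.pack(">H", template["name_alg"]) + hashlib.sha256(public_area).digest()
        return {"name": name, "public_area": public_area, "sensitive": sensitive}

    def change_eps(self) -> None:
        """TPM2_ChangeEPS: new endorsement seed, every endorsement-hierarchy primary changes."""
        self.seeds[TPM_RH_ENDORSEMENT] = self.rng(32)

    def clear(self) -> None:
        """TPM2_Clear: new storage seed, so the SRK changes but the EK does not."""
        self.seeds[TPM_RH_OWNER] = self.rng(32)


if __name__ == "__main__":
    tpm = SimTpm()
    ek = tpm.create_primary(TPM_RH_ENDORSEMENT, EK_RSA2048_TEMPLATE)
    again = tpm.create_primary(TPM_RH_ENDORSEMENT, EK_RSA2048_TEMPLATE)
    print("EK recreated from the same template has the same name:", ek["name"] == again["name"])
    print("Same template under the owner seed is a different key:",
          tpm.create_primary(TPM_RH_OWNER, EK_RSA2048_TEMPLATE)["name"] != ek["name"])
    print("EK with an empty policy is a different key:",
          tpm.create_primary(TPM_RH_ENDORSEMENT, dict(EK_RSA2048_TEMPLATE, auth_policy=b""))["name"] != ek["name"])
    srk = tpm.create_primary(TPM_RH_OWNER, SRK_RSA2048_TEMPLATE)
    tpm.clear()
    print("After TPM2_Clear the SRK changes:",
          tpm.create_primary(TPM_RH_OWNER, SRK_RSA2048_TEMPLATE) != srk,
          "and the EK does not:",
          tpm.create_primary(TPM_RH_ENDORSEMENT, EK_RSA2048_TEMPLATE) == ek)
```

Two practical consequences follow from the model. First, "the" EK is only well defined relative to a template: the EK public that is registered with DPS for an individual enrollment must come from the same template (same policy, same key size, same name algorithm) that the device-side SDK recreates, or the names will not match even though both keys live in the endorsement hierarchy. Second, the key is stable only as long as the hierarchy seed is: TPM2_Clear regenerates the storage seed (new SRK, EK unchanged), and TPM2_ChangeEPS regenerates the endorsement seed (new EK, so the DPS enrollment must be updated). On real hardware the same check is to run tpm2_createek twice and compare the names reported by tpm2_readpublic.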
