From a26fda653fcd8400df58a582be4c001639dd1996 Mon Sep 17 00:00:00 2001
From: Evgeny Shatokhin
Date: Wed, 27 Mar 2024 17:20:25 +1100
Subject: [PATCH] A note for Linux clients of tpm.EKs(). Fix the doc for attest.ActivateCredentialWithEK() as well.
---
 attest/attest.go | 2 +-
 attest/tpm.go | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/attest/attest.go b/attest/attest.go
index fb9b6b25..b305c8b3 100644
--- a/attest/attest.go
+++ b/attest/attest.go
@@ -147,7 +147,7 @@ func (k *AK) ActivateCredential(tpm *TPM, in EncryptedCredential) (secret []byte
 return k.ak.activateCredential(tpm.tpm, in, nil)
 }
 
-// ActivateCredential decrypts the secret using the key to prove that the AK
+// ActivateCredentialWithEK decrypts the secret using the key to prove that the AK
 // was generated on the same TPM as the EK. This method can be used with TPMs
 // that have an ECC EK. The 'ek' argument must be one of EKs returned from
 // TPM.EKs() or TPM.EKCertificates().
diff --git a/attest/tpm.go b/attest/tpm.go
index 31217728..e7f121fb 100644
--- a/attest/tpm.go
+++ b/attest/tpm.go
@@ -365,6 +365,10 @@ func (t *TPM) Close() error {
 }
 
 // EKs returns the endorsement keys burned-in to the platform.
+// Note for Linux clients: for historical reasons, the method assumes that
+// the TPM has a single EK, and the EK's type is RSA. If the EK's type is ECC
+// and the TPM contains an ECC EK Certificate, the EKCertificates() method
+// should be used to retrieve the EKs.
 func (t *TPM) EKs() ([]EK, error) {
 return t.tpm.eks()
 }
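Review bot: The new note on EKs() in attest/tpm.go tells Linux callers that the method assumes a single RSA EK, but not what the method actually does when that assumption fails — whether it returns an error, an empty slice, or a key that will not match the platform's EK certificate — and that is the information a caller needs to decide when to fall back to EKCertificates(). The body is just `return t.tpm.eks()`, so the behaviour lives outside this hunk; the comment should state whichever case the implementation produces rather than leave readers to discover it. This matters for attestation flows, since ActivateCredentialWithEK() (first hunk) documents that its 'ek' argument must come from TPM.EKs() or TPM.EKCertificates(), and an EK that does not correspond to the TPM's real endorsement hierarchy cannot be used to establish trust in the AK. I would add one more line to the doc comment, for example `// In that case the result from this method must not be used with ActivateCredentialWithEK().`, adjusted to the real behaviour of eks() on Linux. The attest.go hunk only corrects the function name in the comment and needs no change.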