EK Cert shall be provisioned with both RSA2048 and ECP384 #100

Open
mxu9 opened this issue Sep 19, 2023 · 1 comment

mxu9 commented Sep 19, 2023

In EK Credential Spec v2.3 Section 2.2.1.5: For TPMs designed to meet Windows [22], the High Range can be used for additional RSA 2048 or ECC NIST P256 keys, but the first RSA 2048 and ECC NIST P256 key MUST be provisioned in the Low Range.
It means the EK Cert of RSA2048 is mandatory.

But in EK Credential Spec v2.4 Section 2.2.1.4: NOTE 2: Earlier versions of this specification (V2.1 - V2.3) required that for TPMs designed to meet a specific operating system, the low range had to be used for the RSA 2048 EK and the ECC NIST P256 EK. This has been removed as of version 2.4. The reader should consult their respective operating system requirements.

To be compatible with both rev 2.3 and rev 2.4, the EKs of RSA2048 and ECP384 shall both be provisioned.

@mxu9 mxu9 self-assigned this Sep 19, 2023
@mxu9 mxu9 added this to the 2023'Q3 milestone Sep 19, 2023

jyao1 commented Sep 19, 2023

Should we use RSA3072 and ECP384? Otherwise it is NOT CNSA compliant.
