Thore Sommer

Results 112 comments of Thore Sommer

I need to check if I can sign the CLA. This might take a longer time. Is it possible to contribute changes without the CLA?

@ansasaki should we just implement the check by parsing the DER structure? I have that code mostly ready anyway for that.

Can you check if swtpm can load certificates for ECC, because it looks like the NV index where the ECC certificate is normally located does not exist? Besides that,...

Hmm that's interesting, thank you for checking. It might be an issue with the upstream library and not us. Yes the index `0x1C00016` is correct according to https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p4_r3.pdf

Ok the issue is that swtpm uses the P-384 curve for ECC and the rust bindings and tpm2-tools use P-256. The question is if we need to make this parameter...

The idea is probably going to be to provide an "auto" option that chooses the best curve (by e.g. checking if we have an EK certificate for that) and a...

We now have the code to handle this in the TSS bindings. Once the next version is released, I'll look into how we implement it in Keylime.

@ansasaki that would be nice! Note that there was a bug in `create_ak` for ECC keys in some versions that was only fixed last week: https://github.com/parallaxsecond/rust-tss-esapi/pull/464

@ansasaki have you had the chance to look at this? We at least should make sure that some ECC options work.

Right, the fix is only in part of the 8.0.0 alpha branch. Do you think this is worth trying to ask to backport it into a stable branch?