Linking a certificate stored in TPM memory

[nicolatimeus]

Hi,

If I understood correctly, the tpm2_ptool addcert command stores the provided certificate in the database file. Is there any way to expose via PKCS11 a certificate stored in TPM memory?

[williamcroberts]

Hi,

If I understood correctly, the tpm2_ptool addcert command stores the provided certificate in the database file. Is there any way to expose via PKCS11 a certificate stored in TPM memory?

The tpm doesn't store certificates, it stores assymetric and symmetric keys. It can also seal arbitrary user defined data, but it has to be pretty small. Storing a certificate in the TPM would be a waste of space, as it's just a public key and some associated attributes and metadata. What's your use case?

[nicolatimeus]

Hi, sorry for the late reply. Having the certificates stored on the TPM could allow using policies for managing the access, another benefit for having the certificates and the metadata on the TPM could be the fact that it makes possible to wipe the partition without the need of recreating the db.

[williamcroberts]

Hi, sorry for the late reply. Having the certificates stored on the TPM could allow using policies for managing the access,

What's the benefit there? Certificates are public data, so I don't see why controls further than the file access controls on the DB really matter. They only way to store certificates would be NV space, I don't think seal objects will be big enough as certificates are rather large. Using NV space is almost always a bad idea.

another benefit for having the certificates and the metadata on the TPM could be the fact that it makes possible to wipe the partition without the need of recreating the db.

All the objects in use by PKCS11 are non-persistent keys, to not require NV space, as it's very limited. So we would have to store all the data in NV space to make this work. NV space is extremely limited and shouldn't be used unless absolutely required.