tpm2-tss
Creating a primary key with the FAPI with an empty "unique" field
I'm trying to create the keys based on the TCG specification: https://trustedcomputinggroup.org/wp-content/uploads/TPM-2p0-Keys-for-Device-Identity-and-Attestation_v1_r12_pub10082021.pdf
When creating a primary signing key under the endorsement hierarchy the unique field gets populated automatically. Is there any way to disable this behavior?
If you use the tpm2 tool command tpm2_createprimary you can disable the output with the quiet option -Q.
Sorry, I was too fast and didn't read your question correctly.
The unique field is initialized according to the EK credential profile for the EK (/HE/EK). If you create a primary signing key in the endorsement hierarchy (e.g. /HE/mykey) with the attributes "user,sign", this initialization is not done.
I tried doing this and the unique field is still being populated for both "restricted, sign, user" and "user, sign". So, does the FAPI assume that any primary key under HE is an EK?
I have created a primary signing key with FAPI:
tss2_createkey -p /P_RSA2048SHA256/HE/mykey -t "user,sign"
and with the tpm tools:
tpm2_createprimary -Grsa2048 -C e -c prim.ctx -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|sign"
In both cases the same public key is produced. The unique field is empty when Esys_CreatePrimary is called.
But if the key has to be recreated (e.g. for tss2_sign), the key is incorrectly created under the storage hierarchy.
I will create a PR to fix this problem.
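The thread above turns on what is actually in the public area's unique field and attributes when the primary key is created. The following is an added example, not code from tpm2-tss or from the tpm2-tools project: a small parser for an RSA TPM2B_PUBLIC (the structure that tools such as tpm2_createprimary -u or tpm2_readpublic -o write out; that file layout is an assumption here) which reports the unique length, whether it is all zeros, and the decoded TPMA_OBJECT attributes. It also builds two constructed templates for comparison: an EK-style one with the 256 zero bytes the EK credential profile puts in unique (the auth policy digest is a zero placeholder, not the real EK policy), and a plain "user,sign" one with an empty unique. Because TPM2_CreatePrimary derives the primary key from the hierarchy seed and the complete template, unique included, a tool that silently pre-fills unique produces a different primary key than one that leaves it empty, which is exactly the discrepancy a check like this makes visible.

```python
"""Decode an RSA TPM2B_PUBLIC and report the 'unique' field and attributes.

Added example (not tpm2-tss or tpm2-tools code). Assumes big-endian TPM
marshalling as in TPM 2.0 Library Part 2 and handles RSA keys only.
"""
import struct
import sys

# Algorithm identifiers from TPM 2.0 Library Part 2 (TPM_ALG_ID).
TPM_ALG_RSA = 0x0001
TPM_ALG_AES = 0x0006
TPM_ALG_SHA256 = 0x000B
TPM_ALG_NULL = 0x0010
TPM_ALG_RSASSA = 0x0014
TPM_ALG_CFB = 0x0043

# TPMA_OBJECT bit positions (names match the tpm2-tools -a syntax).
TPMA_OBJECT = {
    "fixedtpm": 1 << 1,
    "stclear": 1 << 2,
    "fixedparent": 1 << 4,
    "sensitivedataorigin": 1 << 5,
    "userwithauth": 1 << 6,
    "adminwithpolicy": 1 << 7,
    "noda": 1 << 10,
    "encryptedduplication": 1 << 11,
    "restricted": 1 << 16,
    "decrypt": 1 << 17,
    "sign": 1 << 18,
}


class _Reader:
    """Minimal big-endian cursor over a byte string."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def u16(self):
        (v,) = struct.unpack_from(">H", self.data, self.off)
        self.off += 2
        return v

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def tpm2b(self):
        # TPM2B_*: 16-bit size followed by that many bytes.
        n = self.u16()
        buf = self.data[self.off:self.off + n]
        if len(buf) != n:
            raise ValueError("truncated TPM2B")
        self.off += n
        return buf


def parse_rsa_public(data, wrapped=True):
    """Parse a TPM2B_PUBLIC (wrapped=True) or bare TPMT_PUBLIC for an RSA key."""
    r = _Reader(data)
    if wrapped:
        size = r.u16()
        if size != len(data) - 2:
            raise ValueError("TPM2B_PUBLIC size does not match buffer")
    if r.u16() != TPM_ALG_RSA:
        raise ValueError("only TPM_ALG_RSA public areas are handled here")
    name_alg = r.u16()
    attrs = r.u32()
    auth_policy = r.tpm2b()
    # TPMS_RSA_PARMS: symmetric, scheme, keyBits, exponent.
    if r.u16() != TPM_ALG_NULL:      # TPMT_SYM_DEF_OBJECT present
        r.u16(), r.u16()             # keyBits, mode
    if r.u16() != TPM_ALG_NULL:      # TPMT_RSA_SCHEME present
        r.u16()                      # hashAlg
    key_bits = r.u16()
    exponent = r.u32()
    unique = r.tpm2b()               # TPM2B_PUBLIC_KEY_RSA
    if r.off != len(data):
        raise ValueError("trailing bytes after TPMT_PUBLIC")
    return {
        "name_alg": name_alg,
        "attributes": sorted(n for n, bit in TPMA_OBJECT.items() if attrs & bit),
        "auth_policy_len": len(auth_policy),
        "key_bits": key_bits,
        "exponent": exponent,
        "unique_len": len(unique),
        "unique_is_zero": all(b == 0 for b in unique),
    }


def build_rsa_template(attr_names, auth_policy=b"", unique=b"", symmetric=False):
    """Marshal a constructed RSA-2048/SHA-256 TPM2B_PUBLIC template."""
    attrs = 0
    for name in attr_names:
        attrs |= TPMA_OBJECT[name]
    body = struct.pack(">HHI", TPM_ALG_RSA, TPM_ALG_SHA256, attrs)
    body += struct.pack(">H", len(auth_policy)) + auth_policy
    if symmetric:                    # restricted decrypt keys carry AES-128-CFB
        body += struct.pack(">HHH", TPM_ALG_AES, 128, TPM_ALG_CFB)
    else:
        body += struct.pack(">H", TPM_ALG_NULL)
    body += struct.pack(">H", TPM_ALG_NULL)          # scheme: NULL
    body += struct.pack(">HI", 2048, 0)              # keyBits, default exponent
    body += struct.pack(">H", len(unique)) + unique
    return struct.pack(">H", len(body)) + body


# Constructed samples, not real TPM output. EK_STYLE mirrors the EK credential
# profile shape (unique = 256 zero bytes; policy digest is a zero placeholder).
EK_STYLE = build_rsa_template(
    ["fixedtpm", "fixedparent", "sensitivedataorigin", "adminwithpolicy",
     "restricted", "decrypt"],
    auth_policy=bytes(32), unique=bytes(256), symmetric=True)
SIGN_STYLE = build_rsa_template(
    ["fixedtpm", "fixedparent", "sensitivedataorigin", "userwithauth", "sign"])

if __name__ == "__main__":
    # Usage: python check_unique.py pub.bin   (or no argument for the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(parse_rsa_public(f.read()))
    else:
        print("EK-style  :", parse_rsa_public(EK_STYLE))
        print("user,sign :", parse_rsa_public(SIGN_STYLE))
```

Run it against the public area saved from each tool and compare unique_len: a key created from a "user,sign" template should show unique_len 0, while an EK created per the credential profile shows 256 zero bytes in the template and, once the TPM has generated the key, the actual modulus in the returned public area.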