Changes between Version 15 and Version 16 of tpm


Timestamp:
05/15/2026 07:10:27 PM (32 hours ago)
Author:
Ryan Erb
Comment:

add ek section

  • tpm

    v15 v16  
    327327 - [https://bootlin.com/blog/measured-boot-with-a-tpm-2-0-in-u-boot/ Measured boot with a TPM 2.0 in U-Boot]
    328328
     329== Endorsement Keys
     330
     331The TPM has endorsement keys (EK) but does not have certificates signed by Microchip, but rather expects you to sign your own.
     332
     333Microchip classifies the TPM SKU (ATTPM20P-H6MA1-10) as an "Industrial - Pre-gen EK" model. This means the Endorsement Keypair (the raw RSA and ECC cryptographic keys) is permanently generated and locked into the silicon at the factory. However, it does not include an X.509 certificate signed by Microchip's Certificate Authority (CA). 
     334
     335It expects you to use the existing hardware keys to generate and sign your own certificates via an internal Public Key Infrastructure (PKI) if your threat model requires EK attestation.
     336
     337Many high-security environments actually prefer this method over factory-provisioned certificates. In this case, you won't be relying on certificates from Microchip and you have more strict control. You can also potentially embed more custom metadata into the certificate.
     338
    329339== Additional Resources
    330340 * Gateworks Venice Secure Boot Wiki:  [wiki:venice/secure_boot Gateworks TPM Wiki when used with Secure Boot]
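Review bot: lines 331 and 335 ("expects you to sign your own", "use the existing hardware keys to generate and sign your own certificates") can be read as saying the EK itself signs the certificate, which it cannot: under the default TCG EK templates the EK is a restricted decryption key with no sign attribute, so the EK certificate is issued by your internal CA over the EK public key read from the TPM, and attestation signatures come from a separate attestation key whose binding to the EK is proven through credential activation. Suggest rewording line 335 to "use the EK public key, read from the TPM, as the subject of an EK certificate issued by your own CA", and adding a sentence on how the EK public key is obtained on this board (for example with the tpm2-tools commands the page's other sections already rely on) so the reader has a concrete starting point. Two smaller points: line 333 ends with a trailing space, and "more strict control" on line 337 reads better as "stricter control"; the claim on line 337 that "many high-security environments actually prefer this method" would also benefit from a reference, since nothing on the page supports it.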