create_tpm2_key: add a --restricted option
Right at the moment we create unrestricted signing and decryption
keys. These keys are the most useful for cryptographic operations,
but they cannot be used as parents for any other key. The addition of
the --restricted option allows the creation of restricted decryption
keys (aka storage keys) which can be used as parents for other keys.
One of the requirements of storage keys is that they must have a
symmetric seed that can be used to protect the sensitive parts of
child keys. For wrapped keys, we derive the symmetric seed from the
public and private parts of the wrapped key, meaning the same wrapped
key always has the same symmetric seed. This allows child keys of a
wrapped parent to be transported between TPMs.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
1 file changed
