Improve the certify example documentation.

wolfSSL · Aug 21, 2024 · 76395e0 · 76395e0
1 parent f2b1867
commit 76395e0
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 4 deletions.
diff --git a/examples/attestation/README.md b/examples/attestation/README.md
@@ -102,7 +102,18 @@ The transfer of the challenge response containing the secret in plain (or used a
 
 ### Certify Example
 
-This example creates an RSA or ECC initial device identity and attestation identity keys. These are created under the endorsement heiracry and follow the "TPM 2.0 Keys for Device Identity and Attestation" TCG specification for setting up the primary key policies. The IDevID key can be used for signing. This example signs the IAK (attestation key) using the IDevID (device identity key).
+The certify example shows how to use the `TPM2_Certify` API to sign the attestation info for another key. This can be used to prove that an object with a specific name is loaded into the TPM. A common example of this is using the restricted IAK to sign the attestation information for the IDevID.
+
+The create_primary example support creating RSA or ECC initial device identity (IDevID) and attestation identity (IAK) keys. These are created under the endorsement hierarchy and follow the "TPM 2.0 Keys for Device Identity and Attestation" TCG specification for setting up the primary key policies. Figures 10 and 11 fom this specification shows the IAK/IDevID policy.
+
+![Figure 10: Example IDevID Key Delegation Policy](examples/attestation/tpm_idevid_policy.png)
+
+![Figure 11: Example IAK Key Delegation Policy](examples/attestation/tpm_iak_policy.png)
+
+The IDevID key can be used for external non-restrictive signing.
+The IAK is used for internal attestation.
+
+Here we use the IAK to certify the attestation information for the IDevID key.
 
 ```sh
 % ./examples/keygen/create_primary -rsa -eh -iak -keep
@@ -121,8 +132,8 @@ TPM2.0 Primary Key generation example
         Use Parameter Encryption: NULL
 Creating new RSA primary key...
 
-% ./examples/attestation/certify -rsa -certify=0x80000000 -signer=0x80000001
-Certify 0x80000000 with 0x80000001 to generate TPM-signed attestation info
+% ./examples/attestation/certify -rsa -certify=0x80000001 -signer=0x80000000
+Certify 0x80000001 with 0x80000000 to generate TPM-signed attestation info
 EK Policy Session: Handle 0x3000000
 TPM2_Certify complete
 Certify Info 172

diff --git a/examples/attestation/include.am b/examples/attestation/include.am
@@ -33,4 +33,6 @@ DISTCLEANFILES+= examples/attestation/.libs/make_credential \
                  examples/attestation/.libs/activate_credential \
                  examples/attestation/.libs/certify
 
-EXTRA_DIST+= examples/attestation/README.md
+EXTRA_DIST+= examples/attestation/README.md \
+             examples/attestation/tpm_idevid_policy.png \
+             examples/attestation/tpm_iak_policy.png
diff --git a/examples/attestation/tpm_iak_policy.png b/examples/attestation/tpm_iak_policy.png
diff --git a/examples/attestation/tpm_idevid_policy.png b/examples/attestation/tpm_idevid_policy.png