I've been playing around with device-attest-01 and TPMs to see what it is usable for. I feel that it's really underdocumented and quite hard to figure out. I've gotten stuck on attestation-ca-url, which, as far as I see it, is the URL to the HTTP service that is supposed to do the challenge against the TPM to verify that the TPM has access to the key, but here I'm stuck. This is supposed to be an HTTP service on /attest that takes a tpmInfo JSON structure, but I can't find any traces of this anywhere in either the documentation or in the source about which service this is supposed to be. Is there any more information on what this service is supposed to be? Are there any example setups on how to use device-attest-01 and TPMs?
Hi @glance-,
Thanks for the note.
There is no support for device-attest-01 TPM certificate flows in our open source packages. In open source, we support YubiKey and Apple MDA flows at the moment.
The TPM flow is more complex and it requires an attestation CA.
We are rolling out Linux TPM support (including attestation CAs) for device and client certificates, in our commercial product. If you're interested in that, feel free to reach out and we can show you what we offer there.
And if there's more you'd like to see in open source, feel free to open an enhancement issue so we can track your request.