Re: [TrouSerS-users] TPM_Seal

[Ken G. <kgo...@us...>]

On 9/23/2013 11:19 PM, 张智 wrote:

>        We may argue that the key that TPM_Seal uses is non-migratable
> and thus the sealed blob migration is not available, what if the
> non-migratable key is wrapped with migratable keys, then it would become
> migratable ?

You cannot wrap a child non-migratable key with a parent migratable key.

See TPM_CreateWrapKey Action 5.

5. If parentHandle -> keyFlags -> migratable is TRUE and keyInfo -> 
keyFlags -> migratable is FALSE then return TPM_INVALID_KEYUSAGE