Key sizes for RSA and curves for ECC are not configurable in ECC abstractions

[THS-on]

Currently the code assumes that the key size for RSA is 2048 and that the ECC P-256 curve is used.
This for example does not work with swtpm's ECC configuration, which uses the P-384 curve when provisioning a ECC EK certificate. This then affects also retrieve_ek_pubcert() because it cannot find the ECC certificate because only at the index for P-384 is one provided and not at the one for P-256.

NV-Indexes for P-384 EK certificates and others are defined in section 2.2.1.5 of TCG EK Credential Profile for TPM Family 2.0; Level 0 Version 2.3 Revision 2.

Minimal reproducer

main.rs

use tss_esapi::*;

fn main() {
    let tcti_name_conf = TctiNameConf::from_environment_variable().expect("Failed to get TCTI");
    let mut ctx = Context::new(tcti_name_conf).expect("Failed to init context");
    abstraction::ek::retrieve_ek_pubcert(&mut ctx, interface_types::algorithm::AsymmetricAlgorithm::Ecc).expect("Failed to get ECC Cert");
}

Starting the TPM

mkdir -p /tmp/emulated_tpm 
sudo swtpm_setup \
    --tpmstate '/tmp/emulated_tpm' --create-ek-cert \
    --create-platform-cert \
    --lock-nvram \
    --tpm2 \
    --ecc

sudo swtpm chardev --vtpm-proxy  --tpmstate dir=/tmp/emulated_tpm  --tpm2

Error message that the index certificate cannot be found.

sudo TCTI="device:/dev/tpmrm1" ./target/debug/minimal-read-ek
WARNING:esys:src/tss2-esys/api/Esys_NV_ReadPublic.c:309:Esys_NV_ReadPublic_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/esys_tr.c:209:Esys_TR_FromTPMPublic_Finish() Error NV_ReadPublic ErrorCode (0x0000018b) 
ERROR:esys:src/tss2-esys/esys_tr.c:320:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x0000018b) 
thread 'main' panicked at 'Failed to get ECC Cert: Tss2Error(FormatOne(FormatOneResponseCode { .0: 395, error_number: 11, parameter: false, format_selector: true, number: 1 }))', src/main.rs:6:117
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Note that tpm2_createek also only currently only supports ECC with P-256.

[ionut-arm]

Hey, apologies for the delay - this does sound like an issue, and I assume there are actual TPMs out there that use other algorithms/indexes as well. Maybe an option would be to introduce a very minimal configuration to those functions, but I wouldn't think something very comprehensive - that covers all the possible parameters - would make sense.

Don't know if I have the bandwidth to implement this for now, though.

[THS-on]

I agree that it makes to only cover the most common ones in the spec.

How do you think should the configuration options look like? I can do the implementation when we have defined the API.

[ionut-arm]

Sorry, this fell off my radar.

Maybe a better option would be to replace the current AsymmetricAlgorithm input with a new enum that's defined in this module that covers and defines currently supported configurations. We can then extend it as we go, when we need to.

[THS-on]

I like this idea. I did an initial implementation of this in #414.

Do we want to fully replace AsymmetricAlgorithm or do we just want to default to RSA2048 and ECC P256 respectively for the conversion (similar to tpm2-tools)?