I have a follow-up question of sorts to this question: How to encrypt bytes using the TPM (Trusted Platform Module)
I am using Windows 10 for an embedded solution. I would like to use the TPM to store signing keys and perform signatures. However, I do not want to interrupt Windows' ability to use the TPM for secure boot... therefore, I am hesitant to take ownership of the TPM. I have played around with the TSS.NET code samples, and have gotten the TPM to sign data with a blank AuthValue (with a real TPM, not a simulator). But I am not sure what the limitations are here. The TSS.NET sample code has a comment:
If running on a real TPM, which has been provisioned by Windows, this value will be different. An administrator can retrieve the owner authorization value from the registry.
So my question is in two parts:
- When provisioning, am I correct that changing the TPM owner password is ill advised?
- Is it possible to obtain the password in code?
- If I don't have the owner authorization when deploying a device, will I be able to install signing keys?
- If I don't have the owner authorization at run time, will I be able to use the TPM for signing?