Closed
Description
By default, tpm2_getekcertificate searches for the EK cert in NVRAM (if no search ARGUMENT is given).
The latest TCG spec encourages vendors to support ECC P384 and RSA 3072 EK certificates, as stated below:
1. If the TPM is pre-provisioned with EK Certificates, it SHALL be provisioned with EK Certificates for an RSA
EK and an ECC EK.
a. The TPM MAY include an EK Certificate for an RSA 3072-bit key.
b. The TPM SHALL be provisioned with either an ECC P384 EK Certificate or an RSA 3072-bit EK
Certificate.
c. All Certificates SHALL comply with the definition in the TCG EK Credential Profile for TPM Family
2.0 [14].
source: 4.5.2.1 Pre-provisioned EK Certificates
The latest TCG EK Credential Profile 2.0 defines where the newest algorithms must be stored (i.e. the High Range):

The handle values are normative as of version 2.3 of this specification. Defining the NV index handles as normative simplifies EK certificate validation because it eliminates parsing of certificate content in order to identify the algorithm (RSA or ECC) and key/curve size.

| NV index   | Content                       |
|------------|-------------------------------|
| 0x01c00012 | RSA 2048 EK Certificate (H-1) |
| 0x01c00014 | ECC NIST P256 EK Certificate (H-2) |
| 0x01c00016 | ECC NIST P384 EK Certificate (H-3) |
| 0x01c00018 | ECC NIST P521 EK Certificate (H-4) |
| 0x01c0001a | ECC SM2_P256 EK Certificate (H-5) |
| 0x01c0001c | RSA 3072 EK Certificate (H-6) |
| 0x01c0001e | RSA 4096 EK Certificate (H-7) |

source: 2.2.1.5 High Range
It seems that the current implementation of tpm2_getekcertificate only searches the Low Range (see code here). The tool should also support the High Range values in order to comply with the latest version of the TCG spec.
PS: I'm willing to do a PR on this issue if this ticket is relevant to the maintainers.
dzogrim
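To make the Low Range / High Range distinction concrete, here is an added example (not part of the issue and not tpm2-tools code) that searches every normative EK certificate NV index in order, Low Range first, then High Range, and identifies the key algorithm purely from the handle, which is exactly what the quoted profile text says the normative handles are for. The handle values are the ones quoted above plus the two Low Range handles (0x01c00002 for the RSA 2048 EK certificate and 0x01c0000a for the ECC P256 EK certificate). The `nv_read` callback abstraction, the in-memory NV store with constructed fake certificate bytes, and the `tpm2_nvread`-backed reader (which assumes the index is readable with the owner hierarchy) are my own assumptions for illustration.

```python
"""Search both the Low Range and the High Range EK certificate NV indices.

Handle values come from the TCG EK Credential Profile as quoted in the issue.
Everything else (search helper, reader callback, in-memory store, fake
certificate bytes) is constructed for this example and is not tpm2-tools code.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Low Range: the only two EK certificate indices tpm2_getekcertificate searches
# in the version discussed in the issue.
LOW_RANGE: Dict[int, str] = {
    0x01C00002: "RSA 2048 EK Certificate",
    0x01C0000A: "ECC NIST P256 EK Certificate",
}

# High Range (EK Credential Profile 2.x, section 2.2.1.5), normative as of
# version 2.3 of the profile. The algorithm is implied by the handle itself.
HIGH_RANGE: Dict[int, str] = {
    0x01C00012: "RSA 2048 EK Certificate (H-1)",
    0x01C00014: "ECC NIST P256 EK Certificate (H-2)",
    0x01C00016: "ECC NIST P384 EK Certificate (H-3)",
    0x01C00018: "ECC NIST P521 EK Certificate (H-4)",
    0x01C0001A: "ECC SM2_P256 EK Certificate (H-5)",
    0x01C0001C: "RSA 3072 EK Certificate (H-6)",
    0x01C0001E: "RSA 4096 EK Certificate (H-7)",
}

# Search order: Low Range first (what the tool does today), then High Range.
SEARCH_ORDER: List[int] = list(LOW_RANGE) + list(HIGH_RANGE)

# A reader returns the raw NV contents for a handle, or None if the index is
# absent or unreadable.
NvReader = Callable[[int], Optional[bytes]]


def ek_cert_algorithm(handle: int) -> Optional[str]:
    """Identify the EK certificate type from the NV handle alone (no DER parsing)."""
    return LOW_RANGE.get(handle) or HIGH_RANGE.get(handle)


def looks_like_der_certificate(data: bytes) -> bool:
    """Cheap sanity check: an X.509 certificate is a DER SEQUENCE (tag 0x30)."""
    return len(data) > 4 and data[0] == 0x30


def find_ek_certificates(nv_read: NvReader,
                         handles: List[int] = SEARCH_ORDER) -> List[Tuple[int, str, bytes]]:
    """Return (handle, description, cert_bytes) for every populated EK cert index."""
    found: List[Tuple[int, str, bytes]] = []
    for handle in handles:
        data = nv_read(handle)
        if not data:
            continue  # index not defined or empty
        if not looks_like_der_certificate(data):
            continue  # index exists but does not hold a DER certificate
        found.append((handle, ek_cert_algorithm(handle) or "unknown", data))
    return found


def memory_reader(store: Dict[int, bytes]) -> NvReader:
    """Reader over a constructed in-memory NV store (for offline testing)."""
    return lambda handle: store.get(handle)


def tpm2_nvread_reader(handle: int) -> Optional[bytes]:
    """Reader backed by the tpm2_nvread CLI.

    Assumption: the EK certificate index is readable with the owner hierarchy
    (-C o); adjust the auth to match the index attributes on your TPM.
    """
    try:
        result = subprocess.run(
            ["tpm2_nvread", "-C", "o", f"0x{handle:08x}"],
            capture_output=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return result.stdout or None


def _fake_der_cert(length: int = 300) -> bytes:
    """Constructed placeholder: DER SEQUENCE header followed by filler bytes."""
    body_len = length - 4
    return b"\x30\x82" + body_len.to_bytes(2, "big") + b"\xAA" * body_len


# Constructed NV store: an ECC P256 cert in the Low Range, a P384 and an
# RSA 3072 cert in the High Range, and one High Range index holding junk.
CONSTRUCTED_STORE: Dict[int, bytes] = {
    0x01C0000A: _fake_der_cert(),
    0x01C00016: _fake_der_cert(),
    0x01C0001C: _fake_der_cert(),
    0x01C00012: b"\xff\xff\xff\xff\xff",  # populated but not a certificate
}


def demo(handles: List[int] = SEARCH_ORDER) -> List[Tuple[str, str]]:
    """Run the search over the constructed store; returns (hex handle, type) pairs."""
    return [(f"0x{h:08x}", desc)
            for h, desc, _ in find_ek_certificates(memory_reader(CONSTRUCTED_STORE), handles)]


if __name__ == "__main__":
    print("Low Range only:", demo(list(LOW_RANGE)))
    print("Low + High Range:", demo())
```

Run with only `LOW_RANGE` to reproduce the behaviour described in the issue (the RSA 3072 and P384 certificates are never found); run with `SEARCH_ORDER` to see all three certificates identified by handle. To query real hardware, pass `tpm2_nvread_reader` instead of `memory_reader(CONSTRUCTED_STORE)`.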