4Eki
Is it safe to use a non-PCR key after verifying that a PCR7 key is working fine after OS start on TPM 2.0?
So the question is: if we reboot an OS and want to sign something using the TPM, and let's say we want to secure the boot environment using a PCR7 policy crypto key, is it safe to use a non-PCR-policy key together with a PCR7 policy key?
More formally:
- In the program we want to use the TPM to sign something. During its initialization, use the PCR7 policy key to verify that the boot environment hasn't been changed.
- Then the program switches to a non-policy key to do its own job (all kinds of stuff: signing, encrypting, decrypting ...). The reason I want to do this is that I noticed the non-policy key has much better performance compared with the PCR policy key.
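To make concrete what the two keys in this question actually check, here is an added example (not from the question or from any TPM library) that recomputes the TPM2_PolicyPCR digest for PCR7 the way a trial session does, and compares it with the authorization a key without a policy gets. The PCR7 values are constructed sample values, and `policy_satisfied` is an assumed model of the TPM's check (session policyDigest must equal the key's authPolicy; an empty authPolicy means no PCR binding at all).

```python
import hashlib
import struct

TPM_CC_POLICYPCR = 0x0000017F   # TPM 2.0 command code for TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B         # TPM_ALG_SHA256
PCR_SELECT_BYTES = 3            # sizeofSelect for a 24-PCR bank


def pcr_selection(pcr_index: int, alg: int = TPM_ALG_SHA256) -> bytes:
    """Marshal a TPML_PCR_SELECTION that names a single PCR in one bank."""
    select = bytearray(PCR_SELECT_BYTES)
    select[pcr_index // 8] |= 1 << (pcr_index % 8)
    # count (UINT32) || hash (UINT16) || sizeofSelect (UINT8) || pcrSelect bytes
    return struct.pack(">IHB", 1, alg, PCR_SELECT_BYTES) + bytes(select)


def policy_pcr_digest(pcr_values: list, pcr_index: int = 7) -> bytes:
    """Trial-session value of TPM2_PolicyPCR for one PCR, from a fresh session.

    policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || H(values))
    where policyDigest_old is all zeros at the start of a session.
    """
    pcr_digest = hashlib.sha256(b"".join(pcr_values)).digest()
    old = bytes(hashlib.sha256().digest_size)
    return hashlib.sha256(old + struct.pack(">I", TPM_CC_POLICYPCR)
                          + pcr_selection(pcr_index) + pcr_digest).digest()


def policy_satisfied(auth_policy: bytes, current_pcr7: bytes) -> bool:
    """Assumed model of the TPM's decision when a key is used.

    A key created with this authPolicy can only be used in a session whose
    policyDigest matches it; an empty authPolicy (the "non-policy" key in the
    question) imposes no PCR condition, so the current PCR7 value is irrelevant.
    """
    if not auth_policy:
        return True
    return auth_policy == policy_pcr_digest([current_pcr7])


# Constructed sample PCR7 values: a known-good boot and a changed boot.
GOOD_PCR7 = bytes.fromhex("11" * 32)
CHANGED_PCR7 = bytes.fromhex("22" * 32)

if __name__ == "__main__":
    bound = policy_pcr_digest([GOOD_PCR7])       # authPolicy of the PCR7 key
    print("PCR7 key, good boot:   ", policy_satisfied(bound, GOOD_PCR7))
    print("PCR7 key, changed boot:", policy_satisfied(bound, CHANGED_PCR7))
    print("non-policy key, changed boot:", policy_satisfied(b"", CHANGED_PCR7))
```

Because the binding lives in the key's authPolicy, only the PCR7 key ever re-checks the boot state; the non-policy key carries no such condition on any later use.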