TPM wrapped keys turn out to be rather trivial: the TPM encoded key contains the wrapped key to be passed to the TPM (exact structure depends on the TPM, and also there may be a header I haven't looked at in detail). If the PCR values are correct, the TPM unwraps the key and directly returns the 256-bit VMK.
So, for example, with physical access to a machine using TPM mode BitLocker, you can simply sniff the TPM bus and see the wrapped key being sent and the VMK being returned.
I think the best way to handle this would be to add a way for the user to specify a VMK directly, similar to how the user can currently specify a FVEK with -k. Thoughts?
TPM wrapped keys turn out to be rather trivial: the TPM encoded key contains the wrapped key to be passed to the TPM (exact structure depends on the TPM, and also there may be a header I haven't looked at in detail). If the PCR values are correct, the TPM unwraps the key and directly returns the 256-bit VMK.
So, for example, with physical access to a machine using TPM mode BitLocker, you can simply sniff the TPM bus and see the wrapped key being sent and the VMK being returned.
I think the best way to handle this would be to add a way for the user to specify a VMK directly, similar to how the user can currently specify a FVEK with
-k. Thoughts?