Cryptohomed is responsible for initialization of the TPM once it has been enabled and activated. Ownership creates a Storage Root Key (SRK) on the TPM, which is necessary to seal user keys (the system-wide cryptohome key and keys used by opencryptoki+tpm are ultimately sealed by the SRK; see http://trousers.sourceforge.net/pkcs11.html for more details on how opencryptoki uses the SRK). The ownership process is in the tpm_init library, separate from cryptohome, but the basic process is as follows:
/sys/class/{misc|tpm}/tpm0/device/owned
is 0 and /sys/class/{misc|tpm}/tpm0/device/enabled
is 1 then the initialize thread will attempt to initialize the TPM.EK
) will be created if it doesn't exist (some vendors do not create one at the factory, as it is not required by the spec).SRK
password. This may take between 10s and 150s.SRK
's password is reset to a NULL string, and its use is unrestricted (in other words, code using the SRK does not need to know the owner password).Cryptohome uses the TPM merely for secure key storage to help protect the user from data loss should their device be lost or compromised. Keys sealed by the TPM can only be used on the TPM itself, meaning that offline or brute-force attacks are difficult.