Capability

A Capability is an attribute that can be given to an Object allowing specific operations to be performed on or with it. Commands like digital signature generation and data decryption require (and check) for a predetermined set of Capabilities to be present on an Object. Further below is the list of existing Capabilities.

It is important to know that there are no restrictions on which Capabilities can be set on an Object. Specifically, this means that it is possible to assign meaningless Capabilities to Objects that will never be able to use them, for example it is possible to have an Asymmetric Object with the capability hmac_verify. Such a Capability only makes sense for Hmackey Objects, but the device will allow defining a superset. Lack of Capabilities required for a specific operation will cause a command requiring that Capability to fail.

Delegated Capabilities

Every Object stored on the device has an associated set of Capabilities. There is a second set of so-called Delegated Capabilities that only Authkeys and Wrapkeys have. This is used to capture the indirection that Authkeys and Wrapkeys can be used as a means of storing more Objects on a device. In both cases Delegated Capabilities are used as a filter.

For Authkeys, Delegated Capabilities define the set of Capabilities that can be set or "bestowed" onto an Object created by the Authkey. Any operation attempting to create Objects with a Capability outside of this set will fail.

For Wrapkeys, Delegated Capabilities define the set of Capabilities that an Object can have when imported or exported using the Wrapkey. A larger set of Capabilities will cause the import operation to fail.

Protocol details

A Set of Capabilities is an 8-byte value. Each capability is identified by a specific bit, as shown in the Hex Mask column below.

Name Hex Mask Applicable Objects Description

get_opaque

0x0000000000000001

Authkey

Read Opaque Objects

put_opaque

0x0000000000000002

Authkey

Write Opaque Objects

put_authkey

0x0000000000000004

Authkey

Write Authkey Objects

put_asymmetric

0x0000000000000008

Authkey

Write Asymmetric Objects

asymmetric_gen

0x0000000000000010

Authkey

Generate Asymmetric Objects

asymmetric_sign_pkcs

0x0000000000000020

Authkey, Asymmetric

Compute signatures using RSA-PKCS1v1.5

asymmetric_sign_pss

0x0000000000000040

Authkey, Asymmetric

Compute digital signatures using using RSA-PSS

asymmetric_sign_ecdsa

0x0000000000000080

Authkey, Asymmetric

Compute digital signatures using ECDSA

asymmetric_sign_eddsa

0x0000000000000100

Authkey, Asymmetric

Compute digital signatures using EDDSA

asymmetric_decrypt_pkcs

0x0000000000000200

Authkey, Asymmetric

Decrypt data using RSA-PKCS1v1.5

asymmetric_decrypt_oaep

0x0000000000000400

Authkey, Asymmetric

Decrypt data using RSA-OAEP

asymmetric_decrypt_ecdh

0x0000000000000800

Authkey, Asymmetric

Perform ECDH

export_wrapped

0x0000000000001000

Authkey, Wrapkey

Export other Objects under wrap

import_wrapped

0x0000000000002000

Authkey, Wrapkey

Import wrapped Objects

put_wrapkey

0x0000000000004000

Authkey

Write Wrapkey Objects

generate_wrapkey

0x0000000000008000

Authkey

Generate Wrapkey Objects

export_under_wrap

0x0000000000010000

all

Mark an Object as exportable under wrap

put_option

0x0000000000020000

Authkey

Write device-global options

get_option

0x0000000000040000

Authkey

Read device-global options

get_randomness

0x0000000000080000

Authkey

Extract random bytes

put_hmackey

0x0000000000100000

Authkey

Write Hmackey Objects

hmackey_generate

0x0000000000200000

Authkey

Generate Hmackey Objects

hmac_data

0x0000000000400000

Authkey, Hmackey

Compute HMAC of data

hmac_verify

0x0000000000800000

Authkey, Hmackey

Verify HMAC of data

audit

0x0000000001000000

Authkey

Read the Log Store

ssh_certify

0x0000000002000000

Authkey, Asymmetric

Sign SSH certificates

get_template

0x0000000004000000

Authkey

Read Template Objects

put_template

0x0000000008000000

Authkey

Write Template Objects

reset

0x0000000010000000

Authkey

Perform a factory reset on the device

otp_decrypt

0x0000000020000000

Authkey, Otpaeadkey

Decrypt OTP

otp_aead_create

0x0000000040000000

Authkey, Otpaeadkey

Create an OTP AEAD

otp_aead_random

0x0000000080000000

Authkey, Otpaeadkey

Create an OTP AEAD from random data

otp_aead_rewrap_from

0x0000000100000000

Authkey, Otpaeadkey

Rewrap AEADs from one Otpaeadkey Object to another

otp_aead_rewrap_to

0x0000000200000000

Authkey, Otpaeadkey

Rewrap AEADs to one Otpaeadkey Object from another

attest

0x0000000400000000

Authkey, Asymmetric

Attest properties of an Asymmetric Objects

put_otp_aead_key

0x0000000800000000

Authkey

Write Otpaeadkey Objects

generate_otp_aead_key

0x0000001000000000

Authkey

Generate Otpaeadkey Objects

wrap_data

0x0000002000000000

Authkey, Wrapkey

Wrap user-provided data

unwrap_data

0x0000004000000000

Authkey, Wrapkey

Unwrap user-provided data

delete_opaque

0x0000008000000000

Authkey

Delete Opaque Objects

delete_authkey

0x0000010000000000

Authkey

Delete Authkey Objects

delete_asymmetric

0x0000020000000000

Authkey

Delete Asymmetric Objects

delete_wrap_key

0x0000040000000000

Authkey

Delete Wrapkey Objects

delete_hmac_key

0x0000080000000000

Authkey

Delete Hmackey Objects

delete_template

0x0000100000000000

Authkey

Delete Template Objects

delete_otp_aead_key

0x0000200000000000

Authkey

Delete Otpaeadkey Objects