In the end, it doesn't really matter who agrees with whom where. I want my keys. How do I get them?
Oh sorry, maybe I should have answered that sooner :)
Get yourself a sophisticated science laboratory and crack / acid-etch the chip open. Then use microscopic probes to extract the key directly out of the silicon circuitry.
Oh, and by the way the chips are explicitly designed to be attack resistant, meaning you have to be really careful the keys don't get damaged/wiped during the process.
Oh, and if you *do* manage to get your keys, you've got to be really careful that no one ever detects you doing anything the Trust system prohibits, like not obeying DRM. The PubEK is the public "name" for your PrivEK, and they can track you by it. They specified a revocation system they can use to effectively kill that key. You then need to go out and buy a new chip (perhaps even buy an entire new computer with a new key and new set of certificates), and crack that that chip open to get a new working key. And of course they'll revoke that key too if/when they detect your computer isn't securely locked down.
The entire point of the Trust system is for you to be able to "trust" that my computer will do what it says it will do, and only what it says it will do, and that my computer is secure against me meddling in that. And vice-versa, that I can trust that your computer is secure against you, and that it will do what I want it to do. For example you could agree to share personal information with some company. Under the Trust system you know that they don't know the Master Key to their own computer, so if their computer says that it will keep your personal information encrypted, then you can Trust that. If their computer says they will only use your personal information in an anonymous way to generate overall statistical data of all their customers, then you can Trust that their computer will enforce that. In theory.
Of course things will virtually always go in the exact opposite direction. A music service will sell you music files, and they will use the Trust system to ensure your computer strictly enforces that DRM against you. You don't have you master key, so when your computer says it will never allow you to read or copy the file (except through the approved DRM-enforcing-music-player), then they can Trust that your computer will never allow you to read or copy your music files. Some company can "rent" software to you, and they can Trust that your computer will never permit you to run that software, except during the paid rental time-span (and the computer would use a secure online date verification to enforce it). And my favorite example, websites using the Trust system to ensure you're not running any ad-blockers and that you can't right-click-save images or other content from the webpage.
The entire point of the Trust system falls apart if owners know or truly control their own computer's master keys. I can no longer Trust your computer, and you could no longer Trust my computer. That's why they set up an elaborate key-tracking and key-revocation revocation system. If you manage any sort of hardware hack to obtain control over your computer they can kill that key and establish your computer is no longer Trusted.
To clarify: The aspect on which BIOS4breakfast and Alsee disgree is that the former feels that there is not a restriction on obtaining keys as long as they are not obtained from the TPM module
You could simply "make up" a completely random key and there are some limited things you can do with it, but in general it isn't going to work. It's not a "valid" or "real" key. It will fail in critical chip operations such as Remote Attestation.
The best comparison is like buying a cellphone without a SIM card. Sure, you can make up your own phone number, and you can program phone numbers into the speed-dial memory and stuff, but in general a cell phone is designed for calling other cell phones, and none of the main phone functions work without a genuine SIM card and genuine phone number for that phone.
The chip comes with a manufacturer's certificate which certifies that the specific PrivEK in the chip actually is a PrivEK. The certificate is like the SIM card, and the genuine PrivEK is like a genuine phone number assigned to that SIM card. The certificate turns that pre-installed key into a genuine and fully functional PrivEK, like a SIM card makes a phone-number into a genuine working number.
Here's the latest TPM Main Specification Level 2 Version 1.2 from the Trusted Computing Group.
5. Endorsement Key Creation
Start of informative comment
The TPM contains a 2048-bit RSA key pair called the endorsement key (EK). The public
portion of the key is the PUBEK and the private portion the PRIVEK. Due to the nature of
this key pair, both the PUBEK and the PRIVEK have privacy and security concerns.
The TPM has the EK generated before the end customer receives the platform.
Later it says:
The PRIVEK SHALL exist only in a TPM-shielded location.
2.
Access to the PRIVEK and PUBEK MUST only be via TPM protected capabilities
and later:
5.1
Controlling Access to PRIVEK
Start of informative comment
Exposure of the PRIVEK is a security concern.
The TPM must ensure that the PRIVEK is not exposed outside of the TPM
End of informative comment
1.
The PRIVEK MUST never be out of the control of a TPM shielded location
So a real (working) PrivEK comes pre-installed in the chip, and the chip is forbidden to give it to you. It is forbidden to exist anywhere outside the chip, so obviously you can't obtain it from anywhere else. You have to crack into the microchip to extract ir.
-