From a9866d34bb5c302660ebffe450fa58053dac1567 Mon Sep 17 00:00:00 2001
From: zhsh <zhsh@users.noreply.github.com>
Date: Thu, 28 Mar 2024 03:09:08 +1100
Subject: [PATCH] A note for Linux clients of tpm.EKs(). (#368)

Fix the doc for attest.ActivateCredentialWithEK() as well.
---
 attest/attest.go | 2 +-
 attest/tpm.go    | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/attest/attest.go b/attest/attest.go
index fb9b6b2..b305c8b 100644
--- a/attest/attest.go
+++ b/attest/attest.go
@@ -147,7 +147,7 @@ func (k *AK) ActivateCredential(tpm *TPM, in EncryptedCredential) (secret []byte
 	return k.ak.activateCredential(tpm.tpm, in, nil)
 }
 
-// ActivateCredential decrypts the secret using the key to prove that the AK
+// ActivateCredentialWithEK decrypts the secret using the key to prove that the AK
 // was generated on the same TPM as the EK. This method can be used with TPMs
 // that have an ECC EK. The 'ek' argument must be one of EKs returned from
 // TPM.EKs() or TPM.EKCertificates().
diff --git a/attest/tpm.go b/attest/tpm.go
index 3121772..e7f121f 100644
--- a/attest/tpm.go
+++ b/attest/tpm.go
@@ -365,6 +365,10 @@ func (t *TPM) Close() error {
 }
 
 // EKs returns the endorsement keys burned-in to the platform.
+// Note for Linux clients: for historical reasons, the method assumes that
+// the TPM has a single EK, and the EK's type is RSA. If the EK's type is ECC
+// and the TPM contains an ECC EK Certificate, the EKCertificates() method
+// should be used to retrieve the EKs.
 func (t *TPM) EKs() ([]EK, error) {
 	return t.tpm.eks()
 }