Testing tpm2-pkcs11with KVM vTPM 2.0

phabricator-migrator · February 19, 2024, 5:27pm

Information

ID: 931
PHID: PHID-TASK-cne4wrzhrinuxjw27xek
Author: HulaHoop
Status at Migration Time: invalid
Priority at Migration Time: Normal

Description

KVM supports emulated TPM2 hardware and the version in Bullseye gains the ability to encrypt its secrets [0]. tpm2-pk11 [1] is a program that allows protecting OpenSSH and firefox private keys using the TPM. If the package finds a new upstream maintainer we can test it in Debian stable-next with the virtual TPM hardware.

Debian maintainers will move to tpm2-pkcs11 [3]

[0] KVM virtual TPM aka the "Universal Smartcard"

[1] GitHub - irtimmer/tpm2-pk11: [DEPRECATED] PKCS#11 Module for TPM 2.0 · GitHub

[2] Home · irtimmer/tpm2-pk11 Wiki · GitHub

[3] I Challenge Thee

EDIT:

The above package depends on gnupg-pkcs11-scd which is available in Debian.

only works for TPM 1.2

Opened a RFP for this package which fulfills this ticket in case someone upstream picks it up. I Challenge Thee

The upstream TPM2 project is looking at consolidating the multiple code projects out there into an upstream implementation superseding the projects above.

github.com/tpm2-software/tpm2-tools

Create PKCS11 tools for TPM2.0 device

opened 08:54AM - 21 Sep 17 UTC

closed 06:29PM - 30 Nov 17 UTC

liuqun

A PKCS11 API interface for TPM 2.0 chips is available, written by Iwan Timmer: …- https://github.com/irtimmer/tpm2-pk11 With libtpm2-pk11.so , TPM2.0 device or simulator can work with `ssh` client just like any other Smart-Card devices. For example: ``` mkdir ~/.tpm2 && cd ~/.tpm2 tpm2_createprimary -A e -g 0x000b -G 0x0001 -C po.ctx tpm2_create -c po.ctx -g 0x000b -G 0x0001 -o key.pub -O key.priv tpm2_load -c po.ctx -u key.pub -r key.priv -n key.name -C obj.ctx tpm2_evictcontrol -A o -c obj.ctx -S 0x81010010 rm key.name *.ctx cp config.sample ~/.tpm2/config ssh-keygen -D libtpm2-pk11.so > ~/.ssh/authorized_keys ssh -I libtpm2-pk11.so localhost ``` In TPM 1.2, there is a tool [simple-tpm-pk11](https://github.com/ThomasHabets/simple-tpm-pk11) that provides PKCS11 API. With the PKCS11 API, TPM1.2 protected RSA private key can be generated and used to work with OpenSSH. See examples from https://github.com/ThomasHabets/simple-tpm-pk11: ``` sudo apt-get install simple-tpm-pk11 ssh-keygen -D libsimple-tpm-pk11.so > ~/.ssh/authorized_keys ssh -I libsimple-tpm-pk11.so localhost ``` --- ![image](https://user-images.githubusercontent.com/64795/30998721-35840a5a-a503-11e7-8723-3b0a47a1acdd.png) IBM's TPM1.2 package tpm-tools-pkcs11 (which has recently been split up from tpm-tool/trousers package) provide another 5 tools, to work with it's OpenCryptoki PKCS11 token service: - [tpmtoken_import](http://trousers.sourceforge.net/man/tpmtoken_import.1.html) - [tpmtoken_init](http://trousers.sourceforge.net/man/tpmtoken_init.1.html) - [tpmtoken_objects](http://trousers.sourceforge.net/man/tpmtoken_objects.1.html) - [tpmtoken_protect](http://trousers.sourceforge.net/man/tpmtoken_protect.1.html) - [tpmtoken_setpasswd](http://trousers.sourceforge.net/man/tpmtoken_setpasswd.1.html) See: Manual page of tpm-tools, http://trousers.sourceforge.net/man.html PKCS 11 Data Management Commands: https://github.com/opencryptoki/opencryptoki/blob/master/doc/opencryptoki-howto.md#731-trusted-module-platform-tpm

Comments

HulaHoop

2019-10-07 19:29:21 UTC

HulaHoop

2019-10-10 13:47:52 UTC

Patrick

2023-01-19 10:53:17 UTC