Information
ID: 931
PHID: PHID-TASK-cne4wrzhrinuxjw27xek
Author: HulaHoop
Status at Migration Time: invalid
Priority at Migration Time: Normal
Description
KVM supports emulated TPM2 hardware and the version in Bullseye gains the ability to encrypt its secrets [0]. tpm2-pk11 [1] is a program that allows protecting OpenSSH and firefox private keys using the TPM. If the package finds a new upstream maintainer we can test it in Debian stable-next with the virtual TPM hardware.
Debian maintainers will move to tpm2-pkcs11 [3].
[0] KVM virtual TPM aka the "Universal Smartcard"
[1] GitHub - irtimmer/tpm2-pk11: [DEPRECATED] PKCS#11 Module for TPM 2.0
[2] Home · irtimmer/tpm2-pk11 Wiki · GitHub
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941951#10
EDIT:
The above package depends on gnupg-pkcs11-scd, which is available in Debian.
https://packages.debian.org/source/stable/gnupg-pkcs11-scd
only works for TPM 1.2
Opened an RFP for this package, which fulfills this ticket in case someone upstream picks it up. https://bugs.debian.org/941951
The upstream TPM2 project is looking at consolidating the multiple code projects out there into an upstream implementation superseding the projects above.
opened 08:54AM - 21 Sep 17 UTC
closed 06:29PM - 30 Nov 17 UTC
A PKCS11 API interface for TPM 2.0 chips is available, written by Iwan Timmer:
- https://github.com/irtimmer/tpm2-pk11
With libtpm2-pk11.so, a TPM 2.0 device or simulator can work with the `ssh` client just like any other smart-card device. For example:
```
# tpm2-tools 2.x/3.x flag syntax (2017); the flags were renamed in tpm2-tools 4.x
mkdir -p ~/.tpm2 && cd ~/.tpm2
# Primary key under the endorsement hierarchy (-A e), SHA-256 (-g 0x000b), RSA (-G 0x0001)
tpm2_createprimary -A e -g 0x000b -G 0x0001 -C po.ctx
# RSA child key under that primary: public part to key.pub, TPM-wrapped private part to key.priv
tpm2_create -c po.ctx -g 0x000b -G 0x0001 -o key.pub -O key.priv
# Load the child key and save its transient context
tpm2_load -c po.ctx -u key.pub -r key.priv -n key.name -C obj.ctx
# Persist it at handle 0x81010010 with owner authorization (-A o) so it survives reboots
tpm2_evictcontrol -A o -c obj.ctx -S 0x81010010
rm key.name *.ctx
# config.sample ships in the tpm2-pk11 repository (copied into this directory beforehand)
cp config.sample ~/.tpm2/config
# Export the public key through the PKCS#11 module and append it (do not clobber existing keys)
ssh-keygen -D libtpm2-pk11.so >> ~/.ssh/authorized_keys
# Log in with the TPM-resident key via the module
ssh -I libtpm2-pk11.so localhost
```
For TPM 1.2, there is a tool, [simple-tpm-pk11](https://github.com/ThomasHabets/simple-tpm-pk11), that provides a PKCS#11 API.
With that PKCS#11 API, a TPM 1.2-protected RSA private key can be generated and used with OpenSSH. See the examples from https://github.com/ThomasHabets/simple-tpm-pk11:
```
sudo apt-get install simple-tpm-pk11
# A TPM-wrapped key must be generated first (stpm-keygen, see the project README)
# Export the public key through the module and append it to authorized_keys
ssh-keygen -D libsimple-tpm-pk11.so >> ~/.ssh/authorized_keys
# Log in with the TPM-resident key via the module
ssh -I libsimple-tpm-pk11.so localhost
```
---
![image](https://user-images.githubusercontent.com/64795/30998721-35840a5a-a503-11e7-8723-3b0a47a1acdd.png)
IBM's TPM 1.2 package tpm-tools-pkcs11 (recently split out of the tpm-tools/trousers package) provides another five tools to work with its openCryptoki PKCS#11 token service:
- [tpmtoken_import](http://trousers.sourceforge.net/man/tpmtoken_import.1.html)
- [tpmtoken_init](http://trousers.sourceforge.net/man/tpmtoken_init.1.html)
- [tpmtoken_objects](http://trousers.sourceforge.net/man/tpmtoken_objects.1.html)
- [tpmtoken_protect](http://trousers.sourceforge.net/man/tpmtoken_protect.1.html)
- [tpmtoken_setpasswd](http://trousers.sourceforge.net/man/tpmtoken_setpasswd.1.html)
See:
Manual page of tpm-tools, http://trousers.sourceforge.net/man.html
PKCS 11 Data Management Commands:
https://github.com/opencryptoki/opencryptoki/blob/master/doc/opencryptoki-howto.md#731-trusted-module-platform-tpm
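As an added example (not from this ticket, from HulaHoop, or from either of the projects above): the same SSH-from-TPM flow using tpm2-pkcs11 and its `tpm2_ptool` helper, which is where Debian moved per [3]. It assumes tpm2-tools 4.x or later and libtpm2-pkcs11 installed, the Debian multiarch module path shown (an assumption; override `PKCS11_MODULE`), and `/dev/tpmrm0` as the TCTI (for a KVM/swtpm guest that device is what the virtual TPM appears as; a simulator can be selected with an `mssim:` TCTI). The helper names `primary_id_from_init_output`, `module_keys_authorized` and `provision_ssh_key` are the example's own. The two helpers run without a TPM: one parses the id that `tpm2_ptool init` prints, the other checks that every key the module exposes is actually present in authorized_keys before you rely on it, so a mis-pointed module or a clobbered authorized_keys fails loudly instead of locking you out.

```shell
#!/bin/sh
# Added example: provision an RSA key inside a TPM 2.0 through tpm2-pkcs11 and
# authorize it for OpenSSH. Not the ticket's or either project's code.
set -eu

# Assumed Debian multiarch path of the tpm2-pkcs11 module; override if different.
: "${PKCS11_MODULE:=/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so}"
: "${TOKEN_STORE:=$HOME/.tpm2_pkcs11}"   # tpm2_ptool metadata store (sqlite)
: "${TOKEN_LABEL:=ssh}"
: "${SOPIN:=changeme-so}"                 # placeholders: pick real PINs
: "${USERPIN:=changeme-user}"
# TCTI for the module and for tpm2-tools; use "mssim:host=localhost,port=2321" for a simulator
: "${TPM2_PKCS11_TCTI:=device:/dev/tpmrm0}"
: "${TPM2TOOLS_TCTI:=$TPM2_PKCS11_TCTI}"
export TPM2_PKCS11_TCTI TPM2TOOLS_TCTI

# Pull the primary object id out of the line tpm2_ptool init prints,
# e.g. "Created a primary object of id: 1" -> "1".
primary_id_from_init_output() {
    printf '%s\n' "$1" | sed -n 's/^Created a primary object of id: *\([0-9][0-9]*\).*/\1/p'
}

# $1: public-key lines as printed by `ssh-keygen -D <module>` ("ssh-rsa AAAA... comment")
# $2: path to an authorized_keys file
# Succeeds only if every key in $1 appears in $2. Compares the "type blob" pair at any
# field position, so leading options and trailing comments are ignored; "#" lines are skipped.
module_keys_authorized() {
    keys=$(printf '%s\n' "$1" | awk 'NF >= 2 { print $1 " " $2 }')
    [ -n "$keys" ] || return 1
    while IFS= read -r k; do
        [ -n "$k" ] || continue
        awk -v key="$k" '
            $1 ~ /^#/ { next }
            { for (i = 1; i < NF; i++) if (($i " " $(i + 1)) == key) found = 1 }
            END { exit found ? 0 : 1 }' "$2" || return 1
    done <<EOF
$keys
EOF
    return 0
}

# Full provisioning; needs a TPM (or swtpm) and the packages above. Run once.
provision_ssh_key() {
    # 1. Create the primary storage object and the metadata store
    init_out=$(tpm2_ptool init --path="$TOKEN_STORE")
    pid=$(primary_id_from_init_output "$init_out")
    [ -n "$pid" ] || { echo "could not parse primary id from: $init_out" >&2; return 1; }
    # 2. Create a token under that primary
    tpm2_ptool addtoken --pid="$pid" --sopin="$SOPIN" --userpin="$USERPIN" \
        --label="$TOKEN_LABEL" --path="$TOKEN_STORE"
    # 3. Generate an RSA-2048 key pair inside the TPM; the private part never leaves it
    tpm2_ptool addkey --label="$TOKEN_LABEL" --userpin="$USERPIN" \
        --algorithm=rsa2048 --path="$TOKEN_STORE"
    # 4. Export the public half through the PKCS#11 module and append it (never overwrite)
    pub=$(ssh-keygen -D "$PKCS11_MODULE")
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    printf '%s\n' "$pub" >> "$HOME/.ssh/authorized_keys"
    chmod 600 "$HOME/.ssh/authorized_keys"
    # 5. Verify before relying on it
    module_keys_authorized "$pub" "$HOME/.ssh/authorized_keys" || return 1
    echo "TPM-resident key authorized; test with: ssh -I $PKCS11_MODULE localhost"
}

# Only provision when explicitly asked, so the helpers can be sourced and tested without a TPM
if [ "${1:-}" = provision ]; then
    provision_ssh_key
fi
```

Run `sh tpm2-ssh.sh provision` on the host or guest that owns the TPM; without the argument the script only defines the functions. The authorized-key check deliberately compares the key type and blob rather than fingerprints, so it needs no second `ssh-keygen` invocation and works on any authorized_keys line, with or without options.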
Comments
HulaHoop
2019-10-07 19:29:21 UTC
HulaHoop
2019-10-10 13:47:52 UTC
Patrick
2023-01-19 10:53:17 UTC