Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add TPM Key Support #74

Open
wants to merge 27 commits into
base: main
Choose a base branch
from
Open

Add TPM Key Support #74

wants to merge 27 commits into from

Conversation

13ajay
Copy link
Contributor

@13ajay 13ajay commented Jun 26, 2024

Description of changes:

This is a continuation of this PR.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

dwmw2 and others added 15 commits July 5, 2023 07:43
This does nothing useful yet, except detecting that we were given a
TSS2 private key blob and reporting that it's not supported. It does
help to ensure that when we come to implement this, we'll get the
user experience right. Which is "just give us the file".

We can do the actual implementation either via OpenSSL with one of
the TPM engines/providers, or by parsing the TSS2 ASN.1 ourselves
and driving the TPM directly. Not sure which is easier from Go.
Just parse the ASN.1 (working around historical bugs and the lack of
BER support in asn1.Unmarshal()). Returns a Signer that won't work yet.
This allows us to use the swtpm, via the unix socket
* Only password-protected TPM signing keys are supported. It isn't
currently possible to use passwords for parents or hierarchies.
* Modify the README appropriately, to convey the above.
* Refactor testing and Makefile, so that TPM tests are in their own
file, and so that they can be run in isolation (without having to set
up SoftHSM, for example).
* Change RSA signing, so that only keys with the sign capability can be
used to perform signatures (note that this is yet to be tested since
it may not be possible to create such keys using the create_tpm2_key
utility.
* Remove some unnecessary code that was previously commented out
* Format code
* Add a few more TPM key tests
* Note that the guidance as written now hasn't been fully tested
13ajay added 12 commits June 27, 2024 20:39
* Check that the TPM used supports the necessary algorithms before
  attempting to sign
* Minor modifications to README and some code cleanup
* Refactor password prompting so that both loading a TPM key and signing
  with a TPM key can be done easily
* Passwords on parent keys are still yet to be tested through unit tests
* Modify Makefile to create primary (parent) keys with passwords
* Add positive and negative tests to verify parent key password support
* Add hacky helper functions to help transform a TPM key blob into a
  Bottomley TPM key file
* Modify TPM tests so that they continue to work
* Fix a bug relating to using certificate chains with TPM keys
* TPM key handles are now supported by the credential helper
* Remove support for parent key passwords; instead, child keys with
  parent passwords will need to be loaded into the TPM and referred to
  by their handle in order to be used with the credential helper
* Add unit tests for TPM key handles
* Add no-tpm-key-password flag for sign-string command
* Partially modify README to include TPM guidance based on Intel tools
* Emulate a subset of functionality provided by the tpm2_create_key
  utility within a bash script of the same name (with a .sh extension)
* Modify Makefile to either use tpm2-tools or tpm2-openssl directly, or
  to use the bash script utility
* Fix no-tpm-key-password intent logic
* Determine whether authorization is required based on key file (in
  which case, there is an `emptyAuth` field) or CLI flag (if a handle is
  used), so as to not cause unnecessary DA lockout
* Refactor tests based on the above
* Fix some Makefile components dealing with hardware TPM keys
* Note customer responsibilities when referencing TPM keys using their
  handles
* Add example of using the credential helper with a TPM key file
* Add further notes on tooling and limitations
* When passwords aren't required by key files (through `emptyAuth`),
  make sure that one isn't provided through the CLI (fail if it is)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants