Discussion:
[TrouSerS-users] Create key
Sigrun
2015-06-16 16:07:51 UTC
Hi all,

First: I apologize for my bad English.

I have started using Trousers and 'libengine-tpm-openssl' for the
create_tpm_key feature.

I just want to be sure: does 'Tspi_Key_CreateKey' really create the key
from the TPM RNG and features?

And how do I store a key INSIDE the TPM?
I don't understand it and have found no examples of the 'tpm_nvdefine' command.
My 'tpm_nvinfo -n' just says:
"the following NVRAM areas have been defined:" and nothing.
I don't want to 'unconfigure' or destroy all the stuff.

Thanks!


Sigrun


------------------------------------------------------------------------------
Ken Goldman
2015-06-17 13:55:06 UTC
Post by Sigrun
And how do I store a key INSIDE the TPM?
I don't understand it and have found no examples of the 'tpm_nvdefine' command.
"the following NVRAM areas have been defined:" and nothing.
There are multiple definitions of 'store'.

Loading the key stores the key in the TPM, but it is in volatile memory.
It does not persist through a reboot.

Load followed by key control owner stores the loaded key in non-volatile
memory, but the TPM may have very few of these key slots.

You can define an NV index and store the key persistently there. To the
TPM, it's not a key. It's just a data blob. Again, there is a limited
amount of NV memory.

------------------------------------------------------------------------------
Krzysztof Kotlenga
2015-06-17 22:00:17 UTC
Post by Sigrun
Hi all,
First: I apologize for my bad English.
I have started using Trousers and 'libengine-tpm-openssl' for the
create_tpm_key feature.
I just want to be sure: does 'Tspi_Key_CreateKey' really create
the key from the TPM RNG and features?
Basically, yes. You can use TSS_KEY_TYPE_LEGACY to import keys, however.
This can be a Bad Thing if you want to be sure that the key isn't "on
the outside" too. The sad thing about openssl_tpm_engine (that's what
the source repository is called) is that it only works with the legacy
type keys. The recommendation is to use SIGNING and BINDING keys
instead. Those cannot be imported. Depending on what you need to do,
you might be able to use gnutls instead of openssl_tpm_engine, as it
supports TPMs (via libtspi) and will allow you to create a SIGNING key
if requested.

If you need a BINDING key, it can be a bit hard. You most likely need
your own code to create such a key. Then, if you need to encrypt some
data for a TPM in software, it first needs to be put in a TPM_BOUND_DATA
structure and encrypted with OAEP TCPA padding. The point is that the
openssl command line tool is not sufficient to encrypt data in the way
required for a BINDING key. But you will find code in trousers doing
just that.
Post by Sigrun
And how to store a key INSIDE the TPM??
A so-called "owner evict" key. It seemed to work when I tried it. You
don't need to deal with NV memory on your own in this case. I'm
not sure about this: http://sourceforge.net/p/trousers/bugs/155/

I had to LoadKeyByUUID such a key. GetKeyByUUID was a no go. Using it
(or maybe loading it - I don't remember) was slower than for normal keys, so
I dropped the idea.

BTW, keys can be stored in DER files (Tspi_EncodeDER_TssBlob /
Tspi_DecodeBER_TssBlob) instead of Persistent Storage. It's a less
opaque way to store keys which can be advantageous.


Have you seen "Introduction To Trusted Computing" by Ariel Segall?
<http://opensecuritytraining.info/IntroToTrustedComputing.html>

It's quite enlightening. There is one slide in part 3 stating that
legacy keys are not created by the TPM but it doesn't seem to hold true
in part 16 (and in trousers).
--
kjk
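The TPM_BOUND_DATA plus "OAEP TCPA padding" step described in the reply above, as an added example; this is not part of the original thread and not code from Trousers or openssl_tpm_engine. It assumes the TPM 1.2 structure values (TPM_STRUCT_VER 1.1.0.0, TPM_PT_BIND = 0x02) and RSAES-OAEP with SHA-1, MGF1-SHA1 and the encoding parameter "TCPA", which is what TPM_UnBind checks for a TPM_ES_RSAESOAEP_SHA1_MGF1 key. make_test_key produces a constructed RSA key pair standing in for the BINDING key's public half, and unbind is only a software stand-in for the TPM_UnBind operation that would otherwise run inside the TPM.

```python
"""Software side of a TPM 1.2 BINDING key: wrap the data in TPM_BOUND_DATA and
RSAES-OAEP-encrypt it with the "TCPA" label, the form TPM_UnBind expects.
Added example for this thread, not Trousers or openssl_tpm_engine code. Structure
values and OAEP parameters are assumed from the TPM 1.2 spec; the RSA key is a
constructed test key, not one from a TPM."""
import hashlib
import os
import random

TPM_STRUCT_VER_1_1 = bytes([1, 1, 0, 0])  # TPM 1.2 keeps struct version 1.1.0.0
TPM_PT_BIND = 0x02                         # TPM_PAYLOAD_TYPE for bound data
OAEP_LABEL = b"TCPA"                       # OAEP encoding parameter fixed by TPM 1.2
HLEN = hashlib.sha1().digest_size          # 20

def tpm_bound_data(payload: bytes) -> bytes:
    """TPM_BOUND_DATA = TPM_STRUCT_VER || TPM_PAYLOAD_TYPE || payloadData."""
    return TPM_STRUCT_VER_1_1 + bytes([TPM_PT_BIND]) + payload

def parse_tpm_bound_data(blob: bytes) -> bytes:
    """Inverse of tpm_bound_data, with the version/payload check TPM_UnBind does."""
    if len(blob) < 5 or blob[:4] != TPM_STRUCT_VER_1_1 or blob[4] != TPM_PT_BIND:
        raise ValueError("not a TPM_BOUND_DATA blob")
    return blob[5:]

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 with SHA-1 (RFC 3447 B.2.1)."""
    n_blocks = (length + HLEN - 1) // HLEN
    return b"".join(hashlib.sha1(seed + i.to_bytes(4, "big")).digest()
                    for i in range(n_blocks))[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(message: bytes, k: int, seed: bytes = None) -> bytes:
    """EME-OAEP (RFC 3447 7.1.1), SHA-1 + MGF1-SHA1, label "TCPA"; k = modulus bytes."""
    if len(message) > k - 2 * HLEN - 2:
        raise ValueError("message too long for this key size")
    lhash = hashlib.sha1(OAEP_LABEL).digest()
    db = lhash + b"\x00" * (k - len(message) - 2 * HLEN - 2) + b"\x01" + message
    seed = os.urandom(HLEN) if seed is None else seed
    masked_db = _xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = _xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int) -> bytes:
    """EME-OAEP decoding. Not constant-time: for testing the encoder only."""
    if len(em) != k or em[0] != 0:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = _xor(masked_seed, mgf1(masked_db, HLEN))
    db = _xor(masked_db, mgf1(seed, k - HLEN - 1))
    if db[:HLEN] != hashlib.sha1(OAEP_LABEL).digest():   # label was not "TCPA"
        raise ValueError("decryption error")
    rest = db[HLEN:].lstrip(b"\x00")
    if not rest or rest[0] != 0x01:
        raise ValueError("decryption error")
    return rest[1:]

def bind(payload: bytes, n: int, e: int) -> bytes:
    """What software does with the BINDING key's public half (n, e) from its key blob."""
    k = (n.bit_length() + 7) // 8
    em = oaep_encode(tpm_bound_data(payload), k)
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def unbind(ciphertext: bytes, n: int, d: int) -> bytes:
    """Software model of TPM_UnBind; a real TPM never exposes d."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    return parse_tpm_bound_data(oaep_decode(em, k))

def _probable_prime(bits: int) -> int:
    """Miller-Rabin prime search, only for the constructed test key."""
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(32):
            x = pow(random.randrange(2, n - 1), d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break          # composite witness found: next candidate
        else:
            return n

def make_test_key(bits: int = 1024, e: int = 65537):
    """Constructed RSA key pair standing in for a TPM BINDING key (test use only)."""
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

if __name__ == "__main__":
    n, e, d = make_test_key()
    blob = bind(b"data only this TPM can unbind", n, e)
    print(len(blob), unbind(blob, n, d))
```

To bind to a real TPM, feed bind() the modulus and exponent taken from the BINDING key's public blob and keep only the ciphertext; the 5-byte TPM_BOUND_DATA header plus OAEP overhead caps the payload at k - 47 bytes for a k-byte modulus, which is why bound data is normally a symmetric key rather than the bulk data itself.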

------------------------------------------------------------------------------