[PATCH tpm-work 0/3] move the tpm-work branch to an assuan based tpm handling daemon

James Bottomley James.Bottomley at HansenPartnership.com
Mon Jul 30 22:54:08 CEST 2018

On Mon, 2018-07-30 at 21:44 +0200, Wiktor Kwapisiewicz via Gnupg-devel
> Hi James,
> I'm very interested in your TPM patches (as a user).
> Could I ask you some questions on how does it work?
> I would like to have keys wrapped by TPM in such a way that the
> change  in system configuration would render the key useless. As far
> as I've  seen it's possible to do that by utilizing Platform
> Configuration Registers (PCRs). Would keys created by your TPM code
> have this property?

The current gpg2 code just does secure handling for the key, meaning it
ties the key to being only released on a single platform, so it
currently doesn't do a policy based on the PCR values.  That said,
there's no reason why it couldn't and if you look at the
openssl_tpm2_engine code, it does precisely do this (you can specify a
PCR and password policy for the key):


The difficulty I have with adding PCR policy to TPM protected gpg keys
is that PCR policy handling is a very esoteric function and it's
difficult to see value beyond the current platform locking the TPM
already does since the user would have to understand when the PCR
values changed and how to update the keys with new PCR values, which
would really put a kink in usability.


More information about the Gnupg-devel mailing list