[PATCH 0/5] Add TPM2 support to gnupg

James Bottomley James.Bottomley at HansenPartnership.com
Sun Jun 14 19:26:44 CEST 2020


I based these patches on the stable-2-2 branch so people can take them
for a spin easily.  They seem to upport to master quite well, if that
would be the preferred destination?  They also completely supersede
the old tpm-work branch because the code is fully restructured to
segregate all the TPM handling into its own daemon.

The first two patches are code rearrangement precursors.  They expose
the shadow key handling functions to the broad code (we need this
because TPM keys become a new type of shadow key and now we need to
change handling based on which type of key we have) and they
restructure the daemon infrastructure.  Today, there's only really one
kind of key handling subsidiary: scdaemon, but I need to introduce a
new one (tpm2daemon) and it's much easier to do this if there's a
reusable infrastructure.

The final 3 patches add the actual TPM code itself.  To use this you
need to have a copy of the ibmtss library installed.  Currently the
configure.ac can use the older tss2 package in sid:

https://packages.debian.org/sid/admin/tss2

But hopefully the new ibmtss package will replace it shortly.
openSUSE and fedora already have the ibmtss version of the package.

To use this you need your PC provisioned with a NV storage key.
Apparently this is falling out of favour and most of the TSS code now
derives an elliptic curve primary if it can't find the NV storage key.
I'll update the code to do this on the next go around.  You can see if
you have the NV storage key provisioned by doing

tssreadpublic -ho 0x81000001

If that succeeds, you're fine.  If it doesn't you can create one by doing:

  key=`tsscreateprimary -hi o -st -rsa|sed 's/Handle //'`
  tssevictcontrol -hi o -ho ${key} -hp 81000001
  tssflushcontext -ha ${key}

Once created it will persist across reboots, but the complexity of
this is why we've all agreed to move to the rederivation method.

James

---

James Bottomley (5):
  agent: expose shadow key type
  agent: separate out daemon handling infrastructure for reuse
  tpm2d: Add tpm2daemon code
  agent: Add new shadow key type and functions to call tpm2daemon
  g10: add new command keytotpm to convert a private key to TPM format

 Makefile.am          |    7 +-
 agent/Makefile.am    |    6 +
 agent/agent.h        |   97 ++-
 agent/call-daemon.c  |  583 +++++++++++++++++
 agent/call-scd.c     |  552 +---------------
 agent/call-tpm2d.c   |  248 ++++++++
 agent/command-ssh.c  |   10 +-
 agent/command.c      |   82 ++-
 agent/divert-tpm2.c  |  143 +++++
 agent/findkey.c      |    5 +-
 agent/gpg-agent.c    |   26 +-
 agent/keyformat.txt  |   12 +-
 agent/pkdecrypt.c    |    8 +-
 agent/pksign.c       |   14 +-
 agent/protect.c      |   72 ++-
 am/cmacros.am        |    3 +
 common/homedir.c     |    7 +
 common/util.h        |    1 +
 configure.ac         |   37 ++
 g10/call-agent.c     |   22 +
 g10/call-agent.h     |    3 +
 g10/keyedit.c        |   45 +-
 tools/gpgconf-comp.c |   15 +
 tpm2d/Makefile.am    |   18 +
 tpm2d/command.c      |  570 +++++++++++++++++
 tpm2d/tpm2.c         |  969 ++++++++++++++++++++++++++++
 tpm2d/tpm2.h         |   39 ++
 tpm2d/tpm2daemon.c   | 1434 ++++++++++++++++++++++++++++++++++++++++++
 tpm2d/tpm2daemon.h   |  130 ++++
 29 files changed, 4573 insertions(+), 585 deletions(-)
 create mode 100644 agent/call-daemon.c
 create mode 100644 agent/call-tpm2d.c
 create mode 100644 agent/divert-tpm2.c
 create mode 100644 tpm2d/Makefile.am
 create mode 100644 tpm2d/command.c
 create mode 100644 tpm2d/tpm2.c
 create mode 100644 tpm2d/tpm2.h
 create mode 100644 tpm2d/tpm2daemon.c
 create mode 100644 tpm2d/tpm2daemon.h

-- 
2.26.2
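The check-then-create steps from the message, combined into one idempotent script. This is an added example and not part of the patch series or the cover letter; it assumes the ibmtss tools named above are on PATH, that the owner hierarchy has an empty authorization (the original commands pass none either), and that the persistent handle is 0x81000001. The function names and the PERSISTENT_HANDLE variable are this example's own.

```shell
#!/bin/sh
# Added example: idempotent provisioning of the TPM2 NV storage key using
# the ibmtss command-line tools. Assumes an empty owner-hierarchy auth and
# the handle 0x81000001 from the message; PERSISTENT_HANDLE is an assumed name.
PERSISTENT_HANDLE=81000001

# Pull the transient handle out of tsscreateprimary's "Handle 80000000" line.
parse_handle() {
    sed -n 's/^Handle //p' | head -n 1
}

# Succeeds when a public area can be read at the persistent handle,
# i.e. the storage key is already provisioned.
have_storage_key() {
    tssreadpublic -ho "0x${PERSISTENT_HANDLE}" >/dev/null 2>&1
}

# Create an RSA storage primary under the owner hierarchy, make it
# persistent, and flush the transient copy even if evictcontrol failed so
# a TPM object slot is not leaked.
create_storage_key() {
    key=$(tsscreateprimary -hi o -st -rsa | parse_handle)
    if [ -z "$key" ]; then
        echo "tsscreateprimary produced no handle" >&2
        return 1
    fi
    tssevictcontrol -hi o -ho "$key" -hp "$PERSISTENT_HANDLE"
    rc=$?
    tssflushcontext -ha "$key"
    return $rc
}

# Check first; only create when the key is missing, then re-verify.
ensure_storage_key() {
    if have_storage_key; then
        echo "NV storage key already present at 0x${PERSISTENT_HANDLE}"
        return 0
    fi
    create_storage_key && have_storage_key
}

# Usage: sh ensure-storage-key.sh run   (functions can also be sourced)
if [ "${1:-}" = "run" ]; then
    ensure_storage_key
fi
```

Because tssreadpublic is tried first, running the script on a machine that is already provisioned is harmless; on one that is not, the persistent handle survives reboots exactly as the message describes.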