[PATCH v3 0/5] Add TPM2 support to gnupg 2.3

Werner Koch wk at gnupg.org
Thu Mar 11 09:19:23 CET 2021

On Wed, 10 Mar 2021 10:04, James Bottomley said:

> Unfortunately debian doesn't package a software TPM ... I don't know
> why, most other distributions do.  I have one here in deb format:
> https://build.opensuse.org/package/show/home:jejb1:TPM/swtpm2


> For the Intel TSS on debian you need libtss2-dev from the tpm2-tss
> source package.  The version on stable is too old (2.1.0) but the
> version in testing will work (3.0.3).

I deinstalled the IBM stack and the Intel code works with the opther patch.

> But I own copyright in all the base files I've added to your repo, so
> I'm happy for them to remain under GPLv3 going forward.  Since they had
> to be modified to support gcrypt, I don't think there's much direct
> reuse outside of the GPLv3 licence.

If there is ever a need we can easily chnage back to LGPL for tehse
parts.  I pushed my proposed patch with a link to your mail.

We plan to do Debian packages; do you have any advise which stack we
should prefer?  I guess IBM, becuase that one is tried first in

> Well, stuff takes a while, thanks for adding it.  Since it was always
> targetted at 2.3, there's no real delay anyway.

Now with TPM support in place, do you think that we could now go after
the passpharse caching code which states:

/* The encryption context.  This is the only place where the
   encryption key for all cached entries is available.  It would be nice
   to keep this (or just the key) in some hardware device, for example
   a TPM.  Libgcrypt could be extended to provide such a service.
   With the current scheme it is easy to retrieve the cached entries
   if access to Libgcrypt's memory is available.  The encryption
   merely avoids grepping for clear texts in the memory.  Nevertheless
   the encryption provides the necessary infrastructure to make it
   more secure.  */
static gcry_cipher_hd_t encryption_handle;

It would be sufficent if we could limit the time this symmetric
encryption key is exposed in memory to a minimum by encrypting the key
with the tpm.  Any ideas how to best integrate this?

And a last thing: It would be supercool if you could do a short writeup
on how to use the system in practise; for example as an article in our
blob.  Just if you can find some spare time (good joke, I know).



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20210311/547a3e87/attachment.sig>

More information about the Gnupg-devel mailing list