[gnutls-devel] [PATCH 0/2] Fix TPM key handling

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Dec 4 10:08:00 CET 2016

On Sat, 2016-12-03 at 14:31 -0800, James Bottomley wrote:
> It looks like TPM keys requiring authorization have never worked in
> gnutls, partly because of a coding error which is fixed in the first
> patch and partly because of an apparent misunderstanding about the
> way trousers works, which is fixed in the second.
> It's amusing to note that the concerns about the dictionary attack
> lockout in the second patch are real: I managed to lock up my own TPM
> while debugging the code and, thanks to Nuvoton, I discovered that
> the DA lockout survives clearing the TPM, meaning I was left with a TPM
> that was locked out but had no owner authority, meaning no viable way
> of resetting the DA lockout.  Fortunately, it agreed to let me back
> in the next day.

Thank you. I have applied a different fix on the first issue, i.e., to
ensure that import_tpm_key clears the key on failure (while leaving any
PIN info intact). The second I've applied as is.

Note that I have not yet tested the fixes (unfortunately my test suite
on TPM is manual, and since tpm-emulator no longer runs on modern
systems, testing of TPM functionality is not the easiest thing). I've
put the changes on a merge request at:


PS. If you know some mock tspi library, or have some idea testing TPM
functionality without a real TPM, I'm really interested. That's a thing
missing from our CI.
