[gnutls-devel] [PATCH 0/2] Fix TPM key handling
James.Bottomley at HansenPartnership.com
Sun Dec 4 18:03:33 CET 2016
On Sun, 2016-12-04 at 10:08 +0100, Nikos Mavrogiannopoulos wrote:
> On Sat, 2016-12-03 at 14:31 -0800, James Bottomley wrote:
> > It looks like TPM keys requiring authorization have never worked in
> > gnutls, partly because of a coding error which is fixed in the
> > first patch and partly because of an apparent misunderstanding
> > about the way trousers works, which is fixed in the second.
> > It's amusing to note that the concerns about the dictionary attack
> > lockout in the second patch are real: I managed to lock up my own
> > TPM while debugging the code and, thanks to Nuvoton, I discovered
> > that the DA lockout survives clearing the TPM, meaning I was left
> > with a TPM that was locked out but had no owner authority, meaning
> > no viable way of resetting the DA lockout. Fortunately, it agreed
> > to let me back in the next day.
> Thank you. I have applied a different fix on the first issue, i.e.,
> to ensure that import_tpm_key clears the key on failure (while
> leaving any PIN info intact). The second I've applied as is.
That's fine ... clearing the whole thing felt like a bit of a hack.
> Note that I have not yet tested the fixes (unfortunately my test
> suite on TPM is manual, and since tpm-emulator no longer runs on
> modern systems testing of TPM functionality is not the easiest
After my TPM lockout, I convinced myself I need to know how to make an
emulated TPM work. It looks like there is a functional 1.2 one:
But I need to figure out how to integrate it easily. I also need to
find a 2.0 one ..
> I've put the changes on a merge request at:
> PS. If you know some mock tspi library, or have some idea testing TPM
> functionality without a real TPM, I'm really interested. That's a
> thing missing from our CI.
It's high up on my list of things to look at.
More information about the Gnutls-devel