Protecting keys using a TPM

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Fri Mar 8 04:20:28 PST 2013

On Fri, Mar 8, 2013 at 12:46 PM, David Woodhouse <dwmw2 at> wrote:

>> > I was looking at the same issue a while ago. The OpenCryptoKI TPM-PKCS
>> > #11 module was so hard to set up that it didn't seem like a solution
>> > one could suggest to its users. I gave up and made a special type of
>> > URI, "tpmkey". It is simple and directly maps into TPM expected
>> > properties. This key type is now supported by gnutls 3.1.x.
>> With the caveat that it can't be enabled due to license
>> incompatibilities? [1]
> Someone at IBM really ought to be shot for that. Releasing the TSS
> library under a licence which prevents people from using it in GPL'd
> programs is insane.
> Kent, is there anything we can do about that?

I believe Kent is working on it.

>> Should we write a simple PKCS#11 read-only TPM module which just works?
>> I wouldn't mind giving that a shot.
> That might be useful, if we'd be happy with the subset of TPM
> functionality that can sanely be exported that way. If indeed it *is* a
> subset.

I also agree that this would be nice, nevertheless I don't know how
practical that could be (with respect to loading keys from file).
You'd need to create a standard on top of the TPM standard and ensure every
TPM user/application follows it. There are few applications using TPM
now, and each has its own way of loading those things.


More information about the p11-glue mailing list