Protecting keys using a TPM
dwmw2 at infradead.org
Fri Mar 8 08:51:35 PST 2013
On Fri, 2013-03-08 at 16:25 +0000, Ben Laurie wrote:
> On 8 March 2013 16:22, Ben Laurie <benl at google.com> wrote:
> >> Or is merging PKCS#11 support something we can pull off in
> >> OpenSSL if done right?
> > I think we can pull it off in OpenSSL.
> BTW, I would also be OK with directly supporting the TPM. Or both.
Unlike libtspi, I think the openssl-tpm-engine code *does* have a sane
licence. Well, it has the OpenSSL licence, which perhaps is sufficiently
insane for IBM to have approved it? Whatever, at least it's compatible
for this purpose.
So perhaps we should start by looking at merging the TPM engine into
openssl, and then see what needs doing to better integrate it so that it
doesn't need to be invoked manually by applications? Automatically
recognising its PEM header, etc.
Yes, that would add libtspi as an optional dependency. But I think we
can live with adding libtspi and p11-kit as optional dependencies.
Optional in the sense that any sane distribution should bloody well be
turning them on and building with them so that everything works out of
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 6171 bytes
Desc: not available
More information about the p11-glue