Protecting keys using a TPM

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Fri Mar 8 10:15:27 PST 2013


On 03/08/2013 04:51 PM, Stef Walter wrote:


>> How could that work, I mean as simply as loading a PKCS #11 URL? 
> Well it wouldn't work as URL. PKCS#11 URLs refer to stuff in tokens.
> It doesn't work in the same way that you can't (at least not today,
> correct me if I'm wrong) pass a PKCS#11 URL pointing to an RSA key
> sitting in a PEM encoded file on your disk to gnutls and have it work.


We do that for TPM keys. A tpmkey URL is of one of the forms:
tpmkey:uuid=xxxxx
tpmkey:file=/etc/key

While David's format with the TSS BLOB header can be detected, it is a
non-standard format and header. The standard TSS format for that key is
some raw data with no header, i.e. it cannot be detected by a file loading
mechanism. That is why I placed that under the tpmkey URL as well.

> Yes, that's why we should define the files to live in a standard
> location by default. The URI's then refer to the PKCS#11 objects that
> the p11-tpm module exposes for these files.


I think a standard location for a tpm-pkcs11 may just suffice in the
end. After all it is a convenience module, not a full blown TPM key
storage. If anyone wants to use non-standard locations he'd have to do
it some other way.

> This is really about how to tell gnutls to load a file instead of use a
> key in a standard store, right?  Only supporting files isn't a general
> purpose solution here anyway. So I would assume that these callers with
> keys in future non-standard locations (files or otherwise) would just
> import the key (as you would with an RSA key today) and then use it. The
> only difference being that in order to use the TSS blob, gnutls has
> to turn around and have TSS involved (via a TPM PKCS#11 module's
> C_Unwrap, in the future).


That may be an option for the files with the header, indeed.

regards,
Nikos
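The two tpmkey URL forms named in the message, and the "no header to detect" point about raw TSS blobs, are easy to see in code. The following is an added example, not code from the list post or from GnuTLS: a small parser for `tpmkey:uuid=...` and `tpmkey:file=...` references, plus a file sniffer that can only recognise a key file when it carries a PEM-style `-----BEGIN` header. The `;`-separated attribute syntax, the UUID pattern and the PEM header string are assumptions made for the example, not GnuTLS's actual grammar.

```python
"""Added example (not from the p11-glue post or from GnuTLS).

Parses the two tpmkey URL forms mentioned in the message and shows why a
raw, header-less TSS key blob cannot be told apart from other opaque data
by a generic file loader, which is the argument for naming it explicitly
through a tpmkey:file= URL.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TpmKeyRef:
    """A parsed tpmkey reference: either a TSS persistent-store UUID or a file path."""
    kind: str    # "uuid" or "file"
    value: str


# Assumption: TSS key UUIDs are written in the usual 8-4-4-4-12 hex form.
_UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_tpmkey_url(url: str) -> TpmKeyRef:
    """Parse 'tpmkey:uuid=...' or 'tpmkey:file=...' into a TpmKeyRef.

    Assumption: attributes after the scheme are ';'-separated key=value pairs,
    modelled on PKCS#11 URL syntax. Anything else raises ValueError so a caller
    never silently treats an unrelated URL as a TPM key.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "tpmkey":
        raise ValueError("not a tpmkey URL: %r" % url)

    attrs = {}
    for part in rest.split(";"):
        if not part:
            continue
        key, eq, val = part.partition("=")
        if not eq or not key:
            raise ValueError("malformed tpmkey attribute: %r" % part)
        if key in attrs:
            raise ValueError("duplicate tpmkey attribute: %r" % key)
        attrs[key] = val

    if "uuid" in attrs and "file" in attrs:
        raise ValueError("tpmkey URL must name either a uuid or a file, not both")

    if "uuid" in attrs:
        uuid = attrs["uuid"]
        if not _UUID_RE.match(uuid):
            raise ValueError("bad TSS uuid: %r" % uuid)
        return TpmKeyRef("uuid", uuid.lower())

    if "file" in attrs:
        path = attrs["file"]
        # Require an absolute path so the reference does not depend on the
        # caller's working directory (a relative path could resolve to the
        # wrong key depending on who loads it).
        if not path.startswith("/"):
            raise ValueError("tpmkey file path must be absolute: %r" % path)
        return TpmKeyRef("file", path)

    raise ValueError("tpmkey URL carries neither uuid= nor file=")


def sniff_key_file(data: bytes) -> str:
    """Classify key file contents by header only.

    Returns 'pem' when a PEM-style armour header is present (David's headed
    format would be detectable this way; the exact header text is an
    assumption here) and 'opaque' otherwise. A raw TSS blob has no header,
    so it always comes back as 'opaque': a loader cannot guess what it is,
    which is why the message keeps such files under an explicit tpmkey URL.
    """
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    return "opaque"


if __name__ == "__main__":
    # Constructed sample inputs, not real keys.
    print(parse_tpmkey_url("tpmkey:file=/etc/key"))
    print(parse_tpmkey_url("tpmkey:uuid=58ECB4E5-1C3D-4F8B-9A10-0123456789AB"))
    print(sniff_key_file(b"-----BEGIN TSS KEY BLOB-----\nMIIB...\n"))
    print(sniff_key_file(bytes(range(32))))
```

The sniffer deliberately reports only what it can prove from the bytes: a PEM header is positive evidence, while "opaque" means "unknown", not "TSS blob". Treating every unrecognised file as a TPM key would be the wrong default, so the explicit URL form carries that decision instead.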
