Protecting keys using a TPM

Kent Yoder shpedoikal at gmail.com
Fri Mar 15 14:27:25 PDT 2013


On Fri, Mar 8, 2013 at 6:20 AM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> On Fri, Mar 8, 2013 at 12:46 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>
>>> > I was looking at the same issue a while ago. The OpenCryptoKI TPM-PKCS
>>> > #11 module was so hard to set up that it didn't seem like a solution
>>> > one could suggest to its users. I gave up and made a special type of
>>> > URI, "tpmkey". It is simple and directly maps onto the properties the TPM
>>> > expects. This key type is now supported by gnutls 3.1.x.
>>> With the caveat that it can't be enabled due to license
>>> incompatibilities? [1]
>> Someone at IBM really ought to be shot for that. Releasing the TSS
>> library under a licence which prevents people from using it in GPL'd
>> programs is insane.
>> Kent, is there anything we can do about that?
>
> I believe Kent is working on it.

  Yes, I'm working to get this changed now.

Kent

>>> Should we write a simple PKCS#11 read-only TPM module which just works?
>>> I wouldn't mind giving that a shot.
>> That might be useful, if we'd be happy with the subset of TPM
>> functionality that can sanely be exported that way. If indeed it *is* a
>> subset.
>
> I also agree that this would be nice; nevertheless I don't know how
> practical that could be (with respect to loading keys from file).
> You'd need to create a standard on top of the TPM standard and ensure every
> TPM user/application follows it. There are few applications using TPM
> now, and each has its own way of loading those things.
>
> regards,
> Nikos
> _______________________________________________
> p11-glue mailing list
> p11-glue at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/p11-glue
