Protecting keys using a TPM

Kent Yoder shpedoikal at
Fri Mar 15 14:27:25 PDT 2013

On Fri, Mar 8, 2013 at 6:20 AM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at> wrote:
> On Fri, Mar 8, 2013 at 12:46 PM, David Woodhouse <dwmw2 at> wrote:
>>> > I was looking at the same issue a while ago. The OpenCryptoKI TPM-PKCS
>>> > #11 module was so hard to set up that it didn't seem like a solution
>>> > one could suggest to its users. I gave up and made a special type of
>>> > URI, "tpmkey". It is simple and directly maps onto the properties the TPM
>>> > expects. This key type is now supported by gnutls 3.1.x.
>>> With the caveat that it can't be enabled due to license
>>> incompatibilities? [1]
>> Someone at IBM really ought to be shot for that. Releasing the TSS
>> library under a licence which prevents people from using it in GPL'd
>> programs is insane.
>> Kent, is there anything we can do about that?
> I believe Kent is working on it.

  Yes, I'm working to get this changed now.


>>> Should we write a simple PKCS#11 read-only TPM module which just works?
>>> I wouldn't mind giving that a shot.
>> That might be useful, if we'd be happy with the subset of TPM
>> functionality that can sanely be exported that way. If indeed it *is* a
>> subset.
> I also agree that this would be nice; nevertheless, I don't know how
> practical that could be (with respect to loading keys from file).
> You'd need to create a standard on top of the TPM standard and ensure every
> TPM user/application follows it. There are few applications using the TPM
> now, and each has its own way of loading those things.
> regards,
> Nikos
> _______________________________________________
> p11-glue mailing list
> p11-glue at
