From: tpm2 [mailto:email@example.com] On Behalf Of Ralf Schlatterbeck
Sent: Wednesday, April 10, 2019 9:27 AM
Subject: [tpm2] tpm2-tss-engine
I'm testing with a TPM-2 module for the Raspberry-Pi from Infineon running on
an Orange-Pi zero (also a single-board computer a little smaller than the raspi).
I've successfully built tpm2-tss-engine and have the following questions:
- The key generation examples in the README.md create the private key in
a file on the local filesystem. Isn't the purpose of a
hw-security-module that the key stays inside the device and can't be
extracted? Or am I missing something here?
That blob of data that gets stored on disk is sealed to that TPM. So outside of DOS
If someone deletes that keyblob, there's no real way to use it to extract the key
Directly from that blob unless they break the TPMs crypto mechanism used to protect it.
They could load it if they access to the parent objects authorization value, but
able to use the object without satisfying it's authorization value, but the TPM has
attack prevention to prevent brute force guessing, so that helps. TPM DA protection
the object be created with noDA attribute clear.
Theirs other attributes when creating the object that indicate whether or not the
key can ever be exported from the TPM, not sure if those are being set.
Is there a way to create a
protected key inside the device in a way that it cannot be
I think you want fixedtpm and fixedparent.
If we look at the ECC key, we see these being set:
.objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
The code is setting NODA which means someone can load up that object, and very slowly
the auth value.
The auth value seems to be the password directly:
src/tpm2-tss-engine-ecc.c:463: tpm2Data->userauth.size = strlen(password);
So pick a strong one, not sure why they're not embedding a salt/iters in the PEM file
and using a pbkdf routine.
- I'm not familiar with the engine concept of OpenSSL, is there a
use the engine with a software that is not engine-aware? In my case
the mosquitto message broker. Or would I have to modify the software?
I think engines can be loaded via the config file or environment variables.
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office(a)runtux.com
tpm2 mailing list