Hello, 

On Fri, Jan 24, 2020 at 4:52 PM <nicolasoliver03@gmail.com> wrote:

Our assumption is that, if we make the PKCS#11 module work for wpa_supplicant, we will also enable any software that wants to use the TPM by just using the PKCS#11 standard, which is much more easier than implementing specific logic to talk with the TPM in specific platforms (standards are good


In my experience this is mostly true - the key word in that sentence being "mostly". The PKCS#11 is fairly big (http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html) and while it fully describes the interface between the cryptographic system and its user, it does very little to describe how is shall be used. That's where the experience comes in handy: different softwares use different workflows. So given a specific PKCS#11 engine, you may be able to have it work with (for example) OpenVPN, but not with wget (though the PKCS#11 engine for OpenSSL). This will only be true if the specific PKCS#11 engine you use for your device implements everything in the spec.


Additionally, to have this widely available, we need to make this packages available in the target distros (Fedora and Ubuntu for now).
There is a tpm2-pkcs11 package available in Fedora as today: https://pkgs.org/download/tpm2-pkcs11.
I just found that there is a tpm2-pk11 package in Ubuntu as well, that also uses tpm2-tss here https://zoomadmin.com/HowToInstall/UbuntuPackage/tpm2-pk11.

I haven't worked with tpm2-pkcs11 yet so I cannot say much about it (this is planed but I have to find some time to do so ; my goal is to use it over tpm2-pk11 but then I have a specific version where the public certificates are stored as DER in the nvram of the TPM2 instead of being stored in a specific directory). tpm2-pk11 was missing things when I started to use it and I had to add what was missing for my own use case (we have used it for 2 years with OpenVPN, OpenSSL and a handful of other programs).
As regards the tpm2-tss-engine, there is no package for Ubuntu. There is an rpm for Fedora being assembled here https://bugzilla.redhat.com/show_bug.cgi?id=1773855 though.

So I hope that all this exercise makes the process more stable for everybody!

Thanks :)

Best regards, 

--
Emmanuel Deloget