The tpm2-pkcs11 project supports two backends: - The original backend (sqlite3) - The FAPI backend (file system stores) Their is a document describing how to set up SSH using the original backend: https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/SSH.md If you really want to use the FAPI backend, you need to get tss2_provision to work, not exactly sure what the error is there. But perhaps others will know. ________________________________ From: scott.r.eisele(a)gmail.com <scott.r.eisele(a)gmail.com&gt; Sent: Monday, July 19, 2021 10:36 PM To: tpm2(a)lists.01.org <tpm2(a)lists.01.org&gt; Subject: [tpm2] TPM for SSH authentication Hi everyone! I'm trying to use a TPM to secure ssh keys, following the example here: https://incenp.org/notes/2020/tpm-based-ssh-key.html First, is this a standard way to secure ssh keys? Or is there another method that is preferred? Assuming this method is acceptable, I made it to the point of extracting the public key from the PKCS11 token but ran into an issue. $ ssh-keygen -vvv -D /usr/local/lib/libtpm2_pkcs11.so > tpm2key1.pub WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List ERROR: Listing FAPI token objects failed. debug1: provider /usr/local/lib/libtpm2_pkcs11.so: manufacturerID <tpm2-software.github.io> cryptokiVersion 2.40 libraryDescription <TPM2.0 Cryptoki> libraryVersion 0.0 debug1: provider /usr/local/lib/libtpm2_pkcs11.so slot 0: label <firstToken> manufacturerID <Infineon> model <SLB9670> serial <000000000000000> flags 0x40d debug1: have 1 keys debug2: pkcs11_register_provider: ignoring uninitialised token in provider /usr/local/lib/libtpm2_pkcs11.so slot 1 debug1: pkcs11_k11_free: parent 0xaaaaf0703630 ptr 0xaaaaf06ed350 idx 1 debug1: pkcs11_provider_unref: 0xaaaaf0692300 refcount 2 debug1: pkcs11_provider_finalize: 0xaaaaf0692300 refcount 1 valid 1 debug1: pkcs11_provider_unref: 0xaaaaf0692300 refcount 1 I then tried running Fapi_List() directly: $ sudo tss2_list WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:216:Fapi_List_Finish() Path not found: ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List Fapi_List(0x60034) - fapi:Provisioning was not executed. And assumed that provisioning was required. So I attempted that: $ sudo tss2_provision ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:520:Fapi_Provision_Finish() ErrorCode (0x0006000b) SRK persistent handle already defined ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x0006000b) Provision Fapi_Provision(0x6000B) - fapi:A parameter has a bad value At this point, I'm at a loss as to what the state of the TPM is and how to properly provision it and establish the Storage Hierarchy. I've looked at https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisi... but it's not clear to me how to apply it. Any help would be great. Thanks! My platform configuration is: raspberry pi 3b+ Infineon OPTIGA™ TPM SLx 9670 ubuntu 20.04 tpm2-tss-3.1.0 tpm2-tools-5.1.1 tpm2-abrmd-2.4.0 tpm2-pkcs11-1.6.0 _______________________________________________ tpm2 mailing list -- tpm2(a)lists.01.org To unsubscribe send an email to tpm2-leave(a)lists.01.org %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s