The tpm2-pkcs11 project supports two backends:
- The original backend (sqlite3)
- The FAPI backend (file system stores)
There is a document describing how to set up SSH using the original backend:
https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/SSH.md
If you really want to use the FAPI backend, you need to get tss2_provision to work, not
exactly sure what the error is there.
But perhaps others will know.
________________________________
From: scott.r.eisele(a)gmail.com <scott.r.eisele(a)gmail.com>
Sent: Monday, July 19, 2021 10:36 PM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] TPM for SSH authentication
Hi everyone!
I'm trying to use a TPM to secure ssh keys, following the example here:
https://incenp.org/notes/2020/tpm-based-ssh-key.html
First, is this a standard way to secure ssh keys? Or is there another method that is
preferred?
Assuming this method is acceptable, I made it to the point of extracting the public key
from the PKCS11 token but ran into an issue.
$ ssh-keygen -vvv -D /usr/local/lib/libtpm2_pkcs11.so > tpm2key1.pub
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
ERROR: Listing FAPI token objects failed.
debug1: provider /usr/local/lib/libtpm2_pkcs11.so: manufacturerID <tpm2-software.github.io> cryptokiVersion 2.40 libraryDescription <TPM2.0 Cryptoki> libraryVersion 0.0
debug1: provider /usr/local/lib/libtpm2_pkcs11.so slot 0: label <firstToken> manufacturerID <Infineon> model <SLB9670> serial <000000000000000> flags 0x40d
debug1: have 1 keys
debug2: pkcs11_register_provider: ignoring uninitialised token in provider /usr/local/lib/libtpm2_pkcs11.so slot 1
debug1: pkcs11_k11_free: parent 0xaaaaf0703630 ptr 0xaaaaf06ed350 idx 1
debug1: pkcs11_provider_unref: 0xaaaaf0692300 refcount 2
debug1: pkcs11_provider_finalize: 0xaaaaf0692300 refcount 1 valid 1
debug1: pkcs11_provider_unref: 0xaaaaf0692300 refcount 1
I then tried running Fapi_List() directly:
$ sudo tss2_list
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:216:Fapi_List_Finish() Path not found:
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
Fapi_List(0x60034) - fapi:Provisioning was not executed.
And assumed that provisioning was required. So I attempted that:
$ sudo tss2_provision
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:520:Fapi_Provision_Finish() ErrorCode (0x0006000b) SRK persistent handle already defined
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x0006000b) Provision
Fapi_Provision(0x6000B) - fapi:A parameter has a bad value
At this point, I'm at a loss as to what the state of the TPM is and how to properly
provision it and establish the Storage Hierarchy.
I've looked at
https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisi...
but it's not clear to me how to apply it.
Any help would be great. Thanks!
My platform configuration is:
raspberry pi 3b+
Infineon OPTIGA™ TPM SLx 9670
ubuntu 20.04
tpm2-tss-3.1.0
tpm2-tools-5.1.1
tpm2-abrmd-2.4.0
tpm2-pkcs11-1.6.0
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
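The tss2_provision failure above (0x0006000b, "SRK persistent handle already defined") means an object already sits at the persistent handle the FAPI profile wants for its SRK, so FAPI's keystore and the TPM's persistent storage disagree. The pre-check below is an added example, not code from the thread or from the tpm2-software projects; it assumes the default FAPI profile persists the SRK at 0x81000001 (confirm in the profile under /etc/tpm2-tss/fapi-profiles/) and that `tpm2_getcap handles-persistent` (tpm2-tools 5.x) prints one "- 0x8100xxxx" line per handle.

```shell
#!/bin/sh
# Assumption: default FAPI profile SRK handle; override if your profile differs.
FAPI_SRK_HANDLE="${FAPI_SRK_HANDLE:-0x81000001}"

# Turn captured `tpm2_getcap handles-persistent` output into one lowercase
# handle per line (lines look like "- 0x81000001").
parse_persistent_handles() {
    printf '%s\n' "$1" | sed -n 's/^- *\(0x[0-9A-Fa-f]*\).*/\1/p' | tr 'A-F' 'a-f'
}

# Exit 0 if handle $2 appears in the newline-separated list $1.
handle_in_use() {
    _h=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    printf '%s\n' "$1" | grep -qx "$_h"
}

# Prints "occupied" when tss2_provision would hit the 0x6000b error because
# the profile's SRK handle is already taken, "free" otherwise.
check_fapi_srk_slot() {
    _handles=$(parse_persistent_handles "$1")
    if handle_in_use "$_handles" "$FAPI_SRK_HANDLE"; then
        echo occupied
    else
        echo free
    fi
}

# Live check on a host with a TPM; skipped where tpm2-tools is not installed.
if command -v tpm2_getcap >/dev/null 2>&1; then
    _live=$(tpm2_getcap handles-persistent 2>/dev/null || true)
    case "$(check_fapi_srk_slot "$_live")" in
        occupied)
            echo "SRK handle $FAPI_SRK_HANDLE is occupied: tss2_provision will fail with 0x6000b."
            echo "Either the FAPI keystore (by default under /var/lib/tpm2-tss and ~/.local/share/tpm2-tss)"
            echo "was removed after an earlier provisioning, or another tool persisted an object there."
            echo "Use the sqlite3 backend per docs/SSH.md, or reconcile the keystore with the TPM." ;;
        free)
            echo "SRK handle $FAPI_SRK_HANDLE is free: tss2_provision can create the SRK." ;;
    esac
fi
```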