irtimmer / tpm2-pk11

[DEPRECATED] PKCS#11 Module for TPM 2.0
BSD 2-Clause "Simplified" License

Unable to use OpenSSH with TPM #82

Open MMaiero opened 6 years ago

MMaiero commented 6 years ago

I'm trying to test this project using the following environment:

I'm currently able to access and manage the TPM using the TSS libraries. I've created the TPM key following the provided guide, copied the default config.sample file to ~/.tpm2/config but when I try to extract the public key using ssh-keygen I get the following error:

C_Initialize for provider /usr/lib/arm-linux-gnueabihf/pkcs11/libtpm2-pk11.so failed: 5
cannot read public key from pkcs11

Do you have any idea why this happens? Thanks

irtimmer commented 6 years ago

Please configure a log file in config and set the log level to 5 (debug) and upload the log file after running ssh-keygen. Could you also run tpm2_listpersistent so I have an overview of the available keys in the TPM?

MMaiero commented 6 years ago

Hi, this is what I get when invoking tpm2_listpersistent:

pi@raspberrypi:~/temp $ tpm2_listpersistent
persistent-handle[0]:0x81010010 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign

Regarding the log file, I have not found documentation about it. I've just found an issue that suggested setting up the config file like this:

# Type can be device/socket/tabrmd
type device
# Hostname to connect when using socket
hostname localhost
# Port number of TPM socket to connect to
port 2321
# Device to use as TPM
device /dev/tpm0
# Sign using encrypt in case the TPM doesn't support the hash format
# For example SSH uses SHA512 which isn't supported by all TPMs
# Enabling this option requires keys to be encryption keys instead of signing-only keys
sign-using-encrypt true
# Set login_required in case keys are protected by a password
# Notice currently only a single password for all keys is supported
# Depending on the TPM settings, providing wrong passwords can lead to a lockout
login-required false
# Logging settings
# Supported log levels:
#   0=>None(no messages at all by default)
#   1=>Information(only errors and warnings are recorded)
#   2=>Verbose(including errors, warnings and verbose logs)
#   3=>Debug(including errors, warnings and all debugging messages)
# The following lines will enable this experimental logging feature.
log-level 5
log /var/log/pk11.log
# Built-in keywords stderr and stdout may be used here.
# If you want to print the log messages directly on command line,
# change the "log /path/to/file.log" line like this:
# log stderr

Is it correct? Because I'm getting no log file.
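The config above asks the module to write to /var/log/pk11.log, and the user running ssh-keygen is pi; an empty log is consistent with the module being unable to create that file (an assumption here, not a diagnosis from the thread). The following helper is an added example, not part of the issue or of tpm2-pk11 itself. It assumes only the "key value" config format with # comments shown above, and the built-in stderr/stdout log keywords the config comments mention. It parses the config, checks whether the log destination is writable by the current user, flags a log-level outside the 0-3 range documented in the config comments, and then gives a probe function that exercises the module directly with OpenSC's pkcs11-tool before trying ssh-keygen -D.

```shell
#!/bin/sh
# Added example for diagnosing "no log file" with tpm2-pk11.
# Assumed config format (from the posted config): one "key value" per line,
# '#' starts a comment. The module itself is treated as a black box.

# pk11_cfg_get FILE KEY -> prints the last value assigned to KEY ("" if unset)
pk11_cfg_get() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# pk11_check_log FILE -> returns 0 if the configured log destination can be
# written by the current user, 1 otherwise. Diagnostics go to stderr.
pk11_check_log() {
    cfg="$1"
    lvl=$(pk11_cfg_get "$cfg" log-level)
    dest=$(pk11_cfg_get "$cfg" log)
    rc=0
    if [ -z "$dest" ]; then
        echo "no 'log' line in $cfg: nothing will be written" >&2
        return 1
    fi
    case "$dest" in
        stderr|stdout) ;;   # built-in keywords: always usable
        *)
            dir=$(dirname "$dest")
            if [ -e "$dest" ] && [ ! -w "$dest" ]; then
                echo "$dest exists but is not writable by $(id -un)" >&2
                rc=1
            elif [ ! -e "$dest" ] && [ ! -w "$dir" ]; then
                echo "cannot create $dest: $dir is not writable by $(id -un)" >&2
                rc=1
            fi ;;
    esac
    case "$lvl" in
        ''|*[!0-9]*)
            echo "log-level '$lvl' is not a number" >&2
            rc=1 ;;
        *)
            # The config comments document levels 0..3; the maintainer asked for 5.
            # Only warn, since which value the module honours is not settled here.
            if [ "$lvl" -gt 3 ]; then
                echo "note: log-level $lvl is above the documented maximum 3 (debug)" >&2
            fi ;;
    esac
    return $rc
}

# pk11_probe MODULE -> exercise C_Initialize outside of ssh-keygen, with the
# module's log forced to the terminal. Requires a TPM, so it is not run here.
pk11_probe() {
    mod="$1"
    # Temporary config that logs to stderr, so nothing depends on file permissions.
    tmp=$(mktemp)
    sed -e 's|^log .*|log stderr|' "${HOME}/.tpm2/config" > "$tmp"
    # tpm2-pk11 reads ~/.tpm2/config; point HOME at a scratch dir holding the copy.
    scratch=$(mktemp -d) && mkdir -p "$scratch/.tpm2" && cp "$tmp" "$scratch/.tpm2/config"
    ls -l /dev/tpm0                                   # is the device readable by this user?
    HOME="$scratch" pkcs11-tool --module "$mod" --show-info   # C_Initialize + token info
    HOME="$scratch" pkcs11-tool --module "$mod" --list-objects
    HOME="$scratch" ssh-keygen -D "$mod"              # what the reporter originally ran
    rm -rf "$tmp" "$scratch"
}
```

Run `pk11_check_log ~/.tpm2/config` first; if it reports that /var/log/pk11.log cannot be created by pi, switch the config to `log stderr` (or a path under $HOME) and rerun ssh-keygen to capture the debug output the maintainer asked for. `pk11_probe` then narrows the C_Initialize failure down to the module and TPM access (device permissions, config parsing) rather than anything OpenSSH-specific.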