tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

Create PKCS11 tools for TPM2.0 device #518

Closed liuqun closed 6 years ago

liuqun commented 6 years ago

A PKCS11 API interface for TPM 2.0 chips is available, written by Iwan Timmer:

With libtpm2-pk11.so, a TPM2.0 device or simulator can work with the ssh client just like any other smart-card device. For example:

mkdir ~/.tpm2 && cd ~/.tpm2
# endorsement-hierarchy primary; 0x000b = SHA-256 name alg, 0x0001 = RSA (tpm2-tools 3.x flag syntax)
tpm2_createprimary -A e -g 0x000b -G 0x0001 -C po.ctx
# child RSA key under that primary; the private blob is wrapped by the TPM before it reaches disk
tpm2_create -c po.ctx -g 0x000b -G 0x0001 -o key.pub -O key.priv
tpm2_load -c po.ctx -u key.pub -r key.priv -n key.name -C obj.ctx
# persist the key at handle 0x81010010 (owner authorization) so the provider can find it after reboot
tpm2_evictcontrol -A o -c obj.ctx -S 0x81010010
# transient contexts are no longer needed once the key is persistent
rm key.name *.ctx

cp config.sample ~/.tpm2/config

# export the TPM-held public key through the PKCS11 provider, then authenticate with it
ssh-keygen -D libtpm2-pk11.so > ~/.ssh/authorized_keys
ssh -I libtpm2-pk11.so localhost

For TPM 1.2, there is a tool, simple-tpm-pk11, that provides a PKCS11 API. With it, a TPM1.2-protected RSA private key can be generated and used with OpenSSH. See the examples from https://github.com/ThomasHabets/simple-tpm-pk11:

sudo apt-get install simple-tpm-pk11
ssh-keygen -D libsimple-tpm-pk11.so > ~/.ssh/authorized_keys
ssh -I libsimple-tpm-pk11.so localhost


IBM's TPM1.2 package tpm-tools-pkcs11 (which has recently been split off from the tpm-tools/trousers package) provides another 5 tools to work with its OpenCryptoki PKCS11 token service:

See the tpm-tools manual pages, http://trousers.sourceforge.net/man.html (PKCS 11 Data Management Commands), and:

https://github.com/opencryptoki/opencryptoki/blob/master/doc/opencryptoki-howto.md#731-trusted-module-platform-tpm
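The provisioning recipe above, as an added example that is not part of the original post or of the tpm2-pk11 or tpm2-tools projects. It rewrites the same sequence (endorsement primary, child RSA key, load, persist) in the later tpm2-tools 4.x/5.x flag syntax, which is an assumption about the installed tool version, and adds the check a practitioner wants before `tpm2_evictcontrol`: that the chosen persistent handle is not already occupied, parsed from `tpm2_getcap handles-persistent` output (the `- 0x8101xxxx` line format is assumed). `DRY_RUN=1` prints the commands instead of running them so the sequence can be reviewed on a machine without a TPM.

```shell
#!/bin/sh
# Provision a TPM2-resident RSA key for use through a PKCS#11 provider such as
# libtpm2-pk11.so. Added example, not project code. Assumes tpm2-tools 4.x/5.x
# command syntax (the original post uses the 3.x flags).
set -eu

# run CMD...: execute CMD, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# handle_in_use LIST HANDLE: LIST is the output of `tpm2_getcap handles-persistent`
# (assumed one "- 0x8101xxxx" line per handle); returns 0 if HANDLE is listed.
handle_in_use() {
    list=$1
    handle=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$list" | tr '[:upper:]' '[:lower:]' \
        | grep -qE "^[[:space:]]*-[[:space:]]*${handle}\$"
}

# provision_ssh_key HANDLE DIR: create and persist the key; prints HANDLE on success
provision_ssh_key() {
    handle=$1
    dir=$2
    mkdir -p "$dir"
    # Refuse to clobber an existing persistent object (skipped in dry-run: no TPM to ask)
    if [ "${DRY_RUN:-0}" != "1" ] && handle_in_use "$(tpm2_getcap handles-persistent)" "$handle"; then
        echo "persistent handle $handle already in use; evict it or choose another" >&2
        return 1
    fi
    # Endorsement-hierarchy primary, RSA (2048-bit default) with SHA-256 name algorithm
    run tpm2_createprimary -C e -g sha256 -G rsa -c "$dir/primary.ctx"
    # Child RSA key; only the TPM-wrapped private blob is written to disk
    run tpm2_create -C "$dir/primary.ctx" -g sha256 -G rsa -u "$dir/key.pub" -r "$dir/key.priv"
    run tpm2_load -C "$dir/primary.ctx" -u "$dir/key.pub" -r "$dir/key.priv" -c "$dir/key.ctx"
    # Persist under owner authorization so the provider can address it by handle later
    run tpm2_evictcontrol -C o -c "$dir/key.ctx" "$handle"
    # Transient objects are no longer needed in the TPM or on disk
    run tpm2_flushcontext -t
    rm -f "$dir"/*.ctx
    echo "$handle"
}

# export_pubkey PROVIDER: print the OpenSSH public key line for the TPM-held key
export_pubkey() {
    run ssh-keygen -D "$1"
}

# Usage: sh provision.sh provision [HANDLE] [DIR]; with no arguments only the
# functions are defined, so the file can also be sourced.
case "${1:-}" in
    provision) provision_ssh_key "${2:-0x81010010}" "${3:-$HOME/.tpm2}" \
               && export_pubkey "${PKCS11_PROVIDER:-libtpm2-pk11.so}" ;;
    "") ;;
esac
```

Run it once with `DRY_RUN=1 sh provision.sh provision` to see the exact commands, then without `DRY_RUN` against the real chip; the exported public key line goes into `authorized_keys` on the target host exactly as in the original recipe.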

williamcroberts commented 6 years ago

@flihp didn't you find some other (appears to be complete) project that actually does this?

flihp commented 6 years ago

I've had an entry in my TODO to kick the tires on https://github.com/irtimmer/tpm2-pk11 for a month now. Haven't had a chance but it looks really promising. @idesai : have you had a chance to look at this yet?

martinezjavier commented 6 years ago

@liuqun @flihp thanks a lot for sharing this, it's very interesting. A colleague mentioned to me that he wanted to use a TPM2 as a PKCS11 backend, so I'll refer him to this project to see what his opinion is.

Now, regarding this specific issue. If I understand correctly it's a feature request for a simple-tpm2-pk11 tool (using the same naming as the TPM 1.2 tool mentioned) that's a wrapper around libtpm2-pk11.so?

I think that first we have to answer the question about what the scope of the tpm2-tools project is. AFAICT it is to have a set of command line utilities to use the operations supported by the System API (and in the future probably also what's offered by the Enhanced System and Feature APIs).

If that's the case, then I think that the simple-tpm2-pk11 is out of scope. I mean, it's great to have this, but none of the TSS APIs include a Cryptoki API for PKCS11.

I also don't think that the simple-tpm2-pk11 tool will share a lot of code with the other tools, since it would mostly be a wrapper around the mentioned libtpm2-pk11.so library. Probably the tool should be part of the tpm2-pk11.

I see from the tpm2-pk11 README that the tpm2-tools are used to create the keys and the library is only used to get the keys from the TPM2. Probably what makes the most sense is to extend the library to also have primitives to create keys and let the simple-tpm2-pk11 tool use them.

That way the project will have no dependencies on the tpm2-tools and will also have the side effect that the library could just be a drop-in replacement for applications written for the PKCS11 Cryptoki API.

Does this make sense to you?

williamcroberts commented 6 years ago

@martinezjavier glad you brought up the scope part. I was pondering where we scope this project, and I think it's to direct tpm commands and sapi/eapi/fapi support tools. I think this is out of scope, so I'll close it. But I'm glad we have an archived link to that github project that has the pkcs11 shared object.

arunvigneshks commented 6 years ago

Is there any alternative command for tpmtoken_init for TPM 2.0? After taking ownership of TPM 2.0 and running tpmtoken_init it gives error "PKCS11 TPM token is not present" or am I doing anything wrong?

williamcroberts commented 6 years ago

@arunvigneshks I have no idea, never used it. Better to ask that project.

liuqun commented 6 years ago

@arunvigneshks TPM2.0 does not have a tpmtoken_init command yet. You would simply get unknown error messages when trying to use this TPM1.2 command on a TPM2.0 chip.

For TPM 1.2, there are two different projects that support the PKCS11 API.

PeterHuewe commented 6 years ago

Since we now have that more tpm2-software umbrella namespace - would it make sense to "invite" the pkcs11 project over?

williamcroberts commented 5 years ago

@PeterHuewe we did. There were some licensing issues at first and most of the design was quite limited. So we started a new one, but would like to consolidate the communities at some point and get folks working together. You can see our new, in-progress tpm2-pkcs11 project here: https://github.com/tpm2-software/tpm2-pkcs11