pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git  about / heads / tags
TPM2 engine and key creation tools for openssl
$ git log --pretty=format:'%h %s (%cs)%d'
84a25d8 Version 4.4.1 (2024-11-05)
	(HEAD -> master, tag: v4.4.1, next)
98d8bef Fix OBS build (2024-11-04)
6ae7fe9 Version 4.4.0 (2024-11-01)
	(tag: v4.4.0)
508060a Fix 32 bit errors (2024-11-01)
19846a6 attest_tpm2_primary: check qualified name (2024-10-31)
6676f28 tss: add VALT() macro (2024-10-31)
43c78d1 lib: check key properties on every create primary (2024-10-31)
99583d7 lib: return public area for non-permanent handles (2024-10-24)
90eecdf Use the NULL seed for salting every session (2024-10-22)
a137f58 Consolidate non-permanent handle handling in tpm2_load_srk (2024-10-22)
...

$ git cat-file blob HEAD:README

 README for the OpenSSL TPM 2.0 engine

 Author: James Bottomley <James.Bottomley@HansenPartnership.com>

 Mailing List: openssl-tpm2-engine@groups.io


ABOUT

  This package contains 2 sets of code, a command-line utility used to
generate a TSS key blob and write it to disk and an OpenSSL engine which
interfaces with the TSS API.  Because this application uses the TPM
cryptographically, it must be build with the IBM TSS:

http://ibmswtpm.sourceforge.net/ibmtss2.html

Prebuilt binaries for a lot of distributions on the Open SUSE Build Service

https://build.opensuse.org/package/show/home:jejb1:TPM/ibmtss

You can also find this package and a range of other TPM tools built at

https://build.opensuse.org/package/show/home:jejb1:TPM

BUILDING

 Requirements: OpenSSL, IBM TSS

 $ configure [--enable-debug] [--with-openssl=/path/to/custom/openssl]
 $ make
 # make install

RUNNING

	create_tpm2_key: create a TPM key and write it to disk
	usage: create_tpm2_key [options] <filename>

	Options:
		-a|--auth          require a password for the key [NO]
		-h|--help          print this help message
		-s|--key-size      key size in bits [2048]
		-n|--name-scheme   name algorithm to use sha1 [sha256] sha384 sha512
		-p|--parent-handle persistent handle of parent key
		-w|--wrap [file]   wrap an existing openssl PEM key
		-c|--key-policy [file] TPM key policy

  For full options see the command help.

  Key auth: Default=none. If -a is specified, you will be prompted on the
command line using OpenSSL for a passphrase. 

  Key enhanced auth (NEW): Default=none. If -c is specified, the new key
  will be associated with the policy provided.

OpenSSL TPM engine

  Included in this package is a sample openssl.cnf file, which can be used
to turn on use of the TPM engine in apps where OpenSSL config support is
compiled in.

Policy File Format

  The policy file should contain a rule for each line, where rules
  can be generated for example with the policymakerpcr tool from IBM TSS.

  Example (PolicyPCR):

  $ tsspolicymakerpcr -bm 10000 -if policypcr16aaasha256.txt -v -pr -of policies/policypcr.txt >> policy.txt

  where policypcr16aaasha256.txt contains the desired value of PCR 16.

  Example (PolicyAuthValue):

  $ echo 0000016b >> policy.txt


USES

Create a self-signed cert using the TPM engine:

0. Good practice is to generate the RSA version of the primary storage
   seed and place it at well known location 81000001 (Microsoft Spec).
   To do this, you need to manipulate the non resource manager
   interface so the keys aren't lost when the process dies:

 # TPM_DEVICE=/dev/tpm0 tsscreateprimary -hi o -st -rsa
 Handle 80000000
 # TPM_DEVICE=/dev/tpm0 tssevictcontrol -hi o -ho 80000000 -hp 81000001
 # TPM_DEVICE=/dev/tpm0 tssflushcontext -ha 80000000

   where 80000000 is the the handle and is always returned by the
   first command. You must do the final tssflushcontext otherwise the
   transient key won't get flushed since you used the non resource
   manager interface.

   Note: tsscreateprimary will take a while to run (50s on my laptop)
   while the TPM derivces an RSA key from the primary seed.  This long
   time is why you want to store a permanent copy of the derived key.

1. Generate an external key and wrap it for the TPM:
 $ openssl genrsa 2048 > <private key>
 $ create_tpm2_key -w <private key> [-p 81000001] <key file>

   Note: specifying the parent is optional (and you need to have
   created it in step 0) but if you leave it out, the key will still
   end up parented to the primary storage seed and the TPM will have
   to re-derive the RSA version of that seed each time you use it
   (possibly taking 50s or more each time)

   Note: because the RSA private key is sent to the TPM encrypted, the
   tss has to have access to the public part of the parent key (if you
   didn't specify a parent, this public part will be created when the
   parent key is derived from the storage primary seed), so you may
   need to do tssreadpublic -p 81000001 before it will work.

2. Make the openssl certificate request:
 $ openssl req -keyform engine -engine tpm2 -key <key file> -new -x509 -days 365 -out <certfilename>

3. Test using openssl:
 $ openssl s_server -cert <certfilename> -www -accept 4433 -keyform engine -engine tpm2 -key <keyfilename>
 $ konqueror https://localhost:4433

# heads (aka `branches'):
$ git for-each-ref --sort=-creatordate refs/heads \
	--format='%(HEAD) %(refname:short) %(subject) (%(creatordate:short))'
* master       Version 4.4.1 (2024-11-05)
  next         Version 4.4.1 (2024-11-05)

# tags:
$ git for-each-ref --sort=-creatordate refs/tags \
	--format='%(refname:short) %(subject) (%(creatordate:short))'
v4.4.1       Version 4.4.1 (2024-11-05) tar.gz
v4.4.0       Version 4.4.0 (2024-11-01) tar.gz
v4.3.0       Version 4.3.0 (2024-08-06) tar.gz
v4.2.0       Version 4.2.0 (2024-07-23) tar.gz
v4.1.2       Version 4.1.2 (2024-04-19) tar.gz
v4.1.1       Version 4.1.1 (2024-01-02) tar.gz
v4.1.0       Version 4.1.0 (2023-12-30) tar.gz
v4.0.2       Version 4.0.2 (2023-12-04) tar.gz
v4.0.1       Version 4.0.1 (2023-07-05) tar.gz
v4.0.0       Version 4.0.0 (new openssl-3 provider) (2023-03-29) tar.gz
...

# associated public inboxes:
# (number on the left is used for dev purposes)
          7 ../../../../../../../lkml
          5 linux-integrity
          5 keyrings
          3 linux-wireless
          3 linux-arm-kernel
          3 dri-devel
          3 dm-devel
          3 u-boot
          2 linux-nfs
          2 qemu-devel
          2 linux-fsdevel
          2 netdev
          2 stable
          2 linux-rdma
          2 dpdk-dev
          2 linux-pci
          2 kvm
          2 linux-sgx
          2 backports
          2 git
          2 intel-gfx
          2 tpmdd-devel
          2 linux-sh
          2 linux-staging
          2 openembedded-core
          2 openembedded-devel
          2 intel-xe
          1 linux-samsung-soc
          1 linux-fscrypt
          1 linux-mtd
          1 cocci
          1 linux-block
          1 linux-riscv
          1 linux-nvme
          1 linux-xfs
          1 live-patching
          1 bpf
          1 linux-mediatek
          1 linux-crypto
          1 linux-efi
          1 linux-acpi
          1 netfilter-devel
          1 linux-edac
          1 linux-cifs
          1 linux-devicetree
          1 linux-arm-msm
          1 linux-amlogic
          1 linux-erofs
          1 linux-mm
          1 linux-nvdimm
          1 linux-iommu
          1 linux-media
          1 xen-devel
          1 linux-snps-arc
          1 linux-mips
          1 fstests
          1 linux-pm
          1 linux-hwmon
          1 linux-rtc
          1 linux-input
          1 alsa-devel
          1 linux-scsi
          1 linux-btrfs
          1 kvmarm
          1 driverdev-devel
          1 linux-usb
          1 linux-renesas-soc
          1 linux-kselftest
          1 selinux
          1 kernel-hardening
          1 linux-clk
          1 linux-iio
          1 linux-gpio
          1 dmaengine
          1 linux-next
          1 linux-parisc
          1 linux-ext4
          1 linux-leds
          1 linux-security-module
          1 linux-f2fs-devel
          1 linuxppc-dev
          1 linux-modules
          1 kernelnewbies
          1 linux-rt-users
          1 linux-bluetooth
          1 linux-ide
          1 linux-serial
          1 linux-watchdog
          1 linux-trace-devel
          1 linux-hyperv
          1 workflows
          1 rcu
          1 selinux-refpolicy
          1 linux-m68k
          1 linux-i3c
          1 util-linux
          1 linux-spdx
          1 linux-wpan
          1 ksummit-discuss
          1 wireguard
          1 io-uring
          1 linux-kernel-mentees
          1 linux-doc
          1 linux-csky
          1 linux-man
          1 linux-mmc
          1 amd-gfx
          1 linux-unionfs
          1 linux-firmware
          1 linux-api
          1 cip-dev
          1 linux-omap
          1 linux-audit
          1 linux-spi
          1 linux-i2c
          1 linux-remoteproc
          1 linux-dash
          1 linux-bcache
          1 linux-sparse
          1 mm-commits
          1 linux-pwm
          1 linux-tegra
          1 lttng-dev
          1 virtualization
          1 linux-kbuild
          1 linux-fpga
          1 ceph-devel
          1 linux-arch
          1 linux-can
          1 containers
          1 linux-rockchip
          1 linux-raid
          1 xdp-newbies
          1 platform-driver-x86
          1 phone-devel
          1 openbmc
          1 linux-hardening
          1 dash
          1 linux-fbdev
          1 linux-sctp
          1 linux-cxl
          1 linux-perf-users
          1 target-devel
          1 lustre-devel
          1 soc
          1 ocfs2-devel
          1 rust-for-linux
          1 ath10k
          1 ath11k
          1 nouveau
          1 linux-phy
          1 linux-s390
          1 kernel-janitors
          1 sparclinux
          1 linux-sunxi
          1 mptcp
          1 linux-coco
          1 regressions
          1 ksummit
          1 b43-dev
          1 nvdimm
          1 linux-nfc
          1 linux-bcachefs
          1 ath9k-devel
          1 buildroot
          1 ntfs3
          1 llvm
          1 fio
          1 iwd
          1 ell
          1 ofono
          1 ltp
          1 yocto
          1 yocto-meta-freescale
          1 yocto-toaster
          1 yocto-meta-arm
          1 yocto-docs
          1 bitbake-devel
          1 linux-patches
          1 yocto-meta-virtualization
          1 chrome-platform
          1 ntb
          1 yocto-meta-ti
          1 yocto-meta-arago
          1 outreachy
          1 xenomai
          1 damon
          1 asahi
          1 openrisc
          1 intel-wired-lan
          1 kexec
          1 loongarch
          1 imx
          1 ath12k
          1 b4-sent
          1 linux-trace-kernel
          1 oe-linux-nfc
          1 oe-kbuild-all
          1 oe-chipsec
          1 batman
          1 linux-um
          1 virtio-dev
          1 virtio-comment
          1 v9fs
          1 ecryptfs
          1 poky
          1 qemu-riscv
          1 linux-ia64
          1 cluster-devel
          1 grub-devel
          1 kbd
          1 autofs
          1 cpufreq
          1 dccp
          1 cgroups
          1 devicetree-spec
          1 devicetree-compiler
          1 initramfs
          1 kvm-ppc
          1 hail-devel
          1 kvm-ia64
          1 linux-8086
          1 kernel-testers
          1 linux-alpha
          1 linux-btrace
          1 linux-embedded
          1 linux-hams
          1 linux-hexagon
          1 linux-hotplug
          1 linux-laptop
          1 linux-sound
          1 trinity
          1 reiserfs-devel
          1 linux-metag
          1 linux-x25
          1 linux-nilfs
          1 lvs-devel
          1 netfilter
          1 linux-oxnas
          1 u-boot-amlogic
          1 lm-sensors
          1 lvm-devel
          1 acpica-devel
          1 perfbook
          1 virtio-fs
          1 smatch
          1 fuego
          1 wireless-regdb
          1 igt-dev
          1 powertop

git clone https://yhbt.net/lore/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git