
Support Canokey under Qemu+tpm - fastpath?

Open tlaurion opened this issue 3 years ago • 5 comments

https://qemu.readthedocs.io/en/latest/system/devices/canokey.html#canokey

tlaurion avatar Aug 28 '22 22:08 tlaurion

The idea here would be to have a fully hardware-independent testing platform, where no HOTP implementation (no hardware keys) would be needed, while permitting extending Heads features for testers and contributors, and testing variations between YubiKey/Nitrokey/Librem Key and Canokey implementations, since we already had issues in the past with defaults being different and having different behaviors (YubiKey != Nitrokey reference implementation).

Related to: #1076 and merged #1188 (without additional hardware requirements)

@jans23 @daringer @JonathonHall-Purism

tlaurion avatar Aug 28 '22 22:08 tlaurion

Looks like a very promising idea, although I have no experience with it and cannot tell if it comes with or without further challenges... The Nitrokey 3 firmware also runs on top of vsmartcard, but it's also not yet equipped with HOTP support, and QEMU integration as Canokey has it might be another obstacle...

daringer avatar Aug 29 '22 09:08 daringer

Small update from https://docs.canokeys.org/userguide/openpgp/#supported-algorithm: no RSA4096 nor RSA3076. Meh.

Can be imported (copy to card) though.

tlaurion avatar Jun 05 '23 00:06 tlaurion

> no RSA4096 nor RSA3076. Meh.

The doc is only for the actual hardware. The virtual card actually supports RSA3072 now, and generating private keys on the card is possible (with a small code modification) against the MbedTLS crypto backend. The hardware does not have the new firmware installed and its crypto backend is not capable of generating an RSA private key of such length, so in the doc we do not say it supports that.

ZenithalHourlyRate avatar Jun 05 '23 17:06 ZenithalHourlyRate

> > no RSA4096 nor RSA3076. Meh.
>
> The doc is only for the actual hardware. The virtual card actually supports RSA3072 now, and generating private keys on the card is possible (with a small code modification) against the MbedTLS crypto backend. The hardware does not have the new firmware installed and its crypto backend is not capable of generating an RSA private key of such length, so in the doc we do not say it supports that.

Thank you.

Once we move to the Nix layer, we will add a qemu-coreboot-tpm1/2 testing board supporting the Canokey virtual card. Maybe sooner than that.

tlaurion avatar Jun 07 '23 01:06 tlaurion