
Support for hardware tokens / HSMs (OpenPGP, PKCS#11, etc.)

Open EvilBit opened this issue 3 years ago • 18 comments

A configurable key storage backend (plain files, OpenPGP smartcard, PKCS#11 token/HSM, etc.) would greatly benefit the underlying security model of sbctl and would enable integration into larger PKI infrastructures.

Relying on open standards would enable advanced scenarios, like signing with a remote HSM conditional on prior remote attestation of current system state using a local TPM (i.e. DRTM-based TCB attestation).

EvilBit avatar Jul 14 '21 22:07 EvilBit

This is on my todo. Before a 1.0 release I want native TPM support and go-piv support for yubikey at a minimum. But not sure about PKCS#11 and other engines yet.

I do have a TPM backed signing tool for go-uefi written to test how this would work with sbctl. https://github.com/Foxboron/go-uefi/blob/morten/tpm/cmd/gotpm/main.go

My only usage so far is to store the private key material, but if there are other ideas we can play around with please do share.

Foxboron avatar Jul 15 '21 13:07 Foxboron
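The configurable key storage backend asked for in the opening post, and the "only storing the private key material" use Foxboron describes for the TPM tool, both come down to one thing: the signing path should depend on nothing more than Go's `crypto.Signer` interface, so that a file, a PIV slot, a PKCS#11 token or a TPM can sit behind it without the caller changing. The following is an added example written for this thread; it is not sbctl's or go-uefi's code. `KeyBackend`, `FileBackend`, `GatedSigner`, `SignBlob` and `VerifyBlob` are hypothetical names, the in-memory PEM stands in for sbctl's on-disk key files, and the `attest` hook is a placeholder for the "sign only after attesting the host" scenario (a real hook would verify a TPM quote rather than return a constructed result). The signature scheme is RSA PKCS#1 v1.5 over SHA-256, which is what UEFI Secure Boot signing uses, but the code signs a plain byte string rather than a PE image.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
)

// KeyBackend is a hypothetical abstraction (not sbctl's API). Everything
// downstream only sees a crypto.Signer, so where the private key lives
// (file, PIV, PKCS#11, TPM) is invisible to the signing code.
type KeyBackend interface {
	Signer() (crypto.Signer, error)
}

// FileBackend keeps an RSA private key as PKCS#8 PEM bytes in memory; it
// stands in for sbctl's plain-file keys on disk.
type FileBackend struct{ pemKey []byte }

// NewFileBackend generates a fresh RSA key and stores it as PEM.
func NewFileBackend(bits int) (*FileBackend, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	block := &pem.Block{Type: "PRIVATE KEY", Bytes: der}
	return &FileBackend{pemKey: pem.EncodeToMemory(block)}, nil
}

// Signer parses the stored key and hands it back as a crypto.Signer.
func (f *FileBackend) Signer() (crypto.Signer, error) {
	block, _ := pem.Decode(f.pemKey)
	if block == nil {
		return nil, errors.New("no PEM block in key material")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return nil, errors.New("key does not implement crypto.Signer")
	}
	return signer, nil
}

// GatedSigner wraps any crypto.Signer and runs an attestation check before
// every signature: the "sign conditional on attested host state" scenario.
type GatedSigner struct {
	inner  crypto.Signer
	attest func() error // hypothetical hook; a real one would verify a TPM quote
}

func (g *GatedSigner) Public() crypto.PublicKey { return g.inner.Public() }

func (g *GatedSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if err := g.attest(); err != nil {
		return nil, fmt.Errorf("refusing to sign: %w", err)
	}
	return g.inner.Sign(r, digest, opts)
}

// SignBlob hashes data with SHA-256 and signs it through whatever backend was
// supplied; it never touches raw key material.
func SignBlob(s crypto.Signer, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return s.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// VerifyBlob checks an RSA PKCS#1 v1.5 signature against the backend's public key.
func VerifyBlob(pub crypto.PublicKey, data, sig []byte) error {
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return errors.New("not an RSA public key")
	}
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig)
}

func main() {
	fb, err := NewFileBackend(2048)
	if err != nil {
		panic(err)
	}
	signer, err := fb.Signer()
	if err != nil {
		panic(err)
	}
	data := []byte("constructed stand-in for an EFI binary") // constructed input
	sig, err := SignBlob(signer, data)
	if err != nil {
		panic(err)
	}
	fmt.Println("file-backed signature verifies:", VerifyBlob(signer.Public(), data, sig) == nil)

	// Same signing code, but the signer now refuses unless attestation passes.
	gated := &GatedSigner{inner: signer, attest: func() error { return errors.New("constructed: PCR policy mismatch") }}
	_, err = SignBlob(gated, data)
	fmt.Println("gated signer refused:", err)
}
```

Swapping the backend means replacing only `FileBackend`: a signer from a PKCS#11 or TPM library that satisfies `crypto.Signer` plugs into `SignBlob` and `GatedSigner` unchanged, and the private key never has to leave the token.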

> This is on my todo.

Nice :) Any specifics on how one can support you with that?

> Before a 1.0 release I want native TPM support and go-piv support for yubikey at a minimum. But not sure about PKCS#11 and other engines yet.

From my understanding of the competing crypto standards, PKCS#11 seems to be the most widely supported one - from tokens and smartcards for personal use, to professional HSMs. You can even use a TPM via PKCS#11, or (remote) software-based HSM implementations like SoftHSM or NetHSM. AFAIK the YubiKey PIV is also accessed via PKCS#11.

EvilBit avatar Jul 15 '21 23:07 EvilBit

> Any specifics on how one can support you with that?

Well, join me and hack on crazy go-uefi stuff and figure out the abstractions. Test sbctl git master branch. Find issues. If I ask for feedback please engage!

All of this is me hacking a bit when I feel like it and get inspiration between all my other FOSS duties. So things are going to grow slowly :) But my goal is to have a 1.0 out in a month or two.

> From my understanding of the competing crypto standards, PKCS#11 seems to be the most widely supported one - from tokens and smartcards for personal use, to professional HSMs. You can even use a TPM via PKCS#11, or (remote) software-based HSM implementations like SoftHSM or NetHSM. AFAIK the YubiKey PIV is also accessed via PKCS#11.

Yes, but I'd prefer native support where possible. PKCS#11 is fine for a general "if no other options exist", but I'd strive for native options when possible.

Foxboron avatar Jul 16 '21 13:07 Foxboron

Is there any news re that, any update or estimation or blocker or new insights?

mirko avatar May 13 '24 23:05 mirko

Time is the main blocker.

But I have written TPM software for the past year which is knowledge that can be reused here.

Foxboron avatar May 14 '24 06:05 Foxboron