
Unable to use OpenSSH with TPM

Open MMaiero opened this issue 5 years ago • 2 comments

I'm trying to test this project using the following environment:

  • Raspberry Pi 3 loaded with the latest Raspbian
  • Infineon OPTIGA SLB 9670XQ2.0
  • Patched kernel to enable the TPM usage.

I'm currently able to access and manage the TPM using the TSS libraries. I've created the TPM key following the provided guide, copied the default config.sample file to ~/.tpm2/config but when I try to extract the public key using ssh-keygen I get the following error:

C_Initialize for provider /usr/lib/arm-linux-gnueabihf/pkcs11/libtpm2-pk11.so failed: 5
cannot read public key from pkcs11

Do you have any idea why this happens? Thanks

MMaiero avatar Sep 14 '18 12:09 MMaiero

Please configure a log file in config and set the log level to 5 (debug) and upload the log file after running ssh-keygen. Could you also run tpm2_listpersistent so I have an overview of the available keys in the TPM?

irtimmer avatar Sep 17 '18 18:09 irtimmer

Hi, this is what I get when invoking tpm2_listpersistent:

pi@raspberrypi:~/temp $ tpm2_listpersistent
persistent-handle[0]:0x81010010 key-alg:rsa hash-alg:sha256 object-attr:fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign

Regarding the log file, I have not found documentation about it. I've just found an issue that suggested setting up the config file like this:

# Type can be device/socket/tabrmd
type device
# Hostname to connect when using socket
hostname localhost
# Port number of TPM socket to connect to
port 2321
# Device to use as TPM
device /dev/tpm0
# Sign using encrypt in case TPM doesn't support hash format
# For example SSH uses SHA512 which isn't supported by all TPMs
# Enabling this option requires keys to be encryption keys instead of signing-only keys
sign-using-encrypt true
# Set login_required in case keys are protected by a password
# Notice currently only a single password for all keys is supported
# Depending on the TPM settings, providing wrong passwords can lead to a lockout
login-required false
# Logging settings
# Supported log levels:
#   0=>None(no messages at all by default)
#   1=>Information(only errors and warnings are recorded)
#   2=>Verbose(including errors, warnings and verbose logs)
#   3=>Debug(including errors, warnings and all debugging messages)
# The following lines will enable this experimental logging feature.
log-level 5
log /var/log/pk11.log
# Built-in keywords stderr and stdout may be used here.
# If you want to print the log messages directly on command line,
# change the "log /path/to/file.log" line like this:
# log stderr

Is it correct? I'm getting no log file.

MMaiero avatar Sep 20 '18 15:09 MMaiero
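A small checker for the config file format shown in this thread, written here as an added example; it is not part of the tpm2-pk11 project and not code from either participant. It assumes only what the posted file shows: one `key value` pair per line, `#` starting a comment, and `stderr`/`stdout` as the built-in log keywords. It parses the file, confirms that `log` and `log-level` lines are present and that the level is numeric, and reports whether the current user could actually write to the configured log path, which is one reason a configured log file can fail to appear. The sample config embedded below is constructed for the example.

```python
import os

# Constructed sample in the same key/value format as the config posted above.
SAMPLE_CONFIG = """# Type can be device/socket/tabrmd
type device
# Device to use as TPM
device /dev/tpm0
sign-using-encrypt true
login-required false
# Logging settings
log-level 5
log /var/log/pk11.log
"""

LOG_KEYWORDS = ("stderr", "stdout")  # built-in destinations named in the config comments


def parse_config(text):
    """Parse 'key value' lines; '#' starts a comment; blank lines are ignored.
    Assumption: a key that appears twice keeps its last value."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key value', got {raw!r}")
        key, value = parts
        cfg[key] = value.strip()
    return cfg


def check_log_destination(cfg):
    """Return (ok, reason) for the 'log' setting.

    The built-in keywords always work; a file path must be creatable (directory
    writable) or, if it already exists, writable by the current user. Uses
    os.access so the check itself creates nothing."""
    dest = cfg.get("log")
    if dest is None:
        return False, "no 'log' line: nothing will be written"
    if dest in LOG_KEYWORDS:
        return True, f"logging to {dest}"
    if os.path.exists(dest):
        if os.access(dest, os.W_OK):
            return True, f"{dest} exists and is writable"
        return False, f"{dest} exists but is not writable by this user"
    directory = os.path.dirname(dest) or "."
    if not os.path.isdir(directory):
        return False, f"directory {directory} does not exist"
    if not os.access(directory, os.W_OK):
        return False, f"cannot create {dest}: {directory} is not writable by this user"
    return True, f"{dest} can be created"


def check_log_level(cfg):
    """Return (ok, reason) for 'log-level': it must be present and an integer."""
    level = cfg.get("log-level")
    if level is None:
        return False, "no 'log-level' line: logging stays at the default"
    try:
        value = int(level)
    except ValueError:
        return False, f"log-level {level!r} is not a number"
    if value <= 0:
        return False, f"log-level {value} disables logging"
    return True, f"log-level {value}"


def audit_config(text):
    """Parse the config and return a list of (check, ok, reason) findings."""
    cfg = parse_config(text)
    return [
        ("log-level",) + check_log_level(cfg),
        ("log",) + check_log_destination(cfg),
    ]


if __name__ == "__main__":
    # Run against the constructed sample; pass a real ~/.tpm2/config's text instead.
    for check, ok, reason in audit_config(SAMPLE_CONFIG):
        print(f"[{'ok' if ok else 'FAIL'}] {check}: {reason}")
```

Run it against the text of `~/.tpm2/config` before re-running `ssh-keygen`: a `FAIL` on the `log` line means the provider could not have created the file as the invoking user, regardless of whether the library itself logged anything.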