
Configurable Hierarchy

Open joylatten opened this issue 2 years ago • 12 comments

TPM2 has several hierarchies. But it seems only Owner hierarchy currently supported. Is it possible to support the other hierarchies?

joylatten avatar Oct 20 '23 14:10 joylatten

I think that the other hierarchies are supported. The owner hierarchy is the default one, but using the parent parameter you can use any other hierarchy, see https://github.com/tpm2-software/tpm2-openssl/blob/master/docs/keys.md#key-generation.

gotthardp avatar Oct 20 '23 15:10 gotthardp

Yes, I noted this. But it seems I need an index to specify the parent. And I think I can only get one if I make the object persistent. I am using the NULL hierarchy, so I cannot do that. Can I specify the parent with a TPM2 saved context?

joylatten avatar Oct 20 '23 15:10 joylatten

I see. Could loading a serialized object be a solution for you? https://github.com/tpm2-software/tpm2-openssl/blob/master/docs/keys.md#using-a-serialized-object You would have to generate the key outside, but it may enable you to use the generated key in openssl functions.

gotthardp avatar Oct 20 '23 16:10 gotthardp

Yes, I saw that too. But it seems the serialized object is just another representation of the persistent handle. So you would be using tpm2_evictcontrol to create a persistent handle but output in another representation of the handle.

Let me try TSS PEM file. I would need to first figure out how to ASN1 my tpm2 wrapped keys and parent context....

joylatten avatar Oct 20 '23 17:10 joylatten

I don't think that will work either-- the TSS PEM includes the parent handle only.

gotthardp avatar Oct 20 '23 17:10 gotthardp

Could you please write down the tpm2 commands you use to generate the key you want to use with openssl?

gotthardp avatar Oct 20 '23 17:10 gotthardp

Thank you for looking. I just realized the TSS PEM has parent as a handle. The keys are not generated in the TPM. I would like to import externally generated keys into tpm and use openssl tpm2 engine for crypto using the keys.

My steps:

  • openssl genrsa to generate the key
  • tpm2_createprimary to create a primary key in NULL hierarchy
  • tpm2_import to import the openssl key
  • tpm2_load to load the keys into tpm memory in the NULL hierarchy.

joylatten avatar Oct 20 '23 20:10 joylatten
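To illustrate the point made above that the TSS PEM stores only a parent handle, here is a small encoder/decoder for the `TSS2 PRIVATE KEY` container. This is an added example, not code from the thread or from tpm2-openssl; it assumes the TPM2 key file DER layout (type OID, optional `[0]` emptyAuth, parent INTEGER, pubkey and privkey OCTET STRINGs) with the optional policy fields absent, and the key blobs are constructed placeholders rather than real TPM2B structures.

```python
import base64, re

LOADABLE_KEY_OID = bytes([0x67, 0x81, 0x05, 0x0A, 0x01, 0x03])  # 2.23.133.10.1.3 (loadableKey), DER-encoded
PEM_RE = re.compile(r"-----BEGIN TSS2 PRIVATE KEY-----(.*?)-----END TSS2 PRIVATE KEY-----", re.S)

def _tlv(tag, content):
    """Encode one DER TLV (definite length; assumes len(content) < 256)."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content

def build_tss2_key(parent, pubkey, privkey, empty_auth=True):
    """Encode a minimal TSS2 PRIVATE KEY PEM: type, [0] emptyAuth, parent, pubkey, privkey."""
    raw = parent.to_bytes(4, "big")
    body = _tlv(0x06, LOADABLE_KEY_OID)
    body += _tlv(0xA0, _tlv(0x01, b"\xff" if empty_auth else b"\x00"))   # [0] EXPLICIT BOOLEAN
    body += _tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)        # INTEGER stays positive
    body += _tlv(0x04, pubkey) + _tlv(0x04, privkey)
    b64 = base64.b64encode(_tlv(0x30, body)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN TSS2 PRIVATE KEY-----\n{lines}\n-----END TSS2 PRIVATE KEY-----\n"

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_tss2_key(pem):
    """Return the fields of a TSS2 PRIVATE KEY; note that 'parent' is just a handle number."""
    der = base64.b64decode("".join(PEM_RE.search(pem).group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, val, pos = _read_tlv(seq, 0)
    fields = {"type": val}
    while (seq[pos] & 0xC0) == 0x80:                      # optional context-tagged fields [0]..[5]
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                                   # [0] emptyAuth
            fields["emptyAuth"] = _read_tlv(val, 0)[1] != b"\x00"
    for name in ("parent", "pubkey", "privkey"):
        tag, val, pos = _read_tlv(seq, pos)
        fields[name] = int.from_bytes(val, "big") if name == "parent" else val
    return fields

def parent_is_persistent(handle):
    """True for handles in the TPM persistent range (0x81xxxxxx); transient ones are 0x80xxxxxx."""
    return handle >> 24 == 0x81

# Constructed sample: a key whose parent is a persistent handle, the only kind the file can name.
SAMPLE_PEM = build_tss2_key(0x81000001, b"pubkey-placeholder", b"privkey-placeholder")
```

Parsing a file whose parent was a transient NULL-hierarchy primary (0x80xxxxxx) yields a handle that no longer exists after the transient object is flushed, which is why a saved context rather than a handle is needed for that case.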

Currently, this won't work with NULL Hierarchy since everything is transient in this hierarchy.

joylatten avatar Oct 20 '23 21:10 joylatten

Understood. I will try to implement loading of the context files, which should enable you working with the NULL hierarchy. This may take some time because I am facing some openssl issues.

gotthardp avatar Oct 24 '23 08:10 gotthardp

@gotthardp thank you. And please let me know if or what I can help with.

joylatten avatar Oct 24 '23 14:10 joylatten

Alright. I created a branch ctxload (https://github.com/tpm2-software/tpm2-openssl/tree/ctxload) that can load the tpm2 context files produced by tpm2-tools. There is also an example https://github.com/tpm2-software/tpm2-openssl/blob/ctxload/test/rsa_import_null_sign.sh that demonstrates the steps you described above.

Please check and let me know if this is what you expect. I need to improve the code a bit, but I will keep that branch in a working state until it gets merged to the master branch.

gotthardp avatar Nov 05 '23 19:11 gotthardp

Thank you, I will give it a try.

joylatten avatar Nov 17 '23 19:11 joylatten