* [tpm2] TPM for SSH authentication
@ 2021-07-20  3:36 scott.r.eisele
  0 siblings, 0 replies; only message in thread
From: scott.r.eisele @ 2021-07-20  3:36 UTC (permalink / raw)
  To: tpm2


Hi everyone!
I'm trying to use a TPM to secure ssh keys, following the example here: https://incenp.org/notes/2020/tpm-based-ssh-key.html
First, is this a standard way to secure ssh keys? Or is there another method that is preferred? 

Assuming this method is acceptable, I made it to the point of extracting the public key from the PKCS11 token but ran into an issue.

$ ssh-keygen -vvv -D /usr/local/lib/libtpm2_pkcs11.so > tpm2key1.pub
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK 
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List 
ERROR: Listing FAPI token objects failed.
debug1: provider /usr/local/lib/libtpm2_pkcs11.so: manufacturerID <tpm2-software.github.io> cryptokiVersion 2.40 libraryDescription <TPM2.0 Cryptoki> libraryVersion 0.0
debug1: provider /usr/local/lib/libtpm2_pkcs11.so slot 0: label <firstToken> manufacturerID <Infineon> model <SLB9670> serial <000000000000000> flags 0x40d
debug1: have 1 keys
debug2: pkcs11_register_provider: ignoring uninitialised token in provider /usr/local/lib/libtpm2_pkcs11.so slot 1
debug1: pkcs11_k11_free: parent 0xaaaaf0703630 ptr 0xaaaaf06ed350 idx 1
debug1: pkcs11_provider_unref: 0xaaaaf0692300 refcount 2
debug1: pkcs11_provider_finalize: 0xaaaaf0692300 refcount 1 valid 1
debug1: pkcs11_provider_unref: 0xaaaaf0692300 refcount 1

I then tried running Fapi_List() directly:

$ sudo tss2_list
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:216:Fapi_List_Finish() Path not found:  
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List 
Fapi_List(0x60034) - fapi:Provisioning was not executed.

And assumed that provisioning was required. So I attempted that:

$ sudo tss2_provision 
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:520:Fapi_Provision_Finish() ErrorCode (0x0006000b) SRK persistent handle already defined 
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:168:Fapi_Provision() ErrorCode (0x0006000b) Provision 
Fapi_Provision(0x6000B) - fapi:A parameter has a bad value

At this point, I'm at a loss as to what the state of the TPM is and how to properly provision it and establish the Storage Hierarchy. 
I've looked at https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
but it's not clear to me how to apply it. 

Any help would be great. Thanks!

My platform configuration is: 
raspberry pi 3b+
Infineon OPTIGA™ TPM SLx 9670
ubuntu 20.04
tpm2-tss-3.1.0
tpm2-tools-5.1.1
tpm2-abrmd-2.4.0
tpm2-pkcs11-1.6.0
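
The two error codes in the log above (0x00060034 and 0x0006000b) are TSS2_RC values: the byte at bits 16..23 says which layer of the tpm2-tss stack raised the error and the low 16 bits are a base code shared by all non-TPM layers. The following decoder is an added example, not code from the post or from tpm2-tss; the layer numbers and the three base codes it tabulates are taken from tss2_common.h, everything else is reported as unknown (an assumption of this example, not a limit of the real library), and the sample log is a constructed excerpt of the lines quoted in the post.

```python
"""Decode TSS2_RC return codes found in tss2-fapi log lines.

Added example (not part of the original post or of tpm2-tss). Layer
numbers and the base codes below are from tss2_common.h; the table is
deliberately partial, so anything not listed decodes as unknown.
"""
import re

TSS2_RC_LAYER_SHIFT = 16
TSS2_RC_LAYER_MASK = 0x00FF0000
TSS2_RC_BASE_MASK = 0x0000FFFF

# Layer byte -> which component of the stack produced the error.
LAYERS = {
    0x00: "TPM (raw TPM2 response code)",
    0x06: "FAPI (tss2-fapi)",
    0x07: "ESAPI (tss2-esys)",
    0x08: "SAPI (tss2-sys)",
    0x09: "MU (tss2-mu marshalling)",
    0x0A: "TCTI",
    0x0B: "resource manager (tpm2-abrmd)",
    0x0C: "TPM, as forwarded by the resource manager",
}

# Base codes shared by the non-TPM layers (TSS2_BASE_RC_*); partial table.
BASE_RC = {
    0x000B: ("TSS2_BASE_RC_BAD_VALUE", "A parameter has a bad value"),
    0x0034: ("TSS2_BASE_RC_NOT_PROVISIONED", "Provisioning was not executed"),
    0x0035: ("TSS2_BASE_RC_ALREADY_PROVISIONED", "Already provisioned"),
}


def decode(rc):
    """Split a TSS2_RC into its layer and base code and name both."""
    layer = (rc & TSS2_RC_LAYER_MASK) >> TSS2_RC_LAYER_SHIFT
    base = rc & TSS2_RC_BASE_MASK
    if layer == 0x00:
        # Layer 0 carries a TPM2 response code, which uses the TPM's own
        # format-0/format-1 encoding; tpm2_rc_decode (tpm2-tools) handles those.
        return {"layer": layer, "layer_name": LAYERS[layer], "base": base,
                "base_name": None,
                "message": "TPM response code; decode with tpm2_rc_decode"}
    name, message = BASE_RC.get(base, (None, "unknown base code"))
    return {"layer": layer, "layer_name": LAYERS.get(layer, "unknown layer"),
            "base": base, "base_name": name, "message": message}


# Matches the "(0x...)" that FAPI prints after ErrorCode and after the call name.
RC_RE = re.compile(r"\((0x[0-9A-Fa-f]+)\)")


def scan_log(text):
    """Return (line_number, rc, decoded) for every hex code in parentheses."""
    found = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in RC_RE.finditer(line):
            rc = int(m.group(1), 16)
            found.append((n, rc, decode(rc)))
    return found


def distinct_codes(text):
    """Sorted list of the distinct TSS2_RC values present in the log."""
    return sorted({rc for _, rc, _ in scan_log(text)})


# Constructed sample: the FAPI lines quoted in the post, trailing blanks removed.
SAMPLE_LOG = """\
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
Fapi_List(0x60034) - fapi:Provisioning was not executed.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:520:Fapi_Provision_Finish() ErrorCode (0x0006000b) SRK persistent handle already defined
Fapi_Provision(0x6000B) - fapi:A parameter has a bad value"""

if __name__ == "__main__":
    for n, rc, d in scan_log(SAMPLE_LOG):
        print(f"line {n}: 0x{rc:08x} -> layer {d['layer']} ({d['layer_name']}), "
              f"base 0x{d['base']:04x} {d['base_name']}: {d['message']}")
```

Both codes decode to layer 6, i.e. FAPI itself, not the TPM chip, abrmd or the PKCS#11 module. 0x60034 is TSS2_BASE_RC_NOT_PROVISIONED, which is why tss2_list fails before any token objects are read. 0x6000B is only the generic TSS2_BASE_RC_BAD_VALUE; the useful information is the free text FAPI prints next to it ("SRK persistent handle already defined"), meaning a persistent object already occupies the handle that the active FAPI profile wants for the storage root key. tpm2_getcap handles-persistent (tpm2-tools) lists what is currently persisted so that state can be compared with the profile before re-running tss2_provision.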
