* [tpm2] tpm2-pkcs11 : import config from the deprecated tpm2-pk11 project
@ 2021-09-23  5:37 Emmanuel Deloget
From: Emmanuel Deloget @ 2021-09-23  5:37 UTC
  To: tpm2

Hello y'all,

I'm trying to import my PKCS11 configuration from the old, fully deprecated
project tpm2-pk11. In this setup, the tpm2 holds persistent RSA keys and
associates them with adequately named certificates located on the file
system. I understand that this should have been done a lot earlier (but
then, even a lot earlier would not have changed much as the development and
even the first distributed products predated the very first commit of
tpm2-pkcs11); unfortunately days are limited and my todo list is way too
long.

Keys were generated using tpm2_create a long, long time ago.

Since this is a really old setup, I no longer have the key.pub and key.priv
files available (they were trashed, as they are no longer useful). I can
get the public key through tpm2_readpublic but that won't help me much.

Now, the "Interoperability with Existing TPM2 Objects" document proposes a
way to init tpm2-pkcs11 using keys that were created with tpm2_create.
Unfortunately, it seems it also requires two things I cannot provide it:

  * pincodes, for /tpm2_ptool addtoken/ (this is an embedded platform; no
pin codes; if I'm forced to add them they'll end up as environment vars
anyway so there is no real interest for pincode in this situation)
  * the key files, for /tpm2_ptool link/ (key.pub and key.priv are no
longer available)

Is there any other way to import my configuration into tpm2-pkcs11? Not
being able to do it means that some of our oldest customers will have
bricked hardware (one of the current tokens is used to identify the hardware
and is set during production, so not being able to reload it essentially
means that this hardware will not be able to identify itself to our
services and will not work at all), and this is a hard sell...

Best regards,

-- Emmanuel Deloget
