The new Skylake processors have an integrated TPM 2.0.

Is there any way to use the TPM 2.0 as a PKCS#11 token on Windows and Linux for symmetric and asymmetric keys?

TPM 1.2 has PKCS#11 libraries, and I am looking for something similar for TPM 2.0 to use its new RSA key and certificate hierarchy.

user1563721

2 Answers

It's a bit of an old question, but I managed to find a solution that worked for me.

There's a module available on GitHub that provides a PKCS#11 backend for TPM 2.0 chips.

Usage:

  1. Create TPM Key

    • Create a primary key with hash algorithm sha256 and key algorithm rsa and store the object context in a file (po.ctx).

      tpm2_createprimary -H o -g sha256 -G rsa -C po.ctx
      
    • Now create an object that can be loaded into the TPM with parent object from file (po.ctx) using hash algorithm SHA256 and key algorithm RSA output the public and private keys to key.pub|priv.

      tpm2_create -c po.ctx -g sha256 -G rsa -u key.pub -r key.priv
      
    • Load the private and public keys into the TPM's transient memory.

      tpm2_load -c po.ctx -u key.pub -r key.priv -C obj.ctx
      
    • Make the object persistent, specifying a valid persistent handle (tpm2-tools 3.x syntax: -c names the loaded object, -S the persistent handle to assign).

      tpm2_evictcontrol -A o -c obj.ctx -S 0x81010010
      
    • Now you can remove all temporary files.

      rm -f key.name *.ctx
      
  2. Install TPM2-PK11 and copy config.sample to ~/.tpm2/config.

  3. Create a certificate (e.g. with certtool from GnuTLS).

  4. Configure your application to use TPM2-PK11 and the created TPM key.

OpenSSH Client:

  • Create configuration file and change it for your setup:

    cp config.sample ~/.tpm2/config
    
  • Extract public key:

    ssh-keygen -D libtpm2-pk11.so
    
  • Use your TPM key:

    ssh -I libtpm2-pk11.so ssh.example.com
    
  • or add the PKCS#11 module to your ssh config in ~/.ssh/config:

    Host *
        PKCS11Provider libtpm2-pk11.so
    

Firefox:

  • Go to Preferences, Privacy & Security and click on the button Security Devices.
  • Press Load and select the libtpm2-pk11.so installed on your system.
  • After loading, the TPM2 PKCS11 slot should be listed in the Device Manager, and your certificates should be listed when selecting View Certificates under Your Certificates.
mike
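The key-provisioning steps in the answer above, put together as one checked script. This is an added example, not code from the answer or from the tpm2-pk11 project, and it assumes tpm2-tools 4.0 or newer on PATH (the answer's commands use the older 3.x flag spelling: `-H o`/`-C po.ctx` there became `-C o`/`-c po.ctx`, and the persistent handle became a positional argument of tpm2_evictcontrol), a TPM 2.0 or swtpm reachable through the default TCTI, and an empty owner-hierarchy password. It reuses the answer's handle 0x81010010, checks the handle is well formed and not already occupied before persisting, verifies the result with tpm2_getcap, and exports the public half as PEM for the certificate step. The helper functions are pure shell so they can be exercised without a TPM; the TPM commands only run when TPM2_PROVISION=1 is set.

```shell
#!/bin/sh
# Added example: provision a persistent RSA key for a TPM2 PKCS#11 module.
# Not the original answer's commands and not tpm2-pk11 project code.
# Assumes tpm2-tools >= 4.0 (flag syntax differs from the 3.x commands in the
# answer), a TPM 2.0 reachable via the default TCTI, empty owner auth.
set -eu

# Persistent handles live in the 0x81xxxxxx range (TPM_HT_PERSISTENT).
# Returns 0 when HANDLE is a well-formed persistent handle, 1 otherwise.
valid_persistent_handle() {
    case "$1" in
        0x81[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

# handle_in_use HANDLE LIST: LIST is the output of `tpm2_getcap handles-persistent`,
# one "- 0x81xxxxxx" per line. Exact, case-insensitive match on the last field,
# so 0x81010010 is not mistaken for 0x810100100.
handle_in_use() {
    handle=$1
    list=$2
    printf '%s\n' "$list" | awk -v h="$handle" 'tolower($NF) == tolower(h) { f = 1 } END { exit !f }'
}

# Builds the ~/.ssh/config stanza from the answer's OpenSSH section.
# ssh_config_stanza HOSTPATTERN MODULE
ssh_config_stanza() {
    printf 'Host %s\n    PKCS11Provider %s\n' "$1" "$2"
}

# provision_key HANDLE: create primary -> create child RSA key -> load ->
# persist under HANDLE, then verify and export the public key as PEM.
provision_key() {
    handle=$1
    valid_persistent_handle "$handle" || { echo "not a persistent handle: $handle" >&2; return 1; }
    if handle_in_use "$handle" "$(tpm2_getcap handles-persistent)"; then
        echo "$handle is already persistent; choose another or evict it first with: tpm2_evictcontrol -C o -c $handle" >&2
        return 1
    fi
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    # Storage primary under the owner hierarchy; its context file is session-local.
    tpm2_createprimary -C o -g sha256 -G rsa -c "$work/po.ctx" >/dev/null
    # Child RSA key wrapped by the primary. key.priv is encrypted by the TPM
    # and cannot be used anywhere but in this TPM, under this parent.
    tpm2_create -C "$work/po.ctx" -g sha256 -G rsa -u "$work/key.pub" -r "$work/key.priv" >/dev/null
    tpm2_load -C "$work/po.ctx" -u "$work/key.pub" -r "$work/key.priv" -c "$work/obj.ctx" >/dev/null
    # Persist so the PKCS#11 module can address the key by handle across reboots.
    tpm2_evictcontrol -C o -c "$work/obj.ctx" "$handle" >/dev/null
    # Verify the handle is now listed, and export the public half for the CSR/certificate step.
    handle_in_use "$handle" "$(tpm2_getcap handles-persistent)" || { echo "persisting $handle failed" >&2; return 1; }
    tpm2_readpublic -c "$handle" -f pem -o "${handle}.pub.pem" >/dev/null
    echo "persistent key $handle ready; public key written to ${handle}.pub.pem"
}

# Only touch the TPM when explicitly asked, e.g.:
#   TPM2_PROVISION=1 sh provision.sh 0x81010010
if [ "${TPM2_PROVISION:-0}" = "1" ]; then
    provision_key "${1:-0x81010010}"
fi
```

The in-use check matters because tpm2_evictcontrol against an occupied handle fails with a TPM error rather than overwriting, and the exported PEM is what certtool needs to build the certificate the answer mentions in step 3.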
An alternative TPM2 PKCS#11 implementation is https://github.com/tpm2-software/tpm2-pkcs11. That's part of the TCG's (Trusted Computing Group's) TSS2 (TPM2 Software Stack), which I believe is intended to be the "official" TPM2 software. As such, I guess "you're supposed to" use this rather than the presumably older tpm2-pk11. In fact, I've seen a presentation (https://events19.linuxfoundation.org/wp-content/uploads/2017/12/TPM-Software-Stack-2018-10-25-final_Peter-Huewe.pdf) that states tpm2-pkcs11 is "Based on PKCS#11 TPM2.0 work by irtimmer" (slide 25).

Stephen Warren