Hi James,

On Tue, Jan 16, 2018 at 12:18 AM, James Bottomley <james.bottom...@hansenpartnership.com> wrote:

> On Tue, 2018-01-16 at 00:07 +0100, Emmanuel Deloget wrote:
> > While the number of required changes was quite small (and they have no
> > impact on openvpn), this was quite a journey. I guess some of the
> > merits should go to RSA, Microsoft and Intel, for their incredible
> > effort in building comprehensive industry standards that are as
> > convoluted as they are comprehensive :) (I'm kidding; I think I
> > begin to enjoy PKCS#11 and I definitely had some fun while playing
> > with my TPM2).
> >
> > Those who are interested can contact me. I will probably try to
> > write something about this somewhere (I don't know where yet).
>
> Just a note that there is an easier way of doing this.  The engine key
> patch:
>
> https://sourceforge.net/p/openvpn/mailman/message/36147533/
>
> Achieves the same thing somewhat more simply.  You use the tpm2 engine:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/
>
> And convert an existing private key into engine format with
> create_tpm2_key and place it in /etc/openvpn/ where the private key
> file usually goes.  Then all private key signature transactions go via
> the TPM.
>

The engine is of interest (although it would require me to change all my
scripts to remove the Intel TPM2 stack and replace it with the IBM tools;
there is no sane reason to keep both of them in my setup). I missed it when
I tried to find an openssl engine for TPM2. The fact that I chose a
PKCS#11 engine is now final, unfortunately, at least for now. But I'll keep
an eye on it.

For the openvpn patches, I would not go this way for multiple reasons
(number one being: I already have too many patches on many things around;
it becomes difficult to handle after a while, so I try to be as upstream as
possible); but this is interesting as well.

> James
>

Thanks for your links,

-- Emmanuel Deloget
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel