Sigrun wrote:
> Hi all,
>
> First: I apologize for my bad English.
>
> I started using Trousers, and the 'libengine-tpm-openssl' for the
> create_tpm_key feature.
>
> I just want to be sure: does the 'Tspi_Key_CreateKey' really create
> the Key from the TPM rng and feature?
Basically, yes. You can use TSS_KEY_TYPE_LEGACY to import keys, however. This can be a Bad Thing if you want to be sure that the key isn't "on the outside" too.

The sad thing about openssl_tpm_engine (that's how the source repository is called) is that it only works with the legacy type keys. The recommendation is to use SIGNING and BINDING keys instead. Those cannot be imported.

Depending on what you need to do, you might be able to use gnutls instead of openssl_tpm_engine, as it supports TPMs (via libtspi) and will allow you to create a SIGNING key if requested.

If you need a BINDING key, it can be a bit hard. You most likely need your own code to create such a key. Then, if you need to encrypt some data for a TPM in software, it needs to be first put in a TPM_BOUND_DATA structure and encrypted with OAEP TCPA padding. The point is that the openssl command line tool is not sufficient to encrypt data in the way required for a BINDING key. But you will find code in trousers doing just that.

> And how to store a key INSIDE the TPM??

So called "owner evict" key. It seemed to work when I tried it. You don't need to deal with NV memory on your own in this case. I'm not sure about this: http://sourceforge.net/p/trousers/bugs/155/

I had to LoadKeyByUUID such a key. GetKeyByUUID was a no go. Using it (or maybe loading - I don't remember) was slower than for normal keys, so I dropped the idea.

BTW, keys can be stored in DER files (Tspi_EncodeDER_TssBlob / Tspi_DecodeBER_TssBlob) instead of Persistent Storage. It's a less opaque way to store keys, which can be advantageous.

Have you seen "Introduction To Trusted Computing" by Ariel Segall? <http://opensecuritytraining.info/IntroToTrustedComputing.html> It's quite enlightening. There is one slide in part 3 stating that legacy keys are not created by the TPM, but it doesn't seem to hold true in part 16 (and in trousers).
--
kjk

_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
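The reply above says that data bound to a TPM 1.2 BINDING key must first be wrapped in a TPM_BOUND_DATA structure and then OAEP-encoded with the "TCPA" label, which is why the plain openssl command line tool cannot produce a blob that Tspi_Data_Unbind will accept. The following is an added example (it is not code from the thread or from Trousers) that does exactly that wrapping in pure Python, so you can see why a blob encrypted with openssl's default OAEP (SHA-1, empty label) is rejected. It assumes the TPM 1.2 structure layout from the TCG specification (TPM_STRUCT_VER 1.1.0.0 followed by the payload type TPM_PT_BIND = 0x02) and the EME-OAEP encoding from PKCS#1 v2.1 with SHA-1 and the encoding parameter "TCPA"; the final RSA modular exponentiation with the bind key's public modulus is left to the caller, and the key length and sample payload are constructed for the demonstration.

```python
"""TPM_BOUND_DATA wrapping plus TCPA-labelled OAEP encoding (TPM 1.2).

Added example, not Trousers code.  Assumed from the TPM 1.2 spec:
TPM_STRUCT_VER {1,1,0,0}, TPM_PT_BIND = 0x02, OAEP with SHA-1 and the
label "TCPA".  The RSA step (m^e mod n with the bind key) is not done here.
"""
import hashlib
import os
import struct

TPM_PT_BIND = 0x02                       # payload type for Tspi_Data_Bind blobs
TPM_STRUCT_VER_1_1 = bytes([1, 1, 0, 0])  # major, minor, revMajor, revMinor
TCPA_OAEP_LABEL = b"TCPA"                 # OAEP encoding parameter the TPM expects
H_LEN = hashlib.sha1().digest_size        # 20; TPM 1.2 is SHA-1 only


def build_bound_data(payload: bytes) -> bytes:
    """Serialize TPM_BOUND_DATA: ver || payload type || payloadData."""
    return TPM_STRUCT_VER_1_1 + bytes([TPM_PT_BIND]) + payload


def parse_bound_data(blob: bytes) -> bytes:
    """Inverse of build_bound_data; rejects anything that is not a bind blob."""
    if len(blob) < 5 or blob[:4] != TPM_STRUCT_VER_1_1:
        raise ValueError("bad TPM_STRUCT_VER")
    if blob[4] != TPM_PT_BIND:
        raise ValueError("payload type is not TPM_PT_BIND")
    return blob[5:]


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation with SHA-1 (PKCS#1 v2.1, appendix B.2.1)."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += hashlib.sha1(seed + struct.pack(">I", counter)).digest()
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, k: int, seed: bytes = None,
                label: bytes = TCPA_OAEP_LABEL) -> bytes:
    """EME-OAEP encoding; k is the RSA modulus length in bytes.

    A fixed seed is accepted only so the result is reproducible in tests;
    real use must leave it None so os.urandom supplies it.
    """
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long for this key size")
    l_hash = hashlib.sha1(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + message
    seed = seed if seed is not None else os.urandom(H_LEN)
    masked_db = _xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = _xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = TCPA_OAEP_LABEL) -> bytes:
    """EME-OAEP decoding; fails if the label hash does not match."""
    if len(em) != k or em[0] != 0:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = _xor(masked_seed, mgf1(masked_db, H_LEN))
    db = _xor(masked_db, mgf1(seed, k - H_LEN - 1))
    if db[:H_LEN] != hashlib.sha1(label).digest():
        raise ValueError("label mismatch: blob was not OAEP-encoded for TCPA")
    rest = db[H_LEN:].lstrip(b"\x00")
    if not rest or rest[0] != 0x01:
        raise ValueError("decoding error")
    return rest[1:]


def bind_encode(payload: bytes, k: int, seed: bytes = None) -> bytes:
    """What software must feed to RSA-encrypt for a BINDING key."""
    return oaep_encode(build_bound_data(payload), k, seed)


def bind_decode(em: bytes, k: int) -> bytes:
    """What the TPM does after RSA-decrypting (the Tspi_Data_Unbind side)."""
    return parse_bound_data(oaep_decode(em, k))


if __name__ == "__main__":
    em = bind_encode(b"constructed sample secret", 256)  # 2048-bit key
    print(len(em), bind_decode(em, 256))
```

The `label` parameter exists only to show the failure mode: encoding with an empty label (which is what a default openssl OAEP encryption does) and decoding with "TCPA" fails the label-hash check, which is exactly the rejection you see from a bind key when the blob was not prepared this way.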
