Re: [Ibmtpm20tss-users] [openssl-tpm2-engine] ibmtss

Doug Fraser

Morning Ken.

I apologize for my mixed up terminology on this topic. If I am using the wrong terms, point it out, and if possible, reference a section in an existing document.
I have been reading like a fiend and porting/coding as I go.

Isn't the openssl engine dynamically loading the tpm key each time it uses it?
I thought the key that we generated was just related to the internal key for validation reasons to associate the key with that physical initialized TPM?

From an earlier email I sent to James: (direct quote)

It gets shoved into a JSON in base64 format for storage on the device.
The device-tree hooks convert that back to native key text format for presentation in /proc space

From device initialization code (runs just once....)

echo "Generating new unit key..."
send_station "Generating new unit key..."

# use the TPM to create the key…
create_tpm2_key -p 81000001 --ecc prime256v1 /tmp/openssl-key.tpm

jq ".unit.\"tpm2_key#\" = \"$(cat /tmp/openssl-key.tpm | base64 -w0)\"" /tmp/upd.json > /tmp/upd-new.json --json /tmp/upd-new.json --increment --upd "${FLASH}p$UPD_PRI"
dd "if=${FLASH}p$UPD_PRI" "of=${FLASH}p$UPD_BAK" bs=1M

So we have a key that we created on our initialized TPM stored into raw device storage, that gets instantiated in /proc device space as its own text representation.

It seems to be keeping openssl (via the engine) completely happy at this point.
I have tested by reinitializing the TPM hardware so the key no longer matched the device, and the engine fails, until I go back and generate a new key.

Douglas Fraser
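An added example, not code from the thread or from openssl_tpm2_engine: it pulls the base64 blob back out of the `unit."tpm2_key#"` JSON field produced by the jq step above and checks that it is a TSS2 PEM key wrapped under the expected parent handle (0x81000001). It assumes the TSS2 key ASN.1 layout that openssl_tpm2_engine documents (type OID, optional emptyAuth, parent INTEGER, pubkey and privkey OCTET STRINGs); the key bytes in the sample are constructed placeholders, not real TPM output.

```python
import base64, json

EXPECTED_PARENT = 0x81000001                  # persistent handle used with create_tpm2_key -p
PEM_HEADER = "-----BEGIN TSS2 PRIVATE KEY-----"
OID_LOADABLE_KEY = bytes.fromhex("6781050a0103")   # 2.23.133.10.1.3 (assumed from the engine docs)

def der_len(n):
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # extra leading byte when the high bit is set keeps the INTEGER positive
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def build_tss2_pem(parent, pub, priv):
    """Construct a sample TSS2 PEM blob (placeholder key material, not TPM output)."""
    body = (tlv(0x06, OID_LOADABLE_KEY) + tlv(0xA0, tlv(0x01, b"\xff"))
            + der_int(parent) + tlv(0x04, pub) + tlv(0x04, priv))
    b64 = base64.encodebytes(tlv(0x30, body)).decode()
    return PEM_HEADER + "\n" + b64 + "-----END TSS2 PRIVATE KEY-----\n"

def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def parent_handle_of(pem):
    """Parse the PEM armor and minimal DER to recover the parent handle."""
    lines = pem.strip().splitlines()
    if lines[0] != PEM_HEADER:
        raise ValueError("not a TSS2 PEM key")
    tag, seq, _ = read_tlv(base64.b64decode("".join(lines[1:-1])), 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, _, pos = read_tlv(seq, 0)            # type OID
    tag, val, pos = read_tlv(seq, pos)        # emptyAuth [0] (optional) or parent
    if tag == 0xA0:
        tag, val, pos = read_tlv(seq, pos)    # parent INTEGER
    if tag != 0x02:
        raise ValueError("expected parent INTEGER")
    return int.from_bytes(val, "big")

def check_unit_json(doc):
    """Return (parent handle, True if it is the expected persistent parent)."""
    pem = base64.b64decode(json.loads(doc)["unit"]["tpm2_key#"]).decode()
    parent = parent_handle_of(pem)
    return parent, parent == EXPECTED_PARENT

# constructed sample of what the jq step leaves in the unit JSON
SAMPLE_JSON = json.dumps({"unit": {"tpm2_key#": base64.b64encode(
    build_tss2_pem(0x81000001, b"\x00" * 8, b"\x01" * 8).encode()).decode()}})
```

A blob whose parent is not the persistent handle the unit was provisioned with (or that fails to parse at all) is the same situation the reinitialized TPM produces: the engine will not be able to load it.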
