Re: [Ibmtpm20tss-users] [openssl-tpm2-engine] ibmtss
On Mon, 2019-01-14 at 14:33 +0000, Doug Fraser wrote:
Morning Ken.

Essentially, yes. The file is reduced to the binary key form which is
kept in memory for the lifetime of the engine (so it's not loading a
file each time). But when you ask for a signature (the only universal
operation), the sequence of TPM commands is
So it is loading the key from the memory area each time. This pretty
much corresponds to best practice, even internally to a single
application because you want to keep TPM resources tied up for the
smallest amount of time. In theory it is possible to keep the key and
the session loaded in TPM volatile memory, but this can lead to
resource issues if the application uses more than three keys.
If you're worried about time taken by the TPM operations, then actually
the TPM2_Load isn't the problem one (it's a simple aes128 decryption),
the heavy one is TPM2_StartAuthSession because we use a
cryptographically salted session and that means the TPM has to use the
primary storage key to derive the encrypted salt.
From an earlier email I sent to James: (direct quote)