Here is a proposal for importing persistent keys and key objects into a token without relying on third-party software, so that it works with both backends (FAPI/ESYSDB).
If there isn't any opposition, I'll start the implementation soon.
C_GenerateKeyPair: Utilize a key template that contains vendor-specific attributes, linking the key object to either the persistent TPM key or TPM key objects.

    For TPM key objects:
        CKA_TPM2_PUB_BLOB
        CKA_TPM2_PRIV_BLOB
        CKA_TPM2_OBJAUTH            // The TPM key auth value in plain text

    For persistent TPM key:
        CKA_TPM2_PERSISTENT_HANDLE  // Allows persistent handle only
        CKA_TPM2_OBJAUTH
C_GenerateKeyPair:
    If either key template (pub/priv) includes the attribute CKA_TPM2_PERSISTENT_HANDLE, indicating that a tpm_persistent_handle is used:
        Create two tobjs: pub_tobj and priv_tobj.
        Set pub_tobj->tpm_persistent_handle and priv_tobj->tpm_persistent_handle to the value of CKA_TPM2_PERSISTENT_HANDLE.
        Leave the x_tobj->priv & pub fields empty.
        Set the auth value in x_tobj using tobject_set_auth() to the wrapped value of CKA_TPM2_OBJAUTH.
        Store the x_tobj in the backend.
        Store the x_tobj in the global variable (token->tobjects).
    If the pub key template includes the attribute CKA_TPM2_PUB_BLOB and the priv key template includes the attribute CKA_TPM2_PRIV_BLOB, indicating that TPM key objects are used:
        Create two tobjs: pub_tobj and priv_tobj.
        Set pub_tobj->pub and priv_tobj->pub & priv to the values of CKA_TPM2_PUB_BLOB and CKA_TPM2_PRIV_BLOB, respectively.
        Set the auth value in x_tobj using tobject_set_auth() to the wrapped value of CKA_TPM2_OBJAUTH.
        Store the x_tobj in the backend.
        Store the x_tobj in the global variable (token->tobjects).
    Otherwise, follow the default implementation.
TPM key loading using token_load_object():
    Set tobject->tpm_esys_tr according to the following rules:
        If tobject->tpm_persistent_handle is not empty:
            If CKA_CLASS == CKO_PRIVATE_KEY, set tobject->tpm_esys_tr to Esys_TR_FromTPMPublic(tobject->tpm_persistent_handle).
            If CKA_CLASS == CKO_PUBLIC_KEY, set tobject->tpm_esys_tr to Esys_LoadExternal(Esys_ReadPublic(tobject->tpm_persistent_handle)).
        Otherwise, follow the default implementation.
C_SignInit/C_EncryptInit/C_DecryptInit operation:
    During the initialization operation, the tobj is loaded using token_load_object():
        If tobj->tpm_esys_tr is already set, no action is required.
        Otherwise:
            If pub_tobj->tpm_persistent_handle is not empty, set tobject->tpm_esys_tr according to the above rules.
            Otherwise, follow the default implementation to load the TPM key objects.
    If tobj->tpm_esys_tr is set, flush it during C_Logout -> session_ctx_logout.

*this is the default implementation
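The template dispatch described in the proposal above, written out as an added example (this is not the issue author's code nor tpm2-pkcs11's own implementation). It decides which C_GenerateKeyPair branch a pub/priv template pair selects and which token_load_object() rule applies, and it adds the input checks a reviewer would want before anything reaches the TPM: the handle must lie in the TPM 2.0 persistent range (handle type 0x81, i.e. 0x81000000..0x81FFFFFF, which is what "Allows persistent handle only" implies), the blob branch needs both blobs in their matching templates, and a template that carries both a persistent handle and blobs is rejected rather than having the blobs silently ignored (that last rule is an added check, not something the proposal states). The CK_ATTRIBUTE-like `attr_t`, the numeric values of the CKA_TPM2_* vendor attributes, and the 32-bit encoding of the handle value are assumptions made for this example; the standard PKCS#11 constants (CKA_CLASS, CKO_*, CKA_VENDOR_DEFINED) are the real ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the PKCS#11 types used here (assumed for this example;
 * a real token would use CK_ATTRIBUTE from pkcs11.h). */
typedef unsigned long CK_ULONG;
typedef struct {
    CK_ULONG type;
    void *pValue;
    CK_ULONG ulValueLen;
} attr_t;

#define CKA_CLASS          0x00000000UL   /* standard PKCS#11 values */
#define CKO_PUBLIC_KEY     0x00000002UL
#define CKO_PRIVATE_KEY    0x00000003UL
#define CKA_VENDOR_DEFINED 0x80000000UL
/* Assumed numbering: the proposal names these attributes but assigns no values. */
#define CKA_TPM2_PUB_BLOB          (CKA_VENDOR_DEFINED | 0x1UL)
#define CKA_TPM2_PRIV_BLOB         (CKA_VENDOR_DEFINED | 0x2UL)
#define CKA_TPM2_OBJAUTH           (CKA_VENDOR_DEFINED | 0x3UL)
#define CKA_TPM2_PERSISTENT_HANDLE (CKA_VENDOR_DEFINED | 0x4UL)

/* TPM 2.0 handle type 0x81 is the persistent range (TPM_HT_PERSISTENT). */
#define TPM2_PERSISTENT_FIRST 0x81000000U
#define TPM2_PERSISTENT_LAST  0x81FFFFFFU

typedef enum { PATH_DEFAULT, PATH_PERSISTENT, PATH_BLOBS, PATH_ERROR } import_path_t;

static const attr_t *find_attr(const attr_t *t, size_t n, CK_ULONG type) {
    for (size_t i = 0; i < n; i++)
        if (t[i].type == type) return &t[i];
    return NULL;
}

/* Select the C_GenerateKeyPair branch from the two templates, validating the
 * vendor attributes first. On PATH_PERSISTENT the checked handle is written
 * to *handle_out (if non-NULL). Handle values are assumed to be 32-bit. */
import_path_t classify_templates(const attr_t *pub, size_t pub_n,
                                 const attr_t *priv, size_t priv_n,
                                 uint32_t *handle_out) {
    const attr_t *h = find_attr(pub, pub_n, CKA_TPM2_PERSISTENT_HANDLE);
    if (!h) h = find_attr(priv, priv_n, CKA_TPM2_PERSISTENT_HANDLE);
    const attr_t *pub_blob  = find_attr(pub, pub_n, CKA_TPM2_PUB_BLOB);
    const attr_t *priv_blob = find_attr(priv, priv_n, CKA_TPM2_PRIV_BLOB);

    /* Added check: a handle plus blobs is ambiguous, refuse instead of ignoring. */
    if (h && (pub_blob || priv_blob)) return PATH_ERROR;

    if (h) {
        if (!h->pValue || h->ulValueLen != sizeof(uint32_t)) return PATH_ERROR;
        uint32_t v;
        memcpy(&v, h->pValue, sizeof v);
        /* "Allows persistent handle only": transient, NV and other ranges fail. */
        if (v < TPM2_PERSISTENT_FIRST || v > TPM2_PERSISTENT_LAST) return PATH_ERROR;
        if (handle_out) *handle_out = v;
        return PATH_PERSISTENT;
    }
    if (pub_blob || priv_blob) {
        /* Both blobs are required, each in the template of its own key half. */
        if (!pub_blob || !priv_blob) return PATH_ERROR;
        if (!pub_blob->pValue || pub_blob->ulValueLen == 0 ||
            !priv_blob->pValue || priv_blob->ulValueLen == 0) return PATH_ERROR;
        return PATH_BLOBS;
    }
    return PATH_DEFAULT;
}

/* token_load_object() rule for a tobject with tpm_persistent_handle set:
 * private half -> Esys_TR_FromTPMPublic, public half -> LoadExternal of the
 * ReadPublic result; anything else falls back to the default path. */
typedef enum { LOAD_DEFAULT, LOAD_TR_FROM_TPM_PUBLIC, LOAD_EXTERNAL_PUBLIC, LOAD_ERROR } load_rule_t;

load_rule_t load_rule(CK_ULONG cka_class, int has_persistent_handle) {
    if (!has_persistent_handle) return LOAD_DEFAULT;
    if (cka_class == CKO_PRIVATE_KEY) return LOAD_TR_FROM_TPM_PUBLIC;
    if (cka_class == CKO_PUBLIC_KEY)  return LOAD_EXTERNAL_PUBLIC;
    return LOAD_ERROR;
}

int main(void) {
    /* Constructed sample templates: a persistent handle, then a transient one. */
    uint32_t good = 0x81000001U, bad = 0x80000001U, out = 0;
    CK_ULONG cls_pub = CKO_PUBLIC_KEY, cls_priv = CKO_PRIVATE_KEY;
    const char auth[] = "secret";                 /* constructed auth value */
    attr_t pub_t[]  = { { CKA_CLASS, &cls_pub, sizeof cls_pub } };
    attr_t priv_t[] = {
        { CKA_CLASS, &cls_priv, sizeof cls_priv },
        { CKA_TPM2_PERSISTENT_HANDLE, &good, sizeof good },
        { CKA_TPM2_OBJAUTH, (void *)auth, sizeof auth - 1 },
    };
    printf("persistent: path=%d handle=0x%08x load=%d\n",
           classify_templates(pub_t, 1, priv_t, 3, &out), (unsigned)out,
           load_rule(cls_priv, 1));
    priv_t[1].pValue = &bad;
    printf("transient handle: path=%d (3 == PATH_ERROR)\n",
           classify_templates(pub_t, 1, priv_t, 3, &out));
    return 0;
}
```

The handle-range check is the one that matters most for a token that "allows persistent handle only": a caller passing a transient (0x80...) or NV (0x01...) handle would otherwise produce a tobject whose Esys_TR_FromTPMPublic() call fails only at first use, long after the object was stored in the backend.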