Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add support for persistent srk #38

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

add support for persistent srk #38

wants to merge 1 commit into from

Conversation

novag
Copy link
Contributor

@novag novag commented Jan 28, 2024
edited
Loading

  • Persisting the SRK allows the creation and use of individual keys without specifying the owner password

Example:

  1. Set an owner password: tpm2_changeauth -c owner myPass
  2. Create SSH key and save SRK to handle ID 0x81000002: ssh-tpm-keygen -o -s 0x81000002
  3. Create another SSH key without entering the owner password: ssh-tpm-keygen -s 0x81000002
  4. Start the SSH agent without entering the owner password: /ssh-tpm-agent -s 0x81000002 -l /var/tmp/tpm.sock

Based on #37

@Foxboron
Copy link
Owner

This lacks a test. You should be able to recreate the flow as you describe through the TPM simulator.

@Foxboron
Copy link
Owner

This is probably not going to work out in it's current form. We need to extend the SRK to the key format and I'm changing this to the ASN.1 key definition.

https://github.com/Foxboron/go-tpm-keyfiles

It should allow us to embed the parent handle into the keyfiles which should offer more flexibility.

@novag novag force-pushed the persist branch 2 times, most recently from 737dfe5 to 12bb054 Compare May 19, 2024 20:20
@novag novag marked this pull request as draft May 19, 2024 20:20
@novag novag force-pushed the persist branch 2 times, most recently from 17cbd10 to b940614 Compare May 24, 2024 09:44
@novag
add support for persistent srk
5b2786a 
* Persisting the SRK allows the creation and use of individual keys
  without specifying the owner password
@Foxboron
Copy link
Owner

Foxboron commented Jun 2, 2024
edited
Loading

@novag

Yo, thanks for working on this.

I've been tidying up go-tpm-keyfiles with the intention of moving most of the keyfile handling and TPM stuff around these to this library. I think your time is better spent making sure your use-case of persistent SRKs is handeled in this library as it should be much easier to support this in ssh-tpm-agent as a result.

I think it should work as-is, but I have not yet written any tests for it. parent should point at a PERSISTENT handle and ReadPublic from it.

https://github.com/Foxboron/go-tpm-keyfiles

Relevant code is here: https://github.com/Foxboron/go-tpm-keyfiles/blob/master/tpm.go#L458

@Foxboron
Copy link
Owner

Yo,

I'm sorry for making this PR difficult to merge for you. I've added a --parent-handle flag to ssh-tpm-keygen which might do what you want to do as it just hooks directly into go-tpm-keyfiles.

I believe there is some flag parsing missing for specifying static handles instead of a hierarchy, but I think this is going to be easier to implement.

If you don't want to work on this anymore I can salvage the interesting bits from this PR and work it out for you :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@novag @Foxboron