Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS using a private key store in a TPM #649

Open
2 tasks
AlexLaroche opened this issue Jun 28, 2024 · 5 comments
Open
2 tasks

TLS using a private key store in a TPM #649

AlexLaroche opened this issue Jun 28, 2024 · 5 comments
Labels
feature-request A feature should be added or improved. p3 This is a minor priority issue

Comments

@AlexLaroche
Copy link

Describe the feature

Add support for TLS establishments by using a private key store in the TPM.

Use Case

Protect the private key by storing it in a TPM

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@AlexLaroche AlexLaroche added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jun 28, 2024
@bretambrose
Copy link
Contributor

@AlexLaroche
Copy link
Author

No. If you use PKCS#11 to connect to the TPM, you must load an external library like this : https://github.com/tpm2-software/tpm2-pkcs11

The problem is that there are metadata specific to PKCS#11 that must be saved outside the TPM.

For the example library, it uses an SQLite database to store the metadata. There have been migration issues caused by this in the past with the specified library. In addition, key management in the TPM without going through this connector becomes almost impossible.

A TPM has an interface with very well standardized. We shouldn't need to go through an interface like PKCS#11.

@bretambrose
Copy link
Contributor

No. If you use PKCS#11 to connect to the TPM, you must load an external library like this : https://github.com/tpm2-software/tpm2-pkcs11

Why is this problematic? It is very unlikely that we will ever directly embed device-specific TPM support in this library. Every single customer who has asked for TPM support has been satisfied with pkcs11 support.

The problem is that there are metadata specific to PKCS#11 that must be saved outside the TPM.

Needs more explanation how this is a problem.

A TPM has an interface with very well standardized. We shouldn't need to go through an interface like PKCS#11.

What is this standard you refer to? After all, Pkcs11 is an industry-wide standard for hardware security module access.

@AlexLaroche
Copy link
Author

It is very unlikely that we will ever directly embed device-specific TPM support in this library.

You don’t need to embed “device-specific”TPM support in this library. As mentioned, TPM has standardized specification including the communication interface. Generic TPM integration could be supported by this library.

TPM specification :

https://trustedcomputinggroup.org/resource/tpm-library-specification/

It’s even standardized in a ISO standard (ISO/IEC 11889:2015).

Why is this problematic?

The problem is that there are metadata specific to PKCS#11 that must be saved outside the TPM. (It’s normally not the case for a hardware security module [HSM].)

For the example library (the only one we found doing what we want), it uses an SQLite database to store the metadata. There have been migration issues caused in the past with the specified library.

We want to store the private key to connect via MQTT to AWS IoT using the SDK provided by AWS which depends on this library. However, the risk of using a third party library to interface the TPM via PKCS#11 which could break due to a SQLite database migration problem in future really does not enchant us. We don’t want our manufactured devices to get bricked on the field.

Another issue is that we need to preserve the SQLite database in a no readonly storage and we also need to keep the SQLite database even in a factory reset and other operation because it’s represent the identity. It add a lot of complexity in the context.

Also, key management in the TPM without going through this connector becomes almost impossible. It’s quite useful to be able to call the TPM with standard tool like OpenSSL without breaking the PKCS#11 integration, but if you don’t use without the integration, it’s actually breaking everything.

@bretambrose
Copy link
Contributor

bretambrose commented Jun 29, 2024

I see.

Ultimately, this is an ask whose complexity is high enough that I think it would require you to go through a business-to-business contact (like a TAM or SA) for evaluation/movement.

As a feature request for others to +1, it's fine of course.

@jmklix jmklix added p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jul 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature-request A feature should be added or improved. p3 This is a minor priority issue
Projects
None yet
Development

No branches or pull requests

3 participants