gnome-keyring [RFC 0/2] Use the TPM as a key store for keyring signing keys
The keyring daemon performs signing internally for ssh and pkcs11 keys,
so it should be perfectly possible for it to use TPM-based keys instead
of file-based ones, thus allowing security-minded users to use the TPM
as a storage repository from which their keys can never be extracted.

The code to do this currently piggybacks on the ssh code.  However, I
think it might be better to have a separate directory for storing TPM
keys.  Note that external TPM key storage is required: the TPM's
shielded memory is too small to store every possible key
simultaneously, so keys are actually loaded into the TPM at signature
time and then unloaded again.

The current code also assumes that you have a well-known authority for
the SRK root to simplify the code.  However, it is perfectly possible
to have an SRK password and use the login keyring to store it too.

There's also a lot of missing validation about signature types.

To make this work, simply go into your ssh directory and create a wrapped
key for each private RSA 2048 key using create_tpm_key from
openssl_tpm_engine:

create_tpm_key -m -a -w <ssh private key> <tpm private key>

Using the same password for the TPM key that you used for the ssh key is
not essential.

Then move <tpm private key> over <ssh private key> and restart the
gnome-keyring-daemon.  You should now be using TPM-shielded private
keys for all your ssh interactions.

James

---

James Bottomley (2):
  pkcs11: read TPM based ssh private keys
  gkm: add TPM as signing capability

 configure.ac                       |  24 ++++++
 pkcs11/gkm/Makefile.am             |   2 +
 pkcs11/gkm/gkm-crypto.c            |  12 ++-
 pkcs11/gkm/gkm-data-der.c          |  34 ++++++++
 pkcs11/gkm/gkm-data-der.h          |   4 +
 pkcs11/gkm/gkm-tpm-mechanism.c     | 168 +++++++++++++++++++++++++++++++++++++
 pkcs11/gkm/gkm-tpm-mechanism.h     |  17 ++++
 pkcs11/ssh-store/gkm-ssh-openssh.c |  21 +++++
 8 files changed, 279 insertions(+), 3 deletions(-)
 create mode 100644 pkcs11/gkm/gkm-tpm-mechanism.c
 create mode 100644 pkcs11/gkm/gkm-tpm-mechanism.h
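The manual procedure in the cover letter (wrap each RSA private key with create_tpm_key, move the wrapped key over the original, restart the daemon) is easy to get wrong on a directory with several keys, and moving the blob over the original destroys the only copy of the key that works outside this TPM. The script below, an added example that is not part of the RFC or of gnome-keyring, automates it for a whole ssh directory while keeping a backup. It assumes create_tpm_key from openssl_tpm_engine is on PATH and takes exactly the arguments the RFC shows (-m -a -w <ssh private key> <tpm private key>); CREATE_TPM_KEY is an assumed environment variable for pointing at a different binary. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the RFC or from gnome-keyring: wrap every
# RSA private key in an ssh directory with create_tpm_key and replace the
# original in place, keeping a backup.
# Assumptions: create_tpm_key (openssl_tpm_engine) accepts
#   -m -a -w <ssh private key> <tpm private key>
# as shown in the RFC; CREATE_TPM_KEY (assumed, not a real engine setting)
# overrides its location. The RFC limits this to RSA 2048 keys and this
# script only checks the PEM header, so confirm the key size first, for
# example with: ssh-keygen -l -f KEY
set -eu

: "${CREATE_TPM_KEY:=create_tpm_key}"

# is_rsa_private_key FILE: true for a traditional PEM RSA private key.
# OpenSSH-format, non-RSA and already-wrapped keys carry other headers and
# are skipped, which makes the whole procedure safe to rerun.
is_rsa_private_key() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}

# wrap_one KEY: create KEY.tpm with create_tpm_key (which prompts for the
# TPM key password, see -a), keep KEY.orig as a backup because the wrapped
# blob only works on this TPM, then move the wrapped key over KEY.
# The original is left untouched unless the wrapper produced output.
wrap_one() {
    key=$1
    "$CREATE_TPM_KEY" -m -a -w "$key" "$key.tpm"
    if [ ! -s "$key.tpm" ]; then
        rm -f "$key.tpm"
        echo "create_tpm_key produced no output for $key" >&2
        return 1
    fi
    cp -p "$key" "$key.orig"
    chmod 600 "$key.orig" "$key.tpm"
    mv "$key.tpm" "$key"
}

# wrap_ssh_keys DIR: wrap every RSA private key in DIR and print the path
# of each key that was replaced, one per line.
wrap_ssh_keys() {
    dir=$1
    for f in "$dir"/*; do
        case "$f" in
            *.pub|*.orig|*.tpm) continue ;;
        esac
        is_rsa_private_key "$f" || continue
        wrap_one "$f"
        echo "$f"
    done
}

# Usage: sh wrap-ssh-keys.sh ~/.ssh   (then restart gnome-keyring-daemon)
if [ $# -gt 0 ]; then
    wrap_ssh_keys "$1"
fi
```

Keep the .orig files somewhere the TPM cannot protect them only if you need the keys on another machine; otherwise delete them once the TPM-wrapped keys are confirmed working, since they are still file-based private keys with all the exposure the RFC is trying to remove.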

