
Proposal for importing persistent keys and key objects into a token without relying on third-party software #861

Open
wxleong opened this issue Apr 30, 2024 · 0 comments

wxleong commented Apr 30, 2024

Here is a proposal for importing persistent keys and key objects into a token without relying on third-party software, where it will work with both backends (FAPI/ESYSDB).

If there isn't any opposition, I'll start the implementation soon.

  • Modify struct tobject:

    • uint32_t tpm_persistent_handle; // Persistent TPM handle
    • uint32_t tpm_esys_tr; // Loaded TPM handle
  • C_GenerateKeyPair: Utilize a key template that contains vendor-specific attributes, linking the key object to either the persistent TPM key or TPM key objects.

    • For TPM key objects:
      • CKA_TPM2_PUB_BLOB
      • CKA_TPM2_PRIV_BLOB
      • CKA_TPM2_OBJAUTH // The TPM key auth value in plain text
    • For persistent TPM key:
      • CKA_TPM2_PERSISTENT_HANDLE // Allows persistent handle only
      • CKA_TPM2_OBJAUTH
  • C_GenerateKeyPair:

    • If either key template (pub/priv) includes the attribute CKA_TPM2_PERSISTENT_HANDLE, indicating that a tpm_persistent_handle is used:
      • Create two tobjs: pub_tobj and priv_tobj.
      • Set pub_tobj->tpm_persistent_handle and priv_tobj->tpm_persistent_handle to the value of CKA_TPM2_PERSISTENT_HANDLE.
      • Leave the x_tobj->priv & pub fields empty.
      • Set the auth value in x_tobj using tobject_set_auth() to the wrapped value of CKA_TPM2_OBJAUTH.
      • Store the x_tobj in the backend.
      • Store the x_tobj in the global variable (token->tobjects).
    • If the pub key template includes attribute CKA_TPM2_PUB_BLOB and priv key template includes attribute CKA_TPM2_PRIV_BLOB, indicating that TPM key objects are used:
      • Create two tobjs: pub_tobj and priv_tobj.
      • Set pub_tobj->pub and priv_tobj->pub & priv to the value of CKA_TPM2_PUB_BLOB and CKA_TPM2_PRIV_BLOB, respectively.
      • Set the auth value in x_tobj using tobject_set_auth() to the wrapped value of CKA_TPM2_OBJAUTH.
      • Store the x_tobj in the backend.
      • Store the x_tobj in the global variable (token->tobjects).
    • Otherwise, follow the default implementation.
  • TPM key loading using token_load_object():

    • Set tobject->tpm_esys_tr according to the rules:
      • If tobject->tpm_persistent_handle is not empty:
        • If CKA_CLASS == CKO_PRIVATE_KEY, set tobject->tpm_esys_tr to Esys_TR_FromTPMPublic(tobject->tpm_persistent_handle).
        • If CKA_CLASS == CKO_PUBLIC_KEY, set tobject->tpm_esys_tr to Esys_LoadExternal(Esys_ReadPublic(tobject->tpm_persistent_handle)).
      • Otherwise, follow the default implementation.
  • C_SignInit/C_EncryptInit/C_DecryptInit Operation:

    • During the initialization operation, the tobj is loaded using token_load_object():
      • If tobj->tpm_esys_tr is already set, no action is required.
      • Otherwise:
        • If pub_tobj->tpm_persistent_handle is not empty, set tobject->tpm_esys_tr according to the above rules.
        • Otherwise, follow the default implementation to load the TPM key objects.
    • If the tobj->tpm_esys_tr is set, flush it during C_Logout -> session_ctx_logout (this is the default implementation).
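The template dispatch described in the proposal above, as an added example that is not the project's code: the CKA_TPM2_* numeric values are assumed placeholders built on the standard CKA_VENDOR_DEFINED base, the ck_attr struct stands in for CK_ATTRIBUTE, and the "allows persistent handle only" rule is enforced as a range check on the TPM 2.0 persistent handle space (0x81xxxxxx).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* CKA_VENDOR_DEFINED is the standard PKCS#11 base; the CKA_TPM2_* offsets are
 * hypothetical values chosen for this example, not the project's definitions. */
#define CKA_VENDOR_DEFINED          0x80000000UL
#define CKA_TPM2_PUB_BLOB           (CKA_VENDOR_DEFINED + 0x101UL)
#define CKA_TPM2_PRIV_BLOB          (CKA_VENDOR_DEFINED + 0x102UL)
#define CKA_TPM2_PERSISTENT_HANDLE  (CKA_VENDOR_DEFINED + 0x104UL)
/* TPM 2.0 persistent object handles live in the 0x81xxxxxx range. */
#define TPM2_PERSISTENT_FIRST 0x81000000UL
#define TPM2_PERSISTENT_LAST  0x81FFFFFFUL

typedef struct { unsigned long type; const void *pValue; unsigned long ulValueLen; } ck_attr;
typedef enum { IMPORT_DEFAULT, IMPORT_PERSISTENT, IMPORT_BLOBS, IMPORT_INVALID } import_mode;

static const ck_attr *find_attr(const ck_attr *t, size_t n, unsigned long type) {
    for (size_t i = 0; i < n; i++) if (t[i].type == type) return &t[i];
    return NULL;
}
/* Read a CKA_TPM2_PERSISTENT_HANDLE value; 0 means absent or malformed. */
static uint32_t read_handle(const ck_attr *a) {
    uint32_t h = 0;
    if (a && a->pValue && a->ulValueLen == sizeof h) memcpy(&h, a->pValue, sizeof h);
    return h;
}
/* Decide which C_GenerateKeyPair path the pub/priv templates select. */
import_mode classify_import(const ck_attr *pub, size_t npub,
                            const ck_attr *priv, size_t npriv, uint32_t *handle_out) {
    const ck_attr *hp = find_attr(pub, npub, CKA_TPM2_PERSISTENT_HANDLE);
    const ck_attr *hv = find_attr(priv, npriv, CKA_TPM2_PERSISTENT_HANDLE);
    if (hp || hv) {                       /* persistent-handle import */
        uint32_t h = read_handle(hp ? hp : hv);
        if (hp && hv && read_handle(hp) != read_handle(hv)) return IMPORT_INVALID;
        /* "persistent handle only": refuse transient, NV or malformed handles */
        if (h < TPM2_PERSISTENT_FIRST || h > TPM2_PERSISTENT_LAST) return IMPORT_INVALID;
        if (handle_out) *handle_out = h;
        return IMPORT_PERSISTENT;
    }
    if (find_attr(pub, npub, CKA_TPM2_PUB_BLOB) && find_attr(priv, npriv, CKA_TPM2_PRIV_BLOB))
        return IMPORT_BLOBS;              /* pub and priv blob import */
    return IMPORT_DEFAULT;                /* fall through: generate a fresh TPM key */
}
/* Constructed sample templates for demonstration (not real key material). */
static const uint32_t sample_handle = 0x81000001u, bad_handle = 0x80000002u;
static const unsigned char pub_blob[4] = {1, 2, 3, 4}, priv_blob[4] = {5, 6, 7, 8};
const ck_attr tmpl_persist[1]   = {{CKA_TPM2_PERSISTENT_HANDLE, &sample_handle, sizeof sample_handle}};
const ck_attr tmpl_transient[1] = {{CKA_TPM2_PERSISTENT_HANDLE, &bad_handle, sizeof bad_handle}};
const ck_attr tmpl_pub[1]  = {{CKA_TPM2_PUB_BLOB, pub_blob, sizeof pub_blob}};
const ck_attr tmpl_priv[1] = {{CKA_TPM2_PRIV_BLOB, priv_blob, sizeof priv_blob}};
```

A template carrying a transient-range handle (0x80xxxxxx) is rejected rather than silently stored in tobject->tpm_persistent_handle, so a later Esys_TR_FromTPMPublic never targets a non-persistent object.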