Add support for RSA 3072 keys #244

Merged
merged 4 commits into from
May 5, 2020
stefanberger (Owner) commented Apr 23, 2020

This pull request adds support for RSA 3072 keys by

  • testing that a vTPM that has been filled up with RSA 2048 bit keys can still be loaded into a libtpms that supports RSA 3072 bit keys; the problem is especially related to the size of the TPM 2 OBJECT type that has increased due to RSA 3072 support and now the NVRAM needs more space
  • having swtpm and swtpm_setup advertise RSA 3072 bit key support via --print-capabilities
  • supporting RSA 3072 bit EK keys via swtpm_setup
  • extending swtpm_setup test cases to cover RSA 3072 bit keys

coveralls commented Apr 23, 2020

Pull Request Test Coverage Report for Build 2148

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 72.903%

Totals Coverage Status
Change from base Build 2138: 0.0%
Covered Lines: 3764
Relevant Lines: 5163


stefanberger force-pushed the rsa_3072 branch 4 times, most recently from 9561ac3 to 54c8e1b (April 24, 2020 19:04)
stefanberger force-pushed the rsa_3072 branch 11 times, most recently from 039bb4e to bfa8c09 (May 1, 2020 15:54)
stefanberger force-pushed the rsa_3072 branch 6 times, most recently from fb3f992 to 5d71211 (May 4, 2020 23:17)

Extend the --print-capabilities option to also report supported RSA
key sizes. Only the TPM 2 may support anything else than 2048 bit RSA
keys, so we only consult 'swtpm socket --tpm2 --print-capabilities'
and grep for 2048 and 3072 key sizes and report them.
If nothing is found, nothing is reported, as before, and 2048 bit RSA
keys should be assumed.

'swtpm_setup --tpm2 --print-capabilities' may now show the following:
{
  "type": "swtpm_setup",
  "features": [
    "cmdarg-keyfile-fd",
    "cmdarg-pwdfile-fd",
    "tpm2-rsa-keysize-2048",
    "tpm2-rsa-keysize-3072"
  ]
}

Also adjust a test case to use a regular expression for matching
against an expected string that may or may not have rsa-keysize
verbs.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Extend the creation of the EK key to support also 3072 bits RSA keys.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Extend a few test cases to also test with RSA 3072 bit keys if they
are supported.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

By passing '--rsa-keysize max' allow to create the largest possible RSA
EK key.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger deleted the rsa_3072 branch (May 12, 2020 18:23)
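
A caller-side sketch of consuming the capability report described in the commit messages above, added here as an example and not code from swtpm. It parses the `features` array, falls back to 2048 bits when no `tpm2-rsa-keysize-*` verb is present, and resolves a request for the largest size; the function names and the older-style sample report are assumptions.

```python
import json
import re

# Feature verb format shown in the commit message: "tpm2-rsa-keysize-<bits>".
_KEYSIZE_VERB = re.compile(r"^tpm2-rsa-keysize-(\d+)$")
DEFAULT_RSA_BITS = 2048  # assumed when no keysize verb is advertised


def supported_rsa_keysizes(capabilities_json):
    """Return the advertised TPM 2 RSA key sizes, ascending (hypothetical helper)."""
    doc = json.loads(capabilities_json)
    features = doc.get("features", [])
    if not isinstance(features, list):
        raise ValueError("'features' must be a JSON array")
    sizes = set()
    for verb in features:
        m = _KEYSIZE_VERB.match(verb) if isinstance(verb, str) else None
        if m:
            sizes.add(int(m.group(1)))
    # A report without keysize verbs means only 2048 bit keys can be assumed.
    return sorted(sizes) or [DEFAULT_RSA_BITS]


def choose_ek_keysize(capabilities_json, requested="max"):
    """Resolve a requested EK size ("max" or a bit count) against the report."""
    sizes = supported_rsa_keysizes(capabilities_json)
    if requested == "max":
        return sizes[-1]
    bits = int(requested)
    if bits not in sizes:
        # Fail closed instead of silently provisioning a smaller key.
        raise ValueError(f"RSA {bits} not advertised; supported: {sizes}")
    return bits


# Constructed samples: the report quoted in the commit message, and a report
# without keysize verbs (assumed shape of an older build's output).
NEW_CAPS = """{"type": "swtpm_setup", "features": ["cmdarg-keyfile-fd",
 "cmdarg-pwdfile-fd", "tpm2-rsa-keysize-2048", "tpm2-rsa-keysize-3072"]}"""
OLD_CAPS = """{"type": "swtpm_setup", "features": ["cmdarg-keyfile-fd",
 "cmdarg-pwdfile-fd"]}"""

if __name__ == "__main__":
    print(choose_ek_keysize(NEW_CAPS))  # largest advertised size
    print(choose_ek_keysize(OLD_CAPS))  # fallback when nothing is advertised
```

Raising on an unadvertised size keeps a provisioning script from quietly creating a 2048 bit EK when policy asked for 3072.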