Skip to content
OpenSSL Engine for TPM2 devices
C Shell M4 Makefile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bash-completion Added support for using a parent key password Jul 15, 2019
include tpm2-tss-engine: Add __cplusplus include guard to header file Sep 2, 2019
m4 Initial code commit Jun 7, 2018
man Added support for using a parent key password Jul 15, 2019
src Fix function name error messages in ECC code Oct 16, 2019
test test: add a test for the ECC handle flush fix Oct 16, 2019
.gitignore build: update for ax_code_coverage.m4 version 2019.01.06 Feb 18, 2019
.lgtm.yml ci: add LGTM Jul 30, 2019
.travis.yml ci: update TPM2TOOLS_BRANCH to the fixed version 4.0 Oct 10, 2019
CHANGELOG.md Release v1.0.0 Apr 4, 2019
CONTRIBUTING.md Added CHANGELOG and CONTRIBUTING Nov 16, 2018
INSTALL.md test: use tpm2-tools 4.X Oct 2, 2019
LICENSE Use GitHub compatible LICENSE text May 6, 2019
MAINTAINERS
Makefile.am test: add a test for the ECC handle flush fix Oct 16, 2019
README.md ci: add LGTM Jul 30, 2019
RELEASE.md Update for v1.0.0-rc1 Mar 4, 2019
bootstrap Add unit tests for some error cases Jan 24, 2019
configure.ac build: add --disable-defaultflags Jun 3, 2019
openssl.conf.sample A sample openssl.cnf file for the tpm2tss engine Aug 26, 2019

README.md

Linux Build Status Code Coverage Language grade: C/C++

Overview

The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures.

Operations

Key hierarchies

The keys used by this engine are all located underneath an ECC restricted primary storage decryption key. This key is created on each invocation (since ECC key creation is faster than RSA's). Thus, no persistent SRK key need to be predeployed.

The authorization value for the storage hierarchie (the owner password) is assumed to be clear (of zero length). If this is not the case, it needs to be set using the engine ctrl.

Key types

The RSA keys are created with the ability to sign as well as to decrypt. This allows all RSA keys to be used for either operation. Note: The TPM's RSA sign operation will enforce tagging payloads with an ASN.1 encoded identifier of the used hash algorithm. This is incompatible with OpelSSL's RSA interface structures. Thus, the TPM2_RSA_Decrypt method is also used for signing operations which also requires decrypt capabilities to be activated for this key.

The ECDSA keys are created as ECDSA keys with the ability to perform signature operations.

Build and install instructions

Instructions to build and install tpm2-tss are available in the INSTALL file.

Usage

For additional usage examples, please consider the integration tests under tests/*.sh.

Engine information

Engine informations can be retrieved using

openssl engine -t -c tpm2tss

Random data

A set of 10 random bytes can be retrieved using

openssl rand -engine tpm2tss -hex 10
engine "tpm2tss" set.
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so
40ac9191079e490d17b7
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-default.so
WARNING:esys:src/tss2-esys/esys_tcti_default.c:137:tcti_from_file() Could not load TCTI file: libtss2-tcti-tabrmd.so

Note: These warnings stem from the tpm2-tss libraries and are not an issue, as long as a TPM connection is established afterwards by a different tcti.

RSA operations

RSA decrypt

The following sequence of commands creates an RSA key using the TPM, exports the public key, encrypts a data file and decrypts it using the TPM:

tpm2tss-genkey -a rsa -s 2048 mykey
openssl rsa -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
openssl pkeyutl -pubin -inkey mykey.pub -in mydata -encrypt -out mycipher
openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -decrypt -in mycipher -out mydata

Alternatively, the data can be encrypted directly with the TPM key using:

openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -encrypt -in mydata -out mycipher

RSA sign

The following sequence of commands creates an RSA key using the TPM, exports the public key, signs a data file using the TPM and validates the signature:

openssl rsa -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -sign -in mydata -out mysig
openssl pkeyutl -pubin -inkey mykey.pub -verify -in mydata -sigfile mysig

Alternatively, the data can be validated directly using: openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -verify -in mydata -sigfile mysig Note: mydata must not exceed the size of the RSA key, since these operation do not perform any hashing of the input data.

ECDSA operations

The following sequence of commands creates an ECDSA key using the TPM, signs a data file using the TPM and validates the signature:

tpm2tss-genkey -a ecdsa mykey
openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -sign -in mydata -out mysig
openssl pkeyutl -engine tpm2tss -keyform engine -inkey mykey -verify -in mydata -sigfile mysig

To export the public key use:

openssl ec -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub

Self Signed certificate generate operation

The following sequence of commands creates self signed certificate using TPM key. Openssl command sets tpm2tss as engine and generates a self signed certificate based on provided CSR configuration information.

$ tpm2tss-genkey -a rsa rsa.tss
$ openssl req -new -x509 -engine tpm2tss -key rsa.tss  -keyform engine -out rsa.crt

TLS and s_server

This engine can be used in all places where OpenSSL is used to create a TLS secure channel connection. You have can specify the command

./tpm2tss-genkey -a rsa rsa.tss
openssl req -new -x509 -engine tpm2tss -key rsa.tss  -keyform engine  -out rsa.crt
openssl s_server -cert rsa.crt -key rsa.tss -keyform engine -engine tpm2tss -accept 8443

For ECDSA keys however, the Hash algorithm needs to be specified because the TPM does not support SHA512. You can blacklisting SHA512 universally. That is possible via openssl.cnf. See the "SignatureAlgorithms" configuration file command on this page: https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html

Note: Usage of s_server with HSM-protected private keys is only supported on OpenSSL 1.1.0 and newer.

Development prefixes

In order to use this engine without make install for testing call:

export LD_LIBRAY_PATH=${TPM2TSS}/src/tss2-{tcti,mu,sys,esys}/.libs
export PKG_CONFIG_PATH=$PWD/../tpm2-tss/lib
./bootstrap
./configure \
    CFLAGS="-I$PWD/../tpm2-tss/include" \
    LDFLAGS="-L$PWD/../tpm2-tss/src/tss2-{esys,sys,mu,tcti}/.libs"
make
make check
You can’t perform that action at this time.