On Thu, Jan 17, 2019 at 10:41:37AM +0000, kolargol wrote:
> regarding TPM there were these patches:
>
> http://bsssd.sourceforge.net/download.html
>
> but looks like quite abandoned as diff dates back to OpenBSD 4.7, looks like
> lack of interest in TPM...
>
I'd love to use the TPM for private key operations for sshd, iked, etc. The problem is that the existing software stacks are horrendously ugly and impenetrable. The developmental costs of using the TPM are too high.

I'm writing a framework for scripting PC/SC and PKCS#11 drivers in Lua. I won't lie and pretend it's not complex, but at least it has zero dependencies, builds natively out-of-the-box on various platforms, and permits one to gradually explore the space (as opposed to the extremes of either being stuck on the edges poking at a command-line utility or hopelessly drowning in baroque C code that long outgrew any original design). I've already written a GnuPG adapter which enables PC/SC transactions (so GnuPG's scdaemon doesn't hog the card), and a PKCS#11 bridge so ssh can use OpenPGP Smartcard or PIV tokens.

It would be nice if OpenBSD had a generic LPC or SPI layer that permitted talking to the TPM from userspace.

The idea for the framework is to make it easy for developers to use and explore HSM and HSM-like devices, including nailing down and solving integration issues. Using that real-world experience one could then select a subset of device types and access modes and implement simpler solutions from scratch, ideally without all the middleware.

