The biggest usability defect of the tpm engine is that it always prompts for the SRK authority password, making it unusable with the reasonably common default of a well known authority. The first patch makes it work with this common default by trying the well known authority first and only prompting if that fails. The second problem is that create_tpm_key needs to wrap rsa keys with more modern encryption protection (like the AES-128 that openss uses); this can be fixed by moving to EVP keys and the third is that if I'm wrapping a key, I don't necessarily want it ever to be able to be migrated out of the TPM I wrapped it for (for security reasons). This seems to be a bit of a design fault in the TSS, since it assumes all keys placed into the TPM by wrapping should be capable of being migrated out again, but it can be mostly fixed by giving the key a random number for the migration authority.
The three patches in this series then are: James Bottomley (3): try well known authority for SRK first Handle EVP keys Add option for random migration authority create_tpm_key.c | 70 +++++++++++++++++++++++++++++++++++++++++--------------- e_tpm.c | 9 ++++++++ 2 files changed, 60 insertions(+), 19 deletions(-) James ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi _______________________________________________ TrouSerS-tech mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-tech
