From: James Bottomley <jejb@linux.vnet.ibm.com>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
Kenneth Goldman <kgoldman@us.ibm.com>
Cc: trousers-tech@lists.sourceforge.net,
tpmdd-devel@lists.sourceforge.net,
ibmtpm20tss-users@lists.sourceforge.net
Subject: Re: [Ibmtpm20tss-users] [tpmdd-devel] add TPM2 version of create_tpm2_key and libtpm2.so engine -> Hash algoritms
Date: Wed, 04 Jan 2017 11:45:21 -0800 [thread overview]
Message-ID: <1483559121.2561.67.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20170104185434.GA12614@obsidianresearch.com>
On Wed, 2017-01-04 at 11:54 -0700, Jason Gunthorpe wrote:
> On Wed, Jan 04, 2017 at 01:48:44PM -0500, Kenneth Goldman wrote:
> > Jason Gunthorpe <jgunthorpe@obsidianresearch.com> wrote on
> > 01/03/2017
> > 07:42:17 PM:
> > > > ... but my current TPM doesn't understand
> > > > anything other than sha1 or sha256, so it wouldn't allow
> > more state
> > of
> > > > the art algorithms like sha224, sha384 or sha512 either.
> > >
> > > Okay, yes, that is horrible :( If it is that bad it might not
> > be worth
> > > the effort.
>
> > The place to ask for new algorithms is the TCG's Device Driver
> > WG. It's an odd WG name, but this is the WG where the TPM
> > mandatory algorithms are specified. A real, commercial use case
> > will likely be an effective argument, since these are resource
> > constrained and cost sensitive. SHA-384 and SHA-512 are
> > currently optional, which traditionally means they won't be
> > implemented.
>
> We don't need the algorithm in the TPM. We just need to be able to
> RSA sign an arbitary OID + externally computed hash like TPM 1.2
> could.
>
> What is the recommended way to create a key with a sign-only intent
> that can be used with arbitary OID + computed hash?
There isn't one. TPM_ALG_NULL is illegal for sign operations. The
Part 1 Architecture Guide (version 1.16 lists all the potentially
supported OIDs in section B.6). The idea is that the TPM is supposed
to be able to validate that you're not causing it to generate a
nefarious signature, so you pass in the hash alone along with the
algorithm and it validates the legality of the hash and then returns
back the OID prepended hash signed by the key.
> James is proposing using the Decrypt op to do this job.
I believe the TCG has decided this is the only way to sign arbitrary
data.
James
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
next prev parent reply other threads:[~2017-01-04 19:45 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-31 22:48 [PATCH 0/1] TPM2 engine support for openssl James Bottomley
2016-12-31 22:52 ` [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine James Bottomley
2017-01-03 23:11 ` [tpmdd-devel] " Jason Gunthorpe
[not found] ` <20170103231126.GE29656-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2017-01-03 23:19 ` Andrey Pronin
2017-01-03 23:22 ` [TrouSerS-tech] " James Bottomley
[not found] ` <1483485776.2464.50.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-01-03 23:40 ` Jason Gunthorpe
[not found] ` <20170103234053.GA32185-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2017-01-04 0:17 ` James Bottomley
[not found] ` <1483489026.2464.76.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-01-04 0:42 ` Jason Gunthorpe
[not found] ` <20170104004217.GA390-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2017-01-04 18:48 ` add TPM2 version of create_tpm2_key and libtpm2.so engine -> Hash algoritms Kenneth Goldman
[not found] ` <OF69E51003.6475FD35-ON8525809E.00669529-8525809E.0067575C-8eTO7WVQ4XIsd+ienQ86orlN3bxYEBpz@public.gmane.org>
2017-01-04 18:54 ` Jason Gunthorpe
2017-01-04 19:45 ` James Bottomley [this message]
[not found] ` <1483559121.2561.67.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-01-04 20:58 ` [Ibmtpm20tss-users] " Kenneth Goldman
[not found] ` <20170104185434.GA12614-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2017-01-04 20:55 ` Kenneth Goldman
2017-01-04 12:25 ` [tpmdd-devel] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine Jarkko Sakkinen
2017-01-04 18:05 ` [Ibmtpm20tss-users] [TrouSerS-tech] " Kenneth Goldman
2017-01-10 19:38 ` Ken Goldman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1483559121.2561.67.camel@linux.vnet.ibm.com \
--to=jejb@linux.vnet.ibm.com \
--cc=ibmtpm20tss-users@lists.sourceforge.net \
--cc=jgunthorpe@obsidianresearch.com \
--cc=kgoldman@us.ibm.com \
--cc=tpmdd-devel@lists.sourceforge.net \
--cc=trousers-tech@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.