From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: <Andreas.Fuchs@infineon.com>, <tpm2@lists.linux.dev>
Cc: "James Prestwood" <prestwoj@gmail.com>
Subject: Re: TPM2_Sign vs TPM2_RSA_Decrypt
Date: Thu, 16 May 2024 15:51:47 +0300 [thread overview]
Message-ID: <D1B2ZP29BA7Y.3OYCZMEP3MLGY@kernel.org> (raw)
In-Reply-To: <c8c85a062358420ab13e849a902606cd@infineon.com>
On Thu May 16, 2024 at 3:01 PM EEST, wrote:
> For the OpenSSL engines and also the GNU-TLS engine, we go ahead and
> use TPM2_RSA_Decrypt for RSA Signing but TPM2_Sign for ECDSA signing.
Yeah we get simplest and most understandable and most compatible
RSA because it is textbook style with no strings attached :-)
You can fit it to any scheme.
I can admit after reading TPM2_Sign documentation, my head hurts
and I still don't think I fully get the gist of it so better not
to use something that you don't get, right? :-)
If someone could really put TPM2_Sign into nutshell that'd be
awesome.
> The reason here was, that OpenSSL wants to perform SHA512 digests and
> padding, whilst the TPM only supported SHA384. And an OpenSSL engine
> could not tell the OpenSSL-TLS-module, which Hash-Algs are supported.
> If that restriction does not exist, I would also tend to use TPM2_Sign
> for RSA signing.
Maybe a dumb question but what I could possibly accomplish with
TPM2_Sign that I could not accomplish with TPM2_RSA_Decrypt and
appropraite ASN.1 heading and padding?
This connects to the not understanding TPM2_Sign (obviously).
Just trying to make sure that we make exactly right call for
kernel.
Thanks for responding!
>
> Cheers,
> Andreas
BR, Jarkko
next prev parent reply other threads:[~2024-05-16 12:51 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-16 10:25 TPM2_Sign vs TPM2_RSA_Decrypt Jarkko Sakkinen
2024-05-16 12:01 ` Andreas.Fuchs
2024-05-16 12:51 ` Jarkko Sakkinen [this message]
2024-05-16 13:05 ` Andreas.Fuchs
2024-05-16 13:31 ` Jarkko Sakkinen
2024-05-16 13:33 ` Jarkko Sakkinen
2024-05-16 13:44 ` James Prestwood
2024-05-16 13:55 ` Jarkko Sakkinen
2024-05-16 13:59 ` James Prestwood
2024-05-16 14:14 ` Andreas.Fuchs
2024-05-16 15:20 ` Jarkko Sakkinen
2024-05-17 17:58 ` Jarkko Sakkinen
2024-05-16 15:18 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D1B2ZP29BA7Y.3OYCZMEP3MLGY@kernel.org \
--to=jarkko@kernel.org \
--cc=Andreas.Fuchs@infineon.com \
--cc=prestwoj@gmail.com \
--cc=tpm2@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.