TPM, APU and OpenBSD


TPM, APU and OpenBSD

kolargol
Hi,

According to this https://github.com/pcengines/coreboot/blob/v4.9.0.1/CHANGELOG.md, TPM is finally going to be enabled on the APUs. Looking at the OpenBSD man page for tpm(4) (https://man.openbsd.org/tpm.4), I see that Infineon is already supported, but slightly different models. The one found in the APU is the SLB 9665 (that is: https://www.infineon.com/dgdl/Infineon-TPM+SLB+9665-DS-v10_15-EN.pdf?fileId=5546d4625185e0e201518b83d9273d87)

Not sure anyone is interested in this, but just dropping it here, since many of you use APUs, so a bit of added security by TPM is always welcome.

_
kolargol

Re: TPM, APU and OpenBSD

Luis Coronado-3
I thought that the tpm driver was only there to avoid issues with
acpi/suspend-resume but it doesn’t do any tpm stuff. I could be wrong
though.

-l

https://www.undeadly.org/cgi?action=article;sid=20160519112803


https://man.openbsd.org/tpm.4

https://marc.info/?l=openbsd-cvs&m=147024505322058&w=2


On Tue, Jan 15, 2019 at 6:52 AM kolargol <[hidden email]> wrote:

> Hi,
>
> according to this
> https://github.com/pcengines/coreboot/blob/v4.9.0.1/CHANGELOG.md TPM is
> going to be enabled finally on the APUs. Looking at OpenBSD man for tpm(4) (
> https://man.openbsd.org/tpm.4) i see that Infineon is already supported
> but slightly different models. One found in APU is SLB 9665 (that is:
> https://www.infineon.com/dgdl/Infineon-TPM+SLB+9665-DS-v10_15-EN.pdf?fileId=5546d4625185e0e201518b83d9273d87
> )
>
> Not sure anyone interested in this but just dropping it here, since many
> of you use APUs so bit added security by TPM is always welcome.
>
> _
> kolargol
>

Re: TPM, APU and OpenBSD

kolargol
Regarding TPM, there were these patches:

http://bsssd.sourceforge.net/download.html

but it looks quite abandoned, as the diff dates back to OpenBSD 4.7; looks like a lack of interest in TPM...


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 15, 2019 2:43 PM, Luis Coronado <[hidden email]> wrote:

> I thought that the tpm driver was only there to avoid issues with acpi/suspend-resume but it doesn’t do any tpm stuff. I could be wrong though.
>
> -l
>
> https://www.undeadly.org/cgi?action=article;sid=20160519112803
>
> https://man.openbsd.org/tpm.4
>
> https://marc.info/?l=openbsd-cvs&m=147024505322058&w=2
>
> On Tue, Jan 15, 2019 at 6:52 AM kolargol <[hidden email]> wrote:
>
>> Hi,
>>
>> according to this https://github.com/pcengines/coreboot/blob/v4.9.0.1/CHANGELOG.md TPM is going to be enabled finally on the APUs. Looking at OpenBSD man for tpm(4) (https://man.openbsd.org/tpm.4) i see that Infineon is already supported but slightly different models. One found in APU is SLB 9665 (that is: https://www.infineon.com/dgdl/Infineon-TPM+SLB+9665-DS-v10_15-EN.pdf?fileId=5546d4625185e0e201518b83d9273d87)
>>
>> Not sure anyone interested in this but just dropping it here, since many of you use APUs so bit added security by TPM is always welcome.
>>
>> _
>> kolargol

Re: TPM, APU and OpenBSD

William Ahern-2
On Thu, Jan 17, 2019 at 10:41:37AM +0000, kolargol wrote:
> regarding TPM there were this patches:
>
> http://bsssd.sourceforge.net/download.html
>
> but looks like quite abandoned as diff dates back to OpenBSD 4.7, looks like lack of interest in TPM...
>

I'd love to use the TPM for private key operations for sshd, iked, etc. The
problem is that the existing software stacks are horrendously ugly and
impenetrable. The developmental costs of using the TPM are too high.

I'm writing a framework for scripting PC/SC and PKCS#11 drivers in Lua. I
won't lie and pretend it's not complex, but at least it has zero
dependencies, builds natively out-of-the-box on various platforms, and
permits one to gradually explore the space (as opposed to the extremes of
either being stuck on the edges poking at a command-line utility or
hopelessly drowning in baroque C code that long outgrew any original
design).

I've already written a GnuPG adapter which enables PC/SC transactions (so
GnuPG's scdaemon doesn't hog the card), and a PKCS#11 bridge so ssh can use
OpenPGP Smartcard or PIV tokens. It would be nice if OpenBSD had a generic
LPC or SPI layer that permitted talking to the TPM from userspace.

The idea for the framework is to make it easy for developers to use and
explore HSM and HSM-like devices, including nailing down and solving
integration issues. Using that real-world experience one could then select a
subset of device types and access modes and implement simpler solutions from
scratch, ideally without all the middleware.