On Thu, Jan 17, 2019 at 10:41:37AM +0000, kolargol wrote:
> regarding TPM there were this patches:
> http://bsssd.sourceforge.net/download.html
>
> but it looks quite abandoned, as the diff dates back to OpenBSD 4.7; looks like a lack of interest in TPM...
I'd love to use the TPM for private key operations for sshd, iked, etc. The
problem is that the existing software stacks are horrendously ugly and
impenetrable. The developmental costs of using the TPM are too high.
I'm writing a framework for scripting PC/SC and PKCS#11 drivers in Lua. I
won't lie and pretend it's not complex, but at least it has zero
dependencies, builds natively out-of-the-box on various platforms, and
permits one to gradually explore the space (as opposed to the extremes of
either being stuck on the edges poking at a command-line utility or
hopelessly drowning in baroque C code that long outgrew any original
I've already written a GnuPG adapter which enables PC/SC transactions (so
GnuPG's scdaemon doesn't hog the card), and a PKCS#11 bridge so ssh can use
OpenPGP Smartcard or PIV tokens. It would be nice if OpenBSD had a generic
LPC or SPI layer that permitted talking to the TPM from userspace.
The idea for the framework is to make it easy for developers to use and
explore HSM and HSM-like devices, including nailing down and solving
integration issues. Using that real-world experience one could then select a
subset of device types and access modes and implement simpler solutions from
scratch, ideally without all the middleware.