Add a TPM provider #75
Conversation
|
The Possible solutions that I see:
I think 1. and 3. are definitely needed for now and we can look at 2. later. |
|
#76 addresses point 1 |
|
Check rust-lang/rust-bindgen#1541 for point 2. |
hug-dev
force-pushed
the
tpm
branch
3 times, most recently
from
ee2dd04 to
234df81
Compare
|
Executed |
| .expect("ESAPI Context lock poisoned"); | ||
|
|
||
| let len = hash.len(); | ||
| if len > 64 { |
There was a problem hiding this comment.
Ideally this should take into account the digest size of the hash algorithm that the key is created with - I think we actually have hash algorithms assigned to keys, maybe we can do something between the TPM crate and the provider to be able to get the public definition of the key and deduce from that the correct length
There was a problem hiding this comment.
Alternatively, these checks could be left to the crate to do by itself (which it actually is doing atm)
There was a problem hiding this comment.
Is not it fine at the moment as we are supporting only one kind of hash algorithm?
There was a problem hiding this comment.
Not sure about that! We actually support any hash algorithm, at least with Mbed Crypto; but it depends on what people want from us
| .expect("ESAPI Context lock poisoned"); | ||
|
|
||
| let (key_context, auth_value) = esapi_context | ||
| .create_rsa_signing_key(key_size, AUTH_VAL_LEN) |
There was a problem hiding this comment.
I don't know if creating an "RSA key definition structure" and passing that here is more sensible. We should be setting the hash algorithm, for example.
Maybe we could have a method like create_signing_key which takes in an enum (RSA or ECC) and the enum contains the other params as well... Don't know, really
There was a problem hiding this comment.
I think it is fine for now as we are limiting the scope of things that we support.
There was a problem hiding this comment.
True. We'll have to see how to manage that for the TPM crate, though
This provider uses the tss-esapi crate to interface with a TSS 2.0 Enhanced System library. Adds new configuration entries to select the TPM provider and which TCTI device to use. The TPM provider currently only supports RSA key, signing and verifying operations. Co-authored-by: Ionut Mihalcea <ionut.mihalcea@arm.com> Signed-off-by: Hugues de Valon <hugues.devalon@arm.com>
| key_triple: KeyTriple, | ||
| password_context: PasswordContext, | ||
| ) -> Result<()> { | ||
| let error_storing = |e| { |
There was a problem hiding this comment.
Nice!!! I actually believe this could be moved to be something surfaced by the KeyIdManager - apart from the text everything seems general, maybe the KIM could do this before returning to the providers?
There was a problem hiding this comment.
Same for many of the or_else handlers in here
There was a problem hiding this comment.
The thing is that the KeyIDManager returns a String in its Err variant, so we would still need an or_else to convert it to ResponseStatus :/
There was a problem hiding this comment.
Yes, but we could do that in the manager itself
There was a problem hiding this comment.
Ok, got it now, that is a good idea!
This provider uses the tss-esapi crate to interface with a TSS 2.0
Enhanced System library.
Adds new configuration entries to select the TPM provider and which
TCTI device to use.
The TPM provider currently only supports RSA key, signing and verifying
operations.
Co-authored-by: Ionut Mihalcea ionut.mihalcea@arm.com
Signed-off-by: Hugues de Valon hugues.devalon@arm.com