diff options
| author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2021-03-09 22:50:29 +0100 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2021-03-10 13:23:05 +0100 |
| commit | 1f995b9ba42b76c1d83b484e5362548a54a70dab (patch) | |
| tree | 7d0c02dfd604251dc98b8276a9f267df839055a8 /agent/keyformat.txt | |
| parent | tpm2d: Add tpm2daemon code (diff) | |
| download | gnupg2-1f995b9ba42b76c1d83b484e5362548a54a70dab.tar.xz gnupg2-1f995b9ba42b76c1d83b484e5362548a54a70dab.zip | |
agent: Add new shadow key type and functions to call tpm2daemon
* agent/call-tpm2d.c: New.
* divert-tpm2.c: New.
* agent/Makefile.am: Add new files.
* agent/agent.h (DAEMON_TPM2D): New. Add stub fucntions.
* agent/call-daemon.c (GNUPG_MODULE_NAME_TPM2DAEMON): New.
* agent/command.c (do_one_keyinfo): Handle tpmv2.
* agent/gpg-agent.c (oTpm2daemonProgram): New.
(opts): New option --tpm2daemon-program.
(parse_rereadable_options): Handle option.
* agent/pkdecrypt.c (agent_pkdecrypt): Divert to tpm2d.
(agent_pksign_do): Ditto.
---
A new shadow key type: "tpm2-v1" is introduced signalling that the
shadowed key is handled by the tpm2daemon. A function to identify
this type is introduced and diversions to the tpm2daemon functions are
conditioned on this function for pkign and pkdecrypt where the same
diversions to scd are currently done. The (info) field of the
shadowed key stores the actual TPM key. The TPM key is encrypted so
only the physical TPM it was created on can read it (so no special
protection is required for the info filed), but if the (info) field
becomes corrupt or damaged, the key will be lost (unlike the token
case, where the key is actually moved inside the token).
Note, this commit adds handling for existing TPM format shadow keys,
but there is still no way to create them.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Additional changes:
* Add ChangeLog entries.
* Some minor indentation fixes.
* agent/Makefile.am (gpg_agent_SOURCES): Change to make distcheck
work.
* agent/agent.h [!HAVE_LIBTSS]: Do not return -EINVAL but an
gpg_error_t. Mark args as unused.
* agent/protect.c (agent_is_tpm2_key): Free BUF.
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'agent/keyformat.txt')
| -rw-r--r-- | agent/keyformat.txt | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/agent/keyformat.txt b/agent/keyformat.txt index 88c3a2d36..3467f3bc5 100644 --- a/agent/keyformat.txt +++ b/agent/keyformat.txt @@ -312,8 +312,9 @@ to keys stored on a token: (comment whatever) ) -The currently used protocol is "t1-v1" (token info version 1). The -second list with the information has this layout: +The currently used protocols are "t1-v1" (token info version 1) and +"tpm2-v1" (TPM format key information). The second list with the +information has this layout for "t1-v1": (card_serial_number id_string_of_key fixed_pin_length) @@ -322,6 +323,13 @@ the PIN; a value of 0 indicates that this information is not available. The rationale for this field is that some pinpad equipped readers don't allow passing a variable length PIN. +This is the (info) layout for "tpm2-v1": + +(parent tpm_private_string tpm_public_string) + +Although this precise format is encapsulated inside the tpm2daemon +itself and nothing in gpg ever uses this. + More items may be added to the list. ** OpenPGP Private Key Transfer Format |