[gnutls-devel] [PATCH 0/2] Fix TPM key handling

James Bottomley James.Bottomley at HansenPartnership.com
Sun Dec 4 18:03:33 CET 2016


On Sun, 2016-12-04 at 10:08 +0100, Nikos Mavrogiannopoulos wrote:
> On Sat, 2016-12-03 at 14:31 -0800, James Bottomley wrote:
> > It looks like TPM keys requiring authorization have never worked in
> > gnutls, partly because of a coding error which is fixed in the 
> > first patch and partly because of an apparent misunderstanding 
> > about the way trousers works, which is fixed in the second.
> > 
> > It's amusing to note that the concerns about the dictionary attack
> > lockout in the second patch are real: I managed to lock up my own 
> > TPM while debugging the code and, thanks to Nuvoton, I discovered 
> > that the DA lockout survives clearing the TPM, meaning I was left 
> > with a TPM that was locked out but had no owner authority, meaning 
> > no viable way of resetting the DA lockout.  Fortunately, it agreed 
> > to let me back in the next day.
> 
> Thank you. I have applied a different fix on the first issue, i.e., 
> to ensure that import_tpm_key clears the key on failure (while 
> leaving any PIN info intact). The second I've applied as is.

That's fine ... clearing the whole thing felt like a bit of a hack.

> Note that I have not yet tested the fixes (unfortunately my test 
> suite on TPM is manual, and since tpm-emulator no longer runs on 
> modern systems testing of TPM functionality is not the easiest 
> thing).

After my TPM lockout, I convinced myself I need to know how to make an
emulated TPM work.  It looks like there is a functional 1.2 one:

https://github.com/stefanberger/libtpms

But I need to figure out how to integrate it easily.  I also need to
find a 2.0 one ...

>  I've put the changes on a merge request at:
> https://gitlab.com/gnutls/gnutls/merge_requests/171

Thanks.

> regards,
> Nikos
> 
> PS. If you know some mock tspi library, or have some idea testing TPM
> functionality without a real TPM, I'm really interested. That's a 
> thing missing from our CI.

It's high up on my list of things to look at.

James
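The point settled above, that a failed import_tpm_key should clear the key state but leave the caller's PIN information intact, as an added illustration that is not code from gnutls or from either author: a hypothetical privkey_t model in C whose import error path frees only the key-specific fields, so the object stays usable for a retry and the PINs do not have to be supplied again. Every name here (privkey_t, privkey_import_tpm, privkey_clear_key, the "TPMK" blob layout) and the sample blobs are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, minimal model of a private-key object that can hold a
 * TPM-wrapped key blob plus caller-supplied PIN information. These are
 * illustrative names, not gnutls' real structures. */
typedef struct {
    uint8_t *blob;         /* wrapped key blob (owned; freed on failure) */
    size_t   blob_len;
    int      key_type;     /* KEY_TYPE_NONE or KEY_TYPE_TPM */
    char     srk_pin[32];  /* PIN info set by the caller before import */
    char     key_pin[32];
} privkey_t;

#define KEY_TYPE_NONE 0
#define KEY_TYPE_TPM  1

#define ERR_OK       0
#define ERR_BAD_BLOB (-1)
#define ERR_NOMEM    (-2)

/* Constructed toy blob format: 4-byte magic "TPMK" followed by key bytes. */
static const uint8_t BLOB_MAGIC[4] = { 'T', 'P', 'M', 'K' };

/* Reset only the key-specific state; the PIN fields are deliberately kept. */
static void privkey_clear_key(privkey_t *k)
{
    free(k->blob);
    k->blob = NULL;
    k->blob_len = 0;
    k->key_type = KEY_TYPE_NONE;
}

void privkey_init(privkey_t *k) { memset(k, 0, sizeof(*k)); }

void privkey_set_pins(privkey_t *k, const char *srk_pin, const char *key_pin)
{
    snprintf(k->srk_pin, sizeof k->srk_pin, "%s", srk_pin ? srk_pin : "");
    snprintf(k->key_pin, sizeof k->key_pin, "%s", key_pin ? key_pin : "");
}

int privkey_import_tpm(privkey_t *k, const uint8_t *data, size_t len)
{
    int ret;

    /* The type is assigned before parsing, so an early error would otherwise
     * leave an object that claims to be a TPM key but carries no blob. */
    k->key_type = KEY_TYPE_TPM;

    if (len < sizeof BLOB_MAGIC || memcmp(data, BLOB_MAGIC, sizeof BLOB_MAGIC) != 0) {
        ret = ERR_BAD_BLOB;
        goto cleanup;
    }
    k->blob_len = len - sizeof BLOB_MAGIC;
    k->blob = malloc(k->blob_len ? k->blob_len : 1);
    if (!k->blob) { ret = ERR_NOMEM; goto cleanup; }
    memcpy(k->blob, data + sizeof BLOB_MAGIC, k->blob_len);
    return ERR_OK;

cleanup:
    /* On failure undo the partial import, but keep the PINs the caller set. */
    privkey_clear_key(k);
    return ret;
}

void privkey_deinit(privkey_t *k)
{
    privkey_clear_key(k);
    /* Secrets are wiped only when the whole object goes away. */
    memset(k->srk_pin, 0, sizeof k->srk_pin);
    memset(k->key_pin, 0, sizeof k->key_pin);
}

/* Check: a failed import leaves the object empty but with PINs intact, and a
 * subsequent import into the same object succeeds. Returns 1 on success. */
int demo_failed_import_keeps_pins(void)
{
    privkey_t k;
    const uint8_t bad[]  = { 'X', 'X', 'X', 'X', 1, 2 };     /* constructed */
    const uint8_t good[] = { 'T', 'P', 'M', 'K', 1, 2, 3 };  /* constructed */

    privkey_init(&k);
    privkey_set_pins(&k, "srk-secret", "key-secret");
    if (privkey_import_tpm(&k, bad, sizeof bad) != ERR_BAD_BLOB) return 0;
    if (k.key_type != KEY_TYPE_NONE || k.blob != NULL) return 0;
    if (strcmp(k.srk_pin, "srk-secret") != 0 || strcmp(k.key_pin, "key-secret") != 0) return 0;
    if (privkey_import_tpm(&k, good, sizeof good) != ERR_OK || k.blob_len != 3) return 0;
    privkey_deinit(&k);
    return 1;
}
```

The alternative of zeroing the whole object on failure (the "clear the whole thing" approach called a hack above) would also discard the PIN fields, so a caller retrying the import would have to prompt for them again; clearing only the key state avoids that while still preventing a half-initialised object from being used or freed twice.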
