On Thu, 2019-03-14 at 09:41 -0700, David Woodhouse wrote:
> On Thu, 2019-03-14 at 09:19 -0700, Andersen, John wrote:
> > Sweet! I'd been working on this too, I just got the hostapd /
> > wpa_supplicant test stuff working and was going to try setting
> > pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
> >
> > To the tpm2-software/tpm2-pkcs11 library.
> >
> > From the amount of changes it took you, it seems like your approach
> > is cleaner, so, out of curiosity, what was your rationale for going
> > with this approach? I was going to try the pkcs11 way because I
> > came across
> >
> > https://w1.fi/cgit/hostap/plain/wpa_supplicant/examples/openCryptoki.conf
> >
> > But, I haven't gotten to it yet as I got sidetracked right after I
> > got the tests up and running.
>
> If you are using the TPMv2 PKCS#11 token (or indeed any PKCS#11
> token) and it's installed correctly, it ought to Just Work.

The big problem is which token? There are enough TPM PKCS11
implementations to fill a small warehouse. The Thomas Habets one seems
to be the best thought out:

https://github.com/ThomasHabets/simple-tpm-pk11

But it's TPM1.2. The big problem with any TPM to PKCS11 interface is
that PKCS11 expects resident keys and the TPM expects to use volatile
ones. This causes massive provisioning and use pain because it's not
just drop in and go. This also seems to be the source of the "broken
for some use cases" problem in each of these implementations ... and
obviously when you find that an implementation is broken for your use
case you write your own ...

> You should be able to just give a PKCS#11 URI in place of a filename
> for any key or certificate, and any well-behaved application will do
> the right thing. I believe wpa_supplicant meets that definition of
> "well-behaved application", by automatically using the PKCS#11 ENGINE
> when the "filename" it's given is actually a PKCS#11 URI.

As I said, my solution was a generic OpenSSL engine to PKCS11 exporter,
but it still needs a config file.

James

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
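For readers following the thread, below is a wpa_supplicant.conf fragment showing the arrangement David describes (an OpenSSL PKCS#11 engine configured globally, then a PKCS#11 URI given where a key or certificate filename would normally go). It is an added illustration, not text from the thread, from hostap's own example files, or from tpm2-pkcs11. The engine and module paths, the SSID, the token label, the object labels and the PIN are assumptions and must be replaced with what your distribution installs and what your token actually exposes.

```conf
# Added example, not from the mailing-list thread. All paths and labels
# below are assumptions; check them against your own installation.

# OpenSSL PKCS#11 engine (libp11 / engine_pkcs11). Location is distro
# specific; /usr/lib/opensc/engine_pkcs11.so is the path used in the thread.
pkcs11_engine_path=/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so

# The PKCS#11 module the engine loads; here assumed to be the tpm2-pkcs11
# token. Any PKCS#11 module works here, which is the point of the URI approach.
pkcs11_module_path=/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so

network={
    ssid="corp-eap"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="host.example.com"

    # CA certificate used to validate the RADIUS server; a plain file.
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"

    # PKCS#11 URIs (RFC 7512) in place of file paths. wpa_supplicant
    # recognises the "pkcs11:" prefix and routes the operation through the
    # engine instead of trying to open a file. The token= and object=
    # attributes must match the labels the token reports.
    client_cert="pkcs11:token=wifi;object=host-cert;type=cert"
    private_key="pkcs11:token=wifi;object=host-key;type=private"

    # Token PIN for the engine (assumed value). The "pin" field is the one
    # wpa_supplicant uses for smartcard/engine keys, as opposed to
    # private_key_passwd, which decrypts a key held in a file.
    pin="123456"
}
```

Before pointing wpa_supplicant at the token, list what it actually exposes, for example with `p11tool --list-all` or `pkcs11-tool --module <path-to-module> --list-objects`, and make sure the `token=` and `object=` attributes in the URIs match those labels exactly; a URI that matches nothing fails only at association time, where the error is far less informative. If the supplicant still tries to open the URI as a file, the engine is not being loaded, so check `pkcs11_engine_path` and `pkcs11_module_path` first.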