On Fri, 2021-05-21 at 09:17 -0700, James Bottomley wrote:
> I'm not so sure we want to encourage that. The persistent handle space
> is really limited in TPM 2.0. We just ran into a real world situation
> where the TPM ran out after a handful. It was an application that
> loaded files into persistent handles ("because it's easier") and then
> made use of them ... we're currently fixing it not to use persistent
> handles because it doesn't need to.
Makes sense. We should fix StrongSwan then, because they're doing the
same thing.
https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin
Of course, if we document the file format and make it ubiquitously
supported (including making an OpenSSL *provider* to replace the
obsolete ENGINEs, and chasing it into GnuTLS in
https://gitlab.com/gnutls/gnutls/-/issues/594 ), that will go a long
way towards encouraging applications to use keys wrapped in files
instead of NVRAM...
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
