-
Notifications
You must be signed in to change notification settings - Fork 96
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enablement of other TPM 2 algorithms: Assess which Distros' OpenSSL supports 'what' #206
Comments
SHA3:
(1): SHA3 family and/or SM3 hash would have to be enabled in firmwares also to appropriately measure, extend into PCR banks of those hashes, and log (EDK2, SLOF, SeaBIOS, etc.) IF the PCR bank were to be enabled; IMA also needs to supported them |
OpenSSL is not a good fit for libtpms. Nettle seems like a much better choice. |
Why is/was Nettle better than OpenSSL's crypto library? Is it available across all the Linux & BSD distros like OpenSSL or LibreSSL? The decision whether to use OpenSSL was made several years ago also based on the fact that the TPM 2 reference code was based on OpenSSL (partially at least) and for better or worse it's OpenSSL crypto now -- it's also a bandwidth issue on my side. A reason back then was certainly that OpenSSL's crypto library had the API that the TPM 2 needed and experience with it. How the API evolved over time, what is being deprecated over time, is not something that was foreseeable. |
OpenSSL is intended to be a high-level crypto library for use by applications. Nettle is intended to be a low-level crypto library that directly exposes the underlying primitives. From what I have observed, libtpms and the TPM 2 reference code need the latter, not the former. To the best of my knowledge, Nettle also provides a much more stable API than OpenSSL. Despite suppressing deprecation warnings, I cannot compile Microsoft’s TPM reference implementation because of OpenSSL API changes. I do not believe Nettle has had anywhere near as many API changes, which is likely because it is a lower-level library.
I believe so. It also follows a policy of zero memory allocations for its symmetric cryptography. The asymmetric cryptography is not zero-allocations, but I suspect patches to make it so would be accepted. Nettle is also on the list of approved cryptographic libraries in RHEL.
That is absolutely understandable. |
Would you consider implementing other EC curves, like 25519? They've been accepted in the TCG standard. |
Considering, 'yes'. Will have to look how it can be supported across all distros. |
Ok. How can I help with that? Easiest way I know to check for support is to check the return value for From what I could check on my machines:
|
I am not sure yet how this curve needs to be implemented. But any step towards an implementation may be helpful... including test cases. |
Assess the support of encryption and hash algorithms that libtpms could still enable and in which distros they are supported.
The text was updated successfully, but these errors were encountered: