TPM Support [PSARC/2008/725 FastTrack timeout 11/27/2008]

Krishna Yenduri bhargava.yenduri at sun.com
Tue Dec 2 12:30:43 PST 2008


Wyllys Ingersoll wrote:
> ...
> * TPM Device driver (tpm)
> 	The TPM device driver was developed in a joint effort between the Solaris
> Security group and Dartmouth College and will be delivered on x86/64 based platforms
> as part of the core Solaris installation.
 
 Some X86/X64 machines can enable and use the TPM at the BIOS level.
 Does the TPM driver recognize/use the existing objects on the chip?
 
> We intend to defer delivery of a TPM
> driver for SPARC systems to a later integration, as TPM hardware is predominantly
> found on x86 systems.

 I believe the T5120 (Niagara 2) systems have a TPM chip. So, it is
 useful to deliver the driver for it soon.

> * PKCS11 Provider
> 	A PKCS11 provider that will allow users to create individual tokens that use the TPM 
> to generate keys and perform sensitive operations (encrypt/decrypt/sign/verify) will be
> delivered into ON.  This provider will protect all private data objects by encrypting them
> with keys that can only be used inside the TPM device.
> 	The PKCS11 TPM provider will support the following mechanisms:
> 	CKM_RSA_PKCS_KEY_PAIR_GEN     (2048 bit max) (hardware)
> 	CKM_RSA_PKCS                  (2048 bit max) (hardware)
> 	CKM_RSA_PKCS_OAEP             (2048 bit max) (hardware)
> 	CKM_RSA_X_509                 (2048 bit max) (hardware)
> 	CKM_MD5_RSA_PKCS              (2048 bit max) (hardware)
> 	CKM_SHA1_RSA_PKCS             (2048 bit max) (hardware)
> 	CKM_SHA_1
> 	CKM_SHA_1_HMAC
> 	CKM_SHA_1_HMAC_GENERAL
> 	CKM_MD5
> 	CKM_MD5_HMAC
> 	CKM_MD5_HMAC_GENERAL
>   

 The chip can do random number generation too. So, do we plan
 to support the CKF_RNG and C_GenerateRandom() PKCS #11 interfaces?

Regards,
-Krishna


