TPM Support [PSARC/2008/725 FastTrack timeout 11/27/2008]
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue Dec 2 12:54:01 PST 2008
Krishna Yenduri wrote:
> Wyllys Ingersoll wrote:
>> ...
>> * TPM Device driver (tpm)
>> The TPM device driver was developed in a joint effort between the Solaris
>> Security group and Dartmouth College and will be delivered on x86/64
>> based platforms as part of the core Solaris installation.
>
> Some X86/X64 machines can enable and use the TPM at the BIOS level.
> Does the TPM driver recognize/use the existing objects on the chip?
Enabling/disabling at the BIOS level is a prerequisite for using it in
the OS.
If the TPM is disabled in BIOS, the device will not work by definition.
>
>> We intend to defer delivery of a TPM driver for SPARC systems to a later
>> integration, as TPM hardware is predominantly found on x86 systems.
>
> I believe the T5120 (Niagara 2) systems have a TPM chip. So, it is
> useful to deliver the driver for it soon.
We haven't had access to any of these for testing or developing yet, but hope
to follow up with a SPARC version soon.
>
>> * PKCS11 Provider
>> A PKCS11 provider that will allow users to create individual tokens that
>> use the TPM to generate keys and perform sensitive operations
>> (encrypt/decrypt/sign/verify) will be delivered into ON. This provider
>> will protect all private data objects by encrypting them with keys that
>> can only be used inside the TPM device.
>> The PKCS11 TPM provider will support the following mechanisms:
>> CKM_RSA_PKCS_KEY_PAIR_GEN (2048 bit max) (hardware)
>> CKM_RSA_PKCS (2048 bit max) (hardware)
>> CKM_RSA_PKCS_OAEP (2048 bit max) (hardware)
>> CKM_RSA_X_509 (2048 bit max) (hardware)
>> CKM_MD5_RSA_PKCS (2048 bit max) (hardware)
>> CKM_SHA1_RSA_PKCS (2048 bit max) (hardware)
>> CKM_SHA_1
>> CKM_SHA_1_HMAC
>> CKM_SHA_1_HMAC_GENERAL
>> CKM_MD5
>> CKM_MD5_HMAC
>> CKM_MD5_HMAC_GENERAL
>>
>
> The chip can do random number generation too. So, do we plan
> to support the CKF_RNG and C_GenerateRandom() PKCS #11 interfaces?
Yes. It does show up in the flags list and should work with
C_GenerateRandom().
Flags: CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED
CKF_CLOCK_ON_TOKEN CKF_TOKEN_INITIALIZED