Enable Session Support #65

Open
williamcroberts opened this issue Apr 18, 2023 · 2 comments

@williamcroberts
Member

Enable Verified Session Support, not sure where you can shove a trusted key in to enable session protections with the TPM.

@gotthardp
Contributor

And could you please write a draft test script indicating what should be the end result? Some shell script that would set up the TPM, create whatever needs to be created before the openssl commands are executed?

@williamcroberts
Member Author

williamcroberts commented May 3, 2023

Really all you have to do is call Esys_StartAuthSession() with an established ESYS_TR object and then use Esys_TRSess_SetAttributes() to set the flags for encryption.

You can use the parent key as the tpmKey parameter in the call to Esys_StartAuthSession.
Then you just pass that session to all the following Esys routines, either as session1 or session2 in the function call. For instance, in Esys_Sign() session1 is going to be the ESYS_TR_PASSWORD session, so you would pass it as session2. For other things that have session1 as ESYS_TR_NONE, you can just pass it as session1.

The crux is that you need both the handle and a name. The PEM format only has the raw TPM handle, or the primary key is created with createprimary. As a side note, this is what makes ESYS_TRs useful: it's a coupling of name and handle, which is why you can just pass it to Esys_StartAuthSession and not worry. The name of an object is unspoofable and unforgeable. Continuing on, there are two ways you can solve this:

  1. Embed the name into the PEM file as an optional field. For transient primary keys, create primary returns the name, verify the name. For persistent handles, Esys_TR_GetName() and verify the name.
  2. Use some other key, or that key and have folks specify it in the OPENSSL_CONFIG file, the name and location.

You could use both of these, let OSSL config override, so I'd start with 1.

It's not as bad as it looks; tpm2-pkcs11 does this.

Concisely the steps are:

Phase 1:

  • Key Creation (assume TPM trusted state), add an optional field to the PEM file and store parent name
  • When consuming the PEM file and establishing the parent object:
    • if persistent parent, after calling Esys_TR_FromTPMPublic(), call Esys_TR_GetName() and verify with stored name.
    • if transient parent, after calling Esys_CreatePrimary(), verify the returned name with stored name.
  • After verifying name, call Esys_StartAuthSession() using parent key ESYS_TR as tpmKey and symdef as AES128CFB
  • Set attributes of session to enable encrypt and decrypt with Esys_TRSess_SetAttributes()
  • Pass the session as session1 or session2 for existing Esys_* commands. Use the first available ESYS_TR_NONE session "slot".
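
The name check and session-slot choice from the steps above, as an added C example that is not part of the thread or of the tpm2-openssl code. `parent_name_matches` and `attach_enc_session` are hypothetical helpers, the `EX_*` constants repeat values from the TSS headers so the block builds without them, and only SHA-256 names are assumed.

```c
#include <stddef.h>
#include <stdint.h>

/* Values as defined in the tpm2-tss headers (ESYS_TR_NONE, TPM2_ALG_SHA256),
 * repeated here so the example builds without libtss2. */
#define EX_ESYS_TR_NONE    0xfffU
#define EX_ALG_SHA256      0x000BU
#define EX_SHA256_NAME_LEN (2 + 32)  /* nameAlg (2 bytes) + SHA-256 digest */

/* Hypothetical helper: compare the parent name stored in the PEM file with
 * the name reported for the loaded parent, i.e. the bytes of the TPM2B_NAME
 * from Esys_TR_GetName() or Esys_CreatePrimary().
 * Returns 1 on match, 0 otherwise. */
int parent_name_matches(const uint8_t *stored, size_t stored_len,
                        const uint8_t *reported, size_t reported_len)
{
    if (stored == NULL || reported == NULL)
        return 0;
    /* Assumption of this example: only SHA-256 names are accepted. */
    if (stored_len != EX_SHA256_NAME_LEN || reported_len != EX_SHA256_NAME_LEN)
        return 0;
    if ((((unsigned)stored[0] << 8) | stored[1]) != EX_ALG_SHA256)
        return 0;
    /* Compare every byte without an early exit. */
    uint8_t diff = 0;
    for (size_t i = 0; i < EX_SHA256_NAME_LEN; i++)
        diff |= (uint8_t)(stored[i] ^ reported[i]);
    return diff == 0;
}

/* Hypothetical helper: put the encrypting session into the first slot that
 * is still ESYS_TR_NONE. slots[] holds the session1..session3 arguments of
 * the Esys_* call. Returns the slot index used, or -1 when the name check
 * failed or no slot is free; slots[] is left unchanged in that case. */
int attach_enc_session(uint32_t slots[3], uint32_t enc_session, int name_ok)
{
    if (!name_ok)
        return -1;  /* never salt a session to an unverified parent key */
    for (int i = 0; i < 3; i++) {
        if (slots[i] == EX_ESYS_TR_NONE) {
            slots[i] = enc_session;
            return i;
        }
    }
    return -1;
}
```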
