Reliability improvements for OpenSSL tpm2 provider on an embedded system #42
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
james-ctc
force-pushed
the
openssl1-openssl3-and-tpm2
branch
from
b15bfb1 to
b25717d
Compare
james-ctc
force-pushed
the
openssl1-openssl3-and-tpm2
branch
3 times, most recently
from
079cb21 to
53c67ba
Compare
AssemblyJohn
requested changes
Feb 14, 2024
feat: OpenSSL tpm2 provider load on first use, configured via
property strings
feat: OpenSSL property strings configurable via cmake
feat: unit tests run for OpenSSL v1 and v3
feat: additional unit tests for tpm2 provider (OpenSSL v3 only)
provider handling changed following testing on an embedded system.
Loading and unloading providers was proving unreliable. Approach changed
to load providers early and use the property string to control
which provider is used.
A mutex has been added so that another call cann't change the
provider configuration whilst in use.
OpenSSL v3 uses providers. OpenSSL v1 uses previous code.
Note: the tpm2-abrmd daemon needs to be running for tpm2 where
TLS is being used.
Signed-off-by: James Chapman <[email protected]>
james-ctc
force-pushed
the
openssl1-openssl3-and-tpm2
branch
from
53c67ba to
59d9f6f
Compare
AssemblyJohn
approved these changes
Feb 15, 2024
james-ctc
force-pushed
the
openssl1-openssl3-and-tpm2
branch
2 times, most recently
from
5063dcf to
b95ee81
Compare
Signed-off-by: James Chapman <[email protected]>
james-ctc
force-pushed
the
openssl1-openssl3-and-tpm2
branch
from
b95ee81 to
42e2643
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
The existing implementation was occasionally failing especially when there was a migration from using non-TPM keys to supporting TPM protected keys (TSS2). Issues were observed during the loading and unloading of providers. There was also some concern that another call could impact which providers were loaded and their property strings.
There were significant improvements once the the tpm2-abrmd daemon was included and running. Generating keys, CSRs etc. didn't appear to need tpm2-abrmd however once TLS was being used tpm2-abrmd became essential.
It also became clear that the provider configuration depends on the key type. Hence the first line of the PEM key file is read so that the provider can be configured before actually loading the key.
Updates
feat: OpenSSL provider implementation now default for OpenSSL v3
feat: OpenSSL tpm2 provider load on first use, configured via property strings
feat: OpenSSL property strings configurable via cmake
feat: unit tests run for OpenSSL v1 and v3
feat: additional unit tests for tpm2 provider (OpenSSL v3 only)
provider handling changed following testing on an embedded system. Loading and unloading providers was proving unreliable. Approach changed to load providers early and use the property string to control which provider is used.
A mutex has been added so that another call can't change the provider configuration whilst in use.
There is support for general operations using the global OpenSSL library context and a separate context for use with TLS.
OpenSSL v3 uses providers. OpenSSL v1 uses previous code.
Note: the tpm2-abrmd daemon needs to be running for tpm2 where TLS is being used.
Functionality change
The meaning of UseTPM has been clarified to support interworking and upgrades from non-TPM keys to TPM protected keys.
For TLS the provider chosen is based on the PEM file and not the UseTPM OCPP configuration variable.
UseTPM is used to determine how a new key is to be generated and not how an existing key is used.
(part of this will be in a subsequent update to libocpp)
Configuration
cmake -DUSING_TPM2to enable use of the tpm2 OpenSSL provider (disabled by default).The propquery strings can be modified to suit the target e.g.
The options configured in this PR were based on testing in a single environment so may need to be adapted for another system.