TPM: Difference between revisions

(3 intermediate revisions by 2 users not shown)

Line 28:

To tell OpenSSH to use the TPM2 during login, you may add the following line to your <code>~/.ssh/config</code>:

<syntaxhighlight>PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so</syntaxhighlight>To load your ssh key into the running <code>ssh-agent</code>, use <code>ssh-add -s</code>:<syntaxhighlight lang="bash">

~~PKCS11Provider~~ /run/current-system/sw/lib/libtpm2_pkcs11.so

ssh-add -s /run/current-system/sw/lib/libtpm2_pkcs11.so

</syntaxhighlight>

</syntaxhighlight>Note that by default, <code>ssh-agent</code> refuses to load PKCS#11 modules outside a whitelist of trusted paths, and <code>/nix/store</code> paths are not included in this default list. You may need to start the agent with the <code>-P</code> flag to allow the library paths:<syntaxhighlight lang="bash">

ssh-agent -P "/run/current-system/sw/lib/*,/nix/store/*/lib/*"

</syntaxhighlight>For a persistent setup, you can configure the system-wide agent in your <code>configuration.nix</code>: <syntaxhighlight lang="nixos">programs.ssh = {

startAgent = true;

agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/*,/run/current-system/sw/lib/*";

};</syntaxhighlight>

== Frequently Asked Questions ==

Line 44:

Line 49:

* <code>TPM2_PT_MAX_AUTH_FAIL</code> is the maximum number of failed attempts before lockdown,

* <code>TPM2_PT_LOCKOUT_INTERVAL</code> and <code>TPM2_PT_LOCKOUT_RECOVERY</code> are durations in seconds for recovery.

=== How to get TPM model information? ===

The following command will dump found strings from the raw TPM2 certificates:

nix-shell -p tpm2-tools --run "tpm2_getekcertificate" | strings

</syntaxhighlight>

Usually, you may find a vendor such as <code>STMicroelectronics</code> or <code>Infineon Technologies</code> and a model such as <code>ST33HTPxAHB61</code>.

To get firmware version information, you might want to look at:

nix-shell -p tpm2-tools --run "tpm2_getcap properties-fixed"

</syntaxhighlight>

== References ==

@@ Line 28: / Line 28: @@
 To tell OpenSSH to use the TPM2 during login, you may add the following line to your <code>~/.ssh/config</code>:
-<syntaxhighlight>
+<syntaxhighlight>PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so</syntaxhighlight>To load your ssh key into the running <code>ssh-agent</code>, use <code>ssh-add -s</code>:<syntaxhighlight lang="bash">
-PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so
+ssh-add -s /run/current-system/sw/lib/libtpm2_pkcs11.so
-</syntaxhighlight>
+</syntaxhighlight>Note that by default, <code>ssh-agent</code> refuses to load PKCS#11 modules outside a whitelist of trusted paths, and <code>/nix/store</code> paths are not included in this default list. You may need to start the agent with the <code>-P</code> flag to allow the library paths:<syntaxhighlight lang="bash">
+ssh-agent -P "/run/current-system/sw/lib/*,/nix/store/*/lib/*"
+</syntaxhighlight>For a persistent setup, you can configure the system-wide agent in your <code>configuration.nix</code>: <syntaxhighlight lang="nixos">programs.ssh = {
+  startAgent = true;
+  agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/*,/run/current-system/sw/lib/*";
+};</syntaxhighlight>
 == Frequently Asked Questions ==
@@ Line 44: / Line 49: @@
 * <code>TPM2_PT_MAX_AUTH_FAIL</code> is the maximum number of failed attempts before lockdown,
 * <code>TPM2_PT_LOCKOUT_INTERVAL</code> and <code>TPM2_PT_LOCKOUT_RECOVERY</code> are durations in seconds for recovery.
+=== How to get TPM model information? ===
+The following command will dump found strings from the raw TPM2 certificates:
+<syntaxhighlight lang="bash">
+nix-shell -p tpm2-tools --run "tpm2_getekcertificate" | strings
+</syntaxhighlight>
+Usually, you may find a vendor such as <code>STMicroelectronics</code> or <code>Infineon Technologies</code> and a model such as <code>ST33HTPxAHB61</code>.
+To get firmware version information, you might want to look at:
+<syntaxhighlight lang="bash">
+nix-shell -p tpm2-tools --run "tpm2_getcap properties-fixed"
+</syntaxhighlight>
 == References ==