[3] Add support for ML-KEM and ML-DSA keys to swtpm_setup #1099
Open
stefanberger wants to merge 19 commits into
Need to wait until ubuntu-26.04 becomes available in github actions.
…pport Require that OpenSSL's libcrypto >= v3.5 is available since ML-KEM and ML-DSA support was added in this version. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since swtpm now needs OpenSSL >= v3.5, upgrade the requirement for Ubuntu to 26.04. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
libtpms v0.11 reports 8192 bytes for the buffersize. Accept this value now also besides the previous 4096. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable the creation of EK and platform certificates where the to-be-certified key is an ML-KEM-512/768/1024 key. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable the creation of EK and platform certificates where the certified key is an ML-DSA-44/65/87 key. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Test creating an EK certificate with a pre-created public ML-KEM-1024 key and test for expected size of the certificate file. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Test creating an EK certificate with a pre-created public ML-DSA-65 key and test for expected size of the certificate file. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add descriptions for the --public and --keyalgo command line options for passing ML-KEM and ML-DSA public keys to the swtpm_cert man page. Also describe the new capabilities. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a regular expression parser that can parse the following type of string passed as description of a public key: pubkey=65ac32,algo=ml-kem-1024 If parsing it succeeds, then build the command line parameter for swtpm_cert with the extracted parameters, otherwise fall back to trying to parse for EC and RSA keys. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the EK parameters table with parameters for an ML-KEM primary key and implement functions for creating an ML-KEM primary key and also an ML-KEM storage primary key (SPK). Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the EK key algo table with options for ML-KEM keys as 1st and 2nd EK keys. Since we are now depending on libtpms v0.11 with ML-KEM support, it may not be necessary to test whether the key types are supported. The user has to choose a profile that supports the requested key type, though. A user currently has to use the 'default-v2' or a custom profile where ML-KEM keys are enabled. Print an error if IAK and IDevID keys are supposed to be ML-KEM keys. Mention the new key algorithms in the man pages for swtpm_setup.conf and swtpm_setup. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the EK, IAK, and IDevID tables with parameters for an ML-DSA primary key and implement functions for creating an ML-DSA primary key. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the EK key algo table with options for ML-DSA keys as 1st and 2nd EK keys. Since we are now depending on libtpms v0.11 with ML-DSA support, it may not be necessary to test whether the key types are supported. The user has to choose a profile that supports the requested key type, though. A user currently has to use the 'default-v2' or a custom profile where ML-KEM keys are enabled. Mention the new key algorithms in the man pages for swtpm_setup.conf and swtpm_setup. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Run TPM2_GetCapability(TPM_PROPERTIES) to query the TPM 2 for the maximum NV buffer size that can be used for writing data to an NV space. With the larger certificates it now makes sense to query when the number of bytes to write is beyond 1kb. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display the type of storage primary key that was created and mention in the help screen and man page that an ML-KEM key will be used instead of an ML-DSA key. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
…setup Add some test cases for having swtpm_setup create ML-KEM and ML-DSA EK keys. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the test that is checking created EK certificates to now also create ML-KEM and ML-DSA certificates. Don't try to use tpm2_createek with these key algorithms, since they are not supported by the tool, yet. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
…chemes Enable swtpm_cert to sign EK certificates with ML-DSA and EdDSA keys. An ML-DSA-87 EK signed by an ML-DSA-87 private key (currently) leads to an EK certificate of ~7567 bytes. Therefore, large NVRAM spaces are needed to store such certificates. Also allow signing of the certificates with EdDSA keys, such as Ed25519 and Ed448. Add a recommendation for CA keys to the swtpm_setup man page. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a test case that starts the TPM 2 with the default-v2 profile which enables ML-KEM and ML-DSA and check that the TPM 2 cannot be initialized when the buffer size is set to 5kb and that it can be initialized once the buffer size is at 8kb. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for ML-KEM and ML-DSA keys to swtpm_setup. This also requires that swtpm_local can parse the new types of parameters passed to it and then pass them along to swtpm_cert, which in turn also needs to be extended for ML-KEM and ML-DSA keys.
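The key-description parsing named in the commit messages above (a string such as `pubkey=65ac32,algo=ml-kem-1024`, with fallback to EC and RSA parsing when it does not match), shown as an added example that is not code from this pull request. The function name, return codes, the algorithm allowlist and the even-length hex check are this example's assumptions; the byte counts are the raw public-key sizes from FIPS 203 and FIPS 204.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>

enum { PQ_OK = 0, PQ_NOMATCH = 1, PQ_INVALID = -1 };

/* Raw public-key sizes in bytes per FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA). */
struct pq_algo { const char *name; size_t pubkey_bytes; };
static const struct pq_algo pq_algos[] = {
    { "ml-kem-512", 800 }, { "ml-kem-768", 1184 }, { "ml-kem-1024", 1568 },
    { "ml-dsa-44", 1312 }, { "ml-dsa-65", 1952 },  { "ml-dsa-87", 2592 },
};

/*
 * Hypothetical helper (name and return codes are this example's own).
 * PQ_NOMATCH: not a "pubkey=...,algo=ml-..." string; caller tries EC/RSA parsing.
 * PQ_INVALID: right shape, but odd-length hex or an algorithm outside the allowlist.
 * PQ_OK:      *algo points at the table entry, *nbytes is the decoded key length,
 *             which the caller can compare with (*algo)->pubkey_bytes.
 */
int parse_pq_keydesc(const char *s, const struct pq_algo **algo, size_t *nbytes)
{
    regex_t re;
    regmatch_t m[3];
    size_t i, hexlen, namelen;
    int rc;

    if (regcomp(&re, "^pubkey=([0-9a-fA-F]+),algo=(ml-[a-z]+-[0-9]+)$", REG_EXTENDED))
        return PQ_INVALID;
    rc = regexec(&re, s, 3, m, 0);
    regfree(&re);
    if (rc != 0)
        return PQ_NOMATCH;

    hexlen = (size_t)(m[1].rm_eo - m[1].rm_so);
    if (hexlen % 2 != 0)
        return PQ_INVALID;              /* half a byte cannot be part of a key */

    namelen = (size_t)(m[2].rm_eo - m[2].rm_so);
    for (i = 0; i < sizeof(pq_algos) / sizeof(pq_algos[0]); i++) {
        if (strlen(pq_algos[i].name) == namelen &&
            memcmp(s + m[2].rm_so, pq_algos[i].name, namelen) == 0) {
            *algo = &pq_algos[i];
            *nbytes = hexlen / 2;
            return PQ_OK;
        }
    }
    return PQ_INVALID;                  /* e.g. "ml-kem-2048" */
}
```

Rejecting a well-formed string that names an unknown `ml-*` algorithm, rather than falling through to the EC/RSA path, keeps a typo in the algorithm name from being silently reinterpreted as a different key type.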