PKCS11 TPM support #23

Merged
merged 5 commits into from
Dec 5, 2023
40 changes: 38 additions & 2 deletions .github/workflows/build-workflow.yml
Expand Up @@ -7,6 +7,10 @@ on:
config:
required: false
type: string
check:
required: false
type: string
default: 'make check'

jobs:
build:
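Review bot: the new `check` input has no `description:` field, and its value is executed verbatim as a shell command later in this workflow (`run: ${{inputs.check}}` in the `wolfpkcs11 make check` step), so document it as a trusted command string: add `description: 'Shell command run as the test step (default: make check)'` under `check:`. The visible caller is this repository's own unit-test.yml, so expression injection from an untrusted source is not an issue for this PR, but the note belongs next to the input for anyone who reuses the workflow from elsewhere.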
Expand All @@ -30,7 +34,7 @@ jobs:
- name: wolfssl configure
working-directory: ./wolfssl
run: |
./configure --enable-cryptonly --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt \
./configure --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt \
C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT"
- name: wolfssl make install
working-directory: ./wolfssl
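Review bot: `--enable-cryptonly` is dropped in the same edit that adds `--enable-cryptocb`, and nothing in the PR says why the CI wolfSSL build now needs the TLS layer as well. If the two options are compatible, keep `--enable-cryptonly --enable-cryptocb` so the CI build stays minimal; if they are not, a comment on the line saying so will stop the next person from re-adding it. The README hunk in this PR adds `--enable-cryptocb` to a line that never had `--enable-cryptonly`, so README and CI end up consistent either way.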
Expand All @@ -41,6 +45,38 @@ jobs:
sudo make install
sudo ldconfig

#setup ibmswtpm2
- uses: actions/checkout@v3
with:
repository: kgoldman/ibmswtpm2
path: ibmswtpm2
- name: ibmswtpm2 make
working-directory: ./ibmswtpm2/src
run: |
make
./tpm_server &

#setup wolftpm
- uses: actions/checkout@v3
with:
repository: wolfssl/wolftpm
path: wolftpm
- name: wolftpm autogen
working-directory: ./wolftpm
run: ./autogen.sh
- name: wolftpm configure
working-directory: ./wolftpm
run: |
./configure --enable-swtpm
- name: wolftpm make install
working-directory: ./wolftpm
run: make
- name: wolftpm make install
working-directory: ./wolftpm
run: |
sudo make install
sudo ldconfig

#setup wolfPKCS11
- name: wolfpkcs11 autogen
run: ./autogen.sh
Expand All @@ -49,7 +85,7 @@ jobs:
- name: wolfpkcs11 make
run: make
- name: wolfpkcs11 make check
run: make check
run: ${{inputs.check}}
- name: wolfpkcs11 make install
run: sudo make install
- name: wolfpkcs11 make dist
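Review bot: both `actions/checkout@v3` steps added here (kgoldman/ibmswtpm2 and wolfssl/wolftpm) fetch the default branch with no `ref:`, so the TPM test job now tracks the current head of a third-party repository; pin `ref:` to a tag or commit for ibmswtpm2 at least, otherwise an upstream change can break or silently alter this CI run with no change in this repo. Two smaller points in the same hunk: `./tpm_server &` is backgrounded and nothing waits for it to be listening before the wolfTPM and wolfPKCS11 test steps run (a short `sleep` or a loop polling the port would make the job deterministic), and the step `- name: wolftpm make install` / `run: make` has the same name as the install step directly below it, which makes the job log ambiguous; rename it `wolftpm make`.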
13 changes: 12 additions & 1 deletion .github/workflows/unit-test.yml
Expand Up @@ -2,7 +2,7 @@ name: wolfPKCS11 Build Tests

on:
push:
branches: [ '*' ]
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]

Expand All @@ -11,6 +11,17 @@ jobs:
defaults_all:
uses: ./.github/workflows/build-workflow.yml

single_theaded:
uses: ./.github/workflows/build-workflow.yml
with:
config: --enable-singlethreaded

tpm:
uses: ./.github/workflows/build-workflow.yml
with:
config: --enable-singlethreaded --enable-wolftpm --disable-dh CFLAGS="-DWOLFPKCS11_TPM_STORE"
check: ./tests/pkcs11str && ./tests/pkcs11test

no_rsa:
uses: ./.github/workflows/build-workflow.yml
with:
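Review bot: the job id `single_theaded` is misspelled; rename it `single_threaded` before other workflows or branch-protection rules start referencing the name. In the `tpm` job, `check: ./tests/pkcs11str && ./tests/pkcs11test` replaces `make check` entirely; if the rest of the suite cannot run against the software TPM, say so in a comment on the job. Passing `CFLAGS="-DWOLFPKCS11_TPM_STORE"` on the configure line also replaces autoconf's default `-g -O2`, so this job builds without optimisation; either write `CFLAGS="-O2 -DWOLFPKCS11_TPM_STORE"` or have configure add the define to `AM_CFLAGS` behind an option.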
20 changes: 19 additions & 1 deletion README.md
Expand Up @@ -13,7 +13,7 @@ Build wolfSSL:
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT"
./configure --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT"
make
make check
sudo make install
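Review bot: the baseline build line now carries `--enable-aescfb --enable-cryptocb` for every reader, but the text does not say which feature needs them. If they are only required when wolfPKCS11 is configured with `--enable-wolftpm`, say so in the new TPM section and leave the baseline line alone; if they are required unconditionally now, one sentence saying why will stop users from trimming them.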
Expand All @@ -33,12 +33,29 @@ make
make check
```


### TPM support with wolfTPM

Enables using a TPM for cryptography and keystore.
Tested using `./configure --enable-singlethreaded --enable-wolftpm --disable-dh CFLAGS="-DWOLFPKCS11_TPM_STORE" && make`.

Note: The TPM does not support DH, so only RSA and ECC are supported.


### Build options and defines

#### Define WOLFPKCS11_TPM_STORE

Use `WOLFPKCS11_TPM_STORE` storing objects in TPM NV.

#### Define WOLFPKCS11_NO_STORE

Disables storage of tokens.

#### Define WOLFPKCS11_DEBUG_STORE

Enables debugging printf's for store.

#### Define WOLFPKCS11_CUSTOM_STORE

Removes default implementation of storage functions.
Expand All @@ -48,6 +65,7 @@ See wolfpkcs11/store.h for prototypes of functions to implement.

Sets the private key's label against the public key when generating key pairs.


## Environment variables

### WOLFPKCS11_TOKEN_PATH
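Review bot: the "TPM support with wolfTPM" section gives only the tested configure line and should state the prerequisites: wolfTPM has to be installed first (the CI hunk in this PR builds wolfssl/wolftpm with `--enable-swtpm` against a running ibmswtpm2 `tpm_server`), and it should say whether `--enable-singlethreaded` and `--disable-dh` are requirements of the TPM path or just what was tested. The `WOLFPKCS11_TPM_STORE` entry reads "Use `WOLFPKCS11_TPM_STORE` storing objects in TPM NV."; make it "Define `WOLFPKCS11_TPM_STORE` to store objects in TPM NV (requires `--enable-wolftpm`)." The `WOLFPKCS11_TPM` define that configure.ac now sets for `--enable-wolftpm` is missing from "Build options and defines".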
18 changes: 17 additions & 1 deletion configure.ac
Expand Up @@ -322,8 +322,24 @@ fi

if test "$enable_shared" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DHAVE_PKCS11_STATIC"
else
LIBS="$LIBS -ldl"
fi


AC_ARG_ENABLE([wolftpm],
[AS_HELP_STRING([--enable-wolftpm],[Enable wolfTPM keystore support (default: disabled)])],
[ ENABLED_TPM=$enableval ],
[ ENABLED_TPM=no ]
)
if test "$ENABLED_TPM" = "yes"
then
LIBS="$LIBS -lwolftpm"
AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_TPM"
fi



AM_CONDITIONAL([BUILD_STATIC],[test "x$enable_shared" = "xno"])


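Review bot: `--enable-wolftpm` appends `-lwolftpm` and `-DWOLFPKCS11_TPM` with no probe for the library, so a missing or mismatched wolfTPM only surfaces as a link error partway through `make` instead of a clear message at configure time; add `AC_CHECK_LIB([wolftpm], [wolfTPM2_Init], [], [AC_MSG_ERROR([wolfTPM not found])])` (or a header check) inside the `if test "$ENABLED_TPM" = "yes"` block. Moving `-ldl` under the `else` branch is fine provided nothing in the `HAVE_PKCS11_STATIC` build calls `dlopen`/`dlsym`; a quick grep of the static code path and the tests before merge would confirm that.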
Expand All @@ -333,7 +349,7 @@ AX_HARDEN_CC_COMPILER_FLAGS

OPTION_FLAGS="$CFLAGS $CPPFLAGS $AM_CFLAGS"

LIBS="$LIBS -lwolfssl -ldl -lm"
LIBS="$LIBS -lwolfssl -lm"

CREATE_HEX_VERSION
AC_SUBST([AM_CPPFLAGS])
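Review bot: with the `-lwolftpm` assignment added earlier in this file, `LIBS` ends as `... -lwolftpm -lwolfssl -lm`, which is the required order when wolfTPM is linked statically (it depends on wolfSSL symbols), so these two assignments must not be reordered; a one-line comment above this line saying the order matters would prevent a later tidy-up from breaking static builds. Note that dropping `-ldl` here only stays correct together with the `else LIBS="$LIBS -ldl"` branch added above, so keep the two changes in one commit.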
15 changes: 0 additions & 15 deletions include.am

This file was deleted.
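Review bot: include.am is deleted (15 lines) but the diff shown here does not include the file that absorbs its automake rules; the PR description should say which Makefile.am fragment now carries them, since the `wolfpkcs11 make dist` step in build-workflow.yml will only package what the remaining fragments list.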
