
Issue 855675

Issue metadata

Status: Available
Merged: issue 855667
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Feature

Blocking:
issue 855667


Participants' hotlists:
Cros-Hwsec-Ready


Support a method for explicitly requesting that Chaps backs a key in Software, rather than TPM

Project Member Reported by rsleevi@chromium.org, Jun 22 2018

Issue description

This is a feature request to have Chaps support backing keys that are not stored on the TPM itself, but protected with TPM-backed keys - that is, software-implementation of algorithms, using TPM-wrapped keys rather than TPM-backed keys.
 
See also https://bugs.chromium.org/p/chromium/issues/detail?id=855667#c7

So it sounds like importing keys to Chaps already supports this. Thus, we can either close this feature request (and make implementations responsible for generating the key, then importing), or look at adding an attribute to the generation request to indicate it should be generated using Chaps' stack (which should be robust and secure, compared to a dozen different other ways), but not TPM backed.
Also, note that there is work going on already to speed up signing with TPM-backed keys, which may reduce the need for software-backed keys. See issue 851053 -> issue 851113.
Labels: Enterprise-Triaged
Components: OS>Systems>Security
Labels: Cros-Hwsec-Ready
Mergedinto: 855667
Status: Duplicate (was: Untriaged)
Status: Available (was: Duplicate)
Cc: menghuan@chromium.org
