Issue 855675 link

Starred by 1 user

Issue metadata

Status:	Available
Merged:	issue 855667
Owner:	----
Cc:	apronin@chromium.org emaxx@chromium.org pmarko@chromium.org menghuan@chromium.org
Components:	Enterprise OS>Systems OS>Systems>Security
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	2
Type:	Feature
Enterprise-Triaged Target-70 Cros-Hwsec-Ready

Blocking:
issue 855667

Participants' hotlists:
Cros-Hwsec-Ready

Support a method for explicitly requesting that Chaps backs a key in Software, rather than TPM

Project Member Reported by rsleevi@chromium.org, Jun 22 2018

Issue description

This is a feature request to have Chaps support backing keys that are not stored on the TPM itself, but protected with TPM-backed keys - that is, software-implementation of algorithms, using TPM-wrapped keys rather than TPM-backed keys.

Comment 1 by rsleevi@chromium.org, Jun 22 2018

See also https://bugs.chromium.org/p/chromium/issues/detail?id=855667#c7

So it sounds like importing keys to Chaps already supports this. Thus, we can either close this feature request (and make implementations responsible for generating the key, then importing), or look at adding an attribute to the generation request to indicate it should be generated using Chaps' stack (which should be robust and secure, compared to a dozen different other ways), but not TPM backed.

Comment 2 by apronin@chromium.org, Jun 22 2018

Also, note that there is a work going on already to speed up signing with tpm-backed keys, which may reduce the need in software-backed keys. See  issue 851053  -> issue 851113.