Requires owner password for every key use

[swsnr]

I'm not very familiar with how TPMs work, but reading around I got the impression that ideally you'd take "ownership" of the TPM by setting owner, endorsement, and lockout passwords, e.g. with tss2 provision which also creates a new SRK.

Presumably, systemd-cryptenroll can then use this SRK without prompting for owner authorization; in other words I can run systemd-cryptenroll --tpm2-public-key=/etc/systemd/tpm2-pcr-public-key.pem --tpm2-device=auto /dev/disk/by-partlabel/linux-root to bind LUKS to a TPM policy without being prompted for the owner password.

With ssh-tpm-agent however, I need to provide the owner password every time I generate a key, and I also need to put the owner password into the environment for the agent process, which perhaps sort of defeats the purpose of the owner password in the first place?

Is this intended?

[Foxboron]

Is this intended?

Yes and no. The currently implementation works this way, and it's the intended way for this to work.

However you can create a parent that would allow you to bypass this. So use the SRK systemd creates after ownership and pass it to the keygen with --parent-handle.

See: Foxboron/age-plugin-tpm#32

I have not documented this, and I think it should work. Else I need to improve the code a bit.

[swsnr]

Thanks for the pointer. I'll try that soon, and report back 🙏

[swsnr]

Are you sure that custom handles are supported? ssh-tpm-keygen -f test -C 'test' --parent-handle 0x81000001 (educated guess 😇 ) gives TPM_RC_BAD_AUTH without owner password, and looking at the code, there's a) a TODO: Support custom handles where the --parent-handle option is handled, and b) the option value seems to be resolved through GetParentHandle which doesn't handle custom handles at all, and just falls through to owner for every unknown value.

[Foxboron]

Thhheeeennn I guess I never wrote that code 🙃

[swsnr]

🙈 Don't know no go, and have no clues of TPMs either but I'll start flailing around until I get this workingl🤓🤞

[Foxboron]

I suspect I'll write up something that solves this when I get a tiny bit of motivation. ssh-tpm-keygen could be a tiny bit more clever when it comes to the SRK parent I reckon.

[swsnr]

That would be appreciated 🙏