Kernel keyring support to offload TPM
Date: Thu, 02 May 2024 19:23:46 UTC
We have a need for a kernel keyring or similar functionality to allow offloading crypto operations from a TPM. The basic idea is a master keyring key wrapped by TPM. The TPM needs to unwrap it before it can be used, but that is all the TPM needs to do. This would likely need to be done frequently - at least in FIPS mode we cannot leave idle keys unprotected in memory. The encrypted keyring would not count, so we still reduce load on the TPM.

The folk looking for this have done a proof of concept on Linux leveraging https://docs.kernel.org/security/keys/core.html but we need similar for FreeBSD.

Wondering who else might be interested, and even better if someone is already working on something similar.

Thanks
--sjg
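An added model of the wrap/unwrap pattern sketched in the post (not code from the message, nor from the Linux or FreeBSD keyring implementations): only a TPM-sealed blob stays resident, the TPM is asked solely to unseal it, the bulk signing runs in software, and the plaintext key is wiped after each batch. `TpmStub`, `WrappedMasterKey` and `demo` are assumed names, and the HMAC-based sealing is a stand-in for real TPM sealing.

```python
import hashlib
import hmac
import secrets


class TpmStub:
    """Stand-in for a TPM (assumption): a device-resident secret plus an
    HMAC-SHA256 keystream and tag mimic sealing. ops counts device requests."""
    def __init__(self) -> None:
        self._srk = secrets.token_bytes(32)
        self.ops = 0

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        blocks = [hmac.new(self._srk, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(-(-n // 32))]
        return b"".join(blocks)[:n]

    def seal(self, key: bytes) -> bytes:
        self.ops += 1
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(key, self._keystream(nonce, len(key))))
        return nonce + ct + hmac.new(self._srk, nonce + ct, hashlib.sha256).digest()

    def unseal(self, blob: bytes) -> bytes:
        self.ops += 1
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._srk, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("sealed blob failed authentication")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


class WrappedMasterKey:
    """Keyring entry: only the TPM-sealed blob stays resident between uses."""
    def __init__(self, tpm: TpmStub, key: bytes) -> None:
        self._tpm, self._blob = tpm, tpm.seal(key)

    def sign_batch(self, msgs: list[bytes]) -> list[bytes]:
        key = bytearray(self._tpm.unseal(self._blob))  # one TPM round trip per batch
        try:  # bulk crypto runs in software, not on the TPM
            return [hmac.new(bytes(key), m, hashlib.sha256).digest() for m in msgs]
        finally:
            key[:] = bytes(len(key))  # best-effort wipe; Python may keep copies


def demo(n_msgs: int = 100, batch: int = 10) -> tuple[int, int]:
    """Sign n_msgs in batches; return (TPM requests made, signatures that verify)."""
    tpm, master = TpmStub(), secrets.token_bytes(32)
    entry = WrappedMasterKey(tpm, master)
    msgs = [f"msg{i}".encode() for i in range(n_msgs)]
    sigs = [s for i in range(0, n_msgs, batch) for s in entry.sign_batch(msgs[i:i + batch])]
    ok = sum(hmac.compare_digest(s, hmac.new(master, m, hashlib.sha256).digest())
             for s, m in zip(sigs, msgs))
    return tpm.ops, ok
```

With 100 messages in batches of 10, the stub TPM sees 11 requests (one seal, ten unseals) while all 100 signatures are produced in software; the batch size is the knob that trades TPM load against how long the plaintext key is exposed.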