Solaris 11 Express Security Features - TPM Support
By wyllys on Nov 16, 2010
A while back (March 2009, to be exact), I wrote about the introduction of TPM support in OpenSolaris. If you didn't try out OpenSolaris, you can now get the TPM support features in Solaris 11 Express. Just to recap and update some older information from the earlier post:
- Support for TPM 1.2 devices on x86/64 and some SPARC (sun4v) platforms.
- Trusted Computing Group (TCG) software interfaces are supported with the inclusion of the TrouSerS package. Solaris 11 Express includes TrouSerS version 0.3.4.
- The tpmadm(1M) utility can be used to perform TPM administrative functions and view the state of some TPM registers.
- A PKCS#11 provider for using the TPM to secure keys is also provided (and explained below).
In my original blog entry, I omitted the details about the PKCS#11 TPM provider. Solaris 11 Express includes a provider that plugs into the Solaris Cryptographic Framework and enables PKCS#11 consumers to use the TPM as a secure keystore. This allows private data stored in the TPM provider to be protected by TPM-resident keys. The benefit is that data protected with TPM keys can only ever be decrypted on that same platform using the same TPM (unless they are migrated, which is a topic for another day). This protects the data from brute-force password attacks on the keys, and also makes them useless if they are removed from the platform that protects them.
The TCSD service must be enabled and the TPM device must be available in order for the TPM support to work correctly.
Check for TPM device:
$ ls -alF /dev/tpm
lrwxrwxrwx 1 root root 44 Oct 1 2009 /dev/tpm -> ../devices/pci@0,0/isa@1f/tpm@0,fed40000:tpm
Enable the TCSD service:
# svcadm enable tcsd
If the TPM device is available and the tcsd service is running, individual users must initialize their own personal TPM-protected token storage area as follows:
# pktool inittoken currlabel=TPM
Next, the token PIN must be set for the SO (security officer); the default is 87654321:
$ pktool setpin token=tpm/joeuser so
Finally, the user's PIN can be set (the initial PIN is 12345678):
$ pktool setpin token=tpm/joeuser
The TPM token should now be ready for use. pktool(1) can be used to generate keys and certificates using the TPM device by specifying the token name used when the token was initialized ("TPM" in the examples above).
$ pktool gencert token=tpm/joeuser -i
$ pktool list token=tpm/joeuser
Also, any existing applications that already use the Solaris Cryptographic Framework interfaces (libpkcs11) can easily be made to use the TPM token for their operations by just making them select the TPM token device for the sessions.
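Selecting the TPM token in an application usually means comparing each slot's token label against the token name. The following is an added example, not code from this post or from Solaris: it matches a name exactly against PKCS#11's 32-byte, blank-padded, non-NUL-terminated label field and fails closed when the token is missing, so keys never land silently in another keystore. The function names and the "example-softtoken" label are constructed for illustration; in a real program the labels come from C_GetTokenInfo.

```c
#include <stddef.h>
#include <string.h>

#define TOKEN_LABEL_LEN 32   /* size of CK_TOKEN_INFO.label in PKCS#11 */

/* Build a blank-padded label the way a token reports it (used only for
 * the constructed sample below). */
void make_label(unsigned char out[TOKEN_LABEL_LEN], const char *name)
{
    size_t n = strlen(name);
    if (n > TOKEN_LABEL_LEN)
        n = TOKEN_LABEL_LEN;
    memset(out, ' ', TOKEN_LABEL_LEN);
    memcpy(out, name, n);
}

/* Exact match: 'want' must equal the label with its trailing blanks removed.
 * A prefix comparison would let "tpm/joe" select "tpm/joeuser". */
int label_matches(const unsigned char label[TOKEN_LABEL_LEN], const char *want)
{
    size_t i, n = strlen(want);
    if (n == 0 || n > TOKEN_LABEL_LEN || memcmp(label, want, n) != 0)
        return 0;
    for (i = n; i < TOKEN_LABEL_LEN; i++)
        if (label[i] != ' ')
            return 0;
    return 1;
}

/* Index of the single token named 'want', or -1 if it is absent or
 * ambiguous. The caller should treat -1 as an error, not fall back to
 * the first slot. */
int find_token(unsigned char labels[][TOKEN_LABEL_LEN], size_t count, const char *want)
{
    int found = -1;
    size_t i;
    for (i = 0; i < count; i++) {
        if (!label_matches(labels[i], want))
            continue;
        if (found != -1)
            return -1;
        found = (int)i;
    }
    return found;
}

/* Constructed sample: slot 0 is a software token, slot 1 the TPM token. */
int demo_select(const char *want)
{
    unsigned char labels[2][TOKEN_LABEL_LEN];
    make_label(labels[0], "example-softtoken");
    make_label(labels[1], "tpm/joeuser");
    return find_token(labels, 2, want);
}
```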
More details about the TPM provider are available in the man pages for pkcs11_tpm(5) included in Solaris 11 Express.