Date: Thu, 2 May 2024 12:23:46 -0700 From: Simon J Gerraty <sjg@juniper.net> To: <freebsd-arch@freebsd.org> Cc: <sjg@juniper.net> Subject: Kernel keyring support to offload TPM Message-ID: <37306.1714677826@kaos.jnpr.net>
We have a need for a kernel keyring or similar functionality to allow offloading crypto operations from a TPM.

The basic idea is a master keyring key wrapped by TPM. The TPM needs to unwrap it before it can be used, but that is all the TPM needs to do. This would likely need to be done frequently - at least in FIPS mode we cannot leave idle keys unprotected in memory. The encrypted keyring would not count, so we still reduce load on the TPM.

The folk looking for this have done a proof of concept on Linux leveraging https://docs.kernel.org/security/keys/core.html but we need similar for FreeBSD.

Wondering who else might be interested, and even better if someone is already working on something similar.

Thanks
--sjg
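The key-handling model the post sketches (a master key that sits in memory only in TPM-wrapped form, is unwrapped on demand for each operation, and is zeroed again afterwards, so the TPM is asked only to unwrap while the host does the actual crypto) can be shown in user-space Go with the standard library. This is an added illustration, not code from the post, from FreeBSD, or from the Linux keyring proof of concept; `SimTPM`, `Keyring`, and the AES-256-GCM wrapping scheme are assumptions standing in for a real TPM's sealed-object interface.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SimTPM is an assumed stand-in for the one job the post gives the TPM:
// it holds a storage key that never leaves it and only wraps and unwraps
// blobs. Unwraps counts how often the keyring has to come back to it.
type SimTPM struct {
	storageKey []byte
	Unwraps    int
}

func NewSimTPM() (*SimTPM, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &SimTPM{storageKey: k}, nil
}

func (t *SimTPM) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(t.storageKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap returns nonce || AES-256-GCM(plain). The authentication tag lets
// Unwrap reject a tampered or foreign blob instead of returning garbage
// key material.
func (t *SimTPM) Wrap(plain []byte) ([]byte, error) {
	g, err := t.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plain, nil), nil
}

// Unwrap is the only TPM operation the keyring needs per use.
func (t *SimTPM) Unwrap(blob []byte) ([]byte, error) {
	g, err := t.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	t.Unwraps++
	nonce, ct := blob[:g.NonceSize()], blob[g.NonceSize():]
	return g.Open(nil, nonce, ct, nil)
}

// Keyring keeps only the wrapped master key resident, which is what the
// post says does not count as an unprotected key. The plaintext exists
// only inside withMaster and is zeroed before it returns.
type Keyring struct {
	tpm     *SimTPM
	wrapped []byte
}

func NewKeyring(tpm *SimTPM, master []byte) (*Keyring, error) {
	w, err := tpm.Wrap(master)
	if err != nil {
		return nil, err
	}
	return &Keyring{tpm: tpm, wrapped: w}, nil
}

func (k *Keyring) withMaster(fn func(master []byte) error) error {
	master, err := k.tpm.Unwrap(k.wrapped)
	if err != nil {
		return err
	}
	defer func() {
		for i := range master { // zeroize: no idle plaintext key stays in memory
			master[i] = 0
		}
	}()
	return fn(master)
}

// Sign is the offloaded operation: HMAC-SHA256 computed on the host under
// the freshly unwrapped master key.
func (k *Keyring) Sign(msg []byte) ([]byte, error) {
	var tag []byte
	err := k.withMaster(func(master []byte) error {
		m := hmac.New(sha256.New, master)
		m.Write(msg)
		tag = m.Sum(nil)
		return nil
	})
	return tag, err
}

func main() {
	tpm, _ := NewSimTPM()
	kr, _ := NewKeyring(tpm, []byte("constructed-32-byte-master-key!!")) // constructed sample key
	tag, err := kr.Sign([]byte("hello"))
	fmt.Printf("tag=%x err=%v unwraps=%d\n", tag, err, tpm.Unwraps)
}
```

Each `Sign` costs one TPM unwrap and no TPM signing, which is the load reduction the post is after; a bit flipped in the wrapped blob makes `Unwrap` fail rather than silently signing under a wrong key. One caveat the simulation shows: zeroing `master` does not clear the HMAC state derived from it, so a kernel implementation would have to zeroize that derived state too.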