2 .\" Copyright (c) 2006, Sun Microsystems, Inc. All Rights Reserved
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
4 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
5 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH PKCS11_TPM 5 "May 13, 2017"
8 pkcs11_tpm \- RSA PKCS#11 token for Trusted Platform Modules (TPM)
12 /usr/lib/security/pkcs11_tpm.so
17 /usr/lib/security/64/pkcs11_tpm.so
22 The \fBpkcs11_tpm.so\fR object implements the RSA PKCS#11 v2.20 specification
23 using Trusted Computing Group protocols to talk to a TPM security device. This
24 provider implements the PKCS#11 specification and uses the TCG Software Stack
25 (TSS) APIs in the \fBtrousers\fR package.
28 Application developers should link to \fBlibpkcs11.so.1\fR rather than link
29 directly with \fBpkcs11_tpm.so\fR. See \fBlibpkcs11\fR(3LIB).
32 The following cryptographic algorithms are implemented: \fBRSA\fR, \fBSHA1\fR,
36 All of the standard PKCS#11 functions listed in \fBlibpkcs11\fR(3LIB) are
37 implemented except for the following:
60 The following RSA PKCS#11 v2.20 mechanisms are supported:
64 CKM_RSA_PKCS_KEY_PAIR_GEN
72 CKM_SHA_1_HMAC_GENERAL
80 .SS "Per-User Initialization"
82 The \fBpkcs11_tpm\fR provider can only be used on a system which has a TPM
83 device and which also has the \fBtrousers\fR package installed. If those
84 prerequisites are met, users can create their own private tokens using
85 \fBpktool\fR(1), which will allow them to perform operations using the TPM
86 device and protect their private data with TPM-protected keys.
89 To prepare and initialize a user's TPM token, the following steps must be
99 Set the SO (security officer) PIN.
104 Set the user's unique PIN.
108 Initializing the token is done using the \fBpktool\fR(1) command as follows:
112 $ \fBpktool inittoken currlabel=TPM newlabel=tpm/myname\fR
121 By default, an uninitialized TPM is recognized by the name \fBTPM\fR. When a
122 user initializes their own private token, it can either be renamed to something
123 else (for example, \fBtpm/joeuser\fR) or kept as \fBTPM\fR (in which case the
124 \fBnewlabel\fR argument would be omitted).
130 The user will have to supply the default SO PIN before being able to initialize
131 his or her token. The default SO PIN is \fB87654321\fR. It is changed in step
136 Once the token is initialized, the SO and user PINs must be changed from the
137 default values. Again, \fBpktool\fR(1) is used to change these PIN values.
144 $ \fBpktool setpin token=tpm/joeuser so\fR
151 The \fBso\fR option indicates that this "setpin" operation is to change the SO
152 PIN and must be present. The user must then enter the default SO PIN
153 (\fB87654321\fR) and then enter (and confirm) a new PIN.
156 Once the SO PIN is reset from the default, the user's unique PIN must also be
160 Changing the user's PIN:
164 $ \fBpktool setpin token=tmp/joeuser\fR
171 The default PIN for a non-SO user is \fB12345678\fR. The user must enter the
172 default PIN and then enter (and confirm) a new, unique PIN.
175 The PIN provided for the \fBpktool\fR \fBsetpin\fR operation or by calling
176 \fBC_Login()\fR and \fBC_SetPIN()\fR functions can be any string of characters
177 with a length between 1 and 256 and no embedded nulls.
178 .SS "Accessing the Token"
180 After a user initializes their token, they can begin using it with
181 \fBpktool\fR(1) or by writing PKCS11 applications and locating the token using
182 the name created above (\fBtpm/joeuser\fR in the examples above).
189 $ \fBpktool gencert token=tpm/joeuser -i\fR
190 $ \fBpktool list token=tpm/joeuser\fR
197 \fBpkcs11_tpm.so\fR provides object storage in a filesystem-specific token
198 object storage area. Private objects are protected by encryption with private
199 keys and can only be decrypted by loading the token's private key into the TPM
200 and performing the decryption entirely in the TPM. The user's private key is
201 generated by the TPM when the user sets their personal PIN (see above). The
202 keys for both the SO and users are stored in the TSS persistent storage
203 database and are referenced by a unique UUID value. All user tokens have a
204 unique SO key and unique user key so that the PINs for one user's token will
205 not unlock private data in another user's token on the same machine.
208 Each TPM is unique and the token keys created on one TPM may not be used on
209 another TPM. The \fBpkcs11_tpm.so\fR token data is all managed on the system
210 where the TPM resides and may not be moved to other systems. If the TPM is
211 reset and the SRK (Storage Root Key) is changed, all of the keys previously
212 generated for that TPM will no longer be valid.
215 \fBpkcs11_tpm.so\fR creates a private workspace to manage administrative files
216 for each token created. By default, this area is created as
217 \fB/var/tpm/pkcs11/$USERNAME\fR. However, users may override this by setting
218 the \fBPKCS11_TPM_DIR\fR environment variable prior to initializing or using
222 The return values for each of the implemented functions are defined and listed
223 in the RSA PKCS#11 v2.20 specification. See \fBhttp://www.rsasecurity.com\fR.
227 \fB\fB/var/tpm/pkcs11/USERNAME\fR\fR
231 User's default token object store.
237 \fB\fB${PKCS11_TPM_DIR}\fR\fR
241 Alternate token object store.
246 See \fBattributes\fR(5) for descriptions of the following attributes:
254 ATTRIBUTE TYPE ATTRIBUTE VALUE
256 Interface Stability Committed
258 MT-Level MT-Safe with Exceptions (see below)
260 Standard PKCS#11 v2.20
265 Exceptions to MT-Safe attribute are documented in section 6.5.2 of RSA PKCS#11
269 \fBpktool\fR(1), \fBcryptoadm\fR(1M), \fBlibpkcs11\fR(3LIB),
273 TCG Software Stack (TSS) Specifications: \fBhttps://www.trustedcomputinggroup.org/specs/TSS\fR (as of the date of publication)