d6f0f945c528ce92a02479672c6a059221c42609
FieldNotes/LegalName.md
... | ... | @@ -1,3 +1,7 @@ |
1 | +--- |
|
2 | +title: Changing your legal name in Madison County, Alabama |
|
3 | +--- |
|
4 | + |
|
1 | 5 | This is how I changed my legal name in Madison County, AL. The process is definitely different elsewhere. |
2 | 6 | |
3 | 7 | ## Background |
FieldNotes/TPMKeys.md
... | ... | @@ -0,0 +1,99 @@ |
1 | +--- |
|
2 | +title: TPM2-backed SSH keys on NixOS |
|
3 | +--- |
|
4 | + |
|
5 | +## Introduction |
|
6 | + |
|
7 | +If you are here, I am assuming you already know why it's useful to store keys on a TPM, so I won't write about my rationale here. |
|
8 | + |
|
9 | +There are a few components to understand here: |
|
10 | + |
|
11 | +* The TPM hardware itself generates and stores keys |
|
12 | +* `tpm2-abrmd` is the Access Broker and Resource Manager Daemon, which exposes access to the TPM chip over dbus |
|
13 | +* `tpm2-pkcs11` provides a PKCS#11 interface to keys stored on the TPM, allowing many applications (including OpenSSH) a way to use the keys managed by the TPM |
|
14 | + |
|
15 | +## Installation |
|
16 | + |
|
17 | +Let's make sure those components are all installed and configured appropriately: |
|
18 | + |
|
19 | +* You may need to enable the TPM in your system's firmware setup. Be sure to enable it as in 2.0 mode; certain ThinkPads seem to support 1.2 and 2.0 but only 2.0 will work for this. |
|
20 | +* Install all of the components required. On NixOS, that's this snippet in your `configuration.nix`: |
|
21 | + |
|
22 | +``` |
|
23 | +security.tpm2 = { |
|
24 | + enable = true; |
|
25 | + pkcs11.enable = true; |
|
26 | + abrmd.enable = true; |
|
27 | +}; |
|
28 | + |
|
29 | +environment.systemPackages = [ |
|
30 | + # your other desired systemPackages |
|
31 | + tpm2-tools |
|
32 | +]; |
|
33 | +``` |
|
34 | + |
|
35 | +* The next steps will need to be completed as your regular user. You will need the environment variable `TPM2TOOLS_TCTI` set to `tabrmd:bus_type=system`. I use `home-manager`, so I configured this in `home.sessionVariables`, but you can add an `export` in your shell initialization file and it should work fine that way too. To cause less noise later on, set `TSS2_LOG` to `fapi+NONE` too. |
|
36 | + |
|
37 | +## Configuring the TPM |
|
38 | + |
|
39 | +Now we can initialize the TPM and generate our keys. |
|
40 | + |
|
41 | +First, initialize an object hierarchy within the TPM, store that information in `tpm2-pkcs11`'s database, and return a handle that we can use in future commands. |
|
42 | + |
|
43 | +``` |
|
44 | +% tpm2_ptool init |
|
45 | +action: Created |
|
46 | +id: 1 |
|
47 | +``` |
|
48 | + |
|
49 | +The `id` returned is that of the "primary object" of the hierarchy. We will need this number in future commands. It's probably `1`, but change the `--pid` option in later commands if you need to. |
|
50 | + |
|
51 | +Next, we'll create a PKCS11 token. You have to pass a sopin ("system operator" PIN, for recovery/admin purposes) and a userpin (the PIN you will usually use to unlock the keys of this token) on the command line in this step, so consider `export HISTFILE=/dev/null` so those don't get stored in your shell history. |
|
52 | + |
|
53 | +The `label` can be anything you want, and both PINs can contain non-numeric characters if you like. |
|
54 | + |
|
55 | +``` |
|
56 | +% tpm2_ptool addtoken --pid=1 --label=ftpmtoken1 --sopin=youradminpassword --userpin=youruserpassword |
|
57 | +``` |
|
58 | + |
|
59 | +Next, create a key on the newly created token. `--label` and `--userpin` must match what you used before. Multiple algorithms are available (`tpm2_ptool addkey --help`) but not all of them are necessarily supported by your TPM. |
|
60 | + |
|
61 | +To see if your TPM supports a specific ECC curve, try `tpm2_getcap ecc-curves`. To see if your TPM supports a specific RSA key size, try `tpm2_testparms rsa[bits]`, like `tpm2_testparams rsa4096`. If no error is returned, you can use that key size. |
|
62 | + |
|
63 | +``` |
|
64 | +% tpm2_ptool addkey --algorithm=ecc256 --label=ftpmtoken1 --userpin=youruserpassword |
|
65 | +``` |
|
66 | + |
|
67 | +## Configuring OpenSSH |
|
68 | + |
|
69 | +Now we can get our public key from the TPM: |
|
70 | + |
|
71 | +``` |
|
72 | +% ssh-keygen -D /run/current-system/sw/lib/libtpm2_pkcs11.so |
|
73 | +WARNING: Listing FAPI token objects failed: "fapi:A parameter has a bad value" |
|
74 | +Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/FAPI.md for more details |
|
75 | +WARNING: FAPI backend was not initialized. |
|
76 | +ecdsa-sha2-nistp256 [...] |
|
77 | +``` |
|
78 | + |
|
79 | +You can safely ignore the FAPI warnings, if any appear for you. Install the SSH public key on whatever hosts you need to access, then: |
|
80 | + |
|
81 | +``` |
|
82 | +% ssh -o IdentityAgent=none -o PKCS11Provider=/run/current-system/sw/lib/libtpm2_pkcs11.so user@host |
|
83 | +``` |
|
84 | + |
|
85 | +You should be prompted for your token PIN here. |
|
86 | + |
|
87 | +You only need to set `IdentityAgent=none` to bypass using your usual SSH agent (in my case, this is `gpg-agent` configured to use keys stored on a YubiKey, so I'm skipping the "insert token" prompt this way). |
|
88 | + |
|
89 | +You may configure these options in your `~/.ssh/config` as well, to save on typing. |
|
90 | + |
|
91 | +## Potential future work |
|
92 | + |
|
93 | +* Get keys stored with the Feature API instead of just ignoring errors (this is the `fapi` in `TSS2_LOG=fapi+NONE`) |
|
94 | +* Bind keys to boot measurements |
|
95 | +* Use keys in other applications (like Firefox for HTTPS client certs) |
|
96 | + |
|
97 | +## References |
|
98 | + |
|
99 | +- [leo60228.space](https://leo60228.space/trusting-ssh-keys-using-a-centralized-hardware-secret/), some of the `tpm2-pkcs11` commands originally came from here! |
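Review bot: in the paragraph on checking which curves and RSA sizes the TPM supports, the command is named `tpm2_testparms rsa[bits]` but the example that follows reads `tpm2_testparams rsa4096`, which is a different (non-existent) command name; the example should be `tpm2_testparms rsa4096` so a reader who copies it gets the intended support check instead of "command not found". Two smaller points on the `addtoken` step: `export HISTFILE=/dev/null` keeps the PINs out of shell history but not out of the process list, where any local user can read the arguments of the running `tpm2_ptool` via `ps` or `/proc/<pid>/cmdline` for as long as it runs, so a short sentence naming that residual exposure would help readers decide whether it matters on a shared machine; and in PKCS#11 the "SO" of `--sopin` stands for Security Officer rather than "system operator", which already matches the recovery/admin role the sentence describes.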
Home.md
... | ... | @@ -1,7 +1,20 @@ |
1 | +--- |
|
2 | +title: tris.fyi wiki |
|
3 | +--- |
|
4 | + |
|
1 | 5 | Welcome to [Tris](https://tris.fyi)'s wiki! Here you'll find: |
2 | 6 | |
3 | 7 | ## Field notes |
4 | 8 | |
5 | 9 | Field notes are short, usually technical blogpost-y bits of content. I use them to document my experience with a piece of technology or describe how to perform a particular task. |
6 | 10 | |
11 | +* [Using TPM-backed SSH keys on NixOS](FieldNotes/TPMKeys) |
|
7 | 12 | * [Changing your legal name in Madison County, Alabama](FieldNotes/LegalName) (originally published October 2020) |
13 | + |
|
14 | +## Contact information |
|
15 | + |
|
16 | +The best way to reach me is via email: tris@tris.fyi. |
|
17 | + |
|
18 | +## Other things of interest |
|
19 | + |
|
20 | +* [My local government meeting notes](https://tris.fyi/gov) - may eventually be moved into this wiki |
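Review bot: the new index entry reads "Using TPM-backed SSH keys on NixOS" while the page it links to is titled "TPM2-backed SSH keys on NixOS" in the front matter added by the same commit; since the page itself stresses that only TPM 2.0 mode works, consider using the same "TPM2" wording in the link text so the index and the page agree.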