Below, will be examples and discussion on how to use P11kit with tpm2-pkcs11. This will not be exhaustive, nor should it be. However, commands not explicitly listed will likely not work as they are work in progress.
In order to use tpm2-pkcs11 with P11kit, one MUST have P11kit installed before running
and perform a make install
. Often times, one must be root to do the install,
ie sudo make install
During the configure step, tpm2-pkcs11 detects if P11kit is installed, and installs necessary configuration files and changes library installation paths so it works.
To install p11kit, on Ubuntu, just do:
sudo apt-get install p11-kit
This is the hello world of P11kit. This tests that the module can be seen. We assume a clean slate, it no TPM2_PKCS11_STORE is present.
p11-kit list-modules
p11-kit: tpm2_pkcs11: module failed to initialize, skipping: The device is not present or unplugged
This will likely have more output than what is shown here, however, the error message indicates that p11 kit sees the tpm2-pkcs11 library as a slot but that the token is not present. This state is analogous to a smart card reader that doesn't have a smart card in it.
Now that we have p11kit seeing the tpm2-pkcs11 library, lets initialize a store. This is the process of configuring the the tpm to pkcs11 bridge so it has tokens and objects for the pkcs11 paradigm. init --path=~/tmp addtoken --pid=1 --sopin=mysopin --userpin=myuserpin --label=p11kit --path=~/tmp
auto-detecting TPM encryptdecrypt interface for wrapping key usage
Using "TPM" based object authorization protections
Created token: p11kit
No we have an initialized store and a token. Ie we inserted a non-provisioned smart card into the reader. Now when we list the installed modules, it should be an in inserted and initialized state.
p11-kit list-modules
library-description: TPM2.0 Cryptoki
library-manufacturer: Intel
library-version: 42.42
token: p11kit
manufacturer: Intel
model: TPM2 PKCS#11
serial-number: 0000000000000000
Note: The details of this output may change, as many of the values are still in development.
The p11tool is used to interact with pkcs11 modules and its API.
It can be installed on Ubuntu via:
sudo apt install gnutls-bin
This tutorial assumes you completed the section P11 Kit Configuration
p11tool can work of of token URLs. To find our token URL so we can use only that token we run the command:
p11tool --list-token-urls
Now we have a URL we can use for subsequent commands and ignore other tokens on your system.
Note:I set the variable token=pkcs11:model=TPM2%20PKCS%2311;manufacturer=Intel;serial=0000000000000000;token=p11kit
my bash shell before continuing.
Let's probe the token and see what objects are on it:
p11tool --list-all "$token"
No matching objects found
The only way to add an object to the token currently is via and we only support AES and RSA key objects. This will change in the future. addkey --label=p11kit --userpin=myuserpin --algorithm=aes128 --key-label=myfirstkey --path=~/tmp
Added key as label: "myfirstkey"
p11tool --list-all "$token"
Object 0:
URL: pkcs11:model=TPM2%20PKCS%2311;manufacturer=Intel;serial=0000000000000000;token=p11kit;object=myfirstkey;type=secret-key
Type: Secret key
Label: myfirstkey
Object 1:
The next example will show how to generate a random number. We'll be piping it through xxd for display purposes. Be careful running this command without a redirect or pipe to something like xxd. Dumping raw bytes to the terminal can cause unexpected behaviors.
$ p11tool --generate-random=4 $token | xxd
00000000: 02b6 0c20
Outside of using to add objects, p11tool supports creating objects through the PKCS#11 interface.
This will generate an RSA keypair using p11tool:
p11tool --login --generate-rsa --bits=2048 --label=p11kit "$token"
Successful runs should see the following output:
-----END PUBLIC KEY-----
This will show how to delete an object. The first step is having an object to delete on the token and obtaining a URL to the object you want to delete. Look at the section on Adding Object via The URL should be:
URL: pkcs11:model=TPM2%20PKCS%2311;manufacturer=Intel;serial=0000000000000000;token=p11kit;object=myfirstkey;type=secret-key
Now that we know what object to delete, lets delete it. Ensure you provide the --login
option and the password:
$ GNUTLS_PIN=myuserpin p11tool --login --delete 'pkcs11:model=TPM2%20PKCS%2311;manufacturer=Intel;serial=0000000000000000;token=p11kit;object=myfirstkey;type=secret-key'
Object 0:
URL: pkcs11:library-description=%20TPM2.0%20Cryptoki%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;library-manufacturer=%20Intel%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;model=TPM2%20PKCS%2311;manufacturer=Intel;serial=0000000000000000;token=p11kit;id=%62%33%34%39%39%38%63%32%37%66%37%38%39%61%62%66;object=myfirstkey;type=secret-key
Type: Secret key
Label: myfirstkey
ID: 62:33:34:39:39:38:63:32:37:66:37:38:39:61:62:66
Are you sure you want to delete those objects? (y/N): y
1 objects deleted
And verify that it's gone:
$ p11tool --list-all "$token"
No matching objects found