author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-05-24 13:27:12 +0200
---|---|---
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-05-24 13:39:21 +0200
commit | e84cf7770e69e24c4b60ca4a772c753774da2693 (patch) |
tree | e5baf1ffd29aaf27b8e8504664613f1b293a0892 /doc |
parent | a725980e92c866b5d46b3b900d2a51988f55500b (diff) |
download | gnutls-e84cf7770e69e24c4b60ca4a772c753774da2693.tar.gz |
doc: advise against using the TPM-specific API
It is restricted to TPM 1.2, and there are fine PKCS#11 wrappers that
will provide identical functionality.
Relates #101
Diffstat (limited to 'doc')
-rw-r--r-- | doc/cha-tokens.texi | 12
1 files changed, 6 insertions, 6 deletions
diff --git a/doc/cha-tokens.texi b/doc/cha-tokens.texi index 9518b3445c..a700280b65 100644 --- a/doc/cha-tokens.texi +++ b/doc/cha-tokens.texi @@ -18,18 +18,15 @@ In GnuTLS the approach is to handle all keys transparently by the high level API the API that loads a key or certificate from a file. The high-level API will accept URIs in addition to files that specify keys on an HSM or in TPM, and a callback function will be used to obtain any required keys. The URI format is defined in -@xcite{TPMURI} and the standardized @xcite{PKCS11URI}. +@xcite{PKCS11URI}. More information on the API is provided in the next sections. Examples of a URI of a certificate stored in an HSM, as well as a key stored in the TPM chip are shown below. To discover the URIs -of the objects the @code{p11tool} (see @ref{p11tool Invocation}), -or @code{tpmtool} (see @ref{tpmtool Invocation}) may be used. - +of the objects the @code{p11tool} (see @ref{p11tool Invocation}). @example pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315; \ manufacturer=EnterSafe;object=test1;type=cert -tpmkey:uuid=42309df8-d101-11e1-a89a-97bb33c23ad1;storage=user @end example @@ -491,7 +488,10 @@ certificates by specifying a PKCS #11 URL instead of a filename. @cindex TPM In this section we present the Trusted Platform Module (TPM) support -in @acronym{GnuTLS}. +in @acronym{GnuTLS}. Note that we recommend against using TPM with this +API because it is restricted to TPM 1.2. We recommend instead +to use PKCS#11 wrappers for TPM such as CHAPS@footnote{@url{https://github.com/google/chaps-linux}} or opencryptoki@footnote{@url{https://sourceforge.net/projects/opencryptoki/}}. +These will allow using the standard smart card and HSM functionality (see @ref{Smart cards and HSMs}) for TPM keys. There was a big hype when the TPM chip was introduced into computers. Briefly it is a co-processor in your PC that allows it to perform |
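Review bot: the first hunk leaves the URI-discovery sentence without a verb: removing `-or @code{tpmtool} (see @ref{tpmtool Invocation}) may be used.` together with the preceding line drops the "may be used" that completed the sentence, so the result reads `+of the objects the @code{p11tool} (see @ref{p11tool Invocation}).` Suggest `of the objects the @code{p11tool} (see @ref{p11tool Invocation}) may be used.` In the same hunk the unchanged context still says "Examples of a URI of a certificate stored in an HSM, as well as a key stored in the TPM chip are shown below", but the `-tpmkey:uuid=...;storage=user` example is removed, so only the PKCS #11 example remains; the sentence should drop the TPM key mention (or keep the tpmkey example) so the text matches the @example block.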
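Review bot: the second hunk spells it `PKCS#11 wrappers` while the unchanged context two lines earlier writes "a PKCS #11 URL" (and the rest of this chapter uses "PKCS #11"); keep one spelling within the file. The added footnotes cite CHAPS and opencryptoki only by URL; a word on what each provides (a PKCS #11 module backed by the TPM) would make the recommendation actionable for readers who do not follow the links, and the new sentence "These will allow using the standard smart card and HSM functionality (see @ref{Smart cards and HSMs}) for TPM keys." is clearer as "These allow the standard smart card and HSM functionality (see @ref{Smart cards and HSMs}) to be used with TPM keys."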