summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-24 13:27:12 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-24 13:39:21 +0200
commite84cf7770e69e24c4b60ca4a772c753774da2693 (patch)
treee5baf1ffd29aaf27b8e8504664613f1b293a0892 /doc
parenta725980e92c866b5d46b3b900d2a51988f55500b (diff)
downloadgnutls-e84cf7770e69e24c4b60ca4a772c753774da2693.tar.gz
doc: advise against using the TPM-specific API
It is restricted to TPM 1.2, and there are fine PKCS#11 wrappers that will provide identifical functionality. Relates #101
Diffstat (limited to 'doc')
-rw-r--r--doc/cha-tokens.texi12
1 files changed, 6 insertions, 6 deletions
diff --git a/doc/cha-tokens.texi b/doc/cha-tokens.texi
index 9518b3445c..a700280b65 100644
--- a/doc/cha-tokens.texi
+++ b/doc/cha-tokens.texi
@@ -18,18 +18,15 @@ In GnuTLS the approach is to handle all keys transparently by the high level API
the API that loads a key or certificate from a file.
The high-level API will accept URIs in addition to files that specify keys on an HSM or in TPM,
and a callback function will be used to obtain any required keys. The URI format is defined in
-@xcite{TPMURI} and the standardized @xcite{PKCS11URI}.
+@xcite{PKCS11URI}.
More information on the API is provided in the next sections. Examples of a URI of a certificate
stored in an HSM, as well as a key stored in the TPM chip are shown below. To discover the URIs
-of the objects the @code{p11tool} (see @ref{p11tool Invocation}),
-or @code{tpmtool} (see @ref{tpmtool Invocation}) may be used.
-
+of the objects the @code{p11tool} (see @ref{p11tool Invocation}).
@example
pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315; \
manufacturer=EnterSafe;object=test1;type=cert
-tpmkey:uuid=42309df8-d101-11e1-a89a-97bb33c23ad1;storage=user
@end example
@@ -491,7 +488,10 @@ certificates by specifying a PKCS #11 URL instead of a filename.
@cindex TPM
In this section we present the Trusted Platform Module (TPM) support
-in @acronym{GnuTLS}.
+in @acronym{GnuTLS}. Note that we recommend against using TPM with this
+API because it is restricted to TPM 1.2. We recommend instead
+to use PKCS#11 wrappers for TPM such as CHAPS@footnote{@url{https://github.com/google/chaps-linux}} or opencryptoki@footnote{@url{https://sourceforge.net/projects/opencryptoki/}}.
+These will allow using the standard smart card and HSM functionality (see @ref{Smart cards and HSMs}) for TPM keys.
There was a big hype when the TPM chip was introduced into
computers. Briefly it is a co-processor in your PC that allows it to perform