Discussion:
[strongSwan] TPM2.0 and ESAPI
Piotr Parus
2018-06-26 06:35:42 UTC
Hello!

From the source code I see that when strongSwan uses a TPM 2.0 chip it
uses the TSS System API (SAPI) without sessions. Do the strongSwan
maintainers have plans to switch to the Enhanced System API (ESAPI), which
enables easier session handling and encrypting transmission on the wire
to the TPM chip?

Best regards,

Piotr Parus
Andreas Steffen
2018-06-26 15:07:43 UTC
Hi Piotr,

I've been aware of the emerging ESAPI which is indeed offering increased
security in the communication with the TPM 2.0 and [hopefully] easier
session handling but I wanted to wait for the 2.0.0 stable release,
which apparently happened 5 days ago.

Porting the strongSwan tpm plugin to ESAPI would be made much easier if
the tpm2-tools would also adopt the ESAPI session handling, thus
offering example code on how the new API is supposed to be used.

Regards

Andreas
--
======================================================================
Andreas Steffen ***@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
Piotr Parus
2018-07-04 09:30:41 UTC
Good morning/Hi/Hello Andreas,

Thanks for your quick answer. I understand from it that switching to
ESAPI is possible but not in the near future, as ESAPI is quite new
and requires some significant time to learn how to use it. Am I correct?

Regards,

Piotr Parus
Andreas Steffen
2018-07-04 15:06:23 UTC
Hi Piotr,

Yes, that's correct. Some practical ESAPI examples would help
tremendously, especially in the form of ESAPI-enabled tpm2-tools.

Bye for now

Andreas