[PATCH] enhanced smartcard support

Jouni Malinen j at w1.fi
Fri May 23 12:20:15 EDT 2008


On Fri, May 23, 2008 at 11:47:28AM +0300, Jouni Malinen wrote:

> My ThinkPad T43 should have TPM, but getting it working was not exactly
> trivial and I don't know whether the security chip is now more or less
> completely locked or what it is doing since it does not likely any
> passwords/PINs..

I finally found a way to clear the security chip state through BIOS
(after some odd magic to get the BIOS setup to show the option for doing
this) and I tried again. This time, I just used a simple password/pin
for every possible location to avoid any possible issue and
tpm_takeownership and tpmtoken_init were able to complete their tasks.

For the first test, I just imported couple of certificates and a private
key to the TPM token with pkcs11-tool. This does not sound like the best
way of using TPM since I would prefer not to see the private key ever
exit the security chip, but for the time being, importing existing keys
seemed simpler. Should probably try to generate a certificate request
with TPM engine to avoid the private key being exposed.

I tried configuring the private key, user certificate, and CA
certificate from the OpenSSL engine and that seemed to work and I was
able to complete EAP-TLS authentication successfully. For some reason,
this is painfully slow and I needed to increase the authentication
timeout in eapol_test from the default 30 to couple of minutes to avoid
timeouts.. I don't understand why it would need that much time, but
well, it did. Anyway, at least the mechanism of fetching certificates
from tpm/pkcs11 token seemed to work fine.
 
-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list