From: Anders R. <and...@gm...> - 2016-06-15 20:14:17
On 2016-06-15 21:03, David Woodhouse wrote:
> On Wed, 2016-06-15 at 15:24 +0200, Anders Rundgren wrote:
>>
>> Since Intel have firmware in their CPUs it seems that Intel is the
>> party that should enable this capability...
>
> Intel has SGX, which theoretically allows you to do basically the same
> thing as I described to Peter, purely in a software enclave.

https://software.intel.com/en-us/articles/providing-hardware-based-security-by-leveraging-intel-identity-protection-technology-and

"To obtain a copy of the IntelJCE you need to contact your Intel representative"

Anders

>
> You could just store your keys in a PKCS#11 token and your keys would
> be magically bound to the hardware to prevent copying them, in exactly
> the same way.
>
> If only there was someone from Intel who was interested in that use
> case. Of course, even while they were tilting at windmills internally
> to fix the SGX signing model and make it possible to ship open source
> code to use such an enclave in a PKCS#11 token, they'd probably have
> their work cut out making PKCS#11 a first-class citizen in the open
> source world so that it's *feasible* to just use a key from PKCS#11
> instead of a filename, for various applications and crypto libraries.
>
> https://fedoraproject.org/wiki/PackageMaintainers/PKCS11
> https://bugzilla.gnome.org/show_bug.cgi?id=679860
> https://bugzilla.gnome.org/show_bug.cgi?id=719982
> ...etc...