FIDO2: TPM 2.0 with PIN support #4
Comments
Any updates on this?

Hey @AleDema, I don't have plans to work on this at the moment, but I would be happy to have a chat if you're interested in contributing, or have an interesting use case you'd like to discuss.
I just discovered @psanford's tpm-fido, which is a TPM-based U2F platform authenticator for Linux. This might be a great fit. tpm-fido currently emulates a HID device. We already support CTAP1 over HID, but it would be great to be able to integrate without HID dependencies. I've opened an issue for the implementation of high-level APIs: psanford/tpm-fido#14. As for CTAP2, in addition to higher-level APIs, we would need some sort of user verification (TPM2 PIN?).

@AlfioEmanueleFresta I may get NLnet funding for it; I am currently in discussion with them. I thought of integrating it directly into systemd so it comes by default with the distro. Any thoughts or wishes from your side?
@zaolin that sounds great. For FIDO2 use cases, I can think of the following requirements:
I have written about the challenge of origin scoping in a blog post. I do not recommend you solve this within your TPM (systemd?) service, but rather simply ensure the design is compatible with origin scoping being enforced by xdg-desktop-portal or whatever D-Bus portal providing FIDO2 functionality to applications. Specifically, I can think of two ways of achieving this:
I would recommend approach (2) because it would solve both issues of (a) supporting origin scoping enforcement by FIDO2 middleware, as well as (b) storing a virtually unbounded number of credentials, by completely offloading storage of wrapped private keys to the user space middleware. WDYT? I would recommend joining the Secrets @ GNOME Matrix room and connecting with other contributors who may have more thoughts on the systemd integration.

@AlfioEmanueleFresta Hey, I have meanwhile joined the Matrix channel.
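To make the division of labour in the comment above concrete (the TPM service only produces and unwraps opaque key blobs; the user-space middleware stores them and enforces origin scoping), here is an added example. It is not code from tpm-fido, systemd or this project, and it assumes, as a hypothetical design, that the TPM service returns a wrapped private key blob per credential and that the middleware (for instance an xdg-desktop-portal backend) keys those blobs by RP ID and applies the WebAuthn rule that an RP ID must equal the calling origin's effective domain or be a dotted suffix of it. The public-suffix check is a crude approximation; a real implementation would consult the Public Suffix List.

```python
"""Origin scoping for FIDO2 credentials held by user-space middleware.

Added example (not project code). Assumptions: the TPM-backed service hands
back an opaque *wrapped* private key blob that only the TPM can unwrap, and the
middleware stores those blobs keyed by RP ID and decides which application
origin may use which credential.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class WrappedCredential:
    credential_id: bytes
    rp_id: str
    wrapped_key: bytes   # opaque blob from the TPM service (constructed in the demo)
    user_handle: bytes


def effective_domain(origin: str) -> Optional[str]:
    """Host part of an https origin, lower-cased; None for non-https origins."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def rp_id_allowed_for_origin(rp_id: str, origin: str) -> bool:
    """WebAuthn scoping rule: rp_id equals the origin's effective domain or is a
    registrable-domain suffix of it. The registrable-domain check is
    approximated by refusing single-label RP IDs such as "com" (assumption)."""
    host = effective_domain(origin)
    if host is None:
        return False
    rp_id = rp_id.lower()
    if "." not in rp_id:
        return False
    return host == rp_id or host.endswith("." + rp_id)


class MiddlewareStore:
    """Credential store living in user space, not in the TPM service."""

    def __init__(self) -> None:
        self._creds: Dict[str, List[WrappedCredential]] = {}

    def register(self, origin: str, rp_id: str, credential_id: bytes,
                 wrapped_key: bytes, user_handle: bytes) -> WrappedCredential:
        if not rp_id_allowed_for_origin(rp_id, origin):
            raise PermissionError(f"origin {origin!r} may not register for RP ID {rp_id!r}")
        cred = WrappedCredential(credential_id, rp_id.lower(), wrapped_key, user_handle)
        self._creds.setdefault(cred.rp_id, []).append(cred)
        return cred

    def credentials_for(self, origin: str, rp_id: str,
                        allow_list: Optional[Set[bytes]] = None) -> List[WrappedCredential]:
        """Wrapped blobs the caller may hand to the TPM for this origin.
        An origin outside the RP ID's scope sees nothing, regardless of allow_list."""
        if not rp_id_allowed_for_origin(rp_id, origin):
            return []
        creds = self._creds.get(rp_id.lower(), [])
        if allow_list is not None:
            creds = [c for c in creds if c.credential_id in allow_list]
        return list(creds)


def demo() -> int:
    """Register one credential and count what a foreign origin can see."""
    store = MiddlewareStore()
    # Constructed sample values; a real wrapped_key would come from the TPM service.
    store.register("https://login.example.com", "example.com",
                   credential_id=b"\x01" * 16, wrapped_key=b"opaque-tpm-blob",
                   user_handle=b"user-1")
    same_rp = store.credentials_for("https://app.example.com", "example.com")
    foreign = store.credentials_for("https://example.net", "example.com")
    return len(same_rp) - len(foreign)   # 1: visible to the RP, hidden elsewhere


if __name__ == "__main__":
    print("scoped credential delta:", demo())
```

The TPM service never needs to know about origins at all; it only unwraps whatever blob the middleware chooses to pass, which is what lets the scoping policy live in the portal layer.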