TPM 2.0 support on win32 and MacOS

[ethindp]

So far, from what I understand TPM support is Linux/BSD-specific. It would be really cool to add Windows/MacOS support. I believe that through Windows this can be done by using TPM base services on win32. (MacOS would need integration of the T2 chip, I think?)

[reneme]

Regarding Windows: Yes, support for this is certainly possible and also in scope. Botan's wrapper is based on the TCG's TPM Software Stack which is meant to be platform-independent and also supports Windows. I reckon that creating a reliable test setup for our Windows builds in CI would probably need some work, though.

Regarding macOS: Apple is doing their own thing here, as usual. Frankly, I'm doubtful that shoe horning an integration with the T2 under our TPM2 wrapper will fly. I think it would make more sense to create a separate wrapper for this (maybe even via PKCS #11 if modules for that exist). And then, we could consider an abstraction across all those crypto hardware wrappers. Like so:

class Hardware_PrivateKey <<public>> {}

class TPM2_HW_PrivateKey <<private>> {}
class PKCS11_HW_PrivateKey <<private>> {}
class Apple_Enclave_HW_PrivateKey <<private>> {}

Hardware_PrivateKey <|-- TPM2_HW_PrivateKey
Hardware_PrivateKey <|-- PKCS11_HW_PrivateKey
Hardware_PrivateKey <|-- Apple_Enclave_HW_PrivateKey

TPM2_HW_PrivateKey --> TPM2_Wrapper
PKCS11_HW_PrivateKey --> PKCS11_Wrapper
Apple_Enclave_HW_PrivateKey --> T2_Wrapper

[randombit]

Is it even possible for regular userspace software to access the T2 chip? What I've found (from a very brief search) seems to indicate it is only accessible by the operating system itself.

[reneme]

I believe you can. Albeit there doesn't seem to be a lot of flexibility regarding algorithms and such. I didn't look into great detail, but here's a blog post explaining how to create and use a private key: https://medium.com/@alx.gridnev/ios-keychain-using-secure-enclave-stored-keys-8f7c81227f4

[weberph2]

@ethindp TPM support for Windows is available. The Windows specific implementation is part of tpm2-tss which is used by Botan (see here).

You can use the Microsoft TPM simulator for testing. Connect with: Botan::TPM2::Context::create("mssim:host=127.0.0.1,port=2321").