Closed
Description
- [] Merge all outstanding rev180/183 changes:
- deferred:
- Support for RuntimeAttributes as used for support of FIPS: Add support for FIPS restrictions on more crypto algorithms #428
- KDFe support via OpenSSL: Implement KDFe using OpenSSL's SSKDF #424
- [] KDFa support via OpenSSL: unlikely to work
- Determine whether CrypEccEncrypt/Decrypt can be implemented with OpenSSL functions: no known API
- Check that algorithm and command filtering is done where necessary
- No: Enable SvnLimited and FirmwareLimited hierarchies? What would libtpms need to enable these?
- No to FirmwareLimited: different versions of compilers compiling the same code may lead to different binaries and therefore measuring the libtpms binary may lead to different measurements even if the source is the same -- what should the firmware hash then be?
- Deferring Svn-Limited hierarchy support to libtpms v0.11: WIP: Add support for enabling the SVN-limited hierarchy #470
- [] FIPS-compliance: Support FIPS-140-3 guidance document? How?
- Easy to support:
- Disablement of algorithms (ecdaa, ecschnorr) and curves (ecc-bn, ecc-bn-p*, ecc-sm2-p*)
- Min. RSA key size: rsa-min-size=2048
- Min. EC key size: ecc-min-size=224
- HMAC min. key size 112 bits: are there any keys smaller than 128 bits when only AES symmetric crypto is supported?
- ECC and RSA signature generation not allowed with SHA1: see code in FIPS 140 branch
- Others:
- Does preventing ECC key derivation solve the problem of prohibiting ECDSA signatures with derived ECC keys?
- Pair-wise consistency tests for RSA
- Missing:
- SHA1 etc. are used for HMAC testing but not tested on their own
- XOR usage described in 5.5
- See table 39 of FIPS 140-3 guidance document
For v0.11:
- SVN-limited hierarchy support: WIP: Add support for enabling the SVN-limited hierarchy #470