Thank you all for your prompt responses and the links you shared.
In our earlier system, we tried openssh + openssl 3.x custom provider + HW crypto (without OP_TEE) and it works.
In this new system we have OP-TEE and are trying to port the earlier approach. But what we can foresee is a potential issue with how OpenSSH handles OP-TEE file handlers.
Has anybody tried this before, or does anybody know of an OpenSSH + OP-TEE implementation? I am not sure whether we need a PKCS#11 implementation; as per my understanding it is not needed!
Regards, Hareesh
-----Original Message-----
From: Jorge Ramirez-Ortiz, Foundries jorge@foundries.io
Sent: Wednesday, August 30, 2023 4:52 PM
To: Sumit Garg sumit.garg@linaro.org
Cc: Hareesh Das Ulleri hareesh.ulleri@ovt.com; op-tee@lists.trustedfirmware.org
Subject: Re: Optee + OpenSSH/OpenSSL
On 29/08/23 15:25:42, Sumit Garg wrote:
Hi Hareesh,
On Tue, 29 Aug 2023 at 13:35, Hareesh Das Ulleri hareesh.ulleri@ovt.com wrote:
Hello all,
We have started using OP-TEE in our project.
Since we are new to OP-TEE, could someone please confirm whether anyone has already tried the below in their project, or whether it is possible to use it along with OpenSSH/OpenSSL?
What we try to accomplish is: application/sshd -> openssl (libcrypto/provider) -> Optee (client/TA) -> (HW or SW cipher algorithm) for data encryption/decryption.
I would rather suggest you use the existing OP-TEE based PKCS#11 engine for openssl. For detailed information, I would suggest you go through [1].
+1
[1] https://optee.readthedocs.io/en/latest/building/userland_integration.html#pkcs-11-driver
If you use an openssl provider you will be developing on the edge, so I will be interested in your commits upstream if you are using it to access a TPM (last time I checked the tpm2-pkcs11 implementation was not working with an openssl provider, just the engine).
What we did at Foundries was to use the engine interface and from there plug in the different pkcs11 implementations (op-tee being one, tpm2 being another).
-Sumit
Thanks, Hareesh
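The engine-based path recommended above (OpenSSL -> libp11 pkcs11 engine -> OP-TEE's PKCS#11 library, libckteec, from optee_client), written out as an added openssl.cnf example; this is not configuration from the thread or from the OP-TEE project, and the library paths are assumptions for a typical install.

```ini
# openssl.cnf fragment: route OpenSSL private-key operations through the
# libp11 "pkcs11" engine, which in turn loads OP-TEE's PKCS#11 module
# (libckteec). Paths are assumed; adjust to where your build installs them.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# libp11 engine shim (assumed path; engines-1.1 on OpenSSL 1.1 builds)
dynamic_path = /usr/lib/engines-3/libpkcs11.so
# OP-TEE PKCS#11 client library from optee_client (assumed path)
MODULE_PATH = /usr/lib/libckteec.so.0
# Defer engine initialisation until first use rather than at config load
init = 0
```

With this in place a key that never leaves the TEE is addressed by PKCS#11 URI, e.g. `openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:token=<TOKEN_LABEL>;object=<KEY_LABEL>;type=private" -sign ...` (labels are placeholders). The OpenSSH client can load the same module directly without the engine via `ssh -I /usr/lib/libckteec.so.0` or `ssh-keygen -D /usr/lib/libckteec.so.0` to list the token's public keys.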