Skip to content

Add TPM support for mTLS key/certs#1502

Draft
Jino26 wants to merge 1 commit into
ibm-openbmc:1210from
Jino26:bmcweb_tpm_support
Draft

Add TPM support for mTLS key/certs#1502
Jino26 wants to merge 1 commit into
ibm-openbmc:1210from
Jino26:bmcweb_tpm_support

Conversation

@Jino26

@Jino26 Jino26 commented Jul 13, 2026

Copy link
Copy Markdown
Member

Allow mTLS identity used for BMC-to-BMC Redfish aggregation - both the private key and the certificate - to live in the TPM instead of on the filesystem, loaded through the OpenSSL OSSL_STORE API via a provider (e.g. tpm2-openssl).

Why: mutual aggregation authenticates each BMC to its peer with a client certificate and with a filesystem-resident key that identity is only as strong as the readability of a PEM file, anyone who can read the rootfs can extract the key and impersonate the BMC. Moving the key into TPM makes it non-exportable; the private key never exists in bmcweb's memory or on flash, signing happens inside TPM and the identity is bound to that specific board. Storing the certificate in a TPM NV index as well lets the whole mTLS identity be provisioned into the hardware at manufacturing, with nothing to deploy onto the filesystem.

Key changes:

  • meson: add uri-key (single key for both aggregation roles), uri-cert, and openssl-config-path options, resolved into bmcweb_config.h. A handle: URI selects a TPM object; file:// or a bare path preserves the existing filesystem behavior.
  • config: ship openssl.cnf (activates the default + tpm2 providers) and wire OPENSSL_CONF into bmcweb.service via openssl-config-path so the provider is scoped to bmcweb.

Validated on hardware with both the key (persistent handle) and the certificate (NV index) resident in each BMC's TPM.

Allow mTLS identity used for BMC-to-BMC Redfish aggregation - both
the private key and the certificate - to live in the TPM instead of on
the filesystem, loaded through the OpenSSL OSSL_STORE API via a provider
(e.g. tpm2-openssl).

Why: mutual aggregation authenticates each BMC to its peer with a client
certificate and with a filesystem-resident key that identity is only as
strong as the readability of a PEM file, anyone who can read the rootfs
can extract the key and impersonate the BMC. Moving the key into TPM
makes it non-exportable; the private key never exists in bmcweb's memory
or on flash, signing happens inside TPM and the identity is bound to
that specific board. Storing the certificate in a TPM NV index as well
lets the whole mTLS identity be provisioned into the hardware at
manufacturing, with nothing to deploy onto the filesystem.

Key changes:
- meson: add uri-key (single key for both aggregation roles), uri-cert,
  and openssl-config-path options, resolved into bmcweb_config.h. A
  handle:<persistent-handle> URI selects a TPM object; file:// or a bare
  path preserves the existing filesystem behavior.
- config: ship openssl.cnf (activates the default + tpm2 providers) and
  wire OPENSSL_CONF into bmcweb.service via openssl-config-path so the
  provider is scoped to bmcweb.

Validated on hardware with both the key (persistent handle)
and the certificate (NV index) resident in each BMC's TPM.

Signed-off-by: Jino Abraham <jinoabraham26@gmail.com>
@Jino26 Jino26 requested a review from manojkiraneda July 13, 2026 09:40
@jenkins-openbmc-ibm

Copy link
Copy Markdown

Can one of the admins verify this patch?

@Jino26

Jino26 commented Jul 13, 2026

Copy link
Copy Markdown
Member Author

Recipe meson options:

-Duri-key=handle:0x81000000 \
-Duri-cert=handle:0x1500010 \
-Dopenssl-config-path=/etc/ssl/openssl_bmcweb.cnf \

@Jino26 Jino26 changed the title ssl: Add TPM support for mTLS key/certs Add TPM support for mTLS key/certs Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants