On Mon, 2019-07-08 at 18:46 +0200, Daniel Kobras wrote:
Hi all!

Using either GnuTLS or one of the TPM2 engines for OpenSSL, it's possible to use keyfiles that are encrypted with a wrapping key from a TPM2 device. Implementations have started to use special PEM headers for these files. If openconnect it can automatically invoke the necessary magic to unwrap the key without any user interaction. A similar patch for wpa_supplicant can be found at http://lists.infradead.org/pipermail/hostap/2019-July/040318.html.

Alas, these PEM files currently fail NM's header validation. The attached patch just accepts these keys in NM, assuming further support is present in the backend tools.

Hi,

The patch looks good to me.

best,
Thomas
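
A sketch of the kind of PEM header check discussed in this thread, added here as an illustration; it is not the attached patch and not NetworkManager's code. The function and enum names are hypothetical, and the two TSS2 labels are the ones used by the TPM2 OpenSSL engines and OpenConnect rather than strings quoted in the messages above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum key_kind { KEY_INVALID, KEY_SOFTWARE, KEY_TPM2_WRAPPED };
/* Accepted PEM labels. A TPM2-wrapped key is only usable on the machine whose
 * TPM holds the wrapping key, so it is reported as its own kind. */
static const struct { const char *label; enum key_kind kind; } known[] = {
    { "PRIVATE KEY",           KEY_SOFTWARE },
    { "ENCRYPTED PRIVATE KEY", KEY_SOFTWARE },
    { "RSA PRIVATE KEY",       KEY_SOFTWARE },
    { "EC PRIVATE KEY",        KEY_SOFTWARE },
    { "TSS2 PRIVATE KEY",      KEY_TPM2_WRAPPED },
    { "TSS2 KEY BLOB",         KEY_TPM2_WRAPPED },
};

/* Length-bounded substring search: file contents need not be NUL-terminated. */
static const char *find(const char *buf, size_t len, const char *needle, size_t nlen)
{
    for (size_t i = 0; nlen <= len && i <= len - nlen; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return buf + i;
    return NULL;
}

enum key_kind classify_pem_key(const char *buf, size_t len)
{
    for (size_t k = 0; k < sizeof known / sizeof known[0]; k++) {
        char begin[64], end[64];
        int bl = snprintf(begin, sizeof begin, "-----BEGIN %s-----", known[k].label);
        int el = snprintf(end, sizeof end, "-----END %s-----", known[k].label);
        const char *b = find(buf, len, begin, (size_t)bl);
        /* The first header found must start a line and be followed by the
         * footer with the same label; anything else is rejected. */
        if (!b || (b != buf && b[-1] != '\n'))
            continue;
        const char *body = b + bl;
        if (find(body, len - (size_t)(body - buf), end, (size_t)el))
            return known[k].kind;
    }
    return KEY_INVALID;
}

int main(void)
{
    /* Constructed sample with a placeholder body, not a real key. */
    const char s[] = "-----BEGIN TSS2 PRIVATE KEY-----\nAAAA\n-----END TSS2 PRIVATE KEY-----\n";
    printf("kind=%d\n", classify_pem_key(s, sizeof s - 1));
    return 0;
}
```

The check only recognises the label; whether the key can actually be unwrapped still depends on the backend tool and the local TPM.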