Task #2948
Updated by Yingdi Yu over 8 years ago
One of the overhead of the current SecTpm is the key lookup, which is similar to the old implementation of Pib (SecPib). For example, to perform a signing operation, the current implementation must do a lookup operation in Tpm. In SecTpmOsx, the lookup involves inter-process operation; in SecTpmFile, the lookup involves file system operation, and even worse it has to load the key from file every time. It would be better to optimize the Tpm with the similar abstraction as the one of new Pib implementation (Pib). That is, we have a front end abstraction (whose public interface is read-only) and have a back end abstraction provides the handler of key. A key (Note, this handler is the abstract interface to manipulate a private key in TPM. For example, in the TPM based on OS X keychain, TPM is just the handler is a Keychain Item Reference. Every private key related crypto function in to OS X keychain service requires such a item reference. In previous implementation, we will lookup KeyChain service, it does not expose the reference in every crypto function. key bits). With the KeyHandler abstraction that retain the reference, we can avoid the lookup and directly invoke OS X keychain service functions. In Memory-based TPM, the handler could simply carry the private key. With the new abstraction, the front end can maintain in memory a list of key handlers that have been used before. This new abstraction also makes the style of the implementation of TPM and PIB consistent.