TPM 2.0 software stack and TPM simulator experiments on Ubuntu 16.04
Pre-install: install the dependency packages:
apt install lcov pandoc autoconf-archive liburiparser-dev libdbus-1-dev libglib2.0-dev dbus-x11 libssl-dev \
autoconf automake libtool pkg-config gcc libcurl4-gnutls-dev libgcrypt20-dev libcmocka-dev uthash-dev
I. Download and install the TPM simulator
IBM TPM simulator project page: https://sourceforge.net/projects/ibmswtpm2/files/
Download the latest release (1332 at the time of writing):
wget https://jaist.dl.sourceforge.net/project/ibmswtpm2/ibmtpm1332.tar.gz
mkdir ibmtpm1332
cd ibmtpm1332/
tar zxvf ../ibmtpm1332.tar.gz
cd src/
make
cp tpm_server /usr/local/bin/
Add a systemd unit, tpm-server.service, so the simulator starts before tpm2-abrmd:
vi /lib/systemd/system/tpm-server.service
[Unit]
Description=TPM2.0 Simulator Server Daemon
Before=tpm2-abrmd.service
[Service]
ExecStart=/usr/local/bin/tpm_server
Restart=always
Environment=PATH=/usr/bin:/usr/local/bin
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl start tpm-server.service
Confirm the simulator started correctly:
systemctl status tpm-server.service
tpm_server listens on TCP port 2321 (TPM commands) and 2322 (platform signals). Nothing on either port is authenticated: whoever can reach them can power the simulator on and off and send it arbitrary commands, so keep them on the lab host and do not forward them.
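As an added check (example code written for this page, not part of the original write-up or of the ibmswtpm2 / tpm2-tss projects), the Python script below talks to tpm_server directly over the same TCP protocol that libtss2-tcti-mssim implements: the platform port (2322) takes 32-bit signal codes for power-on and NV-on, and the command port (2321) takes TPM_SEND_COMMAND, a locality byte, a length and the raw TPM2 command, answering with a length, the raw response and a 32-bit ack. It runs TPM2_Startup(CLEAR) and then TPM2_GetRandom and unpacks the random bytes. The host, ports, signal codes and command codes are assumptions taken from the simulator's TpmTcpProtocol.h and the TPM 2.0 Library specification; the exchange also makes the security point above concrete, since no step of it requires any credential.

```python
"""Drive the IBM software TPM over its TCP ("mssim") protocol without the TSS.
Added example for this page, not ibmswtpm2 or tpm2-tss code. Framing follows
the simulator's TpmTcpProtocol.h / TcpServer.c (the same one libtss2-tcti-mssim
speaks); TPM2 command layout follows the TPM 2.0 Library specification, Part 2.
"""
import socket
import struct

# Platform-port signal codes and the command-port framing code (TpmTcpProtocol.h)
TPM_SIGNAL_POWER_ON = 1
TPM_SIGNAL_NV_ON = 11
TPM_SESSION_END = 20
TPM_SEND_COMMAND = 8
# TPM 2.0 wire constants (Library spec Part 2)
TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_STARTUP = 0x0144
TPM_CC_GET_RANDOM = 0x017B
TPM_SU_CLEAR = 0x0000
TPM_RC_SUCCESS = 0x000
TPM_RC_INITIALIZE = 0x100   # Startup already done; harmless on a running simulator


def build_command(command_code, params=b""):
    """Marshal a TPM2 command without authorization sessions: tag, size, code, params."""
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(params), command_code) + params


def parse_response(resp):
    """Return (tag, response_code, parameter_bytes) from a raw TPM2 response."""
    if len(resp) < 10:
        raise ValueError("TPM response shorter than its 10-byte header")
    tag, size, rc = struct.unpack(">HII", resp[:10])
    if size != len(resp):
        raise ValueError("TPM response size field %d != %d bytes received" % (size, len(resp)))
    return tag, rc, resp[10:]


def parse_tpm2b(buf):
    """Unpack a TPM2B (UINT16 size + bytes), e.g. TPM2_GetRandom's randomBytes."""
    (size,) = struct.unpack(">H", buf[:2])
    if len(buf) < 2 + size:
        raise ValueError("truncated TPM2B")
    return buf[2:2 + size]


def frame_mssim(command, locality=0):
    """Wrap a TPM2 command for the simulator's command port."""
    return struct.pack(">IBI", TPM_SEND_COMMAND, locality, len(command)) + command


def unframe_mssim(payload):
    """Strip the command-port reply framing: UINT32 length, body, UINT32 ack (0 = ok)."""
    (length,) = struct.unpack(">I", payload[:4])
    body = payload[4:4 + length]
    if len(body) != length or len(payload) < 8 + length:
        raise ValueError("truncated simulator reply")
    (ack,) = struct.unpack(">I", payload[4 + length:8 + length])
    if ack != 0:
        raise ValueError("simulator reported transport error %d" % ack)
    return body


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("simulator closed the connection")
        buf += chunk
    return buf


def platform_signals(host, port, codes):
    """Send platform signals (power on, NV on), as the mssim TCTI does at init."""
    with socket.create_connection((host, port), timeout=5) as s:
        for code in codes:
            s.sendall(struct.pack(">I", code))
            (ack,) = struct.unpack(">I", _recv_exact(s, 4))
            if ack != 0:
                raise RuntimeError("platform signal %d rejected with %d" % (code, ack))
        s.sendall(struct.pack(">I", TPM_SESSION_END))   # the server sends no ack for this


def transact(sock, command):
    """One framed round trip on the command port; returns the raw TPM2 response."""
    sock.sendall(frame_mssim(command))
    head = _recv_exact(sock, 4)
    (length,) = struct.unpack(">I", head)
    return unframe_mssim(head + _recv_exact(sock, length + 4))


def get_random(nbytes=16, host="127.0.0.1", command_port=2321, platform_port=2322):
    """Power the simulator on, run TPM2_Startup(CLEAR), then TPM2_GetRandom."""
    platform_signals(host, platform_port, [TPM_SIGNAL_POWER_ON, TPM_SIGNAL_NV_ON])
    with socket.create_connection((host, command_port), timeout=5) as s:
        startup = build_command(TPM_CC_STARTUP, struct.pack(">H", TPM_SU_CLEAR))
        _, rc, _ = parse_response(transact(s, startup))
        if rc not in (TPM_RC_SUCCESS, TPM_RC_INITIALIZE):
            raise RuntimeError("TPM2_Startup failed: rc=0x%03x" % rc)
        _, rc, params = parse_response(transact(s, build_command(TPM_CC_GET_RANDOM, struct.pack(">H", nbytes))))
        if rc != TPM_RC_SUCCESS:
            raise RuntimeError("TPM2_GetRandom failed: rc=0x%03x" % rc)
        s.sendall(struct.pack(">I", TPM_SESSION_END))
        return parse_tpm2b(params)


if __name__ == "__main__":
    print(get_random(16).hex())
```

Run it before tpm2-abrmd is started, or after stopping it: the simulator serves one command-port client at a time. TPM2_Startup answering TPM_RC_INITIALIZE (0x100) only means the simulator had already been started, which is why the script tolerates that code.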
II. Install the TPM2 software packages
1. Install tpm2-tss
Add the tss user (the tpm2-abrmd service runs as this unprivileged account):
useradd --system --user-group tss
Download:
wget https://github.com/tpm2-software/tpm2-tss/releases/download/2.1.0/tpm2-tss-2.1.0.tar.gz
tar zxvf tpm2-tss-2.1.0.tar.gz
cd tpm2-tss-2.1.0/
./configure --enable-unit --enable-integration
make check
make install
ldconfig
cd ..
2. Install tpm2-abrmd
Download:
wget https://github.com/tpm2-software/tpm2-abrmd/releases/download/2.0.2/tpm2-abrmd-2.0.2.tar.gz
tar zxvf tpm2-abrmd-2.0.2.tar.gz
cd tpm2-abrmd-2.0.2/
ldconfig
./configure --with-dbuspolicydir=/etc/dbus-1/system.d --with-systemdsystemunitdir=/lib/systemd/system
make
make install
Install the D-Bus activation file where the system bus looks for it:
cp /usr/local/share/dbus-1/system-services/com.intel.tss2.Tabrmd.service /usr/share/dbus-1/system-services/
Make dbus-daemon reload its configuration:
pkill -HUP dbus-daemon
Edit the tpm2-abrmd.service unit so the daemon talks to the simulator instead of the default /dev/tpm0 device TCTI:
vi /lib/systemd/system/tpm2-abrmd.service
Change ExecStart=/usr/local/sbin/tpm2-abrmd
to ExecStart=/usr/local/sbin/tpm2-abrmd --tcti="libtss2-tcti-mssim.so.0:host=127.0.0.1,port=2321"
systemctl daemon-reload
systemctl start tpm2-abrmd.service
Check the status and confirm the service started:
systemctl status tpm2-abrmd.service
3. Install tpm2-tools (from the git development branch, not a tagged release)
git clone https://github.com/tpm2-software/tpm2-tools.git
cd tpm2-tools/
./bootstrap
./configure
make
Test that the tools can reach the simulator through tpm2-abrmd:
./tools/tpm2_getrandom 4
If that works:
make install
Installation complete. Run tpm2_pcrlist and check that it prints the PCR banks:
tpm2_pcrlist
III. Common tpm2 commands
Set the hierarchy authorization values (-o owner password, -e endorsement password, -l lockout password). The value 1 below is a lab placeholder; on a real TPM use strong, distinct values, since the lockout password in particular gates dictionary-attack recovery:
tpm2_takeownership -o 1 -e 1 -l 1
Create a primary object in the endorsement hierarchy, authorizing with the endorsement password 1 (-P), giving the object the password 11 (-K), RSA key type (-G 0x0001) and SHA256 name hash algorithm (-g 0x000b), with the object context saved in po.ctx:
tpm2_createprimary -H e -K 11 -g 0x000b -G 0x0001 -C po.ctx -P 1
Create an RSA key under that primary key, authorizing with the parent's password 11 (-P), giving the new key the password 111 (-K) and SHA256 name hash algorithm, with the public portion saved in key.pub and the private portion (wrapped by the parent) saved in key.priv:
tpm2_create -c po.ctx -P 11 -K 111 -g 0x000b -G 0x0001 -u key.pub -r key.priv
Load the created RSA key under the parent; the key's name is written to key.name and its loaded context to obj.ctx:
tpm2_load -c po.ctx -P 11 -u key.pub -r key.priv -n key.name -C obj.ctx
Encrypt file data.in with the RSA key's public part (no password needed). This is a single raw RSA block, so data.in must be shorter than the modulus minus the padding overhead; wrap a symmetric key with it rather than bulk data:
tpm2_rsaencrypt -c obj.ctx -o data.encrypt data.in
Decrypt with the RSA key's private part, which requires the key password 111:
tpm2_rsadecrypt -c obj.ctx -I data.encrypt -P 111 -o data.decrypt
Sign PCRs with tpm2_quote and verify the signature with OpenSSL. Note that in this exercise the signing key is generated by OpenSSL and loaded into the TPM with tpm2_loadexternal, so it only tests the quote mechanics: a quote meant to attest the platform must be signed by a key created inside the TPM (an attestation key under the endorsement hierarchy). A verifier must also check the qualifying data (-q 11aabb) and the PCR digest inside the signed message, not just the signature itself.
# Generate an ECC key
openssl ecparam -name prime256v1 -genkey -noout -out private.ecc.pem
openssl ec -in private.ecc.pem -out public.ecc.pem -pubout
# Load the private key for signing
tpm2_loadexternal -Q -G ecc -r private.ecc.pem -o key.ctx
# Quote in the TPM and verify the signature with OpenSSL
tpm2_quote -C key.ctx -G sha256 -L sha256:16,17,18 -f plain -q 11aabb -s pcr.out.signed -m pcr.in.raw
openssl dgst -verify public.ecc.pem -keyform pem -sha256 -signature pcr.out.signed pcr.in.raw
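The openssl dgst step above only proves that pcr.in.raw was signed by the loaded key. A verifier also has to look inside pcr.in.raw, which is the marshalled TPMS_ATTEST, to confirm that extraData is the nonce it supplied with -q (so the quote is fresh rather than replayed) and that pcrDigest is the hash of the PCR values it expects. The Python below does that; it is an added example for this page, not tpm2-tools code. The PCR values are constructed, and build_quote_attest exists only to produce test input, since a real structure comes from the TPM. It assumes the sha256 bank and -G sha256 as in the command above; the field layout follows the TPM 2.0 Library specification (TPMS_ATTEST, TPMS_QUOTE_INFO, TPML_PCR_SELECTION).

```python
"""Parse and check the TPMS_ATTEST that `tpm2_quote -f plain -m pcr.in.raw` writes.
Added example for this page (not tpm2-tools code): after OpenSSL has verified
the signature over pcr.in.raw, this confirms the quote carries our nonce
(-q 11aabb) and that pcrDigest matches the PCR values we expect.
Layout per TPM 2.0 Library Part 2: TPMS_ATTEST / TPMS_QUOTE_INFO.
"""
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347   # magic: the TPM, not the caller, built this structure
TPM_ST_ATTEST_QUOTE = 0x8018
TPM_ALG_SHA256 = 0x000B
HASH_NAME = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}


class _Reader:
    """Big-endian cursor over a marshalled TPM structure."""
    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def take(self, n):
        if self.off + n > len(self.buf):
            raise ValueError("truncated TPMS_ATTEST")
        chunk, self.off = self.buf[self.off:self.off + n], self.off + n
        return chunk

    def uint(self, fmt):
        return struct.unpack(">" + fmt, self.take(struct.calcsize(fmt)))[0]

    def tpm2b(self):                      # UINT16 size followed by that many bytes
        return self.take(self.uint("H"))


def parse_quote(attest):
    """Return the fields of a TPM_ST_ATTEST_QUOTE structure as a dict."""
    r = _Reader(attest)
    if r.uint("I") != TPM_GENERATED_VALUE:
        raise ValueError("bad magic, not TPM_GENERATED_VALUE")
    if r.uint("H") != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a quote attestation structure")
    q = {"qualified_signer": r.tpm2b(), "extra_data": r.tpm2b()}   # extraData = the -q nonce
    q["clock_info"] = (r.uint("Q"), r.uint("I"), r.uint("I"), r.uint("B"))  # clock, resetCount, restartCount, safe
    q["firmware_version"] = r.uint("Q")
    q["selections"] = []
    for _ in range(r.uint("I")):                                   # TPML_PCR_SELECTION.count
        alg, bitmap = r.uint("H"), r.take(r.uint("B"))             # hash alg, sizeofSelect, pcrSelect
        q["selections"].append((alg, [8 * i + j for i, b in enumerate(bitmap) for j in range(8) if b >> j & 1]))
    q["pcr_digest"] = r.tpm2b()
    if r.off != len(attest):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return q


def expected_pcr_digest(selections, pcr_values, quote_hash=TPM_ALG_SHA256):
    """Hash the selected PCR values in selection order, as the TPM does for pcrDigest."""
    h = hashlib.new(HASH_NAME[quote_hash])
    for alg, pcrs in selections:
        for idx in pcrs:
            h.update(pcr_values[(alg, idx)])
    return h.digest()


def check_quote(attest, nonce, pcr_values, quote_hash=TPM_ALG_SHA256):
    """List the problems with a signature-verified quote; empty means nonce and PCRs match."""
    q = parse_quote(attest)
    problems = []
    if q["extra_data"] != nonce:
        problems.append("nonce mismatch: quote carries %s" % q["extra_data"].hex())
    if q["pcr_digest"] != expected_pcr_digest(q["selections"], pcr_values, quote_hash):
        problems.append("pcrDigest does not match the supplied PCR values")
    return problems


def build_quote_attest(nonce, selections, pcr_digest, clock=1000, reset_count=1,
                       restart_count=0, firmware_version=0x20181122):
    """Marshal a quote TPMS_ATTEST. Constructed test input only; a real one comes from the TPM."""
    name = b"\x00\x0b" + b"\x11" * 32            # constructed TPM2B_NAME (sha256 alg id + digest)
    out = struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
    out += struct.pack(">H", len(name)) + name + struct.pack(">H", len(nonce)) + nonce
    out += struct.pack(">QIIBQ", clock, reset_count, restart_count, 1, firmware_version)
    out += struct.pack(">I", len(selections))
    for alg, pcrs in selections:
        bitmap = bytearray(3)                    # 24 PCRs -> 3 selection bytes
        for idx in pcrs:
            bitmap[idx // 8] |= 1 << (idx % 8)
        out += struct.pack(">HB", alg, len(bitmap)) + bytes(bitmap)
    return out + struct.pack(">H", len(pcr_digest)) + pcr_digest


def demo():
    """Constructed sha256-bank values for PCRs 16-18 and a quote over them (-q 11aabb)."""
    pcrs = {(TPM_ALG_SHA256, i): hashlib.sha256(b"constructed pcr %d" % i).digest() for i in (16, 17, 18)}
    sel = [(TPM_ALG_SHA256, [16, 17, 18])]
    nonce = bytes.fromhex("11aabb")
    attest = build_quote_attest(nonce, sel, expected_pcr_digest(sel, pcrs))
    fresh = check_quote(attest, nonce, pcrs)                          # matching nonce and PCRs
    replayed = check_quote(attest, bytes.fromhex("deadbeef"), pcrs)   # old quote, new challenge
    return attest, fresh, replayed
```

For a real quote, read pcr.in.raw from the command above and pass the values reported by tpm2_pcrlist as pcr_values, keyed by (0x000B, pcr index); pick a fresh random nonce for -q on every request so that the extraData check actually rules out replay.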
Note: running tpm2_quote produced the following error:
ERROR: Could not convert signature hash algorithm selection, got: "sha256"
I googled for a long time without finding anything, so in the end I had to read the source. In tools/tpm2_quote.c, the code starting at line 191:
converts the value given to the -G command-line option and then compares it against the predefined flags.
For some reason it uses "tpm2_alg_util_flags_sig"; looking up the definition in lib/tpm2_alg_util.c, flags_sig does not contain sha256, which is what causes the error.
But when I tried an algorithm from that definition, such as ecdsa, I got a different error instead:
ERROR: Tss2_Sys_Quote(0x2C3) - tpm:parameter(2):hash algorithm not supported or not appropriate
ERROR: Unable to run tpm2_quote
This is probably because the TPM simulator does not support it; I don't know whether a real physical TPM chip does, and will test that when I get the chance.
Workaround: for now the only option is to modify the tpm2_quote code, changing "tpm2_alg_util_flags_sig" on line 192 to "tpm2_alg_util_flags_hash", and then recompile.