TPM 2.0 software packages and TPM simulator experiment on Ubuntu 16.04
Author: Road  Published: October 19, 2018  Category: Technology
Pre-install: install the dependency packages:
apt install lcov pandoc autoconf-archive liburiparser-dev libdbus-1-dev libglib2.0-dev dbus-x11 libssl-dev \
autoconf automake libtool pkg-config gcc libcurl4-gnutls-dev libgcrypt20-dev libcmocka-dev uthash-dev
I. Download and install the TPM simulator
IBM TPM simulator project page: https://sourceforge.net/projects/ibmswtpm2/files/
Download the latest version:
wget https://jaist.dl.sourceforge.net/project/ibmswtpm2/ibmtpm1332.tar.gz
mkdir ibmtpm1332
cd ibmtpm1332/
tar zxvf ../ibmtpm1332.tar.gz
cd src/
make
cp tpm_server /usr/local/bin/
Add tpm-server.service:
vi /lib/systemd/system/tpm-server.service
[Unit]
Description=TPM2.0 Simulator Server Daemon
Before=tpm2-abrmd.service
[Service]
ExecStart=/usr/local/bin/tpm_server
Restart=always
Environment=PATH=/usr/bin:/usr/local/bin
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl start tpm-server.service
Confirm that the TPM simulator started normally.
II. Install the TPM2 software packages
1. Install tpm2-tss
Add the tss user:
useradd --system --user-group tss
Download:
wget https://github.com/tpm2-software/tpm2-tss/releases/download/2.1.0/tpm2-tss-2.1.0.tar.gz
tar zxvf tpm2-tss-2.1.0.tar.gz
cd tpm2-tss-2.1.0/
./configure --enable-unit --enable-integration
make check
make install
ldconfig
cd ..
2. Install tpm2-abrmd
Download:
wget https://github.com/tpm2-software/tpm2-abrmd/releases/download/2.0.2/tpm2-abrmd-2.0.2.tar.gz
tar zxvf tpm2-abrmd-2.0.2.tar.gz
cd tpm2-abrmd-2.0.2/
ldconfig
./configure --with-dbuspolicydir=/etc/dbus-1/system.d --with-systemdsystemunitdir=/lib/systemd/system
make
make install
cp /usr/local/share/dbus-1/system-services/com.intel.tss2.Tabrmd.service /usr/share/dbus-1/system-services/
Restart D-Bus:
pkill -HUP dbus-daemon
Edit the tpm2-abrmd.service systemd unit:
vi /lib/systemd/system/tpm2-abrmd.service
Change "ExecStart=/usr/local/sbin/tpm2-abrmd" to "ExecStart=/usr/local/sbin/tpm2-abrmd --tcti="libtss2-tcti-mssim.so.0:host=127.0.0.1,port=2321"" so that the resource manager talks to the simulator over TCP instead of looking for /dev/tpm0.
systemctl daemon-reload
systemctl start tpm2-abrmd.service
Check the status and confirm that the service started normally.
3. Install tpm2-tools
git clone https://github.com/tpm2-software/tpm2-tools.git
cd tpm2-tools/
./bootstrap
./configure
make
Test whether tpm2-tools can connect to the abrmd service normally:
./tools/tpm2_getrandom 4
If that works:
make install
Installation is complete.
Run tpm2_pcrlist and check that it produces normal output.
III. Common tpm2 commands
Set the TPM passwords (-o ownership password, -e endorsement password, -l lockout password):
tpm2_takeownership -o 1 -e 1 -l 1
Create a primary object in the endorsement hierarchy, with 11 as the object password, using RSA keys and the SHA256 name hash algorithm, with the object context saved in the file po.ctx (-P 1 is the endorsement hierarchy password set above):
tpm2_createprimary -H e -K 11 -g 0x000b -G 0x0001 -C po.ctx -P 1
Create an RSA key under the previous primary key, with 111 as the object password and the SHA256 name hash algorithm, with the public portion saved in key.pub and the private portion saved in key.priv:
tpm2_create -c po.ctx -P 11 -K 111 -g 0x000b -G 0x0001 -u key.pub -r key.priv
Load the created RSA key:
tpm2_load -c po.ctx -P 11 -u key.pub -r key.priv -n key.name -C obj.ctx
Encrypt the file data.in with the RSA key:
tpm2_rsaencrypt -c obj.ctx -o data.encrypt data.in
Decrypt with the RSA key:
tpm2_rsadecrypt -c obj.ctx -I data.encrypt -P 111 -o data.decrypt
Steps to sign PCRs with tpm2_quote and verify the signature with OpenSSL:
# Generate an ECC key
openssl ecparam -name prime256v1 -genkey -noout -out private.ecc.pem
openssl ec -in private.ecc.pem -out public.ecc.pem -pubout
# Load the private key for signing
tpm2_loadexternal -Q -G ecc -r private.ecc.pem -o key.ctx
# Sign in the TPM and verify with OSSL
tpm2_quote -C key.ctx -G sha256 -L sha256:16,17,18 -f plain -q 11aabb -s pcr.out.signed -m pcr.in.raw
openssl dgst -verify public.ecc.pem -keyform pem -sha256 -signature pcr.out.signed pcr.in.raw
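The openssl dgst step above only proves that the loaded key signed pcr.in.raw; a verifier must also check that the signed message carries its own nonce (the -q 11aabb value) and that the quoted PCR digest matches the PCR values it expects, otherwise a replayed quote passes. The following Python is an added example, not code from the original post or from tpm2-tools: it parses the TPMS_ATTEST structure that tpm2_quote -m writes and performs those two checks; the sample blob, PCR values and qualifiedSigner name are constructed here so it runs offline.

```python
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347   # magic that starts every TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018       # TPMI_ST_ATTEST value for a quote
TPM_ALG_SHA256 = 0x000B
# Constructed samples (not TPM output): the page's -q 11aabb nonce, made-up sha256 PCR 16/17/18 values
SAMPLE_NONCE = bytes.fromhex("11aabb")
SAMPLE_PCRS = {TPM_ALG_SHA256: {16: b"\x01" * 32, 17: b"\x02" * 32, 18: b"\x00" * 32}}


def _tpm2b(buf, off):  # TPM2B = big-endian UINT16 size + bytes; returns (bytes, next offset)
    (size,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + size], off + 2 + size


def parse_attest(buf):
    """Parse the TPMS_ATTEST that tpm2_quote -m writes (the message openssl dgst verifies)."""
    magic, st = struct.unpack_from(">IH", buf, 0)
    if magic != TPM_GENERATED_VALUE or st != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote structure")
    _signer, off = _tpm2b(buf, 6)            # qualifiedSigner (TPM2B_NAME)
    extra, off = _tpm2b(buf, off)            # extraData: the caller's nonce
    off += 8 + 4 + 4 + 1 + 8                 # clockInfo + firmwareVersion, not checked here
    count = struct.unpack_from(">I", buf, off)[0]
    off += 4
    selection = []
    for _ in range(count):                   # TPML_PCR_SELECTION entries: hash, sizeofSelect, bitmap
        alg, n = struct.unpack_from(">HB", buf, off)
        bits = buf[off + 3:off + 3 + n]
        off += 3 + n
        selection.append((alg, [i for i in range(8 * n) if bits[i // 8] >> (i % 8) & 1]))
    digest, _ = _tpm2b(buf, off)             # pcrDigest (TPM2B_DIGEST)
    return {"nonce": extra, "selection": selection, "pcr_digest": digest}


def verify_quote(buf, nonce, pcr_values):
    """True only if the quote carries our nonce and its digest matches pcr_values."""
    att = parse_attest(buf)
    if att["nonce"] != nonce:                # replayed or foreign quote
        return False
    concat = b"".join(pcr_values[alg][i] for alg, pcrs in att["selection"] for i in pcrs)
    return hashlib.sha256(concat).digest() == att["pcr_digest"]  # -G sha256 picks the digest alg


def build_sample_attest(nonce, pcr_values):
    """Construct a TPMS_ATTEST shaped like tpm2_quote -m output, so the checks run offline."""
    pcrs = sorted(pcr_values[TPM_ALG_SHA256])
    bits = sum(1 << i for i in pcrs).to_bytes(3, "little")   # pcrSelect bitmap, sizeofSelect = 3
    digest = hashlib.sha256(b"".join(pcr_values[TPM_ALG_SHA256][i] for i in pcrs)).digest()
    name = b"\x00\x0b" + b"\x11" * 32        # placeholder qualifiedSigner name
    return (struct.pack(">IHH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE, len(name)) + name
            + struct.pack(">H", len(nonce)) + nonce
            + struct.pack(">QIIBQIHB", 1234, 1, 0, 1, 0, 1, TPM_ALG_SHA256, 3) + bits
            + struct.pack(">H", len(digest)) + digest)
```

Against a real quote, pass the bytes of pcr.in.raw, the nonce given to -q, and the PCR values read from the TPM (tpm2_pcrlist) to verify_quote, and still run the openssl dgst step for the signature.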
Note: when running tpm2_quote, the following error is reported:
ERROR: Could not convert signature hash algorithm selection, got: "sha256"
Googling for a long time turned up nothing, so I finally read the source and found this code starting at line 191 of tools/tpm2_quote.c:
It converts the value given after the -G command-line option and compares it against the predefined flags.
But for some reason it uses "tpm2_alg_util_flags_sig"; checking the definition in lib/tpm2_alg_util.c, flags_sig does not include sha256, which is what causes the error.
But when I tried one of the algorithms from that definition, such as ecdsa, I got a different error:
ERROR: Tss2_Sys_Quote(0x2C3) - tpm:parameter(2):hash algorithm not supported or not appropriate
ERROR: Unable to run tpm2_quote
This is probably the TPM simulator not supporting it; I don't know whether a real physical TPM chip supports it, and will test that when I have the chance.
Workaround: for now the only option is to modify the tpm2_quote code, changing "tpm2_alg_util_flags_sig" on line 192 to "tpm2_alg_util_flags_hash", and recompile.
Please credit the source when reposting: https://www.dp2u.com/2018/tpm2onubuntu16.html
The tpm2-abrmd service reports at startup that it did not detect /dev/tpm0. Is that because the TPM simulator isn't running? I followed the steps above; why would the simulator not be running, and how do I start it?
The simulator probably didn't start automatically; run systemctl enable yourself so the simulator starts at boot.
Which tpm2-tools version goes with tpm2-tss-2.1.0 and tpm2-abrmd-2.0.2? The latest tpm2-tools downloaded from GitHub doesn't match the other two.
I'd like to ask how to configure this when the TPM 2.0 device is real rather than simulated.
The tpm2-tools source the author links to doesn't include tpm2_pcrlist.
After installing tpm2-tools, running tpm2_pcrlist gives
bash:tpm2_pcrlist:未找到命令
How should I fix this? Thanks
Don't run ./bootstrap; just run ./configure directly.
After installing tpm2-tools, running the
tpm2_pcrlist command gives
bash:tpm2_pcrlist:未找到命令. How do I fix this? (I installed successfully following the steps one by one.)
Thanks
Hi,
When installing tpm2-tools, ./configure fails with the following error:
configure: error: Invalid policy. Valid policies: git-directory, minor-version.
I'd like to ask what the problem is.
Thanks!
I ran into the same problem; after updating the version and putting m4 into tpm2-tools, it still didn't fix it.
https://github.com/tpm2-software/tpm2-tools/issues/1577
Have a look at this issue; could it be a version problem with your autoconf-archive?
When installing tpm2-tss,
running make check, all of the test/integration parts failed...
PASS: test/unit/esys-getpollhandles
PASS: test/unit/esys-nulltcti
PASS: test/unit/esys-crypto
FAIL: test/integration/sapi-asymmetric-encrypt-decrypt.int
FAIL: test/integration/sapi-primary-rsa-2K-aes128cfb.int
FAIL: test/integration/sapi-create-keyedhash-sha1-hmac.int
FAIL: test/integration/sapi-encrypt-decrypt.int
I couldn't find a solution on GitHub.
I suspect one of your earlier steps is missing a package or something; I didn't run into this when I installed.