author: Pramod <pramod.raghavendra.jayathirth@intel.com> 2018-03-29 10:22:33 -0700
committer: Pramod <pramod.raghavendra.jayathirth@intel.com> 2018-03-30 05:13:09 -0700
commit: 76f424e841653b899504d8064f1055f8c114985d (patch)
tree: ff41308d64f33605891f31cdfca0e04df130529d
parent: 8a5b33a9ba846d785d244e29bc29a46f7be34928 (diff)
tpm tools for the below functionalities
1. INIT (script) - establishes the connection with the actual TPM hardware and loads the primary key into the TPM hardware
2. Sign and verify (script) - loads the key and does the sign and verify operation

Issue-ID: AAF-207
Change-Id: I015eb5fbc6f0e6f09ca454ed1bb55c5f5aadebae
Signed-off-by: Pramod <pramod.raghavendra.jayathirth@intel.com>
-rw-r--r--  tpm-tools/INSTALL                                        53
-rw-r--r--  tpm-tools/LICENSE                                        14
-rw-r--r--  tpm-tools/README                                         17
-rwxr-xr-x  tpm-tools/initandverify/Duplicate.sh                      6
-rwxr-xr-x  tpm-tools/initandverify/ImportTpmKey.sh                   6
-rwxr-xr-x  tpm-tools/initandverify/Init_and_create_tpm_primary.sh   58
-rwxr-xr-x  tpm-tools/initandverify/Sign_Verify_test.sh              35
-rw-r--r--  tpm-tools/initandverify/private.pem                      27
-rw-r--r--  tpm-tools/initandverify/public.pem                        9
9 files changed, 225 insertions, 0 deletions
diff --git a/tpm-tools/INSTALL b/tpm-tools/INSTALL
new file mode 100644
index 0000000..a33bc6b
--- /dev/null
+++ b/tpm-tools/INSTALL
@@ -0,0 +1,53 @@
+1. Download TPM emulator - ibmtpm974.tar.gz
+ a. cd src/
+ b. make
+ c. Run tpm_server binary - ./tpm_server –rm
+
+2. Download TSS version 1.2.0
+ a. Run following commands
+ i. ./bootstrap
+ ii. ./configure
+ iii. If you face any error for pkg-config,
+ 1. export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+ iv. make && make install
+
+3. Download tpm2-abrmd version 1.1.1
+ a. Run following commands
+ i. sudo useradd --system --user-group tss
+ ii. cd tpm2-abrmd
+ iii. ./bootstrap
+ iv. ./configure
+ v. If you face any error for pkg-config,
+ 1. export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+ vi. make && make install
+ vii. sudo udevadm control --reload-rules && sudo udevadm trigger
+ viii. sudo pkill -HUP dbus-daemon
+ ix. systemctl daemon-reload
+ b. Run tpm2-abrmd as follows - ./tpm2-abrmd -t socket
+ c. Check in tpm_server whether following debug prints are resulted in console, after resource manager startup
+ Client accepted
+ Client accepted
+
+4. Download tpm2-tools version 2.1.0
+ a. Run the following commands
+ i. ./bootstrap
+ ii. ./configure
+ iii. make && make install
+
+5. Now configure Initialize TPM, configure with Primary key and then save it in TPM’s NV ram
+ a. Initialize TPM
+ i. tpm2_startup -clear -T tabrmd –V
+ b. Take ownership
+ i. tpm2_takeownership -o new -e new -l new -T tabrmd –V
+ c. Create Primary Key
+ i. tpm2_createprimary -P new -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob
+ d. Save primary Key in NV ram
+ i. tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S 0x81000011 -T tabrmd -V -P new
+ e. Check Primary Keys public portion
+ i. tpm2_readpublic -H 0x81000011 --opu out_primary_public -T tabrmd –V
+ f. If all the above commands are successful then TPM emulator, TPM resource manager and TPM tools are working fine
+
+6. Now compile the TPM duplication tool with "make" command and run it as per instructions. use "./ossl_tpm_util --help" for usage.
+
+7. Note: If you restart tpm_server, then you have to restart TPM resource manager too. And the repeat from step 5.
+
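Review bot: the flags in steps 1c, 5a, 5b and 5e are written with an en dash (`./tpm_server –rm`, `-T tabrmd –V`) instead of `-rm` and `-V`, so the commands fail when pasted verbatim; please retype them with a plain hyphen. Step 6 also tells the reader to build "the TPM duplication tool" with `make` and run `./ossl_tpm_util --help`, but no Makefile or `ossl_tpm_util` source is part of this change (the scripts later call `../duplicate/ossl_tpm_duplicate` and `../import/ossl_tpm_import`), so either add those sources or say where they come from. Finally, steps 5b to 5d set all three hierarchy auths to the literal `new` and pass them on the command line; it is worth stating that these are emulator-only values that must be replaced on real hardware.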
diff --git a/tpm-tools/LICENSE b/tpm-tools/LICENSE
new file mode 100644
index 0000000..366ca6c
--- /dev/null
+++ b/tpm-tools/LICENSE
@@ -0,0 +1,14 @@
+/* Copyright 2018 Intel Corporation, Inc
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
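Review bot: this is the Apache 2.0 per-file header wrapped in C block-comment markers, not the licence text itself; a file named LICENSE is normally expected to carry the full Apache-2.0 text, so either drop the full licence in here or move this header into the individual source files and keep the `/* ... */` markers out of a plain-text file.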
diff --git a/tpm-tools/README b/tpm-tools/README
new file mode 100644
index 0000000..a49420c
--- /dev/null
+++ b/tpm-tools/README
@@ -0,0 +1,17 @@
+
+After the installation of steps as given in the INSTALL document,
+follow the steps below.
+
+After you have installed the tools in "Duplicate" and "Import" directory
+
+1. Run the Init_and_create_tpm_primary.sh to initialize the connection to TPM
+and load the primary key into the TPM
+
+2. Run the Duplicate.sh which takes RSA private key in pem format as input and
+generates TPM structured buffers
+
+3. Run the ImportTpmKey.sh which takes the generated buffers from the "Duplicate tool"
+and generates the private and public portion of the tpm loaded key
+
+4. Run the Sign_Verify_test.sh which loads the key and does the sign and verify
+operation
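Review bot: the README points the reader at tools in a "Duplicate" and "Import" directory that are not added by this commit, so the flow cannot be followed from the tree as committed; state where those tools are built or add them. The opening "After the installation of steps as given in the INSTALL document" also reads awkwardly ("After completing the steps in the INSTALL document" is clearer), and step 2 should mention that `Duplicate.sh` reads the checked-in `./private.pem` by default, so users know to substitute their own key rather than reuse the sample pair.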
diff --git a/tpm-tools/initandverify/Duplicate.sh b/tpm-tools/initandverify/Duplicate.sh
new file mode 100755
index 0000000..fd95c09
--- /dev/null
+++ b/tpm-tools/initandverify/Duplicate.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+echo "../duplicate/ossl_tpm_duplicate -pemfile ./private.pem -parentPub out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey"
+rm -f dupPub dupPriv dupSymseed dupEncKey
+../duplicate/ossl_tpm_duplicate -pemfile ./private.pem -parentPub out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey
+
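Review bot: `-pemfile ./private.pem` is hard-wired to the sample key committed next to the script; take the PEM path as `$1` with a usage message when it is missing, so that real keys never have to be dropped into the repository directory. The script should also propagate the exit status of `ossl_tpm_duplicate`: because `rm -f dupPub dupPriv dupSymseed dupEncKey` runs first, a failed invocation leaves no outputs while the script still returns 0 to the caller.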
diff --git a/tpm-tools/initandverify/ImportTpmKey.sh b/tpm-tools/initandverify/ImportTpmKey.sh
new file mode 100755
index 0000000..0ff4848
--- /dev/null
+++ b/tpm-tools/initandverify/ImportTpmKey.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+echo "../import/ossl_tpm_import -H 0x81000011 -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv"
+rm -f outPub outPriv
+../import/ossl_tpm_import -H 0x81000011 -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv
+
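Review bot: the parent handle `0x81000011` appears here as a literal and again in `Init_and_create_tpm_primary.sh` and `Sign_Verify_test.sh`; factor it into a single variable or accept it as an argument so the three scripts cannot drift apart. As in `Duplicate.sh`, the exit status of `ossl_tpm_import` is ignored after the preceding `rm -f outPub outPriv`, so a failure is reported as success; end the script with the tool's exit code or `set -e`.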
diff --git a/tpm-tools/initandverify/Init_and_create_tpm_primary.sh b/tpm-tools/initandverify/Init_and_create_tpm_primary.sh
new file mode 100755
index 0000000..6863102
--- /dev/null
+++ b/tpm-tools/initandverify/Init_and_create_tpm_primary.sh
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+case "$1" in
+
+--out-public)
+ out_primary_public=$2
+ ;;
+
+--help)
+ echo "$0 [--out-public primaty_public_bin_file (optional)]"
+ exit 0
+ ;;
+
+*)
+ out_primary_public="out_parent_public"
+ ;;
+
+esac
+
+#echo "out-public file: $out_primary_public"
+
+# TPM initialize
+echo "tpm2_startup -clear -T tabrmd -V"
+tpm2_startup -clear -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; exit 1; fi
+echo ""
+
+# Take ownership
+echo "tpm2_takeownership -o new -e new -l new -T tabrmd -V"
+tpm2_takeownership -o new -e new -l new -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; exit 1; fi
+echo ""
+
+# Create Primary Key in RH_OWNER hierarchy
+rm -f PrimaryKeyBlob
+echo "tpm2_createprimary -P new -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob"
+tpm2_createprimary -P new -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; exit 1; fi
+echo ""
+
+# Store Primary Key in TPMs NV RAM
+echo "tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S 0x81000011 -T tabrmd -V -P new"
+tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S 0x81000011 -T tabrmd -V -P new
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; exit 1; fi
+echo ""
+rm -f PrimaryKeyBlob
+
+# To test, Read public portion of TPM primary key with stored handle
+rm -f $out_primary_public
+echo "tpm2_readpublic -H 0x81000011 --opu $out_primary_public -T tabrmd -V"
+tpm2_readpublic -H 0x81000011 --opu $out_primary_public -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; exit 1; fi
+echo ""
+
+
+# Some TPM commands to test
+#tpm2_load -c PrimaryKeyBlob -u outPub -r outPriv -n ChildKeyName -C ContextChild
+
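Review bot: `${RED}` is never defined anywhere in the script and `echo -e` is not portable under `#!/bin/sh` (dash prints the literal `-e`), so every error branch prints garbage; drop the colour variable or define it and use `printf`. The owner, endorsement and lockout auths are fixed to the literal `new` on the `tpm2_takeownership -o new -e new -l new` line and again via `-P new`, which puts them in shell history and process listings; read them from a variable or prompt for them. Two smaller points: the `--out-public` branch uses `$2` without checking that it is non-empty, and because no old-auth values are supplied to `tpm2_takeownership`, the script will not rerun cleanly against a TPM whose auths were already set by a previous run, which is exactly the "repeat from step 5" case INSTALL describes.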
diff --git a/tpm-tools/initandverify/Sign_Verify_test.sh b/tpm-tools/initandverify/Sign_Verify_test.sh
new file mode 100755
index 0000000..660dff9
--- /dev/null
+++ b/tpm-tools/initandverify/Sign_Verify_test.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+echo "hello world.." > hello_tpm.txt
+
+# Load the Child context in TPM
+rm -f ChildKeyName ContextChild
+tpm2_load -H 0x81000011 -u outPub -r outPriv -n ChildKeyName -C ContextChild
+
+echo "tpm2_hash -H o -g 0x00B -I hello_tpm.txt -o hello_tpm_hash.bin -t outTicket"
+rm -f hello_tpm_hash.bin outTicket
+tpm2_hash -H o -g 0x00B -I hello_tpm.txt -o hello_tpm_hash.bin -t outTicket
+echo ""
+
+echo "tpm2_sign -c ContextChild -g 0x000B -m hello_tpm.txt -s hello_tpm.sig"
+rm -f hello_tpm.sig
+tpm2_sign -c ContextChild -g 0x000B -m hello_tpm.txt -s hello_tpm.sig
+echo ""
+
+echo "tpm2_verifysignature -c ContextChild -g 0x000b -m hello_tpm.txt -s hello_tpm.sig -t tk.sig"
+rm -f tk.sig
+tpm2_verifysignature -c ContextChild -g 0x000b -m hello_tpm.txt -s hello_tpm.sig -t tk.sig
+echo ""
+
+echo "Extracting signature from TPM format"
+echo "dd if=hello_tpm.sig of=hello_tpm.sig.raw bs=1 skip=6 count=256"
+rm -f hello_tpm.sig.raw
+dd if=hello_tpm.sig of=hello_tpm.sig.raw bs=1 skip=6 count=256
+echo ""
+
+echo "openssl dgst -verify public.pem -keyform pem -sha256 -signature hello_tpm.sig.raw hello_tpm.txt"
+openssl dgst -verify public.pem -keyform pem -sha256 -signature hello_tpm.sig.raw hello_tpm.txt
+echo ""
+
+rm -f hello_tpm_hash.bin outTicket tk.sig
+
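Review bot: none of the `tpm2_*` calls check their exit status, so a failed `tpm2_load` or `tpm2_sign` still falls through to `openssl dgst -verify`, and these four commands are the only ones in the change that omit `-T tabrmd`, so they may end up on a different TCTI than the primary key was created on. The `dd if=hello_tpm.sig of=hello_tpm.sig.raw bs=1 skip=6 count=256` extraction assumes a 2048-bit RSASSA signature (a 6-byte TPMT_SIGNATURE header followed by exactly 256 signature bytes) and silently produces a wrong file for any other key size or scheme; derive `count` from the file size or at least document the assumption in a comment. Also `tpm2_hash` writes `hello_tpm_hash.bin` and `outTicket`, which are never used before being removed, and its `-g 0x00B` is spelled differently from the `0x000B` used on the sign line.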
diff --git a/tpm-tools/initandverify/private.pem b/tpm-tools/initandverify/private.pem
new file mode 100644
index 0000000..4ac26a2
--- /dev/null
+++ b/tpm-tools/initandverify/private.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
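Review bot: this commits an RSA private key to the repository. Even as a test fixture it should be generated at test time (for example with `openssl genrsa`) rather than checked in: anything signed under the matching `public.pem` is verifiable by anyone who can read this history, and a key that ships inside a signing-tool tree tends to be reused well beyond the test it was meant for.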
diff --git a/tpm-tools/initandverify/public.pem b/tpm-tools/initandverify/public.pem
new file mode 100644
index 0000000..fcbaa99
--- /dev/null
+++ b/tpm-tools/initandverify/public.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTuMhW1v3lPZWp7yoxng
+kVvqctJsuSA4F3LsGVB/Sz8shqQAYGcoiVPP0jZM91V//FvyJIbMmV0+/05wedOm
+4gQk0PvJ/uIyiSb7eGFuqph0mmttFZRB1J7h7Wl84QIKqz7xLZdkjwPlr7t3cl2w
+/0CJ8ighTpDj0Vkqf15EYp67WLmLkaF8Z+HB/pkZbLXFqSfAlblhqHQYsx4+Qv9r
+1uiziD90g2/Vx2TSRI1YSGkmDJOQpPK9IjUWIsUQDa4cmKen32bGjMgLcz2qpNf3
+o9uD4zp51zVIpYcEGzXNLn3yl/vy57rhXHd83bSSLD67B1HCNF3Pt/jwWwUVOS5W
+fwIDAQAB
+-----END PUBLIC KEY-----