From 76f424e841653b899504d8064f1055f8c114985d Mon Sep 17 00:00:00 2001 From: Pramod Date: Thu, 29 Mar 2018 10:22:33 -0700 Subject: tpm tools for the below functionalities 1.INIT(Script) - Establish connection with the Actual TPM Hardware and loads the primary key into the TPM hardware 2. Sign and verify(Script) - Loads the key and does the sign and verify operation Issue-ID: AAF-207 Change-Id: I015eb5fbc6f0e6f09ca454ed1bb55c5f5aadebae Signed-off-by: Pramod
---
tpm-tools/INSTALL | 53 ++++++++++++++++++++ tpm-tools/LICENSE | 14 ++++++ tpm-tools/README | 17 +++++++ tpm-tools/initandverify/Duplicate.sh | 6 +++ tpm-tools/initandverify/ImportTpmKey.sh | 6 +++ .../initandverify/Init_and_create_tpm_primary.sh | 58 ++++++++++++++++++++++ tpm-tools/initandverify/Sign_Verify_test.sh | 35 +++++++++++++ tpm-tools/initandverify/private.pem | 27 ++++++++++ tpm-tools/initandverify/public.pem | 9 ++++ 9 files changed, 225 insertions(+) create mode 100644 tpm-tools/INSTALL create mode 100644 tpm-tools/LICENSE create mode 100644 tpm-tools/README create mode 100755 tpm-tools/initandverify/Duplicate.sh create mode 100755 tpm-tools/initandverify/ImportTpmKey.sh create mode 100755 tpm-tools/initandverify/Init_and_create_tpm_primary.sh create mode 100755 tpm-tools/initandverify/Sign_Verify_test.sh create mode 100644 tpm-tools/initandverify/private.pem create mode 100644 tpm-tools/initandverify/public.pem
diff --git a/tpm-tools/INSTALL b/tpm-tools/INSTALL new file mode 100644
index 0000000..a33bc6b
--- /dev/null
+++ b/tpm-tools/INSTALL
@@ -0,0 +1,53 @@
+1. Download TPM emulator - ibmtpm974.tar.gz
+ a. cd src/
+ b. make
+ c. Run tpm_server binary - ./tpm_server –rm
+
+2. Download TSS version 1.2.0
+ a. Run following commands
+ i. ./bootstrap
+ ii. ./configure
+ iii. If you face any error for pkg-config,
+ 1. export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+ iv. make && make install
+
+3. Download tpm2-abrmd version 1.1.1
+ a. Run following commands
+ i. sudo useradd --system --user-group tss
+ ii. cd tpm2-abrmd
+ iii. ./bootstrap
+ iv. ./configure
+ v. If you face any error for pkg-config,
+ 1. export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+ vi. make && make install
+ vii. sudo udevadm control --reload-rules && sudo udevadm trigger
+ viii. sudo pkill -HUP dbus-daemon
+ ix. systemctl daemon-reload
+ b. Run tpm2-abrmd as follows - ./tpm2-abrmd -t socket
+ c. Check in tpm_server whether following debug prints are resulted in console, after resource manager startup
+ Client accepted
+ Client accepted
+
+4. Download tpm2-tools version 2.1.0
+ a. Run the following commands
+ i. ./bootstrap
+ ii. ./configure
+ iii. make && make install
+
+5. Now configure Initialize TPM, configure with Primary key and then save it in TPM’s NV ram
+ a. Initialize TPM
+ i. tpm2_startup -clear -T tabrmd –V
+ b. Take ownership
+ i. tpm2_takeownership -o new -e new -l new -T tabrmd –V
+ c. Create Primary Key
+ i. tpm2_createprimary -P new -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob
+ d. Save primary Key in NV ram
+ i. tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S 0x81000011 -T tabrmd -V -P new
+ e. Check Primary Keys public portion
+ i. tpm2_readpublic -H 0x81000011 --opu out_primary_public -T tabrmd –V
+ f. If all the above commands are successful then TPM emulator, TPM resource manager and TPM tools are working fine
+
+6. Now compile the TPM duplication tool with "make" command and run it as per instructions. use "./ossl_tpm_util --help" for usage.
+
+7. 
Note: If you restart tpm_server, then you have to restart TPM resource manager too. And the repeat from step 5.
+
diff --git a/tpm-tools/LICENSE b/tpm-tools/LICENSE new file mode 100644
index 0000000..366ca6c
--- /dev/null
+++ b/tpm-tools/LICENSE
@@ -0,0 +1,14 @@
+/* Copyright 2018 Intel Corporation, Inc
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
diff --git a/tpm-tools/README b/tpm-tools/README new file mode 100644
index 0000000..a49420c
--- /dev/null
+++ b/tpm-tools/README
@@ -0,0 +1,17 @@
+
+After the installation of steps as given in the INSTALL document,
+follow the steps below.
+
+After you have installed the tools in "Duplicate" and "Import" directory
+
+1. Run the Init_and_create_tpm_primary.sh to initialize the connection to TPM
+and load the primary key into the TPM
+
+2. Run the Duplicate.sh which takes RSA private key in pem format as input and
+generates TPM structured buffers
+
+3. Run the ImportTpmKey.sh which takes the generated buffers from the "Duplicate tool"
+and generates the private and public portion of the tpm loaded key
+
+4. Run the Sign_Verify_test.sh which loads the key and does the sign and verify
+operation
diff --git a/tpm-tools/initandverify/Duplicate.sh b/tpm-tools/initandverify/Duplicate.sh new file mode 100755
index 0000000..fd95c09
--- /dev/null
+++ b/tpm-tools/initandverify/Duplicate.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+echo "../duplicate/ossl_tpm_duplicate -pemfile ./private.pem -parentPub out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey"
+rm -f dupPub dupPriv dupSymseed dupEncKey
+../duplicate/ossl_tpm_duplicate -pemfile ./private.pem -parentPub out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey
+
diff --git a/tpm-tools/initandverify/ImportTpmKey.sh b/tpm-tools/initandverify/ImportTpmKey.sh new file mode 100755
index 0000000..0ff4848
--- /dev/null
+++ b/tpm-tools/initandverify/ImportTpmKey.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+echo "../import/ossl_tpm_import -H 0x81000011 -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv"
+rm -f outPub outPriv
+../import/ossl_tpm_import -H 0x81000011 -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv
+
diff --git a/tpm-tools/initandverify/Init_and_create_tpm_primary.sh b/tpm-tools/initandverify/Init_and_create_tpm_primary.sh new file mode 100755
index 0000000..6863102
--- /dev/null
+++ b/tpm-tools/initandverify/Init_and_create_tpm_primary.sh
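Review bot: Neither Duplicate.sh nor ImportTpmKey.sh (the second hunk on this line) checks the exit status of the tool it runs, so a failed `ossl_tpm_duplicate` or `ossl_tpm_import` still ends with status 0 and the next step in the README consumes whatever partial `dupPub`/`dupPriv` or `outPub`/`outPriv` files were left behind. Add `set -e` after the shebang in both scripts, or append `|| exit 1` to the `../duplicate/ossl_tpm_duplicate ...` and `../import/ossl_tpm_import ...` lines. Both scripts also resolve `../duplicate` and `../import` relative to the caller's working directory rather than the script's own location, so they only work when invoked from inside `initandverify/`; `cd "$(dirname "$0")" || exit 1` at the top, or a sentence in the README, would make that explicit.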
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+case "$1" in
+
+--out-public)
+ out_primary_public=$2
+ ;;
+
+--help)
+ echo "$0 [--out-public primaty_public_bin_file (optional)]"
+ exit 0
+ ;;
+
+*)
+ out_primary_public="out_parent_public"
+ ;;
+
+esac
+
+#echo "out-public file: $out_primary_public"
+
+# TPM initialize
+echo "tpm2_startup -clear -T tabrmd -V"
+tpm2_startup -clear -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; exit 1; fi
+echo ""
+
+# Take ownership
+echo "tpm2_takeownership -o new -e new -l new -T tabrmd -V"
+tpm2_takeownership -o new -e new -l new -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; exit 1; fi
+echo ""
+
+# Create Primary Key in RH_OWNER hierarchy
+rm -f PrimaryKeyBlob
+echo "tpm2_createprimary -P new -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob"
+tpm2_createprimary -P new -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; exit 1; fi
+echo ""
+
+# Store Primary Key in TPMs NV RAM
+echo "tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S 0x81000011 -T tabrmd -V -P new"
+tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S 0x81000011 -T tabrmd -V -P new
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; exit 1; fi
+echo ""
+rm -f PrimaryKeyBlob
+
+# To test, Read public portion of TPM primary key with stored handle
+rm -f $out_primary_public
+echo "tpm2_readpublic -H 0x81000011 --opu $out_primary_public -T tabrmd -V"
+tpm2_readpublic -H 0x81000011 --opu $out_primary_public -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; exit 1; fi
+echo ""
+
+
+# Some TPM commands to test
+#tpm2_load -c PrimaryKeyBlob -u outPub -r outPriv -n ChildKeyName -C ContextChild
+
diff --git a/tpm-tools/initandverify/Sign_Verify_test.sh b/tpm-tools/initandverify/Sign_Verify_test.sh new file mode 100755
index 0000000..660dff9
--- /dev/null
+++ b/tpm-tools/initandverify/Sign_Verify_test.sh
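Review bot: The owner, endorsement and lockout authorizations are set to the literal string `new` in `tpm2_takeownership -o new -e new -l new`, reused in `tpm2_createprimary -P new` and `tpm2_evictcontrol ... -P new`, and printed by the `echo` line in front of each command; since the commit message says this script targets real TPM hardware, that leaves every hierarchy of that TPM guarded by a value published in this repository and in the console log. Take the value from the environment instead, `: "${TPM_AUTH:?hierarchy auth value required}"`, pass it as `-o "$TPM_AUTH" -e "$TPM_AUTH" -l "$TPM_AUTH"` (and `-P "$TPM_AUTH"` on the two later commands), and drop it from the `echo` lines. `echo -e "${RED}Error, Exit."` in the five error branches is not portable under `#!/bin/sh` (dash prints `-e` literally) and `RED` is never assigned in this script, so `printf 'Error, Exit.\n' >&2` is the safer form. `$out_primary_public` is unquoted in `rm -f $out_primary_public` and in the `tpm2_readpublic` line, and an empty `--out-public` argument is accepted without complaint; quote the expansions and reject an empty value, e.g. `[ -n "$out_primary_public" ] || exit 1` after the `esac`.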
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+echo "hello world.." > hello_tpm.txt
+
+# Load the Child context in TPM
+rm -f ChildKeyName ContextChild
+tpm2_load -H 0x81000011 -u outPub -r outPriv -n ChildKeyName -C ContextChild
+
+echo "tpm2_hash -H o -g 0x00B -I hello_tpm.txt -o hello_tpm_hash.bin -t outTicket"
+rm -f hello_tpm_hash.bin outTicket
+tpm2_hash -H o -g 0x00B -I hello_tpm.txt -o hello_tpm_hash.bin -t outTicket
+echo ""
+
+echo "tpm2_sign -c ContextChild -g 0x000B -m hello_tpm.txt -s hello_tpm.sig"
+rm -f hello_tpm.sig
+tpm2_sign -c ContextChild -g 0x000B -m hello_tpm.txt -s hello_tpm.sig
+echo ""
+
+echo "tpm2_verifysignature -c ContextChild -g 0x000b -m hello_tpm.txt -s hello_tpm.sig -t tk.sig"
+rm -f tk.sig
+tpm2_verifysignature -c ContextChild -g 0x000b -m hello_tpm.txt -s hello_tpm.sig -t tk.sig
+echo ""
+
+echo "Extracting signature from TPM format"
+echo "dd if=hello_tpm.sig of=hello_tpm.sig.raw bs=1 skip=6 count=256"
+rm -f hello_tpm.sig.raw
+dd if=hello_tpm.sig of=hello_tpm.sig.raw bs=1 skip=6 count=256
+echo ""
+
+echo "openssl dgst -verify public.pem -keyform pem -sha256 -signature hello_tpm.sig.raw hello_tpm.txt"
+openssl dgst -verify public.pem -keyform pem -sha256 -signature hello_tpm.sig.raw hello_tpm.txt
+echo ""
+
+rm -f hello_tpm_hash.bin outTicket tk.sig
+
diff --git a/tpm-tools/initandverify/private.pem b/tpm-tools/initandverify/private.pem new file mode 100644
index 0000000..4ac26a2
--- /dev/null
+++ b/tpm-tools/initandverify/private.pem
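Review bot: The script cannot fail: none of `tpm2_load`, `tpm2_sign`, `tpm2_verifysignature` or `openssl dgst -verify` has its status checked and the final command is `rm -f`, so a rejected signature still exits 0. Put `set -e` after the shebang, or at least append `|| exit 1` to the `tpm2_verifysignature` and `openssl dgst -verify` lines, so that a CI job or anyone reading only the exit code sees the failure. The `dd if=hello_tpm.sig ... bs=1 skip=6 count=256` step hard-codes what appears to be the 6-byte TPMT_SIGNATURE header followed by a 256-byte RSASSA signature, which matches the 2048-bit key shipped with this commit but silently yields a truncated or shifted `hello_tpm.sig.raw` for any other key size; record that assumption in a comment, `# assumes RSASSA with a 2048-bit key: 6-byte TPMT_SIGNATURE header, then 256 signature bytes`. `tpm2_hash` writes `hello_tpm_hash.bin` and `outTicket`, which nothing reads before the closing `rm -f`, while `tpm2_sign` is given `hello_tpm.txt` directly; either drop that step or say in a comment why it is kept.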
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxTuMhW1v3lPZWp7yoxngkVvqctJsuSA4F3LsGVB/Sz8shqQA +YGcoiVPP0jZM91V//FvyJIbMmV0+/05wedOm4gQk0PvJ/uIyiSb7eGFuqph0mmtt +FZRB1J7h7Wl84QIKqz7xLZdkjwPlr7t3cl2w/0CJ8ighTpDj0Vkqf15EYp67WLmL +kaF8Z+HB/pkZbLXFqSfAlblhqHQYsx4+Qv9r1uiziD90g2/Vx2TSRI1YSGkmDJOQ +pPK9IjUWIsUQDa4cmKen32bGjMgLcz2qpNf3o9uD4zp51zVIpYcEGzXNLn3yl/vy +57rhXHd83bSSLD67B1HCNF3Pt/jwWwUVOS5WfwIDAQABAoIBAB4EQBCWZS4a6Ltn +8VltOMYmjPnImI9cHe1Dqjb4D0duZ+Jd10jUqlCsFrbRWMlTk9TeUW3Jrh2xGUNV +trxzv7QqGUhM6aMG3dYNvrvFaEhCR4ywyLs+Av7O52dwZHcCDomdXKspnT4+w5gJ +Gdan96YBNn1KKjeAyYs03MjhmdrANS245NYSHzWWDt1nQDr6mpgaRO2+Ev3/08Mr +OQHBx6UFP0uQwFXNLUVJ8j8xqnI6HoBaFBHnra86auWZbq3giA0G1XfNwoC/s72P +Sd5MHtBBRkvLFbxZH6cad/mQ0CBgtjiYUzizqnz7mEUNQeriNiQqMA3tXS3iG540 +BoKIBmECgYEA5YokyUoARMzncKE0UWoKytKMKgF5l+5sV1o7jltHVVr1X2bFLaMk +a+BX1Rra5H5t4XVtjgf5IA8ta0AUaUE5OI8VlCTQGeDRLHZfCFIRF1oGuj834vk7 +KNQb9njd9AqQNT25P2Olr+pDLroO1WE7wdhHos3tRJ9+3jGAs5gZiNkCgYEA2/gB +Xb5+VDSjPqRVZAHGGEkcTlpEmDAgqHnrQVvq+YL11fvMNSbkACTGDtf5+BP9Z73j +7ubMjaapke/f0eKaAbgvMjRfEo48rAhXigB9Vo0TZn0DN6h3LC7+9/h14tz23JTE +RYiGqTDAhCAeFu5TYvjs9anAsqRGsu48ceM8gxcCgYEA4PKq7mEJNmOghK5WuVq0 +zOPd3OSpJw3POyQArZgipjGHukDbB8iTzuyC5yN0VOzZ/lO4U7LYoGR/XFXmKuhy +jU0cFpylHFdIZsxygZL7kOj3ItsFh/g7091asgbtbVZU0Ph2bPrYyzdHM6m/E7pA +d83fFlu9JL0x9cqJmHd8vrECgYAsJ00G5yzudB5sfYoSZ/S+fTZsV9w6/DYh+08I +sI2rBemYyVFFPgg4KymCY0Hu1PxhrZEqLDPVHyYcgBzaQXUOcU0v86k9zUVKduYz +ckO2ctz5DpDtxCgfu1M8rSfkoNwAjPAU0QHOxlVucA/6JF6imDrgWPGwKh9y3TVO +2wETgwKBgQDYHZJLwvi8H4+qGTb96iV/GswAccQm4dEKTLmX7NsQQl1A2l8TevAi +ti/uWIFUf6S8IAVEccVvwoTOSadO06Q/OOnA8tDd6/iV2PMPJC1zm1gJ8iVxX1gr +bSXwvznIEnHO6dx4MjofdEVdR5btCEdJ+gcbAIUpl/6+Q7eaUwAHyA== +-----END RSA PRIVATE KEY----- diff --git a/tpm-tools/initandverify/public.pem b/tpm-tools/initandverify/public.pem new file mode 100644 index 0000000..fcbaa99 --- /dev/null +++ b/tpm-tools/initandverify/public.pem 
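Review bot: This hunk commits an unencrypted RSA private key, and Duplicate.sh in the same change wraps exactly this `./private.pem` for import into the TPM, so anyone following the README as written ends up with a TPM-resident signing key whose private half is public, and the `openssl dgst -verify public.pem` check in Sign_Verify_test.sh then says nothing about the TPM because anyone holding the checked-in key can produce signatures that pass it. If this is only a fixture for the emulator flow, say so in the README and in a comment next to the `-pemfile ./private.pem` argument, and have Duplicate.sh take the key path as an argument so a real deployment never touches this file. Better still, generate the fixture on demand (for example `openssl genrsa -out private.pem 2048` in Duplicate.sh when the file is absent) and leave both pem files out of the repository; a private key that has been committed should be treated as compromised even after it is removed from history.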
@@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTuMhW1v3lPZWp7yoxng +kVvqctJsuSA4F3LsGVB/Sz8shqQAYGcoiVPP0jZM91V//FvyJIbMmV0+/05wedOm +4gQk0PvJ/uIyiSb7eGFuqph0mmttFZRB1J7h7Wl84QIKqz7xLZdkjwPlr7t3cl2w +/0CJ8ighTpDj0Vkqf15EYp67WLmLkaF8Z+HB/pkZbLXFqSfAlblhqHQYsx4+Qv9r +1uiziD90g2/Vx2TSRI1YSGkmDJOQpPK9IjUWIsUQDa4cmKen32bGjMgLcz2qpNf3 +o9uD4zp51zVIpYcEGzXNLn3yl/vy57rhXHd83bSSLD67B1HCNF3Pt/jwWwUVOS5W +fwIDAQAB +-----END PUBLIC KEY----- -- cgit 1.2.3-korg