Trusted Platform Module 2.0 » History » Version 24
Andreas Steffen, 18.02.2017 19:43
Trusted Platform Module 2.0
- Table of contents
- Trusted Platform Module 2.0
- Connect to a TPM 2.0 device
- TPM 2.0 Algorithm IDs
- Derive a Persistent RSA Endorsement Key
- Generate a Persistent RSA Attestation Key
- Derive a Persistent ECC Endorsement Key
- Generate a Persistent ECC Attestation Key
- Generate Another ECC Attestation Key
- Remove a Persistent Key Object
- List Persistent Objects
- Access TPM Private Keys via VICI Interface
Connect to a TPM 2.0 device
In order to connect to a TPM 2.0 hardware or firmware device, the TSS2 software stack developed by Intel is needed. Because the official Ubuntu tpm2-tss package is rather outdated (e.g. since version 0.98 the TCTI interface to the TPM 2.0 resource manager has changed several times), strongSwan is currently based on a recent version directly drawn from the TPM2-TSS git repository https://github.com/01org/TPM2.0-TSS. Avoid any TCTI interface incompatibilities by fetching the latest tpm2-tools version from https://github.com/01org/tpm2.0-tools as well.
Build and install both the tpm2-tss stack and the tpm2.0-tools, start the tpm2-resourcemgr as a service in the background and try to connect to the TPM 2.0 by listing e.g. the contents of the SHA-1 bank of PCR registers:
tpm2_listpcrs -g 0x0004
Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_10: a9 45 e7 0f 42 a2 79 f0 78 ca d4 64 60 39 39 da 9d 6a d1 a5
PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
A manual showing all tpm2-tools functions with their arguments can be found here.
TPM 2.0 Algorithm IDs
Hash Algorithms
0x0004 | SHA-1 |
0x000B | SHA-2_256 |
0x000C | SHA-2_384 |
0x000D | SHA-2_512 |
Currently available TPM 2.0 devices like the Infineon Optiga SLB 9670 VQ2.0 hardware TPM or Intel's PTT firmware TPM support the SHA-1 and SHA-2_256 algorithms.
Public Key Types
0x0001 | RSA |
0x0023 | ECC |
Currently RSA keys have a modulus size of 2048 bits and ECC keys are based on the 256 bit NIST curve.
Signature Schemes
0x0014 | RSASSA |
0x0016 | RSAPSS |
0x0018 | ECDSA |
Derive a Persistent RSA Endorsement Key
The following tpm2-tools command derives a 2048 bit RSA Endorsement Key (EK) in a deterministic way from the secret Endorsement Seed unique to each TPM device and makes the key persistent in the non-volatile memory of the TPM under the object handle 0x81010001:
tpm2_getpubek -H 0x81010001 -g 0x0001 -f ek_rsa.pub
The EK public key can be exported in PKCS#1 format from the TPM using the pki tool:
pki --pub --keyid 81010001 --outform pem > ek_rsa_pub.pem
The fingerprint of the RSA EK public key can be displayed with the command:
pki --print --type pub --in ek_rsa_pub.pem
pubkey: RSA 2048 bits
keyid: d1:f1:49:84:36:44:e6:8c:d2:a6:69:ee:fd:b5:7d:56:2f:39:ff:58
subjkey: c1:1b:8e:f1:c7:f8:8a:1e:9a:dd:7e:82:2f:7a:a3:f5:c0:e2:4d:7d
Generate a Persistent RSA Attestation Key
A 2048 bit RSA Attestation Key (AK) bound to the EK with handle 0x81010001 can be created and made persistent under the handle 0x81010002 with the following tpm2-tools command:
tpm2_getpubak -E 0x81010001 -g 0x0001 -D 0x000B -s 0x0014 -k 0x81010002 -f ak_rsa2.pub -n ak_rsa2.name
The AK public key can be exported in PKCS#1 format from the TPM using the pki tool:
pki --pub --keyid 81010002 --outform pem > ak_rsa_pub.pem
The fingerprint of the RSA AK public key can be displayed with the command:
pki --print --type pub --in ak_rsa_pub.pem
pubkey: RSA 2048 bits
keyid: 71:21:f5:d4:7e:59:4a:88:16:ca:57:85:98:3d:36:a7:b1:d5:75:fa
subjkey: f4:9e:85:7d:de:4e:67:f5:fb:87:03:98:67:3f:20:7c:f3:3f:2b:66
Derive a Persistent ECC Endorsement Key
The following tpm2-tools command derives a 256 bit ECC Endorsement Key (EK) in a deterministic way from the secret Endorsement Seed unique to each TPM device and makes the key persistent in the non-volatile memory of the TPM under the object handle 0x81010003:
tpm2_getpubek -H 0x81010003 -g 0x0023 -f ek_ecc.pub
The EK public key can be exported in PKCS#1 format from the TPM using the pki tool:
pki --pub --keyid 81010003 > ek_ecc_pub.der
The fingerprint of the ECC EK public key can be displayed with the command:
pki --print --type pub --in ek_ecc_pub.der
pubkey: ECDSA 256 bits
keyid: 7f:39:ca:e6:83:9b:a9:06:97:40:27:6a:e1:bf:8f:f5:9f:d3:a5:31
subjkey: 8b:43:4d:5e:5e:7b:ff:c2:54:4d:ef:88:cb:0c:7c:47:75:28:4d:09
Generate a Persistent ECC Attestation Key
A 256 bit ECC Attestation Key (AK) bound to the EK with handle 0x81010003 can be created and made persistent under the handle 0x81010004 with the following tpm2-tools command:
tpm2_getpubak -E 0x81010003 -g 0x0023 -D 0x000B -s 0x0018 -k 0x81010004 -f ak_ecc4.pub -n ak_ecc4.name
The AK public key can be exported in PKCS#1 format from the TPM using the pki tool:
pki --pub --keyid 81010004 > ak_ecc_pub.der
The fingerprint of the ECC AK public key can be displayed with the command:
pki --print --type pub --in ak_ecc_pub.der
pubkey: ECDSA 256 bits
keyid: 71:49:7c:42:41:e7:c6:81:bc:31:73:f0:0f:7e:4a:e1:2d:53:00:38
subjkey: c7:0e:63:f8:7f:6f:f6:55:00:e5:05:7f:5a:3e:6b:6c:e7:d2:d5:13
Generate Another ECC Attestation Key
Multiple AK keys bound to a common EK key can be generated:
tpm2_getpubak -E 0x81010003 -g 0x0023 -D 0x000B -s 0x0018 -k 0x81010005 -f ak_ecc5.pub -n ak_ecc5.name
The AK public key can be exported in PKCS#1 format from the TPM using the pki tool:
pki --pub --keyid 81010005 > ak_ecc5_pub.der
The fingerprint of the second ECC AK public key can be displayed with the command:
pki --print --type pub --in ak_ecc5_pub.der
pubkey: ECDSA 256 bits
keyid: c4:b4:9c:95:27:9e:ce:81:2f:98:42:c8:1b:f0:54:ff:d4:d1:24:34
subjkey: cf:44:f4:f7:9d:97:09:ad:b1:09:3a:8e:6f:23:eb:9f:2c:35:94:c9
Remove a Persistent Key Object
Since the non-volatile memory of the TPM is limited, any persistent key object can be removed to free storage space.
The following tpm2-tools command removes the ECC AK key with persistent handle 0x81010005:
tpm2_evictcontrol -A o -H 0x81010005 -S 0x81010005
List Persistent Objects
The following tpm2-tools command lists all persistent objects stored by the TPM in non-volatile memory:
tpm2_listpersistent
6 persistent objects defined.
0. Persistent handle: 0x81000001 { Type: 0x23 Hash algorithm(nameAlg): 0xb Attributes: 0x30072 }
1. Persistent handle: 0x81000002 { Type: 0x23 Hash algorithm(nameAlg): 0xb Attributes: 0x60072 }
2. Persistent handle: 0x81010001 { Type: 0x1 Hash algorithm(nameAlg): 0xb Attributes: 0x300b2 }
3. Persistent handle: 0x81010002 { Type: 0x1 Hash algorithm(nameAlg): 0xb Attributes: 0x50072 }
4. Persistent handle: 0x81010003 { Type: 0x23 Hash algorithm(nameAlg): 0xb Attributes: 0x300b2 }
5. Persistent handle: 0x81010004 { Type: 0x23 Hash algorithm(nameAlg): 0xb Attributes: 0x50072 }
Access TPM Private Keys via VICI Interface
Configuration of TPM private key access as tokens in the secrets section of swanctl.conf:
secrets {
    token_ak_rsa {
        handle = 81010002
    }
    token_ak_ecc {
        handle = 81010004
    }
}
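Before referencing a handle as a token, it helps to confirm what kind of object sits behind it. The following Python code is an added example, not part of the original wiki page or of strongSwan: it decodes the Attributes column of the tpm2_listpersistent output shown above using the TPMA_OBJECT bit layout of the TPM 2.0 specification and checks a token handle against it. The function names and the policy in check_token (the key must be able to sign and must have been generated inside this TPM) are assumptions made for illustration.

```python
import re

# TPMA_OBJECT bit positions (TPM 2.0 Library Specification, Part 2).
TPMA_OBJECT = {1: "fixedTPM", 2: "stClear", 4: "fixedParent", 5: "sensitiveDataOrigin",
               6: "userWithAuth", 7: "adminWithPolicy", 10: "noDA",
               11: "encryptedDuplication", 16: "restricted", 17: "decrypt", 18: "sign"}
KEY_TYPES = {0x0001: "RSA", 0x0023: "ECC"}  # public key type IDs from this page

# tpm2_listpersistent output as printed on this page.
LISTING = """
0. Persistent handle: 0x81000001 { Type: 0x23 Hash algorithm(nameAlg): 0xb Attributes: 0x30072 }
1. Persistent handle: 0x81000002 { Type: 0x23 Hash algorithm(nameAlg): 0xb Attributes: 0x60072 }
2. Persistent handle: 0x81010001 { Type: 0x1 Hash algorithm(nameAlg): 0xb Attributes: 0x300b2 }
3. Persistent handle: 0x81010002 { Type: 0x1 Hash algorithm(nameAlg): 0xb Attributes: 0x50072 }
4. Persistent handle: 0x81010003 { Type: 0x23 Hash algorithm(nameAlg): 0xb Attributes: 0x300b2 }
5. Persistent handle: 0x81010004 { Type: 0x23 Hash algorithm(nameAlg): 0xb Attributes: 0x50072 }
"""

ENTRY = re.compile(
    r"Persistent handle:\s*0x([0-9a-f]+)\s*\{\s*Type:\s*0x([0-9a-f]+)"
    r"\s*Hash algorithm\(nameAlg\):\s*0x([0-9a-f]+)\s*Attributes:\s*0x([0-9a-f]+)",
    re.I)

def decode_attributes(value):
    """Return the names of the TPMA_OBJECT flags set in value."""
    return {name for bit, name in TPMA_OBJECT.items() if value >> bit & 1}

def parse_listing(text):
    """Map each persistent handle to (key type, set of attribute flags)."""
    objects = {}
    for handle, ktype, _name_alg, attrs in ENTRY.findall(text):
        objects[int(handle, 16)] = (KEY_TYPES.get(int(ktype, 16), "unknown"),
                                    decode_attributes(int(attrs, 16)))
    return objects

def check_token(objects, handle_hex):
    """Hypothetical policy check for a swanctl.conf token handle."""
    handle = int(handle_hex, 16)
    if handle not in objects:
        return "missing"
    flags = objects[handle][1]
    if "sign" not in flags:
        return "not a signing key"
    if not {"fixedTPM", "fixedParent", "sensitiveDataOrigin"} <= flags:
        return "not generated inside and bound to this TPM"
    return "ok"

if __name__ == "__main__":
    objs = parse_listing(LISTING)
    for h in ("81010002", "81010004", "81010001", "81010005"):
        print(h, check_token(objs, h))
```

The two AK handles decode to restricted signing keys (0x50072), while the EK handles (0x300b2) are restricted decryption keys and fail the check if configured as a token by mistake.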