Trusted Platform Module 2.0 » History » Version 28
Andreas Steffen, 18.02.2017 21:18
| 1 | 17 | Andreas Steffen | h1. Trusted Platform Module 2.0 |
|---|---|---|---|
| 2 | 1 | Andreas Steffen | |
| 3 | 6 | Andreas Steffen | {{>toc}} |
| 4 | 6 | Andreas Steffen | |
| 5 | 2 | Andreas Steffen | h2. Connect to a TPM 2.0 device |
| 6 | 2 | Andreas Steffen | |
| 7 | 5 | Andreas Steffen | In order to connect to a TPM 2.0 hardware or firmware device, the TSS2 software stack developed by Intel is needed. Because the official Ubuntu *tpm2-tss* package is rather outdated (e.g. since version 0.98 the TCTI interface to the TPM 2.0 resource manager has changed several times), strongSwan is currently based on a recent version directly drawn from the TPM2-TSS git repository https://github.com/01org/TPM2.0-TSS. Avoid any TCTI interface incompatibilities by fetching the latest *tpm2-tools* version from https://github.com/01org/tpm2.0-tools as well. |
| 8 | 1 | Andreas Steffen | |
| 9 | 11 | Andreas Steffen | Build and install both the *tpm2-tss* stack and the *tpm2.0-tools*, start the *tpm2-resourcemgr* as a service in the background and try to connect to the TPM 2.0 by listing e.g. the contents of the SHA-1 bank of PCR registers |
| 10 | 1 | Andreas Steffen | |
| 11 | 7 | Andreas Steffen | |
| 12 | 7 | Andreas Steffen | tpm2_listpcrs -g 0x0004 |
| 13 | 3 | Andreas Steffen | |
| 14 | 18 | Andreas Steffen | <pre> |
| 15 | 18 | Andreas Steffen | Bank/Algorithm: TPM_ALG_SHA1(0x0004) |
| 16 | 3 | Andreas Steffen | PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 17 | 3 | Andreas Steffen | PCR_01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 18 | 3 | Andreas Steffen | PCR_02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 19 | 3 | Andreas Steffen | PCR_03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 20 | 3 | Andreas Steffen | PCR_04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 21 | 3 | Andreas Steffen | PCR_05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 22 | 3 | Andreas Steffen | PCR_06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 23 | 3 | Andreas Steffen | PCR_07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 24 | 3 | Andreas Steffen | PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 25 | 3 | Andreas Steffen | PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 26 | 3 | Andreas Steffen | PCR_10: a9 45 e7 0f 42 a2 79 f0 78 ca d4 64 60 39 39 da 9d 6a d1 a5 |
| 27 | 3 | Andreas Steffen | PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 28 | 3 | Andreas Steffen | PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 29 | 3 | Andreas Steffen | PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 30 | 3 | Andreas Steffen | PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 31 | 3 | Andreas Steffen | PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 32 | 3 | Andreas Steffen | PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 33 | 3 | Andreas Steffen | PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
| 34 | 3 | Andreas Steffen | PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
| 35 | 3 | Andreas Steffen | PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
| 36 | 3 | Andreas Steffen | PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
| 37 | 1 | Andreas Steffen | PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
| 38 | 1 | Andreas Steffen | PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
| 39 | 1 | Andreas Steffen | PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 40 | 18 | Andreas Steffen | </pre> |
| 41 | 1 | Andreas Steffen | |
| 42 | 7 | Andreas Steffen | A manual showing all *tpm2-tools* functions with their arguments can be found "here":https://github.com/01org/tpm2.0-tools/blob/master/manual. |
| 43 | 7 | Andreas Steffen | |
| 44 | 7 | Andreas Steffen | h2. TPM 2.0 Algorithm IDs |
| 45 | 7 | Andreas Steffen | |
| 46 | 8 | Andreas Steffen | h3. Hash Algorithms |
| 47 | 8 | Andreas Steffen | |
| 48 | 7 | Andreas Steffen | |0x0004 |SHA-1 | |
| 49 | 7 | Andreas Steffen | |0x000B |SHA-2_256 | |
| 50 | 7 | Andreas Steffen | |0x000C |SHA-2_384 | |
| 51 | 1 | Andreas Steffen | |0x000D |SHA-2_512 | |
| 52 | 7 | Andreas Steffen | |
| 53 | 28 | Andreas Steffen | Currently available TPM 2.0 devices like the Infineon *Optiga SLB 9670 VQ2.0* hardware TPM or Intel's *PTT* firmware TPM integrated into the Management Engine starting with the 4th generation (Haswell) of the *Core* processor family, support the *SHA-1* and *SHA-2_256* algorithms. |
| 54 | 1 | Andreas Steffen | |
| 55 | 8 | Andreas Steffen | h3. Public Key Types |
| 56 | 8 | Andreas Steffen | |
| 57 | 8 | Andreas Steffen | |0x0001 |RSA | |
| 58 | 8 | Andreas Steffen | |0x0023 |ECC | |
| 59 | 1 | Andreas Steffen | |
| 60 | 22 | Andreas Steffen | Currently RSA keys have a modulus size of 2048 bits and ECC keys are based on the 256 bit NIST curve. |
| 61 | 22 | Andreas Steffen | |
| 62 | 11 | Andreas Steffen | h3. Signature Schemes |
| 63 | 11 | Andreas Steffen | |
| 64 | 11 | Andreas Steffen | |0x0014 |RSASSA | |
| 65 | 11 | Andreas Steffen | |0x0016 |RSAPSS | |
| 66 | 9 | Andreas Steffen | |0x0018 |ECDSA | |
| 67 | 9 | Andreas Steffen | |
| 68 | 20 | Andreas Steffen | h2. Derive a Persistent RSA Endorsement Key |
| 69 | 1 | Andreas Steffen | |
| 70 | 25 | Andreas Steffen | The following tpm2-tools command derives a 2048 bit RSA Endorsement Key (EK) in a deterministic way from the secret _Endorsement Primary Seed_ *unique* to each TPM device and makes the key persistent in the non-volatile memory of the TPM under the object handle 0x81010001 |
| 71 | 11 | Andreas Steffen | |
| 72 | 24 | Andreas Steffen | tpm2_getpubek -H 0x81010001 -g 0x0001 -f ek_rsa.pub |
| 73 | 9 | Andreas Steffen | |
| 74 | 27 | Andreas Steffen | The EK public key stored in the ek_rsa.pub file is encoded in a TPM 2.0 proprietary format but the key can be exported from the TPM in the regular PKCS#1 format using the *pki* tool |
| 75 | 9 | Andreas Steffen | |
| 76 | 12 | Andreas Steffen | pki --pub --keyid 81010001 --outform pem > ek_rsa_pub.pem |
| 77 | 9 | Andreas Steffen | |
| 78 | 9 | Andreas Steffen | The fingerprint of the RSA EK public key can be displayed with the command |
| 79 | 9 | Andreas Steffen | |
| 80 | 9 | Andreas Steffen | pki --print --type pub --in ek_rsa_pub.pem |
| 81 | 9 | Andreas Steffen | pubkey: RSA 2048 bits |
| 82 | 9 | Andreas Steffen | keyid: d1:f1:49:84:36:44:e6:8c:d2:a6:69:ee:fd:b5:7d:56:2f:39:ff:58 |
| 83 | 1 | Andreas Steffen | subjkey: c1:1b:8e:f1:c7:f8:8a:1e:9a:dd:7e:82:2f:7a:a3:f5:c0:e2:4d:7d |
| 84 | 1 | Andreas Steffen | |
| 85 | 20 | Andreas Steffen | h2. Generate a Persistent RSA Attestation Key |
| 86 | 11 | Andreas Steffen | |
| 87 | 12 | Andreas Steffen | A 2048 bit RSA Attestation Key (AK) bound to the EK with handle 0x81010001 can be created and made persistent under the handle 0x81010002 with the following tpm2-tools command |
| 88 | 1 | Andreas Steffen | |
| 89 | 15 | Andreas Steffen | tpm2_getpubak -E 0x81010001 -g 0x0001 -D 0x000B -s 0x0014 -k 0x81010002 -f ak_rsa2.pub -n ak_rsa2.name |
| 90 | 12 | Andreas Steffen | |
| 91 | 12 | Andreas Steffen | The AK public key can be exported in PKCS#1 format from the TPM using the *pki* tool |
| 92 | 12 | Andreas Steffen | |
| 93 | 12 | Andreas Steffen | pki --pub --keyid 81010002 --outform pem > ak_rsa_pub.pem |
| 94 | 12 | Andreas Steffen | |
| 95 | 12 | Andreas Steffen | The fingerprint of the RSA AK public key can be displayed with the command |
| 96 | 12 | Andreas Steffen | |
| 97 | 12 | Andreas Steffen | pki --print --type pub --in ak_rsa_pub.pem |
| 98 | 12 | Andreas Steffen | pubkey: RSA 2048 bits |
| 99 | 12 | Andreas Steffen | keyid: 71:21:f5:d4:7e:59:4a:88:16:ca:57:85:98:3d:36:a7:b1:d5:75:fa |
| 100 | 12 | Andreas Steffen | subjkey: f4:9e:85:7d:de:4e:67:f5:fb:87:03:98:67:3f:20:7c:f3:3f:2b:66 |
| 101 | 11 | Andreas Steffen | |
| 102 | 20 | Andreas Steffen | h2. Derive a Persistent ECC Endorsement Key |
| 103 | 1 | Andreas Steffen | |
| 104 | 25 | Andreas Steffen | The following tpm2-tools command derives a 256 bit ECC Endorsement Key (EK) in a deterministic way from the secret _Endorsement Primary Seed_ *unique* to each TPM device and makes the key persistent in the non-volatile memory of the TPM under the object handle 0x81010003: |
| 105 | 1 | Andreas Steffen | |
| 106 | 24 | Andreas Steffen | tpm2_getpubek -H 0x81010003 -g 0x0023 -f ek_ecc.pub |
| 107 | 9 | Andreas Steffen | |
| 108 | 11 | Andreas Steffen | The EK public key can be exported in PKCS#1 format from the TPM using the *pki* tool: |
| 109 | 11 | Andreas Steffen | |
| 110 | 11 | Andreas Steffen | pki --pub --keyid 81010003 > ek_ecc_pub.der |
| 111 | 9 | Andreas Steffen | |
| 112 | 9 | Andreas Steffen | The fingerprint of the ECC EK public key can be displayed with the command |
| 113 | 9 | Andreas Steffen | |
| 114 | 10 | Andreas Steffen | pki --print --type pub --in ek_ecc_pub.der |
| 115 | 9 | Andreas Steffen | pubkey: ECDSA 256 bits |
| 116 | 9 | Andreas Steffen | keyid: 7f:39:ca:e6:83:9b:a9:06:97:40:27:6a:e1:bf:8f:f5:9f:d3:a5:31 |
| 117 | 9 | Andreas Steffen | subjkey: 8b:43:4d:5e:5e:7b:ff:c2:54:4d:ef:88:cb:0c:7c:47:75:28:4d:09 |
| 118 | 9 | Andreas Steffen | |
| 119 | 20 | Andreas Steffen | h2. Generate a Persistent ECC Attestation Key |
| 120 | 13 | Andreas Steffen | |
| 121 | 13 | Andreas Steffen | A 256 bit ECC Attestation Key (AK) bound to the EK with handle 0x81010003 can be created and made persistent under the handle 0x81010004 with the following tpm2-tools command |
| 122 | 13 | Andreas Steffen | |
| 123 | 15 | Andreas Steffen | tpm2_getpubak -E 0x81010003 -g 0x0023 -D 0x000B -s 0x0018 -k 0x81010004 -f ak_ecc4.pub -n ak_ecc4.name |
| 124 | 13 | Andreas Steffen | |
| 125 | 13 | Andreas Steffen | The AK public key can be exported in PKCS#1 format from the TPM using the *pki* tool |
| 126 | 13 | Andreas Steffen | |
| 127 | 14 | Andreas Steffen | pki --pub --keyid 81010004 > ak_ecc_pub.der |
| 128 | 13 | Andreas Steffen | |
| 129 | 13 | Andreas Steffen | The fingerprint of the RSA AK public key can be displayed with the command |
| 130 | 13 | Andreas Steffen | |
| 131 | 14 | Andreas Steffen | pki --print --type pub --in ak_ecc_pub.der |
| 132 | 1 | Andreas Steffen | pubkey: ECDSA 256 bits |
| 133 | 1 | Andreas Steffen | keyid: 71:49:7c:42:41:e7:c6:81:bc:31:73:f0:0f:7e:4a:e1:2d:53:00:38 |
| 134 | 1 | Andreas Steffen | subjkey: c7:0e:63:f8:7f:6f:f6:55:00:e5:05:7f:5a:3e:6b:6c:e7:d2:d5:13 |
| 135 | 15 | Andreas Steffen | |
| 136 | 20 | Andreas Steffen | h2. Generate Another ECC Attestation Key |
| 137 | 15 | Andreas Steffen | |
| 138 | 15 | Andreas Steffen | Multiple AK keys bound to a common EK key can be generated |
| 139 | 15 | Andreas Steffen | |
| 140 | 15 | Andreas Steffen | tpm2_getpubak -E 0x81010003 -g 0x0023 -D 0x000B -s 0x0018 -k 0x81010005 -f ak_ecc5.pub -n ak_ecc5.name |
| 141 | 15 | Andreas Steffen | |
| 142 | 15 | Andreas Steffen | The AK public key can be exported in PKCS#1 format from the TPM using the *pki* tool |
| 143 | 15 | Andreas Steffen | |
| 144 | 15 | Andreas Steffen | pki --pub --keyid 81010005 > ak_ecc5_pub.der |
| 145 | 15 | Andreas Steffen | |
| 146 | 15 | Andreas Steffen | The fingerprint of the second ECC AK public key can be displayed with the command |
| 147 | 15 | Andreas Steffen | |
| 148 | 15 | Andreas Steffen | pki --print --type pub --in ak_ecc5_pub.der |
| 149 | 15 | Andreas Steffen | pubkey: ECDSA 256 bits |
| 150 | 15 | Andreas Steffen | keyid: c4:b4:9c:95:27:9e:ce:81:2f:98:42:c8:1b:f0:54:ff:d4:d1:24:34 |
| 151 | 15 | Andreas Steffen | subjkey: cf:44:f4:f7:9d:97:09:ad:b1:09:3a:8e:6f:23:eb:9f:2c:35:94:c9 |
| 152 | 15 | Andreas Steffen | |
| 153 | 19 | Andreas Steffen | h2. Remove a Persistent Key Object |
| 154 | 15 | Andreas Steffen | |
| 155 | 15 | Andreas Steffen | Since the non-volatile memory of the TPM is limited any persistent key object can be removed to free storage space. |
| 156 | 15 | Andreas Steffen | The following tpm2-tools command removes the ECC AK key with persistent handle 0x81010005 |
| 157 | 15 | Andreas Steffen | |
| 158 | 1 | Andreas Steffen | tpm2_evictcontrol -A o -H 0x81010005 -S 0x81010005 |
| 159 | 18 | Andreas Steffen | |
| 160 | 18 | Andreas Steffen | h2. List Persistent Objects |
| 161 | 18 | Andreas Steffen | |
| 162 | 18 | Andreas Steffen | The following tpm2-tools command lists all persistent objects stored by the TPM in non-volatile memory |
| 163 | 18 | Andreas Steffen | |
| 164 | 18 | Andreas Steffen | tpm2_listpersistent |
| 165 | 18 | Andreas Steffen | |
| 166 | 18 | Andreas Steffen | <pre> |
| 167 | 18 | Andreas Steffen | 6 persistent objects defined. |
| 168 | 18 | Andreas Steffen | |
| 169 | 18 | Andreas Steffen | 0. Persistent handle: 0x81000001 |
| 170 | 18 | Andreas Steffen | { |
| 171 | 18 | Andreas Steffen | Type: 0x23 |
| 172 | 18 | Andreas Steffen | Hash algorithm(nameAlg): 0xb |
| 173 | 18 | Andreas Steffen | Attributes: 0x30072 |
| 174 | 18 | Andreas Steffen | } |
| 175 | 18 | Andreas Steffen | 1. Persistent handle: 0x81000002 |
| 176 | 18 | Andreas Steffen | { |
| 177 | 18 | Andreas Steffen | Type: 0x23 |
| 178 | 18 | Andreas Steffen | Hash algorithm(nameAlg): 0xb |
| 179 | 18 | Andreas Steffen | Attributes: 0x60072 |
| 180 | 18 | Andreas Steffen | } |
| 181 | 18 | Andreas Steffen | 2. Persistent handle: 0x81010001 |
| 182 | 18 | Andreas Steffen | { |
| 183 | 18 | Andreas Steffen | Type: 0x1 |
| 184 | 18 | Andreas Steffen | Hash algorithm(nameAlg): 0xb |
| 185 | 18 | Andreas Steffen | Attributes: 0x300b2 |
| 186 | 18 | Andreas Steffen | } |
| 187 | 18 | Andreas Steffen | 3. Persistent handle: 0x81010002 |
| 188 | 18 | Andreas Steffen | { |
| 189 | 18 | Andreas Steffen | Type: 0x1 |
| 190 | 18 | Andreas Steffen | Hash algorithm(nameAlg): 0xb |
| 191 | 18 | Andreas Steffen | Attributes: 0x50072 |
| 192 | 18 | Andreas Steffen | } |
| 193 | 18 | Andreas Steffen | 4. Persistent handle: 0x81010003 |
| 194 | 18 | Andreas Steffen | { |
| 195 | 18 | Andreas Steffen | Type: 0x23 |
| 196 | 18 | Andreas Steffen | Hash algorithm(nameAlg): 0xb |
| 197 | 18 | Andreas Steffen | Attributes: 0x300b2 |
| 198 | 18 | Andreas Steffen | } |
| 199 | 18 | Andreas Steffen | 5. Persistent handle: 0x81010004 |
| 200 | 18 | Andreas Steffen | { |
| 201 | 18 | Andreas Steffen | Type: 0x23 |
| 202 | 18 | Andreas Steffen | Hash algorithm(nameAlg): 0xb |
| 203 | 18 | Andreas Steffen | Attributes: 0x50072 |
| 204 | 18 | Andreas Steffen | } |
| 205 | 18 | Andreas Steffen | </pre> |
| 206 | 13 | Andreas Steffen | |
| 207 | 23 | Andreas Steffen | h2. Access TPM Private Keys via VICI Interface |
| 208 | 1 | Andreas Steffen | |
| 209 | 23 | Andreas Steffen | Configuration of TPM private key access as tokens in the secrets section of *swanctl.conf* |
| 210 | 1 | Andreas Steffen | |
| 211 | 7 | Andreas Steffen | secrets { |
| 212 | 1 | Andreas Steffen | token_ak_rsa { |
| 213 | 7 | Andreas Steffen | handle = 81010002 |
| 214 | 1 | Andreas Steffen | } |
| 215 | 1 | Andreas Steffen | token_ak_ecc { |
| 216 | 7 | Andreas Steffen | handle = 81010004 |
| 217 | 1 | Andreas Steffen | } |
| 218 | 1 | Andreas Steffen | } |