Project

General

Profile

Trusted Platform Module 2.0 » History » Version 29

« Previous - Version 29/87 (diff) - Next » - Current version
Andreas Steffen, 19.02.2017 10:21


Trusted Platform Module 2.0

Connect to a TPM 2.0 device

In order to connect to a TPM 2.0 hardware or firmware device, the TSS2 software stack developed by Intel is needed. Because the official Ubuntu tpm2-tss package is rather outdated (e.g. since version 0.98 the TCTI interface to the TPM 2.0 resource manager has changed several times), strongSwan is currently based on a recent version directly drawn from the TPM2-TSS git repository https://github.com/01org/TPM2.0-TSS. Avoid any TCTI interface incompatibilities by fetching the latest tpm2-tools version from https://github.com/01org/tpm2.0-tools as well.

Build and install both the tpm2-tss stack and the tpm2.0-tools, start the tpm2-resourcemgr as a service in the background and try to connect to the TPM 2.0 by listing e.g. the contents of the SHA-1 bank of PCR registers

tpm2_listpcrs -g 0x0004
Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_10: a9 45 e7 0f 42 a2 79 f0 78 ca d4 64 60 39 39 da 9d 6a d1 a5
PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

A manual showing all tpm2-tools functions with their arguments can be found here.

TPM 2.0 Algorithm IDs

Hash Algorithms

0x0004 SHA-1
0x000B SHA-2_256
0x000C SHA-2_384
0x000D SHA-2_512

Currently available TPM 2.0 devices like the Infineon Optiga SLB 9670 VQ2.0 hardware TPM or Intel's PTT firmware TPM integrated into the Management Engine starting with the 4th generation (Haswell) of the Core processor family, support the SHA-1 and SHA-2_256 algorithms.

Public Key Types

0x0001 RSA
0x0023 ECC

Currently RSA keys have a modulus size of 2048 bits and ECC keys are based on the 256 bit NIST curve.

Signature Schemes

0x0014 RSASSA
0x0016 RSAPSS
0x0018 ECDSA

Derive a Persistent RSA Endorsement Key

The following tpm2-tools command derives a 2048 bit RSA Endorsement Key (EK) in a deterministic way from the secret Endorsement Primary Seed unique to each TPM device and makes the key persistent in the non-volatile memory of the TPM under the object handle 0x81010001

tpm2_getpubek -H 0x81010001 -g 0x0001 -f ek_rsa.pub

The EK public key stored in the ek_rsa.pub file is encoded in a TPM 2.0 proprietary format but the key can be exported from the TPM in the regular PKCS#1 format using the pki tool

pki --pub --keyid 81010001 --outform pem > ek_rsa_pub.pem

The fingerprint of the RSA EK public key can be displayed with the command

pki --print --type pub --in ek_rsa_pub.pem
pubkey: RSA 2048 bits
keyid: d1:f1:49:84:36:44:e6:8c:d2:a6:69:ee:fd:b5:7d:56:2f:39:ff:58
subjkey: c1:1b:8e:f1:c7:f8:8a:1e:9a:dd:7e:82:2f:7a:a3:f5:c0:e2:4d:7d

Generate a Persistent RSA Attestation Key

A 2048 bit RSA Attestation Key (AK) bound to the EK with handle 0x81010001 can be created and made persistent under the handle 0x81010002 with the following tpm2-tools command

tpm2_getpubak -E 0x81010001 -g 0x0001 -D 0x000B -s 0x0014 -k 0x81010002 -f ak_rsa2.pub -n ak_rsa2.name

The AK public key can be exported in PKCS#1 format from the TPM using the pki tool

pki --pub --keyid 81010002 --outform pem > ak_rsa_pub.pem

The fingerprint of the RSA AK public key can be displayed with the command

pki --print --type pub --in ak_rsa_pub.pem
pubkey: RSA 2048 bits
keyid: 71:21:f5:d4:7e:59:4a:88:16:ca:57:85:98:3d:36:a7:b1:d5:75:fa
subjkey: f4:9e:85:7d:de:4e:67:f5:fb:87:03:98:67:3f:20:7c:f3:3f:2b:66

Derive a Persistent ECC Endorsement Key

The following tpm2-tools command derives a 256 bit ECC Endorsement Key (EK) in a deterministic way from the secret Endorsement Primary Seed unique to each TPM device and makes the key persistent in the non-volatile memory of the TPM under the object handle 0x81010003:

tpm2_getpubek -H 0x81010003 -g 0x0023 -f ek_ecc.pub

The EK public key can be exported in PKCS#1 format from the TPM using the pki tool:

pki --pub --keyid 81010003 > ek_ecc_pub.der

The fingerprint of the ECC EK public key can be displayed with the command

pki --print --type pub --in ek_ecc_pub.der
pubkey: ECDSA 256 bits
keyid: 7f:39:ca:e6:83:9b:a9:06:97:40:27:6a:e1:bf:8f:f5:9f:d3:a5:31
subjkey: 8b:43:4d:5e:5e:7b:ff:c2:54:4d:ef:88:cb:0c:7c:47:75:28:4d:09

Generate a Persistent ECC Attestation Key

A 256 bit ECC Attestation Key (AK) bound to the EK with handle 0x81010003 can be created and made persistent under the handle 0x81010004 with the following tpm2-tools command

tpm2_getpubak -E 0x81010003 -g 0x0023 -D 0x000B -s 0x0018 -k 0x81010004 -f ak_ecc4.pub -n ak_ecc4.name

The AK public key can be exported in PKCS#1 format from the TPM using the pki tool

pki --pub --keyid 81010004 > ak_ecc_pub.der

The fingerprint of the RSA AK public key can be displayed with the command

pki --print --type pub --in ak_ecc_pub.der
pubkey: ECDSA 256 bits
keyid: 71:49:7c:42:41:e7:c6:81:bc:31:73:f0:0f:7e:4a:e1:2d:53:00:38
subjkey: c7:0e:63:f8:7f:6f:f6:55:00:e5:05:7f:5a:3e:6b:6c:e7:d2:d5:13

Generate Another ECC Attestation Key

Multiple AK keys bound to a common EK key can be generated

tpm2_getpubak -E 0x81010003 -g 0x0023 -D 0x000B -s 0x0018 -k 0x81010005 -f ak_ecc5.pub -n ak_ecc5.name

The AK public key can be exported in PKCS#1 format from the TPM using the pki tool

pki --pub --keyid 81010005 > ak_ecc5_pub.der

The fingerprint of the second ECC AK public key can be displayed with the command

pki --print --type pub --in ak_ecc5_pub.der
pubkey: ECDSA 256 bits
keyid: c4:b4:9c:95:27:9e:ce:81:2f:98:42:c8:1b:f0:54:ff:d4:d1:24:34
subjkey: cf:44:f4:f7:9d:97:09:ad:b1:09:3a:8e:6f:23:eb:9f:2c:35:94:c9

Remove a Persistent Key Object

Since the non-volatile memory of the TPM is limited any persistent key object can be removed to free storage space.
The following tpm2-tools command removes the ECC AK key with persistent handle 0x81010005

tpm2_evictcontrol -A o -H 0x81010005 -S 0x81010005

List Persistent Objects

The following tpm2-tools command lists all persistent objects stored by the TPM in non-volatile memory

tpm2_listpersistent
6 persistent objects defined.

0. Persistent handle: 0x81000001
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x30072
}
1. Persistent handle: 0x81000002
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x60072
}
2. Persistent handle: 0x81010001
{
        Type: 0x1
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x300b2
}
3. Persistent handle: 0x81010002
{
        Type: 0x1
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x50072
}
4. Persistent handle: 0x81010003
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x300b2
}
5. Persistent handle: 0x81010004
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x50072
}

Access TPM Private Keys via VICI Interface

Configuration of TPM private key access as tokens in the secrets section of swanctl.conf

secrets {
token_ak_rsa {
handle = 81010002
}
token_ak_ecc {
handle = 81010004
}
}

Starting the strongSwan Daemon

systemctl start strongswan-swanctl
Feb 19 09:35:14 raspi5 systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...

The RSA AK private key is attached via the TPM 2.0 resource manager

Feb 19 09:35:14 raspi5 resourcemgr[531]: Accept socket:  0xa
Feb 19 09:35:14 raspi5 resourcemgr[531]: Resource Manager Other CMD Server accepted client
Feb 19 09:35:14 raspi5 resourcemgr[531]: Accept socket:  0xb
Feb 19 09:35:14 raspi5 resourcemgr[531]: Resource Manager TPM CMD Server accepted client
Feb 19 09:35:14 raspi5 charon-systemd[20831]: TPM 2.0 - algorithms: RSA SHA1 HMAC AES KEYEDHASH XOR SHA256 RSASSA RSAES RSAPSS OAEP ECDSA ECDH SM2 KDF1_SP800_56A KDF1_SP800_108 ECC SYMCIPHER CFB
Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 - ECC curves: NIST_P256 BN_P256
Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 via TSS2 available
Feb 19 09:35:15 raspi5 charon-systemd[20831]: AIK signature algorithm is RSASSA with SHA256 hash

The ECC AK private key is attached via the TPM 2.0 resource manager

Feb 19 09:35:15 raspi5 resourcemgr[531]: Accept socket:  0x6
Feb 19 09:35:15 raspi5 resourcemgr[531]: Resource Manager Other CMD Server accepted client
Feb 19 09:35:15 raspi5 resourcemgr[531]: Accept socket:  0x7
Feb 19 09:35:15 raspi5 resourcemgr[531]: Resource Manager TPM CMD Server accepted client
Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 - algorithms: RSA SHA1 HMAC AES KEYEDHASH XOR SHA256 RSASSA RSAES RSAPSS OAEP ECDSA ECDH SM2 KDF1_SP800_56A KDF1_SP800_108 ECC SYMCIPHER CFB
Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 - ECC curves: NIST_P256 BN_P256
Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 via TSS2 available
Feb 19 09:35:15 raspi5 charon-systemd[20831]: AIK signature algorithm is ECDSA with SHA256 hash

The swanctl command line tool loads the RSA and ECC AK certificates as well as the demoCA root certificate and connects to the RSA and ECC private keys residing in the TPM

Feb 19 09:35:15 raspi5 swanctl[20849]: loaded certificate from '/etc/swanctl/x509/raspi5_ak_rsa_Cert.der'
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded certificate from '/etc/swanctl/x509/raspi5_ak_ecc_Cert.der'
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded certificate from '/etc/swanctl/x509ca/demoCaCert.pem'
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded key token_ak_rsa from token [keyid: f49e857dde4e67f5fb870398673f207cf33f2b66]
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded key token_ak_ecc from token [keyid: c70e63f87f6ff65500e5057f5a3e6b6ce7d2d513]
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded connection 'rsa'
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded connection 'ecc'
Feb 19 09:35:15 raspi5 swanctl[20849]: successfully loaded 2 connections, 0 unloaded

Feb 19 09:35:15 raspi5 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.