Trusted Platform Module 2.0 » History » Version 31

Andreas Steffen, 19.02.2017 10:43


Trusted Platform Module 2.0

Connect to a TPM 2.0 device

In order to connect to a TPM 2.0 hardware or firmware device, the TSS2 software stack developed by Intel is needed. Because the official Ubuntu tpm2-tss package is rather outdated (e.g. since version 0.98 the TCTI interface to the TPM 2.0 resource manager has changed several times), strongSwan is currently built against a recent version drawn directly from the TPM2.0-TSS git repository https://github.com/01org/TPM2.0-TSS. To avoid TCTI interface incompatibilities, fetch a matching recent tpm2-tools version from https://github.com/01org/tpm2.0-tools as well and build both from the same point in time.

Build and install both the tpm2-tss stack and the tpm2.0-tools, start the tpm2-resourcemgr as a service in the background and check that the TPM 2.0 can be reached by listing e.g. the contents of the SHA-1 bank of PCR registers:

tpm2_listpcrs -g 0x0004
Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_10: a9 45 e7 0f 42 a2 79 f0 78 ca d4 64 60 39 39 da 9d 6a d1 a5
PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

All-zero values mean that a PCR has not been extended since the TPM was reset, so on this board nothing measured the boot chain into PCR 0-9; only PCR 10, the register that the Linux Integrity Measurement Architecture (IMA) extends by default, carries a measurement. PCR 17-22 are the dynamic root of trust (DRTM) registers: the TPM initializes them to all ones at startup and only a dynamic launch can reset them to zero, so all-ff values simply mean that no DRTM has taken place. PCR 16 is the debug register and PCR 23 the application register; both can be reset from software and therefore carry no weight in an attestation.

A manual showing all tpm2-tools functions with their arguments can be found here.
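As an added example that is not part of the original page, of strongSwan or of tpm2-tools, the following Python parses a tpm2_listpcrs listing like the one above, classifies each PCR, and replays a list of measurement digests the way the TPM does (new = H(old || digest)) to check whether a PCR value reported by the TPM is reproducible from an event log. The embedded listing excerpt is taken from the output above; the two event digests in the usage part are constructed and therefore do not reproduce PCR_10.

```python
import hashlib
import re

# Constructed excerpt in the format of `tpm2_listpcrs -g 0x0004` (values copied
# from the listing above; only a few PCRs are kept for brevity).
PCR_LISTING = """\
Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_10: a9 45 e7 0f 42 a2 79 f0 78 ca d4 64 60 39 39 da 9d 6a d1 a5
PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

# TPM 2.0 hash algorithm IDs as passed to tpm2-tools with -g
HASH_ALGS = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}


def hash_bytes(alg, data):
    return hashlib.new(alg, data).digest()


def parse_pcr_listing(text):
    """Return (hash algorithm name, {PCR index: value}) from tpm2_listpcrs output."""
    bank = re.search(r"Bank/Algorithm:\s*\S*\((0x[0-9a-fA-F]+)\)", text)
    if bank is None:
        raise ValueError("no Bank/Algorithm header in listing")
    alg = HASH_ALGS[int(bank.group(1), 16)]
    size = hashlib.new(alg).digest_size
    pcrs = {}
    for idx, hexbytes in re.findall(r"PCR_(\d+):\s*((?:[0-9a-fA-F]{2}\s*)+)", text):
        value = bytes.fromhex("".join(hexbytes.split()))
        if len(value) != size:
            raise ValueError(f"PCR_{idx}: expected {size} bytes, got {len(value)}")
        pcrs[int(idx)] = value
    return alg, pcrs


def classify(value):
    """Rough state of a PCR: never extended, DRTM reset value, or carrying measurements."""
    if not any(value):
        return "unextended"
    if all(b == 0xFF for b in value):
        return "drtm-reset"
    return "extended"


def pcr_extend(current, digest, alg):
    """TPM2_PCR_Extend for one bank: new = H(current || digest)."""
    return hash_bytes(alg, current + digest)


def replay(digests, alg, initial=None):
    """Replay event-log digests starting from the reset value (all zero) of a PCR."""
    value = initial if initial is not None else bytes(hashlib.new(alg).digest_size)
    for d in digests:
        value = pcr_extend(value, d, alg)
    return value


def verify_pcr(expected, digests, alg):
    """True if the event log reproduces the PCR value reported by the TPM."""
    return replay(digests, alg) == expected


if __name__ == "__main__":
    alg, pcrs = parse_pcr_listing(PCR_LISTING)
    for idx in sorted(pcrs):
        print(f"PCR_{idx:02d} {classify(pcrs[idx]):11s} {pcrs[idx].hex()}")
    # Constructed two-entry log: the replay only matches a PCR that was built from it.
    log = [hash_bytes(alg, b"event one"), hash_bytes(alg, b"event two")]
    print("replayed:      ", replay(log, alg).hex())
    print("matches PCR_10:", verify_pcr(pcrs[10], log, alg))
```

For a real verification, the digests fed to replay come from the per-bank digest field of each event in the measurement log (for PCR 10 the IMA template hashes), and a mismatch means either a tampered log or a measurement the log does not contain.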

TPM 2.0 Algorithm IDs

Hash Algorithms

0x0004 SHA-1
0x000B SHA-2_256
0x000C SHA-2_384
0x000D SHA-2_512

Currently available TPM 2.0 devices like the Infineon Optiga SLB 9670 VQ2.0 hardware TPM or Intel's PTT firmware TPM, which is integrated into the Management Engine starting with the 4th generation (Haswell) of the Core processor family, support the SHA-1 and SHA-2_256 algorithms.

Public Key Types

0x0001 RSA
0x0023 ECC

Currently RSA keys have a modulus size of 2048 bits and ECC keys are based on the 256 bit NIST P-256 curve (listed as NIST_P256 by the TPM).

Signature Schemes

0x0014 RSASSA
0x0016 RSAPSS
0x0018 ECDSA

Derive a Persistent RSA Endorsement Key

The following tpm2-tools command derives a 2048 bit RSA Endorsement Key (EK) in a deterministic way from the secret Endorsement Primary Seed unique to each TPM device and makes the key persistent in the non-volatile memory of the TPM under the object handle 0x81010001

tpm2_getpubek -H 0x81010001 -g 0x0001 -f ek_rsa.pub

The EK public key stored in the ek_rsa.pub file is written as a raw TPM2B_PUBLIC structure, but the key can be exported from the TPM in the standard X.509 SubjectPublicKeyInfo encoding (here as PEM) using the pki tool

pki --pub --keyid 81010001 --outform pem > ek_rsa_pub.pem

The fingerprint of the RSA EK public key can be displayed with the command

pki --print --type pub --in ek_rsa_pub.pem
pubkey: RSA 2048 bits
keyid: d1:f1:49:84:36:44:e6:8c:d2:a6:69:ee:fd:b5:7d:56:2f:39:ff:58
subjkey: c1:1b:8e:f1:c7:f8:8a:1e:9a:dd:7e:82:2f:7a:a3:f5:c0:e2:4d:7d

Generate a Persistent RSA Attestation Key

A 2048 bit RSA Attestation Key (AK) bound to the EK with handle 0x81010001 can be created and made persistent under the handle 0x81010002 with the following tpm2-tools command

tpm2_getpubak -E 0x81010001 -g 0x0001 -D 0x000B -s 0x0014 -k 0x81010002 -f ak_rsa2.pub -n ak_rsa2.name

The AK public key can be exported in the standard SubjectPublicKeyInfo encoding (here as PEM) from the TPM using the pki tool

pki --pub --keyid 81010002 --outform pem > ak_rsa_pub.pem

The fingerprint of the RSA AK public key can be displayed with the command

pki --print --type pub --in ak_rsa_pub.pem
pubkey: RSA 2048 bits
keyid: 71:21:f5:d4:7e:59:4a:88:16:ca:57:85:98:3d:36:a7:b1:d5:75:fa
subjkey: f4:9e:85:7d:de:4e:67:f5:fb:87:03:98:67:3f:20:7c:f3:3f:2b:66

Derive a Persistent ECC Endorsement Key

The following tpm2-tools command derives a 256 bit ECC Endorsement Key (EK) in a deterministic way from the secret Endorsement Primary Seed unique to each TPM device and makes the key persistent in the non-volatile memory of the TPM under the object handle 0x81010003:

tpm2_getpubek -H 0x81010003 -g 0x0023 -f ek_ecc.pub

The EK public key can be exported in the standard SubjectPublicKeyInfo encoding (DER, as no --outform is given) from the TPM using the pki tool:

pki --pub --keyid 81010003 > ek_ecc_pub.der

The fingerprint of the ECC EK public key can be displayed with the command

pki --print --type pub --in ek_ecc_pub.der
pubkey: ECDSA 256 bits
keyid: 7f:39:ca:e6:83:9b:a9:06:97:40:27:6a:e1:bf:8f:f5:9f:d3:a5:31
subjkey: 8b:43:4d:5e:5e:7b:ff:c2:54:4d:ef:88:cb:0c:7c:47:75:28:4d:09

Generate a Persistent ECC Attestation Key

A 256 bit ECC Attestation Key (AK) bound to the EK with handle 0x81010003 can be created and made persistent under the handle 0x81010004 with the following tpm2-tools command

tpm2_getpubak -E 0x81010003 -g 0x0023 -D 0x000B -s 0x0018 -k 0x81010004 -f ak_ecc4.pub -n ak_ecc4.name

The AK public key can be exported in the standard SubjectPublicKeyInfo DER encoding from the TPM using the pki tool

pki --pub --keyid 81010004 > ak_ecc_pub.der

The fingerprint of the ECC AK public key can be displayed with the command

pki --print --type pub --in ak_ecc_pub.der
pubkey: ECDSA 256 bits
keyid: 71:49:7c:42:41:e7:c6:81:bc:31:73:f0:0f:7e:4a:e1:2d:53:00:38
subjkey: c7:0e:63:f8:7f:6f:f6:55:00:e5:05:7f:5a:3e:6b:6c:e7:d2:d5:13

Generate Another ECC Attestation Key

Several AKs can be bound to the same EK; this creates a second ECC AK under the handle 0x81010005

tpm2_getpubak -E 0x81010003 -g 0x0023 -D 0x000B -s 0x0018 -k 0x81010005 -f ak_ecc5.pub -n ak_ecc5.name

The AK public key can be exported in the standard SubjectPublicKeyInfo DER encoding from the TPM using the pki tool

pki --pub --keyid 81010005 > ak_ecc5_pub.der

The fingerprint of the second ECC AK public key can be displayed with the command

pki --print --type pub --in ak_ecc5_pub.der
pubkey: ECDSA 256 bits
keyid: c4:b4:9c:95:27:9e:ce:81:2f:98:42:c8:1b:f0:54:ff:d4:d1:24:34
subjkey: cf:44:f4:f7:9d:97:09:ad:b1:09:3a:8e:6f:23:eb:9f:2c:35:94:c9

Remove a Persistent Key Object

Since the non-volatile memory of the TPM is limited, any persistent key object can be removed to free storage space. Note that an AK created as above exists only inside the TPM: unlike the EK, which can be re-derived from the Endorsement Primary Seed at any time, an evicted AK is gone for good and any certificate issued for it becomes useless.
The following tpm2-tools command removes the ECC AK key with persistent handle 0x81010005 (owner authorization is required, hence -A o)

tpm2_evictcontrol -A o -H 0x81010005 -S 0x81010005

List Persistent Objects

The following tpm2-tools command lists all persistent objects stored by the TPM in non-volatile memory

tpm2_listpersistent
6 persistent objects defined.

0. Persistent handle: 0x81000001
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x30072
}
1. Persistent handle: 0x81000002
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x60072
}
2. Persistent handle: 0x81010001
{
        Type: 0x1
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x300b2
}
3. Persistent handle: 0x81010002
{
        Type: 0x1
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x50072
}
4. Persistent handle: 0x81010003
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x300b2
}
5. Persistent handle: 0x81010004
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x50072
}
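As an added example that is not part of the page, of strongSwan or of tpm2-tools, the following Python decodes the Type, nameAlg and Attributes fields of such a listing into TPM 2.0 algorithm names and TPMA_OBJECT bits and derives the role of each object from them: the two EKs show up as restricted decryption keys with adminWithPolicy (the TCG EK template), the two AKs as restricted signing keys, and the two objects at 0x81000001 and 0x81000002, which the page does not discuss, as a storage key and a general-purpose key. The role assignment is a heuristic based on those bits only; the listing embedded in the code is the one printed above.

```python
import re

# TPMA_OBJECT attribute bits (TPM 2.0 Library, Part 2: Structures)
TPMA_OBJECT = {
    1 << 1:  "fixedTPM",
    1 << 2:  "stClear",
    1 << 4:  "fixedParent",
    1 << 5:  "sensitiveDataOrigin",
    1 << 6:  "userWithAuth",
    1 << 7:  "adminWithPolicy",
    1 << 10: "noDA",
    1 << 11: "encryptedDuplication",
    1 << 16: "restricted",
    1 << 17: "decrypt",
    1 << 18: "sign",
}
TPM_ALG = {0x0001: "RSA", 0x0004: "SHA1", 0x000B: "SHA256", 0x000C: "SHA384",
           0x000D: "SHA512", 0x0023: "ECC"}

# Listing as printed by tpm2_listpersistent above, used here as constructed input
LISTING = """\
6 persistent objects defined.

0. Persistent handle: 0x81000001
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x30072
}
1. Persistent handle: 0x81000002
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x60072
}
2. Persistent handle: 0x81010001
{
        Type: 0x1
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x300b2
}
3. Persistent handle: 0x81010002
{
        Type: 0x1
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x50072
}
4. Persistent handle: 0x81010003
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x300b2
}
5. Persistent handle: 0x81010004
{
        Type: 0x23
        Hash algorithm(nameAlg): 0xb
        Attributes: 0x50072
}
"""

ENTRY = re.compile(
    r"Persistent handle:\s*(0x[0-9a-fA-F]+)\s*\{\s*"
    r"Type:\s*(0x[0-9a-fA-F]+)\s*"
    r"Hash algorithm\(nameAlg\):\s*(0x[0-9a-fA-F]+)\s*"
    r"Attributes:\s*(0x[0-9a-fA-F]+)\s*\}")


def decode_attributes(attrs):
    """Names of the TPMA_OBJECT bits set in attrs, lowest bit first."""
    names = [name for bit, name in sorted(TPMA_OBJECT.items()) if attrs & bit]
    unknown = attrs & ~sum(TPMA_OBJECT)
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names


def role(attrs):
    """Heuristic key role: restricted+decrypt with adminWithPolicy is the EK template,
    restricted+decrypt with user auth a storage key (e.g. the SRK), restricted+sign a
    key that can only sign TPM-generated data (quotes), i.e. an attestation key."""
    a = set(decode_attributes(attrs))
    if "restricted" in a and "decrypt" in a:
        return "endorsement key" if "adminWithPolicy" in a else "storage key"
    if "restricted" in a and "sign" in a:
        return "attestation key"
    return "general-purpose key"


def warnings(attrs):
    """Properties that weaken what a certificate on this key can attest."""
    a = set(decode_attributes(attrs))
    out = []
    if "fixedTPM" not in a:
        out.append("not fixedTPM: key may have been imported or could be duplicated")
    if "sensitiveDataOrigin" not in a:
        out.append("not sensitiveDataOrigin: private part may come from outside the TPM")
    if "sign" in a and "restricted" not in a:
        out.append("unrestricted signing key: signs arbitrary data, not usable as AK")
    return out


def parse_persistent(text):
    objects = []
    for handle, typ, name_alg, attrs in ENTRY.findall(text):
        attrs = int(attrs, 16)
        objects.append({
            "handle": int(handle, 16),
            "type": TPM_ALG.get(int(typ, 16), typ),
            "nameAlg": TPM_ALG.get(int(name_alg, 16), name_alg),
            "attributes": decode_attributes(attrs),
            "role": role(attrs),
            "warnings": warnings(attrs),
        })
    return objects


if __name__ == "__main__":
    for o in parse_persistent(LISTING):
        print(f"0x{o['handle']:08x} {o['type']:3s} {o['nameAlg']} {o['role']:19s} "
              + " ".join(o["attributes"]))
        for w in o["warnings"]:
            print("    warning:", w)
```

Before trusting an AK certificate from a peer, this is the check to run against the key's public area: fixedTPM, fixedParent, sensitiveDataOrigin and restricted+sign must all be set, otherwise the key proves nothing about the platform it supposedly lives in.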

Configure TPM Private Key Access via VICI Interface

TPM private keys are configured as tokens in the secrets section of swanctl.conf. The section name must start with token, and handle is the persistent object handle in hexadecimal without the 0x prefix:

secrets {
   token_ak_rsa {
      handle = 81010002
   }
   token_ak_ecc {
      handle = 81010004
   }
}

Define IPsec Connection with RSA AK Client Key

This connection configuration in swanctl.conf uses the RSA AK certificate for client authentication

connections {
   rsa {
      local_addrs  = 10.10.0.105
      remote_addrs = 10.10.0.104

      local {
         auth = pubkey 
         certs = raspi5_ak_rsa_Cert.der
      }
      remote {
         auth = pubkey 
         id = raspi4.example.com
      }
      children {
         rsa {
            mode = transport
            esp_proposals = aes128-sha256-curve25519
         }
      }
      version = 2
      proposals = aes128-sha256-curve25519
   }
}

Define IPsec Connection with ECC AK Client Key

This connection configuration in swanctl.conf uses the ECC AK certificate for client authentication

connections {
   ecc {
      local_addrs  = 10.10.0.105
      remote_addrs = 10.10.0.104

      local {
         auth = pubkey
         certs = raspi5_ak_ecc_Cert.der
      }
      remote {
         auth = pubkey
         id = raspi4.example.com
      }
      children {
         ecc {
            mode = transport
            esp_proposals = aes128-sha256-curve25519
         }
      }
      version = 2
      proposals = aes128-sha256-curve25519
   }
}

Starting the strongSwan Daemon

systemctl start strongswan-swanctl
Feb 19 09:35:14 raspi5 systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...

The RSA AK private key is attached via the TPM 2.0 resource manager

Feb 19 09:35:14 raspi5 resourcemgr[531]: Accept socket:  0xa
Feb 19 09:35:14 raspi5 resourcemgr[531]: Resource Manager Other CMD Server accepted client
Feb 19 09:35:14 raspi5 resourcemgr[531]: Accept socket:  0xb
Feb 19 09:35:14 raspi5 resourcemgr[531]: Resource Manager TPM CMD Server accepted client
Feb 19 09:35:14 raspi5 charon-systemd[20831]: TPM 2.0 - algorithms: RSA SHA1 HMAC AES KEYEDHASH XOR SHA256 RSASSA RSAES RSAPSS OAEP ECDSA ECDH SM2 KDF1_SP800_56A KDF1_SP800_108 ECC SYMCIPHER CFB
Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 - ECC curves: NIST_P256 BN_P256
Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 via TSS2 available
Feb 19 09:35:15 raspi5 charon-systemd[20831]: AIK signature algorithm is RSASSA with SHA256 hash

The ECC AK private key is attached via the TPM 2.0 resource manager

Feb 19 09:35:15 raspi5 resourcemgr[531]: Accept socket:  0x6
Feb 19 09:35:15 raspi5 resourcemgr[531]: Resource Manager Other CMD Server accepted client
Feb 19 09:35:15 raspi5 resourcemgr[531]: Accept socket:  0x7
Feb 19 09:35:15 raspi5 resourcemgr[531]: Resource Manager TPM CMD Server accepted client
Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 - algorithms: RSA SHA1 HMAC AES KEYEDHASH XOR SHA256 RSASSA RSAES RSAPSS OAEP ECDSA ECDH SM2 KDF1_SP800_56A KDF1_SP800_108 ECC SYMCIPHER CFB
Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 - ECC curves: NIST_P256 BN_P256
Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 via TSS2 available
Feb 19 09:35:15 raspi5 charon-systemd[20831]: AIK signature algorithm is ECDSA with SHA256 hash

The swanctl command line tool loads the RSA and ECC AK certificates as well as the demoCA root certificate and connects to the RSA and ECC private keys residing in the TPM

Feb 19 09:35:15 raspi5 swanctl[20849]: loaded certificate from '/etc/swanctl/x509/raspi5_ak_rsa_Cert.der'
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded certificate from '/etc/swanctl/x509/raspi5_ak_ecc_Cert.der'
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded certificate from '/etc/swanctl/x509ca/demoCaCert.pem'
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded key token_ak_rsa from token [keyid: f49e857dde4e67f5fb870398673f207cf33f2b66]
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded key token_ak_ecc from token [keyid: c70e63f87f6ff65500e5057f5a3e6b6ce7d2d513]
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded connection 'rsa'
Feb 19 09:35:15 raspi5 swanctl[20849]: loaded connection 'ecc'
Feb 19 09:35:15 raspi5 swanctl[20849]: successfully loaded 2 connections, 0 unloaded

Feb 19 09:35:15 raspi5 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.

The following swanctl command shows the two loaded connections

swanctl --list-conns

rsa: IKEv2, reauthentication every 10800s, no rekeying
  local:  10.10.0.105
  remote: 10.10.0.104
  local public key authentication:
    id: C=US, O=TNC Demo, OU=AIK RSA, CN=raspi5.example.com
    certs: C=US, O=TNC Demo, OU=AIK RSA, CN=raspi5.example.com
  remote public key authentication:
    id: raspi4.example.com
  rsa: TRANSPORT, rekeying every 3600s or 300000000 bytes or 500000 packets
    local:  dynamic
    remote: dynamic
ecc: IKEv2, reauthentication every 10800s, no rekeying
  local:  10.10.0.105
  remote: 10.10.0.104
  local public key authentication:
    id: C=US, O=TNC Demo, OU=AIK ECC, CN=raspi5.example.com
    certs: C=US, O=TNC Demo, OU=AIK ECC, CN=raspi5.example.com
  remote public key authentication:
    id: raspi4.example.com
  ecc: TRANSPORT, rekeying every 3600s or 300000000 bytes or 500000 packets
    local:  dynamic
    remote: dynamic

The loaded certificates can also be displayed

swanctl --list-certs

List of X.509 End Entity Certificates

  subject:  "C=US, O=TNC Demo, OU=AIK RSA, CN=raspi5.example.com" 
  issuer:   "C=US, O=TNC Demo, CN=TNC Demo CA" 
  validity:  not before Feb 19 09:33:43 2017, ok
             not after  Aug 29 10:33:43 2026, ok (expires in 3477 days)
  serial:    11:57:33:3e:2a:8e:8a:32
  altNames:  raspi5.example.com
  authkeyId: 21:02:7e:2d:de:8b:77:48:75:de:56:2f:b5:d4:62:ec:c3:09:15:f2
  subjkeyId: f4:9e:85:7d:de:4e:67:f5:fb:87:03:98:67:3f:20:7c:f3:3f:2b:66
  pubkey:    RSA 2048 bits, has private key
  keyid:     71:21:f5:d4:7e:59:4a:88:16:ca:57:85:98:3d:36:a7:b1:d5:75:fa
  subjkey:   f4:9e:85:7d:de:4e:67:f5:fb:87:03:98:67:3f:20:7c:f3:3f:2b:66

  subject:  "C=US, O=TNC Demo, OU=AIK ECC, CN=raspi5.example.com" 
  issuer:   "C=US, O=TNC Demo, CN=TNC Demo CA" 
  validity:  not before Feb 17 23:17:19 2017, ok
             not after  Aug 30 00:17:19 2026, ok (expires in 3478 days)
  serial:    52:9d:3e:42:6f:71:63:3d
  altNames:  raspi5.example.com
  authkeyId: 21:02:7e:2d:de:8b:77:48:75:de:56:2f:b5:d4:62:ec:c3:09:15:f2
  subjkeyId: c7:0e:63:f8:7f:6f:f6:55:00:e5:05:7f:5a:3e:6b:6c:e7:d2:d5:13
  pubkey:    ECDSA 256 bits, has private key
  keyid:     71:49:7c:42:41:e7:c6:81:bc:31:73:f0:0f:7e:4a:e1:2d:53:00:38
  subjkey:   c7:0e:63:f8:7f:6f:f6:55:00:e5:05:7f:5a:3e:6b:6c:e7:d2:d5:13


List of X.509 CA Certificates

  subject:  "C=US, O=TNC Demo, CN=TNC Demo CA" 
  issuer:   "C=US, O=TNC Demo, CN=TNC Demo CA" 
  validity:  not before Aug 31 10:29:27 2016, ok
             not after  Aug 31 10:29:27 2026, ok (expires in 3479 days)
  serial:    02:c8:85:e1:ef:fa:8f:20
  flags:     CA CRLSign self-signed 
  subjkeyId: 21:02:7e:2d:de:8b:77:48:75:de:56:2f:b5:d4:62:ec:c3:09:15:f2
  pubkey:    ECDSA 256 bits
  keyid:     a1:b5:e0:29:d0:4c:a7:62:bd:ca:a3:b4:af:18:42:2c:4a:01:55:9a
  subjkey:   21:02:7e:2d:de:8b:77:48:75:de:56:2f:b5:d4:62:ec:c3:09:15:f2

The "has private key" flag on both end entity certificates shows that each AK certificate has been matched to its private key inside the TPM: the subjkeyId of the RSA certificate (f4:9e:85:...) and of the ECC certificate (c7:0e:63:...) are exactly the key IDs that swanctl reported when it loaded token_ak_rsa and token_ak_ecc.
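The keyid and subjkey fingerprints printed by pki --print, and the match between a certificate's subjkeyId and the keyid swanctl logs when it loads a token key, are both SHA-1 hashes over parts of the public key's SubjectPublicKeyInfo. The following Python, added here and not part of strongSwan's code, computes both values from a PEM or DER public key with a minimal DER parser and checks a certificate's subjkeyId against a token's keyid. The RSA modulus in the usage part is a constructed toy value used only to exercise the encoding; the fingerprints it compares are the ones from the listings above.

```python
import base64
import hashlib
import re


# --- minimal DER encoder/decoder, enough for SubjectPublicKeyInfo ---

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # DER INTEGER is signed; keep it positive
    return der(0x02, b)


def read_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def rsa_spki(n, e):
    """Encode an RSA public key (n, e) as a SubjectPublicKeyInfo."""
    rsa_public_key = der(0x30, der_int(n) + der_int(e))             # PKCS#1 RSAPublicKey
    alg_id = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits


def spki_to_pem(spki_der):
    b64 = base64.b64encode(spki_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def key_ids(spki_der):
    """(keyid, subjkey) as printed by `pki --print`:
    keyid   = SHA-1 over the complete SubjectPublicKeyInfo,
    subjkey = SHA-1 over the subjectPublicKey bit string (RFC 5280 4.2.1.2, method 1),
    which is also what a CA puts into the certificate's subjectKeyIdentifier."""
    tag, body, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg, pos = read_tlv(body)          # AlgorithmIdentifier (RSA or EC), not needed here
    tag, bits, _ = read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return sha1_hex(spki_der), sha1_hex(bits[1:])   # drop the unused-bits octet


def fingerprint(hexdigest):
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def cert_matches_token(cert_subjkey_id, token_keyid):
    """swanctl pairs a certificate with a token key when the certificate's
    subjectKeyIdentifier equals the key ID the token reported."""
    def norm(s):
        return s.replace(":", "").lower()
    return norm(cert_subjkey_id) == norm(token_keyid)


if __name__ == "__main__":
    # Constructed toy modulus, not a real key: only the encoding matters here.
    spki = rsa_spki((1 << 2047) + 12345, 65537)
    keyid, subjkey = key_ids(pem_to_der(spki_to_pem(spki)))
    print("keyid:  ", fingerprint(keyid))
    print("subjkey:", fingerprint(subjkey))
    # Values from the page: the RSA AK certificate's subjkeyId matches the keyid swanctl
    # logged for token_ak_rsa, but not the one logged for token_ak_ecc.
    rsa_cert_subjkey = "f4:9e:85:7d:de:4e:67:f5:fb:87:03:98:67:3f:20:7c:f3:3f:2b:66"
    print(cert_matches_token(rsa_cert_subjkey, "f49e857dde4e67f5fb870398673f207cf33f2b66"))
    print(cert_matches_token(rsa_cert_subjkey, "c70e63f87f6ff65500e5057f5a3e6b6ce7d2d513"))
```

For a key exported with pki --pub as above, key_ids(pem_to_der(open("ak_rsa_pub.pem").read())) yields the same keyid and subjkey that pki --print --type pub shows, and the subjkey is the value to expect in the subjkeyId of the certificate the CA issues for it.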