Version 7 - History - Trusted Platform Module 2.0 - strongSwan

Trusted Platform Module 2.0 » History » Version 7

Andreas Steffen, 18.02.2017 17:23

-Andreas Steffen
+h1. Trusted Platform Module 2.0
 Andreas Steffen
-Andreas Steffen
+{{>toc}}
 Andreas Steffen
-Andreas Steffen
+h2. Connect to a TPM 2.0 device
 Andreas Steffen
-Andreas Steffen
+In order to connect to a TPM 2.0 hardware or firmware device, the TSS2 software stack developed by Intel is needed. Because the official Ubuntu *tpm2-tss* package is rather outdated (e.g. since version 0.98 the TCTI interface to the TPM 2.0 resource manager has changed several times), strongSwan is currently based on a recent version directly drawn from the TPM2-TSS git repository https://github.com/01org/TPM2.0-TSS. Avoid any TCTI interface incompatibilities by fetching the latest *tpm2-tools* version from https://github.com/01org/tpm2.0-tools as well.
 Andreas Steffen
-Andreas Steffen
+Build and install both the *tpm2-tss* stack and the *tpm2.0-tools*, start the *tpm2-resourcemgr* as a servicein the background and try to connect to the TPM 2.0 by listing e.g. the contents of the SHA-1 bank of PCR registers
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+ tpm2_listpcrs -g 0x0004
 Andreas Steffen
-Andreas Steffen
+ Bank/Algorithm: TPM_ALG_SHA1(0x0004)
-Andreas Steffen
+PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_10: a9 45 e7 0f 42 a2 79 f0 78 ca d4 64 60 39 39 da 9d 6a d1 a5
-Andreas Steffen
+PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Andreas Steffen
-Andreas Steffen
+A manual showing all *tpm2-tools* functions with their arguments can be found "here":https://github.com/01org/tpm2.0-tools/blob/master/manual.
 Andreas Steffen
-Andreas Steffen
+h2. TPM 2.0 Algorithm IDs
 Andreas Steffen
-Andreas Steffen
+Hash Algorithms
-Andreas Steffen
+|0x0004 |SHA-1     |
-Andreas Steffen
+|0x000B |SHA-2_256 |
-Andreas Steffen
+|0x000C |SHA-2_384 |
-Andreas Steffen
+|0x000D |SHA-2_512 |
 Andreas Steffen
-Andreas Steffen
+Currently available TPM 2.0 devices like the Infineon *Optiga SLB 9670 VQ2.0* hardware TPM or Intel's *PTT* firmware TPM support the SHA-1 and SHA-2_256 algorithms.
 Andreas Steffen
-Andreas Steffen
+h2. TPM Private Key Access via VICI Interface
 Andreas Steffen
-Andreas Steffen
+Configuration of TPM private key access in *swanctl.conf*:
 Andreas Steffen
-Andreas Steffen
+ secrets {
-Andreas Steffen
+    token_ak_rsa {
-Andreas Steffen
+       handle = 81010002
 Andreas Steffen
-Andreas Steffen
+    token_ak_ecc {
-Andreas Steffen
+       handle = 81010004
 Andreas Steffen
 Andreas Steffen

Project

General

Profile

strongSwan

Trusted Platform Module 2.0 » History » Version 7