Trusted Platform Module 2.0 » History » Version 9
« Previous -
Version 9/158
(diff) -
Next » -
Current version
Andreas Steffen, 18.02.2017 17:49
Trusted Platform Module 2.0¶
- Table of contents
- Trusted Platform Module 2.0
Connect to a TPM 2.0 device¶
In order to connect to a TPM 2.0 hardware or firmware device, the TSS2 software stack developed by Intel is needed. Because the official Ubuntu tpm2-tss package is rather outdated (e.g. since version 0.98 the TCTI interface to the TPM 2.0 resource manager has changed several times), strongSwan is currently based on a recent version directly drawn from the TPM2-TSS git repository https://github.com/01org/TPM2.0-TSS. Avoid any TCTI interface incompatibilities by fetching the latest tpm2-tools version from https://github.com/01org/tpm2.0-tools as well.
Build and install both the tpm2-tss stack and the tpm2.0-tools, start the tpm2-resourcemgr as a servicein the background and try to connect to the TPM 2.0 by listing e.g. the contents of the SHA-1 bank of PCR registers
tpm2_listpcrs -g 0x0004Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_10: a9 45 e7 0f 42 a2 79 f0 78 ca d4 64 60 39 39 da 9d 6a d1 a5
PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00A manual showing all tpm2-tools functions with their arguments can be found here.
TPM 2.0 Algorithm IDs¶
Hash Algorithms¶
| 0x0004 | SHA-1 |
| 0x000B | SHA-2_256 |
| 0x000C | SHA-2_384 |
| 0x000D | SHA-2_512 |
Currently available TPM 2.0 devices like the Infineon Optiga SLB 9670 VQ2.0 hardware TPM or Intel's PTT firmware TPM support the SHA-1 and SHA-2_256 algorithms.
Public Key Types¶
| 0x0001 | RSA |
| 0x0023 | ECC |
The RSA keys have a modulus size of 2048 bits and the ECC keys are based on the 256 bit NIST curve.
Derivation of a Persistent RSA Endorsement Key¶
tpm2_getpubek -H 0x81010001 -g 0x0001The 2048 bit RSA Endorsement Key (EK) is derived deterministically from the secret Endorsement Seed unique to each TPM device and is made persistent under the object handle 0x81010001. The public key can be exported in PKCS#1 format using the pki tool:
pki --pub --keyid 81010001 --outform pem > ek_rsa_pub.pemThe fingerprint of the RSA EK public key can be displayed with the command
pki --print --type pub --in ek_rsa_pub.pem
pubkey: RSA 2048 bits
keyid: d1:f1:49:84:36:44:e6:8c:d2:a6:69:ee:fd:b5:7d:56:2f:39:ff:58
subjkey: c1:1b:8e:f1:c7:f8:8a:1e:9a:dd:7e:82:2f:7a:a3:f5:c0:e2:4d:7dDerivation of a Persistent ECC Endorsement Key¶
tpm2_getpubek -H 0x81010002 -g 0x0023The 256 bit ECC Endorsement Key (EK) is derived deterministically from the secret Endorsement Seed unique to each TPM device and is made persistent under the object handle 0x81010002. The public key can be exported in PKCS#1 format using the pki tool:
pki --pub --keyid 81010002 > ek_ecc_pub.derThe fingerprint of the ECC EK public key can be displayed with the command
pki --print --type pub --in ek_ecc_pub.der
pubkey: ECDSA 256 bits
keyid: 7f:39:ca:e6:83:9b:a9:06:97:40:27:6a:e1:bf:8f:f5:9f:d3:a5:31
subjkey: 8b:43:4d:5e:5e:7b:ff:c2:54:4d:ef:88:cb:0c:7c:47:75:28:4d:09
TPM Private Key Access via VICI Interface¶
Configuration of TPM private key access in swanctl.conf:
secrets {
token_ak_rsa {
handle = 81010002
}
token_ak_ecc {
handle = 81010004
}
}