Trusted Platform Module 2.0 » History » Version 9
Version 8 (Andreas Steffen, 18.02.2017 17:29) → Version 9/158 (Andreas Steffen, 18.02.2017 17:49)
h1. Trusted Platform Module 2.0
{{>toc}}
h2. Connect to a TPM 2.0 device
In order to connect to a TPM 2.0 hardware or firmware device, the TSS2 software stack developed by Intel is needed. Because the official Ubuntu *tpm2-tss* package is rather outdated (e.g. since version 0.98 the TCTI interface to the TPM 2.0 resource manager has changed several times), strongSwan is currently based on a recent version directly drawn from the TPM2-TSS git repository https://github.com/01org/TPM2.0-TSS. Avoid any TCTI interface incompatibilities by fetching the latest *tpm2-tools* version from https://github.com/01org/tpm2.0-tools as well.
Build and install both the *tpm2-tss* stack and the *tpm2.0-tools*, start the *tpm2-resourcemgr* as a servicein the background and try to connect to the TPM 2.0 by listing e.g. the contents of the SHA-1 bank of PCR registers
tpm2_listpcrs -g 0x0004
Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_10: a9 45 e7 0f 42 a2 79 f0 78 ca d4 64 60 39 39 da 9d 6a d1 a5
PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
A manual showing all *tpm2-tools* functions with their arguments can be found "here":https://github.com/01org/tpm2.0-tools/blob/master/manual.
h2. TPM 2.0 Algorithm IDs
h3. Hash Algorithms
|0x0004 |SHA-1 |
|0x000B |SHA-2_256 |
|0x000C |SHA-2_384 |
|0x000D |SHA-2_512 |
Currently available TPM 2.0 devices like the Infineon *Optiga SLB 9670 VQ2.0* hardware TPM or Intel's *PTT* firmware TPM support the *SHA-1* and *SHA-2_256* algorithms.
h3. Public Key Types
|0x0001 |RSA |
|0x0023 |ECC |
The RSA keys have a modulus size of 2048 bits and the ECC keys are based on the 256 bit NIST curve.
h2. Derivation of a Persistent RSA Endorsement Key
tpm2_getpubek -H 0x81010001 -g 0x0001
The 2048 bit RSA Endorsement Key (EK) is derived deterministically from the secret *Endorsement Seed* unique to each TPM device and is made persistent under the object handle *0x81010001*. The public key can be exported in PKCS#1 format using the *pki* tool:
pki --pub --keyid 81010001 --outform pem > ek_rsa_pub.pem
The fingerprint of the RSA EK public key can be displayed with the command
pki --print --type pub --in ek_rsa_pub.pem
pubkey: RSA 2048 bits
keyid: d1:f1:49:84:36:44:e6:8c:d2:a6:69:ee:fd:b5:7d:56:2f:39:ff:58
subjkey: c1:1b:8e:f1:c7:f8:8a:1e:9a:dd:7e:82:2f:7a:a3:f5:c0:e2:4d:7d
h2. Derivation of a Persistent ECC Endorsement Key
tpm2_getpubek -H 0x81010002 -g 0x0023
The 256 bit ECC Endorsement Key (EK) is derived deterministically from the secret *Endorsement Seed* unique to each TPM device and is made persistent under the object handle *0x81010002*. The public key can be exported in PKCS#1 format using the *pki* tool:
pki --pub --keyid 81010002 > ek_ecc_pub.der
The fingerprint of the ECC EK public key can be displayed with the command
pki --print --type pub --in ek_ecc_pub.der
pubkey: ECDSA 256 bits
keyid: 7f:39:ca:e6:83:9b:a9:06:97:40:27:6a:e1:bf:8f:f5:9f:d3:a5:31
subjkey: 8b:43:4d:5e:5e:7b:ff:c2:54:4d:ef:88:cb:0c:7c:47:75:28:4d:09
|
h2. TPM Private Key Access via VICI Interface
Configuration of TPM private key access in *swanctl.conf*:
secrets {
token_ak_rsa {
handle = 81010002
}
token_ak_ecc {
handle = 81010004
}
}
{{>toc}}
h2. Connect to a TPM 2.0 device
In order to connect to a TPM 2.0 hardware or firmware device, the TSS2 software stack developed by Intel is needed. Because the official Ubuntu *tpm2-tss* package is rather outdated (e.g. since version 0.98 the TCTI interface to the TPM 2.0 resource manager has changed several times), strongSwan is currently based on a recent version directly drawn from the TPM2-TSS git repository https://github.com/01org/TPM2.0-TSS. Avoid any TCTI interface incompatibilities by fetching the latest *tpm2-tools* version from https://github.com/01org/tpm2.0-tools as well.
Build and install both the *tpm2-tss* stack and the *tpm2.0-tools*, start the *tpm2-resourcemgr* as a servicein the background and try to connect to the TPM 2.0 by listing e.g. the contents of the SHA-1 bank of PCR registers
tpm2_listpcrs -g 0x0004
Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_10: a9 45 e7 0f 42 a2 79 f0 78 ca d4 64 60 39 39 da 9d 6a d1 a5
PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
A manual showing all *tpm2-tools* functions with their arguments can be found "here":https://github.com/01org/tpm2.0-tools/blob/master/manual.
h2. TPM 2.0 Algorithm IDs
h3. Hash Algorithms
|0x0004 |SHA-1 |
|0x000B |SHA-2_256 |
|0x000C |SHA-2_384 |
|0x000D |SHA-2_512 |
Currently available TPM 2.0 devices like the Infineon *Optiga SLB 9670 VQ2.0* hardware TPM or Intel's *PTT* firmware TPM support the *SHA-1* and *SHA-2_256* algorithms.
h3. Public Key Types
|0x0001 |RSA |
|0x0023 |ECC |
The RSA keys have a modulus size of 2048 bits and the ECC keys are based on the 256 bit NIST curve.
h2. Derivation of a Persistent RSA Endorsement Key
tpm2_getpubek -H 0x81010001 -g 0x0001
The 2048 bit RSA Endorsement Key (EK) is derived deterministically from the secret *Endorsement Seed* unique to each TPM device and is made persistent under the object handle *0x81010001*. The public key can be exported in PKCS#1 format using the *pki* tool:
pki --pub --keyid 81010001 --outform pem > ek_rsa_pub.pem
The fingerprint of the RSA EK public key can be displayed with the command
pki --print --type pub --in ek_rsa_pub.pem
pubkey: RSA 2048 bits
keyid: d1:f1:49:84:36:44:e6:8c:d2:a6:69:ee:fd:b5:7d:56:2f:39:ff:58
subjkey: c1:1b:8e:f1:c7:f8:8a:1e:9a:dd:7e:82:2f:7a:a3:f5:c0:e2:4d:7d
h2. Derivation of a Persistent ECC Endorsement Key
tpm2_getpubek -H 0x81010002 -g 0x0023
The 256 bit ECC Endorsement Key (EK) is derived deterministically from the secret *Endorsement Seed* unique to each TPM device and is made persistent under the object handle *0x81010002*. The public key can be exported in PKCS#1 format using the *pki* tool:
pki --pub --keyid 81010002 > ek_ecc_pub.der
The fingerprint of the ECC EK public key can be displayed with the command
pki --print --type pub --in ek_ecc_pub.der
pubkey: ECDSA 256 bits
keyid: 7f:39:ca:e6:83:9b:a9:06:97:40:27:6a:e1:bf:8f:f5:9f:d3:a5:31
subjkey: 8b:43:4d:5e:5e:7b:ff:c2:54:4d:ef:88:cb:0c:7c:47:75:28:4d:09
|
h2. TPM Private Key Access via VICI Interface
Configuration of TPM private key access in *swanctl.conf*:
secrets {
token_ak_rsa {
handle = 81010002
}
token_ak_ecc {
handle = 81010004
}
}