最近有项目需要,需要开发移动终端的安全。首先想到的是可信计算,可信计算在PC机比较流行,但是目前对可信计算的褒贬不一,这里不作评论。本文的目的是记录一下我的开发过程。
我使用的芯片是ATMEL公司的AT97SC3204T,基于I2C总线的。从选型、硬件设计、画板、驱动、TSS栈一条龙下来,目前进展的还算顺利。
一、硬件设计和驱动
先说一下硬件的设计,上图!
原理图异常简单,根据手册的要求设计即可。这里值得提一下的是,手册里要求必须上拉的引脚务必上拉,否则芯片将不能工作。我遇到的情况是由于当初手动焊接该芯片,导致一个引脚虚焊,在加载I2C驱动程序进行芯片探测的时候,一直找不到它:
后来补焊之后就OK了。这里贴一下驱动加载OK之后的一些效果,具体的使用下一步再说。
加载驱动:
[zhang@ray210 /nfs/at97sc3204t]# insmod tpm_data.ko
[zhang@ray210 /nfs/at97sc3204t]# insmod tpm_i2c_atmel.ko
tpm_i2c_atmel 0-0029: probe TPM 1.2 start.
tpm_i2c_atmel 0-0029: misc device /dev/tpm0 created.
tpm_i2c_atmel 0-0029: Issuing TPM_STARTUP OK.
tpm_i2c_atmel 0-0029: probe TPM 1.2 succeed.
[zhang@ray210 /sys/devices/platform/s3c2440-i2c.0/i2c-0/0-0029]# ls
active enabled pcrs timeouts
cancel misc power uevent
caps modalias pubek
driver name subsystem
durations owned temp_deactivated
看一下文件内容:
[zhang@ray210 /sys/devices/platform/s3c2440-i2c.0/i2c-0/0-0029]# cat pcrs
PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[zhang@ray210 /sys/devices/platform/s3c2440-i2c.0/i2c-0/0-0029]# cat caps
Manufacturer: 0x41544d4c //ATML的ASCII码
TCG version: 1.2
Firmware version: 37.13
[zhang@ray210 /sys/devices/platform/s3c2440-i2c.0/i2c-0/0-0029]# cat pubek
Algorithm: 00 00 00 01
Encscheme: 00 03
Sigscheme: 00 01
Parameters: 00 00 08 00 00 00 00 02 00 00 00 00
Modulus length: 256
Modulus:
AB 56 7C 0E 60 8C 5C 18 9E 90 2C 37 32 CF E3 FE
4F A7 B5 0C 78 A1 5D A7 39 EB C0 06 87 05 DB 1F
E4 AB 2A 9A 68 E3 5B B6 FB 27 69 5A 4B E2 90 65
04 B2 78 CF 44 02 7C 16 4C FB F5 F0 F6 25 7D 31
F1 2E D8 67 93 5A 48 B2 C1 4C 16 FD 97 E5 86 65
4A 2E 07 4B 14 78 F7 66 83 66 05 B0 EA EC 1E 16
CF F9 F9 C5 5C BC 7B 42 24 A1 A7 1B 55 D7 4B B1
62 7F 90 88 EE FB FB 26 B1 4F 56 97 8C D0 12 05
A6 EF 09 C9 08 10 F2 1B 65 9C F2 05 7B CC 4E 6A
65 0C 1C E1 B5 3E 86 7D F8 0B 8B 6F E3 72 2B CB
C9 3D F8 61 F4 83 74 B1 38 A6 CE DE 18 7F 8D C4
8F A1 8E A6 AC 71 A4 89 60 D3 3E 5F 3D 18 5C 32
6C 96 1D 84 8B 50 C3 5B 68 5C 16 2D 9C BB F1 79
60 6E C9 25 AA EC 26 9E 9E D4 D6 89 F3 FF 23 AA
75 46 3B 4A EA 1D E5 03 B9 AC 6D F8 2D 88 FF 84
12 B8 47 CF 3A 32 C9 66 C6 E3 2C 1F 7D 30 D8 99
二、TSS栈
这里指的是Trousers,我用的版本是0.3.11.2。Trousers是一个开源可信计算软件栈,它从下到上依次为TDDL(驱动库)、TCS(核心服务)、TSP(服务提供者),tcsd是编译完毕之后的一个用户态可执行文件,作为守护进程运行。tcsd需在系统启动初始化阶段运行,这样以后所有要操作tpm的程序都必须经过TSS栈,这也是TCG规范所规定的。TDDL负责唯一打开TPM设备,实现打开、关闭、收发指令数据、获取版本信息等,TCS提供核心服务,调用TDDL。TSP是给上层程序的接口,用户可以编写应用程序利用这些接口,实现操作TPM。
1) 修改一下文件
修改src/include/tcsd.h里面的宏定义为:
#defineTCSD_DEFAULT_CONFIG_FILE "/etc/tcsd.conf"
这是默认的tcsd的配置文件,要不然默认的配置文件是编译输出的文件夹。按照下一步的做法,即是:$PWD/out/ etc/tcsd.conf。
当然,这一步不做的话也可以,使用 -c指定配置文件: tcsd -c /etc/tcsd.conf
2) 编译安装
[root@ubuntu:/home/zcw/tpm/trousers-0.3.11.2]# ./configure --host=arm-linux --prefix=$PWD/out LIBS=-liconv
[root@ubuntu:/home/zcw/tpm/trousers-0.3.11.2]# make
[root@ubuntu:/home/zcw/tpm/trousers-0.3.11.2]# make install
[root@ubuntu:/home/zcw/tpm/trousers-0.3.11.2]# ls out/
etc include lib sbin share var
3) 将编译出的文件拷贝到根文件系统
4) 执行tcsd可能遇到的错误:
错误1:
[zhang@ray210 /mine]# ./tcsd -f
TCSD ERROR: Group "tss" not found, please add this groupmanually.
修改/etc/group文件,里面添加一行(其中1001是PC机上模拟器的,可以尝试一下别的是否可行):
tss::1001:
错误2:
[zhang@ray210 /mine]# ./tcsd -f
TCSD ERROR: User "tss" not found, please add this usermanually.
办法,看了一下PC上的(事先在PC上安装了模拟器),修改/etc目录下的passwd,添加一行:
tss:x:999:1001::/:/bin/sh
错误3:
[zhang@ray210 /mine]# ./tcsd -f
TCSD ERROR: TCSD config file (/etc/tcsd.conf)must be user/group tss/tss
执行:
[zhang@ray210 /nfs]# chown tss /etc/tcsd.conf
[zhang@ray210 /nfs]# chgrp tss etc/tcsd.conf
错误4:
[zhang@ray210 /nfs]# ./tcsd -f
TCSD ERROR: Failed bind: Cannot assign requested address
解决办法
[zhang@ray210 /nfs]# ifconfig lo up
之后就成功了。
[zhang@ray210 /nfs/at97sc3204t]# tcsd -f
TCSD TDDL ioctl: (25) Inappropriate ioctl for device
TCSD TDDL Falling back to Read/Write device support.
TCSD trousers 0.3.11.2: TCSD up and running.
修改:tpm_nvread.c添加下面头文件:
26 #include
[root@ubuntu:/home/zcw/open_source_tools/tpm/tpm-tools-1.3.8]# ./configure--prefix=$PWD/out --host=arm-linux --with-openssl=/path/to/openssl/compiled_out
[root@ubuntu:/home/zcw/open_source_tools/tpm/tpm-tools-1.3.8]# make
[root@ubuntu:/home/zcw/open_source_tools/tpm/tpm-tools-1.3.8]# makeinstall
拷贝库、可执行文件到根文件系统。
测试芯片:
[zhang@ray210 /nfs/at97sc3204t]# tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.37.13
Spec Level: 2
Errata Revision: 2
TPM Vendor ID: ATML
TPM Version: 01010000
Manufacturer Info: 41544d4c