TPM 2.0 software stack

This article was updated on 2018-08-11

Building tss (tpm2-tss)

wget https://github.com/tpm2-software/tpm2-tss/releases/download/1.4.0/tpm2-tss-1.4.0.tar.gz
tar xzf tpm2-tss-1.4.0.tar.gz
cd tpm2-tss-1.4.0

./configure --disable-static

make

sudo make install-libsapiHEADERS \
    install-libtctiHEADERS \
    install-libLTLIBRARIES \
    install-pkgconfigDATA 

Building abrmd (tpm2-abrmd)

cd $HOME

wget https://github.com/tpm2-software/tpm2-abrmd/releases/download/1.3.1/tpm2-abrmd-1.3.1.tar.gz
tar xzf tpm2-abrmd-1.3.1.tar.gz
cd tpm2-abrmd-1.3.1

./configure --disable-static \
    --with-dbuspolicydir=/etc/dbus-1/system.d \
    --with-udevrulesdir=/etc/udev/rules.d/ \
    --with-udevrulesprefix="99-" \
    --with-systemdsystemunitdir=/usr/lib/systemd/system/ \
    --with-systemdpresetdir=/usr/lib/systemd/system-preset/

make

# headers and shared libraries
sudo make install-libtcti_tabrmdHEADERS \
    install-libLTLIBRARIES \
    install-pkgconfigDATA

# /etc/dbus-1/system.d/tpm2-abrmd.conf
sudo make install-dbuspolicyDATA

# /usr/local/sbin/tpm2-abrmd
sudo make install-sbinPROGRAMS

Running abrmd

  • If the system already has a /dev/tpm0 device:
sudo su

/usr/local/sbin/tpm2-abrmd --tcti=device &
  • If the system has no /dev/tpm0 device file, the only option is a simulator (Simulator.exe or tpm_server):
cd $HOME
wget https://downloads.sourceforge.net/project/ibmswtpm2/ibmtpm1119.tar.gz
mkdir ibmtpm
cd ibmtpm
tar xzvf ../ibmtpm1119.tar.gz
make -C src
./src/tpm_server &

sudo su
/usr/local/sbin/tpm2-abrmd --tcti=socket &
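The two launch variants above share one decision: talk to the hardware device node if it exists, otherwise to the simulator over a socket. The following POSIX sh script is an added illustration, not part of the original post, that wraps that decision in a function and starts tpm_server and tpm2-abrmd from the paths built above. The helper names and the START_TPM_STACK variable are this example's own; the abrmd still needs to run as root for the device path, as the post does with sudo su.

```shell
#!/bin/sh
# Added example (not from the original post): choose the tpm2-abrmd TCTI from
# the presence of a TPM device node, and start the IBM software TPM first
# when no hardware TPM is present.
# Assumed paths, matching the build steps above: tpm_server under
# $HOME/ibmtpm/src and tpm2-abrmd under /usr/local/sbin.
set -u

# Print "device" when the given device node exists, otherwise "socket".
# Defaults to /dev/tpm0; another path can be passed to exercise both branches.
choose_tcti() {
    dev="${1:-/dev/tpm0}"
    if [ -e "$dev" ]; then
        echo device
    else
        echo socket
    fi
}

# Start tpm_server in the background unless one is already running.
start_simulator() {
    sim="${1:-$HOME/ibmtpm/src/tpm_server}"
    if pgrep -x tpm_server >/dev/null 2>&1; then
        echo "tpm_server already running"
        return 0
    fi
    [ -x "$sim" ] || { echo "simulator not found: $sim" >&2; return 1; }
    "$sim" >/dev/null 2>&1 &
    sleep 1   # give the simulator a moment to open its listening ports
}

# Start the resource manager with the chosen TCTI; for the socket TCTI the
# simulator has to be up first, since abrmd connects to it at startup.
start_abrmd() {
    tcti="$1"
    abrmd="${2:-/usr/local/sbin/tpm2-abrmd}"
    [ -x "$abrmd" ] || { echo "tpm2-abrmd not found: $abrmd" >&2; return 1; }
    if [ "$tcti" = socket ]; then
        start_simulator || return 1
    fi
    "$abrmd" --tcti="$tcti" &
    echo "tpm2-abrmd started with --tcti=$tcti (pid $!)"
}

# Only launch daemons when explicitly asked (START_TPM_STACK=1), so the file
# can also be sourced just for its helper functions.
if [ "${START_TPM_STACK:-0}" = 1 ]; then
    tcti=$(choose_tcti)
    start_abrmd "$tcti"
fi
```

Run it as `sudo START_TPM_STACK=1 sh start-tpm-stack.sh`; the device branch needs root for /dev/tpm0, the socket branch does not, but the post starts abrmd as root in both cases.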

Building tools (tpm2-tools)

cd $HOME

wget https://github.com/tpm2-software/tpm2-tools/releases/download/3.0.3/tpm2-tools-3.0.3.tar.gz
tar xzf tpm2-tools-3.0.3.tar.gz
cd tpm2-tools-3.0.3

./configure

make

sudo make install

Running tools

sudo ldconfig

# Create the primary object under the owner hierarchy
/usr/local/bin/tpm2_createprimary --hierarchy o -g sha256 -G rsa -C $HOME/PrimaryNode.ctx
# ObjectAttribute: 0x00030072
# CreatePrimary Succeed ! Handle: 0x800000ff

# Create a TPM-generated RSA key under the primary
/usr/local/bin/tpm2_create -c $HOME/PrimaryNode.ctx -g sha256 -G rsa -u $HOME/ChildKey.pub -r $HOME/ChildKey.priv
#algorithm:
#  value: sha256
#  raw: 0xb
#attributes:
#  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
#  raw: 0x60072
#type: 
#  value: rsa
#  raw: 0x1
#  rsa: (public key bytes omitted)

# Load the .pub/.priv pair under the primary and save the loaded object's context as ChildKey.ctx
/usr/local/bin/tpm2_load -c $HOME/PrimaryNode.ctx -u $HOME/ChildKey.pub -r $HOME/ChildKey.priv -C $HOME/ChildKey.ctx
# Load succ.
# LoadedHandle: 0x80000100

# Once the key is available as ChildKey.ctx, the following can be run:
# tpm2_rsaencrypt
# tpm2_rsadecrypt

# tpm2_hash to produce a hash digest plus a validation ticket
# tpm2_sign to sign the digest
# tpm2_verify to check the signature produced in the previous step
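The attribute words printed above (0x00030072 for the primary, 0x60072 for the child) are TPMA_OBJECT bit masks, and they are what makes the two objects behave differently: the primary is restricted|decrypt, so it can only be a parent and cannot sign, while the child is fixedtpm|fixedparent, so its private part can never be duplicated out of the TPM. The POSIX sh script below is an added example, not part of the original post: decode_object_attrs expands such a value into the names tpm2-tools prints (bit positions from TPM 2.0 Library Part 2), and run_key_workflow chains the post's three commands with an encrypt/decrypt round trip and a sign/verify pass. The createprimary, create and load flags are the ones shown in the post; the rsaencrypt, rsadecrypt, sign and verifysignature flags are assumed from the tpm2-tools 3.0.x man pages, so check `--help` on a different version. RUN_TPM_WORKFLOW and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): decode TPMA_OBJECT values and
# run the key workflow end to end against the abrmd started earlier.
set -u

# Print the attribute names set in a TPMA_OBJECT value such as 0x60072,
# joined with "|" in ascending bit order, the order tpm2_create prints them.
# Bit positions: TPM 2.0 Library Part 2, TPMA_OBJECT.
decode_object_attrs() {
    v=$(( $1 ))
    out=""
    for pair in \
        fixedtpm:0x2 stclear:0x4 fixedparent:0x10 sensitivedataorigin:0x20 \
        userwithauth:0x40 adminwithpolicy:0x80 noda:0x400 \
        encryptedduplication:0x800 restricted:0x10000 decrypt:0x20000 \
        sign:0x40000
    do
        name=${pair%%:*}
        bit=$(( ${pair#*:} ))
        if [ $(( v & bit )) -ne 0 ]; then
            out="${out:+$out|}$name"
        fi
    done
    echo "$out"
}

# Run the post's workflow in $1 (default $HOME). Requires tpm2-abrmd to be
# running and tpm2-tools installed under /usr/local/bin as in the post.
# Flags for rsaencrypt/rsadecrypt/sign/verifysignature are assumed from the
# tpm2-tools 3.0.x man pages (-I input, -o output, -m message, -s signature,
# -t ticket); verify them with --help on other versions.
run_key_workflow() {
    dir="${1:-$HOME}"
    bin=/usr/local/bin
    $bin/tpm2_createprimary --hierarchy o -g sha256 -G rsa -C "$dir/PrimaryNode.ctx"
    $bin/tpm2_create -c "$dir/PrimaryNode.ctx" -g sha256 -G rsa \
        -u "$dir/ChildKey.pub" -r "$dir/ChildKey.priv"
    $bin/tpm2_load -c "$dir/PrimaryNode.ctx" -u "$dir/ChildKey.pub" \
        -r "$dir/ChildKey.priv" -C "$dir/ChildKey.ctx"

    # Encrypt with the public part, decrypt inside the TPM: the private part
    # never leaves the chip (fixedtpm|fixedparent), so a byte-exact round trip
    # confirms the loaded context really is the key that was created.
    printf 'hello tpm' > "$dir/msg.txt"
    $bin/tpm2_rsaencrypt -c "$dir/ChildKey.ctx" -I "$dir/msg.txt" -o "$dir/msg.enc"
    $bin/tpm2_rsadecrypt -c "$dir/ChildKey.ctx" -I "$dir/msg.enc" -o "$dir/msg.dec"
    cmp "$dir/msg.txt" "$dir/msg.dec"

    # Sign with the child key (it carries the sign attribute; the primary does
    # not) and verify, which also emits a validation ticket.
    $bin/tpm2_sign -c "$dir/ChildKey.ctx" -g sha256 -m "$dir/msg.txt" -s "$dir/msg.sig"
    $bin/tpm2_verifysignature -c "$dir/ChildKey.ctx" -g sha256 -m "$dir/msg.txt" \
        -s "$dir/msg.sig" -t "$dir/msg.tkt"
    echo "round trip and signature check succeeded"
}

# Only talk to the TPM when asked (RUN_TPM_WORKFLOW=1); otherwise the file
# just defines the helpers above.
if [ "${RUN_TPM_WORKFLOW:-0}" = 1 ]; then
    set -e
    run_key_workflow "${1:-$HOME}"
    echo "child key attributes: $(decode_object_attrs 0x60072)"
fi
```

Run `sh tpm-keys.sh` to load the helpers without touching the TPM, or `RUN_TPM_WORKFLOW=1 sh tpm-keys.sh /tmp/tpmdemo` to execute the workflow; `decode_object_attrs 0x00030072` prints fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt, matching the primary's output above.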

Open questions:

  • There is no way to view each command's command-line options, which is inconvenient. So I recommend installing pandoc (sudo apt-get install pandoc) and then rebuilding tpm2-tools: delete the old tools-3.0.3 directory, then re-run ./configure && make install-man

  • tpm2-tools-3.0.3 also depends on python and python-yaml, but it is fine not to install them
