1. linux defconfig
CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
2.
preinstall openssl
3.download source
tpm2-tss-4.1.3.tar.gz
https://github.com/tpm2-software/tpm2-tss/releases
tpm2-tools-5.7.tar.gz
https://github.com/tpm2-software/tpm2-tools/releases
4. ########### tpm2-tss Makefile ###########
TPM2_TSS_NAME = tpm2-tss
TPM2_TSS_VERSION = 4.1.3
TPM2_TSS_SRC_DIR = $(SOURCE_DIR)/$(TPM2_TSS_NAME)-$(TPM2_TSS_VERSION)
TPM2_TSS_BUILD_DIR = $(OBJS_DIR)/$(TPM2_TSS_NAME)-$(TPM2_TSS_VERSION)
TPM2_TSS_CFLAGS = -Os
TPM2_TSS_LDFLAGS = -Wl,-rpath-link,$(STAGING_DIR)/usr/lib
TPM2_TSS_CONFIGURE = --build=x86_64-unknown-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
TPM2_TSS_CONFIGURE += --prefix=$(TPM2_TSS_BUILD_DIR)/build
TPM2_TSS_DEPENDENCIES = openssl
tpm2-tss-source:
@echo ">>> Checkout $(TPM2_TSS_NAME) Ver. $(TPM2_TSS_VERSION) ....."
tpm2-tss-update: tpm2-tss-source
@$(CMD_MKDIR) -p $(TPM2_TSS_BUILD_DIR)
tpm2-tss: tpm2-tss-update
echo tpm2-tss >> $(COMPLETE_FILE)
@echo ">>> Building $(TPM2_TSS_NAME) Ver. $(TPM2_TSS_VERSION) ....."
@[ -f $(TPM2_TSS_BUILD_DIR)/Makefile ] || (cd $(TPM2_TSS_BUILD_DIR) && $(TPM2_TSS_SRC_DIR)/configure $(TPM2_TSS_CONFIGURE) \
CFLAGS='$(TPM2_TSS_CFLAGS)' CXXFLAGS='$(TPM2_TSS_CFLAGS)' LDFLAGS='$(TPM2_TSS_LDFLAGS)')
@[ -f $(TPM2_TSS_BUILD_DIR)/build/lib/libtss2-esys.so ] || $(MAKE) -C $(TPM2_TSS_BUILD_DIR) install
@install -m 755 -d $(STAGING_DIR)/usr/include/tpm2-tss
@cp -rf $(TPM2_TSS_BUILD_DIR)/build/include $(STAGING_DIR)/usr/include/tpm2-tss
@cp -af $(TPM2_TSS_BUILD_DIR)/build/lib/pkgconfig/tss2-*.pc $(STAGING_DIR)/usr/lib/pkgconfig
tpm2-tss-install: tpm2-tss
@echo ">>> Installing $(TPM2_TSS_NAME) Ver. $(TPM2_TSS_VERSION) ....."
@cp -fa $(TPM2_TSS_BUILD_DIR)/build/lib/libtss2-esys.so* $(DESTDIR)/usr/lib
@cp -fa $(TPM2_TSS_BUILD_DIR)/build/lib/libtss2-sys.so* $(DESTDIR)/usr/lib
@cp -fa $(TPM2_TSS_BUILD_DIR)/build/lib/libtss2-mu.so* $(DESTDIR)/usr/lib
@cp -fa $(TPM2_TSS_BUILD_DIR)/build/lib/libtss2-rc.so* $(DESTDIR)/usr/lib
@cp -fa $(TPM2_TSS_BUILD_DIR)/build/lib/libtss2-tctildr.so* $(DESTDIR)/usr/lib
@cp -fa $(TPM2_TSS_BUILD_DIR)/build/lib/libtss2-tcti-device.so* $(DESTDIR)/usr/lib
$(CMD_STRIP) $(DESTDIR)/usr/lib/libtss2-esys.so*
$(CMD_STRIP) $(DESTDIR)/usr/lib/libtss2-sys.so*
$(CMD_STRIP) $(DESTDIR)/usr/lib/libtss2-mu.so*
$(CMD_STRIP) $(DESTDIR)/usr/lib/libtss2-rc.so*
$(CMD_STRIP) $(DESTDIR)/usr/lib/libtss2-tctildr.so*
$(CMD_STRIP) $(DESTDIR)/usr/lib/libtss2-tcti-device.so*
5. ########### tpm2-tools Makefile ###########
TPM2_TOOLS_NAME = tpm2-tools
TPM2_TOOLS_VERSION = 5.7
TPM2_TOOLS_SRC_DIR = $(SOURCE_DIR)/$(TPM2_TOOLS_NAME)-$(TPM2_TOOLS_VERSION)
TPM2_TOOLS_BUILD_DIR = $(OBJS_DIR)/$(TPM2_TOOLS_NAME)-$(TPM2_TOOLS_VERSION)
TPM2_TOOLS_CFLAGS = -I$(STAGING_DIR)/tpm2-tss/include -Os
TPM2_TOOLS_LDFLAGS = -Wl,-rpath-link,$(STAGING_DIR)/lib -Wl,-rpath-link,$(STAGING_DIR)/usr/lib
TPM2_TOOLS_CONFIGURE = --build=$(HOST_TOOLCHIN) --host=$(TOOLCHAIN)
TPM2_TOOLS_CONFIGURE += --build=x86_64-unknown-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
TPM2_TOOLS_CONFIGURE += PKG_CONFIG_PATH="$(STAGING_DIR)/usr/lib/pkgconfig"
TPM2_TOOLS_DEPENDENCIES = tpm2-tss
tpm2-tools-source:
@echo ">>> Checkout $(TPM2_TOOLS_NAME) Ver. $(TPM2_TOOLS_VERSION) ....."
tpm2-tools-update: tpm2-tools-source
@echo ">>> Updating $(TPM2_TOOLS_NAME) Ver. $(TPM2_TOOLS_VERSION) ....."
@$(CMD_MKDIR) -p $(TPM2_TOOLS_BUILD_DIR)
tpm2-tools: tpm2-tools-update
echo tpm2-tools >> $(COMPLETE_FILE)
@echo ">>> Building $(TPM2_TOOLS_NAME) Ver. $(TPM2_TOOLS_VERSION) ....."
@[ -f $(TPM2_TOOLS_BUILD_DIR)/Makefile ] || (cd $(TPM2_TOOLS_BUILD_DIR) && $(TPM2_TOOLS_SRC_DIR)/configure $(TPM2_TOOLS_CONFIGURE) \
CFLAGS='$(TPM2_TOOLS_CFLAGS)' CXXFLAGS='$(TPM2_TOOLS_CFLAGS)' LDFLAGS='$(TPM2_TOOLS_LDFLAGS)')
@[ -f $(TPM2_TOOLS_BUILD_DIR)/build/bin/tpm2 ] || $(MAKE) -C $(TPM2_TOOLS_BUILD_DIR) install
tpm2-tools-install: tpm2-tools
@echo ">>> Installing $(TPM2_TOOLS_NAME) Ver. $(TPM2_TOOLS_VERSION) ....."
@[ -d $(DESTDIR)/usr/bin ] || $(CMD_INSTALL) -m 755 -d $(DESTDIR)/usr/bin
@cp -af $(TPM2_TOOLS_BUILD_DIR)/build/bin/tpm2 $(DESTDIR)/usr/bin
@cp -af $(TPM2_TOOLS_BUILD_DIR)/build/bin/tpm2_create $(DESTDIR)/usr/bin
@cp -af $(TPM2_TOOLS_BUILD_DIR)/build/bin/tpm2_createprimary $(DESTDIR)/usr/bin
@cp -af $(TPM2_TOOLS_BUILD_DIR)/build/bin/tpm2_evictcontrol $(DESTDIR)/usr/bin
@cp -af $(TPM2_TOOLS_BUILD_DIR)/build/bin/tpm2_load $(DESTDIR)/usr/bin
@cp -af $(TPM2_TOOLS_BUILD_DIR)/build/bin/tpm2_sign $(DESTDIR)/usr/bin
@cp -af $(TPM2_TOOLS_BUILD_DIR)/build/bin/tpm2_verifysignature $(DESTDIR)/usr/bin
$(TOOLCHAIN_CMD_STRIP) $(DESTDIR)/usr/bin/tpm2
6.
# Create the primary key context (temporarily save to /tmp)
tpm2_createprimary -C e -g sha256 -G rsa -c ./tmp/primary.ctx
# Generate the signing key pair (temporarily save to ./tmp)
tpm2_create -C ./tmp/primary.ctx -g sha256 -G rsa -u ./tmp/key.pub -r ./tmp/key.priv
# Load the key and generate the execution context (temporarily save to ./tmp)
tpm2_load -C ./tmp/primary.ctx -u ./tmp/key.pub -r ./tmp/key.priv -c ./tmp/key.ctx
# Pin the key 0x81010001 becomes a permanent hardware stamp for this machine.
tpm2_evictcontrol -C o -c ./tmp/key.ctx 0x81010001
# Cleanup (option)
rm -f ./tmp/primary.ctx ./tmp/key.pub ./tmp/key.priv ./tmp/key.ctx
tpm2_sign -c 0x81010001 -g sha256 -o build_kernel.sh.sig build_kernel.sh
tpm2_verifysignature -c 0x81010001 -g sha256 -s build_kernel.sh.sig -m build_kernel.sh
echo $? #(return 0 is ok)
7. process flow
Private Key and Public Key (Hardware Seal): 0x81010001 sealed inside the TPM chip
Original File ./tmp/cmd.txt
The front-end calls the 0x81010001 (private key) inside the TPM to "seal" this file.
After TPM calculation, a signature file is output: ./tmp/cmd.sig(original file)
~situation1
./tmp/cmd.txt + key.pub (internal TPM on the chip) + ./tmp/cmd.sig(original file). fingerprint alignment is verified using TPM, result: Correct
~situation2
./tmp/cmd.txt (manually modified) + key.pub (internal TPM on the chip) + ./tmp/cmd.sig. Fingerprint alignment is not verified using TPM, result: Incorrect
~situation3
./tmp/cmd.txt + key.pub (internal TPM on the chip) + ./tmp/cmd.sig (manually modified) is not mathematically calculated: ./tmp/sig.dat, result: Incorrect
~situation4
./tmp/cmd.txt (manually modified) + key.pub (internal TPM on the chip) + ./tmp/cmd.sig (manually modified). Fingerprint alignment is not verified using TPM, result: Incorrect. The result of `./tmp/sig.dat` is incorrect; it wasn't calculated mathematically.
沒有留言:
張貼留言