StarlingX/Distro/tpm-verify

= TPM test guide =

October 2021 PTG: This project is no longer active

Team Information

 * Project Lead: zhaos 
 * Technical Lead:
 * Contributors: chen.dq ; fuyong ;

Team Objective / Priorities
Introduction to using tpm2-tools on StarlingX: verify that a TPM 2.0 device can be used for encryption/decryption and signing/verification.

Hardware Requirement
A host with a TPM 2.0 hardware device.

Preparation Environment
 * Check that TPM 2.0 is enabled in the BIOS: [Security] -> TPM2 enabled
 * Check that the tpm driver has been loaded correctly (the kernel should report a 2.0 TPM device):
 $ dmesg | grep tpm
 * Start the TPM2 access broker / resource manager service used by tpm2-tools:
 $ systemctl start tpm2-abrmd.service

Test Environment

 * Linux localhost 4.18.0-147.3.1.el8_1.1.tis.x86_64 #1 SMP PREEMPT Thu Mar 12 04:19:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 * Linux localhost 4.18.0-147.3.1.rt24.96.el8.tis.3.x86_64 #1 SMP PREEMPT RT Thu Mar 12 09:04:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Encrypt / Decrypt
 * Set TPM related passwords
 Take ownership with "ownerpass" as the owner password, "endorsepass" as the endorsement password and "lockpass" as the lockout password:
 $ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
 * Create a Primary Object
 Create a Primary Object in the endorsement hierarchy (authorized with endorsepass), with objectpass as the object password, RSA key type (-G 0x0001) and SHA256 name hash algorithm (-g 0x000b), with the object context saved in file po.ctx:
 $ tpm2_createprimary -H e -K objectpass -g 0x000b -G 0x0001 -C po.ctx -P endorsepass
 * Create an RSA key under the previous primary key
 Create an RSA key under the previous primary key, with subobjectpass as the object password and SHA256 as the name hash algorithm, with the public portion saved in key.pub and the private portion (wrapped by the primary key, so it is not usable outside this TPM) saved in key.priv:
 $ tpm2_create -c po.ctx -P objectpass -K subobjectpass -g 0x000b -G 0x0001 -u key.pub -r key.priv
 * Load the created RSA key
 Load the key under the primary object (authorized with objectpass), saving its name in key.name and its context in obj.ctx:
 $ tpm2_load -c po.ctx -P objectpass -u key.pub -r key.priv -n key.name -C obj.ctx
 * Encrypt with RSA key
 Encryption uses only the public portion, so no key password is needed:
 $ tpm2_rsaencrypt -c obj.ctx -o data.encrypt data.in
 * Decrypt with RSA key
 Decryption uses the private portion and therefore requires the key's password:
 $ tpm2_rsadecrypt -c obj.ctx -P subobjectpass -I data.encrypt -o data.out
 * Results
 Contents of data.out should be identical to data.in.

Signature / Verify Signature
 * Sign data with the RSA key
 Sign msg.in with the loaded RSA key, using SHA256 as the hash algorithm, and write the signature to sig.out (the private portion is used, so the key password is required):
 $ tpm2_sign -c obj.ctx -P subobjectpass -g 0x000b -m msg.in -s sig.out
 * Verify the signature with the RSA key
 Verification uses only the public portion, so no password is needed; the TPM's validation ticket is written to tk.sig:
 $ tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig
 * Results
 Signature verification success.
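The preparation, encrypt/decrypt and sign/verify steps above are easier to run repeatably as one script that stops on the first failing command and checks the results instead of comparing files by eye. The script below is an added example, not part of the StarlingX wiki page or the tpm2-tools project; it reuses the tpm2-tools 3.x command lines, passwords and file names from this page. The work directory, the test inputs (data.in, msg.in) and the helper names (tpm2_in_dmesg, same_contents, encrypt_decrypt, sign_verify) are assumptions. It also adds two checks the page does not perform: the ciphertext must differ from the plaintext, and a modified message must fail verification.

```shell
#!/bin/sh
# Added example (not from the StarlingX page): runs the page's tpm2-tools 3.x
# procedure end to end with result checks. Assumes a cleared TPM (no owner
# password set yet) and tpm2-abrmd installed. Passwords given on the command
# line are visible in shell history and in `ps`, so use this only on a test host.
set -eu

OWNER_PASS=ownerpass          # values taken from the page; assumptions for real use
ENDORSE_PASS=endorsepass
LOCKOUT_PASS=lockpass
OBJECT_PASS=objectpass
SUBOBJECT_PASS=subobjectpass

# Read dmesg output on stdin; return 0 if the kernel reported a TPM 2.0 device.
# tpm_tis logs "tpm_tis 00:00: 2.0 TPM (device-id ..., rev-id ...)", so the
# "2.0 TPM" marker distinguishes a 2.0 device from a 1.2 one.
tpm2_in_dmesg() {
    grep -q '2\.0 TPM'
}

# Return 0 when the two files have identical contents (the page's
# "data.out should be identical to data.in" check), non-zero otherwise.
same_contents() {
    cmp -s "$1" "$2"
}

# Preparation Environment: driver loaded, resource manager running.
prepare() {
    dmesg | tpm2_in_dmesg || { echo "no TPM 2.0 device reported in dmesg" >&2; return 1; }
    systemctl start tpm2-abrmd.service
}

# Encrypt / Decrypt section, run in the work directory given as $1.
encrypt_decrypt() {
    cd "$1"
    tpm2_takeownership -o "$OWNER_PASS" -e "$ENDORSE_PASS" -l "$LOCKOUT_PASS"
    tpm2_createprimary -H e -K "$OBJECT_PASS" -g 0x000b -G 0x0001 -C po.ctx -P "$ENDORSE_PASS"
    tpm2_create -c po.ctx -P "$OBJECT_PASS" -K "$SUBOBJECT_PASS" -g 0x000b -G 0x0001 -u key.pub -r key.priv
    tpm2_load -c po.ctx -P "$OBJECT_PASS" -u key.pub -r key.priv -n key.name -C obj.ctx
    printf 'hello tpm\n' > data.in        # constructed test input (short: RSA-encrypted directly)
    tpm2_rsaencrypt -c obj.ctx -o data.encrypt data.in
    tpm2_rsadecrypt -c obj.ctx -P "$SUBOBJECT_PASS" -I data.encrypt -o data.out
    same_contents data.in data.out || { echo "data.out differs from data.in" >&2; return 1; }
    if same_contents data.in data.encrypt; then
        echo "data.encrypt equals the plaintext; encryption did not happen" >&2; return 1
    fi
    echo "encrypt/decrypt OK"
}

# Signature / Verify Signature section, run in the same work directory ($1)
# because it needs the obj.ctx produced by encrypt_decrypt.
sign_verify() {
    cd "$1"
    printf 'message to sign\n' > msg.in   # constructed test input
    tpm2_sign -c obj.ctx -P "$SUBOBJECT_PASS" -g 0x000b -m msg.in -s sig.out
    tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig
    # Negative check: a tampered message must not verify against the same signature.
    printf 'message to sign!\n' > msg.tampered
    if tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.tampered -s sig.out -t tk.tampered 2>/dev/null; then
        echo "tampered message verified; signature check is broken" >&2; return 1
    fi
    echo "sign/verify OK"
}

# The TPM steps only run when invoked as "sh tpm-verify.sh run", so the
# helper functions can be exercised without a TPM present.
if [ "${1:-}" = run ]; then
    WORKDIR=$(mktemp -d)
    prepare
    encrypt_decrypt "$WORKDIR"
    sign_verify "$WORKDIR"
fi
```

Run it on the StarlingX host as root with the argument run; every tpm2_* failure aborts the script because of set -e, and the two extra checks catch a tool that silently copies its input or a verifysignature that accepts any message.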