Difference between revisions of "StarlingX/Distro/tpm-verify"

Latest revision as of 14:43, 27 October 2021

TPM test guide

October 2021 PTG: This project is no longer active

Team Information

  • Project Lead: zhaos <zhaos@neusoft.com>
  • Technical Lead:
  • Contributors: chen.dq <chen.dq@neusoft.com>; fuyong <fuyong@neusoft.com>;

Team Objective / Priorities

Introduction to using tpm2-tools in StarlingX: take ownership of the TPM, create an RSA key under a primary key, and check the key with an encrypt/decrypt round trip and a sign/verify round trip.

Hardware Requirement

TPM hardware device support: a TPM 2.0 device (discrete or firmware) that the kernel exposes as /dev/tpm0. The commands below use the TPM 2.0 command set and do not work with a TPM 1.2.

Preparation Environment

  • Check that TPM 2.0 is enabled in the BIOS/UEFI setup
    • [Security] -> TPM2 enabled
  • Check that the TPM driver has been loaded correctly (expect a tpm_tis or tpm_crb line, and the device node /dev/tpm0 should exist)
  $ dmesg | grep tpm
  • Start the TPM2 access broker / resource manager that the tpm2_* commands below connect through; confirm with systemctl status that it is active before continuing
  $ systemctl start tpm2-abrmd.service

Test Environment

  • Linux localhost 4.18.0-147.3.1.el8_1.1.tis.x86_64 #1 SMP PREEMPT Thu Mar 12 04:19:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  • Linux localhost 4.18.0-147.3.1.rt24.96.el8.tis.3.x86_64 #1 SMP PREEMPT RT Thu Mar 12 09:04:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Encrypt / Decrypt

  • Set the TPM hierarchy passwords
    • Take ownership with "ownerpass" as the owner (storage hierarchy) password, "endorsepass" as the endorsement hierarchy password and "lockpass" as the lockout password. These authorization values are stored persistently in the TPM, so record them: the later commands and any later reset of the TPM need them. The passwords are passed on the command line, so they end up in shell history and are visible in the process list while the command runs.
  $ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
  • Create a primary object
    • Create a primary object in the endorsement hierarchy (-H e, authorized with endorsepass), with objectpass as the object password, RSA as the key algorithm (-G 0x0001) and SHA-256 as the name hash algorithm (-g 0x000b), with the object context saved in the file po.ctx. The hex algorithm IDs and the -H/-K/-C option letters are tpm2-tools 3.x syntax; tpm2-tools 4.x and later renamed the options (and replaced tpm2_takeownership with tpm2_changeauth) and accept algorithm names such as rsa and sha256.
  $ tpm2_createprimary -H e -K objectpass -g 0x000b -G 0x0001 -C po.ctx -P endorsepass
  • Create an RSA key under the previous primary key
    • Create an RSA key under the previous primary key, authorizing with the parent's password objectpass, with subobjectpass as the new key's password and SHA-256 as its name hash algorithm; the public portion is saved in key.pub and the private portion, wrapped by the parent so it is only usable through this TPM, in key.priv.
  $ tpm2_create -c po.ctx -P objectpass -K subobjectpass -g 0x000b -G 0x0001 -u key.pub -r key.priv
  • Load the created RSA key
    • Loading needs the parent's password (objectpass); the loaded key's context is saved in obj.ctx and its name in key.name.
  $ tpm2_load -c po.ctx -P objectpass -u key.pub -r key.priv -n key.name -C obj.ctx
  • Encrypt with the RSA key
    • Encryption uses only the public portion, so no password is required. data.in must fit in one RSA block: the limit is the modulus size minus the padding overhead, e.g. at most 245 bytes for a 2048-bit key with PKCS#1 v1.5 (RSAES) padding, or 190 bytes with OAEP-SHA256.
  $ tpm2_rsaencrypt -c obj.ctx -o data.encrypt data.in
  • Decrypt with the RSA key
    • Decryption is the private-key operation, so the key's own password (subobjectpass) is required.
  $ tpm2_rsadecrypt -c obj.ctx -P subobjectpass -I data.encrypt -o data.out
  • Results
  Contents in data.out should be identical to data.in; compare the two files byte for byte rather than by eye.

Signature / Verify Signature

  • Sign data with the RSA key
    • Sign msg.in with the RSA key, authorizing with subobjectpass and using SHA-256 (-g 0x000b) as the hash algorithm; the tool hashes the message and the TPM signs the digest, writing the signature to sig.out.
  $ tpm2_sign -c obj.ctx -P subobjectpass -g 0x000b -m msg.in -s sig.out
  • Verify the signature with the RSA key
    • Verification uses only the public portion, so no password is required; the hash algorithm must match the one used for signing. tk.sig receives the TPM's validation ticket.
  $ tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig
  • Results
  Signature verification succeeds. As a negative check, verifying the same signature against a modified copy of msg.in, or with a different -g value, must fail.
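The Encrypt / Decrypt and Signature / Verify Signature procedures above, scripted end to end as one added example. This script is not part of the original page or of StarlingX. It assumes the tpm2-tools 3.x option syntax shown on the page, a running tpm2-abrmd, and that tpm2_takeownership has already been run with the page's passwords; the ENDPASS/OBJPASS/SUBPASS variables and the tpm_ready, files_match, tamper_copy and run_checks functions are this script's own names. It adds what the page leaves to the reader: a readiness check, random test input, a byte-for-byte round-trip comparison, and a negative check that the signature does not verify against a tampered copy of the message.

```shell
#!/bin/sh
# tpm-verify.sh: added example scripting the page's Encrypt/Decrypt and Sign/Verify checks.
# Assumptions (not stated on the page): tpm2-tools 3.x option syntax, tpm2-abrmd running,
# and the hierarchy/object passwords already set with tpm2_takeownership as on the page.
set -eu

ENDPASS=${ENDPASS:-endorsepass}     # endorsement hierarchy auth (page: endorsepass)
OBJPASS=${OBJPASS:-objectpass}      # primary object auth (page: objectpass)
SUBPASS=${SUBPASS:-subobjectpass}   # RSA key auth (page: subobjectpass)
SHA256=0x000b                       # TPM_ALG_SHA256, as the page writes it
RSA=0x0001                          # TPM_ALG_RSA, as the page writes it

# Preconditions the page checks by hand: device node, tools installed, resource manager up.
tpm_ready() {
    { [ -c /dev/tpm0 ] || [ -c /dev/tpmrm0 ]; } || return 1
    command -v tpm2_createprimary >/dev/null 2>&1 || return 1
    systemctl is-active --quiet tpm2-abrmd.service 2>/dev/null
}

# files_match A B: succeeds only if both files exist, are non-empty and byte-identical.
files_match() {
    [ -s "$1" ] && [ -s "$2" ] && cmp -s "$1" "$2"
}

# tamper_copy SRC DST: copy SRC to DST with its first byte changed (+1 mod 256), same length.
# Used for the negative check: a signature over SRC must not verify against DST.
tamper_copy() {
    [ -s "$1" ] || return 1
    first=$(od -An -tu1 -N1 "$1" | tr -d ' ')
    printf "\\$(printf '%03o' $(( (first + 1) % 256 )))" > "$2"
    tail -c +2 "$1" >> "$2"
}

run_checks() {
    work=$(mktemp -d) && cd "$work"
    umask 077                             # key.priv and context files readable by this user only
    head -c 64 /dev/urandom > data.in     # well under the 245-byte limit of a 2048-bit RSAES block
    head -c 4096 /dev/urandom > msg.in    # signing hashes the message first, so any size is fine

    tpm2_createprimary -H e -K "$OBJPASS" -g $SHA256 -G $RSA -C po.ctx -P "$ENDPASS"
    tpm2_create -c po.ctx -P "$OBJPASS" -K "$SUBPASS" -g $SHA256 -G $RSA -u key.pub -r key.priv
    tpm2_load -c po.ctx -P "$OBJPASS" -u key.pub -r key.priv -n key.name -C obj.ctx

    # Encrypt needs only the public half (no auth); decrypt is the private-key operation.
    tpm2_rsaencrypt -c obj.ctx -o data.encrypt data.in
    tpm2_rsadecrypt -c obj.ctx -P "$SUBPASS" -I data.encrypt -o data.out
    files_match data.in data.out || { echo "FAIL: decrypt did not reproduce data.in" >&2; return 1; }

    tpm2_sign -c obj.ctx -P "$SUBPASS" -g $SHA256 -m msg.in -s sig.out
    tpm2_verifysignature -c obj.ctx -g $SHA256 -m msg.in -s sig.out -t tk.sig
    # Negative check: one changed byte in the message must make verification fail.
    tamper_copy msg.in msg.bad
    if tpm2_verifysignature -c obj.ctx -g $SHA256 -m msg.bad -s sig.out -t tk.bad 2>/dev/null; then
        echo "FAIL: signature verified against a tampered message" >&2; return 1
    fi
    echo "PASS: encrypt/decrypt and sign/verify round trips OK (artifacts in $work)"
}

# The TPM workflow runs only when asked ("sh tpm-verify.sh run"), so the helpers
# above can be sourced and exercised on a machine without a TPM.
if [ "${1:-}" = run ]; then
    tpm_ready || { echo "TPM not ready: check 'dmesg | grep tpm' and tpm2-abrmd" >&2; exit 2; }
    run_checks
fi
```

Run it as `sh tpm-verify.sh run` on the target after the Preparation Environment steps; it exits 2 if the device or tpm2-abrmd is not ready and 1 if either round trip fails. The passwords still travel as option values, as the page's 3.x syntax requires, so run it in a session whose shell history is not kept.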