Difference between revisions of "StarlingX/Distro/tpm-verify"
Revisions compared: Zhaohedong (talk | contribs) (→TPM test guide) and Ghada.khalil (talk | contribs); 4 intermediate revisions by 3 users not shown.
Latest revision as of 14:43, 27 October 2021
TPM test guide
October 2021 PTG: This project is no longer active
Team Information
- Project Lead: zhaos <zhaos@neusoft.com>
- Technical Lead:
- Contributors: chen.dq <chen.dq@neusoft.com>; fuyong <fuyong@neusoft.com>;
Team Objective / Priorities
Introduction to using tpm2-tools in StarlingX
Hardware Requirement
TPM hardware device support
Preparation Environment
- Check that TPM 2.0 is enabled in the BIOS
- [Security] -> TPM2 enabled
- Check that the tpm driver has loaded correctly
$ dmesg | grep tpm
- Service startup
$ systemctl start tpm2-abrmd.service
Test Environment
- Linux localhost 4.18.0-147.3.1.el8_1.1.tis.x86_64 #1 SMP PREEMPT Thu Mar 12 04:19:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
- Linux localhost 4.18.0-147.3.1.rt24.96.el8.tis.3.x86_64 #1 SMP PREEMPT RT Thu Mar 12 09:04:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Encrypt / Decrypt
- Set TPM-related passwords
- To take ownership with "ownerpass" as the owner password, "endorsepass" as the endorsement password and "lockpass" as the lockout password:
$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
- Create a Primary Object
- Create a Primary Object in the endorsement hierarchy, with objectpass as the object password, RSA keys and the SHA256 name hash algorithm, and the object context saved in the file po.ctx.
$ tpm2_createprimary -H e -K objectpass -g 0x000b -G 0x0001 -C po.ctx -P endorsepass
- Create an RSA key under the previous primary key
- Create an RSA key under the previous primary key, with subobjectpass as the object password and the SHA256 name hash algorithm, with the public portion saved in key.pub and the private portion saved in key.priv.
$ tpm2_create -c po.ctx -P objectpass -K subobjectpass -g 0x000b -G 0x0001 -u key.pub -r key.priv
- Load the created RSA key
$ tpm2_load -c po.ctx -P objectpass -u key.pub -r key.priv -n key.name -C obj.ctx
- Encrypt with the RSA key
$ tpm2_rsaencrypt -c obj.ctx -o data.encrypt data.in
- Decrypt with the RSA key
$ tpm2_rsadecrypt -c obj.ctx -P subobjectpass -I data.encrypt -o data.out
- Results
The contents of data.out should be identical to data.in.
Signature / Verify Signature
- Sign data with the RSA key
- Sign data with the RSA key, using SHA256 as the hash algorithm.
$ tpm2_sign -c obj.ctx -P subobjectpass -g 0x000b -m msg.in -s sig.out
- Verify the signature with the RSA key
$ tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig
- Results
Signature verification succeeds.
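The steps above, from the preparation checks through the sign/verify round trip, chained into one script with the result checks the guide states. This is an added example, not part of the StarlingX wiki page or of tpm2-tools; it assumes the tpm2-tools 3.x command line used on the page (tpm2_takeownership, -H, -K, hex algorithm ids) and a TPM exposed as /dev/tpm0 (the device-node check is an addition). The passwords default to the page's values but are read from the environment so they need not be typed literally on a command line, where they end up in shell history and are visible to other users via ps. The sample data.in and msg.in contents are constructed.

```shell
#!/bin/sh
# Added example: the wiki's tpm2-tools 3.x flow end to end with its stated
# result checks. Not part of the StarlingX wiki page or of tpm2-tools.
set -eu

# Page passwords as defaults only; override via the environment so the literal
# secrets are not typed on the command line (shell history, `ps`).
OWNERPASS="${OWNERPASS:-ownerpass}"
ENDORSEPASS="${ENDORSEPASS:-endorsepass}"
LOCKPASS="${LOCKPASS:-lockpass}"
OBJECTPASS="${OBJECTPASS:-objectpass}"
SUBOBJECTPASS="${SUBOBJECTPASS:-subobjectpass}"

# Preparation check from the page (`dmesg | grep tpm`): reads kernel log text
# on stdin so it works on live `dmesg` output or on a saved log file.
tpm_driver_loaded() {
    grep -q 'tpm'
}

# Result check from the page: the decrypted file must be byte-identical to the input.
files_identical() {
    cmp -s "$1" "$2"
}

# Preparation: driver logged, device node present (added check; assumes
# /dev/tpm0), resource manager service started.
prepare() {
    dmesg | tpm_driver_loaded || { echo "tpm driver not loaded" >&2; return 1; }
    [ -c /dev/tpm0 ] || { echo "/dev/tpm0 missing" >&2; return 1; }
    systemctl start tpm2-abrmd.service
}

# Encrypt / Decrypt section: take ownership, primary object in the endorsement
# hierarchy, RSA child key, load it, encrypt and decrypt, then compare.
encrypt_decrypt() {
    tpm2_takeownership -o "$OWNERPASS" -e "$ENDORSEPASS" -l "$LOCKPASS"
    tpm2_createprimary -H e -K "$OBJECTPASS" -g 0x000b -G 0x0001 -C po.ctx -P "$ENDORSEPASS"
    tpm2_create -c po.ctx -P "$OBJECTPASS" -K "$SUBOBJECTPASS" -g 0x000b -G 0x0001 -u key.pub -r key.priv
    tpm2_load -c po.ctx -P "$OBJECTPASS" -u key.pub -r key.priv -n key.name -C obj.ctx
    tpm2_rsaencrypt -c obj.ctx -o data.encrypt data.in
    tpm2_rsadecrypt -c obj.ctx -P "$SUBOBJECTPASS" -I data.encrypt -o data.out
    files_identical data.in data.out
}

# Signature / Verify Signature section: tpm2_verifysignature exits non-zero on
# a bad signature, so `set -e` turns a failed verification into a script failure.
sign_verify() {
    tpm2_sign -c obj.ctx -P "$SUBOBJECTPASS" -g 0x000b -m msg.in -s sig.out
    tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig
}

# Run the whole guide only when invoked as `sh tpm_verify.sh run`; merely
# defining the functions has no side effects, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    printf 'plaintext for the encrypt/decrypt round trip\n' > data.in   # constructed sample input
    printf 'message to be signed\n' > msg.in                            # constructed sample input
    prepare
    encrypt_decrypt && echo "encrypt/decrypt: data.out identical to data.in"
    sign_verify && echo "sign/verify: signature verification success"
fi
```

Run it on the StarlingX host as root (`dmesg` and the TPM device need it) with `sh tpm_verify.sh run`; any failing tpm2 command or a mismatch between data.in and data.out stops the script with a non-zero exit, which is what you want from a test guide rather than a silent "success" message.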