Revision as of 09:30, 20 March 2020

TPM test guide

Project Lead: zhaos <zhaos@neusoft.com>
Technical Lead:
Contributors: chen.dq <chen.dq@neusoft.com>; fuyong <fuyong@neusoft.com>;

Introduction on how to use tpm2-tools in starlingx

TPM hardware device support

  $ dmesg | grep tpm

  $ systemctl start tpm2-abrmd.service

Set TPM related password
- To take ownership with "ownerpass" as owner password, "endorsepass" as endorsement password, "lockpass" as lockout password:

   $ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass

Create a Primary Object
- Create a Primary Object in endorsement hierarchy, with objectpass as the object password, with RSA keys & SHA256 name hash algorithm, with object context saved in file po.ctx.

   $ tpm2_createprimary -H e -K objectpass -g 0x000b -G 0x0001 -C po.ctx -P endorsepass

Create a RSA key under the previous primary key
- Create a RSA key under the previous primary key, with subobjectpass as the object password, with SHA256 name hash algorithm, with public portion saved in key.pub and private portion saved in key.priv.

   $ tpm2_create -c po.ctx -P objectpass -K subobjectpass -g 0x000b -G 0x0001 -u key.pub -r key.priv

 $ tpm2_load -c po.ctx -P objectpass -u key.pub -r key.priv -n key.name -C obj.ctx

 $ tpm2_rsaencrypt -c obj.ctx -o data.encrypt data.in

 $ tpm2_rsadecrypt -c obj.ctx -P subobjectpass -I data.encrypted -o data.out

 Contents in data.out should be identical to data.in.

Sign on data with RSA key
- Sign on data with RSA key, using SHA256 as hash algorithm.

   $ tpm2_sign -c obj.ctx -P subobjectpass -g 0x000b -m msg.in -s sig.out

 $ tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig

 Signature verification success.

@@ Line 13: / Line 13: @@
 === Preparation Environment ===
-* Turn on tpm in BIOS
+* Check TPM2.0 enabled in BIOS
 ** [Security] -> TPM2 enabled
 * Check tpm driver has been loaded correctly