Difference between revisions of "StarlingX/Distro/tpm-verify"

Revision as of 09:40, 20 March 2020

TPM test guide

Team Information

  • Project Lead: zhaos <zhaos@neusoft.com>
  • Technical Lead:
  • Contributors: chen.dq <chen.dq@neusoft.com>; fuyong <fuyong@neusoft.com>;

Team Objective / Priorities

Introduction to using tpm2-tools in StarlingX.

Hardware Requirement

TPM hardware device support

Preparation Environment

  • Check that TPM 2.0 is enabled in the BIOS
    • [Security] -> TPM2 enabled
  • Check that the TPM driver has loaded correctly
  $ dmesg | grep tpm
  • Start the TPM2 access broker / resource manager service
  $ systemctl start tpm2-abrmd.service

Encrypt / Decrypt

  • Set the TPM related passwords
    • Take ownership with "ownerpass" as the owner password, "endorsepass" as the endorsement password and "lockpass" as the lockout password:
  $ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
  • Create a primary object
    • Create a primary object in the endorsement hierarchy, with objectpass as the object password, RSA keys and SHA256 as the name hash algorithm, saving the object context in the file po.ctx:
  $ tpm2_createprimary -H e -K objectpass -g 0x000b -G 0x0001 -C po.ctx -P endorsepass
  • Create an RSA key under the previous primary key
    • Create an RSA key under the previous primary key, with subobjectpass as the object password and SHA256 as the name hash algorithm, saving the public portion in key.pub and the private portion in key.priv:
  $ tpm2_create -c po.ctx -P objectpass -K subobjectpass -g 0x000b -G 0x0001 -u key.pub -r key.priv
  • Load the created RSA key
  $ tpm2_load -c po.ctx -P objectpass -u key.pub -r key.priv -n key.name -C obj.ctx
  • Encrypt with the RSA key
  $ tpm2_rsaencrypt -c obj.ctx -o data.encrypted data.in
  • Decrypt with the RSA key
  $ tpm2_rsadecrypt -c obj.ctx -P subobjectpass -I data.encrypted -o data.out
  • Results
  The contents of data.out should be identical to data.in.

Signature / Verify Signature

  • Sign data with the RSA key
    • Sign data with the RSA key, using SHA256 as the hash algorithm:
  $ tpm2_sign -c obj.ctx -P subobjectpass -g 0x000b -m msg.in -s sig.out
  • Verify the signature with the RSA key
  $ tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig
  • Results
  Signature verification succeeds.
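The Encrypt / Decrypt and Signature / Verify Signature sequences above, wrapped in a script that checks each step rather than relying on reading the output by eye. This is an added example and not part of the StarlingX wiki page; it assumes tpm2-tools 3.x (the tpm2_takeownership command line used in the guide), a running tpm2-abrmd, and the guide's passwords and file names, with data.in and msg.in already present in the working directory.

```shell
#!/bin/sh
# Added example, not part of the StarlingX wiki page: runs the guide's
# Encrypt/Decrypt and Signature/Verify sequences end to end, stopping at
# the first failing step. Assumes tpm2-tools 3.x (tpm2_takeownership era),
# a running tpm2-abrmd, and the guide's passwords and file names.
set -eu

# Preparation Environment: driver probed a device, resource manager is up.
preflight() {
    dmesg | grep -qi tpm || { echo "no TPM messages in dmesg" >&2; return 1; }
    systemctl is-active --quiet tpm2-abrmd.service || systemctl start tpm2-abrmd.service
}

# Pass/fail criterion for the decrypt step: data.out must equal data.in byte
# for byte. Returns 0 when identical, 1 otherwise (pure, needs no TPM).
check_roundtrip() {
    cmp -s "$1" "$2"
}

# Ownership, primary object in the endorsement hierarchy, RSA child key, load.
setup_keys() {
    tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
    tpm2_createprimary -H e -K objectpass -g 0x000b -G 0x0001 -C po.ctx -P endorsepass
    tpm2_create -c po.ctx -P objectpass -K subobjectpass -g 0x000b -G 0x0001 -u key.pub -r key.priv
    tpm2_load -c po.ctx -P objectpass -u key.pub -r key.priv -n key.name -C obj.ctx
}

# Encrypt with the public part, decrypt with the private part held in the TPM.
encrypt_decrypt_test() {
    tpm2_rsaencrypt -c obj.ctx -o data.encrypted data.in
    tpm2_rsadecrypt -c obj.ctx -P subobjectpass -I data.encrypted -o data.out
    check_roundtrip data.in data.out
}

# Sign and verify, then confirm that a one-byte change to the message no
# longer verifies; a verifier that accepts the altered message is misconfigured.
sign_verify_test() {
    tpm2_sign -c obj.ctx -P subobjectpass -g 0x000b -m msg.in -s sig.out
    tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig
    [ -s tk.sig ] || { echo "no validation ticket written" >&2; return 1; }
    { cat msg.in; printf 'x'; } > msg.tampered
    if tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.tampered -s sig.out -t tk.bad 2>/dev/null; then
        echo "signature verified on a modified message" >&2; return 1
    fi
}

# Runs the full sequence only when invoked as: sh tpm-verify.sh run
if [ "${1:-}" = run ]; then
    preflight; setup_keys; encrypt_decrypt_test; sign_verify_test
    echo "all TPM checks passed"
fi
```

With set -e in effect, the script exits non-zero at the first tpm2_* command that fails, so a wrong password or a missing context file is reported at the step that caused it rather than as a confusing later error.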