Difference between revisions of "StarlingX/Distro/tpm-verify"
Revision by Zhaohedong (talk | contribs), section TPM test guide
Revision as of 09:09, 20 March 2020
TPM test guide
Team Information
- Project Lead: zhaos <zhaos@neusoft.com>
- Technical Lead:
- Contributors: chen.dq <chen.dq@neusoft.com>; fuyong <fuyong@neusoft.com>;
Team Objective / Priorities
Introduction to using tpm2-tools on StarlingX. The commands below use the tpm2-tools 3.x option syntax; later tpm2-tools releases renamed several options (for example, tpm2_takeownership was replaced by tpm2_changeauth), so check the --help output of each tool on the target system.
Hardware Requirement
A TPM 2.0 hardware device. The tpm2-tools commands below require TPM 2.0; a TPM 1.2 module will not work with them.
Preparation Environment
- Turn on the TPM in the BIOS
- [Security] -> TPM2 enabled
- Check that the TPM driver has loaded correctly; the kernel should also have created /dev/tpm0 (and /dev/tpmrm0 on kernels with the in-kernel resource manager)
$ dmesg | grep tpm
- Start the access broker and resource manager daemon (tpm2-abrmd), which the tpm2_* tools connect to by default
$ systemctl start tpm2-abrmd.service
Encrypt / Decrypt
- Set the TPM hierarchy passwords
- Take ownership with "ownerpass" as the owner password, "endorsepass" as the endorsement password and "lockpass" as the lockout password. These are placeholders: passwords given on the command line are visible in the process list and in shell history, so use throwaway values on a test system. Keep the lockout password, since it is needed to reset the dictionary-attack lockout after too many failed authorizations:
$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
- Create a Primary Object
- Create a Primary Object in the endorsement hierarchy, with objectpass as the object password, RSA (0x0001) as the key algorithm and SHA256 (0x000b) as the name hash algorithm, saving the object context in po.ctx. The endorsement password set in the previous step is passed with -P. A primary key is derived from the hierarchy seed and the template, so the same parameters regenerate the same key on this TPM.
$ tpm2_createprimary -H e -K objectpass -g 0x000b -G 0x0001 -C po.ctx -P endorsepass
- Create an RSA key under the previous primary key
- Create an RSA key under the previous primary key, with subobjectpass as the object password and SHA256 as the name hash algorithm, saving the public portion in key.pub and the private portion in key.priv. The private portion is wrapped by the parent key, so key.priv can only be loaded under the same primary object on this TPM.
$ tpm2_create -c po.ctx -P objectpass -K subobjectpass -g 0x000b -G 0x0001 -u key.pub -r key.priv
- Load the created RSA key under the primary object (the parent password is needed again); the loaded key's context is saved in obj.ctx and its name in key.name
$ tpm2_load -c po.ctx -P objectpass -u key.pub -r key.priv -n key.name -C obj.ctx
- Encrypt with the RSA key. The input must fit in one RSA block: with the default RSAES (PKCS#1 v1.5) padding and a 2048-bit key that is at most 245 bytes. For larger data, encrypt it with a symmetric key and use the RSA key only to wrap that symmetric key.
$ tpm2_rsaencrypt -c obj.ctx -o data.encrypted data.in
- Decrypt with RSA key
$ tpm2_rsadecrypt -c obj.ctx -P subobjectpass -I data.encrypted -o data.out
Signature / Verify Signature
- Sign data with the RSA key
- Sign data with the RSA key, using SHA256 as the hash algorithm: the message is hashed and the TPM signs the digest, which requires the key password since it is a private-key operation. The same key is reused here for decryption and signing for brevity; in a real deployment create separate keys for the two purposes.
$ tpm2_sign -c obj.ctx -P subobjectpass -g 0x000b -m msg.in -s sig.out
- Verify the signature with the RSA key. This uses only the public portion, so no key password is given; on success the TPM returns a validation ticket that is saved in tk.sig, and on a mismatch the command fails with a non-zero exit status.
$ tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig
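The whole procedure above (preparation checks, taking ownership, key creation, encrypt/decrypt and sign/verify), as an added example script that is not part of the StarlingX guide or of the tpm2-tools project. It keeps the page's tpm2-tools 3.x option syntax and file names, reads the passwords from environment variables instead of literals, checks that the plaintext fits in one RSA block, compares the decrypted output with the input, and confirms that the signature stops verifying once the message is altered. The environment variable names, the run argument and the sample contents of data.in and msg.in are this example's own; it assumes a TPM 2.0 whose hierarchy passwords are still unset and the tools' default 2048-bit RSA key.

```shell
#!/bin/sh
# Added example (not part of the StarlingX guide): the tpm-verify walkthrough
# as one script with preflight checks, a size guard and round-trip checks.
# Assumes tpm2-tools 3.x option syntax (as on the page), tpm2-abrmd as the
# resource manager, hierarchy passwords not yet set, and the default
# 2048-bit RSA key. The page's placeholder passwords (ownerpass, endorsepass,
# lockpass, objectpass, subobjectpass) are replaced by environment variables;
# the tools still receive them on the command line, so they remain visible in
# `ps` and shell history on a shared machine.
set -eu

# tpm2-tools 3.x takes raw TPM2 algorithm IDs; these are the two the page uses.
alg_id() {
    case "$1" in
        sha256) echo 0x000b ;;
        rsa)    echo 0x0001 ;;
        *)      echo "unsupported algorithm: $1" >&2; return 1 ;;
    esac
}

# RSAES (PKCS#1 v1.5) padding costs 11 bytes, so a key of N bits encrypts at
# most N/8-11 bytes per tpm2_rsaencrypt call (245 for 2048-bit). Anything
# larger must go through a symmetric key that the RSA key wraps.
max_rsaes_plaintext() {
    echo $(( $1 / 8 - 11 ))
}

# fits_rsaes FILE KEY_BITS: succeed only if FILE fits in one RSA block.
fits_rsaes() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$(max_rsaes_plaintext "$2")" ]
}

# Fail early, pointing at the Preparation Environment step that is missing.
tpm_preflight() {
    if [ ! -c /dev/tpmrm0 ] && [ ! -c /dev/tpm0 ]; then
        echo "no TPM device node: enable TPM2 in BIOS and check 'dmesg | grep tpm'" >&2
        return 1
    fi
    command -v tpm2_createprimary >/dev/null 2>&1 || { echo "tpm2-tools not installed" >&2; return 1; }
    systemctl is-active --quiet tpm2-abrmd.service \
        || { echo "tpm2-abrmd not running: systemctl start tpm2-abrmd.service" >&2; return 1; }
}

create_keys() {
    tpm2_takeownership -o "$OWNER_PASS" -e "$ENDORSE_PASS" -l "$LOCKOUT_PASS"
    tpm2_createprimary -H e -K "$PRIMARY_PASS" -g "$(alg_id sha256)" -G "$(alg_id rsa)" \
        -C po.ctx -P "$ENDORSE_PASS"
    tpm2_create -c po.ctx -P "$PRIMARY_PASS" -K "$KEY_PASS" -g "$(alg_id sha256)" \
        -G "$(alg_id rsa)" -u key.pub -r key.priv
    tpm2_load -c po.ctx -P "$PRIMARY_PASS" -u key.pub -r key.priv -n key.name -C obj.ctx
}

roundtrip_encrypt() {
    fits_rsaes data.in 2048 || { echo "data.in exceeds one RSA block" >&2; return 1; }
    tpm2_rsaencrypt -c obj.ctx -o data.encrypted data.in
    tpm2_rsadecrypt -c obj.ctx -P "$KEY_PASS" -I data.encrypted -o data.out
    cmp data.in data.out   # non-zero exit (and script abort) on mismatch
}

roundtrip_sign() {
    tpm2_sign -c obj.ctx -P "$KEY_PASS" -g "$(alg_id sha256)" -m msg.in -s sig.out
    tpm2_verifysignature -c obj.ctx -g "$(alg_id sha256)" -m msg.in -s sig.out -t tk.sig
    # Negative check: an altered message must not verify against the same signature.
    cp msg.in msg.tampered; printf 'x' >> msg.tampered
    if tpm2_verifysignature -c obj.ctx -g "$(alg_id sha256)" -m msg.tampered -s sig.out -t tk.bad 2>/dev/null; then
        echo "tampered message verified: signature check is broken" >&2
        return 1
    fi
}

main() {
    : "${OWNER_PASS:?}" "${ENDORSE_PASS:?}" "${LOCKOUT_PASS:?}" "${PRIMARY_PASS:?}" "${KEY_PASS:?}"
    tpm_preflight
    # Constructed sample inputs for the round trips.
    printf 'constructed sample plaintext for the tpm-verify guide\n' > data.in
    printf 'constructed sample message to sign\n' > msg.in
    create_keys
    roundtrip_encrypt
    roundtrip_sign
    echo "encrypt/decrypt and sign/verify round trips passed"
}

# The TPM steps run only on request, so the file can also be sourced for its helpers:
#   OWNER_PASS=... ENDORSE_PASS=... LOCKOUT_PASS=... PRIMARY_PASS=... KEY_PASS=... sh tpm-verify.sh run
case "${1:-}" in run) main ;; esac
```

On the StarlingX host, run it with the five password variables set and the run argument; every tpm2_* failure aborts the script because of set -e, so a clean exit means both round trips and the negative signature check passed.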