Hardware Requirements
- A TPM 2.0 hardware device
Environment Preparation
- Enable the TPM in the BIOS: Security -> TPM2 enabled
- Check hardware and software support for the TPM
hardware: dmesg | grep tpm (the kernel must report a 2.0 TPM)
software: cat /proc/devices | grep tpm (the tpm character device must be registered)
localhost:~$ dmesg | grep tpm
[ 1.173042] tpm_tis IFX0785:00: 2.0 TPM (device-id 0x1B, rev-id 22)
localhost:~$ cat /proc/devices | grep tpm
241 tpm
- Start the TPM2 access broker and resource manager (tpm2-abrmd)
sudo systemctl start tpm2-abrmd
localhost:~$ systemctl status tpm2-abrmd.service
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
Loaded: loaded (/usr/lib/systemd/system/tpm2-abrmd.service; disabled; vendor preset: disabled)
Active: active (running) since 五 2020-03-20 03:33:57 UTC; 2h 2min ago
Main PID: 2973 (tpm2-abrmd)
Tasks: 6
Memory: 1.7M
CGroup: /system.slice/tpm2-abrmd.service
└─2973 /usr/sbin/tpm2-abrmd
Testing Procedure
- Set the TPM owner, endorsement and lockout passwords
$ tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
- Create a primary object
Create a primary object in the endorsement hierarchy with objectpass as the object password, RSA (0x0001) as the key algorithm and SHA256 (0x000b) as the name hash algorithm, saving the object context to the file po.ctx. The endorsement hierarchy password (endorsepass) authorizes the creation.
$ tpm2_createprimary -H e -K objectpass -g 0x000b -G 0x0001 -C po.ctx -P endorsepass
- Create an RSA key under the primary key
Create an RSA key under the primary key above, with subobjectpass as the object password and SHA256 as the name hash algorithm; the public portion is saved to key.pub and the wrapped private portion to key.priv.
$ tpm2_create -c po.ctx -P objectpass -K subobjectpass -g 0x000b -G 0x0001 -u key.pub -r key.priv
- Load the created RSA key
$ tpm2_load -c po.ctx -P objectpass -u key.pub -r key.priv -n key.name -C obj.ctx
- Encrypt with RSA key
$ tpm2_rsaencrypt -c obj.ctx -o data.encrypt data.in
- Decrypt with RSA key
$ tpm2_rsadecrypt -c obj.ctx -P subobjectpass -I data.encrypt -o data.out
- Sign data with the RSA key
Sign the data with the RSA key, using SHA256 as the hash algorithm.
$ tpm2_sign -c obj.ctx -P subobjectpass -g 0x000b -m msg.in -s sig.out
- Verify the signature with the RSA key
$ tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig
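The preparation checks and the whole testing procedure above, combined into one script that verifies each result (an added example, not part of the original page; it uses the page's tpm2-tools 3.x syntax, passwords and file names, while the helper function names and the constructed test inputs are its own):

```shell
#!/bin/sh
# Added example (not from the original page): checks the kernel sees a TPM 2.0
# (tpm2-tools cannot drive a 1.2 chip) and that the tpm char device exists, then
# runs the page's tpm2-tools 3.x steps end to end, verifying the decrypt round
# trip and that a tampered message fails to verify. Helper names are assumptions.
# Usage: sh tpm2_roundtrip.sh run
set -eu

# Print the TPM spec version ("2.0", "1.2") from dmesg text on stdin, e.g.
#   [ 1.173042] tpm_tis IFX0785:00: 2.0 TPM (device-id 0x1B, rev-id 22)
# Prints nothing when no TPM driver line is present.
tpm_version_from_dmesg() {
    sed -n 's/.*tpm_[a-z]* .*: \([0-9]\.[0-9]\) TPM .*/\1/p' | head -n 1
}

# Succeed when /proc/devices-style text on stdin lists a "tpm" char device.
tpm_in_proc_devices() {
    grep -q '^ *[0-9][0-9]* tpm$'
}

run_procedure() {
    [ "$(dmesg | tpm_version_from_dmesg)" = "2.0" ] \
        || { echo "kernel does not report a TPM 2.0" >&2; exit 1; }
    tpm_in_proc_devices < /proc/devices \
        || { echo "no tpm entry in /proc/devices" >&2; exit 1; }
    systemctl is-active --quiet tpm2-abrmd || sudo systemctl start tpm2-abrmd
    work=$(mktemp -d) && cd "$work"
    printf 'round-trip plaintext\n' > data.in      # constructed test input
    printf 'message to sign\n' > msg.in            # constructed test input
    tpm2_takeownership -o ownerpass -e endorsepass -l lockpass
    tpm2_createprimary -H e -K objectpass -g 0x000b -G 0x0001 -C po.ctx -P endorsepass
    tpm2_create -c po.ctx -P objectpass -K subobjectpass -g 0x000b -G 0x0001 \
        -u key.pub -r key.priv
    tpm2_load -c po.ctx -P objectpass -u key.pub -r key.priv -n key.name -C obj.ctx
    tpm2_rsaencrypt -c obj.ctx -o data.encrypt data.in
    tpm2_rsadecrypt -c obj.ctx -P subobjectpass -I data.encrypt -o data.out
    cmp data.in data.out            # decrypted data must equal the plaintext
    tpm2_sign -c obj.ctx -P subobjectpass -g 0x000b -m msg.in -s sig.out
    tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig
    printf 'message to sign?\n' > tampered.in       # differs by one byte
    if tpm2_verifysignature -c obj.ctx -g 0x000b -m tampered.in -s sig.out \
            -t tk2.sig 2>/dev/null; then
        echo "tampered message verified: signature check is broken" >&2; exit 1
    fi
    echo "TPM 2.0 encrypt/decrypt and sign/verify checks passed in $work"
}

# Only touch the hardware when explicitly asked; the helpers stay testable offline.
if [ "${1:-}" = run ]; then run_procedure; fi
```

The key material written to the temporary directory is bound to this TPM's primary object, so delete the directory once the check has passed.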