genofire
/
tpm2_tap
1
1
Fork 0
Code Issues Pull Requests Releases Activity
A TAP implementation for the TPM2. https://web.fireorbit.de/tpm2_tap
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
51 Commits
1 Branch
1 Tag
149 KiB
 
 
 
 
 
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
genofire 7e68138f39
use aes128cfb for Infineon TPM9670 on PI 		2 years ago
contrib improve file-to-pcr 2 years ago
migrations rewrite quote signature im verifier (exporter) + handle without public attester key 2 years ago
src use aes128cfb for Infineon TPM9670 on PI 2 years ago
tests cargo fmt 2 years ago
.gitignore cleanup dependencies 2 years ago
.gitlab-ci.yml ci: fix tss build 2 years ago
Cargo.lock use only current state of tss_esapi 2 years ago
Cargo.toml use only current state of tss_esapi 2 years ago
Makefile tap implement pcr read 2 years ago
README.md rewrite quote signature im verifier (exporter) + handle without public attester key 2 years ago
diesel.toml WIP: first version to handle database 2 years ago

README.md

Depenencies

  • rust
  • tpm2-tss
    • llvm
    • clang
  • libsystemd-dev (for socket activation)
  • libsqlite3-dev

Archlinux install

pacman -S rust tpm2-tss llvm clang diesel-cli

Build

Build Binary:

cargo build

Build Documentation:

cargo doc --no-deps

Run Debugging

export RUST_LOG=debug;

Installiere tap-service

  1. Installiere Abhängigkeit: pacman -S tpm2-tss
  2. Copiere Binary tap_service unter /usr/local/bin/.
  3. Erstelle service (und socket-file) unter /etc/systemd/system/, Inhalt und Dateiname sind im Repo.
    • contrib/tpm2-tap.socket
    • contrib/tpm2-tap.service
  4. Konfiguriere Service mit den Variablen unter /etc/tpm2-tap.env,
    • ein Beispiel liegt unter contrib/tpm2-tap.env
  5. Starte socket-activation für Service und füge diese zum Bootvorgang hinzu:
    • `systemctl enable --now tpm2-tap.socket

Install virtuelle TPM (for boot)

Erstelle service-file mit folgenden Inhalt unter: /etc/systemd/system/ibm-sw-tpm2.service

[Unit]
Description=IBM Software TPM2

[Service]
Type=simple
ExecStart=/usr/bin/tpm_server
WorkingDirectory=/var/lib/tpm_server
Restart=always
RestartSec=5s

[Install]
WantedBy=multi-user.target

Installiere und starte TPM

pacman -Sy ibm-sw-tpm2 tpm2-abrmd
mkdir /var/lib/tpm_server
systemctl enable --now ibm-sw-tpm2

Für die Benutzung des virtuellen TPM durch mehrere Prozesse / Threads muss der AccessBroker folgend angepasst werden: systemctl edit tpm2-abrmd

[Unit]
ConditionPathExistsGlob=

[Service]
ExecStart=
ExecStart=/usr/bin/tpm2-abrmd --tcti=mssim

Nun kann auch der gestartet werden und zum Bootvorgang hinzugefügt: systemctl enable --now tpm2-abrmd

Verifier

Example to add attester public key into verifier_exporter database

sqlite3 verifier.db "update attesters set public_key=x'DBA74546118988FD3791CCB8BCA1791131717F1B1EACAF29CBD799C178EA6EF6594654D8C0A07A21DDD9269177ED1F0B9165CAA85E703DEA0A20F7840FE57944E75602D6833FFFFCCEF3F0D1E865A1DA4D2736AED351EF3660FF8CC7DE86BC0BEC8867DD16E6BFA0EFB071C4F23B8DE9E1775662C1A8F83758DAB2C919428EE1' where address='[::1]:30271';"