Changes between Version 9 and Version 10 of tpm


Timestamp:
05/15/2024 11:11:55 PM (6 months ago)
Author:
Tim Harvey
Comment:

restructured the page for better flow, added a measured boot section, added anchors, removed the duplicate references to venice/secure_boot (one reference is enough!)

  • tpm

    v9 v10  
    99TPM chips are either compliant with the initial specification or the v2.0+ specification: See [https://en.wikipedia.org/wiki/Trusted_Platform_Module#TPM_1.2_vs_TPM_2.0 TPM v1.2 vs TPM 2.0] for details.
    1010
    11 Please also read: [wiki:venice/secure_boot Gateworks TPM Wiki when used with Secure Boot]
     11See also:
     12 - [wiki:venice/secure_boot] - Example showing use of TPM on Venice for secure/measured boot
     13
    1214
    1315== Microchip ATTPM20P
     
    3032 - RSA 1024-2048 bit keys
    3133
     34
     35[=#pcr]
     36== PCR Values
     37A cryptographic hash (sometimes called a 'digest') is a kind of 'signature' for a set of data. For example the SHA-256 algorithm can be used to generate an almost-unique 256-bit (32-byte) signature (aka 'hash' or 'digest') for a file. Note that this signature/hash/digest is not 'encryption' - it is a one way cryptographic function and is a fixed size for any source of data.
     38
     39Starting from a root of trust (typically the SoC BOOT ROM) each software stage during the boot process is supposed to to some measurements and store them in a safe place. A 'measure' is just a signature/hash/digest of a memory region. This value can be sent to the TPM as a measure which will merge with measurement with the previous ones.
     40
     41The hardware feature used to store and merge these measurements is called Platform Configuration Registers (PCR). At power-up a PCR is set to a known value (typically either 0x00's or 0xff's) and sending a new value to the TPM is called 'extending a PCR' because the chosen register will extend its value with the one received. This way a PCR can only evolve in one direction and never go back unless the platform is reset. Each software stage will be in charge of extending a set of PCRs with digests of the next software stage. Once in Linux for example user software may ask the TPM to deliver its secrects but the only way to get them is having all PCRs matching a known pattern which can only be obtained by extending the PCRs in the right order with the right digets.
     42
     43If the stored PCR values in the TPM do not match the currently booting system PCRs, access will not be granted. For example, someone trying to boot a Ubuntu Live CD would not be able to access the TPM key as the PCRs generated from the original disk and stored in the TPM will not match the newly generated PCRs from the boot CD. PCRs use hashing and thus any new value is concatenated with the old and then hashed. This new hash will replace the old hash. The definition of each specific PCR register can be found online.   
     44
     45
     46[=#measuredboot]
     47== Measured Boot
     48The concept of measured boot utilizes a TPM to used measured values of boot stages to extend PCR's that are used to lock a secret. The secret can not be revealed unless the PCR values match what was used when the secret was stored and the only way that can happen is if the measurements are the same. So if the measurements used in the PCR's cover each boot phase your secret is secure and can never be pulled from the TPM if access to your device is obtained.
     49
     50For example consider the following:
     51 * boot firmware is loaded by an SoC BOOT_ROM and authenticated by fuses and signature (the BOOT_ROM would be the root of trust here)
     52 * boot firmware code is measured into a PCR; a hash algorithm can be run on the code itself and the PCR extended with that hash
     53 * a key used to unlock/decrypt the root filesystem is locked by that PCR. Once the key is read and used the PCR is extended again which effectively 'seals' the key from being read further down the chain
     54
     55
     56[=#key]
     57== TPM Key Flow
     58A general flow for loading a key into the TPM: (arguments needed for below commands specific to each application )
     59{{{#!bash
     60tpm2_createpolicy  # Create PCR Policy
     61tpm2_createprimary  # Create primary TPM object
     62tpm2_create  # Create TPM Object with Secret
     63tpm2_load  # Load object into the TPM
     64tpm2_evictcontrol  # Make TPM Object Persistant
     65rm files #remove your working files
     66}}}
     67
     68
     69[=#linux]
    3270== Linux Driver
    3371The TIS compliant TPM devices are supported by the TCG SPI Linux driver:
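Review bot: the closing sentence of the new Measured Boot paragraph (v10 line 48) overstates the guarantee: "your secret is secure and can never be pulled from the TPM if access to your device is obtained" is contradicted by the hunk's own example at line 53, where the key is released to the booting software once the PCR matches and is only sealed by extending the PCR again afterwards. What the PCR policy actually binds is release to an unmodified boot chain; a modified or foreign boot path (the Live CD case already described at line 43) gets a different PCR value and cannot unseal it. Suggest rewording along the lines of "the secret is only released to a boot chain whose measurements match those used when it was sealed; a modified boot stage changes the PCR and the TPM refuses to unseal", and, in line 43, spelling out the extend step as the new PCR value being the hash of the old value concatenated with the new digest, since that is what makes the order of extends matter (line 41). Spelling in the added text: line 39 "supposed to to some measurements" should be "supposed to do some measurements", line 41 "secrects" and "digets" should be "secrets" and "digests", line 48 "to used measured values" should be "to use measured values" and "PCR's" should be "PCRs", and line 64 "Persistant" should be "Persistent".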
     
    112150Please also read: [wiki:venice/secure_boot Gateworks TPM Wiki when used with Secure Boot]
    113151
    114 == PCR Values
    115 A cryptographic hash (sometimes called a 'digest') is a kind of 'signature' for a set of data. For example the SHA-256 algorithm can be used to generate an almost-unique 256-bit (32-byte) signature (aka 'hash' or 'digest') for a file. Note that this signature/hash/digest is not 'encryption' - it is a one way cryptographic function and is a fixed size for any source of data.
    116 
    117 Starting from a root of trust (typically the SoC BOOT ROM) each software stage during the boot process is supposed to to some measurements and store them in a safe place. A 'measure' is just a signature/hash/digest of a memory region. This value can be sent to the TPM as a measure which will merge with measurement with the previous ones.
    118 
    119 The hardware feature used to store and merge these measurements is called Platform Configuration Registers (PCR). At power-up a PCR is set to a known value (typically either 0x00's or 0xff's) and sending a new value to the TPM is called 'extending a PCR' because the chosen register will extend its value with the one received. This way a PCR can only evolve in one direction and never go back unless the platform is reset. Each software stage will be in charge of extending a set of PCRs with digests of the next software stage. Once in Linux for example user software may ask the TPM to deliver its secrects but the only way to get them is having all PCRs matching a known pattern which can only be obtained by extending the PCRs in the right order with the right digets.
    120 
    121 If the stored PCR values in the TPM do not match the currently booting system PCRs, access will not be granted. For example, someone trying to boot a Ubuntu Live CD would not be able to access the TPM key as the PCRs generated from the original disk and stored in the TPM will not match the newly generated PCRs from the boot CD. PCRs use hashing and thus any new value is concatenated with the old and then hashed. This new hash will replace the old hash. The definition of each specific PCR register can be found online.   
    122 
    123 Please also read: [wiki:venice/secure_boot Gateworks TPM Wiki when used with Secure Boot]
    124 
    125 == TPM Key Flow
    126 A general flow for loading a key into the TPM: (arguments needed for below commands specific to each application )
    127 {{{#!bash
    128 tpm2_createpolicy  # Create PCR Policy
    129 tpm2_createprimary  # Create primary TPM object
    130 tpm2_create  # Create TPM Object with Secret
    131 tpm2_load  # Load object into the TPM
    132 tpm2_evictcontrol  # Make TPM Object Persistant
    133 rm files #remove your working files
    134 }}}
    135 
    136 Please also read: [wiki:venice/secure_boot Gateworks TPM Wiki when used with Secure Boot]
    137 
     152[=#uboot]
    138153== U-Boot
    139154U-Boot has TPM support as well:
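Review bot: the unchanged context at old line 112 / new line 150 still carries "Please also read: [wiki:venice/secure_boot Gateworks TPM Wiki when used with Secure Boot]", while the first hunk adds a "See also" entry for the same page at new line 12, so after this change the page still links venice/secure_boot twice and the "one reference is enough" goal in the commit comment is only partly met; suggest dropping line 150 as well and keeping the single "See also" entry. The removal of old lines 114 to 137 is otherwise consistent with the restructuring, since that text now appears verbatim under the [=#pcr] and [=#key] anchors added in the second hunk, and the new [=#uboot] anchor at line 152 follows the same anchor convention.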