Version 6 (modified by 10 months ago) ( diff ) | ,
---|
Trusted Protection Module
Gateworks has an optional TPM on some SBCs.
The below models can optionally have it loaded:
- Malibu GW8901
- Venice:
- GW74xx-B
- GW73xx-F
- GW72xx-F
- GW71xx-E
The boards can contain an onboard Microchip ATTPM20P-H6MA1-10 TPM connected to the SPI bus.
This is compliant to the Trusted Computing Group (TCG) Trusted Platform Module (TPM) Version 2.0, r116 Trusted Platform Module Library. See link here: Link
Cryptographic Support for:
- HMAC
- AES-128
- SHA-1
- SHA-256
- ECC BN_P256, ECCNIST_P256 -RSA 1024-2048 bit keys
It is controlled via generic TCG SPI Linux driver:
- drivers/char/tpm/tpm_tis_spi.c: CONFIG_TCG_TIS, CONFIG_TCG_TIS_SPI
TPM 2.0 provides direct access via /dev/tpm0 (with one client at a time), and can be accessed through the tpm2-abrmd resource manager daemon, or kernel-managed access via /dev/tpmrm0
The TPM device is at /dev/tpm0
The TPM tool set (over 100 different commands) can be installed with the following command:
apt install tpm2-tools tpm2-abrmd
Example tpm2-tools showing the properties:
root@jammy-malibu:~# tpm2_getcap properties-fixed TPM2_PT_FAMILY_INDICATOR: raw: 0x322E3000 value: "2.0" TPM2_PT_LEVEL: raw: 0 TPM2_PT_REVISION: raw: 0x77 value: 1.19 TPM2_PT_DAY_OF_YEAR: raw: 0x42 TPM2_PT_YEAR: raw: 0x7DE TPM2_PT_MANUFACTURER: raw: 0x4D434850 value: "MCHP" TPM2_PT_VENDOR_STRING_1: raw: 0x0 value: "" etc.....
PCR Values
Platform Configuration Registers (PCRs) are registers that represent ‘fingerprints’ of different pieces of a specific system. These pieces can be things such as the bootloader, Linux kernel, and Initramfs. If the stored PCR values in the TPM do not match the currently booting system PCRs, access will not be granted. For example, someone trying to boot a Ubuntu Live CD would not be able to access the TPM key as the PCRs generated from the original disk and stored in the TPM will not match the newly generated PCRs from the boot CD. PCRs use hashing and thus any new value is concatenated with the old and then hashed. This new hash will replace the old hash. The definition of each specific PCR register can be found online.
Read the PCR Values:
root@jammy-venice:~# tpm2_pcrread sha1: 0 : 0x0000000000000000000000000000000000000000 1 : 0x0000000000000000000000000000000000000000 2 : 0x0000000000000000000000000000000000000000 3 : 0x0000000000000000000000000000000000000000 4 : 0x0000000000000000000000000000000000000000 5 : 0x0000000000000000000000000000000000000000 6 : 0x0000000000000000000000000000000000000000 7 : 0x0000000000000000000000000000000000000000 8 : 0x0000000000000000000000000000000000000000 9 : 0x0000000000000000000000000000000000000000 10: 0x0000000000000000000000000000000000000000 11: 0x0000000000000000000000000000000000000000 12: 0x0000000000000000000000000000000000000000 13: 0x0000000000000000000000000000000000000000 14: 0x0000000000000000000000000000000000000000 15: 0x0000000000000000000000000000000000000000 16: 0x0000000000000000000000000000000000000000 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 23: 0x0000000000000000000000000000000000000000 sha256:
Clearing the TPM
Only do this if you need to clear the TPM
tpm2_clear
Generate Random Number
See example below
tpm2_getrandom --hex 8
TPM Key Flow
A general flow for loading a key into the TPM: (arguments needed for below commands specific to each application )
tpm2_createpolicy # Create PCR Policy tpm2_createprimary # Create primary TPM object tpm2_create # Create TPM Object with Secret tpm2_load # Load object into the TPM tpm2_evictcontrol # Make TPM Object Persistant rm files #remove your working files
Resources
- Gateworks Venice Secure Boot Wiki: https://trac.gateworks.com/wiki/venice/secure_boot
- Security Considerations for Embedded Designs: https://www.gateworks.com/security-considerations-for-embedded-designs-single-board-computers/
- TPM Specification: https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/
- Microchip TPM Product Page: https://www.microchip.com/en-us/product/attpm20p
- The Web - A lot of examples and information about TPMs are available by searching the web