Difference between revisions of "Trusted Platform Module"

From ArchWiki
(Add TPM 2 limitations)
 
(28 intermediate revisions by 10 users not shown)
Line 1: Line 1:
 
[[Category:Security]]
 
[[Category:Security]]
[[Category:Hardware]]
+
[[Category:Other hardware]]
{{expansion}}
+
[[ja:Trusted Platform Module]]
A Trusted Platform Module is a "Security Chip" which is built in many modern PCs.
+
Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.
  
[http://en.wikipedia.org/wiki/Trusted_Platform_Module Have a look on Wikipedia] for more general information.
+
In practice a TPM can be used for various different security applications such as secure boot and key storage.
  
== TPM or not TPM ==
+
TPM is naturally supported only on devices that have TPM hardware support. If your hardware has TPM support but it is not showing up, it might need to be enabled in the BIOS settings.
First you must find out if you have an TPM in your computer, and what kind of TPM.
+
  
For ThinkPads have a look in the [http://www.thinkwiki.org/wiki/Embedded_Security_Subsystem#Using_the_Embedded_Security_Subsystem Thinkwiki].
+
== Versions ==
  
== Enabling in the BIOS ==
+
{{Note|Support for TPM 2.0 is still incomplete (both on the kernel and in userspace), and no known workflow for TPM2 exists at the moment.}}
Just look for an Entry like "Enable TPM-Chip" and set it on Enabled.
+
 
 +
Current attempts to run {{ic|tcsd}} on a system with TPM 2.0 will result in the following:
 +
 
 +
# cat /sys/class/tpm/tpm0/device/description
 +
TPM 2.0 Device
 +
 
 +
# tcsd -f
 +
TCSD TDDL ioctl: (25) Inappropriate ioctl for device
 +
TCSD TDDL Falling back to Read/Write device support.
 +
TCSD TCS ERROR: TCS GetCapability failed with result = 0x1e
 +
 
 +
The rest of this article will focus only on TPM 1.2
  
 
== Drivers ==
 
== Drivers ==
Drivers are Kernel Modules and can be loaded with
 
modprobe tpm
 
or tpm_atmel, tpm_bios, tpm_infineon, tpm_nsc or tpm_tis, depending on your chipset.
 
  
== trousers/tcsd ==
+
TPM drivers are natively supported in modern kernels, but might need to be loaded:
For using a TPM you must compile some packages from the AUR.
+
 
 +
# modprobe tpm
 +
 
 +
Depending on your chipset, you might also need to load one of the following:
 +
 
 +
# modprobe tpm_{atmel,bios,infineon,nsc,tis,crb}
 +
 
 +
== Usage ==
 +
 
 +
TPM is managed by {{ic|tcsd}}, a userspace daemon that manages Trusted Computing resources and should be (according to the TSS spec) the only portal to the TPM device driver. {{ic|tcsd}} is part of the {{AUR|trousers}} AUR package, which was created and released by IBM, and can be configured via {{ic|/etc/tcsd.conf}}.
 +
 
 +
To start tcsd and watch the output, run:
 +
 
 +
# tcsd -f
 +
 
 +
or simply start and enable {{ic|tcsd.service}}.
 +
 
 +
Once {{ic|tcsd}} is running you might also want to install {{AUR|tpm-tools}} which provides many of the command line tools for managing the TPM.
 +
 
 +
Some other tools of interest:
 +
 
 +
* {{App|tpmmanager|A Qt front-end to tpm-tools|http://sourceforge.net/projects/tpmmanager|{{AUR|tpmmanager}}}}
 +
* {{App|openssl_tpm_engine|OpenSSL engine which interfaces with the TSS API|http://sourceforge.net/projects/trousers|{{AUR|openssl_tpm_engine}}{{Broken package link|{{aur-mirror|openssl_tpm_engine}}}}}}
 +
* {{App|tpm_keyring2|A key manager for TPM based eCryptfs keys|http://sourceforge.net/projects/trousers|{{AUR|tpm_keyring2}}{{Broken package link|{{aur-mirror|tpm_keyring2}}}}}}
 +
* {{App|opencryptoki|A PKCS#11 implementation for Linux. It includes drivers and libraries to enable IBM cryptographic hardware as well as a software token for testing.|http://sourceforge.net/projects/opencryptoki|{{AUR|opencryptoki}}}}
 +
 
 +
=== Basics ===
  
You will need the [https://aur.archlinux.org/packages.php?ID=14330 Trousers] package, which was created and released by IBM.
+
Start off by getting basic version info:
  
It provides you with "tcsd", a user space daemon that manages Trusted Computing resources and should be (according to the TSS spec) the only portal to the TPM device driver.
+
$ tpm_version
  
tcsd has a manpage. You can configure tcsd trough /etc/tcsd.conf.
+
and running a selftest:
  
For starting tcsd and watching the output, run
+
  $ tpm_selftest -l info
  tcsd -f
+
  TPM Test Results: 00000000 ...
 +
  tpm_selftest succeeded
  
or simply add tcsd to the DAEMONS line in /etc/rc.conf for automatic startup with every boot.
+
=== Securing SSH Keys ===
  
== Using the TPM ==
+
There are several methods to use TPM to secure keys, but here we show a simple method based on {{aur|simple-tpm-pk11-git}}.
There are several AUR packages for using the TPM with trousers, most of are also part of the trousers project.
+
  
=== tpm-tools ===
+
First, create a new directory and generate the key:
https://aur.archlinux.org/packages.php?ID=14331
+
  
Is a set of tools like tpm_changeownerauth, tpm_clear, tpm_createek, tpm_getpubek, tpm_resetdalock, tpm_restrictpubek, tpm_revokeek, tpm_sealdate, tpm_selftest, tpm_setactive, tpm_setclearable, tpm_setenable, tpm_setoperatorauth, tpm_setownable, tpm_setpresence, tpm_takeownership, tpm_version.
+
$ mkdir ~/.simple-tpm-pk11
 +
$ stpm-keygen -o ~/.simple-tpm-pk11/my.key
  
Each of them has an own manpage.
+
Point the config to the key:
  
=== tpmmanager ===
+
{{hc|~/.simple-tpm-pk11/config|
https://aur.archlinux.org/packages.php?ID=30261
+
key my.key
 +
}}
  
A Qt front-end to tpm-tools, not developed by the trousers team.
+
Now configure SSH to use the right PKCS11 provider:
  
=== openssl_tpm_engine ===
+
{{hc|~/.ssh/config|
https://aur.archlinux.org/packages.php?ID=14332
+
Host *
 +
    PKCS11Provider /usr/lib/libsimple-tpm-pk11.so
 +
}}
  
OpenSSL engine which interfaces with the TSS API
+
It's now possible to generate keys with the PKCS11 provider:
  
=== tpm_keyring2 ===
+
$ ssh-keygen -D /usr/lib/libsimple-tpm-pk11.so
https://aur.archlinux.org/packages.php?ID=14339
+
  
A key manager for TPM based eCryptfs keys
+
{{Note|This method currently does not allow for multiple keys to be generated and used.}}
  
=== opencryptoki ===
+
== See also ==
https://aur.archlinux.org/packages.php?ID=22500
+
  
openCryptoki is a PKCS#11 implementation for Linux. It includes drivers and libraries to enable IBM cryptographic hardware as well as a software token for testing.
+
* [[wikipedia:Trusted_Platform_Module|TPM on Wikipedia]]
 +
* [http://lwn.net/Articles/674751/ Protecting systems with the TPM]
 +
* [http://www.thinkwiki.org/wiki/Embedded_Security_Subsystem Embedded Security Subsystem on Thinkwiki]
 +
* [http://www.cs.unh.edu/~it666/reading_list/Hardware/tpm_fundamentals.pdf TPM Fundamentals (PDF)]
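
Review bot: in the new "Securing SSH Keys" section, the sentence "It's now possible to generate keys with the PKCS11 provider" does not match the command placed under it. ssh-keygen -D reads the public keys that the PKCS#11 library offers and prints them; the key itself was already created by stpm-keygen two steps earlier. Suggest rewording the sentence to say that the command prints the public key, which then goes into authorized_keys on the server. Separately, the ~/.ssh/config snippet puts PKCS11Provider under "Host *", so the library is loaded for every connection; it is worth saying that a narrower Host pattern can be used when only some hosts should see the TPM key. The new text also drops the old "Enabling in the BIOS" heading and keeps only the one-sentence hint in the introduction, which is fine, but the ThinkWiki link that covered this for ThinkPads is now only in "See also".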

Latest revision as of 08:26, 14 April 2016

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.

In practice a TPM can be used for various different security applications such as secure boot and key storage.

TPM is naturally supported only on devices that have TPM hardware support. If your hardware has TPM support but it is not showing up, it might need to be enabled in the BIOS settings.

Versions

Note: Support for TPM 2.0 is still incomplete (both in the kernel and in userspace), and no known workflow for TPM2 exists at the moment.

Current attempts to run tcsd on a system with TPM 2.0 will result in the following:

# cat /sys/class/tpm/tpm0/device/description 
TPM 2.0 Device
# tcsd -f
TCSD TDDL ioctl: (25) Inappropriate ioctl for device
TCSD TDDL Falling back to Read/Write device support.
TCSD TCS ERROR: TCS GetCapability failed with result = 0x1e

The rest of this article will focus only on TPM 1.2.
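
The check above can be scripted so that tcsd is only started on hardware it can talk to. This is an added example, not part of the wiki page; the tpm_version_major and caps attributes are assumptions about the running kernel, and only the description file is taken from the output shown above.

```shell
#!/bin/sh
# Added example, not from the wiki: report which TPM generation a device
# exposes, so tcsd (TPM 1.2 only) is not started against a TPM 2.0 chip.

# $1 = TPM class directory, normally /sys/class/tpm/tpm0
tpm_generation() {
    dev=$1
    [ -d "$dev" ] || { echo none; return 0; }
    # Assumption: newer kernels publish the major version directly.
    if [ -r "$dev/tpm_version_major" ]; then
        case $(cat "$dev/tpm_version_major") in
            1) echo 1.2 ;;
            2) echo 2.0 ;;
            *) echo unknown ;;
        esac
        return 0
    fi
    # The file used on this page; it reads "TPM 2.0 Device" on TPM 2.0 hardware.
    if grep -q 'TPM 2\.0' "$dev/device/description" 2>/dev/null; then
        echo 2.0; return 0
    fi
    # Assumption: the TPM 1.2 driver exposes a "caps" attribute, either on
    # the class device or on its parent device depending on kernel age.
    if [ -e "$dev/caps" ] || [ -e "$dev/device/caps" ]; then
        echo 1.2; return 0
    fi
    echo unknown
}

# Succeeds only when the TrouSerS stack described in this article applies.
tcsd_applicable() {
    [ "$(tpm_generation "$1")" = "1.2" ]
}

# Usage: tcsd_applicable /sys/class/tpm/tpm0 && tcsd -f
```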

Drivers

TPM drivers are natively supported in modern kernels, but might need to be loaded:

# modprobe tpm

Depending on your chipset, you might also need to load one of the following:

# modprobe tpm_{atmel,bios,infineon,nsc,tis,crb}

Usage

TPM is managed by tcsd, a userspace daemon that manages Trusted Computing resources and should be (according to the TSS spec) the only portal to the TPM device driver. tcsd is part of the trousers AUR package, which was created and released by IBM, and can be configured via /etc/tcsd.conf.

To start tcsd and watch the output, run:

# tcsd -f

or simply start and enable tcsd.service.

Once tcsd is running you might also want to install tpm-tools (AUR), which provides many of the command line tools for managing the TPM.

Some other tools of interest:

  • tpmmanager — A Qt front-end to tpm-tools.
    http://sourceforge.net/projects/tpmmanager || tpmmanager (AUR)
  • openssl_tpm_engine — OpenSSL engine which interfaces with the TSS API.
    http://sourceforge.net/projects/trousers || openssl_tpm_engine (AUR) [broken link: archived in aur-mirror]
  • tpm_keyring2 — A key manager for TPM based eCryptfs keys.
    http://sourceforge.net/projects/trousers || tpm_keyring2 (AUR) [broken link: archived in aur-mirror]
  • opencryptoki — A PKCS#11 implementation for Linux. It includes drivers and libraries to enable IBM cryptographic hardware as well as a software token for testing.
    http://sourceforge.net/projects/opencryptoki || opencryptoki (AUR)

Basics

Start off by getting basic version info:

$ tpm_version

and running a selftest:

$ tpm_selftest -l info
 TPM Test Results: 00000000 ...
 tpm_selftest succeeded

Securing SSH Keys

There are several methods to use TPM to secure keys, but here we show a simple method based on simple-tpm-pk11-git (AUR).

First, create a new directory and generate the key:

$ mkdir ~/.simple-tpm-pk11
$ stpm-keygen -o ~/.simple-tpm-pk11/my.key

Point the config to the key:

~/.simple-tpm-pk11/config
key my.key

Now configure SSH to use the right PKCS11 provider:

~/.ssh/config
Host *
    PKCS11Provider /usr/lib/libsimple-tpm-pk11.so

It's now possible to generate keys with the PKCS11 provider:

$ ssh-keygen -D /usr/lib/libsimple-tpm-pk11.so

Note: This method currently does not allow for multiple keys to be generated and used.
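
The steps above leave three pieces that have to agree: the key directive in ~/.simple-tpm-pk11/config, the key blob it names, and the PKCS11Provider line in ~/.ssh/config. The following audit script is an added example, not part of the wiki page or of simple-tpm-pk11; the function names are hypothetical, and it assumes that a relative key name is resolved against the config directory, as the layout above implies.

```shell
#!/bin/sh
# Added example, not from the wiki: audit the simple-tpm-pk11 + SSH layout
# described above. All paths are parameters; function names are hypothetical.

# Print the file named by the "key" directive. Assumption: a relative name
# is relative to the config directory, as the page's layout implies.
stpm_key_path() {
    conf_dir=$1
    name=$(awk '$1 == "key" { print $2; exit }' "$conf_dir/config" 2>/dev/null)
    [ -n "$name" ] || return 1
    case $name in
        /*) printf '%s\n' "$name" ;;
        *)  printf '%s\n' "$conf_dir/$name" ;;
    esac
}

# Print every PKCS11Provider value in an ssh_config file. The keyword is
# case-insensitive and may be separated from its value by spaces or "=".
ssh_pkcs11_providers() {
    awk -F'[ \t=]+' '{ sub(/^[ \t]+/, "") }
        tolower($1) == "pkcs11provider" { print $2 }' "$1" 2>/dev/null
}

# Return 0 only if the whole chain is consistent; print one line per finding.
audit_stpm_ssh() {
    conf_dir=$1 ssh_conf=$2 lib=$3 rc=0
    key=$(stpm_key_path "$conf_dir") ||
        { echo "no key directive in $conf_dir/config"; return 1; }
    [ -f "$key" ] || { echo "key blob missing: $key"; rc=1; }
    # Group and other permission bits of the directory must all be '-'.
    [ "$(ls -ld "$conf_dir" | cut -c5-10)" = "------" ] ||
        { echo "$conf_dir is accessible to group/other"; rc=1; }
    [ -e "$lib" ] || { echo "provider library missing: $lib"; rc=1; }
    ssh_pkcs11_providers "$ssh_conf" | grep -qxF "$lib" ||
        { echo "PKCS11Provider $lib not set in $ssh_conf"; rc=1; }
    return $rc
}

# Usage:
#   audit_stpm_ssh "$HOME/.simple-tpm-pk11" "$HOME/.ssh/config" \
#       /usr/lib/libsimple-tpm-pk11.so
```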

See also