Difference between revisions of "Trusted Platform Module"

From ArchWiki
(tcsd.service failed to start: You need to be root to do this, no?)
(add some initial bits for the two TPM versions)
 
Line 10: Line 10:
 
== Versions ==
 
== Versions ==
  
{{Accuracy | TPM2.0 support was added in kernel [https://fosdem.org/2018/schedule/event/tpm].}}
+
There are two very different TPM specifications: 1.2 and 2.0, which also use different software stacks.
  
{{Note|Support for TPM 2.0 is lacking.}}
+
- TPM 1.2 uses the "TrouSerS" TSS (TCG software stack) by IBM, which is packaged as {{aur|trousers}} (tcsd) and {{aur|tpm-tools}} (userspace). All software access the TPM through the ''tcsd'' daemon.
  
Current attempts to run {{ic|tcsd}} on a system with TPM 2.0 will result in the following:
+
- TPM 2.0 allows direct access via {{ic|/dev/tpm0}} (one client at a time), managed access through the {{pkg|tpm2-abrmd}} resource manager daemon, or kernel-managed access via {{ic|/dev/tpmrm0}}. There are two choices of userspace tools, {{pkg|tpm2-tools}} by Intel and {{aur|ibm-tss}} by IBM.
  
# cat /sys/class/tpm/tpm0/device/description
+
TPM 2.0 requires UEFI (native); BIOS or CSM systems can only use TPM 1.2.
TPM 2.0 Device
 
  
# tcsd -f
+
Some TPM chips can be switched between 1.2 and 2.0 through a firmware upgrade (which can be done only a limited number of times).
TCSD TDDL ioctl: (25) Inappropriate ioctl for device
 
TCSD TDDL Falling back to Read/Write device support.
 
TCSD TCS ERROR: TCS GetCapability failed with result = 0x1e
 
  
The rest of this article will focus only on TPM 1.2
+
== Using TPM 1.2 ==
  
== Drivers ==
+
=== Drivers ===
  
 
TPM drivers are natively supported in modern kernels, but might need to be loaded:
 
TPM drivers are natively supported in modern kernels, but might need to be loaded:
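Review bot: the rewritten Versions section drops the "# tcsd -f" transcript ending in "TCS GetCapability failed with result = 0x1e" together with the /sys/class/tpm/tpm0/device/description check, which were the only lines showing how to tell a TPM 2.0 chip apart and what tcsd does when started against one. I would keep both, for example under Troubleshooting, since readers will still hit that error. The added sentence "TPM 2.0 requires UEFI (native); BIOS or CSM systems can only use TPM 1.2." is stated as an absolute without a source, while the {{Accuracy}} template it replaces at least carried a link.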
Line 36: Line 32:
 
  # modprobe tpm_{atmel,bios,infineon,nsc,tis,crb}
 
  # modprobe tpm_{atmel,bios,infineon,nsc,tis,crb}
  
== Usage ==
+
=== Usage ===
  
TPM is managed by {{ic|tcsd}}, a userspace daemon that manages Trusted Computing resources and should be (according to the TSS spec) the only portal to the TPM device driver. {{ic|tcsd}} is part of the {{AUR|trousers}} AUR package, which was created and released by IBM, and can be configured via {{ic|/etc/tcsd.conf}}.
+
TPM 1.2 is managed by {{ic|tcsd}}, a userspace daemon that manages Trusted Computing resources and should be (according to the TSS spec) the only portal to the TPM device driver. {{ic|tcsd}} is part of the {{AUR|trousers}} AUR package, which was created and released by IBM, and can be configured via {{ic|/etc/tcsd.conf}}.
  
 
To start tcsd and watch the output, run:
 
To start tcsd and watch the output, run:
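Review bot: in the changed Usage paragraph, "{{AUR|trousers}} AUR package" renders the word AUR twice, and the template is written {{AUR|trousers}} here but {{aur|trousers}} in the Versions hunk. Suggest "is part of the {{AUR|trousers}} package" and a single template casing throughout. With Drivers and Usage now demoted under "== Using TPM 1.2 ==", the page has no matching section for TPM 2.0 even though the new Versions text names tpm2-abrmd and tpm2-tools; a stub heading would make the gap visible.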

Latest revision as of 18:23, 30 January 2019

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.

In practice a TPM can be used for various security applications such as secure boot and key storage.

TPM is naturally supported only on devices that have TPM hardware support. If your hardware has TPM support but it is not showing up, it might need to be enabled in the BIOS settings.

Versions

There are two very different TPM specifications: 1.2 and 2.0, which also use different software stacks.

- TPM 1.2 uses the "TrouSerS" TSS (TCG software stack) by IBM, which is packaged as trousers (AUR; tcsd) and tpm-tools (AUR; userspace). All software accesses the TPM through the tcsd daemon.

- TPM 2.0 allows direct access via /dev/tpm0 (one client at a time), managed access through the tpm2-abrmd resource manager daemon, or kernel-managed access via /dev/tpmrm0. There are two choices of userspace tools, tpm2-tools by Intel and ibm-tss (AUR) by IBM.

TPM 2.0 requires UEFI (native); BIOS or CSM systems can only use TPM 1.2.

Some TPM chips can be switched between 1.2 and 2.0 through a firmware upgrade (which can be done only a limited number of times).
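
One way to pick between the two stacks described above from what the kernel exposes, added here as an example and not part of the wiki page. It assumes the tpm_version_major sysfs attribute of newer kernels, falls back to the device/description string, and treats /dev/tpmrm0 as a TPM 2.0 indicator; the function name tpm_stack and its two directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example: report the TPM version and the matching software stack.
# Usage: tpm_stack [SYSFS_DIR] [DEV_DIR]
#        (defaults: /sys/class/tpm/tpm0 and /dev; the arguments exist so the
#        logic can be exercised against a constructed directory tree)
tpm_stack() {
    sys=${1:-/sys/class/tpm/tpm0}
    dev=${2:-/dev}

    if [ ! -d "$sys" ]; then
        echo "none: no TPM registered (check firmware settings and drivers)"
        return 1
    fi

    major=
    if [ -r "$sys/tpm_version_major" ]; then
        # Assumption: newer kernels expose the major version here (1 or 2).
        major=$(cat "$sys/tpm_version_major")
    elif [ -r "$sys/device/description" ]; then
        # Older kernels: firmware description string, e.g. "TPM 2.0 Device".
        case $(cat "$sys/device/description") in
            *"TPM 2.0"*) major=2 ;;
        esac
    fi
    # Assumption: the kernel creates tpmrm0 only for TPM 2.0 chips.
    if [ -z "$major" ] && [ -e "$dev/tpmrm0" ]; then
        major=2
    fi

    case $major in
        2)
            if [ -e "$dev/tpmrm0" ]; then
                echo "2.0: use $dev/tpmrm0 or tpm2-abrmd; do not start tcsd"
            else
                echo "2.0: use tpm2-abrmd, or $dev/tpm0 for one client; do not start tcsd"
            fi ;;
        1)
            echo "1.2: start tcsd (trousers) and use tpm-tools" ;;
        *)
            echo "unknown: cannot tell 1.2 from 2.0; inspect $sys manually"
            return 2 ;;
    esac
}
```

Source the file and call tpm_stack with no arguments on a live system; a "2.0" answer means tcsd is the wrong daemon for that chip.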

Using TPM 1.2

Drivers

TPM drivers are natively supported in modern kernels, but might need to be loaded:

# modprobe tpm

Depending on your chipset, you might also need to load one of the following:

# modprobe tpm_{atmel,bios,infineon,nsc,tis,crb}

Usage

TPM 1.2 is managed by tcsd, a userspace daemon that manages Trusted Computing resources and should be (according to the TSS spec) the only portal to the TPM device driver. tcsd is part of the trousers AUR package, which was created and released by IBM, and can be configured via /etc/tcsd.conf.

To start tcsd and watch the output, run:

# tcsd -f

or simply start and enable tcsd.service.

Once tcsd is running you might also want to install tpm-tools (AUR), which provides many of the command line tools for managing the TPM.

Some other tools of interest:

  • tpmmanager — A Qt front-end to tpm-tools
    http://sourceforge.net/projects/tpmmanager || tpmmanager (AUR)
  • openssl_tpm_engine — OpenSSL engine which interfaces with the TSS API
    http://sourceforge.net/projects/trousers || openssl_tpm_engine (AUR) [broken link: archived in aur-mirror]
  • tpm_keyring2 — A key manager for TPM based eCryptfs keys
    http://sourceforge.net/projects/trousers || tpm_keyring2 (AUR) [broken link: archived in aur-mirror]
  • opencryptoki — A PKCS#11 implementation for Linux. It includes drivers and libraries to enable IBM cryptographic hardware as well as a software token for testing.
    http://sourceforge.net/projects/opencryptoki || opencryptoki (AUR)

Basics

Start off by getting basic version info:

$ tpm_version

and running a selftest:

$ tpm_selftest -l info
 TPM Test Results: 00000000 ...
 tpm_selftest succeeded

Securing SSH Keys

There are several methods to use TPM to secure keys, but here we show a simple method based on simple-tpm-pk11-git (AUR).

First, create a new directory and generate the key:

$ mkdir ~/.simple-tpm-pk11
$ stpm-keygen -o ~/.simple-tpm-pk11/my.key

Point the config to the key:

~/.simple-tpm-pk11/config
key my.key

Now configure SSH to use the right PKCS11 provider:

~/.ssh/config
Host *
    PKCS11Provider /usr/lib/libsimple-tpm-pk11.so

It's now possible to generate keys with the PKCS11 provider:

$ ssh-keygen -D /usr/lib/libsimple-tpm-pk11.so

Note: This method currently does not allow for multiple keys to be generated and used.

Troubleshooting

tcsd.service failed to start

The tcsd.service service may not start correctly due to permission issues.[1] It is possible to fix this using:

# chown tss:tss /dev/tpm*
# chown -R tss:tss /var/lib/tpm

See also