First, you must have a computer with a TPM 1.2 chip and a Linux system.
Run the following command to list the TPM driver modules shipped with the running kernel:
$ ls -la /lib/modules/`uname -r`/kernel/drivers/char/tpm
total 100
drwxr-xr-x 2 root root 4096 02-03 21:47 .
drwxr-xr-x 7 root 4096 02-03 21:47 ..
-rwxr--r-- 1 root 9812 01-21 :27 tpm_atmel.ko
-rwxr--r-- 1 root 11128 01-21 :27 tpm_bios.ko
-rwxr--r-- 1 root 15860 01-21 :27 tpm_infineon.ko
-rwxr--r-- 1 root 19184 01-21 :27 tpm.ko
-rwxr--r-- 1 root 10796 01-21 :27 tpm_nsc.ko
-rwxr--r-- 1 root 16516 01-21 :27 tpm_tis.ko
The tpm_tis module supports TPM 1.2 and is required. If it is missing, you may need to recompile the kernel.
The following commands can be used to load the tpm driver:
$ sudo modprobe tpm_bios
$ sudo modprobe tpm
$ sudo modprobe tpm_tis force=1 interrupts=0
$ dmesg
...
[xxx.yyy] tpm_tis tpm_tis: 1.2 TPM (device-id 0x4A10, rev-id 78)
If a line like the one above is displayed, the driver was loaded successfully.
Install trousers and tpm-tools to manage the TPM.
$ sudo /etc/init.d/tcsd start
The command above starts the management daemon (tcsd).
Then, check whether the TPM is available.
$ sudo tpm_version
TPM Version: 01010000
Manufacturer info: 53544d20
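The checks up to this point (driver modules present, tpm_tis probe line in dmesg, tpm_version answering) can be scripted before taking ownership. The following is an added example, not part of the original post: the function names are hypothetical, and it assumes the Manufacturer info value is four ASCII bytes printed as hex.

```sh
#!/bin/sh
# Added example: pre-flight checks for the steps above. Function names are
# hypothetical; they read tool output on stdin so they can be tested offline.

# Print the driver modules (from the modprobe steps) that are missing from a
# module directory. $1 defaults to the running kernel's TPM driver directory.
missing_tpm_modules() {
    dir="${1:-/lib/modules/$(uname -r)/kernel/drivers/char/tpm}"
    missing=""
    for m in tpm_bios tpm tpm_tis; do
        if [ ! -f "$dir/$m.ko" ]; then
            missing="$missing $m"
        fi
    done
    echo "${missing# }"
}

# Read kernel log text on stdin and print "<device-id> <rev-id>" from the
# tpm_tis "1.2 TPM" probe line; return 1 if the driver never reported a TPM.
tpm_tis_probe_info() {
    info=$(sed -n 's/.*tpm_tis[^:]*: 1\.2 TPM (device-id \(0x[0-9A-Fa-f]*\), rev-id \([0-9]*\)).*/\1 \2/p' | head -n 1)
    [ -n "$info" ] || return 1
    echo "$info"
}

# Read tpm_version output on stdin and print the "Manufacturer info" hex value
# decoded to ASCII (assumption: 4 ASCII bytes); return 1 if the field is absent.
tpm_manufacturer() {
    hex=$(sed -n 's/.*Manufacturer [Ii]nfo:[[:space:]]*\([0-9A-Fa-f]\{8\}\).*/\1/p' | head -n 1)
    [ -n "$hex" ] || return 1
    out=""
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}   # first two hex digits
        hex=${hex#??}
        out="$out$(printf "\\$(printf '%03o' "0x$byte")")"
    done
    echo "$out"
}

# Typical use on a live system:
#   missing_tpm_modules
#   dmesg | tpm_tis_probe_info
#   sudo tpm_version | tpm_manufacturer
```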
Okay. Now let's initialize the TPM chip.
$ sudo tpm_takeownership
Enter owner password: xxxxxx
Confirm password: xxxxxx
Enter SRK password: yyyyyyyy
Confirm password: yyyyyyyy
Remember! This command can be executed only once! Do not try to run it again afterwards!
If the following error occurs:
Tspi_TPM_GetPubEndorsementKey failed: 0x00000023 - layer=tpm, code=0023 (35), No EK
This means the endorsement key does not exist. Create it with the following command:
$ sudo tpm_createek
OK! Then we can get the public endorsement key:
$ sudo tpm_getpubek
Enter the owner password.
Install TrustedGRUB, and then modify some of the files.
There is another important thing!
In the kernel source file drivers/char/tpm/tpm_tis.c:
[...]
static struct pnp_device_id tpm_pnp_tbl[] __devinitdata = {
	{"PNP0C31", 0},		/* TPM */
	{"ATM1200", 0},		/* Atmel */
	{"IFX0102", 0},		/* Infineon */
	{"BCM0101", 0},		/* Broadcom */
	{"NSC1200", 0},		/* National */
	/* Add new here */
	{"", 0},		/* User Specified */
	{"", 0}			/* Terminator */
};
[...]
At the /* User Specified */ entry we can add our own TPM UID (if it already exists), which allows the kernel to support the TPM model we need.
You can obtain it with the IASL software, which is not described here.
The above is a simple attempt at the BIOS -> bootloader stage of trusted boot.
In fact, TrustedGRUB also has security bugs, such as not performing hashing during CD boot, but it is open source. If you need or want to improve it, you can do it yourself, and it is not difficult.
The next part of trusted boot includes initrd and init. It is the most complicated part of the entire trusted boot process. I will also clarify the process in my next piece of work and try my best to make some improvements.