Initial Practice of Using TPM for Linux Trusted start

Source: Internet
Author: User
Tags tpm chip

First, you must have a computer with a TPM 1.2 chip and a Linux system.

 

Run the following command to view the system kernel tpm driver:

$ ls -la /lib/modules/`uname -r`/kernel/drivers/char/tpm

Total 100

Drwxr-XR-x 2 root Root 4096 02-03 21:47.

Drwxr-XR-x 7 Root 4096 02-03 21:47 ..

-Rwxr -- r -- 1 Root 9812 01-21 :27 tpm_atmel.ko

-Rwxr -- r -- 1 Root 11128 01-21 :27 tpm_bios.ko

-Rwxr -- r -- 1 Root 15860 01-21 :27 tpm_infineon.ko

-Rwxr -- r -- 1 Root 19184 01-21 :27 TPM. Ko

-Rwxr -- r -- 1 Root 10796 01-21 :27 tpm_nsc.ko

-Rwxr -- r -- 1 Root 16516 01-21 :27 tpm_tis.ko

The tpm_tis module can use tpm1.2. This module is required. If not, you may need to recompile the new kernel.

 

The following commands can be used to load the tpm driver:

 $ sudo modprobe tpm_bios
$ sudo modprobe tpm
$ sudo modprobe tpm_tis force=1 interrupts=0
$ dmesg
...
[xxx.yyy] tpm_tis tpm_tis: 1.2 TPM (device-id 0x4A10, rev-id 78)
If the preceding information is displayed, the setting is successful.

Install trouserst and TPM-tools to manage TPM.
$ sudo /etc/init.d/tcsd start
Use the above command to start this management tool

Then, check whether the TPM is available.
$ sudo tpm_version
TPM Version: 01010000
Manufacturer info: 53544d20

Okay. Now let's initialize the TPM chip.
$ sudo tpm_takeownership
Enter owner password: xxxxxx
Confirm password: xxxxxx
Enter SRK password: yyyyyyyy
Confirm password: yyyyyyyy
Remember! This command can be executed only once! No more common sense later!

If the following error occurs:
Tspi_tpm_getpubendorsementkey failed: 0x00000023-layer = TPM, code = 0023 (35), no ek
Description
Endorsement keyDoes not exist. You need to create the following command.
$ Sudo tpm_createek

OK! Then we can get
Public endorsement key
$ Sudo tpm_getpubek
Enter
Owner password.

Install
Trustedgrub, and then modify some of the files.

There is another important thing!
Drivers/Char/TPM/tpm_tis.c in the kernel source code file
[...] Static struct pnp_device_id tpm_pnp_tbl _ devinitdata = {"pnp0c31", 0},/* TPM */{"ATM 1200", 0},/* Atmel */{"ifx0102 ", 0},/* infineon */{"bcm0101", 0},/* Broadcom */{"nsc1200", 0 }, /* National * // * Add new here */{"", 0},/* user specified */{"", 0}/* Terminator */}; [...]
/* User Specified */Here we can add our own tpmuid (if it already exists), which allows the kernel to support the TPM model we need.

You can useIASLThis software is obtained, which is not described here.



The above is a simple attempt of BIOS> bootloader for trusted boot.
In fact, this trustedgrub also has an insecure bug, such as not performing hash during CD boot, but it is open source. If you need or want to improve it, you can do it yourself, and it is not difficult.

Next part of trusted boot, including initrd and init. It is the most complicated part of the entire process of starting credibility. I will also clarify the process in the next work and try my best to make some improvements.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.