From 43df19dec5a118a6bcd81dd7c853d1b6a7fd12ba Mon Sep 17 00:00:00 2001 From: "xu.xinbj" Date: Wed, 11 Oct 2023 10:58:05 +0800 Subject: [PATCH] modify code block format --- src/anolisos-tpm2-tools.md | 223 ++++++++++++++++++++++---------- src/anolisos-tpm2-tss-engine.md | 82 ++++++++---- 2 files changed, 211 insertions(+), 94 deletions(-) diff --git a/src/anolisos-tpm2-tools.md b/src/anolisos-tpm2-tools.md index 96b5724..5a051c5 100644 --- a/src/anolisos-tpm2-tools.md +++ b/src/anolisos-tpm2-tools.md @@ -26,16 +26,19 @@ tool="tpm2_startup" version="" tctis="libtss2-tctildr" tcti-default=tcti-abrmd tpm2_startup工具可执行TPM2_CC_Startup命令使能TPM2.0芯片 ``` tpm2_startup -V #执行TPM2_SU_STATE类型的startup -INFO on line: "54" in file: "tools/tpm2_startup.c": Sending TPM_Startup command with type: TPM2_SU_STATE +INFO on line: "54" in file: "tools/tpm2_startup.c": \ +Sending TPM_Startup command with type: TPM2_SU_STATE tpm2_startup -c -V #执行TPM2_SU_CLEAR类型的startup -INFO on line: "54" in file: "tools/tpm2_startup.c": Sending TPM_Startup command with type: TPM2_SU_CLEAR +INFO on line: "54" in file: "tools/tpm2_startup.c": \ +Sending TPM_Startup command with type: TPM2_SU_CLEAR ``` tpm2_getcap工具可执行TPM2_CC_GetCapability命令获取TPM2.0芯片信息 ``` tpm2_getcap algorithms -V #获取TPM2.0芯片支持的算法信息 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x0, property: 0x1 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x0, property: 0x1 rsa: value: 0x1 asymmetric: 1 @@ -49,7 +52,8 @@ rsa: ..... tpm2_getcap commands -V #获取TPM2.0芯片支持的命令码 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x2, property: 0x11f +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x2, property: 0x11f TPM2_CC_NV_UndefineSpaceSpecial: value: 0x440011F commandIndex: 0x11f 
@@ -64,7 +68,8 @@ TPM2_CC_NV_UndefineSpaceSpecial: ...... tpm2_getcap properties-fixed -V #获取TPM2.0芯片固定属性信息 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x6, property: 0x100 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x6, property: 0x100 TPM2_PT_FAMILY_INDICATOR: raw: 0x322E3000 value: "2.0" @@ -82,7 +87,8 @@ TPM2_PT_MANUFACTURER: ..... tpm2_getcap ecc-curves -V #获取TPM2.0芯片支持的椭圆曲线信息 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x8, property: 0x1 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x8, property: 0x1 TPM2_ECC_NIST_P192: 0x1 TPM2_ECC_NIST_P224: 0x2 TPM2_ECC_NIST_P256: 0x3 @@ -91,13 +97,15 @@ TPM2_ECC_BN_P256: 0x10 ...... tpm2_getcap handles-nv-index -V #获取已定义的NV空间句柄 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x1, property: 0x1000000 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x1, property: 0x1000000 - 0x1691D65 - 0x1C00002 - 0x1C0000A tpm2_getcap handles-transient -V #获取暂存对象句柄 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x1, property: 0x80000000 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x1, property: 0x80000000 - 0x80000000 - 0x80000001 ``` @@ -109,12 +117,14 @@ TPM2.0密钥管理采用加密存储的方式,每一密钥都有父密钥, ``` tpm2_createprimary -C o -G rsa -c rsaprimary.ctx -V #在TPM_RH_Owner Hierary创建RSA算法的 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x5, property: 0x0 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x5, property: 0x0 name-alg: value: sha256 raw: 0xb attributes: - value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt + value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth \ + |restricted|decrypt raw: 0x30072 type: value: rsa 
@@ -134,21 +144,36 @@ sym-mode: value: cfb raw: 0x43 sym-keybits: 128 -rsa: 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 -INFO on line: "190" in file: "lib/files.c": Save TPMS_CONTEXT->savedHandle: 0x80000000 +rsa: b7a9f512d495edc54b0fae7a76c8f72a3708f0de4d6a6a08a73547c4d \ +f6fddb15e5bf9a94fb5a63ecdeb62e18138d93be4d4522ac12a091b354bab5 \ +e4e36dde30b17ae4e84bf5d72a5447f2bfb3e6bc53b9ba847d85c0ec016935 \ +4e301dbd9d83ba45a43747d55b54152639786741116da666bfa2fa583e317f \ +d1757309a1904c933fae6e92502a01b72bc3f46cc7665852b1a93d3b3344e9 \ +5aa254ba4f7d9345916648a7a667a5ae275894a2789b46dff6a26cc8dc4cd8 \ +3e848ac7e23a2fa7a0d2091eacb1cd40851eb0bdccb7ebdd1ad8057d1fbc1c \ +be54ceacba3e4a90157cfa53adf22f88a7c730b4b1584dff596c62f88ade2a \ +8a7c9d67f36f6db169b4f +INFO on line: "190" in file: "lib/files.c": \ +Save TPMS_CONTEXT->savedHandle: 0x80000000 ``` 2)创建密钥 ``` -tpm2_create -C rsaprimary.ctx -G rsa -u rsa.public -r rsa.private -V #以上一步创建的PrimaryObject为父密钥,创建RSA算法的密钥 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x5, property: 0x0 -INFO on line: "362" in file: "lib/files.c": Assuming tpm context file -INFO on line: "293" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x80000000 +tpm2_create -C rsaprimary.ctx -G rsa -u rsa.public \ +-r rsa.private -V #以上一步创建的PrimaryObject为父密钥,\ +创建RSA算法的密钥 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x5, property: 0x0 +INFO on line: "362" in file: "lib/files.c": \ +Assuming tpm context file +INFO on line: "293" in file: "lib/files.c": \ +load: TPMS_CONTEXT->savedHandle: 0x80000000 name-alg: value: sha256 raw: 0xb attributes: - value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign + value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth \ + |decrypt|sign raw: 0x60072 type: value: rsa 
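Review bot: The backslash that now ends the comment on the `tpm2_create` line (`#以上一步创建的PrimaryObject为父密钥,\`) does not carry the comment onto the next line: bash terminates a `#` comment at the newline whatever precedes it, so if this block is pasted the fragment `创建RSA算法的密钥` is executed as a separate command. Keep the comment whole by moving it to its own line after the last continued argument, i.e. `-r rsa.private -V` followed by `#以上一步创建的PrimaryObject为父密钥,创建RSA算法的密钥`. The same ` \` suffix has been appended to the `INFO on line:` messages and to the hex dump of the public key, which are tool output rather than shell input, so the backslash there only misrepresents what tpm2-tools prints; wrapping those lines without a continuation marker (or leaving them long) is more faithful.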
@@ -168,7 +193,15 @@ sym-mode: value: (null) raw: 0x0 sym-keybits: 0 -rsa: 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 +rsa: d01e9a0f80a79c7248b29e66535a16c43ff0ad70f5f6773d048bb6e9178 \ +78f91ac53f672091b8103123123bce8603d761e7b39eb12b4a286816068c40c4 \ +af5bd6296bc565913acc69fa5b4485835f1493a180cfb41ec6d18828f195941a \ +6446f55794ab8a304e78d2cf04e52d36a98ae94a70f8fa868dcbd8cf58c909df \ +684f0dc1f41ba27bcd86097cb8ae0d3cc50d5fba3ea6efd5780a605536f8a60a \ +a95350a0db6d639f5c25732ed4ab122df37d258d6786e0fbb123fc18eab71ed4 \ +21c9200b1ebfc47ab5ab0e12a3566fcac5e97b1343ab022bf6ba8a94a1c4b795 \ +46208806e3561d405bfdcbd7b2e7205a3fc73ed8e54cac847d32a06f0aec291e \ +fb27f ``` 注:由于TPM2.0芯片中存储空间有限,并不无限加载密钥,tpm2-tools在管理密钥方面,会将生成的密钥通过TPM2_CC_ContextSave将密钥信息导出到文件保存,当使用密钥时,先通过TPM2_CC_ContextLoad将密钥信息加载至芯片中,再使用该密钥。 ##### RSA算法加密/解密 
@@ -176,23 +209,37 @@ rsa: d01e9a0f80a79c7248b29e66535a16c43ff0ad70f5f6773d048bb6e917878f91ac53f672091 ``` tpm2_create -C rsaprimary.ctx -G rsa -u rsa.public -r rsa.private #创建RSA算法的密钥 -tpm2_load -C rsaprimary.ctx -u rsa.public -r rsa.private -c rsa-enc-key.ctx -V #执行TPM2_CC_Load命令将创建的RSA密钥加载至TPM芯片中 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x5, property: 0x0 -INFO on line: "362" in file: "lib/files.c": Assuming tpm context file -INFO on line: "293" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x80000000 -name: 000b0b8d6e072c99c31c90856d9758ca1d2068147e028c8073914e4a17a85e573fca -INFO on line: "190" in file: "lib/files.c": Save TPMS_CONTEXT->savedHandle: 0x80000000 +tpm2_load -C rsaprimary.ctx -u rsa.public -r rsa.private \ +-c rsa-enc-key.ctx -V #执行TPM2_CC_Load命令将创建的RSA密钥加 \ +载至TPM芯片中 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x5, property: 0x0 +INFO on line: "362" in file: "lib/files.c": \ +Assuming tpm context file +INFO on line: "293" in file: "lib/files.c": \ +load: TPMS_CONTEXT->savedHandle: 0x80000000 +name: 000b0b8d6e072c99c31c90856d9758ca1d2068147e028c \ +8073914e4a17a85e573fca +INFO on line: "190" in file: "lib/files.c": \ +Save TPMS_CONTEXT->savedHandle: 0x80000000 echo 12345 > data.txt #生成明文 -tpm2_rsaencrypt -c rsa-enc-key.ctx -o cipher.bin data.txt -V #使用RSA密钥加密data.txt文件,将密文输出到cipher.bin文件中 -INFO on line: "362" in file: "lib/files.c": Assuming tpm context file -INFO on line: "293" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x80000000 - -tpm2_rsadecrypt -c rsa-enc-key.ctx -o data-dec.txt cipher.bin -V #使用RSA密钥解密密文,并将密文输出到data-dec.txt文件 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x5, property: 0x0 -INFO on line: "362" in file: "lib/files.c": Assuming tpm context file -INFO on line: "293" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x80000000 +tpm2_rsaencrypt -c rsa-enc-key.ctx -o cipher.bin 
data.txt -V \ +#使用RSA密钥加密data.txt文件,将密文输出到cipher.bin文件中 +INFO on line: "362" in file: "lib/files.c": \ +Assuming tpm context file +INFO on line: "293" in file: "lib/files.c": \ +load: TPMS_CONTEXT->savedHandle: 0x80000000 + +tpm2_rsadecrypt -c rsa-enc-key.ctx -o data-dec.txt cipher.bin -V \ +#使用RSA密钥解密密文,并将密文输出到data-dec.txt文件 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x5, property: 0x0 +INFO on line: "362" in file: "lib/files.c": \ +Assuming tpm context file +INFO on line: "293" in file: "lib/files.c": \ +load: TPMS_CONTEXT->savedHandle: 0x80000000 diff data-dec.txt data.txt #明文与解密后文件对比 ``` 
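Review bot: The `tpm2_load` comment in this hunk is split as `…将创建的RSA密钥加 \` / `载至TPM芯片中`; a `#` comment ends at the newline in bash regardless of the trailing backslash, so `载至TPM芯片中` becomes a stray command when the block is pasted. Place the comment on a line of its own after `-c rsa-enc-key.ctx -V`, the way the rewritten `tpm2_rsaencrypt` and `tpm2_rsadecrypt` lines in the same hunk already do (`… -V \` then `#…` on the next line). The `INFO` lines that gained a ` \` are program output, not commands, and the marker there is only cosmetic.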
@@ -200,29 +247,46 @@ diff data-dec.txt data.txt #明文与解密后文件对比 ##### RSA算法签名/验签 ``` -tpm2_create -C rsaprimary.ctx -G rsa -u rsa.public -r rsa.private #创建RSA算法的密钥 +tpm2_create -C rsaprimary.ctx -G rsa -u rsa.public \ +-r rsa.private #创建RSA算法的密钥 -tpm2_load -C rsaprimary.ctx -u rsa.public -r rsa.private -c rsa-sign-key.ctx -V #执行TPM2_CC_Load命令将创建的RSA密钥加载至TPM芯片中 +tpm2_load -C rsaprimary.ctx -u rsa.public -r rsa.private \ +-c rsa-sign-key.ctx -V #执行TPM2_CC_Load命令将创建的RSA密钥 \ +加载至TPM芯片中 echo "rsasign" > rsasigndata.txt #生成签名内容 -tpm2_sign -c rsa-sign-key.ctx -o rsa-sig.bin rsasigndata.txt -V #使用RSA密钥对rsasigndata.txt签名,将签名信息写入rsa-sig.bin文件 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x5, property: 0x0 -INFO on line: "362" in file: "lib/files.c": Assuming tpm context file -INFO on line: "293" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x80000000 +tpm2_sign -c rsa-sign-key.ctx -o rsa-sig.bin rsasigndata.txt -V +#使用RSA密钥对rsasigndata.txt签名,将签名信息写入rsa-sig.bin文件 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x5, property: 0x0 +INFO on line: "362" in file: "lib/files.c": \ +Assuming tpm context file +INFO on line: "293" in file: "lib/files.c": \ +load: TPMS_CONTEXT->savedHandle: 0x80000000 -tpm2_verifysignature -c rsa-sign-key.ctx -s rsa-sig.bin -m rsasigndata.txt #使用RSA密钥验签 +tpm2_verifysignature -c rsa-sign-key.ctx -s rsa-sig.bin \ +-m rsasigndata.txt #使用RSA密钥验签 echo "rsasign1" > rsasign1data.txt #构建异常数据 -tpm2_verifysignature -c rsa-sign-key.ctx -s rsa-sig.bin -m rsasign1data.txt -V #对异常数据签名验签 -INFO on line: "362" in file: "lib/files.c": Assuming tpm context file -INFO on line: "293" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x80000000 -WARNING:esys:src/tss2-esys/api/Esys_VerifySignature.c:302:Esys_VerifySignature_Finish() Received TPM Error -ERROR:esys:src/tss2-esys/api/Esys_VerifySignature.c:103:Esys_VerifySignature() Esys Finish ErrorCode (0x000002db) -ERROR on line: "53" in 
file: "lib/log.h": Esys_VerifySignature(0x2DB) - tpm:parameter(2):the signature is not valid -ERROR on line: "259" in file: "tools/tpm2_verifysignature.c": Verify signature failed! -ERROR on line: "147" in file: "tools/tpm2_tool.c": Unable to run tpm2_verifysignature +tpm2_verifysignature -c rsa-sign-key.ctx -s rsa-sig.bin \ +-m rsasign1data.txt -V #对异常数据签名验签 +INFO on line: "362" in file: "lib/files.c": \ +Assuming tpm context file +INFO on line: "293" in file: "lib/files.c": \ +load: TPMS_CONTEXT->savedHandle: 0x80000000 +WARNING:esys:src/tss2-esys/api/Esys_VerifySignature.c:302:Esys_VerifySignature_Finish() \ +Received TPM Error +ERROR:esys:src/tss2-esys/api/Esys_VerifySignature.c:103:Esys_VerifySignature() \ +Esys Finish ErrorCode (0x000002db) +ERROR on line: "53" in file: "lib/log.h": \ +Esys_VerifySignature(0x2DB) - tpm:parameter(2):\ +the signature is not valid +ERROR on line: "259" in file: "tools/tpm2_verifysignature.c": \ +Verify signature failed! +ERROR on line: "147" in file: "tools/tpm2_tool.c": \ +Unable to run tpm2_verifysignature ``` ##### ECC算法签名/验签 @@ -230,11 +294,13 @@ ERROR on line: "147" in file: "tools/tpm2_tool.c": Unable to run tpm2_verifysign ``` tpm2_create -C rsaprimary.ctx -G ecc -u ecc.public -r ecc.private #创建ECC算法的密钥 -tpm2_load -C rsaprimary.ctx -u ecc.public -r ecc.private -c ecc-sign-key.ctx -V #执行TPM2_CC_Load命令将创建的ECC密钥加载至TPM芯 片中 +tpm2_load -C rsaprimary.ctx -u ecc.public -r ecc.private -c ecc-sign-key.ctx -V \ +#执行TPM2_CC_Load命令将创建的ECC密钥加载至TPM芯 片中 echo "eccsign" > eccsigndata.txt #生成签名内容 -tpm2_sign -c ecc-sign-key.ctx -o ecc-sig.bin eccsigndata.txt -V #使用ECC密钥对eccsigndata.txt签名,将签名信息写入ecc-sig.bin文件 +tpm2_sign -c ecc-sign-key.ctx -o ecc-sig.bin eccsigndata.txt -V \ +#使用ECC密钥对eccsigndata.txt签名,将签名信息写入ecc-sig.bin文件 tpm2_verifysignature -c ecc-sign-key.ctx -s ecc-sig.bin -m eccsigndata.txt #使用ECC密钥验签 ``` 
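Review bot: The new `tpm2_create -C rsaprimary.ctx -G rsa -u rsa.public \` / `-r rsa.private` lines create the signing key with tpm2-tools' default attributes, which the `tpm2_create` output earlier in this patch shows as `fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign`. A key that carries both `decrypt` and `sign` can, depending on the scheme, be driven through `tpm2_rsadecrypt` as a raw RSA private-key operation, so anyone holding its (here empty) user auth can mint signature-shaped outputs without `tpm2_sign`; for a signing example pass an explicit attribute set without `decrypt`, e.g. `-a 'fixedtpm|fixedparent|sensitivedataorigin|userwithauth|sign'`, and a `-p` auth value. Separately, the `tpm2_load` comment is split as `…将创建的RSA密钥 \` / `加载至TPM芯片中`; bash ends a `#` comment at the newline irrespective of the backslash, so the second fragment runs as a stray command when pasted — move the comment to its own line as the `tpm2_sign` line in this hunk does.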
@@ -243,24 +309,34 @@ tpm2_verifysignature -c ecc-sign-key.ctx -s ecc-sig.bin -m eccsigndata.txt #使 TPM2.0芯片内置了NVRAM(Non-Volatile Random Access Memory,非易失性随机访问存储器),用于存放数据。TPM2.0芯片NVRAM读写需要授权,因此可用于存放敏感数据。TPM2.0 NV空间需要要先定义才能进行读写操作,使用完毕后要释放已定义的空间。 ``` -tpm2_nvdefine -C o -s 100 0x01800001 -V #在TPM_RH_Owner特权域中创建100字节的存储空间,空间索引为0x01800001 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x5, property: 0x0 +tpm2_nvdefine -C o -s 100 0x01800001 -V +#在TPM_RH_Owner特权域中创建100字节的存储空间,空间索引为0x01800001 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x5, property: 0x0 nv-index: 0x1800001 echo "1234567890" > nv.txt #生成存储数据 -tpm2_nvwrite -i nv.txt -C o 0x01800001 -V #向NVRAM 0x01800001写入数据 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x5, property: 0x0 -INFO on line: "80" in file: "tools/tpm2_nvwrite.c": The data(size=11) to be written: -INFO on line: "1657" in file: "lib/tpm2.c": Success to write NV area at index 0x1800001 offset 0x0. - -tpm2_nvread -C o 0x01800001 -V #读取NVRAM 0x01800001中的内容 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x5, property: 0x0 +tpm2_nvwrite -i nv.txt -C o 0x01800001 -V \ +#向NVRAM 0x01800001写入数据 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x5, property: 0x0 +INFO on line: "80" in file: "tools/tpm2_nvwrite.c": \ +The data(size=11) to be written: +INFO on line: "1657" in file: "lib/tpm2.c": \ +Success to write NV area at index 0x1800001 offset 0x0. + +tpm2_nvread -C o 0x01800001 -V \ +#读取NVRAM 0x01800001中的内容 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x5, property: 0x0 1234567890 tpm2_nvundefine -C o 0x01800001 -V #释放NVRAM 0x1800001 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x5, property: 0x0 -INFO on line: "1580" in file: "lib/tpm2.c": Success to release NV area at index 0x1800001. 
+INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x5, property: 0x0 +INFO on line: "1580" in file: "lib/tpm2.c": \ +Success to release NV area at index 0x1800001. ``` #### 4、TPM2.0 PCR功能 TPM2.0 PCR(Platform Configuration Register, 平台配置寄存器)是TPM2.0中与完整性相关的信息存储空间。PCR的更新方法叫做扩展(Extend),扩展是一种单向的加密操作,保证度量值不被篡改。 @@ -322,9 +398,11 @@ sha256: echo "123" > pcr.txt #生成扩展数据 sha256sum pcr.txt #计算扩展数据sha256摘要值 -181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b pcr.txt +181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b \ +pcr.txt -tpm2_pcrextend 10:sha256=181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b -V #将pcr.txt摘要值扩展至PCR4 SHA-256 Bank中 +tpm2_pcrextend 10:sha256=181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b -V \ +#将pcr.txt摘要值扩展至PCR4 SHA-256 Bank中 ``` #### 5、TPM2.0死锁功能 @@ -333,7 +411,8 @@ TPM2.0中与死锁相关的属性有maxTries(最大允许授权失败次数)、l ``` tpm2_getcap properties-variable -V #获取与DA相关的属性 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x6, property: 0x200 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x6, property: 0x200 ...... TPM2_PT_LOCKOUT_COUNTER: 0x0 TPM2_PT_MAX_AUTH_FAIL: 0x3 
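Review bot: The new `tpm2_nvdefine -C o -s 100 0x01800001 -V` line defines the index with no `-a` attributes and no `-p` index auth, and none of the owner-hierarchy commands in this hunk (`tpm2_nvwrite`, `tpm2_nvread`, `tpm2_nvundefine`) pass `-P`, so as written the area appears to be gated only by an empty owner authorization. The paragraph above says NVRAM is suitable for sensitive data because reads and writes need authorization, which does not hold in this configuration. If the example is meant to show protected storage, set an index auth (`-p`) or a policy on define and pass it to `tpm2_nvwrite`/`tpm2_nvread`, or add a sentence stating that with an empty owner/index auth the area is readable by any process that can open the TPM device. Whether owner auth is actually empty on the target system is not visible in the patch; this is inferred from the commands shown.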
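Review bot: The comment on the rewritten `tpm2_pcrextend 10:sha256=… -V \` line says the digest is extended into PCR4, but the command targets PCR 10; make the text match the index, `#将pcr.txt摘要值扩展至PCR10 SHA-256 Bank中`, or change the index to match the text. PCR 10 is also the register IMA uses on many Linux systems, so a manual extend there perturbs an existing measurement log on a measured host; a resettable debug PCR such as 16 is the usual choice for a tutorial — worth confirming against the platform's PCR allocation before picking one.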
@@ -341,12 +420,16 @@ TPM2_PT_LOCKOUT_INTERVAL: 0x3E8 TPM2_PT_LOCKOUT_RECOVERY: 0x3E8 ...... -tpm2_dictionarylockout -s -l 300 -t 300 -n 10 -V #设定maxTries为10次,lockoutRecovery为300秒,recoveryTime为300秒 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x5, property: 0x0 -INFO on line: "1110" in file: "lib/tpm2.c": Setting up Dictionary Lockout parameters. +tpm2_dictionarylockout -s -l 300 -t 300 -n 10 -V \ +#设定maxTries为10次,lockoutRecovery为300秒,recoveryTime为300秒 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x5, property: 0x0 +INFO on line: "1110" in file: "lib/tpm2.c": \ +Setting up Dictionary Lockout parameters. tpm2_getcap properties-variable -V -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x6, property: 0x200 +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x6, property: 0x200 ...... TPM2_PT_LOCKOUT_COUNTER: 0x0 TPM2_PT_MAX_AUTH_FAIL: 0xA @@ -355,6 +438,8 @@ TPM2_PT_LOCKOUT_RECOVERY: 0x12C ...... tpm2_dictionarylockout -c -V #重置死锁计数器 -INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x5, property: 0x0 -INFO on line: "1099" in file: "lib/tpm2.c": Resetting dictionary lockout state. +INFO on line: "44" in file: "lib/tpm2_capability.c": \ +GetCapability: capability: 0x5, property: 0x0 +INFO on line: "1099" in file: "lib/tpm2.c": \ +Resetting dictionary lockout state. ``` diff --git a/src/anolisos-tpm2-tss-engine.md b/src/anolisos-tpm2-tss-engine.md index 5a1b0fc..5971a5f 100644 --- a/src/anolisos-tpm2-tss-engine.md +++ b/src/anolisos-tpm2-tss-engine.md 
@@ -7,7 +7,8 @@ tpm2-tss-engine利用遵循可信计算组织(Trusted Computing Group,TCG) 根据以下命令在anolis(以Anolis 8.8为例)上安装tpm2-tss-engine ```shell -yum install git automake libtool autoconf autoconf-archive openssl-devel tpm2-tss-devel tpm2-tools make +yum install git automake libtool autoconf autoconf-archive \ +openssl-devel tpm2-tss-devel tpm2-tools make git clone https://github.com/tpm2-software/tpm2-tss-engine.git pushd tpm2-tss-engine ./bootstrap @@ -31,7 +32,11 @@ openssl engine -t -c tpm2tss ``` openssl rand -engine tpm2tss -hex 128 engine "tpm2tss" set. -8a1b6a489fcf1b1fd8324e97cd76ff7e52617373fc43f7227145c69163b85bd15bb77375a4d5a69b998c4717e7b4c8b1bdb1f3b0e3936a6f528d9c90189c022cfeb94f008e35d54407c89229ef7fa338f9be0670e8d4660aa61afcdb6e54dccd6079a9e2f93f3ce1528aa8124fcbbadd5bc7929623ce2afe5802af2317b27a43 +8a1b6a489fcf1b1fd8324e97cd76ff7e52617373fc43f7227145c69163 \ +b85bd15bb77375a4d5a69b998c4717e7b4c8b1bdb1f3b0e3936a6f528d \ +9c90189c022cfeb94f008e35d54407c89229ef7fa338f9be0670e8d466 \ +0aa61afcdb6e54dccd6079a9e2f93f3ce1528aa8124fcbbadd5bc79296 \ +23ce2afe5802af2317b27a43 ``` #### 3、RSA算法功能 @@ -41,7 +46,8 @@ tpm2tss-genkey创建密钥 ``` tpm2tss-genkey -a rsa -s 2048 rsakey #使用tpm2-tss-genkey生成RSA算法密钥 -openssl rsa -engine tpm2tss -inform engine -in rsakey -pubout -outform pem -out rsakey.pub #导出密钥公钥 +openssl rsa -engine tpm2tss -inform engine -in rsakey -pubout \ +-outform pem -out rsakey.pub #导出密钥公钥 engine "tpm2tss" set. writing RSA key @@ -69,7 +75,9 @@ tpm2_evictcontrol -C o -c rsa.ctx #将RSA密钥设置为持久对象 persistent-handle: 0x81000000 action: persisted -openssl rsa -engine tpm2tss -inform engine -in 0x81000000 -pubout -outform pem -out rsatpmkey.pub #导出TPM2中持久对象0x81000000的公钥 +openssl rsa -engine tpm2tss -inform engine -in 0x81000000 \ +-pubout -outform pem -out rsatpmkey.pub \ +#导出TPM2中持久对象0x81000000的公钥 engine "tpm2tss" set. Enter password for user key: writing RSA key 
@@ -91,18 +99,23 @@ owIDAQAB ``` echo 123456 > mydata #创建明文 -openssl pkeyutl -pubin -inkey rsakey.pub -in mydata -encrypt -out mycipher #使用公钥加密数据 +openssl pkeyutl -pubin -inkey rsakey.pub -in mydata -encrypt \ +-out mycipher #使用公钥加密数据 -openssl pkeyutl -engine tpm2tss -keyform engine -inkey rsakey -decrypt -in mycipher -out mycipher-dec #使用私钥解密数据 +openssl pkeyutl -engine tpm2tss -keyform engine -inkey rsakey \ +-decrypt -in mycipher -out mycipher-dec #使用私钥解密数据 diff mydata mycipher-dec #对比原文与解密后的明文 ``` 使用TPM2中已加载密钥加密数据 ``` -openssl pkeyutl -pubin -inkey rsatpmkey.pub -in mydata -encrypt -out mycipher #使用公钥加密数据 +openssl pkeyutl -pubin -inkey rsatpmkey.pub -in mydata -encrypt \ +-out mycipher #使用公钥加密数据 -openssl pkeyutl -engine tpm2tss -keyform engine -inkey 0x81000000 -decrypt -in mycipher -out mycipher-dec #使用TPM2中持久对象0x81000000私钥解密数据 +openssl pkeyutl -engine tpm2tss -keyform engine -inkey 0x81000000 \ +-decrypt -in mycipher -out mycipher-dec +#使用TPM2中持久对象0x81000000私钥解密数据 diff mydata mycipher-dec #对比原文与解密后的明文 ``` 
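Review bot: The rewritten `openssl pkeyutl -pubin -inkey rsakey.pub -in mydata -encrypt` and `… -inkey rsakey -decrypt` lines rely on OpenSSL's default RSA padding, which is PKCS#1 v1.5; for a worked example prefer OAEP by adding `-pkeyopt rsa_padding_mode:oaep` to both the encrypt and the engine-backed decrypt command. Whether the tpm2tss engine path used for `-decrypt` accepts that option on the documented version is not shown in the patch, so verify on the target system before changing the text.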
@@ -110,17 +123,22 @@ diff mydata mycipher-dec #对比原文与解密后的明文 使用tpm2tss-genkey生成的密钥签名验签数据 ``` -openssl pkeyutl -engine tpm2tss -keyform engine -inkey rsakey -sign -in mydata -out mysig #使用tpm2tss-genkey生成的密钥rsakey签名数据 +openssl pkeyutl -engine tpm2tss -keyform engine -inkey rsakey \ +-sign -in mydata -out mysig \ +#使用tpm2tss-genkey生成的密钥rsakey签名数据 -openssl pkeyutl -pubin -inkey rsakey.pub -verify -in mydata -sigfile mysig #使用rsakey的公钥验签 +openssl pkeyutl -pubin -inkey rsakey.pub -verify -in mydata \ +-sigfile mysig #使用rsakey的公钥验签 Signature Verified Successfully ``` 使用TPM2中已加载密钥签名验签 ``` -openssl pkeyutl -engine tpm2tss -keyform engine -inkey 0x81000000 -sign -in mydata -out mysig #使用TPM2中持久对象0x81000000签名数据 +openssl pkeyutl -engine tpm2tss -keyform engine -inkey 0x81000000 \ +-sign -in mydata -out mysig #使用TPM2中持久对象0x81000000签名数据 -openssl pkeyutl -pubin -inkey rsatpmkey.pub -verify -in mydata -sigfile mysig #使用TPM2中持久对象0x81000000的公钥验证签名 +openssl pkeyutl -pubin -inkey rsatpmkey.pub -verify -in mydata \ +-sigfile mysig #使用TPM2中持久对象0x81000000的公钥验证签名 ``` #### 4、ECC算法功能 ##### 创建密钥 @@ -129,7 +147,8 @@ tpm2tss-genkey创建密钥 ``` tpm2tss-genkey -a ecdsa ecckey ##使用tpm2-tss-genkey生成ECC算法密钥,默认椭圆曲线为nist_p256 -openssl ec -engine tpm2tss -inform engine -in ecckey -pubout -outform pem -out ecckey.pub #导出ECC密钥公钥 +openssl ec -engine tpm2tss -inform engine -in ecckey -pubout \ +-outform pem -out ecckey.pub #导出ECC密钥公钥 cat ecckey.pub #读取公钥信息 -----BEGIN PUBLIC KEY----- 
@@ -140,17 +159,21 @@ tuy2ZtDVL6yKkqnEJJZ0insTH+uJyeM0o3qeuKuzmlY+Qh053okXoA8t9w== 使用TPM2中已有ECC算法密钥 ``` -tpm2_createprimary -C o -G ecc -c eccprimary.ctx #创建TPM2 ECC算法Primary Object +tpm2_createprimary -C o -G ecc -c eccprimary.ctx \ +#创建TPM2 ECC算法Primary Object -tpm2_create -C eccprimary.ctx -G ecc -u ecc.pub -r ecc.pri #创建TPM2 ECC密钥 +tpm2_create -C eccprimary.ctx -G ecc -u ecc.pub -r ecc.pri \ +#创建TPM2 ECC密钥 -tpm2_load -C eccprimary.ctx -u ecc.pub -r ecc.pri -c ecc.ctx #将ECC密钥导入TPM2芯片 +tpm2_load -C eccprimary.ctx -u ecc.pub -r ecc.pri -c ecc.ctx +#将ECC密钥导入TPM2芯片 tpm2_evictcontrol -C o -c ecc.ctx #将ECC密钥设置为持久对象 persistent-handle: 0x81000001 action: persisted -openssl ec -engine tpm2tss -inform engine -in 0x81000001 -pubout -outform pem -out ecctpmkey.pub #导出TPM2中持久对象0x81000000的公钥 +openssl ec -engine tpm2tss -inform engine -in 0x81000001 -pubout \ +-outform pem -out ecctpmkey.pub #导出TPM2中持久对象0x81000000的公钥 engine "tpm2tss" set. read EC key Enter password for user key: 
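Review bot: The comment on the new `openssl ec -engine tpm2tss -inform engine -in 0x81000001 -pubout \` / `-outform pem -out ecctpmkey.pub` lines says the public key of persistent object 0x81000000 is exported, but the handle given is 0x81000001, the one `tpm2_evictcontrol` reports three lines earlier. Correct it to `#导出TPM2中持久对象0x81000001的公钥` so a reader checking handles does not confuse this ECC key with the RSA object at 0x81000000 from the earlier section.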
@@ -169,20 +192,26 @@ dSzdfR/+ogYfN/NjvlW18IhKZg0rO2PdIsS2V5neCnffzKwRiVK0CP/Xvw== ``` echo 1234567890 > mydata #创建被签名信息 -openssl dgst -sha256 -out mydata.sha256 -binary mydata #创建被签名信息的摘要值 +openssl dgst -sha256 -out mydata.sha256 -binary mydata +#创建被签名信息的摘要值 -openssl pkeyutl -engine tpm2tss -keyform engine -inkey ecckey -sign -in mydata.sha256 -out mysig #使用tpm2tss-genkey生成的密钥ecckey签名数据 +openssl pkeyutl -engine tpm2tss -keyform engine -inkey ecckey -sign -in mydata.sha256 -out mysig \ +#使用tpm2tss-genkey生成的密钥ecckey签名数据 -openssl pkeyutl -engine tpm2tss -keyform engine -inkey ecckey -verify -in mydata.sha256 -sigfile mysig #使用tpm2tss-genkey生成的密钥ecckey验证签名数据 +openssl pkeyutl -engine tpm2tss -keyform engine -inkey ecckey -verify \ +-in mydata.sha256 -sigfile mysig +#使用tpm2tss-genkey生成的密钥ecckey验证签名数据 engine "tpm2tss" set. Signature Verified Successfully ``` TPM2中已加载密钥签名验签 ``` -openssl pkeyutl -engine tpm2tss -keyform engine -inkey 0x81000001 -sign -in mydata.sha256 -out mysig #使用TPM2中持久对象0x81000001签名数据 +openssl pkeyutl -engine tpm2tss -keyform engine -inkey 0x81000001 \ +-sign -in mydata.sha256 -out mysig #使用TPM2中持久对象0x81000001签名数据 -openssl pkeyutl -engine tpm2tss -keyform engine -inkey 0x81000001 -verify -in mydata.sha256 -sigfile mysig +openssl pkeyutl -engine tpm2tss -keyform engine -inkey 0x81000001 \ +-verify -in mydata.sha256 -sigfile mysig engine "tpm2tss" set. Enter password for user key: Signature Verified Successfully @@ -194,7 +223,8 @@ Signature Verified Successfully ``` tpm2_createprimary -C o -G rsa2048 -c rsaprimary.ctx #创建TPM2 RSA算法Primary Object -tpm2_create -C rsaprimary.ctx -G rsa2048 -u rsa.pub -r rsa.pri #创建TPM2 RSA密钥 +tpm2_create -C rsaprimary.ctx -G rsa2048 -u rsa.pub -r rsa.pri +#创建TPM2 RSA密钥 tpm2_load -C rsaprimary.ctx -u rsa.pub -r rsa.pri -c rsa.ctx #将RSA密钥导入TPM2芯片 
@@ -203,7 +233,8 @@ tpm2_evictcontrol -C o -c rsa.ctx #将RSA密钥设置为持久对象 persistent-handle: 0x81000000 action: persisted -openssl req -new -x509 -engine tpm2tss -keyform engine -key 0x81000000 -out rsa.crt#使用TPM2芯片中持久对象0x81000000生成自签名证书 +openssl req -new -x509 -engine tpm2tss -keyform engine -key 0x81000000 \ +-out rsa.crt#使用TPM2芯片中持久对象0x81000000生成自签名证书 engine "tpm2tss" set. Enter password for user key: You are about to be asked to enter information that will be incorporated @@ -306,5 +337,6 @@ RyknNDUUvkMOkhY= ##### TLS服务器 通过tpm2-tss-engine可使用TPM2自签名证书创建TLS服务 ``` -openssl s_server -cert rsa.crt -key 0x81000000 -keyform engine -engine tpm2tss -accept 8443 #使用TPM2自签名证书创建SSL服务程序 +openssl s_server -cert rsa.crt -key 0x81000000 -keyform engine \ +-engine tpm2tss -accept 8443 #使用TPM2自签名证书创建SSL服务程序 ``` \ No newline at end of file -- Gitee
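Review bot: On the new `-out rsa.crt#使用TPM2芯片中持久对象0x81000000生成自签名证书` line there is no whitespace before `#`, so the shell does not treat it as a comment; the certificate is written to a file literally named `rsa.crt#使用TPM2芯片中持久对象0x81000000生成自签名证书`, and the later `openssl s_server -cert rsa.crt` in this file then cannot find `rsa.crt`. The defect predates this patch, but the line was rewritten here, so fix it now: `-out rsa.crt #使用TPM2芯片中持久对象0x81000000生成自签名证书`.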