TPM 2.0 Device Identity Attestation Samples

enrollment.sh

#!/bin/bash

# Dependencies
# tpm2-tools-4.0.1-1.fc31.x86_64
# tpm2-tss-2.3.1-1.fc31.x86_64
# tpm2-tss-engine-master

set -euxo pipefail

export TPM2TOOLS_TCTI="device:/dev/tpmrm0"

tpm2_print_handles () {
  for i in transient saved-session loaded-session;
  do
     tpm2_getcap handles-$i;
  done
}

tpm2_flush_handles () {
  for i in transient-object saved-session loaded-session;
  do
     tpm2_flushcontext --$i;
  done

}

enroll_with_ek () {
  echo "Enrolling with Endorsement Key"

  # Clear the TPM
  tpm2_clear

  # Create Endorsement Key
  tpm2_createprimary -c ek.ctx -C e
  tpm2_readpublic -c ek.ctx -o ek.pub > ek.yaml
  cat ek.yaml | grep '^name:' | awk '{ print $2 }' > ek.name

  # Generate the nonce and credential for challenge
  openssl rand -hex 6 > nonce.plain
  tpm2_makecredential -T none -e ek.pub -s nonce.plain -n $(cat ek.name) -o nonce.encrypted

  # Decrypt nonce with Endorsement Key
  tpm2_activatecredential -c ek.ctx -C ek.ctx -i nonce.encrypted -o nonce.decrypted

  # Validate nonce
  diff nonce.decrypted nonce.plain
}

enroll_with_srk () {
  echo "Enrolling with Storage Root Key"

  # Clear the TPM
  tpm2_clear

  # Create Endorsement Key
  tpm2_createek -c ek.ctx
  tpm2_readpublic -c ek.ctx -o ek.pub > ek.yaml
  cat ek.yaml | grep '^name:' | awk '{ print $2 }' > ek.name

  # Create Storage Root Key
  tpm2_startauthsession --policy-session -S session.ctx
  tpm2_policysecret -S session.ctx -c 0x4000000B
  tpm2_create -C ek.ctx -P "session:session.ctx" -G rsa2048 -u srk.pub -r srk.priv \
              -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth'
  tpm2_flushcontext session.ctx
  tpm2_startauthsession --policy-session -S session.ctx
  tpm2_policysecret -S session.ctx -c 0x4000000B
  tpm2_load -C ek.ctx -P "session:session.ctx" -u srk.pub -r srk.priv -c srk.ctx
  tpm2_flushcontext session.ctx
  tpm2_evictcontrol -C o -c srk.ctx 0x81010002
  tpm2_readpublic -c srk.ctx > srk.yaml
  cat srk.yaml | grep '^name:' | awk '{ print $2 }' > srk.name

  # Generate the nonce and credential for challenge
  openssl rand -hex 6 > nonce.plain
  tpm2_makecredential -T none -e ek.pub -s nonce.plain -n $(cat srk.name) -o nonce.encrypted

  # Decrypt nonce with Endorsement Key
  tpm2_startauthsession --policy-session -S session.ctx
  tpm2_policysecret -S session.ctx -c 0x4000000B
  tpm2_activatecredential -C ek.ctx -P "session:session.ctx" -c 0x81010002 -i nonce.encrypted -o nonce.decrypted
  tpm2_flushcontext session.ctx

  # Validate nonce
  diff nonce.decrypted nonce.plain
}

enroll_with_ak () {
  echo "Enrolling with Atestation Key"

  # Clear the TPM
  tpm2_clear

  # Create Endorsment Key
  tpm2_createek -c ek.ctx -G rsa -u ek.pub

  # Create Attestation Key
  tpm2_createak -C ek.ctx -c ak.ctx -G rsa -g sha256 -s rsassa
  tpm2_evictcontrol -C o -c ak.ctx 0x81010002
  tpm2_readpublic -c ak.ctx -f pem -o ak.pem > ak.yaml
  cat ak.yaml | grep '^name:' | awk '{ print $2 }' > ak.name

  # Generate the nonce and credential for challenge
  openssl rand -hex 6 > nonce.plain
  tpm2_makecredential -e ek.pub -s nonce.plain -n $(cat ak.name) -o nonce.encrypted

  # Decrypt nonce with Endorsement Key
  tpm2_startauthsession --policy-session -S session.ctx
  TPM2_RH_ENDORSEMENT=0x4000000B
  tpm2_policysecret -S session.ctx -c ${TPM2_RH_ENDORSEMENT}
  tpm2_activatecredential -c 0x81010002 -C ek.ctx -i nonce.encrypted -o nonce.decrypted -P "session:session.ctx"
  tpm2_flushcontext session.ctx

  # Generate Attestation Quote
  tpm2_quote -c 0x81010002 -l sha256:0,1,2,3,4,5,6,7,8,9 -q $(cat nonce.decrypted) -m quote.message -s quote.signature -o quote.pcrs -g sha256

  # Validate Attestation Quote in the server
  tpm2_checkquote -u ak.pem -m quote.message -s quote.signature -f quote.pcrs -g sha256 -q $(cat nonce.plain)
}

enroll_with_csr () {
  echo "Enrolling with Certificate Signing Request"

  # Clear the TPM
  tpm2_clear

  # Create Endorsement Key
  tpm2_createprimary -c ek.ctx -C e
  tpm2_readpublic -c ek.ctx -o ek.pub > ek.yaml
  cat ek.yaml | grep '^name:' | awk '{ print $2 }' > ek.name

  # Create Private Enrollment Key
  tpm2_create -C ek.ctx -G ecc:ecdsa -g sha256 -u key.pub -r key.priv -a 'sign|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda'
  tpm2_load -C ek.ctx -u key.pub -r key.priv -c key.ctx
  tpm2_evictcontrol -C o -c key.ctx 0x817FFFFF
  tpm2_readpublic -c key.ctx > key.yaml
  cat key.yaml | grep '^name:' | awk '{ print $2 }' > key.name

  # Generate the Certificate Signing Request
  echo "[ req ]" > csr.cnf
  echo "default_bits = 2048" >> csr.cnf
  echo "distinguished_name = req_distinguished_name" >> csr.cnf
  echo "prompt = no" >> csr.cnf
  echo "[ req_distinguished_name ]" >> csr.cnf
  echo "C = US" >> csr.cnf
  echo "ST = Oregon" >> csr.cnf
  echo "L = Hillsboro" >> csr.cnf
  echo "O = Intel Corp" >> csr.cnf
  echo "OU = Internet of Things Group" >> csr.cnf
  echo "CN = [email protected]" >> csr.cnf
  openssl req -new -key 0x817FFFFF -engine tpm2tss -keyform engine -out key.csr -config csr.cnf

  # Generate the nonce and credential for challenge
  openssl rand -hex 6 > nonce.plain
  tpm2_makecredential -T none -e ek.pub -s nonce.plain -n $(cat key.name) -o nonce.encrypted

  # Decrypt nonce with Endorsement Key
  tpm2_activatecredential -c 0x817FFFFF -C ek.ctx -i nonce.encrypted -o nonce.decrypted

  # Validate nonce
  diff nonce.decrypted nonce.plain
}

case "${1-}" in
  ek)
    enroll_with_ek
    ;;
  srk)
    enroll_with_srk
    ;;
  ak)
    enroll_with_ak
    ;;
  csr)
    enroll_with_csr
    ;;
  *)
    echo $"Usage ${0} {ek|srk|ak|csr}"
    exit 1
esac