-
-
Save kuhlmannmarkus/aa9006db3eb7a6d2526f6a7c54e01348 to your computer and use it in GitHub Desktop.
TPM 2.0 Device Identity Attestation Samples
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Dependencies | |
# tpm2-tools-4.0.1-1.fc31.x86_64 | |
# tpm2-tss-2.3.1-1.fc31.x86_64 | |
# tpm2-tss-engine-master | |
set -euxo pipefail | |
export TPM2TOOLS_TCTI="device:/dev/tpmrm0" | |
tpm2_print_handles () { | |
for i in transient saved-session loaded-session; | |
do | |
tpm2_getcap handles-$i; | |
done | |
} | |
tpm2_flush_handles () { | |
for i in transient-object saved-session loaded-session; | |
do | |
tpm2_flushcontext --$i; | |
done | |
} | |
enroll_with_ek () { | |
echo "Enrolling with Endorsement Key" | |
# Clear the TPM | |
tpm2_clear | |
# Create Endorsement Key | |
tpm2_createprimary -c ek.ctx -C e | |
tpm2_readpublic -c ek.ctx -o ek.pub > ek.yaml | |
cat ek.yaml | grep '^name:' | awk '{ print $2 }' > ek.name | |
# Generate the nonce and credential for challenge | |
openssl rand -hex 6 > nonce.plain | |
tpm2_makecredential -T none -e ek.pub -s nonce.plain -n $(cat ek.name) -o nonce.encrypted | |
# Decrypt nonce with Endorsement Key | |
tpm2_activatecredential -c ek.ctx -C ek.ctx -i nonce.encrypted -o nonce.decrypted | |
# Validate nonce | |
diff nonce.decrypted nonce.plain | |
} | |
enroll_with_srk () { | |
echo "Enrolling with Storage Root Key" | |
# Clear the TPM | |
tpm2_clear | |
# Create Endorsement Key | |
tpm2_createek -c ek.ctx | |
tpm2_readpublic -c ek.ctx -o ek.pub > ek.yaml | |
cat ek.yaml | grep '^name:' | awk '{ print $2 }' > ek.name | |
# Create Storage Root Key | |
tpm2_startauthsession --policy-session -S session.ctx | |
tpm2_policysecret -S session.ctx -c 0x4000000B | |
tpm2_create -C ek.ctx -P "session:session.ctx" -G rsa2048 -u srk.pub -r srk.priv \ | |
-a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth' | |
tpm2_flushcontext session.ctx | |
tpm2_startauthsession --policy-session -S session.ctx | |
tpm2_policysecret -S session.ctx -c 0x4000000B | |
tpm2_load -C ek.ctx -P "session:session.ctx" -u srk.pub -r srk.priv -c srk.ctx | |
tpm2_flushcontext session.ctx | |
tpm2_evictcontrol -C o -c srk.ctx 0x81010002 | |
tpm2_readpublic -c srk.ctx > srk.yaml | |
cat srk.yaml | grep '^name:' | awk '{ print $2 }' > srk.name | |
# Generate the nonce and credential for challenge | |
openssl rand -hex 6 > nonce.plain | |
tpm2_makecredential -T none -e ek.pub -s nonce.plain -n $(cat srk.name) -o nonce.encrypted | |
# Decrypt nonce with Endorsement Key | |
tpm2_startauthsession --policy-session -S session.ctx | |
tpm2_policysecret -S session.ctx -c 0x4000000B | |
tpm2_activatecredential -C ek.ctx -P "session:session.ctx" -c 0x81010002 -i nonce.encrypted -o nonce.decrypted | |
tpm2_flushcontext session.ctx | |
# Validate nonce | |
diff nonce.decrypted nonce.plain | |
} | |
enroll_with_ak () { | |
echo "Enrolling with Atestation Key" | |
# Clear the TPM | |
tpm2_clear | |
# Create Endorsment Key | |
tpm2_createek -c ek.ctx -G rsa -u ek.pub | |
# Create Attestation Key | |
tpm2_createak -C ek.ctx -c ak.ctx -G rsa -g sha256 -s rsassa | |
tpm2_evictcontrol -C o -c ak.ctx 0x81010002 | |
tpm2_readpublic -c ak.ctx -f pem -o ak.pem > ak.yaml | |
cat ak.yaml | grep '^name:' | awk '{ print $2 }' > ak.name | |
# Generate the nonce and credential for challenge | |
openssl rand -hex 6 > nonce.plain | |
tpm2_makecredential -e ek.pub -s nonce.plain -n $(cat ak.name) -o nonce.encrypted | |
# Decrypt nonce with Endorsement Key | |
tpm2_startauthsession --policy-session -S session.ctx | |
TPM2_RH_ENDORSEMENT=0x4000000B | |
tpm2_policysecret -S session.ctx -c ${TPM2_RH_ENDORSEMENT} | |
tpm2_activatecredential -c 0x81010002 -C ek.ctx -i nonce.encrypted -o nonce.decrypted -P "session:session.ctx" | |
tpm2_flushcontext session.ctx | |
# Generate Attestation Quote | |
tpm2_quote -c 0x81010002 -l sha256:0,1,2,3,4,5,6,7,8,9 -q $(cat nonce.decrypted) -m quote.message -s quote.signature -o quote.pcrs -g sha256 | |
# Validate Attestation Quote in the server | |
tpm2_checkquote -u ak.pem -m quote.message -s quote.signature -f quote.pcrs -g sha256 -q $(cat nonce.plain) | |
} | |
enroll_with_csr () { | |
echo "Enrolling with Certificate Signing Request" | |
# Clear the TPM | |
tpm2_clear | |
# Create Endorsement Key | |
tpm2_createprimary -c ek.ctx -C e | |
tpm2_readpublic -c ek.ctx -o ek.pub > ek.yaml | |
cat ek.yaml | grep '^name:' | awk '{ print $2 }' > ek.name | |
# Create Private Enrollment Key | |
tpm2_create -C ek.ctx -G ecc:ecdsa -g sha256 -u key.pub -r key.priv -a 'sign|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' | |
tpm2_load -C ek.ctx -u key.pub -r key.priv -c key.ctx | |
tpm2_evictcontrol -C o -c key.ctx 0x817FFFFF | |
tpm2_readpublic -c key.ctx > key.yaml | |
cat key.yaml | grep '^name:' | awk '{ print $2 }' > key.name | |
# Generate the Certificate Signing Request | |
echo "[ req ]" > csr.cnf | |
echo "default_bits = 2048" >> csr.cnf | |
echo "distinguished_name = req_distinguished_name" >> csr.cnf | |
echo "prompt = no" >> csr.cnf | |
echo "[ req_distinguished_name ]" >> csr.cnf | |
echo "C = US" >> csr.cnf | |
echo "ST = Oregon" >> csr.cnf | |
echo "L = Hillsboro" >> csr.cnf | |
echo "O = Intel Corp" >> csr.cnf | |
echo "OU = Internet of Things Group" >> csr.cnf | |
echo "CN = [email protected]" >> csr.cnf | |
openssl req -new -key 0x817FFFFF -engine tpm2tss -keyform engine -out key.csr -config csr.cnf | |
# Generate the nonce and credential for challenge | |
openssl rand -hex 6 > nonce.plain | |
tpm2_makecredential -T none -e ek.pub -s nonce.plain -n $(cat key.name) -o nonce.encrypted | |
# Decrypt nonce with Endorsement Key | |
tpm2_activatecredential -c 0x817FFFFF -C ek.ctx -i nonce.encrypted -o nonce.decrypted | |
# Validate nonce | |
diff nonce.decrypted nonce.plain | |
} | |
case "${1-}" in | |
ek) | |
enroll_with_ek | |
;; | |
srk) | |
enroll_with_srk | |
;; | |
ak) | |
enroll_with_ak | |
;; | |
csr) | |
enroll_with_csr | |
;; | |
*) | |
echo $"Usage ${0} {ek|srk|ak|csr}" | |
exit 1 | |
esac |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment