Skip to content

Instantly share code, notes, and snippets.

@tobyp

tobyp/tss-with-tpm2go.md

Created June 30, 2022 18:31
Show Gist options
  • Save tobyp/aed5598188088f4abbeb737b408e5287 to your computer and use it in GitHub Desktop.
Save tobyp/aed5598188088f4abbeb737b408e5287 to your computer and use it in GitHub Desktop.
Download ZIP
TPM2-TSS with TPM2Go Support
Raw
tss-with-tpm2go.md

Testing TPM2-TSS for LetsTrust TMP2Go

1. Build TPM2-TSS with necessary patches for LetsTrust TPM2Go

Check out the branch and all tags:

git clone --branch letstrust2go --tags https://github.com/tobyp/tpm2-tss

This is a version that is rebased onto a recent (3.2.0) version of tpm2-tss. The original TPM2Go implementation is at https://github.com/PeterHuewe/tpm2-tss/tree/letstrust2go (Hopefully to be updated soon). (NOTE for updaters: the build process uses git tags to figure out the version of the code, and if code changes are pushed without the corresponding tags, an old version number will be built into the libraries. Use git push --tags $REMOTE $BRANCH to push tags along.)

Build and install (we need to install so the tpm2-tools build can find it via pkg-config):

cd tpm2-tss
./bootstrap
./configure
make
sudo make install
cd ..

This installs to /usr/local/lib; at least for ArchLinux, this will not interfere with the "productive" version of the tpm2-tss pacman package.

2. Build TPM2-Tools on top of this modified version of TPM2-TSS

Check it out:

git clone https://github.com/tpm2-software/tpm2-tools.git

Build and install:

cd tpm2-tools
./bootstrap
PKG_CONFIG_PATH=$PWD/../tpm2-tss/lib ./configure
make
sudo make install
cd ..

UDev rules for TPM2Go

Create the file /etc/udev/rules.d/60-tpm2go.rules

ATTRS{idVendor}=="04b4", ATTRS{idProduct}=="0004", TAG+="uaccess"

Activate it:

sudo udevadm control --reload

If you had the TPM2Go plugged in already, remove and re-insert it now.

You can check that the access rights are granted correctly by reading the udev database entry for the LetsTrust-TPM2Go:

sudo udevadm info -e | awk 'BEGIN { DEV=""; } /P:/ { DEV=""; } /.+/ { DEV=DEV $0 "\n"; } /^$/ { if (match(DEV,"LetsTrust-TPM2Go")) {printf DEV;} }'

There should be a E: TAGS=:uaccess:seat: property.

Test it!

The TSS binaries in /usr/local/bin already link to the TSS libraries in /usr/local/lib, but TCTI modules are loaded using dlopen(3) (i.e. ld.so(8) semantics), so LD_LIBRARY_PATH is needed.

LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/tpm2_getrandom -T "spi-usb"

In the current state of the code, this will error:

WARNING:esys:src/tss2-esys/api/Esys_GetCapability.c:303:Esys_GetCapability_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_GetCapability.c:107:Esys_GetCapability() Esys Finish ErrorCode (0x00000100) 
ERROR: Esys_GetCapability(0x100) - tpm:error(2.0): TPM not initialized by TPM2_Startup or already initialized
ERROR: Unable to run /usr/local/bin/tpm2_getrandom
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment