Signing Key Example

We're going to demonstrate how to exercise a TPM signing key using TrouSerS, tpm-tools, and their testsuite. We're going to be building everything from source. The test host for this example was running 32-bit Ubuntu 11.04. You may need to chase down a few packages:

sudo aptitude install build-essential automake autoconf libtool autopoint

Step 1: Get the source code for TrouSerS, tpm-tools, and testsuite. TrouSerS, tpm-tools, and testsuite all use the 'git' revision control system: [http://sourceforge.net/scm/?type=git&group_id=126012 TrouSerS git info page]

username@host:~$ mkdir trousers; cd trousers
username@host:~/trousers$ git clone git://trousers.git.sourceforge.net/gitroot/trousers/trousers trousers-git
username@host:~/trousers$ git clone git://trousers.git.sourceforge.net/gitroot/trousers/tpm-tools tpm-tools-git
username@host:~/trousers$ git clone git://trousers.git.sourceforge.net/gitroot/trousers/testsuite testsuite-git

Step 1b: If you proceed naively, you will get compilation errors, because Ubuntu 11.04's gcc is newer and generates some warnings, causing -Werror to break things. So you must edit configure.in and remove '-Werror'. Also note that I've changed directory.

username@host:~/trousers/trousers-git$ vi configure.in

Step 2: Build and install TrouSerS

username@host:~/trousers/trousers-git$ bash bootstrap.sh
username@host:~/trousers/trousers-git$ ./configure --enable-debug
username@host:~/trousers/trousers-git$ make
username@host:~/trousers/trousers-git$ sudo make install

Step 3: Same thing (including Werror shenanigans) for tpm-tools:

username@host:~/trousers/trousers-git$ cd ../tpm-tools-git/
username@host:~/trousers/tpm-tools-git$ vi configure.in
username@host:~/trousers/tpm-tools-git$ bash bootstrap.sh
username@host:~/trousers/tpm-tools-git$ ./configure --enable-debufg
username@host:~/trousers/tpm-tools-git$ make
username@host:~/trousers/tpm-tools-git$ sudo make install

Step 4: There's a good chance you'll get dynamic linker problems if you don't do this:

username@host:~/trousers/testsuite-git$ sudo ldconfig

Step 5: Build testsuite

username@host:~/trousers/tpm-tools-git$ cd ../testsuite-git/tcg
username@host:~/trousers/testsuite-git/tcg$ make

Okay, now we're done compiling things. We need to make sure tcsd is running. Since we built it with debug enabled, it will generate a lot of output. We want to capture that somewhere. I suggest you run it in a separate terminal at first to see what happens.

username@host:~/trousers/testsuite-git/tcg$ sudo tcsd -f

Confirm that you can communicate with the TPM:

username@host:~/trousers/testsuite-git/tcg$ tpm_selftest

If you've already taken ownership of your TPM, the newly compiled version of TrouSerS may balk because it can't find the SRK. Rather than try to debug that, I just reset my TPM using my system's BIOS. If your system is in a state that prevents that, then a few more steps are required to copy over TrouSerS' existing state. Not explained here, but it is possible.

username@host:~/trousers/testsuite-git/tcg$ tpm_takeownership

For purposes of discussion, let's assume we set both the owner and SRK passwords to 'tpm' (without quotes). They need to be something that can be assigned to an environment variable (so no null bytes, etc). An alternative is to edit testsuite-git/tcg/include/common.h in the testsuite and recompile, but this is easier from the perspective of explaining things.

Reading the public EK is a good test that you have taken ownership successfully and are capable of entering the right owner password.

username@host:~/trousers/testsuite-git/tcg$ tpm_getpubek

Now let's test the new SRK auth value using tpm_sealdata.

username@host:~/trousers/testsuite-git/tcg$ echo hello > hello.in
username@host:~/trousers/testsuite-git/tcg$ tpm_sealdata -i hello.in -o hello.out
username@host:~/trousers/testsuite-git/tcg$ cat hello.out

Now we've got our system in a configuration where we can actually exercise a testsuite app that does some signing. Let's set the environment variables that control the auth values used for testing. Look at include/common.h and common/common.c in testsuite-git/tcg.

username@host:~/trousers/testsuite-git/tcg$ grep _SECRET include/common.h
username@host:~/trousers/testsuite-git/tcg$ export TESTSUITE_OWNER_SECRET=tpm
username@host:~/trousers/testsuite-git/tcg$ export TESTSUITE_SRK_SECRET=tpm

username@host:~/trousers/testsuite-git/tcg$ find . -name "*Sign*.c"

This one looks decent (see the steps that it performs in the comments in its source code):

username@host:~/trousers/testsuite-git/tcg$ less highlevel/hash/Tspi_Hash_Sign04.c

Give it a try:

username@host:~/trousers/testsuite-git/tcg$ ./highlevel/hash/Tspi_Hash_Sign04 -v 1.2

Now, the other terminal window where 'sudo tcsd -f' was running should have produced a bunch of raw dumps of bytes exchanged with the TPM. I suggest you take those apart a little bit to understand what's really going on. Note that tcsd will invoke a lot of GetCapability commands that discover TPM information that you may be willing to bake into your PAL as assumptions.