File Date Author Commit
 include 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 AUTHORS 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 COPYING 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 ChangeLog 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 Makefile.am 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 NEWS 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 README 2011-07-14 John D. Ramsdell [ec5505] more spec fixes
 README_win32.txt 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 configure.ac 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 control 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 createek.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 loadkey.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 notes.txt 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 pcr_mask.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 quote.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 quote_nonce.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 takeownership.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 tidy.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 toutf16le.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 tpm-quote-tools.spec.in 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 tpm_getpcrhash.8 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 tpm_getpcrhash.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 tpm_getquote.8 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 tpm_getquote.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 tpm_loadkey.8 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 tpm_loadkey.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 tpm_mkaik.8 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 tpm_mkaik.c 2017-05-23 Matthias Gerstner [17f5bb] fixed tpm_mkaik when SRK password is in effect
 tpm_mkuuid.8 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 tpm_mkuuid.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 tpm_quote.h 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 tpm_quote_tools.8 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 tpm_unloadkey.8 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 tpm_unloadkey.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 tpm_updatepcrhash.8 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 tpm_updatepcrhash.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 tpm_verifyquote.8 2017-01-18 John D. Ramsdell [402730] Added program descriptions to NAME sections in ...
 tpm_verifyquote.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 tss_err.c 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 tss_errs 2011-03-11 John D. Ramsdell [a575ce] initial checkin
 win32.txt 2011-03-11 John D. Ramsdell [a575ce] initial checkin

Read Me

			   TPM Quote Tools

The TPM Quote Tools is a collection of programs that provide support
for TPM based attestation using the TPM quote mechanism.  The manual
page for tpm_quote_tools provides a usage overview.

TPM Quote Tools has been tested with TrouSerS on Linux and NTRU on
Windows XP.  It was ported to Windows using MinGW and MSYS.

DEPENDENCIES

This package requires the TSS TSPI libraries and the TPM tools.
On Debian, the packages are:

libtspi1      	  TCG Software Stack (library)
libtspi-dev	  TCG Software Stack (development)
trousers	  TCG Software Stack (daemon)
tpm-tools	  Management tools for the TPM hardware (tools)

On Red Hat Linux, the packages are:

trousers      	  TCG Software Stack (library and daemon)
trousers-devel	  TCG Software Stack (development)
tpm-tools	  Management tools for the TPM hardware (tools)

The management tools are only used to take ownership of a TPM.

TO CONFIGURE AND BUILD

$ ./configure
$ make

On Windows, if the name of the TSS library is not tspi, specify the
library during configuration by defining LIBS.

$ ./configure LIBS=-l<library>

TO RUN:

Make one UUID for all of your TPMs, and then on each machine, do the
following.

Ensure the TPM driver is present with

$ dmesg | grep tpm

If nothing is printed, run sudo modprobe tpm_tis and check again.

If nothing, ensure your TPM is turned on in the BIOS setup.

You can run the TPM daemon in the foreground with:

$ sudo tcsd -f

Start the daemon with:

$ sudo /etc/init.d/trousers start

To load the TPM driver at boot time, add the name of the driver on a
separate line of text in the file /etc/modules.  The trousers daemon
will be started for you at boot time.

Next, make sure you have an endorsement key by running

$ tpm_getpubek

If you don't have one, run

$ tpm_createek

Be patient, it takes a while to create the key.

I took ownership with the command:

$ tpm_takeownership -y -z

Now generate an AIK with tpm_mkaik, load and register the key with
tpm_loadkey, generate a PCR composite hash with tpm_getpcrhash,
produce a quote with tpm_getquote, and validate it with
tpm_verifyquote.

When getting the quote, make a nonce with:

$ openssl sha1 -binary tpm_verifyquote > nonce
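The nonce is what binds a quote to one attestation request. The command
above yields the same 20 bytes every time it is run against the same
binary, so a verifier that needs to rule out a replayed quote issues a
fresh random nonce per request and accepts it once.  The following is an
added example, not part of TPM Quote Tools; NONCE_DIR, new_nonce and
claim_nonce are hypothetical names, and the session id is any label the
verifier chooses.

```shell
#!/bin/sh
# Added example (not from TPM Quote Tools): verifier-side nonce bookkeeping.
# NONCE_DIR, new_nonce and claim_nonce are hypothetical names.

NONCE_LEN=20                       # same size `openssl sha1 -binary` emits
NONCE_DIR=${NONCE_DIR:-./nonces}   # where issued nonces are tracked

# new_nonce ID: create a fresh random nonce for session ID and print the
# path of the file to hand to the machine that will produce the quote.
new_nonce() {
    mkdir -p "$NONCE_DIR" || return 1
    f="$NONCE_DIR/$1.nonce"
    # A session id is never reissued, whether pending or already used.
    if [ -e "$f" ] || [ -e "$f.used" ]; then
        return 1
    fi
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -out "$f" "$NONCE_LEN" || return 1
    else
        head -c "$NONCE_LEN" /dev/urandom > "$f" || return 1
    fi
    printf '%s\n' "$f"
}

# claim_nonce ID: release the issued nonce for quote verification exactly
# once.  Prints the path to use when validating the quote; a second call
# for the same ID fails, so a replayed quote has no nonce to match.
claim_nonce() {
    f="$NONCE_DIR/$1.nonce"
    [ -f "$f" ] || return 1        # unknown session or already claimed
    [ "$(wc -c < "$f" | tr -d ' ')" -eq "$NONCE_LEN" ] || return 1
    mv "$f" "$f.used" && printf '%s\n' "$f.used"
}
```

The file printed by new_nonce is the nonce given to tpm_getquote on the
attested machine; the file printed by claim_nonce is the verifier's own
copy to check the returned quote against.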

REMOTE ACCESS

Some TPM Quote Tools programs can access a TPM on a remote machine.
To allow remote access to a TPM, the local daemon must allow both
quote and loadkey operations.  For TrouSerS, add the following to
/etc/tcsd.conf.

	remote_ops = loadkey,quote

TPM QUOTE VERSION

By default, this package will use TPM quote 2 when available.  Use the
configure option --without-tss12 to force the use of the original
version of TPM quote.

RED HAT PACKAGE BUILD

Within a distribution, type:

$ rpmbuild -ba tpm-quote-tools.spec

DEBIAN PACKAGE BUILD

Within a distribution, type:

$ dh_make -s --createorig -c bsd -e "John D. Ramsdell <ramsdell@mitre.org>"
$ cp control debian
$ dpkg-buildpackage

ACKNOWLEDGMENT

Early on, code was inspired by Hal Finney's code on
http://privacyca.com.