All of lore.kernel.org
 help / color / mirror / Atom feed
* [tpm2] Stablishing trust on to TPM simulator
@ 2020-05-20 14:08 
  0 siblings, 0 replies; only message in thread
From:  @ 2020-05-20 14:08 UTC (permalink / raw)
  To: tpm2

[-- Attachment #1: Type: text/plain, Size: 2023 bytes --]

Hello, everyone :)

I am creating a demo where I attest the state of a machine (VM) using a simulated TPM. I think I've done properly the core operations of my demonstration, but I'm still wondering how would I stablish trust with TPM in this simulated scenario.

I think that in a real setup, with a real TPM, there may be a service that validates the TPM Ek certificate. Is there something similar I could do in simulation mode, or I would have to mock this action (in simulation environment)?

Also, in case I have a real TPM, how would I use this service (for instance, with a TPM from Intel)? Where would I check the parameters of this API?


-------- 
More info on my setup:
The TPM I am using is simulated. Thus, my setup involves installing the SWTPM (https://github.com/stefanberger/swtpm.git and https://github.com/stefanberger/libtpms.git), QEMU (https://github.com/qemu/qemu), and EDK2 (https://github.com/tianocore/edk2.git).
When configuring my simulator, I run it with --createek, --create-ek-cert, and --create-platform-cert flag, as follows: 

sudo swtpm_setup --tpmstate ${VTPM_DIR_PATH} --createek --create-ek-cert --create-platform-cert --allow-signing --tpm2

Through Qemu, I am able to start a VM with TPM2 features, and then I install TSS (https://github.com/tpm2-software/tpm2-tss), ABRMD (https://github.com/tpm2-software/tpm2-abrmd), and TPM2_TOOLS (https://github.com/tpm2-software/tpm2-tools). This setup allows me to try out TPM in simulation mode.

Steps of attestation:
1. (VM to be attested) getting the public portion of my endorsement key
2. (VM to be attested) creating an attestation key (AK)
3. (VM to be attested) quoting given PCRs with freshly created AK (outputing the quote, pcrs, and signature)
4. (Attestator VM) run python program that checks quote signatue, and checks if value of PCR digest from quote matches an expected value 

Missing step:
1. (Attestator VM) check if vendor root certificates validate the EK certificate
-------- 

Best regards

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2020-05-20 14:08 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-20 14:08 [tpm2] Stablishing trust on to TPM simulator 

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.