Setup Virtual TPM
This wiki page describes how to set up IBM's Software TPM 2.0 (a virtual TPM) together with the TPM2 Software Stack (TSS) and the TPM tools associated with it. Apart from the required dependencies, the configure and build commands presented here were obtained from the installation guide in each respective repository. Service configurations are also provided.
The following guide was tested on a Raspberry Pi 3, running Raspbian OS, with kernel 5.10.17.
Because of a compilation issue with tpm2-tools, we opted for a specific release rather than the latest master. The versions and branches of the repositories used are listed below:
- tpm2-tss : master branch with version 3.1.0
- tpm2-tools: release tag with version 4.3.2
- tpm2-abrmd: master branch with version 2.4.0
- ibmtss: version 1661
The following commands, which configure and build the tpm2-tss library, originate from here.
Install the dependencies:
sudo apt -y install autoconf-archive libcmocka0 libcmocka-dev procps iproute2 build-essential git pkg-config gcc libtool automake libssl-dev uthash-dev autoconf doxygen libjson-c-dev libini-config-dev libcurl4-openssl-dev acl
Clone the repository:
git clone https://github.com/tpm2-software/tpm2-tss.git
cd tpm2-tss
If a different configuration of the library is wanted, consult the official installation guide for parameters other than the default ones.
./bootstrap
./configure
Compile:
make -j4
sudo make install
Post install, as recommended in the install guide:
It may be necessary to run ldconfig (as root) to update the run-time bindings before executing a program that links against libsapi or a TCTI library:
sudo ldconfig
Dependencies:
sudo apt-get install pandoc autoconf automake libtool pkg-config gcc libssl-dev libcurl4-gnutls-dev python-yaml uuid-dev
Get the release used in this guide:
mkdir tpm-tools
cd tpm-tools
wget https://github.com/tpm2-software/tpm2-tools/releases/download/4.3.2/tpm2-tools-4.3.2.tar.gz
Unarchive:
tar -xvf tpm2-tools-4.3.2.tar.gz
or clone the master branch:
git clone https://github.com/tpm2-software/tpm2-tools.git
then cd into the directory of whichever you downloaded.
Similar to the previous step, configure and build the repository:
./bootstrap
./configure
make
sudo make install
After the installation is complete, the directory ./tools contains a series of programs that let you interact with the TPM from the command line.
The original installation guide recommends that tpm2-abrmd be run as the tss user/group, or as another unprivileged user/group. If tpm2-tss is already installed, the tss user should already exist; if not, it must be created:
sudo useradd --system --user-group tss
Install the following dependencies if they are not already installed:
sudo apt install libglib2.0-dev
Then the sources can be obtained via git and compiled with make, as with the previous projects.
git clone https://github.com/tpm2-software/tpm2-abrmd.git
cd tpm2-abrmd
Configure:
./bootstrap
./configure
For additional configuration parameters before compilation, consult the installation guide here.
Build:
make
sudo make install
Post installation as mentioned in the guide:
It may be necessary to run ldconfig (as root) to update the run-time bindings before executing a program that links against the tabrmd library.
sudo ldconfig
and
The dbus-daemon will also need to be instructed to read this configuration file (assuming it's installed in a location consulted by dbus-daemon) before the policy will be in effect. This is typically accomplished by sending the dbus-daemon the HUP signal like so:
sudo pkill -HUP dbus-daemon
To obtain the virtual TPM 2.0, its source code must be downloaded and compiled. At the time this guide was written, the latest version was 1.6.0.
Download the sources:
mkdir ibmtss
cd ibmtss
wget https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1661.tar.gz
Untar:
tar -xvf ibmtpm1661.tar.gz
cd src
Compile:
make
sudo make install
Now you can run the TPM server as follows:
./tpm_server
Compared to a physical TPM, which is exposed as a Linux device, the virtual TPM exposes a TCP socket that allows similar interactions with it. Next, we must configure the TPM resource manager (tpm2-abrmd) to connect to the port opened by tpm_server instead of the default /dev/tpm0 device. This requires some changes to the tpm2-abrmd service unit.
If you followed a configuration similar to the one in this guide, the service file should be located at /usr/local/lib/systemd/system/tpm2-abrmd.service.
[Unit]
Description=TPM2 Access Broker and Resource Management Daemon
# These settings are needed when using the device TCTI. If the
# TCP mssim is used then the settings should be commented out.
- After=dev-tpm0.device
+ #After=dev-tpm0.device
- Requires=dev-tpm0.device
+ #Requires=dev-tpm0.device
[Service]
Type=dbus
BusName=com.intel.tss2.Tabrmd
- ExecStart=/usr/local/sbin/tpm2-abrmd
+ ExecStart=/usr/local/sbin/tpm2-abrmd --tcti=mssim:host=localhost,port=2321 User=tss
[Install]
WantedBy=multi-user.target
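Review bot: in the [Service] hunk, `User=tss` is appended to the `ExecStart=` line, so systemd will hand it to tpm2-abrmd as a command-line argument instead of running the daemon as the tss user that the D-Bus policy below grants ownership of com.intel.tss2.Tabrmd to. Put it on its own line in the same section:
ExecStart=/usr/local/sbin/tpm2-abrmd --tcti=mssim:host=localhost,port=2321
User=tss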
After modifying the file, we must reload the unit files using:
sudo systemctl daemon-reload
Last but not least, cd to the cloned tpm2-abrmd repository and copy the following file so that the tss user can access D-Bus:
sudo cp dist/tpm2-abrmd.conf /etc/dbus-1/system.d/tpm2-abrmd.conf
The tpm2-abrmd.conf should look like this:
<busconfig>
  <policy user="tss">
    <allow own="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy user="root">
    <allow own="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.intel.tss2.Tabrmd"/>
    <allow receive_sender="com.intel.tss2.Tabrmd"/>
  </policy>
</busconfig>
Change the ownership of /dev/tpm0 to tss:
sudo chown tss:tss /dev/tpm0
Now we can restart tpm2-abrmd, and it will try to connect to the virtual TPM on localhost port 2321.
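To check the simulator independently of tpm2-abrmd, here is a small client for the socket protocol the virtual TPM exposes (an added example, not part of this wiki or of the IBM or tpm2-software projects). It assumes tpm_server is listening on the default ports 2321 (commands) and 2322 (platform control) on localhost, and that tpm2-abrmd is stopped while it runs, since the simulator serves one connection at a time.

```python
import socket
import struct

# Simulator control codes (IBM simulator, TcpServer.c).
TPM_SIGNAL_POWER_ON, TPM_SEND_COMMAND, TPM_SIGNAL_NV_ON, TPM_SESSION_END = 1, 8, 11, 20
# TPM 2.0 constants for the two commands used below.
TPM_ST_NO_SESSIONS, TPM_CC_STARTUP, TPM_CC_GETRANDOM, TPM_SU_CLEAR = 0x8001, 0x0144, 0x017B, 0
TPM_RC_SUCCESS, TPM_RC_INITIALIZE = 0x0000, 0x0100  # 0x100 means Startup was already run

def tpm_command(cc, params=b""):
    """Encode a sessionless TPM2 command: tag, total size, command code, params."""
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(params), cc) + params

def mssim_frame(tpm_cmd, locality=0):
    """Wrap a command for port 2321: u32 TPM_SEND_COMMAND, u8 locality, u32 length, body."""
    return struct.pack(">IBI", TPM_SEND_COMMAND, locality, len(tpm_cmd)) + tpm_cmd

def parse_mssim_response(data):
    """Unwrap u32 length, TPM response, u32 ack (zero); return (rc, response parameters)."""
    (length,) = struct.unpack(">I", data[:4])
    resp, ack = data[4:4 + length], data[4 + length:8 + length]
    if ack != b"\0\0\0\0" or len(resp) < 10:
        raise ValueError("malformed simulator response")
    _tag, size, rc = struct.unpack(">HII", resp[:10])
    if size != length:
        raise ValueError("TPM response size mismatch")
    return rc, resp[10:]

def health_check(host="localhost", cmd_port=2321, plat_port=2322):
    """Power on the simulator, run Startup(CLEAR) and return 16 bytes from GetRandom."""
    with socket.create_connection((host, plat_port)) as plat, plat.makefile("rb") as rd:
        for code in (TPM_SIGNAL_POWER_ON, TPM_SIGNAL_NV_ON):  # same signals the mssim TCTI sends
            plat.sendall(struct.pack(">I", code))
            if rd.read(4) != b"\0\0\0\0":
                raise RuntimeError(f"platform signal {code} rejected")
        plat.sendall(struct.pack(">I", TPM_SESSION_END))
    with socket.create_connection((host, cmd_port)) as cmd, cmd.makefile("rb") as rd:
        def exchange(cc, params):
            cmd.sendall(mssim_frame(tpm_command(cc, params)))
            head = rd.read(4)  # response length, then the response itself and the u32 ack
            return parse_mssim_response(head + rd.read(struct.unpack(">I", head)[0] + 4))
        rc, _ = exchange(TPM_CC_STARTUP, struct.pack(">H", TPM_SU_CLEAR))
        if rc not in (TPM_RC_SUCCESS, TPM_RC_INITIALIZE):
            raise RuntimeError(f"Startup failed: rc={rc:#x}")
        rc, body = exchange(TPM_CC_GETRANDOM, struct.pack(">H", 16))
        cmd.sendall(struct.pack(">I", TPM_SESSION_END))
    if rc != TPM_RC_SUCCESS:
        raise RuntimeError(f"GetRandom failed: rc={rc:#x}")
    return body[2:2 + struct.unpack(">H", body[:2])[0]]  # TPM2B_DIGEST: u16 size + bytes
```

Calling health_check() and hex-encoding the result shows 16 random bytes from the simulator; a TPM_RC_INITIALIZE on Startup is tolerated because the TPM may already have been started by a previous client.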