TPM resume with commands

TPM

Features overview of tmp2-tools (commands examples from the course slides), using /dev/tpm0 under the hood

  • tpm2_getcap -l list the capabilities/features of the TPM, todo test
  • tpm2_getcap handles-transient: list entries in the transient zone (volatile memory)
  • tpm2_getcap handles-persistent: same but for NVRAM
  • tpm2_flushcontext: remove a specified handle or more RSA
  • tpm2_createprimary -C o -G rsa2048 -c o_primary.ctx: create a primary key in RSA in the owner hierarchy (-C) and save a context file o_primary.ctx
  • tpm2_evictcontrol -c o_primary.ctx: move the key referenced in NVRAM if currently in VRAM, otherwise delete it if present in NVRAM already.
  • tpm2_create -C o_primary -G rsa2048 -u child_public -r child_private: create a child key with parent key referenced in o_primary.
  • tpm2_load -C o_primary -u child_public -r child_private -c child: load the key
  • tpm2_rsaencrypt -c child -s rsaes clearfile -o encryptedfile: Encrypt a textfile clearfile with RSA into encryptedfile with the key loaded in context child by tpm2_load. Warning: hard limit of clearfile size to be key length - padding...
  • tpm2_rsadecrypt -c child -s rsaes encryptedfile -o clearfile: do the reverse, to decrypt the file
  • tpm2_sign -c child -g sha256 -o file.sign file: create a signature with RSA using SHA256. Warning: the hash is made by the TPM, for performance reasons, be careful if the file is big.
  • tpm2_verifysignature -c child -g sha256 -s file.sign -m file: do the reverse, verify the RSA signature
  • tpm2_loadexternal -C o -G rsa -u rsa_pub.pem -c rsa_pub: import public keys generated outside the TPM
  • tpm2_verifysignature -c rsa_pub -g sha256 -f rsassa -s t.sign -m t.txt: verify the RSA signature using an imported public key

AES

  • tpm2_create -C primary -G aes128cbc -u aeskey.pub -r aeskey.priv: create a child key (not a primary key) in AES 128 CBC
  • tpm2_load -C primary -u aeskey.pub -r aeskey.priv -c aeskey: load this key in the transient area
  • echo -n 234sdfweaw34rft6 > IV : you have to choose an IV manually before encryption/decryption
  • tpm2_encryptdecrypt -c aeskey -e --iv=IV --pad -o encryptedfile clearfile: AES encryption -e
  • tpm2_encryptdecrypt -c aeskey -d --iv=IV -o clearfile encryptedfile: AES decryption -d

PCR and Seals

  • tpm2_pcrread: read all hash values in all algo types
  • tpm2_pcrextend 0:sha1=8c8393ac8939430753d7cb568e2f2237bc62d683: extend the PCR 0 in SHA1 with a new hash
  • tpm2_pcrreset 16: reset the PCR number 16 (man page says PCR 0 to 15 are not resettable (being part of SRTM).)

Seals are a way to store (seal) and load (unseal) small amount of data in the TPM.

  • tpm2_create -C primary.ctx -i secret -u secret.pub -r secret.priv: seal the content of file secret (this is not a keypair generation because of the -i)
  • tpm2_readpublic -c 0x80000001: read the public part of object at given address (to check this address is the new created entry)
  • tpm2_evictcontrol -c 0x80000001: save the sealed object to NVRAM