I have been sorting through my notes lately and came across a fairly detailed write-up, so I will practise a little "borrowing" here :) And, in passing, shame on a certain security site for reposting my blog in such a mess :(
1. Preparing the installation environment
1.1 Kernel
Linux kernel 2.6.12 and later provide support for TPM chips. Download address: .
1.2 Algorithm library
The GMP library (gmplib) provides the multi-precision arithmetic the cryptographic code needs. Download address: .
1.3 tpm_emulator
tpm_emulator emulates a TPM chip, i.e. it acts as a virtual chip. The latest version at the moment is 0.5.1; download address: https://developer.berlios.de/project/showfiles.php?group_id=2491
1.4 TSS software stack
The TSS stack consists of TrouSerS, grub-ima, the OpenSSL TPM engine, tpm keyring and tpm-tools. The trousers package provides the TPM API functions, and only trousers is installed here. Download address:
Environment required to build TrouSerS:
Software requirement        Version check command
automake > 1.4              automake --version
autoconf > 1.4              autoconf --version
pkgconfig                   pkg-config --version
libtool                     rpm -qa | grep libtool
gtk2-devel                  pkg-config --list-all | grep gtk    (checks whether gtk is installed)
openssl-devel >= 0.9.8      openssl version -a    (the openssl shipped with Red Hat AS 4.7 is 0.9.7a)
Download address for openssl-0.9.8 and the glibc 2.4 it depends on: ?
Install / uninstall commands: rpm -ivh --force --nodeps XXXX (install), rpm -e --nodeps XXXX (uninstall)
2. Software installation
2.1 Kernel installation
# make menuconfig
Select the following options in the kernel configuration to build the TPM driver into the kernel:
Device Drivers ->
Character devices ->
[*] TPM Hardware Support ->
[*] TPM Interface Specification 1.2 Interface
# make bzImage; make modules; make modules_install; make install
2.2 GMP installation
# ./configure
# make
# make check
# make install
2.3 tpm_emulator installation
# cd /usr/src/linux                 (source directory of the running kernel)
# zcat /proc/config.gz > .config    (keeps the kernel configuration identical to the running one; if /proc/config.gz does not exist, generate .config with make menuconfig instead)
# make oldconfig
# make modules_prepare
# tar -xvzf tpm_emulator-X.Y.tar.gz
# cd tpm_emulator-X.Y
# make
# make install
If make install fails with:
make[1]: Entering directory `/home/akshay/tmp/tpm_emulator-0.5.1/tpmd'
install -m 755 -o tss -g tss -d /var/lib/tpm
install: invalid user `tss'
Fix: replace make install with: sudo make TPMD_USER=root TPMD_GROUP=root install
Initialization
# tpmd deactivated
# killall tpmd
# tpmd clear
# rm /var/run/tpm/tpmd_socket:0     (run this when tpmd reports "failed: address already in use")
Starting the software TPM
# modprobe tpmd_dev                 (if this fails with "FATAL: Module tpmd_dev not found", run depmod -a first)
# tpmd -f -d                        (tpmd -h lists the start-up options)
2.3 TSS installation
2.3.1 Unpack the TrouSerS package
2.3.2 Redirect tddl
Because the TPM emulator is used, the tddl library that trousers links against must be switched to the tddl provided by the TPM emulator before trousers is compiled.
- Change line 4 of ./src/tcsd/Makefile.am from:
tcsd_LDADD=../tcs/libtcs.a ../tddl/libtddl.a -lpthread
to: tcsd_LDADD=../tcs/libtcs.a /usr/lib/libtddl.so -lpthread
- Change line 59 of ./src/tcsd/Makefile.in from:
tcsd_DEPENDENCIES = ../tcs/libtcs.a ../tddl/libtddl.a
to: tcsd_DEPENDENCIES = ../tcs/libtcs.a /usr/lib/libtddl.so
2.3.3 Fix a TrouSerS bug
- Change line 79 of ./src/include/obj_context.h from: struct tcs_api_table *obj_context_get_tcs_api();
to: struct tcs_api_table *obj_context_get_tcs_api(UINT32);
2.3.4 Compile and install
# sh bootstrap.sh
# ./configure --prefix=/usr
# make
# make install
2.3.5 Install the tpm-tools package
# sh bootstrap.sh
# ./configure
# make
# make install
2.3.6 Start TrouSerS
# tcsd
/tpm_emulator-0.5/tddl# make test_tddl    (builds the test)
/tpm_emulator-0.5/tddl# ./test_tddl       (this test program uses parts of tpm-tools)
2. TPM series: tpm-emulator notes (repost)
2009-12-25 14:57
TPM-Emulator notes:
1. tpmd: a user-space daemon that implements the TPM emulation and is accessed through a socket.
2. tpmd_dev: a kernel module that provides the emulated hardware device /dev/tpm, for compatibility with existing back-end software; commands received from the front end are forwarded to tpmd.
3. tddl: the TPM device driver library, which provides the module interface.
Note that the emulator is only compatible with kernel versions 2.5.x and above.
Usage:
// install
# tar -zvxf tpm_emulator-X.Y.tar.gz
# cd tpm_emulator-X.Y
# make
# make install
//
// set up the tpm
# modprobe tpmd_dev    // load the module into the kernel
# tpmd save
Note:
# tpmd [-d] [-f] [-h] [startup mode]
where [-d]: enable debug mode
[-f]: force the application to run in the foreground; the commands you send to tpmd are displayed
[-h]: print this help message
Startup mode: 'clear' discards the previous state, 'save' (the default) restores the previous state, 'deactivated' starts the TPM in the deactivated state
//
// Problems you may run into:
1. Starting in save mode fails because the previously saved state is corrupt and cannot be loaded; it is best to run in clear mode first to wipe it.
2. If the state cannot be cleared, the best approach is to use the 'deactivated' mode to suspend operation and then clear it.
3. You may hit a busy-socket problem that makes the commands unusable; in that case go to the tpm folder under the var directory, delete the current socket file and re-run the command, which re-initializes the socket.
4. When programming against the tddl function interface, it is recommended to start tpmd with the -f option, so you can see which TPM command each function actually issues, which helps understanding.
5. Also, if you do not have the GMP licence file, you can download and install it from the GNU site to make sure the rights of the open-source code are respected; this is also a precondition for installing the open emulator.
Finally you can use tpm-emulator to emulate anything a TPM can do.
3. TPM series: a tpm emulator test program (repost)
2009-12-25 14:58
A simple tpm emulator test program, which generates random numbers and computes a hash through the software TPM. Note that this program works at the TPM driver layer and has nothing to do with the trousers software. You can use it to verify that your tpm emulator was installed successfully.
Code: tpmrandomsha1.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

#define TPM_TAG_RQU_COMMAND 193
#define TPM_TAG_RQU_AUTH1_COMMAND 194
#define TPM_ORD_SHA1Start 160
#define TPM_ORD_SHA1Complete 162
#define TPM_ORD_GetRandom 70

/* First run "modprobe tpmd_dev" and "tpmd -f -d". If a tcsd is running it
 * owns the device and this program cannot be run. */
int main(int argc, char **argv)
{
    int i, fd, res, ret;
    unsigned char buf[256];
    int buf_size = sizeof(buf);
    /* TPM_GetRandom: tag, paramSize = 14, ordinal = 70, bytesRequested = 8 */
    unsigned char random_cmd[] = {0, TPM_TAG_RQU_COMMAND,
                                  0, 0, 0, 14,
                                  0, 0, 0, TPM_ORD_GetRandom,
                                  0, 0, 0, 8};
    /* TPM_SHA1Start: tag, paramSize = 10, ordinal = 160 */
    unsigned char tpm_sha1start[] = {0, TPM_TAG_RQU_COMMAND,
                                     0, 0, 0, 10,
                                     0, 0, 0, TPM_ORD_SHA1Start};
    /* TPM_SHA1Complete: tag, paramSize = 78, ordinal = 162,
     * hashDataSize = 64, followed by the 64 data bytes 1..64 */
    unsigned char tpm_sha1complete[] = {0, TPM_TAG_RQU_COMMAND,
                                        0, 0, 0, 78, 0, 0, 0, TPM_ORD_SHA1Complete,
                                        0, 0, 0, 64,
                                        1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,
                                        33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64};

    (void)argc;
    (void)argv;

    fd = open("/dev/tpm0", O_RDWR);
    if (fd < 0) {
        printf("Error: Open() failed: (%04x)\n ", fd);
        return -1;
    }

    /* 1. TPM_GetRandom: ask the TPM for 8 random bytes */
    printf("sizeof(random_cmd): %d\n", (int)sizeof(random_cmd));
    printf("data in random_cmd: ");
    for (i = 0; i < (int)sizeof(random_cmd); i++)
        printf("%02x", random_cmd[i]);
    printf("\n");
    res = write(fd, random_cmd, sizeof(random_cmd));
    if (res != (int)sizeof(random_cmd)) {
        printf("Error: write random command failed: (%04x)\n ", res);
        close(fd);
        return -1;
    }
    buf_size = 256;
    ret = read(fd, buf, buf_size);
    printf("ret of read random tpm0: %d\n", ret);
    printf("read tpm0 random data: ");
    for (i = 0; i < ret; i++) {
        printf("%02x ", buf[i]);
    }
    printf("\n");

    /* 2. TPM_SHA1Start: open a SHA-1 session; the reply carries maxNumBytes */
    buf_size = 256; /* buf_size > 10 */
    printf("sizeof(tpm_sha1start): %d\n", (int)sizeof(tpm_sha1start));
    printf("data in tpm_sha1start: ");
    for (i = 0; i < (int)sizeof(tpm_sha1start); i++)
        printf("%02x", tpm_sha1start[i]);
    printf("\n");
    res = write(fd, tpm_sha1start, sizeof(tpm_sha1start));
    if (res != (int)sizeof(tpm_sha1start)) {
        printf("Error: write tpm_sha1start failed: (%04x)\n ", res);
        close(fd);
        return -1;
    }
    buf_size = 256;
    ret = read(fd, buf, buf_size);
    printf("ret of read tpm0 after tpm_sha1start : %d\n", ret);
    printf("read tpm0 tpm_sha1start data: ");
    for (i = 0; i < ret; i++) {
        printf("%02x ", buf[i]);
    }
    printf("\n");

    /* 3. TPM_SHA1Complete: hash the 64 data bytes; the reply carries the 20-byte digest */
    buf_size = 256; /* buf_size > 10 */
    printf("sizeof(tpm_sha1complete): %d\n", (int)sizeof(tpm_sha1complete));
    printf("data in tpm_sha1complete: ");
    for (i = 0; i < (int)sizeof(tpm_sha1complete); i++)
        printf("%02x", tpm_sha1complete[i]);
    printf("\n");
    res = write(fd, tpm_sha1complete, sizeof(tpm_sha1complete));
    if (res != (int)sizeof(tpm_sha1complete)) {
        printf("Error: write tpm_sha1complete failed: (%04x)\n ", res);
        close(fd);
        return -1;
    }
    buf_size = 256;
    ret = read(fd, buf, buf_size);
    printf("ret of read tpm0 after tpm_sha1complete : %d\n", ret);
    printf("read tpm0 data after tpm_sha1complete : ");
    for (i = 0; i < ret; i++) {
        printf("%02x ", buf[i]);
    }
    printf("\n");

    close(fd);
    return 0;
}
Makefile:
CC := gcc
all: tpmrandomsha1
tpmrandomsha1: tpmrandomsha1.c
	$(CC) tpmrandomsha1.c -o tpmrandomsha1
clean:
	rm -f tpmrandomsha1
Reference test output:
sizeof(random_cmd): 14
data in random_cmd: 00c10000000e0000004600000008
ret of read random tpm0: 22
read tpm0 random data: 00 c4 00 00 00 16 00 00 00 00 00 00 00 08 20 c2 10 97 bf cb c3 ec
sizeof(tpm_sha1start): 10
data in tpm_sha1start: 00c10000000a000000a0
ret of read tpm0 after tpm_sha1start : 14
read tpm0 tpm_sha1start data: 00 c4 00 00 00 0e 00 00 00 00 00 00 08 00
sizeof(tpm_sha1complete): 78
data in tpm_sha1complete:00c10000004e000000a2000000400102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f40
ret of read tpm0 after tpm_sha1complete : 30
read tpm0 data after tpm_sha1complete : 00 c4 00 00 00 1e 00 00 00 00 92 cb 89 df 62 d9 00 b3 50 d9 3e 42 25 ca 6f 08 1d 54 7a 28
Source: http://blog.chinaunix.net/u3/96833/showart_1993602.html
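The test program above prints whatever read() hands back without checking that the reply's paramSize matches the number of bytes actually received, so a short read or a truncated reply would be accepted silently. As an added example (not part of the reposted program or of the tpm_emulator project), the following C code builds the same TPM_GetRandom command and parses the reply defensively; the helper names (put16, get32, parse_rsp_header, parse_getrandom) are mine, and the byte values in the comments come from the reference output above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TPM_TAG_RQU_COMMAND 0x00C1   /* 193: request tag used by the test program */
#define TPM_TAG_RSP_COMMAND 0x00C4   /* response tag seen in the reference output */
#define TPM_ORD_GetRandom   0x46     /* ordinal 70 */
#define TPM_HDR_LEN         10       /* tag(2) + paramSize(4) + ordinal or result(4) */

/* TPM 1.2 integers are big-endian on the wire (hypothetical helper names). */
static void put16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }
static void put32(unsigned char *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const unsigned char *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Build TPM_GetRandom(nbytes) into out (14 bytes) and return that length.
 * For nbytes = 8 this yields 00c10000000e0000004600000008, as printed above. */
size_t build_getrandom(unsigned char out[14], uint32_t nbytes)
{
    put16(out, TPM_TAG_RQU_COMMAND);
    put32(out + 2, 14);                 /* paramSize covers the header too */
    put32(out + 6, TPM_ORD_GetRandom);
    put32(out + 10, nbytes);            /* bytesRequested */
    return 14;
}

/* Validate a response header against the byte count read() actually returned.
 * Returns the TPM result code (0 = TPM_SUCCESS) or -1 if the framing is wrong. */
int parse_rsp_header(const unsigned char *rsp, size_t rsplen)
{
    if (rsplen < TPM_HDR_LEN || get16(rsp) != TPM_TAG_RSP_COMMAND) return -1;
    if (get32(rsp + 2) != rsplen) return -1;   /* short read or trailing bytes */
    uint32_t result = get32(rsp + 6);
    return result > INT32_MAX ? -1 : (int)result;
}

/* Copy the random bytes of a TPM_GetRandom reply into out (capacity outcap).
 * Returns the byte count, or -1 if the reply is malformed, reports an error,
 * or would overflow out. */
int parse_getrandom(const unsigned char *rsp, size_t rsplen, unsigned char *out, size_t outcap)
{
    if (parse_rsp_header(rsp, rsplen) != 0 || rsplen < TPM_HDR_LEN + 4) return -1;
    uint32_t n = get32(rsp + TPM_HDR_LEN);          /* randomBytesSize */
    if (n != rsplen - TPM_HDR_LEN - 4 || n > outcap) return -1;
    memcpy(out, rsp + TPM_HDR_LEN + 4, n);
    return (int)n;
}
```

parse_rsp_header also accepts the 14-byte TPM_SHA1Start reply shown above (result 0, maxNumBytes 0x0800), while parse_getrandom rejects it because its length does not match a GetRandom payload.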
4. TPM series: A TPM for Everyone (repost)
2009-12-25 15:18
Since I have started reposting anyway, I will keep up the fighting spirit and repost all the way to the end, haha~
Introduction
In the past, I've talked about the Trusted Platform Module (TPM) and Trusted Computing in the context of Mac OS X.
October 2006—
October 2006—
December 2006—, 23rd Chaos Communications Congress, Berlin
December 2007—
"Trusted" Computing is usually a contentious topic and the actual utility of a TPM is often overshadowed by a never-ending litany of "what-if" scenarios that have been brought up over time. The Mac OS X specific gist of this is that although the early x86-based Macintosh computers had onboard TPMs, Apple stopped including TPMs in Macintoshes roughly around the time the Mac Pro was introduced. In contrast, it is quite common to find TPMs in modern day non-Apple computers. There are several interesting and useful things one can do with a TPM on any operating system. It is rather disappointing that a modern Macintosh is devoid of this device.
The Next Best Thing to a TPM
Suppose you have a Macintosh without a TPM and you really do want to experiment with Trusted Computing or features of the TPM in general. Your needs could be development-related or they could be purely academic. Well, you could do the next best thing to having a real TPM: you can use a software TPM emulator. One has been around for some time and it is straightforward to make it run on Mac OS X.
The TPM emulator is implemented as a daemon that encapsulates most of the functionality of a physical TPM. Out of the box, the TPM emulator will need to be accessed on Mac OS X through an intermediate library—the equivalent of the TPM Device Driver Library (TDDL). It would be nice if all existing TPM-related software used the TDDL interface, but often that's not the case. Instead, software that uses the TPM might want to directly access the TPM device. The Mac OS X TPM device driver I wrote in 2006 for the Infineon TPM chip provides a /dev/tpm device node, which is then used by all the other TPM tools and libraries I ported to Mac OS X. Therefore, it would be really useful if, in addition to the TPM emulator daemon, we had something that provides a /dev/tpm that behaves like the "real thing".
That something would be a Mac OS X kernel extension. It would publish a /dev/tpm device node just like the "real" TPM device driver. However, instead of communicating with the TPM hardware (which does not exist), this kernel extension would communicate with the TPM emulator daemon running in user space. I'm releasing the source code for such a kernel extension—let us call it the TPM Emulator Device Bridge Kernel Extension. Let us see how to set everything up so that we have a /dev/tpm that's functional enough to work seamlessly with TPM-based software.
Setting Up a Software TPM
First, we check out the source code for the TPM emulator from its subversion tree. We will assume that our working directory is /work/tpm/.
$ cd /work/tpm/
$ svn checkout svn://svn.berlios.de/tpm-emulator/trunk tpm-emulator
...
$ cd tpm-emulator
Next, download the TPM emulator patch from the Download section of this page. You can apply the patch and compile the emulator as follows.
$ pwd
/work/tpm/tpm-emulator
$ patch -p0 < /path/to/tpm-emulator-0.5-macosx.patch
patching file tpm/tpm_deprecated.c
patching file tpmd/tpm_emulator_config.h
patching file tpmd/tpmd.c
patching file tddl/tddl.c
patching file tddl/Makefile
patching file Makefile
$ make
...
Now download and compile the TPM Device Bridge kernel extension.
$ cd /work/tpm/
$ tar -xzvf /path/to/tpm_bridge.tar.gz
$ cd tpm_bridge
$ xcodebuild -target tpm_bridge -configuration Release
...
** BUILD SUCCEEDED **
$
We can now load the newly compiled kernel extension. Mac OS X has specific requirements on the ownership and permissions of kernel extension bundles.
$ pwd
/work/tpm/tpm_bridge
$ cp -pR build/Release/tpm_bridge.kext /tmp/
$ sudo chown -R root:wheel /tmp/tpm_bridge.kext
$ sudo kextload -v /tmp/tpm_bridge.kext
kextload: extension /tmp/tpm_bridge.kext appears to be loadable
kextload: loading extension /tmp/tpm_bridge.kext
kextload: sending 1 personality to the kernel
kextload: /tmp/tpm_bridge.kext loaded successfully
kextload: extension /tmp/tpm_bridge.kext has no personalities
$ ls -las /dev/tpm
0 crw-rw-rw- 1 root wheel 19, 0 Feb 23 02:06 /dev/tpm
Once the kernel extension is loaded, we see that a /dev/tpm node becomes available. By default, the kernel extension allows read/write access to everybody for experimental convenience—depending on your needs, you might want to change this in the source. At this point, the device will not behave like a "real" TPM device because we still need to run the TPM emulator daemon, which the device would communicate with.
The kernel extension uses a Unix domain socket to communicate with the emulator daemon. By default, the path to this socket is /tmp/tpm/tpmd_socket:0. Moreover, the daemon needs a location to store the TPM's persistent state. By default, the daemon would store it in the /tmp/tpm/ directory in a file whose name begins with tpm_emulator-1.2. Let us create a /tmp/tpm/ directory and start the daemon. Please refer to the TPM emulator documentation to understand which command-line arguments to use. Initially, we will run the daemon in its "clear" startup mode.
The /tmp location for both TPM persistent data and the Unix domain socket is makeshift. In particular, remember that /tmp will not be persistent across a reboot. In a production setup, you would use more appropriate locations. For example, you could use the per user Documents folder for storing TPM persistent data and the per user temporary folder (the DARWIN_USER_TEMP_DIR configuration parameter) for the socket.
The socket path must be changed both in the kernel extension source and in the emulator source.
$ mkdir /tmp/tpm/
$ cd /work/tpm/tpm-emulator/tpmd
$ ./tpmd -d -f clear
...
../tpm/tpm_startup.c:44: Info: TPM_Startup(1)
tpmd.c:376: Debug: waiting for connections...
...
At this point, TPM-based software should be able to talk to /dev/tpm just as if the machine had a physical TPM. Please refer to for more information on TPM-related software you can experiment with. The following is an example of what you should see if you run the tpm_demo program from the osxbook-libtpm package.
$ cd /path/to/osxbook-libtpm-2.0c
$ ./tpm_demo
TPM version 1.1.0.0
24 PCR registers are available
PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...
PCR-23: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
10 Key slots are available
slots = 10, num = 0
No keys are loaded
$
Note that this setup should also work on a PowerPC Macintosh.
Download
TPM Emulator Patch for Mac OS X:
TPM Emulator Device Bridge Kernel Extension for Mac OS X:
Source: