Commit
Added TPM user examples
vishnusudhan committed Oct 26, 2023
1 parent b7154ca commit 111359c
Showing 10 changed files with 364 additions and 0 deletions.
1 change: 1 addition & 0 deletions conf/layer.conf
Expand Up @@ -25,6 +25,7 @@ IMAGE_INSTALL:append = " \
sys-setup \
caam-keygen \
lrzsz \
${@bb.utils.contains('TPM_ENABLE', '1', 'tpm-examples', '', d)} \
"

# Changing the WKS file to add DM partition
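Review bot: the `bb.utils.contains('TPM_ENABLE', '1', 'tpm-examples', '', d)` line pulls the example scripts into every image built with TPM_ENABLE = 1, production images included. These are test scripts that write a hardcoded NV index (0x1400004) and leave key material such as key.pem in the working directory, so gate them on a separate opt-in variable or image feature rather than on TPM_ENABLE alone.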
86 changes: 86 additions & 0 deletions recipes-support/tpm-test-scripts/tpm-examples/README.md
@@ -0,0 +1,86 @@
# TPM Script Examples
This folder contains a collection of shell scripts for working with the Trusted Platform Module (TPM). These scripts demonstrate various TPM commands and their usage.

## Scripts

`tpm_err_aes_nvread.sh`

This Bash script demonstrates an intentional error scenario involving TPM (Trusted Platform Module) NV (Non-Volatile) Index operations. It showcases how providing an incorrect PCR (Platform Configuration Register) index value can result in an error during TPM NV read.

`tpm_err_aes_nvwrite.sh`
This script intentionally attempts to overwrite an AES-256 key stored in a TPM2 NV (Non-Volatile) index with an incorrect PCR policy. The script demonstrates the following steps:

1. Defines the PCR index, NV index, and the output file for the AES-256 key.

2. Generates a random AES-256 key (32 bytes) to be used for overwriting the key stored in the TPM NV index.

3. Attempts to write the generated AES-256 key to the TPM NV index using an incorrect PCR policy.

4. In the event of a policy error, the script will display an error message, as the provided PCR index is not linked with the expected PCR state file (pcr16.dat).

`tpm_policy_creation.sh`

This script shows how to create policies and define nv indexes for key storage.
The script performs the following steps:

1.Verifying the existence of the file to be checked, pcr_extend.dat, in the script directory.If not, it will create(used for measured boot)
2. Verifying whether the script directory contains the pcr16.dat (pcr output file) or not.
3. Checking whether the pcr is extended or not. If extended it will proceed further otherwise the process should terminated.
4.If the pcr_extend.dat and pcr16.dat files match, the measured boot passes, and the operation can continue.
5. PCR Policy gets satisfied by comparing the current state value with the passed-in value; this is done by TPM internally.
6. Creates a policy based on the satisfied PCR policy for pcr16.dat
7. Defines an NV (Non-Volatile) index in the TPM with the created PCR policy.

`tpm_nv_write_aes_256.sh`

This script demonstrates how to securely store an AES-256 key in TPM2 NV memory based on the satisfaction of a PCR (Platform Configuration Register) policy. The script performs the following steps:

1. creating an 32 byte aes key using openssl
2. Writes the AES-256 key to the TPM NV index, ensuring that the key is only written if the PCR policy is satisfied.

`tpm_nv_read_aes_256.sh`
This script demonstrates how to securely retrieve an AES-256 key from TPM2 NV (Non-Volatile) memory based on the satisfaction of a PCR (Platform Configuration Register) policy. The script performs the following steps:

Defines the PCR index, NV index, and the output file for the AES-256 key.
Reads the AES-256 key from the TPM NV index with the specified PCR policy.
If the PCR policy is satisfied, the script successfully retrieves the AES-256 key and saves it to the specified output file.

`tpm_nv_write_rsa_2048.sh`

This script demonstrates how to securely store an rsa-2048 key in TPM2 NV memory based on the satisfaction of a PCR policy. The script performs the following steps:

1. creating an rsa key with 2048 bits length
2. Calculate the size of the key content and split it into three segments
3. Write the segments to the TPM NV index with the PCR policy, tpm verify internally the pcr.dat is belongs to the mentioned index or not.
4. And removing all the segments.


`tpm_nv_read_rsa_2048.sh`

This script demonstrates how to securely retrieve an rsa-2048 bit key from TPM2 NV (Non-Volatile) memory based on the satisfaction of a PCR (Platform Configuration Register) policy

The script will perform the following steps:

1. Read key segments one by one from the TPM NV index with the specified PCR policy.
2. Save key segments as separate files (key1.pem, key2.pem, key3.pem).
3. Concatenate the key segments into one key file (key_con_2048.pem).
4. Compare the concatenated key with the original key (key.pem).
5. Display whether the keys match or not.


## Usage
Run the scripts:
```
./tpm_policy_creation.sh
./tpm_nv_write_rsa_2048.sh
./tpm_nv_read_rsa_2048.sh
./tpm_nv_write_aes_256.sh
./tpm_nv_read_aes_256.sh
./tpm_err_aes_nvwrite.sh
./tpm_err_aes_nvread.sh
```

### Notes:
Replace placeholders like `hash of file` and `data` with actual values before running the scripts.

Ensure that you have the necessary `TPM tools` and permissions to run these scripts.
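Review bot: the Notes section tells the user to replace placeholders `hash of file` and `data`, but none of the scripts in this commit contain those placeholders; drop the sentence and name the real prerequisites instead: tpm2-tools and openssl on the target, pcr16.dat produced by tpm_policy_creation.sh in the working directory, and the fact that all scripts share NV index 0x1400004, so the AES and RSA examples overwrite each other's data. The step lists also need copy-editing before merge: spacing after the list numbers in the tpm_policy_creation.sh section (`1.Verifying`, `4.If`), the unnumbered list under tpm_nv_read_aes_256.sh, `readed` in the read scripts' comments, and step 3 of the RSA write section ("tpm verify internally the pcr.dat is belongs to the mentioned index or not"), which should say that the TPM recomputes the PCR policy digest from the current PCR values and rejects the write when it does not match the digest the index was defined with.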
@@ -0,0 +1,13 @@
#!/bin/bash

#PCR index, NV index, and output file for the AES-256 key
pcr_index=10
nv_index=0x1400004
output_file="aes-key"

# Read the AES-256 key from the TPM NV index with the wrong PCR index to produce tpm error.
if tpm2_nvread $nv_index -P pcr:sha256:$pcr_index -s 768 > $output_file; then
echo "AES-256 key successfully read from TPM NV index and saved to $output_file."
else
echo "Error: Reading the TPM NV index failed because of wrong PCR index value."
fi
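Review bot: the redirection `> $output_file` creates an empty `aes-key` file even when `tpm2_nvread` fails, so a caller that only checks for the file sees a success; write the file only after the command succeeds, or remove it in the `else` branch. The `else` message also attributes every failure to the wrong PCR index, although the command fails the same way when the index is not defined or the TPM is unavailable, so keep the tool's own stderr visible and word the message as a possibility. Finally, `-s 768` requests 768 bytes for what the comment calls a 32-byte AES-256 key, the same mismatch as in tpm_nv_read_aes_256.sh.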
@@ -0,0 +1,19 @@
#!/bin/bash
#R index, NV index, and aes output file for the AES-256 key
pcr_index=10
nv_index=0x1400004
aes_key_file="aes-256-key"

# Generate a random AES-256 key (32 bytes) to overwrite the key which is already present in the nv index
openssl rand -out $aes_key_file 32

# Save the PCR16 value to pcr16.dat
tpm2_pcrread -o pcr16.dat sha256:$pcr_index

# Write the AES-256 key to the TPM NV index with the PCR policy
# input -> given the wrong index value which is not linked with pcr16.dat to produce tpm error.
if tpm2_nvwrite $nv_index -P pcr:sha256:$pcr_index=pcr16.dat -i $aes_key_file; then
echo "AES-256 key successfully written to TPM NV index."
else
echo "Error: Writing to TPM NV index failed. Please create the NV index first or check whether your policy is valid or not"
fi
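Review bot: `tpm2_pcrread -o pcr16.dat sha256:$pcr_index` with `pcr_index=10` overwrites `pcr16.dat`, the PCR 16 reference file created by tpm_policy_creation.sh and passed by tpm_nv_write_aes_256.sh and tpm_nv_write_rsa_2048.sh as `-P pcr:sha256:16=pcr16.dat`, with the value of PCR 10; running this error demo therefore breaks the subsequent write examples until pcr16.dat is regenerated. Write the PCR 10 value to a differently named file (pcr10.dat, for instance) or skip the read entirely, since the intended failure already comes from the wrong index in the `-P` policy string. Also, the `#R index` comment should read `# PCR index`, and the random key left in `$aes_key_file` is never removed.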
@@ -0,0 +1,14 @@
# This script shows that the aes key should only be readed from nv memory if the current pcr state gets satisfied.
#!/bin/bash

# Define the PCR index, NV index, and output file for the AES-256 key
pcr_index=16
nv_index=0x1400004
output_file="aes-key"

# Read the AES-256 key from the TPM NV index with the specified PCR policy
if tpm2_nvread $nv_index -P pcr:sha256:$pcr_index -s 768 > $output_file; then
echo "AES-256 key successfully read from TPM NV index and saved to $output_file."
else
echo "Error: Reading the TPM NV index failed."
fi
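Review bot: the `#!/bin/bash` line is the second line of the file, after a comment, so the kernel does not treat it as a shebang and `./tpm_nv_read_aes_256.sh` runs under whatever shell the caller falls back to; move it to line 1. Also, `-s 768` reads 768 bytes although tpm_nv_write_aes_256.sh writes a 32-byte key, and because the RSA example writes its key segments to the same NV index 0x1400004, the extra 736 bytes can contain leftover RSA private key material that then lands in `aes-key`. Use `-s 32`, and create `$output_file` only after the read succeeds.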
@@ -0,0 +1,44 @@
#!/bin/bash

# Define the TPM NV index and PCR index
nv_index=0x1400004
pcr_index=16

# Read the key segments from the NV index and save them as separate key files
# Read the segments from the TPM NV index with the specified PCR policy and stored in files.
if tpm2_nvread $nv_index -P pcr:sha256:$pcr_index -s 568 > key1.pem; then
echo "key1 successfully read from TPM NV index and saved to $output_file."
else
echo "Error: Reading the TPM NV index failed."
exit 1
fi

if tpm2_nvread $nv_index -P pcr:sha256:$pcr_index -s 568 --offset 569 > key2.pem; then
echo "key2 successfully read from TPM NV index and saved to $output_file."
else
echo "Error: Reading the TPM NV index failed."
exit 1
fi

if tpm2_nvread $nv_index -P pcr:sha256:$pcr_index -s 568 --offset 1137 > key3.pem; then
echo "key3 successfully read from TPM NV index and saved to $output_file."
else
echo "Error: Reading the TPM NV index failed."
exit 1
fi

# Concatenate the key segments into one key file
cat key1.pem key2.pem key3.pem > key_con_2048.pem

# Remove temporary key files
rm key1.pem
rm key2.pem
rm key3.pem

# Compare the concatenated key with the original key
if cmp -s key_con_2048.pem key.pem; then
echo "Keys match."

else
echo "Keys do not match. Error!"
fi
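Review bot: `$output_file` in the three success messages is never defined in this script, so they print "saved to ."; use the actual file name (key1.pem and so on). The read sizes and offsets (568, 569, 1137) are hardcoded while tpm_nv_write_rsa_2048.sh computes `segment_size` from the PEM length, so the two scripts only agree when key.pem is exactly 1704 bytes (3 * 568); any other key length makes the final `cmp` fail or reassembles the wrong bytes. Derive the segment size the same way in both scripts, or store the length alongside the data. The script also silently depends on `key.pem` from the write script still being in the working directory, and the comparison only proves a round trip, not that the key in the index is the one expected.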
@@ -0,0 +1,21 @@
#!/bin/bash
# This script shows that the aes key should only be written to nv memory if the current pcr state gets satisfied.#!/bin/bash

# Define the PCR index, NV index, and output file for the AES-256 key
pcr_index=16
nv_index=0x1400004
aes_key_file="aes-256-key"

# Generate a random AES-256 key (32 bytes)
openssl rand -out $aes_key_file 32

# Write the AES-256 key to the TPM NV index with the PCR policy, tpm verify internally the pcr.dat is belongs to the mentioned index or not.
if tpm2_nvwrite $nv_index -P pcr:sha256:$pcr_index=pcr16.dat -i $aes_key_file; then
echo "AES-256 key successfully written to TPM NV index."
else
echo "Error: Writing to TPM NV index failed. Please create the NV index first or check whether your policy is valid or not."
exit 1
fi

# Clean up the temporary AES key file
rm $aes_key_file
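Review bot: the comment on line 2 ends with a stray `#!/bin/bash`, copy-paste residue that should be removed. The write goes to the same NV index 0x1400004 the RSA examples use, at offset 0 only, so bytes 32 onwards still hold whatever the RSA write left there; either define a separate index for the AES key or state in the README that the examples overwrite each other. The policy string `pcr:sha256:$pcr_index=pcr16.dat` requires pcr16.dat from tpm_policy_creation.sh in the current directory; check for it up front and fail with a clear message instead of the generic one in the `else` branch.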
@@ -0,0 +1,43 @@
#!/bin/bash

# Define the TPM NV index and PCR index
nv_index=0x1400004
pcr_index=16

# Generate an RSA key with a length of 2048 bits
openssl genrsa -out key.pem 2048

# Calculate the size of the key content and split it into three segments
content_size=$(wc -c < key.pem)
segment_size=$((content_size / 3))
dd if=key.pem of=segment1.pem bs=1 count=$segment_size
dd if=key.pem of=segment2.pem bs=1 skip=$segment_size count=$segment_size
dd if=key.pem of=segment3.pem bs=1 skip=$((2 * $segment_size))

# Write the segments to the TPM NV index with the PCR policy, tpm verify internally the pcr.dat is belongs to the mentioned index or not.
# Write the key segments to the NV index with the verified PCR policy
if tpm2_nvwrite $nv_index -P pcr:sha256:$pcr_index=pcr16.dat -i segment1.pem; then
echo "segment1 successfully written to TPM NV index."
else
echo "Error: Writing to TPM NV index failed. Please create the NV index first or check whether your policy is valid or not."
exit 1
fi

if tpm2_nvwrite $nv_index -P pcr:sha256:$pcr_index=pcr16.dat -i segment2.pem --offset 569; then
echo "segment2 successfully written to TPM NV index."
else
echo "Error: Writing to TPM NV index failed. Please create the NV index first or check whether your policy is valid or not."
exit 1
fi

if tpm2_nvwrite $nv_index -P pcr:sha256:$pcr_index=pcr16.dat -i segment3.pem --offset 1137; then
echo "segment3 successfully written to TPM NV index."
else
echo "Error: Writing to TPM NV index failed. Please create the NV index first or check whether your policy is valid or not."
exit 1
fi

# Remove temporary segment files
rm segment1.pem
rm segment2.pem
rm segment3.pem
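Review bot: `--offset 569` and `--offset 1137` are hardcoded while `segment_size` is computed from `wc -c`; write segment2 at `--offset $segment_size` and segment3 at `--offset $((2 * segment_size))` so the offsets always match the `dd` split (as written, byte 568 of the index is never written and the numbers are only right for a 1704-byte PEM). The private key stays in plaintext in `key.pem` after the segment files are removed; tpm_nv_read_rsa_2048.sh compares against it, so say so in the README or move the comparison into this script and delete key.pem afterwards. The `dd ... bs=1` calls also print transfer statistics to stderr on every run (GNU dd accepts `status=none`).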
@@ -0,0 +1,78 @@
#!/bin/bash

# Define the PCR index, NV index
pcr_index=16
nv_index=0x1400004

#script is located
script_directory="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# Define the filename you want to check
file_to_check="pcr_extend.dat"
pcr_file="pcr16.dat"

# Combine the directory and the filename
file_path="$script_directory/$file_to_check"
pcr_file_path="$script_directory/$pcr_file"

if [ -e "$file_path" ]; then
echo "File $file_to_check exists in the script's directory."
else
echo "File $file_to_check does not exist in the script's directory, creating pcr extended file."
tpm2_pcrread -o pcr16.dat sha256:$pcr_index
cp pcr16.dat pcr_extend.dat
fi

if [ -e "$pcr_file_path" ]; then
echo "File $pcr_file exists in the script's directory."
else
echo "File $pcr_file does not exist in the script's directory, creating pcr file."
tpm2_pcrread -o pcr16.dat sha256:$pcr_index
fi

# creating a bin file with the value of zero
dd if=/dev/zero of=pcr_zero.dat bs=32 count=1

#comparing the pcr.dat with pcr_zero.dat file, if the values is not extended means then it will terminated the whole process.
cmp_value=$(cmp -s pcr16.dat pcr_zero.dat; echo $?)

if [ "$cmp_value" -eq 1 ]; then
echo "PCR value is extended we can proceed further"
else
echo "PCR value is all zeros, check whether it is the closed board or not."
exit 1
fi

cmpare_value=$(cmp -s $file_to_check pcr16.dat; echo $?)

if [ "$cmpare_value" -eq 1 ]; then
echo "PCR values are not same, Measure Boot fails"
exit 1
else
echo "PCR value is extended and Passes the Measure Boot condition."
fi

# Start a policy auth session used when authenticating with a policy.
tpm2_startauthsession --policy-session -S session1.dat

# PCR Policy gets satisfied by comparing the current state value with the passed-in value; this is done by TPM internally.
if tpm2_policypcr -S session1.dat -l sha256:$pcr_index -f pcr16.dat; then
echo "Policy PCR16 satisfied."
else
echo "Policy PCR16 failed. Terminating."
exit 1
fi

# Create a policy for the current PCR index
tpm2_createpolicy --policy-pcr -l sha256:$pcr_index -L policy16.pcr

# Define the NV index with the policy of the current PCR state
if tpm2_nvdefine $nv_index -L policy16.pcr; then
echo "NV index defined at the given address with the current PCR state policy."
else
echo "Error: Defining NV index failed."
exit 1
fi

rm pcr_zero.dat
rm session1.dat
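Review bot: the measured-boot check is self-referential on first run: when `pcr_extend.dat` is absent the script creates it from the current PCR 16 value and then compares PCR 16 against that copy, so the "Passes the Measure Boot condition" branch can never fail on a fresh board; the reference value should be provisioned out of band, not captured by the script. The comparison logic also treats any `cmp` exit status other than 1 as a match, and `cmp -s $file_to_check pcr16.dat` uses the bare filename while the existence check used `$file_path` in the script directory, so running from another working directory gives cmp exit status 2 (missing file) and the script reports measured boot as passed; test for `-eq 0` on the match branch and use `$file_path` consistently. Finally, the policy session started with `tpm2_startauthsession -S session1.dat` is never flushed (`tpm2_flushcontext session1.dat`) before the file is deleted, which leaks a session inside the TPM.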
45 changes: 45 additions & 0 deletions recipes-support/tpm-test-scripts/tpm-examples_1.0.bb
@@ -0,0 +1,45 @@
# Copyright (c) 2021 BG Networks, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#

SUMMARY = "tpm test scripts"
LICENSE = "CLOSED"

SRC_URI = " \
file://tpm_policy_creation.sh \
file://tpm_err_aes_nvread.sh \
file://tpm_err_aes_nvwrite.sh \
file://tpm_nv_read_aes_256.sh \
file://tpm_nv_write_aes_256.sh \
file://tpm_nv_read_rsa_2048.sh \
file://tpm_nv_write_rsa_2048.sh \
"

RDEPENDS:${PN} += "bash"

do_install() {
# Installing the test scripts in /etc/tpm/user_examples
install -d ${D}/etc/tpm/user_examples

install -m 0755 ${WORKDIR}/tpm_policy_creation.sh ${D}/etc/tpm/user_examples
install -m 0755 ${WORKDIR}/tpm_err_aes_nvread.sh ${D}/etc/tpm/user_examples
install -m 0755 ${WORKDIR}/tpm_err_aes_nvwrite.sh ${D}/etc/tpm/user_examples
install -m 0755 ${WORKDIR}/tpm_nv_read_aes_256.sh ${D}/etc/tpm/user_examples
install -m 0755 ${WORKDIR}/tpm_nv_write_aes_256.sh ${D}/etc/tpm/user_examples
install -m 0755 ${WORKDIR}/tpm_nv_read_rsa_2048.sh ${D}/etc/tpm/user_examples
install -m 0755 ${WORKDIR}/tpm_nv_write_rsa_2048.sh ${D}/etc/tpm/user_examples
}

FILES:${PN} += " \
/etc/tpm/user_examples/tpm_policy_creation.sh \
/etc/tpm/user_examples/tpm_err_aes_nvread.sh \
/etc/tpm/user_examples/tpm_err_aes_nvwrite.sh \
/etc/tpm/user_examples/tpm_nv_read_aes_256.sh \
/etc/tpm/user_examples/tpm_nv_write_aes_256.sh \
/etc/tpm/user_examples/tpm_nv_read_rsa_2048.sh \
/etc/tpm/user_examples/tpm_nv_write_rsa_2048.sh \
"
