Added TPM user examples

[vishnusudhan]

Hi @rjfendricks ,

This PR has the TPM user examples which is maintained under /etc/tpm/user-examples

[rlysecky]

I don't think we need to compare the pcr16.dat and pcr_extend.dat. For one, they are likely to be the same as they were generated at the same time. Second, when setting a per policy, I believe the current PCR state is used for the policy if you don't pass in a value.

[vishnusudhan]

We will remove this step.
Instead to check measure boot , we will compare as like below to create the policy,

Measured boot check using tpm2_policypcr api carried out by comparing current state value with the measured.pcrvalues value; this is done by TPM internally.

if tpm2_policypcr -S session1.dat -l sha256:$pcr_index -f measured.pcrvalues;

[rlysecky]

Is this just a check of the current policy?

[vishnusudhan]

We have modified the current comparison with measure pcr value. inorder to allow the creation of the policy, when ,measured boot is satisfied.

[rlysecky]

Why aren't we setting the size here? Without specifying the size, it will default to 2048 per the documentation for this command. Should we set the size manually instead?

[vishnusudhan]

We are moving this NV define to respective NV_Write script , in-order to maintain separate NV index & size.

By default, if size parameter not specified then default 2048 will get assigned. if needed we can assign like -s {size(in bytes)}

Maybe we can use it for AES 256 key examples as -s 32

[rlysecky]

Can we rename this to measured.pcrvalues? This way the example will closely follow other tutorial I've seen online, and it's also clear that this is the measured value in the context of measured boot.

[vishnusudhan]

we will update in the latest script

[rlysecky]

Why is 768 for the AES example and 568 is used for each chunk in the rsa example?

[rlysecky]

Where is the documentation for limits not the size for an nvread or nvwrite command?

[vishnusudhan]

For AES , we wrongly taken the full NV read/write size of 768(as declared in the Infineon-SLB 9670VQ2.0-DataSheet-v01_04-EN.pdf (already mailed )) mentioned under key features.

Up to 768 Byte for NV read or NV write

For AES, We will fix 32bytes as size allocation on the NV & read the 32 bytes alone , instead of using full NV size(768 bytes)

For RSA, as you suggested we will use maximum offset (768bytes) & calculate segment to write & read.

[rlysecky]

Why is segment size being used here but not when defining he offset? If the size limit is fixed, then the offset should be used to determine the number of segments?

[vishnusudhan]

As you suggested we will use maximum offset (768bytes) & calculate segment to write & read.

[rlysecky]

Can we rename this to incorrect_pcr_index to make it very clear?

[rlysecky]

This applies to both error scripts

[vishnusudhan]

We will update in latest script

[rlysecky]

Rename the error scripts to use "error" instead or "err" in name.

[vishnusudhan]

We will rename the scripts as per your suggestion.

[rlysecky]

For all scripts we should add a comment indicate that this value needs to be manually set by the user to specify the location in the TPM.

[vishnusudhan]

We will update in latest script

[rlysecky]

Can we revise the scripts to use different indices, os if a user tries to run both, they are not overwriting the contents.

[vishnusudhan]

We can change over NV indices in separate scripts (AES, RSA, passphrase), as suggested to overwriting of the contents.

[vishnusudhan]

Hi @rlysecky ,

In few scripts , we are modifying the below changes,

1. In tpm_policy_creation script, in-order to store the measured pcr value , for first time after storing, we are requesting user to reboot & exiting the script . is it fine? or we can continue the first time alone without exiting.
   upon reboot / from the second time we are checking the measure pcr value & current pcr value to check the measure boot & allowing to create policy pcr.

if [ -e "$file_path" ]; then
echo "File $file_to_check exists in the script's directory."
else
echo "File $file_to_check does not exist in the script's directory, creating measured.pcrvalues file."
cp pcr16.dat measured.pcrvalues
echo "reboot the device"
exit 1
fi
For reboot case, user needs to run tpm_policy_creation script atleast 2 times to create the policy pcr.

2. For normal NV read/Write cases , Shall we inform the user to run the tpm_policy_creation script every-time before running nv read/write scripts? so measured boot will always happen.

3. NV define's are going to be moved to the respective NV_write scripts ,as we are planning to declare separate NV indices.

[rlysecky]

1. I don't think a reboot should be needed. The assumption is that measured boot is enabled. The check for a zero value in the PCR should be enough. There shouldn't need to be a manual check for the measured boot state. The policy itself will enforce this. Why does the session creation need to happen two times?
2. Why can't we store the policy file rather than recreate it each time?
3. This seems ok

[vishnusudhan]

1. I don't think a reboot should be needed. The assumption is that measured boot is enabled. The check for a zero value in the PCR should be enough. There shouldn't need to be a manual check for the measured boot state. The policy itself will enforce this. Why does the session creation need to happen two times?
   Solution: Ok. We will not request user to reboot and will allow to create the policy at the very first time itself.

2. Why can't we store the policy file rather than recreate it each time?
   Solution: We are storing the policy file and we are not recreating.
   As we wanted to check the measured boot case after every reboot, we thought to have the tpm_policy_creation script run every time before using NV read/write operations.

3. This seems ok

[vishnusudhan]

Hi @rlysecky ,

Scripts updated as per review comments & ready for review.

ReadME.md needs to be updated.

[vishnusudhan]

Hi @rlysecky ,

Updated README.MD file