Added TPM user examples

conf/layer.conf

@@ -25,6 +25,7 @@ IMAGE_INSTALL:append = " \
     sys-setup \
     caam-keygen \
     lrzsz \
+    ${@bb.utils.contains('TPM_ENABLE', '1', 'tpm-examples', '', d)} \
 "
 
 # Changing the WKS file to add DM partition

recipes-support/tpm-test-scripts/tpm-examples/README.md

@@ -0,0 +1,122 @@
+# TPM Script Examples
+This folder contains a collection of shell scripts for working with the Trusted Platform Module (TPM). These scripts demonstrate various TPM commands and their usage.
+
+## Scripts
+
+`tpm_error_aes_nvread.sh` 
+
+This Bash script demonstrates an intentional error scenario involving TPM (Trusted Platform Module) NV (Non-Volatile) Index operations. It showcases how providing an incorrect PCR (Platform Configuration Register) index value can result in an error during TPM NV read.
+
+`tpm_error_aes_nvwrite.sh` 
+This script intentionally attempts to overwrite an AES-256 key stored in a TPM2 NV (Non-Volatile) index with an incorrect PCR policy. The script demonstrates the following steps:
+
+1. Defines the PCR index, NV index, and the output file for the AES-256 key.
+
+2. Generates a random AES-256 key (32 bytes) to be used for overwriting the key stored in the TPM NV index.
+
+3. Attempts to write the generated AES-256 key to the TPM NV index using an incorrect PCR policy.
+
+4. In the event of a policy error, the script will display an error message, as the provided PCR index is not linked with the expected PCR state file (pcr16.dat).
+
+`tpm_policy_creation.sh`
+
+This script demonstrates how to create policies
+
+1. Checking whether the pcr is extended or not. If extended it will proceed further otherwise the process should terminated.
+2. Create a policy by using the current state of the PCR.
+
+`tpm_check_measured_boot.sh`
+
+This script check the measure boot condition. 
+
+1. Checking whether the pcr is extended or not. If extended it will proceed further otherwise the process should terminated.
+2. Verifying the existence of the file to be checked (i.e) measured.pcrvalues, in the script directory.If not, it will create measured.pcrvalues and also the reboot is required.
+3. Measured boot check using tpm2_policypcr api carried out by comparing current state value with the measured.pcrvalues value; this is done by TPM internally.
+
+`tpm_nv_write_aes_256.sh`
+
+This script demonstrates how to securely store an AES-256 key in TPM2 NV memory based on the satisfaction of a PCR (Platform Configuration Register) policy. The script performs the following steps:
+
+1. By using the get cap command, to get the list of defined nv index
+2. From the nv index list, If the mentioned nv address is not in the list it will create the nv index for the mentioned address.
+3. creating an 32 byte aes key using openssl
+4. Writes the AES-256 key to the TPM NV index, ensuring that the key is only written if the PCR policy is satisfied.
+
+`tpm_nv_read_aes_256.sh`
+This script demonstrates how to securely retrieve an AES-256 key from TPM2 NV (Non-Volatile) memory based on the satisfaction of a PCR (Platform Configuration Register) policy. The script performs the following steps:
+
+1. Defines the PCR index, NV index, and the output file for the AES-256 key. 
+2. By using the get cap command, to get the list of defined nv index
+3. If the mentioned nv index is not defined, we will define the nv index.
+4. Reads the AES-256 key from the TPM NV index with the specified PCR policy. If the PCR policy is satisfied, the script successfully retrieves the AES-256 key and saves it to the specified output file.
+
+`tpm_nv_write_rsa_2048.sh`
+
+This script demonstrates how to securely store an rsa-2048 key in TPM2 NV memory based on the satisfaction of a PCR policy.
+
+The script performs the following steps:
+
+1. By using the get cap command, to get the list of defined nv index.
+2. From the nv index list, If the mentioned nv address is not in the list it will create the nv index for the mentioned address with the current state value.
+3. Calculate the size of the key content and also the number of full segments
+4. Use a loop to split the key into full segments and write the key in mentioned TPM index, ensuring that the key is only written if the PCR policy is satisfied.
+5. Also writes the remaining bytes if any in the mentioned TPM index.
+
+`tpm_nv_read_rsa_2048.sh`
+
+This script demonstrates how to securely retrive a rsa key from NV memory based on the satisfaction of a PCR.
+
+The script performs the following steps:
+
+1. By using the get cap command, to get the list of defined nv index.
+2. If the mentioned nv index is not defined, we will define the nv index.
+3. Calculate the size of the key content and also the number of full segments
+4. Using a loop,  to read the full segments key from the mentioned nv Index.
+5. And also read the remaining segments key from the mentioned nv Index.
+
+`tpm_nv_passphrase_write.sh`
+
+This script demonstrates how to securely store an passphrase from NV memory based on the satisfaction of a PCR.
+
+The script performs the following steps:
+
+1. Creating an data and passphrase file
+2. Generate the rsa key with the created passphrase.
+3. Sign the data with the encrypted private key.
+4. By using the get cap command, to get the list of defined nv index.
+5. If the mentioned nv index is not defined, we will define the nv index.
+6. From the nv index list, If the mentioned nv address is not in the list it will create the nv index for the mentioned address with the current state Pcr value.
+6. Writes the passphrase to the TPM NV index, ensuring that the passphrase is only written if the PCR policy is satisfied.
+
+`tpm_nv_passphrase_read.sh`
+
+This script demonstrates how to securely retrive a passphrase from NV memory based on the satisfaction of a PCR.
+
+The script performs the following steps:
+
+1. By using the get cap command, to get the list of defined nv index.
+2. If the mentioned nv index is not defined, we will define the nv index.
+3. Reads the passphrase from the TPM NV index with the specified pcr index.
+4. Then decrypt the encrypted private key with the passphrase file.
+5. By using decrypt private key, Extract the corresponding public key.
+6. Verify the signature using the public key.
+
+## Usage
+Run the scripts:
+```
+./tpm_policy_creation.sh
+./tpm_check_measured_boot.sh
+./tpm_nv_write_rsa_2048.sh
+./tpm_nv_read_rsa_2048.sh
+./tpm_nv_write_aes_256.sh
+./tpm_nv_read_aes_256.sh
+./tpm_err_aes_nvwrite.sh
+./tpm_err_aes_nvread.sh
+./tpm_nv_passphrase_read.sh
+./tpm_nv_passphrase_write.sh
+```
+
+### Notes:
+Replace placeholders like `hash of file` and `data` with actual values before running the scripts.
+
+Ensure that you have the necessary `TPM tools` and permissions to run these scripts.

recipes-support/tpm-test-scripts/tpm-examples/tpm_check_measured_boot.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Define the PCR index
+pcr_index=16
+
+#script is located
+script_directory="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Define the filename you want to check
+file_to_check="measured.pcrvalues"
+
+# Combine the directory and the filename
+file_path="$script_directory/$file_to_check"
+
+tpm2_pcrread -o pcr16.dat sha256:$pcr_index
+
+# creating a bin file with the value of zero
+dd if=/dev/zero of=pcr_zero.dat bs=32 count=1
+
+#comparing the pcr.dat with pcr_zero.dat file, if the values is not extended means then it will terminated the whole process.
+cmp_value=$(cmp -s pcr16.dat pcr_zero.dat; echo $?)
+
+if [ "$cmp_value" -eq 1 ]; then
+    echo "PCR value is extended we can proceed further"
+else
+    echo "PCR value is all zeros, check whether it is the closed board or not."
+    rm pcr16.dat
+    exit 1
+fi
+
+if [ -e "$file_path" ]; then
+  echo "File $file_to_check exists in the script's directory."
+else
+  echo "File $file_to_check does not exist in the script's directory, creating measured.pcrvalues file."
+  cp pcr16.dat measured.pcrvalues
+fi
+
+# Start a policy auth session used when authenticating with a policy.
+tpm2_startauthsession --policy-session -S session1.dat
+
+# Measured boot check using tpm2_policypcr api carried out by comparing current state value with the measured.pcrvalues value; this is done by TPM internally.
+if tpm2_policypcr -S session1.dat -l sha256:$pcr_index -f $file_to_check; then
+    echo "PCR value is extended and Passes the Measure Boot condition."
+else
+    echo "PCR values are not matching, Measure Boot fails"
+    exit 1
+fi
+

recipes-support/tpm-test-scripts/tpm-examples/tpm_error_aes_nvread.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+#PCR index, NV index, and output file for the AES-256 key
+incorrect_pcr_index=10
+#user need to define / manually select the nv_index 
+nv_index=0x1400002
+aes_key_size=32
+
+output_file="aes-key"
+
+# Read the AES-256 key from the TPM NV index with the wrong PCR index to produce tpm error.
+if tpm2_nvread $nv_index -P pcr:sha256:$incorrect_pcr_index -s $aes_key_size > $output_file; then
+    echo "AES-256 key successfully read from TPM NV index and saved to $output_file."
+else
+    echo "Error: Reading the TPM NV index failed because of wrong PCR index value."
+fi

recipes-support/tpm-test-scripts/tpm-examples/tpm_error_aes_nvwrite.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+#PCR index, NV index, and aes output file for the AES-256 key
+incorrect_pcr_index=10
+#user need to define / manually select the nv_index 
+nv_index=0x1400002
+aes_key_file="aes-256-key"
+aes_key_size=32
+
+# Generate a random AES-256 key (32 bytes) to overwrite the key  which is already present in the nv index
+openssl rand -out $aes_key_file $aes_key_size
+
+
+# Write the AES-256 key to the TPM NV index with the PCR policy
+# input -> given the wrong index value which is not linked with pcr16.dat to produce tpm error.
+if tpm2_nvwrite $nv_index -P pcr:sha256:$incorrect_pcr_index -i $aes_key_file; then
+    echo "AES-256 key successfully written to TPM NV index."
+else
+    echo "Error: Writing to TPM NV index failed. Please create the NV index first or check whether your policy is valid or not"
+fi

recipes-support/tpm-test-scripts/tpm-examples/tpm_nv_passphrase_read.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Define the PCR index, NV index, and output file for the AES-256 key
+pcr_index=16
+#user need to define / manually select the nv_index 
+nv_index=0x1400003
+#user can modify the passphrase_size
+passphrase_size=32
+# Execute tpm2_getcap to get the list of defined NV indexes
+defined_nv_indexes=$(tpm2_getcap handles-nv-index)
+
+# Check if the NV index is defined
+if [[ $defined_nv_indexes == *"$nv_index"* ]]; then
+    echo "NV index $nv_index is defined"
+else
+    echo "NV index $nv_index is not defined. So can't able to read the value from this nv index $nv_index"
+    exit 1
+fi
+
+# Read the AES-256 key from the TPM NV index with the specified PCR policy
+if tpm2_nvread $nv_index -P pcr:sha256:$pcr_index -s $passphrase_size > password_retrived; then
+    echo "password_retrived file is successfully readed from TPM NV index and saved to password_retrived."
+else
+    echo "Error: Reading the TPM NV index failed."
+    exit 1
+fi
+
+# Decrypt the private key
+openssl rsa -in private_key.pem -out unencrypted_private_key.pem -passin file:password_retrived
+
+# Extract the corresponding public key
+openssl rsa -in unencrypted_private_key.pem -pubout -out public_key.pem
+
+# Verify the signature using the public key
+if openssl dgst -sha256 -verify public_key.pem -signature signature.bin data.txt; then
+    echo "Signature verified successfully."
+else
+    echo "Signature verification failed."
+    exit 1
+fi
+
+# Clean up temporary files
+rm unencrypted_private_key.pem
+rm public_key.pem
+#rm password_retrived
+
+echo "Script execution complete."

recipes-support/tpm-test-scripts/tpm-examples/tpm_nv_passphrase_write.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Define the PCR index, NV index, and output file for the AES-256 key
+pcr_index=16
+#user need to define / manually select the nv_index 
+nv_index=0x1400003
+#user can modify the passphrase_size
+passphrase_size=32
+
+# creating a file
+echo "hi everyone" > data.txt
+
+# creating password file 
+echo "tpm!123" > password_file
+
+# Create an encrypted RSA private key with the password file
+if openssl genrsa -aes256 -passout file:password_file -out private_key.pem 2048; then
+    echo "rsa private key is created successfully with the password"
+else
+    echo "key creation failed"
+    exit 1
+fi
+
+# Sign the data with the encrypted private key
+openssl dgst -sha256 -sign private_key.pem -out signature.bin -passin file:password_file data.txt
+echo "data signed successfully"
+
+# Execute tpm2_getcap to get the list of defined NV indexes
+defined_nv_indexes=$(tpm2_getcap handles-nv-index)
+
+# Check if the NV index is defined
+if [[ $defined_nv_indexes == *"$nv_index"* ]]; then
+    echo "NV index $nv_index is defined"
+else
+    echo "NV index $nv_index is not defined. So defining $nv_index"
+    tpm2_nvdefine $nv_index -s $passphrase_size -L policy16.pcr
+fi
+
+# Write the AES-256 key to the TPM NV index with the PCR policy
+if tpm2_nvwrite $nv_index -P pcr:sha256:$pcr_index -i password_file; then
+    echo "password_file is successfully written to TPM NV index."
+else
+    echo "Error: Writing to TPM NV index failed. Please create the NV index first or check whether your pcr.dat or pcr_index is valid."
+    exit 1
+fi
+
+#Clean up temporary files
+rm password_file

recipes-support/tpm-test-scripts/tpm-examples/tpm_nv_read_aes_256.sh

@@ -0,0 +1,27 @@
+# This script shows that the aes key should only be readed from nv memory if the current pcr state gets satisfied.
+#!/bin/bash
+
+# Define the PCR index, NV index, and output file for the AES-256 key
+pcr_index=16
+#user need to define / manually select the nv_index 
+nv_index=0x1400002
+output_file="aes-key"
+aes_key_size=32
+
+# Execute tpm2_getcap to get the list of defined NV indexes
+defined_nv_indexes=$(tpm2_getcap handles-nv-index)
+
+# Check if the NV index is defined
+if [[ $defined_nv_indexes == *"$nv_index"* ]]; then
+    echo "NV index $nv_index is defined"
+else
+    echo "NV index $nv_index is not defined. So can't able to read the value from this nv index $nv_index"
+    exit 1
+fi
+
+# Read the AES-256 key from the TPM NV index with the specified PCR policy
+if tpm2_nvread $nv_index -P pcr:sha256:$pcr_index -s $aes_key_size > $output_file; then
+    echo "AES-256 key successfully read from TPM NV index and saved to $output_file."
+else
+    echo "Error: Reading the TPM NV index failed."
+fi