TPM 2.0 Device Identity Attestation Samples
#!/bin/bash
# TPM 2.0 device identity attestation samples. Each enroll_* function below
# runs one make-credential / activate-credential flow against the local TPM
# and leaves its artifacts (key contexts, public areas, nonces, quotes) in the
# current directory.
# NOTE: every flow begins with tpm2_clear, which wipes the TPM's existing
# persistent objects and hierarchy authorizations.
# NOTE: -x echoes every expanded command line, so the nonce values passed as
# $(cat nonce.*) arguments end up in the trace output.
# Dependencies
# tpm2-tools-4.0.1-1.fc31.x86_64
# tpm2-tss-2.3.1-1.fc31.x86_64
# tpm2-tss-engine-master
set -euxo pipefail
# Go through the kernel resource manager rather than the raw /dev/tpm0 device.
export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
# Print the TPM's transient-object, saved-session and loaded-session handle
# lists via tpm2_getcap; useful for spotting leaked objects between runs.
tpm2_print_handles () {
  local kind
  for kind in transient saved-session loaded-session; do
    tpm2_getcap "handles-${kind}"
  done
}
# Flush every transient object and every saved / loaded session from the TPM
# so a fresh run does not hit resource-exhaustion errors.
tpm2_flush_handles () {
  local what
  for what in transient-object saved-session loaded-session; do
    tpm2_flushcontext "--${what}"
  done
}
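#######################################
# Endorsement-key enrollment: prove the device holds the EK private key by
# having it recover a nonce that was wrapped to the EK public key and the
# EK's object name.
# Outputs:  ek.ctx, ek.pub, ek.yaml, ek.name, nonce.* in the cwd
# Returns:  non-zero (aborting under set -e) if any tool fails or the
#           recovered nonce differs from the generated one
#######################################
enroll_with_ek () {
  echo "Enrolling with Endorsement Key"
  # Clear the TPM (drops existing persistent objects and hierarchy auths)
  tpm2_clear
  # Create Endorsement Key as a primary in the endorsement hierarchy
  tpm2_createprimary -c ek.ctx -C e
  tpm2_readpublic -c ek.ctx -o ek.pub > ek.yaml
  # The object name (hash of the public area) is what binds the credential
  # to this key; grep's non-zero status on a missing line aborts under -e
  grep '^name:' ek.yaml | awk '{ print $2 }' > ek.name
  # Generate the nonce and credential for challenge. A real verifier does
  # this on its own side, needing only ek.pub and ek.name from the device.
  openssl rand -hex 6 > nonce.plain
  tpm2_makecredential -T none -e ek.pub -s nonce.plain -n "$(cat ek.name)" -o nonce.encrypted
  # Decrypt nonce with Endorsement Key (the EK is both the activated object
  # and the key that unwraps the credential here)
  tpm2_activatecredential -c ek.ctx -C ek.ctx -i nonce.encrypted -o nonce.decrypted
  # Validate nonce
  diff nonce.decrypted nonce.plain
}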
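#######################################
# Start a policy session satisfied by the endorsement hierarchy's
# authorization (TPM2_RH_ENDORSEMENT = 0x4000000B), which the default EK
# policy requires for any use of the EK.
# Arguments: $1 - path of the session context file to create
#######################################
_srk_start_ek_policy_session () {
  local -r session=$1
  local -r endorsement_hierarchy=0x4000000B
  tpm2_startauthsession --policy-session -S "$session"
  tpm2_policysecret -S "$session" -c "$endorsement_hierarchy"
}

#######################################
# Storage-root-key enrollment: create a restricted decryption key (SRK)
# under the EK, persist it, then prove possession by activating a
# credential bound to the SRK's name while the EK (its parent) unwraps it.
# Outputs:  ek.*, srk.*, session.ctx, nonce.* in the cwd; the SRK is
#           persisted at handle 0x81010002
# Returns:  non-zero (aborting under set -e) if any tool fails or the
#           recovered nonce differs from the generated one
#######################################
enroll_with_srk () {
  local -r srk_handle=0x81010002
  echo "Enrolling with Storage Root Key"
  # Clear the TPM (drops existing persistent objects and hierarchy auths)
  tpm2_clear
  # Create Endorsement Key
  tpm2_createek -c ek.ctx
  tpm2_readpublic -c ek.ctx -o ek.pub > ek.yaml
  grep '^name:' ek.yaml | awk '{ print $2 }' > ek.name
  # Create Storage Root Key. A policy session is consumed by the command it
  # authorizes, so each EK-authorized command gets a fresh session that is
  # flushed afterwards.
  _srk_start_ek_policy_session session.ctx
  tpm2_create -C ek.ctx -P "session:session.ctx" -G rsa2048 -u srk.pub -r srk.priv \
    -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth'
  tpm2_flushcontext session.ctx
  _srk_start_ek_policy_session session.ctx
  tpm2_load -C ek.ctx -P "session:session.ctx" -u srk.pub -r srk.priv -c srk.ctx
  tpm2_flushcontext session.ctx
  tpm2_evictcontrol -C o -c srk.ctx "$srk_handle"
  tpm2_readpublic -c srk.ctx > srk.yaml
  grep '^name:' srk.yaml | awk '{ print $2 }' > srk.name
  # Generate the nonce and credential for challenge, bound to the SRK's name
  openssl rand -hex 6 > nonce.plain
  tpm2_makecredential -T none -e ek.pub -s nonce.plain -n "$(cat srk.name)" -o nonce.encrypted
  # Decrypt nonce with Endorsement Key: the EK unwraps the credential, the
  # persisted SRK is the activated object whose name must match
  _srk_start_ek_policy_session session.ctx
  tpm2_activatecredential -C ek.ctx -P "session:session.ctx" -c "$srk_handle" -i nonce.encrypted -o nonce.decrypted
  tpm2_flushcontext session.ctx
  # Validate nonce
  diff nonce.decrypted nonce.plain
}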
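#######################################
# Attestation-key enrollment: create a restricted signing key (AK) under the
# EK, activate a credential bound to the AK's name, then use the recovered
# nonce as qualifying data for a PCR quote and verify the quote the way a
# server would, against its own copy of the nonce.
# Outputs:  ek.*, ak.*, session.ctx, nonce.*, quote.* in the cwd; the AK is
#           persisted at handle 0x81010002
# Returns:  non-zero (aborting under set -e) if any tool fails or the quote
#           does not verify against ak.pem and nonce.plain
#######################################
enroll_with_ak () {
  local -r ak_handle=0x81010002
  local -r TPM2_RH_ENDORSEMENT=0x4000000B
  echo "Enrolling with Atestation Key"
  # Clear the TPM (drops existing persistent objects and hierarchy auths)
  tpm2_clear
  # Create Endorsement Key
  tpm2_createek -c ek.ctx -G rsa -u ek.pub
  # Create Attestation Key (RSA, SHA-256, RSASSA) and persist it
  tpm2_createak -C ek.ctx -c ak.ctx -G rsa -g sha256 -s rsassa
  tpm2_evictcontrol -C o -c ak.ctx "$ak_handle"
  # ak.pem is the public key a verifier needs for tpm2_checkquote
  tpm2_readpublic -c ak.ctx -f pem -o ak.pem > ak.yaml
  grep '^name:' ak.yaml | awk '{ print $2 }' > ak.name
  # Generate the nonce and credential for challenge, bound to the AK's name
  openssl rand -hex 6 > nonce.plain
  tpm2_makecredential -e ek.pub -s nonce.plain -n "$(cat ak.name)" -o nonce.encrypted
  # Decrypt nonce with Endorsement Key; the EK policy is satisfied by a
  # policy session carrying the endorsement hierarchy's authorization
  tpm2_startauthsession --policy-session -S session.ctx
  tpm2_policysecret -S session.ctx -c "$TPM2_RH_ENDORSEMENT"
  tpm2_activatecredential -c "$ak_handle" -C ek.ctx -i nonce.encrypted -o nonce.decrypted -P "session:session.ctx"
  tpm2_flushcontext session.ctx
  # Generate Attestation Quote over PCRs 0-9, using the recovered nonce as
  # qualifying data so the quote is tied to this challenge
  tpm2_quote -c "$ak_handle" -l sha256:0,1,2,3,4,5,6,7,8,9 -q "$(cat nonce.decrypted)" -m quote.message -s quote.signature -o quote.pcrs -g sha256
  # Validate Attestation Quote in the server: checked against the nonce the
  # verifier generated (nonce.plain), never the device-reported one
  tpm2_checkquote -u ak.pem -m quote.message -s quote.signature -f quote.pcrs -g sha256 -q "$(cat nonce.plain)"
}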
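#######################################
# CSR enrollment: create an unrestricted ECDSA signing key under the EK,
# persist it, produce a certificate signing request for it through the
# tpm2tss OpenSSL engine, then prove possession of that same key with a
# credential activation (the EK unwraps, the persisted key is activated).
# Outputs:  ek.*, key.*, csr.cnf, key.csr, nonce.* in the cwd; the key is
#           persisted at handle 0x817FFFFF
# Returns:  non-zero (aborting under set -e) if any tool fails or the
#           recovered nonce differs from the generated one
#######################################
enroll_with_csr () {
  local -r key_handle=0x817FFFFF
  echo "Enrolling with Certificate Signing Request"
  # Clear the TPM (drops existing persistent objects and hierarchy auths)
  tpm2_clear
  # Create Endorsement Key
  tpm2_createprimary -c ek.ctx -C e
  tpm2_readpublic -c ek.ctx -o ek.pub > ek.yaml
  grep '^name:' ek.yaml | awk '{ print $2 }' > ek.name
  # Create Private Enrollment Key: ECDSA signing key bound to this TPM and
  # parent; 'noda' exempts it from dictionary-attack lockout accounting
  tpm2_create -C ek.ctx -G ecc:ecdsa -g sha256 -u key.pub -r key.priv -a 'sign|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda'
  tpm2_load -C ek.ctx -u key.pub -r key.priv -c key.ctx
  tpm2_evictcontrol -C o -c key.ctx "$key_handle"
  tpm2_readpublic -c key.ctx > key.yaml
  grep '^name:' key.yaml | awk '{ print $2 }' > key.name
  # Generate the Certificate Signing Request. The subject is a fixed sample
  # value; default_bits is presumably unused because the key is supplied
  # via -key rather than generated here.
  printf '%s\n' \
    '[ req ]' \
    'default_bits = 2048' \
    'distinguished_name = req_distinguished_name' \
    'prompt = no' \
    '[ req_distinguished_name ]' \
    'C = US' \
    'ST = Oregon' \
    'L = Hillsboro' \
    'O = Intel Corp' \
    'OU = Internet of Things Group' \
    'CN = test@intel.com' \
    > csr.cnf
  # The tpm2tss engine resolves the persistent handle to the TPM-resident
  # private key, so the CSR is signed without the key ever leaving the TPM
  openssl req -new -key "$key_handle" -engine tpm2tss -keyform engine -out key.csr -config csr.cnf
  # Generate the nonce and credential for challenge, bound to the key's name
  openssl rand -hex 6 > nonce.plain
  tpm2_makecredential -T none -e ek.pub -s nonce.plain -n "$(cat key.name)" -o nonce.encrypted
  # Decrypt nonce with Endorsement Key
  tpm2_activatecredential -c "$key_handle" -C ek.ctx -i nonce.encrypted -o nonce.decrypted
  # Validate nonce
  diff nonce.decrypted nonce.plain
}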
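# Dispatch on the first argument; anything else prints usage to stderr and
# exits non-zero. printf replaces the $"..." locale-translation form, which is
# a bashism with no message catalog here, and the diagnostic goes to stderr so
# it does not mix with the enrollment flow's stdout.
case "${1-}" in
  ek)
    enroll_with_ek
    ;;
  srk)
    enroll_with_srk
    ;;
  ak)
    enroll_with_ak
    ;;
  csr)
    enroll_with_csr
    ;;
  *)
    printf 'Usage %s {ek|srk|ak|csr}\n' "$0" >&2
    exit 1
    ;;
esac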