ぷらっとホーム社のIoTゲートウェイ、OpenBlocks VX1にはTPM2.0(Intel PTT)が搭載されています。OSはDevianですので、Linux上でのTPMの利用方法についてまとめます。ここではOpenBlocks VX1(以降VX1)の設定が完了し、ネットワークに接続された状態を前提として、TPMを利用するための手順をまとめます。
1. TPM2.0の概要
1-1. TPM2.0
TPM2.0には主に2つの実装方法があります。ひとつは専用のチップ、もうひとつはチップセットのファームウェアに組み込まれたものものになります。VX1の場合はIntelのAtom E3805内臓のPTT(Platform Trust Technology)を使いますので後者になります。
1-2. BIOSおよびBootloader
BIOSはシステム起動時に最初に動くをフトウェアになります。Trusted Bootを正しく実現するにはBIOSがTPM2.0に対応しており、プラットフォーム上で起動するソフトウェアを順次計測しTPMに記録する機能をもつ必要があります。
1-3. デバイスドライバ
オペレーティングシステムがTPMにアクセスするためにはデバイスドライバが必要になります。これは Linux,Windows共に対応しています。VX1にはDebian jessie (Linux Kernel 4.4.26) が搭載されており、TPM2.0のドライバが付属していますので、TPM自動的にOSに認識されます。
# dmesg | grep tpm
[ 1.959679] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
[ 7.766968] Modules linked in: i8042(+) serio video backlight tpm_crb snd_soc_sst_acpi rfkill_gpio(+) rfkill
1-4. TSS2.0
TPMを使うためにライブラリとしてTPM2.0用のTSS(TCG Software Stack)が必要となります。TPM1.2とTPM2.0には互換性がないため、TPM1.2用のTSS(Linuxの場合はTrousers)は使えません。TSS2.0のオープンソース実装はIntel,Google,IBMから出ており、Debianの場合は IntelのTSS2.0が標準でサポートされています。
LinuxではVersion 4.11 かそれ以降で、TSS2.0のリソースマネージャーがユーザーランドから LinuxのKernel 内に移動します。ここでは Kernel 4.4.26 を用いるため従来のTSS2.0になります。
$ sudo apt-get install tpm2-tools libsapi0 libsapi-dev libsapi-utils
....
$ sudo systemctl start tpm2-resourcemgr
$ tpm2_listpcrs
2. TPM2.0を使ってみる
2-1. PCR
$ sudo systemctl start tpm2-resourcemgr
$ /usr/sbin/resourcemgr &
$ tpm2_listpcrs
Accept socket: 0x6
Resource Manager TPM CMD Server accepted client
Accept socket: 0x7
Resource Manager Other CMD Server accepted client
Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_00: 9e f0 b7 41 27 e0 41 8d 3e 76 32 35 57 56 f1 7a 63 dc 8d 2d
PCR_01: b2 a8 3b 0e bf 2f 83 74 29 9a 5b 2b df c3 1e a9 55 ad 72 36
PCR_02: b2 a8 3b 0e bf 2f 83 74 29 9a 5b 2b df c3 1e a9 55 ad 72 36
PCR_03: b2 a8 3b 0e bf 2f 83 74 29 9a 5b 2b df c3 1e a9 55 ad 72 36
PCR_04: 44 87 0f 11 b0 76 f5 7a 1c b3 b8 38 3d 06 7a 27 72 00 c3 4f
PCR_05: 8e 8e 34 61 7d b2 99 ee 59 fa ff c9 0d 38 5f 8d 1c 89 a1 7a
PCR_06: b2 a8 3b 0e bf 2f 83 74 29 9a 5b 2b df c3 1e a9 55 ad 72 36
PCR_07: 40 37 33 6f a7 bc 0e ab e3 77 8f cf ff 5f cd 0e e6 ad cd e3
PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_10: c3 ed 4a c5 4c bc 0a ae 1b 16 36 6a c5 51 9c 4e bd 4e dc d6
PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Bank/Algorithm: TPM_ALG_SHA256(0x000b)
PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
OtherCmdServer died (Other CMD), socket: 0x7.
TpmCmdServer died (TPM CMD), rval: 0x00000000, socket: 0x6.
3. 関連情報
- OpenBlocks IoT VX1の製品ページ
- OpenBlocks VX1のマニュアル
- TPM2.0 practical usage by Davide Guerri at FOSDEM 2017
- Minnow Board MAXでfTPM2.0をつかえるようにする話