STPM package functionality

Carsten Weinhold weinhold at
Fri Mar 6 17:57:26 CET 2009

On 06.03.2009 at 17:01, Alexander Valitov wrote:

> Hi,

Hi Alexander!

> I've got hardware with a TPM on board (Infineon SLB9635TT1.2). I've just
> discovered the STPM package and have several questions about it:
> 1. What kind of functionality is provided by the package? Is it just a
> driver for the TPM and a TPM emulator?

It includes various TPM drivers that can be used through the STPM
interface. This interface basically allows you to send a command blob
to the TPM and receive the blob with the encoded response. Then
there's our L4 port of the TPM emulator, which is intended to be used
as a virtual TPM. It can be used instead of a hardware TPM, but there
is at least some work that still needs to be done for that.

The package also includes a version of libtcg, which provides commands
such as TPM_Seal() and TPM_Unseal(). It uses the STPM interface to
talk to the TPM. Our version of libtcg does not support all TPM
commands, but the most common ones are there. This library is similar
to libtpm on Linux.

> 2. There are some examples in the package. What do they do? I mean,
> what use case do they demonstrate: memory sealing, key storing, signature
> generation, SHA1 generation, RSA en(de)cryption, trusted boot?

The only really useful example is probably 'tpmrun', which is an
interactive shell that allows you to play with the TPM and do basic
things such as creating/loading keys, creating signatures, etc. It can
talk to a standalone version of the TIS driver (stpm-l4-tis) or a
virtual TPM based on the aforementioned TPM emulator.

> How should they be started (module options, grub menu.lst, on what
> hardware)?

On real hardware: either launch stpm-l4-tis and a client such as
tpmrun, or build your own program that links against
libstpm-l4-tis.o.a and libtcg (+ dependencies). The tpmrun example
needs l4con.

> 3. Is my TPM chip (Infineon SLB9635TT1.2) supported?

There are multiple drivers and your v1.2 TPM should be supported by
the TIS driver (libstpm-l4-tis.o.a or stpm-l4-tis).

> 4. What general use cases could you imagine for a TPM module in an L4
> environment? What is it intended for?

Authenticated booting, sealed storage, remote attestation, ...

As for authenticated booting, the directory contrib/oslo contains a
secure boot loader, which is described here:

Please note: we do not provide any support for things that are
described in the TCG specs, like which commands to send to the TPM,
what keys to use, or how to extend libtcg. So using all this stuff
beyond the basic examples provided requires quite some knowledge about
trusted computing and TPMs.
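The blob-level STPM interface described above, shown as an added example that is not code from the STPM package or from this thread: it encodes a TPM 1.2 TPM_PCRRead request and validates the reply header, using the tag and ordinal values from the TCG 1.2 specification; the sample replies are constructed, not captured from hardware.

```python
import struct

# TPM 1.2 wire-format constants (TCG TPM Main Specification, v1.2).
TPM_TAG_RQU_COMMAND = 0x00C1   # request without an authorization session
TPM_TAG_RSP_COMMAND = 0x00C4   # response without an authorization session
TPM_ORD_PcrRead = 0x00000015
TPM_SUCCESS = 0

# Both directions share a 10-byte header: tag, paramSize, then the ordinal
# (request) or returnCode (response). All fields are big-endian.
HEADER = struct.Struct(">HII")


def build_command(ordinal: int, params: bytes = b"") -> bytes:
    """Encode a TPM 1.2 command blob; paramSize counts the header too."""
    return HEADER.pack(TPM_TAG_RQU_COMMAND, HEADER.size + len(params), ordinal) + params


def build_pcr_read(pcr_index: int) -> bytes:
    """TPM_PCRRead takes one parameter: the 4-byte PCR index."""
    return build_command(TPM_ORD_PcrRead, struct.pack(">I", pcr_index))


def parse_response(blob: bytes) -> bytes:
    """Check a response blob's header and return its payload.

    Raises ValueError on a truncated or mis-sized blob, a wrong tag, or a
    non-zero return code, so an error reply is never mistaken for data.
    """
    if len(blob) < HEADER.size:
        raise ValueError("response shorter than the TPM header")
    tag, size, rc = HEADER.unpack_from(blob)
    if tag != TPM_TAG_RSP_COMMAND:
        raise ValueError(f"unexpected response tag 0x{tag:04x}")
    if size != len(blob):
        raise ValueError(f"paramSize {size} != blob length {len(blob)}")
    if rc != TPM_SUCCESS:
        raise ValueError(f"TPM returned error 0x{rc:08x}")
    return blob[HEADER.size:]


def pcr_value_from_response(blob: bytes) -> bytes:
    """A successful TPM_PCRRead reply carries exactly one 20-byte SHA-1 digest."""
    payload = parse_response(blob)
    if len(payload) != 20:
        raise ValueError(f"expected a 20-byte PCR value, got {len(payload)}")
    return payload


# Constructed sample replies (not captured from real hardware): an all-zero PCR
# and an error reply with a non-zero return code and no payload.
SAMPLE_PCR_RESPONSE = HEADER.pack(TPM_TAG_RSP_COMMAND, HEADER.size + 20, TPM_SUCCESS) + bytes(20)
SAMPLE_ERROR_RESPONSE = HEADER.pack(TPM_TAG_RSP_COMMAND, HEADER.size, 0x00000003)
```

A caller of the STPM interface would hand the bytes from build_pcr_read() to the driver and pass the returned blob through pcr_value_from_response() before trusting it.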
