STPM package functionality
weinhold at os.inf.tu-dresden.de
Fri Mar 6 17:57:26 CET 2009
On 06.03.2009 at 17:01, Alexander Valitov wrote:
> I've got hardware with TPM on board (Infineon SLB9635TT1.2). I've just
> discovered STPM package and have several questions about it:
> 1. What kind of functionality is provided by the package? Is it just
> for TPM and TPM emulator?
It includes various TPM drivers that can be used through the STPM
interface. This interface basically allows you to send a command blob
to the TPM and receive the blob with the encoded response. Then
there's our L4 port of the TPM emulator, which is intended to be used
as a virtual TPM. It can be used instead of a hardware TPM, but there
is at least some work that still needs to be done for that.
The package also includes a version of libtcg, which provides commands
such as TPM_Seal() and TPM_Unseal(). It uses the STPM interface to
talk to the TPM. Our version of libtcg does not support all TPM
commands, but the most common ones are there. This library is similar
to libtpm on Linux.
> 2. There are some examples in the package. What do they do? I mean
> what use case do they demonstrate: memory sealing, key storing, signature
> generation, SHA1 generation, RSA en(de)cryption, trusted boot?
The only really useful example is probably 'tpmrun', which is an
interactive shell that allows you to play with the TPM and do basic
things such as creating/loading keys, creating signatures, etc. It can
talk to a standalone version of the TIS driver (stpm-l4-tis) or a
virtual TPM based on the aforementioned TPM emulator.
> How should they
> be started (module options, grub menu.lst, on what hardware)?
On real hardware: either launch stpm-l4-tis and a client such as
tpmrun, or build your own program that links against libstmp-l4-tis.o.a
and libtcg (+ dependencies). The tpmrun example needs l4con.
> 3. Is my TPM chip (Infineon SLB9635TT1.2) supported?
There are multiple drivers and your v1.2 TPM should be supported by
the TIS driver (libstpm-l4-tis.o.a or stpm-l4-tis).
> 4. What general use cases could you imagine for TPM module in L4
> environment? What is it intended for?
Authenticated booting, sealed storage, remote attestation, ...
As for authenticated booting, the directory contrib/oslo contains a
secure boot loader, which is described here:
Please note: we do not provide any support for things that are
described in the TCG specs, like which commands to send to the TPM,
what keys to use, or how to extend libtcg. So using all this stuff
beyond the basic examples provided requires quite some knowledge about
trusted computing and TPMs.
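To make the "command blob in, response blob out" model of the STPM interface concrete, here is an added example in C (not code from the STPM package or from this thread) that encodes a TPM 1.2 TPM_PCRRead command and decodes its response; the tags, ordinal and field layout are those of the TCG 1.2 Main Specification, the sample response bytes are constructed, and the actual STPM send/receive call is left out because its signature is not given on this page.

```c
#include <stdint.h>
#include <string.h>

/* TPM 1.2 wire constants (TCG Main Specification, Part 2); all fields are big-endian. */
#define TPM_TAG_RQU_COMMAND 0x00C1u
#define TPM_TAG_RSP_COMMAND 0x00C4u
#define TPM_ORD_PcrRead     0x00000015u
#define PCRREAD_CMD_LEN 14u   /* 10-byte header + 4-byte pcrIndex */
#define PCRREAD_RSP_LEN 30u   /* 10-byte header + 20-byte TPM_PCRVALUE */
static void put_be16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put_be32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Encode a TPM_PCRRead command blob; returns its length, or 0 if buf is too small. */
size_t tpm_build_pcrread(uint8_t *buf, size_t cap, uint32_t pcr_index) {
    if (cap < PCRREAD_CMD_LEN) return 0;
    put_be16(buf, TPM_TAG_RQU_COMMAND);
    put_be32(buf + 2, PCRREAD_CMD_LEN);   /* paramSize = length of the whole blob */
    put_be32(buf + 6, TPM_ORD_PcrRead);   /* ordinal */
    put_be32(buf + 10, pcr_index);
    return PCRREAD_CMD_LEN;
}

/* Decode a TPM_PCRRead response: 0 with digest filled on success, the TPM return code
 * on a TPM-reported error, -1 if malformed. The paramSize the TPM claims is checked
 * against the bytes actually received before anything past the header is read. */
int tpm_parse_pcrread(const uint8_t *rsp, size_t len, uint8_t digest[20]) {
    if (len < 10 || ((rsp[0] << 8) | rsp[1]) != TPM_TAG_RSP_COMMAND) return -1;
    uint32_t param_size = get_be32(rsp + 2);
    if (param_size < 10 || param_size > len) return -1;
    uint32_t rc = get_be32(rsp + 6);
    if (rc != 0) return (int)rc;
    if (param_size != PCRREAD_RSP_LEN) return -1;
    memcpy(digest, rsp + 10, 20);
    return 0;
}
/* Constructed sample blobs (not captured from a real TPM): a success response
 * carrying PCR value 0x11...0x11, and an error response with return code 3. */
static const uint8_t sample_rsp[PCRREAD_RSP_LEN] = { 0x00, 0xC4, 0, 0, 0, 0x1E, 0, 0, 0, 0,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11 };
static const uint8_t sample_err_rsp[10] = { 0x00, 0xC4, 0, 0, 0, 0x0A, 0, 0, 0, 0x03 };
/* Round trip: build the request (the STPM transport step is omitted) and parse the reply. */
int demo_pcrread(void) {
    uint8_t cmd[PCRREAD_CMD_LEN], digest[20];
    if (tpm_build_pcrread(cmd, sizeof cmd, 17) != PCRREAD_CMD_LEN) return -2;
    if (tpm_parse_pcrread(sample_rsp, sizeof sample_rsp, digest) != 0) return -3;
    return memcmp(digest, sample_rsp + 10, 20) == 0 ? 0 : -4;
}
```

A driver such as stpm-l4-tis would carry exactly these 14 bytes to the chip and hand back the 30-byte reply; the length check in the parser is what keeps a short or corrupted reply from being read past its end.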