Want to use TPM as localCA #788

Closed
shuk777 opened this issue Feb 21, 2023 · 5 comments
Comments


shuk777 commented Feb 21, 2023

I would like to sign a vTPM EK certificate with a hardware TPM to build a trust chain from TPM to vTPM; is there any way to do so?

shuk777 changed the title from "Want to use TPM" to "Want to use TPM as localCA" on Feb 21, 2023
@stefanberger (Owner)

You would have to use a pkcs11 driver for TPM 2 (such as https://github.com/tpm2-software/tpm2-pkcs11) and use it for signing the certificate of the swtpm. For this you would have to have a signing key in the pkcs11 device and determine the pkcs11 URI of the key. There's a test case using softhsm as a pkcs11 device in this repo that shows how this can be done: https://github.com/stefanberger/swtpm/blob/master/tests/test_tpm2_swtpm_localca_pkcs11.test

For this to work you need to modify an existing swtpm-localca.conf file to contain the pkcs11 URI of the key, and possibly also its PIN, rather than the typical name of the private key file:

cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
statedir = ${workdir}
signingkey = ${pkcs11uri//;/\\;}
issuercert = ${ISSUERCERT}
certserial = ${CERTSERIAL}
SWTPM_PKCS11_PIN = ${PIN}
_EOF_

The challenge is likely to setup the pkcs11 device to provide the signing key.
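The heredoc above relies on a bash-only substitution (`${pkcs11uri//;/\\;}`) to escape the semicolons of the PKCS#11 URI, and the file it produces carries the user PIN in clear text. The following is an added example, not code from swtpm or from this thread: a POSIX sh helper that writes a swtpm-localca.conf with the URI escaped the same way (via sed), creates the file with mode 0600 because of the PIN (that permission choice is this example's own; the thread only shows `--group tss`), and reads the values back so a script can check which kind of signing key the CA is configured with. The function and key names are this example's, not swtpm's.

```shell
#!/bin/sh
# Added example (not swtpm project code): write and read a swtpm-localca.conf
# whose signingkey is a PKCS#11 URI. Every ';' in the URI has to be written as
# '\;' in the file, which is what the project's test case does with
# ${pkcs11uri//;/\\;}; this does the same in POSIX sh.

# Escape every ';' in a PKCS#11 URI as '\;' for the config file.
escape_pkcs11_uri() {
    printf '%s\n' "$1" | sed 's/;/\\;/g'
}

# Reverse of escape_pkcs11_uri, to recover the URI from a config value.
unescape_pkcs11_uri() {
    printf '%s\n' "$1" | sed 's/\\;/;/g'
}

# write_localca_conf STATEDIR PKCS11_URI ISSUERCERT CERTSERIAL PIN OUTFILE
# The file holds the PKCS#11 user PIN in clear text, so it is recreated with
# mode 0600 (this example's choice; give it to the user/group that runs
# swtpm_localca, e.g. via chgrp tss, if that is not root).
write_localca_conf() {
    statedir=$1; uri=$2; issuercert=$3; certserial=$4; pin=$5; out=$6
    rm -f "$out"
    (
        umask 077
        {
            printf 'statedir = %s\n' "$statedir"
            printf 'signingkey = %s\n' "$(escape_pkcs11_uri "$uri")"
            printf 'issuercert = %s\n' "$issuercert"
            printf 'certserial = %s\n' "$certserial"
            printf 'SWTPM_PKCS11_PIN = %s\n' "$pin"
        } > "$out"
    )
    chmod 600 "$out"
}

# localca_conf_get FILE KEY: print the raw (still escaped) value of KEY.
localca_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# localca_conf_uses_pkcs11 FILE: succeed if signingkey is a PKCS#11 URI rather
# than the path of a private key file (the case swtpm_localca reports as
# "CA uses a PKCS#11 key; using SWTPM_PKCS11_PIN").
localca_conf_uses_pkcs11() {
    case "$(localca_conf_get "$1" signingkey)" in
        pkcs11:*) return 0 ;;
        *)        return 1 ;;
    esac
}
```

The escaped form written by `write_localca_conf` matches the `signingkey = pkcs11:...\;manufacturer=IBM\;...` line that swtpm-create-tpmca prints further down in this thread; `unescape_pkcs11_uri` gives back the URI as tpm2_ptool or p11tool would report it.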

@stefanberger (Owner)

Actually, you could also try to follow this man page here for setting up the CA -- look for TPM 2 as CA: https://github.com/stefanberger/swtpm/blob/master/man/man8/swtpm-create-tpmca.pod#example

@stefanberger (Owner)

This here is the workflow on Fedora (as root):

> dnf -y install swtpm-tools-pkcs11
[...]
> tpm2_ptool init
action: Created
id: 1

> SWTPM_PKCS11_PIN="mypin 123" SWTPM_PKCS11_SO_PIN=123 /usr/share/swtpm/swtpm-create-tpmca \
                       --dir /var/lib/swtpm-localca \
                       --overwrite \
                       --outfile /etc/swtpm-localca.conf \
                       --group tss \
                       --tpm2 \
                       --pid 1
/usr/share/swtpm/swtpm-create-tpmca: line 407: tpmtool: command not found               # Will fix this
Reusing existing root CA
statedir = /var/lib/swtpm-localca
signingkey = pkcs11:model=SW%20%20%20TPM%00%00%00%00%00%00%00%00\;manufacturer=IBM\;serial=0000000000000000\;token=swtpm-tpmca-1\;id=%31\;object=swtpm-tpmca-key\;type=private
issuercert = /var/lib/swtpm-localca/swtpm-localca-tpmca-cert.pem
certserial = /var/lib/swtpm-localca/certserial
SWTPM_PKCS11_PIN = mypin 123

> swtpm_setup --tpm2 --tpmstate ./ --create-ek-cert
Starting vTPM manufacturing as root:root @ Wed 22 Feb 2023 01:32:33 PM EST
TPM is listening on Unix socket.
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/bin/swtpm_localca --type ek --ek ba3bc8d04d22fb763194c0edc3f7b254a9003add05eb05363e9a7a9307c1d03266f7110ca845dfc0e765688f6369c2fc6ec8cc0b4d288a30bd36902a78006afbdda5b4c3dae75f7e165011e09ee97383b64dc75ba4f0fb59c4dca00a0158291738684526dfa957f508b8af799adda3685463ae3e82f2789fd853623571f84d0d32586fb7538d7afd008c7f837d16c070c56c10237c6071a65555c9f8ef7ee555bf1b39c613b09376b774cd829d07a393230bbb79a8c0ffae332612b41669afab3aa14e9738335e640eeb9413ae6a0057ccc13d76609729621e637d3028335b55368c0c710ada0008c34e5391a3b51ba9fb4aad9e2e8ce793b71269be6e2bcaad --dir /tmp/swtpm_setup.certs.RNIO01 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
swtpm_localca: CA uses a PKCS#11 key; using SWTPM_PKCS11_PIN                    <----- PKCS11 device is being used for signing
swtpm_localca: Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
Successfully created ECC EK with handle 0x81010016.
  Invoking /usr/bin/swtpm_localca --type ek --ek x=33c7311692aab1333df78594681db65ada0208c834add9d9aa9ac31949761ee4f950a1e1f88908fb9240d065e0edbbef,y=4b949af7ca7e78d48d1476ddedfe81519ed83efdb92cf7688982a60eae4b53ecca5d025e05f3cb1d6e72f0859e6cb8e6,id=secp384r1 --dir /tmp/swtpm_setup.certs.RNIO01 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
swtpm_localca: CA uses a PKCS#11 key; using SWTPM_PKCS11_PIN                    <----- PKCS11 device is being used for signing
swtpm_localca: Successfully created EK certificate locally.
Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Wed 22 Feb 2023 01:32:33 PM EST

The tool needs some minor updating because tpmtool is now missing on Fedora, but otherwise the packages are all available and ready to be used.
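Once swtpm_setup has written the EK certificates into the vTPM (NV indices 0x1c00002 and 0x1c00016 above), the thing worth checking is that each EK certificate really chains to the root through the TPM-CA certificate (the `issuercert` of the config, swtpm-localca-tpmca-cert.pem), and that nothing less than that chain is accepted. The following is an added example, not code from swtpm or from this thread. Because the verifier cannot talk to a TPM, it builds a stand-in three-level chain with openssl software keys (root CA, a "TPM CA" standing in for the key held in the hardware TPM, and an "EK" leaf standing in for the certificate read out of the vTPM's NV index) and then runs the same `openssl verify` you would run against the real files. The config sections, subject names and function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not swtpm project code): verify that an EK certificate chains
# root -> TPM CA -> EK. The three certificates are constructed here with
# openssl software keys only so that the check can run offline; on a real host
# the EK cert comes out of the vTPM's NV index and the middle cert is
# swtpm-localca-tpmca-cert.pem.

# Minimal openssl config carrying the two extension profiles we need.
write_ext_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ek]
basicConstraints = critical, CA:FALSE
EOF
}

# build_demo_chain DIR: constructed stand-in chain, root.pem -> tpmca.pem -> ek.pem.
build_demo_chain() {
    dir=$1
    write_ext_cnf "$dir/ext.cnf"
    # Self-signed root CA (what swtpm-create-tpmca "reuses" above).
    openssl req -x509 -new -config "$dir/ext.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=swtpm-localca root' \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # TPM CA: in the real setup this key lives in the hardware TPM behind PKCS#11.
    openssl req -new -config "$dir/ext.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=swtpm-tpmca' -keyout "$dir/tpmca.key" -out "$dir/tpmca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/tpmca.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$dir/ext.cnf" -extensions v3_ca \
        -out "$dir/tpmca.pem" 2>/dev/null
    # EK certificate: in the real setup this is what swtpm_localca --type ek produces.
    openssl req -new -config "$dir/ext.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=vTPM EK' -keyout "$dir/ek.key" -out "$dir/ek.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ek.csr" -CA "$dir/tpmca.pem" -CAkey "$dir/tpmca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$dir/ext.cnf" -extensions v3_ek \
        -out "$dir/ek.pem" 2>/dev/null
}

# verify_ek_chain ROOT TPMCA EK: succeed only if EK was issued by TPMCA and
# TPMCA by ROOT. Only ROOT is a trust anchor; the TPM-CA cert is passed as
# untrusted chain material, exactly as a verifier on another host would do.
verify_ek_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# Stand-alone run: build the constructed chain and verify it.
demo_dir=$(mktemp -d)
build_demo_chain "$demo_dir"
verify_ek_chain "$demo_dir/root.pem" "$demo_dir/tpmca.pem" "$demo_dir/ek.pem"
rm -rf "$demo_dir"
```

Against a real deployment, replace the constructed files with the root certificate from `/var/lib/swtpm-localca`, `swtpm-localca-tpmca-cert.pem` as the untrusted intermediate, and the EK certificate read from the vTPM's NV index (converted from DER to PEM). Note that `openssl verify` refuses the EK certificate when only the root is supplied and the TPM-CA certificate is omitted: a relying party must be given the intermediate, or the chain is broken even though every signature is valid.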


shuk777 commented Mar 3, 2023

Awesome! Thanks for your help.

@stefanberger (Owner)

I'll let you close this issue if it's resolved. Thanks.

@shuk777 shuk777 closed this as completed Mar 22, 2023