Skip to content
Permalink
9cc43eec11
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

cse4400-2024spring/projects/prj4/prj4.md

Go to file
 
 
Cannot retrieve contributors at this time
TPM Install Docker and TPM Tasks Task 1 Set up the environment and generate random bytes Task 2 Experiment with objects Task 3 Keys and encryption/decryption/signing/verification Task 4: Quoting Task 5: Sealing and unsealing Deliverables
145 lines (91 sloc) 5.08 KB
Raw Blame

TPM

Deadline: Friday, 4/26/2024. Submit the report in HuskyCT.

In this project, we experiment with TPM.

We will first follow the course from the following repo. There are detailed instructions in files under docs directory.

TPM 2.0 Courses

The list of tutorials in the course is in the docs folder.

List of tutorials

The manual of TPM2 commands is on the following page.

TPM2 tools manual

Install Docker and TPM

The environment for this project is in a docker container. See docker.md for details. Be careful about removing containers. A container can be stopped and resumed. However, if you delete a container, all files in that container will be lost.

Here are some commonly used commands, assuming the container's name is tpm.

# start a container 
docker run --name tpm -it tpmcourse:latest

# start a stopped container
docker start tpm

# run a command in a running container
docker exec -it tpm bash

# stop a running container
docker stop tpm

We can restart the TPM with the shell script tpm2restart.sh.

Tasks

Task 1 Set up the environment and generate random bytes

After setting up the docker container, study the tutorial in random.md.

Includ the following tasks in your report.

  • Generate 16 random bytes and display them on screen in hexadecimal.

  • Find out the largest number of random values that can be generated by the command. What happens if we ask for more random numbers?

Task 2 Experiment with objects

Study the tutorial and try the commands in objects.md.

  • Do not set "lockout" password in this project. If you forget any password, we can use tpm2_clear to clear the passwords.

  • Do not need to try "Dictionary Lockout" and "Locality" sections.

Clear all passwords before working on later tasks (so we do not need to enter passwords). To clear a password, just leave the new password empty.

Includ the following tasks in your report.

  • Assume no password is set. Set the owner's password to "ABCDE".
  • Try the same command. What messages are shown? Explain why it is not successful.
  • Change the owner's password to "123456".
  • Try to change the password again. What messages are shonw? Explain why it is not successful.
  • Clear the owner's password.

Task 3 Keys and encryption/decryption/signing/verification

Study the tutorial and try the commands in key.md. Skip the "Loading External Keys". We need the keys in the "Special keys" section in later tasks.

In this project, we do not have to make a key persistent. We can use the context file in place of a handle.

The main purpose is to learn how to generate AES/RSA keys and use the keys to encrypt/decrypt/sign/verify messages.

Include the following tasks in the report.

  • Generate AES key in owner's hierarchy, encrypt a plaintext file with an IV, and then decrypt it. The command in the tutorial does not have IV file. We generate 16 random bytes as IV. The same IV is required for decrypton. Find out what happens if we do not specify IV when decrypting. Can the command encrypt the largest file in the directory?

  • Generate an RSA key pair in owner's hierarchy, and demostrate encryption, decryption, signing and verification with the key.

  • Demostrate that you can decrypt the ciphertext after the TPM restarts.

Task 4: Quoting

Study the tutorials and try the commands in pcrs.md and quoting.md.

We will use PCR 23 in SHA1 bank.

Include the following tasks in the report.

  • Reset PCR 23, extend it with h.txt, find out the value in PCR 23. The SHA1 hash of the file ends with 0399. The updated PCR 23 value ends with 4881.

  • Generate endorsement key (EK) and an attestation key (AK). The instructions are in keys.md. Generate a quote with tpm2_quote for PRC 23 (in SHA1 bank), which has the hash from the previoius step. Run tpm2_print to examine the quote.

  • If we do not make AK persistent, can we use the same AK after restarting TPM? Explain your answer.

Task 5: Sealing and unsealing

Now we experiement with sealing secret with key and measurements.

  • We create a policy that specifies the set of PCRs to be used in sealing. The "Policy Creation" section in nvram.md has examples of creating policy. We will include PCR 23 (SHA1) only in our policy (and we can easily include more PCRs). PCR 23 must have the hash value extended by h.txt from 0.

    Note that if PCR 23 has the correct hash value, we do not need to use the -f option for tpm2_createpolicy.

  • Seal file secret with the primary key in owner's hierarchy and the policy created in the previous step. Demostrate that you can unseal the blob.

  • Demostrate that if PCR 23 does not have the correct value, you cannot unseal the blob.

  • Demostrate that you can unseal the the blob after restarting the TPM.

Deliverables

Submit a PDF file that includes commands you used in each Task and the results in screenshots.