Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
prj4
Jerry Shi committed Apr 5, 2024
1 parent d59e11d, commit 9cc43ee
Showing 5 changed files with 316 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,147 @@ | ||
# Docker commands | ||
|
||
## To run docker | ||
|
||
Here are some docker commands useful in this project. | ||
|
||
If docker is not installed, install it. | ||
|
||
sudo apt install docker.io | ||
|
||
Follow the instructions in the TPM course repo. To run docker, the current user | ||
should be in group docker. Use `id` command to check. The following command add | ||
the current user into docker group. | ||
|
||
sudo usermod -a -G docker $USER | ||
|
||
After adding the user into the group, log out and log in again to activate | ||
the new group. Or use the following command to log in again. | ||
|
||
exec su -l $USER | ||
|
||
## Build the images | ||
|
||
The command to build the images is as follows. It takes a long time (10 | ||
minutes?) to complete. Be patient. | ||
|
||
docker build -t tpmcourse:latest . | ||
|
||
There is a prebuilt image on [Docker | ||
Hub](https://hub.docker.com/r/nokia/tpmcourse). The page also has the command | ||
to pull the image. | ||
|
||
## Run the docker container | ||
|
||
Once we have a docker image, we can start it and we get a container. A docker | ||
image is like a program and a container is like a process. The difference is | ||
that a docker container can be stopped and resumed later. | ||
|
||
Since we have only one container in this project, we do not need to run | ||
`docker-compose`. | ||
|
||
### Start a container | ||
|
||
To start a container from an image: | ||
|
||
docker run -it tpmcourse:latest | ||
|
||
# --name can specify a name, which we can use refer to this container later | ||
docker run --name tpm -it tpmcourse:latest | ||
|
||
To list active container: | ||
|
||
docker ps | ||
# we can find the container ID and names for each container | ||
|
||
If a container is stopped (e.g., when we exit from the shell), we will not see | ||
the container on the active list. Use `-a` option to see all containers, even | ||
if they are not running | ||
|
||
docker ps -a | ||
|
||
### Stop a container | ||
|
||
If you exit from the shell, the container will be stopped as the process has | ||
terminated. | ||
|
||
We can also stop a container with docker command. | ||
|
||
# need to run in another terminal | ||
docker stop CONTAINER | ||
|
||
Once a container is stopped, we do not see it with `docker ps` command. We | ||
need to add `-a` option to see stopped containers. | ||
|
||
### Resume a container | ||
|
||
To resume a stopped container and get a shell: | ||
|
||
# -a : attach the current console | ||
docker start -ai CONTAINER | ||
|
||
The container will be runnning and you have a shell in it. | ||
|
||
We can also start the container in the detached mode and keep it running in the | ||
background. | ||
|
||
docker start CONTAINER | ||
|
||
## Start a shell in a running container | ||
|
||
If we need to access a shell in a running, detached container, we can use `docker exec` | ||
command. For example, the following command starts a bash in a running | ||
container. | ||
|
||
# we can start any shell we like, for example, bash | ||
docker exec -it CONTAINER bash | ||
|
||
When we exit from the shell (bash), the container is still running. | ||
|
||
Another method is to attach the current console to a running container that | ||
does not have a console. The downside is that when we exit from the shell, the | ||
container is stopped. | ||
|
||
docker attach CONTAINER | ||
|
||
## Delete a container | ||
|
||
Use `rm` command to delete a container. | ||
|
||
### All files in the container will be LOST !!! | ||
### Copy all files to host first !! | ||
### Normally you only need this after you receive the final grade | ||
|
||
docker rm CONTAINER | ||
|
||
## Copy files | ||
|
||
We can use `docker cp` to copy files between the container and the host file system. | ||
|
||
docker cp ./cleanup.sh CONTAINER:/root | ||
docker cp CONTAINER:/root/a.pem local/a.pem | ||
|
||
## TPM Course container | ||
|
||
When the TPM container is started for the first time (with `docker run`), the | ||
TPM simulator should work. If we (accidentally) exit from the shell, the | ||
container will be stopped. After we start/resume the container (with `docker | ||
start`), the TPM simulator may not be working because some processes have been | ||
terminated. | ||
|
||
I found it is more convenient to start the docker in the detached mode and keep | ||
it running. We can use `docker exec` to start another shell in the container. | ||
Even better, we can pick a shell we like, for example, bash. | ||
|
||
# only start the container if it is stopped | ||
docker start tpm | ||
|
||
# start bash in the running container | ||
docker exec -it tpm bash | ||
|
||
Once we are in bash, if the TPM simulator is not working, we can clean up and | ||
restart the simulator. The commands are in `tpm2restart.sh`. You can copy the | ||
script to the container and run the script to restart the TPM simulator. | ||
|
||
If we exit from bash, the TPM simulator is still running. When needed, we can | ||
start a bash in it, again. | ||
|
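Review bot: the `sudo usermod -a -G docker $USER` step under "To run docker" should say what it grants: membership in the `docker` group is equivalent to root on the host, because any member can start a container with the host filesystem bind-mounted, so this is a convenience for a personal lab machine and not something to do on a shared host (rootless Docker or `sudo docker` are the alternatives). In "Delete a container", the warning that all files are lost could also point to `docker commit CONTAINER IMAGE` or a bind-mounted volume (`-v`) as a way to keep work outside the container rather than relying on `docker cp` alone. Minor: "runnning" in "Resume a container", "The following command add" should be "adds", and "To list active container" should be plural.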
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
f9fc4d5750c6e45440ed0e9ced3675b215f0ed2f0a73ef2566e97a7d3837dec2221c44e1cb8aaffc96898e3e7eeb05e10da7ac402c7c74e680f91c753b188f50 |
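Review bot: this file is a bare 128-hex-digit string with no name or comment visible in the diff, so a reader cannot tell what it is for; if it is the `h.txt` that README Task 4 extends into PCR 23, say so in the README and state whether the file ends with a newline, since the SHA1 the task expects (ending in 0399) depends on the exact bytes hashed.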
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,145 @@ | ||
# TPM | ||
|
||
**Deadline: Friday, 4/26/2024. Submit the report in HuskyCT.** | ||
|
||
In this project, we experiment with TPM. | ||
|
||
We will first follow the course from the following repo. There are detailed | ||
instructions in files under docs directory. | ||
|
||
[TPM 2.0 Courses](https://github.com/nokia/TPMCourse) | ||
|
||
The list of tutorials in the course is in the docs folder. | ||
|
||
[List of tutorials](https://github.com/nokia/TPMCourse/tree/master/docs) | ||
|
||
The manual of TPM2 commands is on the following page. | ||
|
||
[TPM2 tools manual](https://tpm2-tools.readthedocs.io/en/latest/man/tpm2.1/) | ||
|
||
## Install Docker and TPM | ||
|
||
The environment for this project is in a docker container. See | ||
[docker.md](./docker.md) for details. Be careful about removing containers. A | ||
container can be stopped and resumed. However, if you delete a container, all | ||
files in that container will be lost. | ||
|
||
Here are some commonly used commands, assuming the container's name is tpm. | ||
|
||
# start a container | ||
docker run --name tpm -it tpmcourse:latest | ||
|
||
# start a stopped container | ||
docker start tpm | ||
|
||
# run a command in a running container | ||
docker exec -it tpm bash | ||
|
||
# stop a running container | ||
docker stop tpm | ||
|
||
We can restart the TPM with the shell script `tpm2restart.sh`. | ||
|
||
## Tasks | ||
|
||
### Task 1 Set up the environment and generate random bytes | ||
|
||
After setting up the docker container, study the tutorial in random.md. | ||
|
||
Includ the following tasks in your report. | ||
|
||
* Generate 16 random bytes and display them on screen in hexadecimal. | ||
|
||
* Find out the largest number of random values that can be generated by the | ||
command. What happens if we ask for more random numbers? | ||
|
||
### Task 2 Experiment with objects | ||
|
||
Study the tutorial and try the commands in objects.md. | ||
|
||
* Do not set "lockout" password in this project. If you forget any password, we can use | ||
`tpm2_clear` to clear the passwords. | ||
|
||
* Do not need to try "Dictionary Lockout" and "Locality" sections. | ||
|
||
Clear all passwords before working on later tasks (so we do not need to enter | ||
passwords). To clear a password, just leave the new password empty. | ||
|
||
Includ the following tasks in your report. | ||
|
||
* Assume no password is set. Set the owner's password to "ABCDE". | ||
* Try the same command. What messages are shown? Explain why it is not successful. | ||
* Change the owner's password to "123456". | ||
* Try to change the password again. What messages are shonw? Explain why it is not successful. | ||
* Clear the owner's password. | ||
|
||
### Task 3 Keys and encryption/decryption/signing/verification | ||
|
||
Study the tutorial and try the commands in key.md. Skip the "Loading External | ||
Keys". We need the keys in the "Special keys" section in later tasks. | ||
|
||
In this project, we do not have to make a key persistent. We can use the | ||
context file in place of a handle. | ||
|
||
The main purpose is to learn how to generate AES/RSA keys and use the keys to | ||
encrypt/decrypt/sign/verify messages. | ||
|
||
Include the following tasks in the report. | ||
|
||
* Generate AES key in owner's hierarchy, encrypt a plaintext file with an IV, | ||
and then decrypt it. The command in the tutorial does not have IV file. We | ||
generate 16 random bytes as IV. The same IV is required for decrypton. Find | ||
out what happens if we do not specify IV when decrypting. Can the command | ||
encrypt the largest file in the directory? | ||
|
||
* Generate an RSA key pair in owner's hierarchy, and demostrate encryption, | ||
decryption, signing and verification with the key. | ||
|
||
* Demostrate that you can decrypt the ciphertext after the TPM restarts. | ||
|
||
### Task 4: Quoting | ||
|
||
Study the tutorials and try the commands in pcrs.md and quoting.md. | ||
|
||
We will use PCR 23 in SHA1 bank. | ||
|
||
Include the following tasks in the report. | ||
|
||
* Reset PCR 23, extend it with `h.txt`, find out the value in PCR | ||
23. The SHA1 hash of the file ends with 0399. The updated PCR 23 value | ||
ends with 4881. | ||
|
||
* Generate endorsement key (EK) and an attestation key (AK). The instructions | ||
are in keys.md. Generate a quote with `tpm2_quote` for PRC 23 (in SHA1 | ||
bank), which has the hash from the previoius step. Run `tpm2_print` to | ||
examine the quote. | ||
|
||
* If we do not make AK persistent, can we use the same AK after restarting TPM? | ||
Explain your answer. | ||
|
||
### Task 5: Sealing and unsealing | ||
|
||
Now we experiement with sealing secret with key and measurements. | ||
|
||
* We create a policy that specifies the set of PCRs to be used in sealing. | ||
The "Policy Creation" section in `nvram.md` has examples of creating | ||
policy. We will include PCR 23 (SHA1) only in our policy (and we can easily | ||
include more PCRs). PCR 23 must have the hash value extended by `h.txt` | ||
from 0. | ||
|
||
Note that if PCR 23 has the correct hash value, we do not need to use the `-f` | ||
option for `tpm2_createpolicy`. | ||
|
||
* Seal file `secret` with the primary key in owner's hierarchy and the policy | ||
created in the previous step. Demostrate that you can unseal the blob. | ||
|
||
* Demostrate that if PCR 23 does not have the correct value, you cannot unseal | ||
the blob. | ||
|
||
* Demostrate that you can unseal the the blob after restarting the TPM. | ||
|
||
## Deliverables | ||
|
||
Submit a PDF file that includes commands you used in each Task and the results | ||
in screenshots. | ||
|
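Review bot: Task 3 tells students to use `key.md` while Task 4 says the EK/AK instructions are in `keys.md`; pick the name that matches the file in the TPMCourse docs folder and use it in both places. Task 2's advice to recover from a forgotten password with `tpm2_clear` is fine for the simulator but worth flagging as destructive on real hardware, since it wipes the storage hierarchy and every key under it. Typos: "Includ" (twice), "shonw", "Demostrate"/"demostrate" (several), "decrypton", "previoius", "PRC 23", "experiement", "the the blob".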
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
Secret in CSE 4400 | ||
BEGIN | ||
253ee23116c71684fa5c77d8f28bc0dc3cfb58731bd4226439e37d70c0c340f6 | ||
END |
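Review bot: a file named `secret` committed to the repository is by definition not secret, and once pushed it stays in git history even if later deleted; since this is only sample data for the sealing exercise in Task 5, say so in the README (or in the file's first line) so nobody mistakes the hex value for a real credential.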
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
#!/bin/sh | ||
|
||
pkill dbus-daemon | ||
pkill tpm_server | ||
pkill tpm2-abrmd | ||
|
||
rm -rf /var/run/dbus.pid | ||
|
||
# Start dbus service and sleep for 1 second to wait that it has started. | ||
# If tpm2-abrmd starts before the dbus service is ready we get an error. | ||
dbus-daemon --system & | ||
sleep 1 | ||
|
||
# Start the ibm tpm simulator with default settings | ||
tpm_server & | ||
|
||
# Start tpm2 access broker & resource manager daemon | ||
tpm2-abrmd --allow-root --tcti=mssim & | ||
|
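Review bot: the script waits for dbus before starting `tpm2-abrmd` but not for `tpm_server`, so `tpm2-abrmd --tcti=mssim` can race the simulator's socket in the same way the comment above describes for dbus; add a short `sleep` or a retry loop after `tpm_server &`. `rm -rf /var/run/dbus.pid` only needs `-f` since the target is a single file, and the three `pkill` calls return non-zero when nothing is running, which is harmless now but would abort the script if `set -e` is ever added. `--allow-root` means the broker runs as root; that is acceptable inside this throwaway container but should not be copied to a host install.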