prj4

zhs04001 · Apr 5, 2024 · 9cc43ee · 9cc43ee
1 parent d59e11d
commit 9cc43ee
Show file tree

Hide file tree

Showing 5 changed files with 316 additions and 0 deletions.
diff --git a/projects/prj4/docker.md b/projects/prj4/docker.md
@@ -0,0 +1,147 @@
+# Docker commands  
+
+## To run docker
+
+Here are some docker commands useful in this project.
+
+If docker is not installed, install it.
+
+    sudo apt  install docker.io
+
+Follow the instructions in the TPM course repo. To run docker, the current user
+should be in group docker. Use `id` command to check. The following command add
+the current user into docker group. 
+
+    sudo usermod -a -G docker $USER
+
+After adding the user into the group, log out and log in again to activate 
+the new group. Or use the following command to log in again. 
+
+    exec su -l $USER
+
+## Build the images
+
+The command to build the images is as follows. It takes a long time (10
+minutes?) to complete. Be patient.
+
+    docker build -t tpmcourse:latest .
+
+There is a prebuilt image on [Docker
+Hub](https://hub.docker.com/r/nokia/tpmcourse). The page also has the command
+to pull the image.
+
+## Run the docker container
+
+Once we have a docker image, we can start it and we get a container. A docker
+image is like a program and a container is like a process.  The difference is
+that a docker container can be stopped and resumed later.
+
+Since we have only one container in this project, we do not need to run
+`docker-compose`.
+
+### Start a container
+
+To start a container from an image: 
+
+    docker run -it tpmcourse:latest
+
+    # --name can specify a name, which we can use refer to this container later
+    docker run --name tpm -it tpmcourse:latest
+
+To list active container:
+
+    docker ps
+    # we can find the container ID and names for each container
+
+If a container is stopped (e.g., when we exit from the shell), we will not see
+the container on the active list. Use `-a` option to see all containers, even
+if they are not running
+
+    docker ps -a 
+
+### Stop a container
+
+If you exit from the shell, the container will be stopped as the process has
+terminated. 
+
+We can also stop a container with docker command.
+
+    # need to run in another terminal
+    docker stop CONTAINER
+
+Once a container is stopped, we do not see it with `docker ps` command. We 
+need to add `-a` option to see stopped containers.
+
+### Resume a container
+
+To resume a stopped container and get a shell:
+
+    # -a : attach the current console 
+    docker start -ai CONTAINER
+
+The container will be runnning and you have a shell in it. 
+
+We can also start the container in the detached mode and keep it running in the
+background. 
+
+    docker start CONTAINER
+
+## Start a shell in a running container
+
+If we need to access a shell in a running, detached container, we can use `docker exec`
+command. For example, the following command starts a bash in a running
+container. 
+
+    # we can start any shell we like, for example, bash
+    docker exec -it CONTAINER bash
+
+When we exit from the shell (bash), the container is still running.
+
+Another method is to attach the current console to a running container that
+does not have a console. The downside is that when we exit from the shell, the
+container is stopped.
+
+    docker attach CONTAINER
+
+## Delete a container
+
+Use `rm` command to delete a container.
+
+    ### All files in the container will be LOST !!!
+    ### Copy all files to host first !!
+    ### Normally you only need this after you receive the final grade 
+
+    docker rm CONTAINER
+
+## Copy files
+
+We can use `docker cp` to copy files between the container and the host file system.
+
+    docker cp ./cleanup.sh CONTAINER:/root
+    docker cp CONTAINER:/root/a.pem local/a.pem
+
+## TPM Course container
+
+When the TPM container is started for the first time (with `docker run`), the
+TPM simulator should work. If we (accidentally) exit from the shell, the
+container will be stopped. After we start/resume the container (with `docker
+start`), the TPM simulator may not be working because some processes have been
+terminated.  
+
+I found it is more convenient to start the docker in the detached mode and keep
+it running. We can use `docker exec` to start another shell in the container.
+Even better, we can pick a shell we like, for example, bash.
+
+    # only start the container if it is stopped
+    docker start tpm
+
+    # start bash in the running container
+    docker exec -it tpm bash
+
+Once we are in bash, if the TPM simulator is not working, we can clean up and
+restart the simulator. The commands are in `tpm2restart.sh`.  You can copy the
+script to the container and run the script to restart the TPM simulator.
+
+If we exit from bash, the TPM simulator is still running. When needed, we can
+start a bash in it, again.
+
diff --git a/projects/prj4/h.txt b/projects/prj4/h.txt
@@ -0,0 +1 @@
+f9fc4d5750c6e45440ed0e9ced3675b215f0ed2f0a73ef2566e97a7d3837dec2221c44e1cb8aaffc96898e3e7eeb05e10da7ac402c7c74e680f91c753b188f50
diff --git a/projects/prj4/prj4.md b/projects/prj4/prj4.md
@@ -0,0 +1,145 @@
+# TPM 
+
+**Deadline: Friday, 4/26/2024. Submit the report in HuskyCT.**
+
+In this project, we experiment with TPM.
+
+We will first follow the course from the following repo. There are detailed
+instructions in files under docs directory.
+
+[TPM 2.0 Courses](https://github.com/nokia/TPMCourse)
+
+The list of tutorials in the course is in the docs folder.
+
+[List of tutorials](https://github.com/nokia/TPMCourse/tree/master/docs)
+
+The manual of TPM2 commands is on the following page.
+
+[TPM2 tools manual](https://tpm2-tools.readthedocs.io/en/latest/man/tpm2.1/)
+
+## Install Docker and TPM 
+
+The environment for this project is in a docker container. See
+[docker.md](./docker.md) for details. Be careful about removing containers. A
+container can be stopped and resumed. However, if you delete a container, all
+files in that container will be lost.
+
+Here are some commonly used commands, assuming the container's name is tpm.
+
+    # start a container 
+    docker run --name tpm -it tpmcourse:latest
+
+    # start a stopped container
+    docker start tpm
+
+    # run a command in a running container
+    docker exec -it tpm bash
+
+    # stop a running container
+    docker stop tpm
+
+We can restart the TPM with the shell script `tpm2restart.sh`. 
+
+## Tasks
+
+### Task 1 Set up the environment and generate random bytes
+
+After setting up the docker container, study the tutorial in random.md.
+
+Includ the following tasks in your report. 
+
+*   Generate 16 random bytes and display them on screen in hexadecimal.  
+
+*   Find out the largest number of random values that can be generated by the
+    command. What happens if we ask for more random numbers? 
+
+### Task 2 Experiment with objects
+
+Study the tutorial and try the commands in objects.md.
+
+*   Do not set "lockout" password in this project. If you forget any password, we can use
+    `tpm2_clear` to clear the passwords.
+
+*   Do not need to try "Dictionary Lockout" and "Locality" sections.
+
+Clear all passwords before working on later tasks (so we do not need to enter
+passwords). To clear a password, just leave the new password empty.
+
+Includ the following tasks in your report. 
+
+*   Assume no password is set. Set the owner's password to "ABCDE".
+*   Try the same command. What messages are shown? Explain why it is not successful.
+*   Change the owner's password to "123456".
+*   Try to change the password again. What messages are shonw? Explain why it is not successful.
+*   Clear the owner's password. 
+
+### Task 3 Keys and encryption/decryption/signing/verification
+
+Study the tutorial and try the commands in key.md.  Skip the "Loading External
+Keys". We need the keys in the "Special keys" section in later tasks.
+
+In this project, we do not have to make a key persistent. We can use the
+context file in place of a handle.
+
+The main purpose is to learn how to generate AES/RSA keys and use the keys to
+encrypt/decrypt/sign/verify messages. 
+
+Include the following tasks in the report. 
+
+*   Generate AES key in owner's hierarchy, encrypt a plaintext file with an IV,
+    and then decrypt it. The command in the tutorial does not have IV file. We
+    generate 16 random bytes as IV. The same IV is required for decrypton. Find
+    out what happens if we do not specify IV when decrypting. Can the command
+    encrypt the largest file in the directory? 
+
+*   Generate an RSA key pair in owner's hierarchy, and demostrate encryption,
+    decryption, signing and verification with the key. 
+
+*   Demostrate that you can decrypt the ciphertext after the TPM restarts.
+
+### Task 4: Quoting
+
+Study the tutorials and try the commands in pcrs.md and quoting.md. 
+
+We will use PCR 23 in SHA1 bank.
+
+Include the following tasks in the report. 
+
+*   Reset PCR 23, extend it with `h.txt`, find out the value in PCR
+    23.  The SHA1 hash of the file ends with 0399. The updated PCR 23 value
+    ends with 4881.
+
+*   Generate endorsement key (EK) and an attestation key (AK). The instructions
+    are in keys.md. Generate a quote with `tpm2_quote` for PRC 23 (in SHA1
+    bank), which has the hash from the previoius step. Run `tpm2_print` to
+    examine the quote.
+
+*   If we do not make AK persistent, can we use the same AK after restarting TPM? 
+    Explain your answer.
+
+### Task 5: Sealing and unsealing
+
+Now we experiement with sealing secret with key and measurements. 
+
+*   We create a policy that specifies the set of PCRs to be used in sealing.
+    The "Policy Creation" section in `nvram.md` has examples of creating
+    policy. We will include PCR 23 (SHA1) only in our policy (and we can easily
+    include more PCRs). PCR 23 must have the hash value extended by `h.txt`
+    from 0.
+
+    Note that if PCR 23 has the correct hash value, we do not need to use the `-f`
+    option for `tpm2_createpolicy`.
+
+*   Seal file `secret` with the primary key in owner's hierarchy and the policy
+    created in the previous step. Demostrate that you can unseal the blob.
+
+*   Demostrate that if PCR 23 does not have the correct value, you cannot unseal
+    the blob.
+
+*   Demostrate that you can unseal the the blob after restarting the TPM.
+
+## Deliverables
+
+Submit a PDF file that includes commands you used in each Task and the results
+in screenshots.
+
diff --git a/projects/prj4/secret b/projects/prj4/secret
@@ -0,0 +1,4 @@
+Secret in CSE 4400
+BEGIN
+253ee23116c71684fa5c77d8f28bc0dc3cfb58731bd4226439e37d70c0c340f6
+END
diff --git a/projects/prj4/tpm2restart.sh b/projects/prj4/tpm2restart.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+pkill dbus-daemon
+pkill tpm_server
+pkill tpm2-abrmd
+
+rm -rf /var/run/dbus.pid
+
+# Start dbus service and sleep for 1 second to wait that it has started.
+# If tpm2-abrmd starts before the dbus service is ready we get an error.
+dbus-daemon --system &
+sleep 1
+
+# Start the ibm tpm simulator with default settings
+tpm_server &
+
+# Start tpm2 access broker & resource manager daemon
+tpm2-abrmd --allow-root --tcti=mssim &
+