This post will show you how to clear the compliance keys from your TPM and create a new and unique Endorsement Key. If you bought the CryptoCape v02, which is the current revision as of this writing, you’ll want to perform these actions. Otherwise, the keys on your TPM are set to “well-known” test keys.

Installing the TPM packages

Under Debian, the TrouSerS (from now on just “trousers”) package provides the software to interface to your TPM. While you are installing trousers, go ahead and install some other TPM related software that will come in handy later on. You’ll want to run this command with the CryptoCape attached and after a reboot. If the TPM kernel driver isn’t loaded when you install trousers, apt will grumble at you since it tries to start the TPM daemon and it will fail.

[code language=”bash” light=”true”]
sudo apt-get install trousers tpm-tools libtspi-dev opencryptoki
[/code]

If you have already taken ownership of your TPM, the following status registers should indicate this:

[code language=”bash” light=”true”]
cat /sys/class/misc/tpm0/device/enabled
1
cat /sys/class/misc/tpm0/device/owned
1
[/code]

Understanding compliance mode

This is the state in which you want your TPM. The issue is, the TPMs as shipped from SparkFun, are in compliance mode. Compliance mode means that the Endorsement Key, the root key on the TPM, is a well-known value. This is extremely useful in testing to validate that the TPM meets the specification, hence the “compliance” moniker. This is not so useful if you want to store unique secrets on the TPM.

TPMs have different order codes from distributors and the one I chose for the CryptoCape means that the TPM ships in compliance mode. I didn’t realize this until some engineers at Atmel pointed it out to me (thank you!). Fortunately, it is relatively easily fixed.

More information about compliance mode can be found in Trusted Platform Module Basics over at Google Books.

Clearing the TPM and creating a new EK

The general procedure is as follows: we must clear the TPM of the compliance vectors, enable the TPM, activate the TPM, reboot, and then create a new, random EK. The benefit of this procedure is that your EK will be unique and not known to Atmel, SparkFun, or me. If I had a better marketing department, I would have said that I meant to do this 🙂

Let’s get started. With the CryptoCape attached and tcsd running, which you can verify with pgrep tcsd, switch over to root with sudo su.

Then clear the TPM. You’ll be prompted to enter your owner password. I like running these commands with the -l debug option so I can see what’s going on:

[code language=”bash” highlight=”5,10″]
$ tpm_clear -l debug
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Enter owner password:
Tspi_GetPolicyObject success
Tspi_Policy_SetSecret success
Tspi_TPM_ClearOwner success
tpm_clear succeeded
TPM Successfuly Cleared. You need to reboot to complete this operation. After reboot the TPM will be in the default state: unowned, disabled and inactive.
Tspi_Context_FreeMemory success
Tspi_Context_Close success
[/code]

Then reboot. On the CryptoCape, the TPM reset line is tied to the BeagleBone reset line, but I always do a full sudo halt and re-power the board.

After you power on, if you dmesg | tpm you should see the following, which confirms the TPM is cleared.

[code language=”bash” light=”true”]
[ 5.143291] tpm_i2c_atmel 1-0029: Issuing TPM_STARTUP
[ 5.680399] tpm_i2c_atmel 1-0029: TPM is disabled/deactivated (0x6)
[/code]

Setting physical presence

Now for the tricky part. To enable and activate the TPM we must prove to the TPM that we are physically at the device, known as physical presence. If you follow the trousers rules, the way to do this is to boot in single user mode, which disables network access, and issue the commands. Booting in single user mode on the BBB is a pain. It requires modifying uBoot parameters and then connecting to the BBB over serial. With a cape attached, getting access to the serial debug header is very awkward.

Fortunately, my DEF CON 22 co-presenter helped me out. You can download and compile the following code which will issue the command to set presence, without requiring single user mode.

Download:

[code language=”bash” light=”true”]
wget https://gist.githubusercontent.com/jbdatko/4e6f4fb7f58248213f11/raw/64e376d94f17f7ee151d7c8da37af23a08ac92e9/tpm_assertpp.c
[/code]

Compile:

[code language=”bash” light=”true”]
gcc tpm_assertpp.c -o tpm_assertpp
[/code]

Kill tcsd, as it is monopolizing access to the TPM at the moment:

[code language=”bash” light=”true”]
sudo pkill tcsd
[/code]

Run the physical presence command:

[code language=”bash” light=”true”]
sudo ./tpm_assertpp
Physical presence asserted.
[/code]

Restart tcsd:

[code language=”bash” light=”true”]
sudo tcsd
[/code]

Enabling and activating the TPM

Now we are ready to enable and activate the TPM. Run as root the following commands:

[code language=”bash” highlight=”6″]
$ tpm_setenable -e -f -l debug
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Tspi_TPM_SetStatus success
tpm_setenable succeeded
Tspi_Context_FreeMemory success
Tspi_Context_Close success
[/code]

Finally:

[code language=”bash” highlight=”6″]
tpm_setactive -a -l debug
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Tspi_TPM_SetStatus success
Action requires a reboot to take effect
tpm_setactive succeeded
Tspi_Context_FreeMemory success
Tspi_Context_Close success
[/code]

Power down the board and bring it back up one last time.

Creating a new EK

Now you should be able to create a new EK with tpm_createek.¹ After that, take ownership again with:

[code language=”bash” light=”true”]
tpm_takeownership -z -l debug
[/code]

You’ll be prompted for a new owner password. To confirm you have real EK on the TPM, run tpm_getpubek. If it starts with 0xab567c0e than you still have the compliance vector loaded and something went wrong. Otherwise, you now have a unique EK.

Using the TPM

In a following post, I’ll show how to use the TPM’s random number generator and use it to protect SSH client keys.