CryptoCape Trusted Platform Module
Welcome!
Thanks for your interest in the CryptoCape and the Trusted Platform Module (TPM)! This page contains background information on the TPM, some FAQs, and notes on how to use it.
Disclaimer
The TPM is a complicated piece of hardware, accompanied by complicated software. Despite having a TPM on the CryptoCape, I don’t consider myself an expert on the TPM. I have put a few TPMs into states where I can’t recover them. Proceed with caution and have fun 🙂
I’ll be updating this page as I learn more. Feel free to add comments below, contact me, or email the CryptoCape list for help. If it’s software related, check the TrouSerS mailing lists.
Clearing the compliance vectors
The first thing you’ll want to do on the CryptoCape TPM is clear the compliance vectors. See this blog post for the background and this script to assist you.
Quick Start
For those who just want to get started, jump down to “using the TPM”.
FAQs
What is the history of the TPM and DRM?
The TPM and TCG have received negative attention over the years. The most popular critiques of the TPM are Ross Anderson’s FAQ and the Free Software Foundation’s Treacherous Computing campaign. Both of these critiques focus on how the TPM enables Digital Rights Management (DRM).
A Practical Guide to Trusted Computing, perhaps the best book on the TPM, which is authored by employees of companies in the TCG, has this to say about DRM:
First, a caveat: The TPM was not designed for DRM – keeping content protected against the owner of the TPM – and as a result, is not terribly suitable for that. Hoops need to be jumped through, and specialized hardware and software designed around a TPM in order to provide a content protection solution. Nonetheless, the TPM does provide one piece that can be used in content protection solutions: It can contain keys that are unique to a system. It does this in a way that is privacy sensitive by abstracting the identify [sic] using either the Endorsement Key or the DAA protocol.
As FSF member #11526, the decision to put a TPM on the CryptoCape was not taken lightly. I am concerned about the proliferation of DRM in Internet Standards and I try to support privacy enhancing technologies. The reason I put a TPM on the CryptoCape is to encourage research and to satisfy my own curiosity about the TPM and trusted computing. If the TPM really bothers you, which is a position with which I empathize, then don’t install tpm-tools.
If that’s not enough, you can physically cut the TPM’s system reset line with a hobby knife, and it won’t power on. I’m not sure SparkFun will take it back at this point; but hey, at least you are a true hardware hacker now 🙂
If you don’t have a laptop with a TPM, I think it’s non-trivial to find a working installation. AFAIK, the CryptoCape is the lowest cost consumer module that allows access to a TPM. Hopefully that does more good than harm.
Will the TPM make my BeagleBone secure?
Probably not. While my marketing department[1] would like to convince you otherwise, there does not exist a “silver bullet” to instantly “secure” a general purpose computer. As Peter Gutmann remarks in his draft Engineering Security book, “your TPM-verified boot is giving you a guarantee that you’re loading an OS core with only a million bugs rather than a tampered one with a million and one bugs.” Securing a general purpose computer is extremely difficult. I think a TPM can help in some very specific instances, but putting the CryptoCape on the BeagleBone does not make it a shield.[2]
How does the Endorsement Key (EK) get loaded on this TPM?
The EK, which is an RSA-2048 key, is loaded onto the TPM by Atmel during manufacturing. Atmel sells the TPMs to distributors, from which SparkFun purchases them and sells them to you. The purpose of the EK is to prove you have a valid and authentic TPM; however, there are also privacy concerns with such a unique identifier. SparkFun is not tracking the EK. So even if the entire distribution chain was compromised, your EK is essentially “mixed” among other SparkFun customers.[3]
What can I do with a TPM?
The two main features of the TPM are providing secure boot and storing keys. Both are discussed below:
Secure boot
The canonical purpose of a TPM is to implement “secure boot.” This is where the TPM will monitor, or measure, the boot process and develop a “chain of trust.” The TPM has a few special registers called Platform Configuration Registers (PCRs) that can only be written to by an extend operation. The extend operation takes an input, concatenates it with the current value in the register, and sets the new value to the SHA-1 result of the concatenation. For those who like formulas: PCR_new = SHA-1(PCR_old || input), where || is concatenation; since a PCR is never written directly, the value after boot depends on every input and the order in which they arrived.
On a PC, the BIOS runs and extends a PCR passing in the bootloader as input. Then the bootloader runs and it passes the kernel to the TPM as input, etc, etc, etc… By the time the OS is running, the TPM has “measured” the state of your boot process.
But what does that provide you? First of all, if you know what the PCR values should be, you can compare them to the current values to know if your boot chain was modified. Also, the TPM supports a command called “sealing” where it encrypts data bound to the state of the PCRs you select. So if the boot chain is modified, the PCRs won’t match and the TPM won’t unseal your data.
How do I enable secure boot on the BeagleBone?
The TPM was originally designed for PCs with a BIOS. The BeagleBone doesn’t have a BIOS since it’s an embedded system. It currently ships with uBoot. The default boot goes something like this:
- The ROM on the AM3358 runs and reaches out to a well-known address to find the second stage bootloader (MLO).
- The MLO reaches out and loads uBoot.
- uBoot reaches out and loads the kernel.
The boot process can change between the eMMC, SD card, or a Cape. Consult the BBB System Reference Manual. The key point here is that uBoot needs to know about the TPM. Teddy Reed, a security researcher, is working on including the TPM in uBoot. However, we are running into some problems at the moment, so support isn’t quite there yet. If you are a uBoot hacker, contact me if you’d like to help. 🙂
Also remember that the BBB has multiple boot options. If your TPM-enabled uBoot is running on the eMMC, the board can be made to boot from an SD card instead. The TPM would be bypassed in this case, assuming that the other boot media is not TPM-enabled. While this attack bypasses your TPM, sealed data would not be available to the attacker, since the TPM’s PCRs now hold different values from the ones the data was sealed to.
Storing Keys
The TPM can produce and store RSA keys. When it does this, it acts like a smart-card device, and generally the software interface to these devices is through something called PKCS#11.[4] Once you have a PKCS#11 interface, the TPM can store SSH keys or SSL keys.
Using the TPM
The kernel driver for this TPM is tpm_i2c_atmel, which was officially adopted in kernel 3.13. Robert Nelson backported it into the 3.8.x series Debian images. This driver is loaded automatically by the Cape Manager when the Beagle powers up. However, we need some user space applications to manage the TPM, so you need to install tpm-tools:
sudo apt-get install tpm-tools
This should start the tcsd daemon. If not, restart the board.
Verifying the TPM
Run tpm_version and tpm_selftest to make sure you can talk to the TPM:
debian@hactar ~ $ tpm_version
  TPM 1.2 Version Info:
  Chip Version:        1.2.37.13
  Spec Level:          2
  Errata Revision:     2
  TPM Vendor ID:       ATML
  TPM Version:         01010000
  Manufacturer Info:   41544d4c
debian@hactar ~ $ tpm_selftest
  TPM Test Results: 0000
If there are issues, make sure the CryptoCape firmware loaded, make sure you installed tpm-tools, and make sure tcsd is running.
FULLY SHUT DOWN THE BEAGLE AFTER INSTALLING TPM TOOLS AND BEFORE TAKING OWNERSHIP
Issue a sudo halt and completely power off the Beagle before trying to take ownership; otherwise, you’ll be faced with this problem:
debian@hactar ~ $ tpm_takeownership -l debug
Tspi_Context_Create success
Enter owner password:
Confirm password:
Enter SRK password:
Confirm password:
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Tspi_GetPolicyObject success
Tspi_Policy_SetSecret success
Tspi_Context_CreateObject success
Tspi_GetPolicyObject success
Tspi_Policy_SetSecret success
Tspi_TPM_TakeOwnership failed: 0x00002004 - layer=tcs, code=0004 (4), Internal software error
Tspi_Context_CloseObject success
Tspi_Context_FreeMemory success
Tspi_Context_Close success
Take ownership
Taking ownership initializes the TPM, which you do by running the tpm_takeownership command. You did power cycle, right?? Set the passwords thusly:
tpm_takeownership -z -l debug
Tspi_Context_Create success
Enter owner password:
Confirm password:
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Tspi_GetPolicyObject success
Tspi_Policy_SetSecret success
Tspi_Context_CreateObject success
Tspi_GetPolicyObject success
Tspi_Policy_SetSecret success
Tspi_TPM_TakeOwnership success
tpm_takeownership succeeded
Tspi_Context_CloseObject success
Tspi_Context_FreeMemory success
Tspi_Context_Close success
You will type in an owner password, but your SRK will be the well-known password of twenty zeros (that is what the -z flag selects).
Yeah, I realize what I just said. What I’ve learned, in the brief time playing with this TPM, is that some of the software assumes that the SRK password is the universal “well-known” password of twenty zeros. I know, I know. If you man tpm_changeownerauth, it’s even in the man page. You can’t make this stuff up.
View the status of the PCRs
You can view the status of the PCRs with this:
debian@hactar ~ $ cat /sys/class/misc/tpm0/device/pcrs
PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
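To make the extend operation and the PCR comparison from the “Secure boot” section concrete, here is an added example (my own code, not from the CryptoCape page or tpm-tools) that models TPM 1.2 extend, parses a listing in the format of the pcrs file above, and checks a reported PCR against a known-good boot log. The sample listing, the stage names and the boot log are constructed; real firmware extends with the SHA-1 digest of each stage, which measure() models.

```python
import hashlib
import re

# Constructed sample in the format of /sys/class/misc/tpm0/device/pcrs
# (three registers shown; a real listing runs PCR-00 .. PCR-23).
SAMPLE_PCRS = """\
PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
"""

PCR_LINE = re.compile(r"^PCR-(\d{2}):\s+((?:[0-9A-Fa-f]{2}\s?){20})$")


def parse_pcrs(text):
    """Turn the sysfs listing into {pcr_index: 20-byte value}."""
    pcrs = {}
    for line in text.splitlines():
        m = PCR_LINE.match(line.strip())
        if m:
            pcrs[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pcrs


def measure(component):
    """Digest of a boot stage; this 20-byte value is what gets extended."""
    return hashlib.sha1(component).digest()


def pcr_extend(current, digest):
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || digest)."""
    if len(current) != 20 or len(digest) != 20:
        raise ValueError("TPM 1.2 PCRs and extend inputs are 20-byte values")
    return hashlib.sha1(current + digest).digest()


def replay_log(components, initial=bytes(20)):
    """Replay an ordered boot log (raw bytes of each stage) into one PCR.
    initial is all zeros by default; pass bytes([0xFF] * 20) for registers
    the listing shows starting at FF."""
    value = initial
    for component in components:
        value = pcr_extend(value, measure(component))
    return value


def boot_chain_matches(pcrs, index, components, initial=bytes(20)):
    """True only if the PCR the TPM reports equals what the known-good log
    predicts; an extra, missing, swapped or reordered stage changes it."""
    return pcrs.get(index) == replay_log(components, initial)


# Constructed stand-ins for the MLO -> uBoot -> kernel chain described above.
KNOWN_GOOD_CHAIN = [b"MLO (constructed)", b"uBoot (constructed)", b"kernel (constructed)"]

if __name__ == "__main__":
    # Pretend PCR-00 was extended by a good boot (derived from the log here).
    reported = parse_pcrs(SAMPLE_PCRS)
    reported[0] = replay_log(KNOWN_GOOD_CHAIN)
    tampered = KNOWN_GOOD_CHAIN[:2] + [b"modified kernel (constructed)"]
    print("good boot matches:", boot_chain_matches(reported, 0, KNOWN_GOOD_CHAIN))
    print("tampered matches :", boot_chain_matches(reported, 0, tampered))
```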
Sealing data
Sealing data means encrypting data so that it is tied to the current state of the TPM, by specifying PCRs. You should be able to seal data as below. The input file is the .tar.gz file, the output is sealed, we are using the well-known SRK password with -z, and we want to see the debug output with -l debug. Note that the command below names no PCRs: tpm_sealdata only binds the blob to the PCRs you list with -p <number>, so as run here the data is protected by the SRK alone rather than by the boot measurements.
tpm_sealdata -i hashlet-1.1.0.tar.gz -o sealed -z -l debug
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Tspi_TPM_GetRandom success
Tspi_Context_LoadKeyByUUID success
Tspi_GetPolicyObject success
Tspi_Policy_SetSecret success
Tspi_Context_CreateObject success
Tspi_Context_CreateObject success
Tspi_Policy_SetSecret success
Tspi_Policy_AssignToObject success
Tspi_Key_CreateKey success
Tspi_Key_LoadKey success
Tspi_Context_CreateObject success
Tspi_Context_CreateObject success
Tspi_Policy_SetSecret success
Tspi_Policy_AssignToObject success
Tspi_Data_Seal success
Tspi_GetAttribData success
Tspi_GetAttribData success
tpm_sealdata succeeded
Tspi_Context_FreeMemory success
Tspi_Context_Close success
This will produce a text output file that contains Base-64 data. If you less sealed, you should see a -----BEGIN TSS----- header followed by three Base-64 blocks: -----TSS KEY-----, -----ENC KEY----- (preceded by the line Symmetric Key: AES-256-CBC) and -----ENC DAT-----.
To decrypt, or unseal, perform the following:
tpm_unsealdata -i sealed -o zzz.tar.gz -l debug -z
Interesting TPM links
Presented in no particular order, here are some interesting links on using the TPM:
- Embedded Trust. This post inspired me to add the TPM to the CryptoCape.
- TPM-backed SSL. This is my ultimate goal: use the TPM to store SSL keys. I haven’t got it working yet.
- TPM-backed SSH keys. Another great use of the TPM.
- TPM usage in Chromium. Looks like Google Chromebooks use the TPM quite heavily.
- TrouSerS. The open-source TCG Software Stack.
- Using a TPM in Linux.
- Introduction to programming the TPM. Presentation by David Challener at JHU APL.
- Programming With TrouSerS. Same dude at JHU, but in text form.
- Programming for the TPM and other practical topics. I have not yet found working with the TPM “practical”, but this seems to be a good presentation.
Papers and research on the TPM
Below is a list of interesting research I’ve discovered on the TPM. Where applicable, I’ve included the BibTeX.
- Trusted Platform Module Evolution. Highlights the changes in the TPM 2.0 spec.
@Article{tpmevo,
  author  = {Osborn, Justin and Challener, David},
  title   = {Trusted Platform Module Evolution},
  journal = {Johns Hopkins APL Technical Digest},
  volume  = {32},
  number  = {2},
  pages   = {536--543},
  year    = {2013},
  url     = {http://techdigest.jhuapl.edu/TD/td3202/32_02-Osborn.pdf},
}
- Principles of Remote Attestation. Provides an explanation of Remote attestation and how to perform it for virtualized servers.
@article{Coker:2011:PRA:1989153.1989155,
  author    = {Coker, George and Guttman, Joshua and Loscocco, Peter and Herzog, Amy and Millen, Jonathan and O'Hanlon, Brian and Ramsdell, John and Segall, Ariel and Sheehy, Justin and Sniffen, Brian},
  title     = {Principles of Remote Attestation},
  journal   = {Int. J. Inf. Secur.},
  volume    = {10},
  number    = {2},
  month     = jun,
  year      = {2011},
  issn      = {1615-5262},
  pages     = {63--81},
  numpages  = {19},
  url       = {http://dx.doi.org/10.1007/s10207-011-0124-7},
  doi       = {10.1007/s10207-011-0124-7},
  acmid     = {1989155},
  publisher = {Springer-Verlag},
  address   = {Berlin, Heidelberg},
  keywords  = {Cryptographic protocols, Hardware Security Modules, Operating system security architecture, Strand spaces},
}
- Trustworthy and Personalized Computing on Public Kiosks. Good example of how to build a system using remote attestation. They are also up front about the weaknesses and limitations of their design.
@inproceedings{Garriss:2008:TPC:1378600.1378623,
  author    = {Garriss, Scott and C\'{a}ceres, R\'{a}mon and Berger, Stefan and Sailer, Reiner and van Doorn, Leendert and Zhang, Xiaolan},
  title     = {Trustworthy and Personalized Computing on Public Kiosks},
  booktitle = {Proceedings of the 6th International Conference on Mobile Systems, Applications, and Services},
  series    = {MobiSys '08},
  year      = {2008},
  isbn      = {978-1-60558-139-2},
  location  = {Breckenridge, CO, USA},
  pages     = {199--210},
  numpages  = {12},
  url       = {http://doi.acm.org/10.1145/1378600.1378623},
  doi       = {10.1145/1378600.1378623},
  acmid     = {1378623},
  publisher = {ACM},
  address   = {New York, NY, USA},
  keywords  = {integrity verification, kiosk computing, mobility, personalized computing, trusted platform module, virtualization},
}
- Does Trusted Computing Remedy Computer Security Problems? A fair and well written critique of trusted computing issues.
@ARTICLE{1423956,
  author   = {Oppliger, R. and Rytz, R.},
  title    = {Does trusted computing remedy computer security problems?},
  journal  = {Security Privacy, IEEE},
  year     = {2005},
  month    = {March},
  volume   = {3},
  number   = {2},
  pages    = {16--19},
  keywords = {security of data; PC; computer security; trusted computing; Application software; Computer security; Control systems; Data security; Embedded computing; Hardware; Information security; Java; Manufacturing; Operating systems; Trusted Computing; digital rights management; software-closed computer systems; software-controlled computer systems; software-open computer systems},
  doi      = {10.1109/MSP.2005.40},
  issn     = {1540-7993},
}
- Cloaking Malware with the Trusted Platform Module. Very, very interesting paper. Video here.
- OSLO: Improving the Security of Trusted Computing. Shows how to defeat the TPM by grounding the RESET# line.
@inproceedings{Kauer:2007:OIS:1362903.1362919,
  author    = {Kauer, Bernhard},
  title     = {OSLO: Improving the Security of Trusted Computing},
  booktitle = {Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium},
  series    = {SS'07},
  year      = {2007},
  isbn      = {111-333-5555-77-9},
  location  = {Boston, MA},
  pages     = {16:1--16:9},
  articleno = {16},
  numpages  = {9},
  url       = {http://dl.acm.org/citation.cfm?id=1362903.1362919},
  acmid     = {1362919},
  publisher = {USENIX Association},
  address   = {Berkeley, CA, USA},
}
[1] Before anybody takes this too seriously, I’m also the marketing department at Cryptotronix. Gutmann also has this quip about TPM vendors: “[TPMs, or trusted computing in general, isn’t going to help] unless you’re a vendor that sells TPMs, in which case trusted computing will solve all of the user’s problems, no matter what they are.”
[2] Ha! Sorry, I couldn’t resist the pun :)
[3] Being a fan of anonymity systems, I’m not sure that the pool of SparkFun customers buying a CryptoCape is enough to protect you from a linkage attack. Researchers were able to de-anonymize users in the Netflix prize dataset, which was considerably bigger. But you probably have bigger problems to worry about anyway; sorry to give you one more. :)
[4] Unfortunately, this link is blocked for those running a Tor relay like myself. Sadly, systems just blacklist all Tor relays, including non-exits, instead of dealing with abuse. I would expect that a security company like EMC would actually encourage usage of security software…