This project explains how to use an OPTIGA™ TPM 2.0 on a Raspberry Pi to perform Endorsement Key (EK)-based device onboarding to a private cloud. EK-based device onboarding is a mechanism for registering a device on a cloud service using EK as the device identity, without the need to provision the TPM with an additional key or certificate. Additionally, there is a way to securely transfer server-generated keys (HMAC/RSA/ECC) to a TPM of a device. The in-transit encrypted key blobs can be associated with an EK, and as a result, the blobs can only be imported to a TPM that holds the specified EK. Depending on the application, these keys can be used for various purposes, such as data encryption/decryption and digital signing.
- Prerequisites
- Project Overview
- Preparing Raspberry Pi for First Use
- Installing Software for First Use
- Operation Guide
- License
There are two options for TPM usage: using an actual TPM or a simulated TPM.
Option 1:
To use an actual TPM, you will need the following hardware:
- You can use either of the following TPM2.0 boards:
- A Raspberry Pi 4 with TPM mounted.
Option 2:
For a simulated TPM, you can use any host machine with one of the following Linux distributions installed: Debian (Bullseye, Buster), Ubuntu (18.04, 20.04).
The purpose of this project is to demonstrate the following flow:
| Flow | Description |
|---|---|
| 1. Onboarding | This step is performed once to onboard a device to a server and follows this sequence:
|
| 2. Authentication | The authentication step requires the device to produce a total of three signatures using the three imported keys (for demonstration purposes only; in normal circumstances, a single signature may suffice). After a successful authentication, the device will receive a server-signed JWT-formatted token. The JWT is necessary for all subsequent communication with the server as proof of identity. The JWT is only valid for a limited period. The authentication step can be repeated to obtain a new JWT. |
| 3. Key Derivation and Second-Layer Encryption | This step demonstrates that the imported HMAC key can be used to add another layer of data encryption. A session-based encryption key can be derived using the HMAC function after exchanging seeds between the server and the device. |
Skip this section if you do not plan to use Raspberry Pi.
This section outlines the steps required to prepare an SD card image that can be used to boot a Raspberry Pi.
To begin, flash the Raspberry Pi OS image 2021-01-11 release onto a micro-SD card that is at least 8GB in size.
After inserting the SD card that you just flashed, boot up your Raspberry Pi. To enable TPM, execute the following commands:
$ sudo sh -c "echo 'dtoverlay=tpm-slb9670' >> /boot/config.txt"
Reboot the Raspberry Pi and check if TPM is activated by:
$ ls /dev | grep tpm
tpm0
tpmrm0
Download package information:
$ sudo apt update
Install generic packages:
$ sudo apt -y install xxd jq maven openjdk-11-jre autoconf-archive libcmocka0 libcmocka-dev procps iproute2 build-essential git pkg-config gcc libtool automake libssl-dev uthash-dev autoconf doxygen libjson-c-dev libini-config-dev libcurl4-openssl-dev uuid-dev pandoc acl libglib2.0-dev xxd curl
Install platform dependent packages on Ubuntu (18.04, 20.04):
$ sudo apt -y install python-yaml
Install tpm2-tss:
$ git clone https://github.com/tpm2-software/tpm2-tss ~/tpm2-tss
$ cd ~/tpm2-tss
$ git checkout 3.2.0
$ ./bootstrap
$ ./configure
$ make -j$(nproc)
$ sudo make install
$ sudo ldconfig
# For debugging:
# Possible levels are: NONE, ERROR, WARNING, INFO, DEBUG, TRACE
# export TSS2_LOG=all+TRACE
Install tpm2-tools:
$ git clone https://github.com/tpm2-software/tpm2-tools ~/tpm2-tools
$ cd ~/tpm2-tools
$ git checkout 5.2
$ ./bootstrap
$ ./configure
$ make -j$(nproc)
$ sudo make install
$ sudo ldconfig
Install tpm2-abrmd:
$ git clone https://github.com/tpm2-software/tpm2-abrmd ~/tpm2-abrmd
$ cd ~/tpm2-abrmd
$ git checkout 2.4.1
$ ./bootstrap
$ ./configure
$ make -j$(nproc)
$ sudo make install
$ sudo ldconfig
Install libtpms-based TPM simulator:
# Install dependencies
$ sudo apt-get install -y dh-autoreconf libtasn1-6-dev net-tools libgnutls28-dev expect gawk socat libfuse-dev libseccomp-dev make libjson-glib-dev gnutls-bin
# Install libtpms-devel
$ git clone https://github.com/stefanberger/libtpms ~/libtpms
$ cd ~/libtpms
$ git checkout v0.9.5
$ ./autogen.sh --with-tpm2 --with-openssl
$ make -j$(nproc)
$ sudo make install
$ sudo ldconfig
# Install Libtpms-based TPM simulator
$ git clone https://github.com/stefanberger/swtpm ~/swtpm
$ cd ~/swtpm
$ git checkout v0.7.3
$ ./autogen.sh --with-openssl --prefix=/usr
$ make -j$(nproc)
$ sudo make install
$ sudo ldconfig
Download the project:
$ git clone https://github.com/infineon/ek-based-onboarding-optiga-tpm ~/ek-based-onboarding-optiga-tpm
If you don't plan to use TPM simulator, you may skip this section.
Start Libtpms-based TPM simulator:
$ mkdir /tmp/simulated_tpm
# Create configuration files for swtpm_setup:
# - ~/.config/swtpm_setup.conf
# - ~/.config/swtpm-localca.conf
# This file specifies the location of the CA keys and certificates:
# - ~/.config/var/lib/swtpm-localca/*.pem
# - ~/.config/swtpm-localca.options
$ swtpm_setup --tpm2 --create-config-files overwrite,root
# Initialize the swtpm
$ swtpm_setup --tpm2 --config ~/.config/swtpm_setup.conf --tpm-state /tmp/simulated_tpm --overwrite --create-ek-cert --create-platform-cert --write-ek-cert-files /tmp/simulated_tpm
# Launch the swtpm
$ swtpm socket --tpm2 --flags not-need-init --tpmstate dir=/tmp/simulated_tpm --server type=tcp,port=2321 --ctrl type=tcp,port=2322 & <--- to debug, add "--log level=?"
$ sleep 5
Copy swtpm CA certificates to the server source:
# Root CA
$ openssl x509 -outform der -in ~/.config/var/lib/swtpm-localca/swtpm-localca-rootca-cert.pem -out ~/ek-based-onboarding-optiga-tpm/server/src/main/resources/rootCAs/swtpm-localca-rootca-cert.crt
# Intermediate CA
$ mkdir ~/ek-based-onboarding-optiga-tpm/server/src/main/resources/intermediateCAs
$ openssl x509 -outform der -in ~/.config/var/lib/swtpm-localca/issuercert.pem -out ~/ek-based-onboarding-optiga-tpm/server/src/main/resources/intermediateCAs/issuercert.crt
Start a session dbus which is limited to the current login session:
$ sudo apt install -y dbus
$ export DBUS_SESSION_BUS_ADDRESS=`dbus-daemon --session --print-address --fork`
Start TPM resource manager:
$ tpm2-abrmd --allow-root --session --tcti=swtpm:host=127.0.0.1,port=2321 &
$ sleep 5
Build and start the server:
$ cd ~/ek-based-onboarding-optiga-tpm/server
$ mvn package
$ mvn spring-boot:run &
$ sleep 20
The server is ready for operation once you see the following message:
...
2023-02-17 07:52:53.582 INFO 8998 --- [main] o.s.m.s.b.SimpleBrokerMessageHandler : Started.
2023-02-17 07:52:53.915 INFO 8998 --- [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 443 (https) 80 (http) with context path ''
2023-02-17 07:52:53.916 INFO 8998 --- [main] com.ifx.server.ServerApplication : Started ServerApplication in 3.51 seconds (JVM running for 3.732)
To view the webpage, open a web browser and navigate to https://localhost. A warning message may appear due to the server using a self-signed certificate. You can bypass this warning and proceed as usual. Once the webpage has loaded, click on "Start" in the upper menu bar to enter the sign-in page (Screenshot-1). Use the following credentials to sign in:
- Username: infineon
- Password: noenifni
Once you have logged in successfully, you will see that the dashboard page (as shown in Screenshot-2 and Screenshot-3) has the following elements:
| Element | Description |
|---|---|
| A | The table displays a list of onboarded devices, along with a button for unpairing devices. |
| B | Display of server activity log. |
| C | Upload a CSV-formatted file containing a list of whitelisted EK public keys. |
| D | You can enable or disable the effect of whitelisting. If the option is disabled, a device can only be onboarded if its TPM is issued by Infineon. If the option is enabled, a device can only be onboarded if both of the following conditions are met:
|
| E | The table displays a list of whitelisted devices, along with a button for blacklisting devices. |
Screenshots:
Screenshot-1 |
 |
Screenshot-2 |
 |
Screenshot-3 |
 |
Depending on your choice of TPM:
- Hardware TPM
Set the TCTI interface:Grant access permissions to the TPM device nodes:$ export TPM2TOOLS_TCTI="device:/dev/tpmrm0"$ cd ~/ek-based-onboarding-optiga-tpm/device $ ./0_prep.sh - Simulated TPM
Set the TCTI interface:$ export TPM2TOOLS_TCTI="tabrmd:bus_name=com.intel.tss2.Tabrmd,bus_type=session"
Once the server is up and running, execute the following scripts:
$ cd ~/ek-based-onboarding-optiga-tpm/device
$ ./1_clean.sh
$ ./2_tpm-clear-init.sh
$ ./3_onboard-req.sh
$ ./4_tpm-key-import.sh
$ ./5_onboard-ack.sh
$ ./6_auth.sh
$ ./7_seed-exchange.sh
$ ./8_derive-aes-key.sh
$ ./9_secured-download.sh
You can find more information about each individual script in the following table:
0_prep.sh |
Authorizes non-privileged access to the TPM device nodes. |
1_clean.sh |
Cleans up the environment, erase non-essential files. |
2_tpm-clear-init.sh |
Performs the following actions:
|
3_onboard-req.sh |
Sends an onboarding request to the server, the request contains:
|
4_tpm-key-import.sh |
After receiving the server response:
|
5_onboard-ack.sh |
Acknowledges the challenge by sending the three signatures to the server. Once the signatures are verified, the device is now successfully onboarded to the server. |
6_auth.sh |
Starts an authentication sequence:
|
7_seed-exchange.sh |
Performs seed exchange. |
8_derive-aes-key.sh |
The device uses the HMAC key and seed values to perform an HMAC operation, from which it derives a session-based AES key (AES-256/CBC/PKCS5Padding). |
9_secured-download.sh |
After downloading encrypted media from the server, the device decrypts it using the AES key. The media that the device expects to receive include:
|
This project is licensed under the MIT License - see the LICENSE file for details.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent