This is a proof of concept signature signing with TPM hardware. Beware, very rough edges. These are the steps I preformed to run it:
- Hardware: ThinkPad T430s
- Distribution: Fedora 21
This code is in the public domain. See https://creativecommons.org/publicdomain/zero/1.0/ for more info.
Written by Noa Resare ([email protected]) as part of a hackday project in April 2015.
-
Make sure you have the following packages installed:
gnutls-utils gnutls-devel tpm-tools gcc make
-
Make sure your PTM is wiped clean. To do this, turn off the computer (restart doesn't work for me), boot into BIOS settings, Security -> Security chip -> Clear. Save changes. Reboot.
-
start the tcsd TPM comms daemon as root:
sudo systemctl start tcsd.service
-
Take ownership of TPM with
tpm_takeownership
(I use the SRK password 'a') -
Generate an RSA keypair on the TPM with this:
tpmtool --generate-rsa --bits 2048 --register --user
-
Export the public part of the keypair to a file named pubkey.pem:
tpmtool --pubkey "tpmkey:uuid=5014ce3f-aab4-4ab6-83ac-572b7bd33654;storage=user" --outfile pubkey.pem
(your uuid will differ, use the output oftpmtool --list
) -
Adjust the TPM_KEY_URL define in the top of sign.c to match your key
-
Build the programs with
make
-
Run
./sign
. This will generate a random challenge.bin and corresponding signature signature.bin using the TPM private key -
Run
./verify
to verify that the contents that signature.bin is a valid signature of challenge.bin using pubkey.pem