《龙蜥社区:2023可信计算技术最佳实践白皮书(193页).pdf》由会员分享,可在线阅读,更多相关《龙蜥社区:2023可信计算技术最佳实践白皮书(193页).pdf(193页珍藏版)》请在三个皮匠报告上搜索。
1、 白皮书作者白皮书作者 This document is MulanPSL v2 licensed.龙蜥社区及龙蜥操作系统也获得了一定的行业认可,、荣获、“OSCAR 开源尖峰案例奖”等 25 项行业奖项。实验室简介 实验室设施及业务概况 实验室建设 SIG SIG 地址:https:/ 钉钉群:“龙蜥-可信计算 SIG 技术交流群”,群号: 微信群:“龙蜥-可信计算 SIG 技术交流群”1.1.3.3 futureTPM 工作组与主要目标 2.国家标准化管理委员会 ISO/IEC 11889 系列标准 TSS 规范官网入口:https:/trustedcomputing
2、group.org/resource/tcg-software-stack-tss-specification/缩略语 PTP Platform TPM Profile CRB Command Response Buffer interface DDWG Device Drivers Writers Guide Certification PP Certification Protection Profile TIS TPM Interface Specification PC Client 标准及配套文档体系:缩略语 PFP Platform Firmware Profile PPI Phy
3、sical Presence Interface FIM Firmware Integrity Measurement MOR Reset Attack Mitigation Memory on reset attack mitigation RIM Reference Integrity Manifest DRTM Dynamic Root of Trust for Measurement 标准编制 应用场景 标准推广 3.swtpm swtpm libtpms 1.#安装依赖包 2.yum install-y automake autoconf libtool gcc gcc-c+make
4、 3.openssl-devel pkg-config socat net-tools-deprecated 4.libtasn1-devel gnutls gnutls-devel libseccomp-devel 5.json-glib-devel expect softhsm 6.#下载 libtpms 源码 7.git clone https:/ 8.cd libtpms 9.#编译并安装 libtpms 10./autogen.sh-prefix=/usr-libdir=/usr/lib64-with-openssl 11.-with-tpm2 12.13.make-j4 14.ma
5、ke-j4 check 15.sudo make install 16.#下载 swtpm 源码 17.git clone https:/ 18.cd swtpm 19.#编译并安装 swtpm 20./autogen.sh-prefix=/usr-libdir=/usr/lib64-with-openssl 21.-with-tss-user=root-with-tss-group=tss-with-cuse 22.make-j4 23.sudo make check-j4 24.sudo make install 1.yum install libtpms swtpm swtpm-deve
6、l swtpm-tools swtpm 编译。1.#安装内核 cuse 模块 2.yum install kernel-modules-extra 3.modprobe cuse 1.#1.初始 tpm2 state 2.mkdir/tmp/myvtpm0;3.chown R tss:root/tmp/myvtpm0 4.swtpm_setup tpm2 tpm-state/tmp/myvtpm0 5.6.#2.创建 tpm2 字符设备 7.export TPM_PATH=/tmp/myvtpm0 8.swtpm_cuse-tpm2-n tpm0 9.#3.启动 tpm 设备 10.swtpm
7、_ioctl-i-tpm-device/dev/tpm0 1.rootlocalhost swtpm#tpm2_pcrread 2.sha1:3.sha256:4.0:0 x0000000000000000000000000000000000000000000000000000000000000000 5.1:0 x0000000000000000000000000000000000000000000000000000000000000000 6.2:0 x0000000000000000000000000000000000000000000000000000000000000000 7.3:
8、0 x0000000000000000000000000000000000000000000000000000000000000000 8.4:0 x0000000000000000000000000000000000000000000000000000000000000000 9.5:0 x0000000000000000000000000000000000000000000000000000000000000000 10.6:0 x0000000000000000000000000000000000000000000000000000000000000000 11.7:0 x0000000
9、000000000000000000000000000000000000000000000000000000000 12.8:0 x0000000000000000000000000000000000000000000000000000000000000000 13.9:0 x0000000000000000000000000000000000000000000000000000000000000000 14.10:0 x0000000000000000000000000000000000000000000000000000000000000000 15.11:0 x0000000000000
10、000000000000000000000000000000000000000000000000000 16.12:0 x0000000000000000000000000000000000000000000000000000000000000000 17.13:0 x0000000000000000000000000000000000000000000000000000000000000000 18.14:0 x0000000000000000000000000000000000000000000000000000000000000000 19.15:0 x00000000000000000
11、00000000000000000000000000000000000000000000000 20.16:0 x0000000000000000000000000000000000000000000000000000000000000000 21.17:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22.18:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 23.19:0 xFFFFFFFFFFFFFFFFFFFFF
12、FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 24.20:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 25.21:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 26.22:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 27.23:0 x0000000000000000000000000
13、000000000000000000000000000000000000000 28.sha384:29.sha512:1.$mkdir$path_to_vm/mytpm0 1.$swtpm socket-tpmstate dir=$path_to_vm/mytpm0 2.-ctrl type=unixio,path=$path_to_vm/mytpm0/swtpm-sock 3.-log level=20 1.swtpm socket-tpm2-tpmstate dir=$path_to_vm/mytpm0 2.-ctrl type=unixio,path=$path_to_vm/mytpm
14、0/swtpm-sock 3.-log level=20 X86_641.-chardev socket,id=chrtpm,path=$path_to_vm/mytpm0/swtpm-sock 2.-tpmdev emulator,id=tpm0,chardev=chrtpm 3.-device tpm-tis,tpmdev=tpm0 aarch64-chardev socket,id=chrtpm,path=$path_to_vm/mytpm0/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device
15、,tpmdev=tpm0 1.2.3.4.5.1.chmod-R 777/var/lib/swtpm-localca/2.virsh start vm 1.#lsmod|grep tpm 2.#tpm_tis 16384 0 3.#4.#yum list installed|grep-E tpm2-tss|tpm2-tools 5.#6.#yum install tpm2-tss tpm2-tools 1.rootlocalhost#tpm2_pcrread 2.sha1:3.0:0 xB88919A8FA33C7A11CEB80A1B9772B499BDAABC8 4.1:0 xED92ED
16、C2A5E26D77F83020956E1AA02140870AC3 5.2:0 xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 6.3:0 xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 7.4:0 x30DDAE4ED835392D81A7CE6FEF905E169BAC27A5 8.5:0 x7BC897262CAD4E3F16F5CE180F6F4B6DEE253483 9.6:0 xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 10.7:0 xC8D7DB36A45078BA0
17、6A86DAD3A20DCFD525C1E1B 11.8:0 x26B98CA9A67B20C4E7B9C1DAFC6890234CBF6E38 12.9:0 x92B9BA924DEBF7A64AB157689AE4AC921B9E930D 13.10:0 x96E96D79512639B9A2DF577CE237D18F544BD74D 14.11:0 x0000000000000000000000000000000000000000 15.12:0 x0000000000000000000000000000000000000000 16.13:0 x0000000000000000000
18、000000000000000000000 17.14:0 x8DF12380EDE005407EAB81DA4405321E0DA61280 18.15:0 x0000000000000000000000000000000000000000 19.16:0 x0000000000000000000000000000000000000000 20.17:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 21.18:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22.19:0 xFFFFFFFFFFFFFFFFFFF
19、FFFFFFFFFFFFFFFFFFFFF 23.20:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 24.21:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 25.22:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 26.23:0 x0000000000000000000000000000000000000000 27.sha256:28.0:0 xE3B7A76FDC83187F0233F4616FED23301B044DE62AABC0CCADE6D9468FCB
20、4233 29.1:0 x862224F4F2B87A4DF717EB92BB828C4598C4CF411ADF83FC9BB084B6D31A5D09 30.2:0 x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 31.3:0 x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 32.4:0 x8D870A781FF79622E72E858B36F025428C15846ABB3D54E0EEACA33E418B9E91 33.
21、5:0 x60EB17AA48B50CC8E78C052BAA633B0848F36B452FC4BE6C2481B525E595C8C8 34.6:0 x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 35.7:0 x97FB0EDBE28C25A14D775090F36682D04596FDA4BF5750F275F76C1643BBDC2D 36.8:0 x62A10C0A8638B71A355AAB7C8C66BFE052EBF2F1E9C5308A430AF5FC7652B35E 37.9:0 xED7
22、43F4D59ABE8C055EA0E8CE983879D69DBE9894F42172ECFAA65E8583E9DFF 38.10:0 xF4FA23203592F54BD5E4392C84CD9591D5D8211638D128CCBE332F54BDD287B0 39.11:0 x0000000000000000000000000000000000000000000000000000000000000000 40.12:0 x0000000000000000000000000000000000000000000000000000000000000000 41.13:0 x0000000
23、000000000000000000000000000000000000000000000000000000000 42.14:0 xA4DAD77FB3B6CACBD20F556986C5D917F5E322C123AF82D12C5E5B7EF7AE9938 43.15:0 x0000000000000000000000000000000000000000000000000000000000000000 44.16:0 x0000000000000000000000000000000000000000000000000000000000000000 45.17:0 xFFFFFFFFFFF
24、FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 46.18:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 47.19:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 48.20:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 49.21:0 xFFFFFFFFFFFFFFF
25、FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 50.22:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 51.23:0 x0000000000000000000000000000000000000000000000000000000000000000 52.sha384:53.0:0 xE0B9E19988D06E4774A33A802981E77123045D56492146A914331AA1FA49AA99DE549823515E6D862779
26、E2F959FF5AC6 54.1:0 x1C44C67D8DD3C86ABD4BAFCC6761DDFFDA96B843F271C6D4D92F84AA8C11BF205831F33D57FB4E960A9C0E83D5C32827 55.2:0 x518923B0F955D08DA077C96AABA522B9DECEDE61C599CEA6C41889CFBEA4AE4D50529D96FE4D1AFDAFB65E7F95BF23C4 56.3:0 x518923B0F955D08DA077C96AABA522B9DECEDE61C599CEA6C41889CFBEA4AE4D50529
27、D96FE4D1AFDAFB65E7F95BF23C4 57.4:0 xBF5307DF2DC437D1F9CB35CB1A85E00717F150C306F01ED7D1EE3565E4626242AE41E9F2F1EDAD9C3F85A34F54F1C172 58.5:0 xAAA365D0D07B6C656D4F8A78346951ECFC2D7C92D3EE475925D9900BB22A255BFFB01B3C9E5CE631CD9BB3C91BB868DE 59.6:0 x518923B0F955D08DA077C96AABA522B9DECEDE61C599CEA6C41889
28、CFBEA4AE4D50529D96FE4D1AFDAFB65E7F95BF23C4 60.7:0 x8742CE00FA4AAB6A8C3B30584D1BB01D4BB680CD9D72923DDCD3600B25EDB9BE9B13B4714A023AE7DC57003ACFB544C1 61.8:0 xADC524F78EAE447F5068D5FCBFF0C9E235CA9903D91FCF21A753A5F7E30B50445C67D7B14184C202C56FFB0BCD55EE3A 62.9:0 xC4F3002193E307C45F62DB79640F3EE54F4738E
29、F83C138010FCA9E47BAD92FACEC0DCADFD0A7E9AB17EDA10F772F5A66 63.10:0 x97F83AABAE79094226377E6288AD64BE6A7BEE26FB40E1846D7A2A877F569633E65CAF72C02DE0665AFE626F476A6124 64.11:0 x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 65.12:0 x000000000000000000000
30、000000000000000000000000000000000000000000000000000000000000000000000000000 66.13:0 x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 67.14:0 x108357C39E8DC8F150A33738567AF451908F80DDFC8C14801FBD513F307DA99082EA0ABA8CC7E042940F310E54C8AB10 68.15:0 x000
31、000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 69.16:0 x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 70.17:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
32、FFFFF 71.18:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 72.19:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 73.20:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
33、FFFFFFFFFFFFFFFFFFFFFFF 74.21:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 75.22:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 76.23:0 x0000000000000000000000000000000000000000000000000000000
34、00000000000000000000000000000000000000000 77.sha512:78.0:0 x0893229AF987740D78145E551F2C04D6C3A1C3FD4043EBB6BCF6C94F8EDF92EE99DC44916C6FF3AB4F4492EA3AA6C1D60C9912DD379E3B9CF9E7BCF08789720C 79.1:0 x2CCA44A4B710CFFA20EF4C10F378E63E4D2065462A69981381C9DB1BC1D0D8396A09480CC31B4102E6C29A1F3002E170B52E1BE
35、2FEE80E565146C04A534A4BDD 80.2:0 x27EC091533C4B9EEA38DD14C3A3ECDEF0A99C1E564CBE66DFE008250154E7839B0B75228FE8DEBCC4CA330E6AEBC1ABC74070BC9C9C1E26B939C9D916E45E13C 81.3:0 x27EC091533C4B9EEA38DD14C3A3ECDEF0A99C1E564CBE66DFE008250154E7839B0B75228FE8DEBCC4CA330E6AEBC1ABC74070BC9C9C1E26B939C9D916E45E13C
36、82.4:0 xB9D1555BC9F1BCF7AFEAF3D60E246C6063ACF2572518FDC12CF7CD689A1E8E10D0B43CFB77CF60F898D99B5523C829849BF08CA8A882395554FECE71E618BFB2 83.5:0 x58F94888F6AC2C4CC23BFBCFF6A013BED1EFDF239EE1BF2FEF5F8C4E7443A7D2E7A90636792A1B858DC8A70C1BE077DE99992B67CC67AAF1746652FE9043A249 84.6:0 x27EC091533C4B9EEA3
37、8DD14C3A3ECDEF0A99C1E564CBE66DFE008250154E7839B0B75228FE8DEBCC4CA330E6AEBC1ABC74070BC9C9C1E26B939C9D916E45E13C 85.7:0 xD2CAB183E6A0BD48AF28C0B04DADAD16EDC21466FB1B8380546147399C42EF82F91A91F2E9D80BEF2EE691E298692775B07B4C02A0C69BD9E55D052865C38302 86.8:0 x77BA9278692B14942F7BCB5E447878D56039E5B64964
38、9039B0BBBD31B90DC23996F23213169173A4D30E466A2E98A47BFCBD80EA0E2363BF1AB292E1CB5F6C8F 87.9:0 xC2C007228B3DF18F6749EE86058EC4819833A77E6C3AFE053FBBEB1D1C474180AB9AE75E52621A4AD4E92F39234C5FB787F0576B9DCB292997C05ACEDC770DFC 88.10:0 x0DFFB841CDC6998F869A6EEF8A29E89FEC5485A6E0F00347A9D50B19B58DE98F6D66B
39、54A8C10721DA8CC2D52CD09B81CD00F9AB266407961621E4E96E13D767A 89.11:0 x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 90.12:0 x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
40、00000000000000000000000000000000000 91.13:0 x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 92.14:0 x795B199E04CF1A624716DC06C0352B1D8C8A57521BD8E252069E9DA04BCB0E0EA566E496FAFA959E25ACCFD47E0129E42FDCA0DBAE
41、2E31539918B 93.15:0 x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 94.16:0 x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 95.17:0 xFFF
42、FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 96.18:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 97.19:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFF
43、FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 98.20:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 99.21:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
44、FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 100.22:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 101.23:0 x0000000000000000000000000000000000000000000000000000000000000000000000000
45、0000000000000000000000000000000000000000000000000000000 4)enum vtpm_proxy_flags 5)/*6)*常量 7)*VTPM_PROXY_FLAG_TPM2 8)*the proxy TPM uses TPM 2.0 protocol 9)*/parameter structure for the VTPM_PROXY_IOC_NEW_DEV ioctl 1.struct vtpm_proxy_new_dev 2.3./Definition:4.struct vtpm_proxy_new_dev 5._u32 flags;6
46、._u32 tpm_num;7._u32 fd;8._u32 major;9._u32 minor;10.;11./*结构体成员说明 12.*flags:flags for the proxy TPM 13.*tpm_num:index of the TPM device 14.*fd:the file descriptor used by the proxy TPM 15.*major:the major number of the TPM device 16.*minor:the minor number of the TPM device 17.*/handler for the VTP
47、M_PROXY_IOC_NEW_DEV ioctl 1.long vtpmx_ioc_new_dev(struct file*file,unsigned int ioctl,unsigned long arg)2.3./*函数参数说明 4.*struct file*file /dev/vtpmx 5.*unsigned int ioctl the ioctl number 6.*unsigned long arg pointer to the struct vtpmx_proxy_new_dev 7.*/8.9./*函数功能描述 10.*创建一个匿名文件,供进程作为 TPM 与客户端进程通信。
48、11.*该函数还将添加一个新的 TPM 设备,通过该设备将数据代理到该 TPM 代理进程。12.*将为调用者提供一个文件描述符,用于与客户端通信,以及 TPM 设备的主要和次要编号。13.*/1.+-+2.|Linux DomU|.3.|4.|v|5.|xen-tpmfront|6.+-+7.|8.v|9.+-+10.|mini-os/tpmback|11.|12.|v|13.|vtpm-stubdom|.14.|15.|v|16.|mini-os/tpmfront|17.+-+18.|19.v|20.+-+21.|mini-os/tpmback|22.|23.|v|24.|vtpmmgr-s
49、tubdom|25.|26.|v|27.|mini-os/tpm_tis|28.+-+29.|30.v|31.+-+32.|Hardware TPM|33.+-+Linux DomU:配置有 vTPM 的 Linux 客户机可能不止一个。xen-tpmfront.ko:Linux 内核虚拟 TPM 前端驱动。该驱动程序提供对基于 linux 的 DomU 的 vTPM 访问。mini-os/tpmback:Mini-os TPM 后端驱动程序,提供 Linux 前端驱动与后端驱动对接功能,实现 Linux DomU 与 vTPM 之间的通信。这个驱动程序也被 vtpmmgr-stubdom 用
50、来与 vtpm-stubdom 通信。vtpm-stubdom:一个实现 vTPM 的 mini-os 存根域。在系统上运行的vtpm-stubdom 实例和逻辑 vtpms 之间存在一对一的映射关系。mini-os/tpmfront:Mini-os TPM 前端驱动程序。vTPM mini-os 域vTPM-stubdom 使用该驱动程序与 vtpmmgr-stubdom 通信。该驱动程序也用于与 vTPM 域通信的 mini-os 域,例如 pv-grub。vtpmmgr-stubdom:实现 vTPM 管理器的 mini-os 域。只有一个 vTPM管理器,它应该在机器的整个生命周期中运
51、行。该域规范对系统物理 TPM的访问,并确保每个 vTPM 的持久状态。mini-os/tpm_tis:Mini-os TPM version 1.2 TPM Interface Specification (TIS)驱动程序。vtpmmgr-stubdom 使用这个驱动程序直接与硬件 TPM 对话。通过将硬件内存页映射到 vtpmmgr-stubdom 的方式,方便与硬件 TPM 通信。硬件 TPM:物理 TPM 模块,一般是焊接到主板上的。与 Xen 集成 https:/ ima_ascii_measurements_show()(identifier:description)d:事件的摘
52、要(即度量文件的摘要);用 SHA1 或 MD5 哈希算法计算;n:事件的名称(即文件名),大小为 255 字节;d-ng:事件的摘要,用任意散列计算算法(字段格式:digest);d-ngv2:与 d-ng 相同,但前缀为”ima”或”verity”摘要类型(字段格式:摘要);d-modsig:事件摘要,不包含附加的 modsig;n-ng:事件的名称,没有大小限制;sig:文件签名,基于文件的/fsversity 的摘要,或 EVM 便携式签名。modsig附加文件签名;buf:用于生成哈希的缓冲区数据,没有大小限制;evmsig:EVM 便携签名;iuid:索引节点 UID;igid:索
53、引节点的 GID;imode:索引节点模式;xattrnames:xattr 名称列表(以|分隔),仅当 xattr 为现在;xattrlength:xattr 长度列表(u32),仅当 xattr 存在时;xattrvalues:xattr 值的列表。“ima”:格式为“d|n”;“ima-ng”(默认):它的格式是“d-ng|n-ng;“ima-ngv2”:格式为“d-ngv2|n-ng”;“image-sig”:格式为“d-ng|n-ng|sig”;“ima-sigv2”:格式为“d-ngv2|n-ng|sig”;“ima-buf”:格式为“d-ng|n-ng|buf”;“ima-mod
54、sig”:格式为“d-ng|n-ng|sig|d-modsig|modsig”;“evm-sig”:格式为“d-ng|n-ng|evmsig|xattrnames|xattrlength|xattrvalues|iuid|igid|imode”。ima-ng ima_template=ima_template_fmt=。一种是各个语言原生实现的:其中 tpm2-tss 是基于 TCG 标准实现的被广泛使用。一种是基于其它语言实现的 wrapper(tpm2-pytss 和 rust-tss-esapi 均基于 C 语言的 tpm2-tss 封装的 wrapper)。tpm2-tss 及配套的
55、tpm2-abrmd 和 tpm2-tools 来满足大部分可信计算用户的需求。python-tpm2-pytss 这个基于 tpm2-tss 的软件栈来满足可信计算Python 用户的需求。海光在龙蜥社区贡献了 tpm2-tss 和 tpm2-tools 的仓库部分组件/库的国密功能,详见 hygon-tpm2-tss 和 hygon-tpm2-tools,这些特性也都集成到 Anolis OS 对应版本的 yum 源中。龙蜥社区也在跟进和探索知名开源项目 keylime,keylime 部分组件依赖于 rust 的 TSS 软件栈 rust-tss-esapi,未来也有计划将 rust-t
56、ss-esapi引入来更好的服务可信计算 Rust 用户。FAPI:大多数的用户层引用程序基于 FAPI 开发就可以了,因为 FAPI 实现了 TPM 百分之八十的常用应用场景。使用这一层开发应用就像是使用JAVA,C#等高级语言开发应用一样方便。FAPI 对应的库为libtss2-fapi,对应的标准为 TCG Feature API(FAPI)Specification,TCG TSS 2.0 JSON Data Types and Policy Language Specification。ESAPI:往下一层是 ESAPI,它需要你对 TPM 了解很深,它实现了 TPM2命令的 1:1
57、 映射,但是同时提供了会话管理以及加解密的辅助功能。这有点像使用 C+开发应用程序。ESAPI 对应的库为 libtss-esys,对应的标准为 TCG TSS 2.0 Enhanced System API(ESAPI)Specification。SAPI:应用程序也可以直接基于 SAPI 这一层,它实现了 TPM2 命令的1:1 映射,但这需要你对 TPM 了如指掌。这就像是使用 C 语言编写应用程序,而不是用高级语言。它提供了 TPM 的所有功能,但是要想用好它你必须对 TPM 有很深的理解。SAPI 对应的库为libtss2sys,对应的标准为 TCG TSS 2.0 System L
58、evel API(SAPI)Specification。TCTI:TCTI 层用于向 TPM 发送命令并接收 TPM 对命令的响应。应用可以直接通过 TCTI 发送命令的数据流并解析接收到的响应数据流。这就像是使用汇编语言来编写应用程序。它对应的库为libtss2tctidevice、libtss2tctitbs等,对应的标准为 TCG TSS 2.0 TPM Command Transmission Interface(TCTI)API Specification。TAB:TAB 这一层主要负责多线程环境下 TPM 资源的同步。也就是说它允许多个线程同时访问 TPM 而不发生冲突。RM:因为
59、 TPM 内部的存储资源非常有限,所以需要一个资源管理器RM,它的原理于虚拟内存管理类似,它可以将 TPM 对象和会话换进换出 TPM。驱动:最后一层就是设备驱动,它主要是控制通信外设与 TPM 互相传输数据。如果你愿意的话,直接调用设备驱动接口来编写应用程序也是可以的,当然这就像是你用二进制数据编写程序一样。Application#1Application#2Feature APIEnhanced System API System APITCTITCTITCTITCTITABTABTABTABResource MgrResource MgrResource MgrLocal TPM dri
60、verSim TPM driverVirt TPM driverLocal TPM TPM SimulatorVirtualTPMTAB Resource MgrLocal TPM driverRemote TPMLocal TPM sendLocal TPM rcvSim TPM sendSim TPM rcvVirt TPM sendVirt TPM rcvRemote SystemRem TPM send 对于开发者和用户而言,tpm2-tss 中使用最多的是 FAPI 和 ESAPI,他们均提供了非常多的 APIs 供开发者使用。tpm2-tss 提供一个文档详细的介绍了 FAPI 和
61、ESAPI 中各个 APIs 的用法以及参数的含义,对用户快速理解和使用这些 APIs 非常有帮助。Esys Context ESYS_CONTEXT 相关 APIs:提供一些上下文相关的接口函数,用来初始化和释放上下文、获取底层的 SAPI 和 TCTI 上下文等。Esys Tpm Resource ESYS_TR 负责管理该层 TPM 软件资源相关的ESAPI。Esys TPM Commands 与 TPM 2.0 命令 1:1 映射的 ESAPI,调用对应的 ESAPI 命令最终会转换为对应的 TPM 2.0 命令。Internals of Enhanced System API:该层内
62、部使用的一些 ESAPI,包轮一些内部类型以及加密相关的 APIs 等。tools/tpm2_tool.h1.#include 然后参考/tpm2_tool.c的 ctx_init 函数去调用Esys_Initialize这个 ESAPI来初始化 ESAPI 的上下文,例如:1.static ESYS_CONTEXT*ctx_init(TSS2_TCTI_CONTEXT*tcti_ctx)2.3.ESYS_CONTEXT*esys_ctx;4.5.TSS2_RC rval=Esys_Initialize(&esys_ctx,tcti_ctx,NULL);6.if(rval!=TPM2_RC_S
63、UCCESS)7.LOG_PERR(Esys_Initialize,rval);8.return NULL;9.10.11.return esys_ctx;12.lib/tpm2.ctpm2_pcr_read函数Esys_PCR_Read1.tool_rc tpm2_pcr_read(ESYS_CONTEXT*esys_context,ESYS_TR shandle1,2.ESYS_TR shandle2,ESYS_TR shandle3,3.const TPML_PCR_SELECTION*pcr_selection_in,UINT32*pcr_update_counter,4.TPML_P
64、CR_SELECTION*pcr_selection_out,TPML_DIGEST*pcr_values,5.TPM2B_DIGEST*cp_hash,TPMI_ALG_HASH parameter_hash_algorithm)6.7.TSS2_RC rval=TSS2_RC_SUCCESS;8.tool_rc rc=tool_rc_success;9.10.11.rval=Esys_PCR_Read(esys_context,shandle1,shandle2,shandle3,12.pcr_selection_in,pcr_update_counter,pcr_selection_ou
65、t,pcr_values);13.if(rval!=TSS2_RC_SUCCESS)14.LOG_PERR(Esys_PCR_Read,rval);15.return tool_rc_from_tpm(rval);16.17.最 后 当 我 们 的 所 有 操 作 完 成 后,需 要 参 考tools/tpm2_tool.c的esys_teardown 函数去调用_Finalize这个 ESAPI 来销毁 ESAPI 的上下文,比如:1.static void esys_teardown(ESYS_CONTEXT*esys_context)2.3.if(esys_context=NULL)4.
66、return;5.if(*esys_context=NULL)6.return;7.Esys_Finalize(esys_context);持续跟进上游社区各个语言 TSS 软件栈的动态并积极参与贡献,同时也会把这些成果引入到 Anolis OS 中。接受社区各个参与方在 TSS 软件栈上的贡献,并以实践文档等方式输出到可信计算 SIG 中。提供更多的实践指南,使用文档等,便于用户更好地使用。1.yum install tpm2-tools 1.tpm2_startup-v 2.tool=tpm2_startup version=tctis=libtss2-tctildr tcti-defau
67、lt=tcti-device 1.tpm2_startup-v 2.tool=tpm2_startup version=tctis=libtss2-tctildr tcti-default=tcti-abrmd 1.tpm2_startup -V#执行 TPM2_SU_STATE 类型的 startup 2.INFO on line:54 in file:tools/tpm2_startup.c:3.Sending TPM_Startup command with type:TPM2_SU_STATE 4.5.tpm2_startup-c-V#执行 TPM2_SU_CLEAR 类型的 star
68、tup 6.INFO on line:54 in file:tools/tpm2_startup.c:7.Sending TPM_Startup command with type:TPM2_SU_CLEAR 1.tpm2_getcap algorithms-V#获取 TPM2.0 芯片支持的算法信息 2.INFO on line:44 in file:lib/tpm2_capability.c:3.GetCapability:capability:0 x0,property:0 x1 4.rsa:5.value:0 x1 6.asymmetric:1 7.symmetric:0 8.hash
69、:0 9.object:1 10.reserved:0 x0 11.signing:0 12.encrypting:0 13.method:0 14.15.16.tpm2_getcap commands-V#获取 TPM2.0 芯片支持的命令码 17.INFO on line:44 in file:lib/tpm2_capability.c:18.GetCapability:capability:0 x2,property:0 x11f 19.TPM2_CC_NV_UndefineSpaceSpecial:20.value:0 x440011F mandIndex:0 x11f 22.rese
70、rved1:0 x0 23.nv:1 24.extensive:0 25.flushed:0 26.cHandles:0 x2 27.rHandle:0 28.V:0 29.Res:0 x0 30.31.32.tpm2_getcap properties-fixed-V#获取 TPM2.0 芯片固定属性信息 33.INFO on line:44 in file:lib/tpm2_capability.c:34.GetCapability:capability:0 x6,property:0 x100 35.TPM2_PT_FAMILY_INDICATOR:36.raw:0 x322E3000
71、37.value:2.0 38.TPM2_PT_LEVEL:39.raw:0 40.TPM2_PT_REVISION:41.value:1.16 42.TPM2_PT_DAY_OF_YEAR:43.raw:0 xF 44.TPM2_PT_YEAR:45.raw:0 x7E0 46.TPM2_PT_MANUFACTURER:47.raw:0 x564D5700 48.value:VMW 49.50.51.tpm2_getcap ecc-curves-V#获取 TPM2.0 芯片支持的椭圆曲线信息 52.INFO on line:44 in file:lib/tpm2_capability.c:5
72、3.GetCapability:capability:0 x8,property:0 x1 54.TPM2_ECC_NIST_P192:0 x1 55.TPM2_ECC_NIST_P224:0 x2 56.TPM2_ECC_NIST_P256:0 x3 57.TPM2_ECC_NIST_P384:0 x4 58.TPM2_ECC_BN_P256:0 x10 59.60.61.tpm2_getcap handles-nv-index-V#获取已定义的 NV 空间句柄 62.INFO on line:44 in file:lib/tpm2_capability.c:63.GetCapability
73、:capability:0 x1,property:0 x1000000 64.-0 x1691D65 65.-0 x1C00002 66.-0 x1C0000A 67.68.tpm2_getcap handles-transient-V#获取暂存对象句柄 69.INFO on line:44 in file:lib/tpm2_capability.c:70.GetCapability:capability:0 x1,property:0 x80000000 71.-0 x80000000 72.-0 x80000001 1.tpm2_createprimary-C o-G rsa-c rsa
74、primary.ctx-V#在 TPM_RH_Owner Hierary 创建RSA 算法的 2.INFO on line:44 in file:lib/tpm2_capability.c:3.GetCapability:capability:0 x5,property:0 x0 4.name-alg:5.value:sha256 6.raw:0 xb 7.attributes:8.value:fixedtpm|fixedparent|sensitivedataorigin|userwithauth 9.|restricted|decrypt 10.raw:0 x30072 11.type:1
75、2.value:rsa 13.raw:0 x1 14.exponent:0 x0 15.bits:2048 16.scheme:17.value:null 18.raw:0 x10 19.scheme-halg:20.value:(null)21.raw:0 x0 22.sym-alg:23.value:aes 24.raw:0 x6 25.sym-mode:26.value:cfb 27.raw:0 x43 28.sym-keybits:128 29.rsa:b7a9f512d495edc54b0fae7a76c8f72a3708f0de4d6a6a08a73547c4d 30.f6fddb
76、15e5bf9a94fb5a63ecdeb62e18138d93be4d4522ac12a091b354bab5 31.e4e36dde30b17ae4e84bf5d72a5447f2bfb3e6bc53b9ba847d85c0ec016935 32.4e301dbd9d83ba45a43747d55b541116da666bfa2fa583e317f 33.d1757309a1904c933fae6e92502a01b72bc3f46cc7665852b1a93d3b3344e9 34.5aa254ba4f7d9345916648a7a667a5ae275894a278
77、9b46dff6a26cc8dc4cd8 35.3e848ac7e23a2fa7a0d2091eacb1cd40851eb0bdccb7ebdd1ad8057d1fbc1c 36.be54ceacba3e4a90157cfa53adf22f88a7c730b4b1584dff596c62f88ade2a 37.8a7c9d67f36f6db169b4f 38.INFO on line:190 in file:lib/files.c:39.Save TPMS_CONTEXT-savedHandle:0 x80000000 1.tpm2_create-C rsaprimary.ctx-G rsa-
78、u rsa.public 2.-r rsa.private-V#以上一步创建的 PrimaryObject 为父密钥,3.创建 RSA 算法的密钥 4.INFO on line:44 in file:lib/tpm2_capability.c:5.GetCapability:capability:0 x5,property:0 x0 6.INFO on line:362 in file:lib/files.c:7.Assuming tpm context file 8.INFO on line:293 in file:lib/files.c:9.load:TPMS_CONTEXT-savedH
79、andle:0 x80000000 10.name-alg:11.value:sha256 12.raw:0 xb 13.attributes:14.value:fixedtpm|fixedparent|sensitivedataorigin|userwithauth 15.|decrypt|sign 16.raw:0 x60072 17.type:18.value:rsa 19.raw:0 x1 20.exponent:0 x0 21.bits:2048 22.scheme:23.value:null 24.raw:0 x10 25.scheme-halg:26.value:(null)27
80、.raw:0 x0 28.sym-alg:29.value:null 30.raw:0 x10 31.sym-mode:32.value:(null)33.raw:0 x0 34.sym-keybits:0 35.rsa:d01e9a0f80a79c7248b29e66535a16c43ff0ad70f5f6773d048bb6e9178 36.78f91ac53f672091b8103123123bce8603d761e7b39eb12b4a286816068c40c4 37.af5bd6296bc565913acc69fa5b4485835f1493a180cfb41ec6d18828f1
81、95941a 38.6446f55794ab8a304e78d2cf04e52d36a98ae94a70f8fa868dcbd8cf58c909df 39.684f0dc1f41ba27bcd86097cb8ae0d3cc50d5fba3ea6efd5780a605536f8a60a 40.a95350a0db6d639f5c25732ed4ab122df37d258d6786e0fbb123fc18eab71ed4 41.21c9200b1ebfc47ab5ab0e12a3566fcac5e97b1343ab022bf6ba8a94a1c4b795 42.46208806e3561d405b
82、fdcbd7b2e7205a3fc73ed8e54cac847d32a06f0aec291e 43.fb27f 1.tpm2_create-C rsaprimary.ctx-G rsa-u rsa.public-r rsa.private#创建 RSA 算法的密钥 2.3.tpm2_load-C rsaprimary.ctx-u rsa.public-r rsa.private 4.-c rsa-enc-key.ctx-V#执行 TPM2_CC_Load 命令将创建的 RSA 密钥加 5.载至 TPM 芯片中 6.INFO on line:44 in file:lib/tpm2_capabil
83、ity.c:7.GetCapability:capability:0 x5,property:0 x0 8.INFO on line:362 in file:lib/files.c:9.Assuming tpm context file 10.INFO on line:293 in file:lib/files.c:11.load:TPMS_CONTEXT-savedHandle:0 x80000000 12.name:000b0b8d6e072c99c31c90856d9758ca1d2068147e028c 13.8073914e4a17a85e573fca 14.INFO on line
84、:190 in file:lib/files.c:15.Save TPMS_CONTEXT-savedHandle:0 x80000000 16.17.echo 12345 data.txt#生成明文 18.19.tpm2_rsaencrypt-c rsa-enc-key.ctx-o cipher.bin data.txt-V 20.#使用 RSA 密钥加密 data.txt 文件,将密文输出到 cipher.bin 文件中 21.INFO on line:362 in file:lib/files.c:22.Assuming tpm context file 23.INFO on line:
85、293 in file:lib/files.c:24.load:TPMS_CONTEXT-savedHandle:0 x80000000 25.26.tpm2_rsadecrypt-c rsa-enc-key.ctx-o data-dec.txt cipher.bin-V 27.#使用 RSA 密钥解密密文,并将密文输出到 data-dec.txt 文件 28.INFO on line:44 in file:lib/tpm2_capability.c:29.GetCapability:capability:0 x5,property:0 x0 30.INFO on line:362 in fi
86、le:lib/files.c:31.Assuming tpm context file 32.INFO on line:293 in file:lib/files.c:33.load:TPMS_CONTEXT-savedHandle:0 x80000000 34.35.diff data-dec.txt data.txt#明文与解密后文件对比 1.tpm2_create-C rsaprimary.ctx-G rsa-u rsa.public 2.-r rsa.private#创建 RSA 算法的密钥 3.4.tpm2_load-C rsaprimary.ctx-u rsa.public-r r
87、sa.private 5.-c rsa-sign-key.ctx-V#执行 TPM2_CC_Load 命令将创建的 RSA 密钥 6.加载至 TPM 芯片中 7.8.echo rsasign rsasigndata.txt#生成签名内容 9.10.tpm2_sign-c rsa-sign-key.ctx-o rsa-sig.bin rsasigndata.txt -V 11.#使用 RSA 密钥对 rsasigndata.txt 签名,将签名信息写入 rsa-sig.bin 文件 12.INFO on line:44 in file:lib/tpm2_capability.c:13.GetCa
88、pability:capability:0 x5,property:0 x0 14.INFO on line:362 in file:lib/files.c:15.Assuming tpm context file 16.INFO on line:293 in file:lib/files.c:17.load:TPMS_CONTEXT-savedHandle:0 x80000000 18.19.tpm2_verifysignature-c rsa-sign-key.ctx-s rsa-sig.bin 20.-m rsasigndata.txt#使用 RSA 密钥验签 21.22.echo rs
89、asign1 rsasign1data.txt#构建异常数据 23.24.tpm2_verifysignature-c rsa-sign-key.ctx-s rsa-sig.bin 25.-m rsasign1data.txt-V#对异常数据签名验签 26.INFO on line:362 in file:lib/files.c:27.Assuming tpm context file 28.INFO on line:293 in file:lib/files.c:29.load:TPMS_CONTEXT-savedHandle:0 x80000000 30.WARNING:esys:src/
90、tss2-esys/api/Esys_VerifySignature.c:302:Esys_VerifySignature_Finish()31.Received TPM Error 32.ERROR:esys:src/tss2-esys/api/Esys_VerifySignature.c:103:Esys_VerifySignature()33.Esys Finish ErrorCode(0 x000002db)34.ERROR on line:53 in file:lib/log.h:35.Esys_VerifySignature(0 x2DB)-tpm:parameter(2):36.
91、the signature is not valid 37.ERROR on line:259 in file:tools/tpm2_verifysignature.c:38.Verify signature failed!39.ERROR on line:147 in file:tools/tpm2_tool.c:40.Unable to run tpm2_verifysignature 1.tpm2_create-C rsaprimary.ctx-G ecc-u ecc.public-r ecc.private#创建 ECC 算法的密钥 2.3.tpm2_load-C rsaprimary
92、.ctx-u ecc.public-r ecc.private-c ecc-sign-key.ctx-V 4.#执行 TPM2_CC_Load 命令将创建的 ECC 密钥加载至 TPM 芯 片中 5.6.echo eccsign eccsigndata.txt#生成签名内容 7.8.tpm2_sign-c ecc-sign-key.ctx-o ecc-sig.bin eccsigndata.txt -V 9.#使用 ECC 密钥对 eccsigndata.txt 签名,将签名信息写入 ecc-sig.bin 文件 10.11.tpm2_verifysignature-c ecc-sign-ke
93、y.ctx-s ecc-sig.bin-m eccsigndata.txt#使用ECC 密钥验签 1.tpm2_nvdefine-C o-s 100 0 x01800001-V 2.#在 TPM_RH_Owner 特权域中创建 100 字节的存储空间,空间索引为 0 x01800001 3.INFO on line:44 in file:lib/tpm2_capability.c:4.GetCapability:capability:0 x5,property:0 x0 5.nv-index:0 x1800001 6.7.echo 1234567890 nv.txt#生成存储数据 8.9.tp
94、m2_nvwrite-i nv.txt-C o 0 x01800001-V 10.#向 NVRAM 0 x01800001 写入数据 11.INFO on line:44 in file:lib/tpm2_capability.c:12.GetCapability:capability:0 x5,property:0 x0 13.INFO on line:80 in file:tools/tpm2_nvwrite.c:14.The data(size=11)to be written:15.INFO on line:1657 in file:lib/tpm2.c:16.Success to w
95、rite NV area at index 0 x1800001 offset 0 x0.17.18.tpm2_nvread-C o 0 x01800001-V 19.#读取 NVRAM 0 x01800001 中的内容 20.INFO on line:44 in file:lib/tpm2_capability.c:21.GetCapability:capability:0 x5,property:0 x0 22.1234567890 23.24.tpm2_nvundefine-C o 0 x01800001-V#释放 NVRAM 0 x1800001 25.INFO on line:44
96、in file:lib/tpm2_capability.c:26.GetCapability:capability:0 x5,property:0 x0 27.INFO on line:1580 in file:lib/tpm2.c:28.Success to release NV area at index 0 x1800001.1.tpm2_pcrread-V#获取当前 PCR 中的内容 2.sha1:3.0:0 xA660D212EE691C9295BBEA32A78BE89F9F27C5A9 4.1:0 xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
97、 5.2:0 xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 6.3:0 xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 7.4:0 xB0B51368B2865BD0B8B56BFE1CFE8E6177AB2465 8.5:0 x7273E316E323AAFFBFCDE3ED860DD266E0AA17EB 9.6:0 xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 10.7:0 xDBAED2EAEFC85D2342AF7E2C7F0AD9188FF215B1 11.8:0 x16
98、992E4CFBD1E29D5D99ADD56FC9AFAB1EFB0595 12.9:0 x3CFED51D0D507E2CDA5C996374BACAB93C6C6A16 13.10:0 x327C45F6007C43E7C6D82958EE6D18F890796A02 14.11:0 x0000000000000000000000000000000000000000 15.12:0 x0000000000000000000000000000000000000000 16.13:0 x0000000000000000000000000000000000000000 17.14:0 x8DF
99、12380EDE005407EAB81DA4405321E0DA61280 18.15:0 x0000000000000000000000000000000000000000 19.16:0 x0000000000000000000000000000000000000000 20.17:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 21.18:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22.19:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 23.20:0 xFFF
100、FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 24.21:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 25.22:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 26.23:0 x0000000000000000000000000000000000000000 27.sha256:28.0:0 xCD77123A880A51DB10BBA64BEBFF3B0AD20BA4D50F9F8B8A6B341DBD4E02F468 29.1:0 x3D458CFE55CC03EA1F443
101、F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 30.2:0 x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 31.3:0 x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 32.4:0 x76A09DC9FB1E61888B36E6C4A45C02A36B2E39FD40925506110F53586560D4B2 33.5:0 xD004B8D98FBEE7E967E9F46F55CDE
102、E79D487FB5793AA5B1F6D7586A11AD9DEE9 34.6:0 x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 35.7:0 x592E7099CFF05155224F26EC6F3781975A7B095F151772CB61714E32F59F6DE1 36.8:0 xE8A441D072B34D68432E00F368BCC3113315CF3707475072BAB93E3195B474C9 37.9:0 x93889BC9C705243940156FAFBD8EDB6CF8209
103、62BC45E005BBFFC90C516E991B1 38.10:0 x7ABD6A1ADAF3FA4AF27CAA9B541BDB79D535CB577C89FDED6BBF953ACB7AF29B 39.11:0 x0000000000000000000000000000000000000000000000000000000000000000 40.12:0 x0000000000000000000000000000000000000000000000000000000000000000 41.13:0 x00000000000000000000000000000000000000000
104、00000000000000000000000 42.14:0 xA4DAD77FB3B6CACBD20F556986C5D917F5E322C123AF82D12C5E5B7EF7AE9938 43.15:0 x0000000000000000000000000000000000000000000000000000000000000000 44.16:0 x0000000000000000000000000000000000000000000000000000000000000000 45.17:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
105、FFFFFFFFFFFFFFFFFFF 46.18:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 47.19:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 48.20:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 49.21:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
106、FFFFFFFFFFFFFFF 50.22:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 51.23:0 x0000000000000000000000000000000000000000000000000000000000000000 52.53.54.echo 123 pcr.txt#生成扩展数据 55.56.sha256sum pcr.txt#计算扩展数据 sha256 摘要值 57.181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd
107、8e5d3b 58.pcr.txt 59.60.tpm2_pcrextend 10:sha256=181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b-V 61.#将 pcr.txt 摘要值扩展至 PCR4 SHA-256 Bank 中 1.tpm2_getcap properties-variable-V#获取与 DA 相关的属性 2.INFO on line:44 in file:lib/tpm2_capability.c:3.GetCapability:capability:0 x6,property:0 x20
108、0 4.5.TPM2_PT_LOCKOUT_COUNTER:0 x0 6.TPM2_PT_MAX_AUTH_FAIL:0 x3 7.TPM2_PT_LOCKOUT_INTERVAL:0 x3E8 8.TPM2_PT_LOCKOUT_RECOVERY:0 x3E8 9.10.11.tpm2_dictionarylockout-s-l 300-t 300-n 10-V 12.#设定 maxTries 为 10 次,lockoutRecovery 为 300 秒,recoveryTime 为 300 秒 13.INFO on line:44 in file:lib/tpm2_capability.c
109、:14.GetCapability:capability:0 x5,property:0 x0 15.INFO on line:1110 in file:lib/tpm2.c:16.Setting up Dictionary Lockout parameters.17.18.tpm2_getcap properties-variable-V 19.INFO on line:44 in file:lib/tpm2_capability.c:20.GetCapability:capability:0 x6,property:0 x200 21.22.TPM2_PT_LOCKOUT_COUNTER:
110、0 x0 23.TPM2_PT_MAX_AUTH_FAIL:0 xA 24.TPM2_PT_LOCKOUT_INTERVAL:0 x12C 25.TPM2_PT_LOCKOUT_RECOVERY:0 x12C 26.27.28.tpm2_dictionarylockout-c-V#重置死锁计数器 29.INFO on line:44 in file:lib/tpm2_capability.c:30.GetCapability:capability:0 x5,property:0 x0 31.INFO on line:1099 in file:lib/tpm2.c:32.Resetting di
111、ctionary lockout state.1.yum install git automake libtool autoconf autoconf-archive 2.openssl-devel tpm2-tss-devel tpm2-tools make 3.git clone https:/ 4.pushd tpm2-tss-engine 5./bootstrap 6./configure-prefix=/usr 7.make 8.make install 9.popd 1.openssl engine-t-c tpm2tss 2.(tpm2tss)TPM2-TSS engine fo
112、r OpenSSL 3.RSA,RAND 4.available 1.openssl rand-engine tpm2tss-hex 128 2.engine tpm2tss set.3.8a1b6a489fcf1b1fd8324e97cd76ff7e52617373fc43f7227145c69163 4.b85bd15bb77375a4d5a69b998c4717e7b4c8b1bdb1f3b0e3936a6f528d 5.9c90189c022cfeb94f008e35d54407c89229ef7fa338f9be0670e8d466 6.0aa61afcdb6e54dccd6079a
113、9e2f93f3ce1528aa8124fcbbadd5bc79296 7.23ce2afe5802af2317b27a43 1.tpm2tss-genkey-a rsa-s 2048 rsakey#使用 tpm2-tss-genkey 生成 RSA 算法密钥 2.3.openssl rsa-engine tpm2tss-inform engine-in rsakey-pubout 4.-outform pem-out rsakey.pub#导出密钥公钥 5.engine tpm2tss set.6.writing RSA key 7.8.cat rsakey.pub#读取公钥信息 9.-BE
114、GIN PUBLIC KEY-10.MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA17VGBbc3y8/+KSKJ5+K 11.MiGyY2CXpvgiYcajGZon8dEhYYLZ2d53wk6tgs19rHQl89T7h6rG2i5haaLRLTNr 12.gkxB4/OfK4dneVEtHgEZLbQmiGoI0ke4wCf9FhyrlpSRV7EUA0NYg86DE654X8Pd 13.4VsIc2Wb3Lf1MP1/lX/r5gZknyPqBe7NL5BM46m8WHS25tDf+Mg/vHADgWboVGFK 14.W+YpxYtubSh
115、AgOjXHc5lKuMKqG5nnIJkrxr8hgtf0ZXbVYywMt4NmaYV7Bc632ic 15.SkHk0OPGZ+RMl8YQmIEmXLK9Tu0IVy58dC0wxvi4V2GQ+p75uWF3K+nZmYUXFl+2 16.IQIDAQAB 17.-END PUBLIC KEY-1.tpm2_createprimary-C o-G rsa2048-c rsaprimary.ctx#创建 TPM2 RSA 算法Primary Object 2.3.tpm2_create-C rsaprimary.ctx-G rsa2048-u rsa.pub-r rsa.pri#创建
116、TPM2 RSA 密钥 4.5.tpm2_load-C rsaprimary.ctx-u rsa.pub-r rsa.pri-c rsa.ctx#将 RSA 密钥导入 TPM2芯片 6.7.tpm2_evictcontrol-C o-c rsa.ctx#将 RSA 密钥设置为持久对象 8.persistent-handle:0 x81000000 9.action:persisted 10.11.openssl rsa-engine tpm2tss-inform engine-in 0 x81000000 12.-pubout-outform pem-out rsatpmkey.pub 13.
117、#导出 TPM2 中持久对象 0 x81000000 的公钥 14.engine tpm2tss set.15.Enter password for user key:16.writing RSA key 17.18.cat rsatpmkey.pub#读取公钥信息 19.-BEGIN PUBLIC KEY-20.MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyA02SWyY6ZYyVR28O0R9 21.oDxxqd/RkxPa5W/4O773VkCRF8lovREKLrVV7pVHts6cxw8yrLc8Pzq5bArOTPh0 22.9M45Ca
118、xo13uhPd8H8p5UDORvrylJT7bJb5hrfJYyXyvd9FeXLqXexbJOSwPf+vcD 23.yv6OKccNwCK/3s/89aEm1B8xuYU1TXFnfo/sLJ+trUIiqrP3Aug/5gwB52lzTAX 24.WSCdogcbRL/AG7F2Zkn/56miZSzQ0I/o2Y/AaYrY3Oj0W/lIJmGTDiD5TbJJS3gQ 25.GdY1Tr3xf1Xsfo6ihJ0KCx2ZNBdtX7PIpErztLlllUCBGPNUt8OSVA+V6eZANv9B 26.owIDAQAB 27.-END PUBLIC KEY-1.echo
119、123456 mydata#创建明文 2.3.openssl pkeyutl-pubin-inkey rsakey.pub-in mydata-encrypt 4.-out mycipher#使用公钥加密数据 5.6.openssl pkeyutl-engine tpm2tss-keyform engine-inkey rsakey 7.-decrypt-in mycipher-out mycipher-dec#使用私钥解密数据 8.9.diff mydata mycipher-dec#对比原文与解密后的明文 1.openssl pkeyutl-pubin-inkey rsatpmkey.pu
120、b-in mydata-encrypt 2.-out mycipher#使用公钥加密数据 3.4.openssl pkeyutl-engine tpm2tss-keyform engine-inkey 0 x81000000 5.-decrypt-in mycipher-out mycipher-dec 6.#使用 TPM2 中持久对象 0 x81000000 私钥解密数据 7.8.diff mydata mycipher-dec#对比原文与解密后的明文 1.openssl pkeyutl-engine tpm2tss-keyform engine-inkey rsakey 2.-sign-i
121、n mydata-out mysig 3.#使用 tpm2tss-genkey 生成的密钥 rsakey 签名数据 4.5.openssl pkeyutl-pubin-inkey rsakey.pub-verify-in mydata 6.-sigfile mysig#使用 rsakey 的公钥验签 7.Signature Verified Successfully 1.openssl pkeyutl-engine tpm2tss-keyform engine-inkey 0 x81000000 2.-sign-in mydata-out mysig#使用 TPM2 中持久对象 0 x8100
122、0000 签名数据 3.4.openssl pkeyutl-pubin-inkey rsatpmkey.pub-verify-in mydata 5.-sigfile mysig#使用 TPM2 中持久对象 0 x81000000 的公钥验证签名 1.tpm2tss-genkey-a ecdsa ecckey#使用 tpm2-tss-genkey 生成 ECC 算法密钥,默认椭圆曲线为 nist_p256 2.3.openssl ec-engine tpm2tss-inform engine-in ecckey-pubout 4.-outform pem-out ecckey.pub#导出 E
123、CC 密钥公钥 5.6.cat ecckey.pub#读取公钥信息 7.-BEGIN PUBLIC KEY-8.MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwCUr6W94NwjHOQVoTdWQfxwXQ/qD 9.tuy2ZtDVL6yKkqnEJJZ0insTH+uJyeM0o3qeuKuzmlY+Qh053okXoA8t9w=10.-END PUBLIC KEY-1.tpm2_createprimary-C o-G ecc-c eccprimary.ctx 2.#创建 TPM2 ECC 算法 Primary Object 3.4.tpm2_create-C
124、eccprimary.ctx-G ecc-u ecc.pub-r ecc.pri 5.#创建 TPM2 ECC 密钥 6.7.tpm2_load-C eccprimary.ctx-u ecc.pub-r ecc.pri-c ecc.ctx 8.#将 ECC 密钥导入 TPM2 芯片 9.10.tpm2_evictcontrol-C o-c ecc.ctx#将 ECC 密钥设置为持久对象 11.persistent-handle:0 x81000001 12.action:persisted 13.14.openssl ec-engine tpm2tss-inform engine-in 0 x
125、81000001-pubout 15.-outform pem-out ecctpmkey.pub#导出 TPM2 中持久对象 0 x81000000 的公钥 16.engine tpm2tss set.17.read EC key 18.Enter password for user key:19.writing EC key 20.21.cat ecctpmkey.pub#读取公钥信息 22.-BEGIN PUBLIC KEY-23.MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE16KNIBp/Ca7A3U38AKXcRh+Ji0O 24.dSzdfR/+ogY
126、fN/NjvlW18IhKZg0rO2PdIsS2V5neCnffzKwRiVK0CP/Xvw=25.-END PUBLIC KEY-1.echo 1234567890 mydata#创建被签名信息 2.3.openssl dgst-sha256-out mydata.sha256-binary mydata 4.#创建被签名信息的摘要值 5.6.openssl pkeyutl-engine tpm2tss-keyform engine-inkey ecckey-sign-in mydata.sha256-out mysig 7.#使用 tpm2tss-genkey 生成的密钥 ecckey
127、签名数据 8.9.openssl pkeyutl-engine tpm2tss-keyform engine-inkey ecckey-verify 10.-in mydata.sha256-sigfile mysig 11.#使用 tpm2tss-genkey 生成的密钥 ecckey 验证签名数据 12.engine tpm2tss set.13.Signature Verified Successfully 1.openssl pkeyutl-engine tpm2tss-keyform engine-inkey 0 x81000001 2.-sign-in mydata.sha256-
128、out mysig#使用 TPM2 中持久对象 0 x81000001 签名数据 3.4.openssl pkeyutl-engine tpm2tss-keyform engine-inkey 0 x81000001 5.-verify-in mydata.sha256-sigfile mysig 6.engine tpm2tss set.7.Enter password for user key:8.Signature Verified Successfully 1.tpm2_createprimary-C o-G rsa2048-c rsaprimary.ctx#创建 TPM2 RSA 算
129、法Primary Object 2.3.tpm2_create-C rsaprimary.ctx-G rsa2048-u rsa.pub-r rsa.pri 4.#创建 TPM2 RSA 密钥 5.6.tpm2_load-C rsaprimary.ctx-u rsa.pub-r rsa.pri-c rsa.ctx#将 RSA 密钥导入 TPM2芯片 7.8.tpm2_evictcontrol-C o-c rsa.ctx#将 RSA 密钥设置为持久对象 9.10.persistent-handle:0 x81000000 11.action:persisted 12.13.openssl req
130、-new-x509-engine tpm2tss-keyform engine-key 0 x81000000 14.-out rsa.crt#使用 TPM2 芯片中持久对象 0 x81000000 生成自签名证书 15.engine tpm2tss set.16.Enter password for user key:17.You are about to be asked to enter information that will be incorporated 18.into your certificate request.19.What you are about to enter
131、 is what is called a Distinguished Name or a DN.20.There are quite a few fields but you can leave some blank 21.For some fields there will be a default value,22.If you enter.,the field will be left blank.23.-24.Country Name(2 letter code)XX:CN 25.State or Province Name(full name):Shandong 26.Localit
132、y Name(eg,city)Default City:Jinan 27.Organization Name(eg,company)Default Company Ltd:XX 28.Organizational Unit Name(eg,section):Anolis 29.Common Name(eg,your name or your servers hostname):TC 30.Email Address:31.32.openssl x509-in rsa.crt-text#查看证书详细信息 33.Certificate:34.Data:35.Version:3(0 x2)36.Se
133、rial Number:37.61:78:a3:3b:05:ec:e3:1a:ed:c0:a6:74:c5:ee:c6:60:22:7f:a5:53 38.Signature Algorithm:sha256WithRSAEncryption 39.Issuer:C=CN,ST=Shandong,L=Jinan,O=XX,OU=Anolis,CN=TC 40.Validity 41.Not Before:Aug 25 16:48:29 2023 GMT 42.Not After:Sep 24 16:48:29 2023 GMT 43.Subject:C=CN,ST=Shandong,L=Jin
134、an,O=XX,OU=Anolis,CN=TC 44.Subject Public Key Info:45.Public Key Algorithm:rsaEncryption 46.RSA Public-Key:(2048 bit)47.Modulus:48.00:a8:27:60:bd:00:01:03:7c:d0:b4:4b:5e:44:92:49.75:fa:84:5a:8a:80:ad:17:da:e0:6d:96:e9:4e:6f:50.f6:b9:11:84:80:75:ab:66:2a:06:ce:db:59:8d:1f:51.f9:11:54:ba:45:0a:cb:be:d
135、a:39:83:53:c8:9f:39:52.9d:91:a7:37:03:9e:6a:dd:bd:89:86:e1:96:38:ff:53.8d:c5:97:d1:1c:da:16:59:dc:98:c7:48:0b:ed:9f:54.73:3f:b3:ac:8e:89:e2:c3:83:db:53:1d:9c:d3:a7:55.f1:ea:33:97:f2:2c:98:04:a8:b1:e9:61:29:d5:78:56.26:ad:d8:31:2f:d6:c6:c3:cf:87:63:4e:9d:2b:c0:57.d1:67:b9:15:51:8a:4d:a7:46:98:fe:d9:8
136、3:10:91:58.96:0e:54:cc:e7:77:05:73:0b:e9:f2:a0:18:b7:e4:59.b9:98:96:90:58:8f:6e:e4:01:e6:7e:78:91:07:df:60.04:2c:59:21:38:7e:05:56:27:2e:bf:af:77:d0:6c:61.e6:8c:d9:97:f9:0e:58:65:b0:da:d3:6f:f3:33:e2:62.c6:40:d3:9d:0c:ba:b6:78:5a:14:54:b1:89:09:9e:63.5f:d4:86:a0:d0:09:41:fa:67:4c:48:02:96:a8:a5:64.d
137、5:f2:97:80:02:55:c1:b3:f2:b8:c2:32:82:1c:ed:65.2a:d9 66.Exponent:65537(0 x10001)67.X509v3 extensions:68.X509v3 Subject Key Identifier:69.09:34:FF:5E:CE:1F:7E:42:C3:3B:59:DA:A7:74:68:B1:65:C7:4B:28 70.X509v3 Authority Key Identifier:71.keyid:09:34:FF:5E:CE:1F:7E:42:C3:3B:59:DA:A7:74:68:B1:65:C7:4B:28
138、 72.73.X509v3 Basic Constraints:critical 74.CA:TRUE 75.Signature Algorithm:sha256WithRSAEncryption 76.4d:02:e3:18:0f:63:1a:08:66:fb:b4:4a:86:f2:68:26:ce:bd:77.52:ac:e3:f3:95:fd:4f:44:31:f2:ce:40:33:61:a1:5e:59:67:78.76:c6:a8:4e:76:db:85:86:67:e4:ee:4c:fd:73:99:6c:12:21:79.bf:7a:71:b1:b4:ff:1a:ea:5a:
139、f7:eb:3d:57:d7:d6:c7:73:db:80.dd:80:9f:95:ad:24:58:e5:dd:06:0a:47:c4:bc:22:2d:6c:54:81.99:1a:c9:6b:75:7e:a2:27:aa:cb:ab:4b:53:1b:be:33:08:7d:82.99:5d:67:4c:c7:4a:77:82:64:e1:30:3c:9d:17:be:88:a1:64:83.6a:c9:7e:ca:e5:48:f5:a2:cd:0e:8e:c9:9a:21:2c:fb:e4:56:84.ce:b1:cf:82:f4:b1:59:eb:a6:d8:0c:27:11:cb:
140、2e:bf:d0:20:85.cc:d0:75:ef:12:af:34:2d:da:0d:cd:ea:a1:3c:0b:26:0f:0a:86.40:c6:9f:be:da:33:47:db:48:97:f5:5e:3b:4e:dd:3c:f8:d3:87.63:94:be:d4:98:c3:3f:8e:e7:71:85:30:71:1c:d4:0d:11:26:88.4c:ee:69:ce:18:2b:2c:16:8a:b8:02:9b:45:e9:ee:39:96:b4:89.76:93:56:e2:7c:c6:ab:1a:b0:89:c1:47:29:27:34:35:14:be:90.
141、43:0e:92:16 91.-BEGIN CERTIFICATE-92.MIIDlzCCAn+gAwIBAgIUYXijOwXs4xrtwKZ0 xe7GYCJ/pVMwDQYJKoZIhvcNAQEL 93.BQAwWzELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5kb25nMQ4wDAYDVQQHDAVK 94.aW5hbjELMAkGA1UECgwCWFgxDzANBgNVBAsMBkFub2xpczELMAkGA1UEAwwCVEMw 95.HhcNMjMwODI1MTY0ODI5WhcNMjMwOTI0MTY0ODI5WjBbMQswCQYDVQQGEw
142、JDTjER 96.MA8GA1UECAwIU2hhbmRvbmcxDjAMBgNVBAcMBUppbmFuMQswCQYDVQQKDAJYWDEP 97.MA0GA1UECwwGQW5vbGlzMQswCQYDVQQDDAJUQzCCASIwDQYJKoZIhvcNAQEBBQAD 98.ggEPADCCAQoCggEBAKgnYL0AAQN80LRLXkSSdfqEWoqArRfa4G2W6U5v9rkRhIB1 99.q2YqBs7bWY0f+RFUukUKy77aOYNTyJ85nZGnNwOeat29iYbhljj/jcWX0RzaFlnc 100.mMdIC+2fcz+zrI6J4
143、sOD21MdnNOn8eozl/IsmASoselhKdV4Jq3YMS/WxsPPh2NO 101.nSvA0We5FVGKTadGmP7ZgxCRlg5UzOd3BXML6fKgGLfkuZiWkFiPbuQB5n54kQff 102.BCxZITh+BVYnLr+vd9Bs5ozZl/kOWGWw2tNv8zPixkDTnQy6tnhaFFSxiQmeX9SG 103.oNAJQfpnTEgClqil1fKXgAJVwbPyuMIyghztKtkCAwEAAaNTMFEwHQYDVR0OBBYE 104.FAk0/17OH35CwztZ2qd0aLFlx0soMB8GA1UdIwQYM
144、BaAFAk0/17OH35CwztZ2qd0 105.aLFlx0soMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE0C4xgP 106.YxoIZvu0SobyaCbOvVKs4/OV/U9EMfLOQDNhoV5ZZ3bGqE5224WGZ+TuTP1zmWwS 107.Ib96cbG0/xrqWvfrPVfX1sdz292An5WtJFjl3QYKR8S8Ii1sVJkayWt1fqInqsur 108.S1MbvjMIfZldZ0zHSneCZOEwPJ0XvoihZGrJfsrlSPWizQ6OyZohLPvkVs6xz4L0
145、109.sVnrptgMJxHLLr/QIMzQde8SrzQt2g3N6qE8CyYPCkDGn77aM0fbSJf1XjtO3Tz4 110.02OUvtSYwz+O53GFMHEc1A0RJkzuac4YKywWirgCm0Xp7jmWtHaTVuJ8xqsasInB 111.RyknNDUUvkMOkhY=112.-END CERTIFICATE-1.openssl s_server-cert rsa.crt-key 0 x81000000-keyform engine 2.-engine tpm2tss-accept 8443#使用 TPM2 自签名证书创建 SSL 服务程序 4.1
146、.$git clone https:/ 2.$cd hygon-devkit/tpm/pkg/tpm-1.0.0-20230331/3.$./install.sh 1.$git clone https:/ 2.$cd hygon-devkit/tdm/pkg/tdm-1.0.0-20230316/3.$make LOCAL_KERDIR=/lib/modules/uname-r/build 1.$sudo mkdir/boot/efi/bak 2.$sudo cp-fr/boot/efi/EFI/boot/efi/bak/3.$sudo cp-fr/boot/efi/boot/boot/efi
147、/bak/4.$sudo grub2-install-efi-directory=/boot/efi-bootloader-id=anolis-boot-directory=/boot/efi/boot 5.-target=x86_64-efi-modules=tpm 6.$sudo grub2-mkconfig-o/boot/efi/boot/grub/grub.cfg 1.$wget https:/ftp.gnu.org/gnu/grub/grub-2.04.tar.gz 2.$tar-zxvf grub-2.04.tar.gz 3.$cd grub-2.04/4.$./bootstrap
148、 5.$./configure-host=x86_64-linux-target=x86_64-with-platform=efi 6.$make 7.$sudo make install 8.$sudo cp/etc/default/grub/usr/local/etc/default/9.$sudo mkdir/boot/efi/bak 10.$sudo cp-fr/boot/efi/EFI/boot/efi/bak/11.$sudo cp-fr/boot/efi/boot/boot/efi/bak/12.$sudo/usr/local/sbin/grub-install-efi-dire
149、ctory=/boot/efi-bootloader-id=anolis 13.-boot-directory=/boot/efi/boot-target=x86_64-efi-modules=tpm 14.$sudo/usr/local/sbin/grub-mkconfig-o/boot/efi/boot/grub/grub.cfg 1.$sudo useradd-system-user-group tss 2.$sudo udevadm control-reload-rules&udevadm trigger 3.$sudo pkill-HUP dbus-daemon 4.$sudo sy
150、stemctl daemon-reload 5.$sudo ldconfig 6.$sudo systemctl enable tpm2-abrmd 7.$sudo chown tss:tss/dev/tpm0 8.$sudo service tpm2-abrmd start 9.$systemctl status tpm2-abrmd.service 1.hygonlocalhost$tpm2_pcrread sm3_256:0,1,2,3,4,5,6,7,8,9,10,11 2.sm3_256:3.0:0 x5D25A693796A9D6060834A9FB0AF416E9C9FB4D47
151、A22326BBC45686300B471A3 4.1:0 xFAC21DA05E1F8467972D6ABAF2CBED26FBB81B20A26A2751D32798EE574A7B1F 5.2:0 x0D72B0164E4FA67D6B43D3CB8EAD734737E479767E0D545EFF22C6FE6275B357 6.3:0 x0D72B0164E4FA67D6B43D3CB8EAD734737E479767E0D545EFF22C6FE6275B357 7.4:0 xA2381A4E30198BED49FB10A3D86274930B10D0EE788ED1121D1B8
152、3CF814362C9 8.5:0 xC71BED60766F8B89F6296C076F88E702B0E0474ACB8019AC8B8DB52E66E739ED 9.6:0 x0D72B0164E4FA67D6B43D3CB8EAD734737E479767E0D545EFF22C6FE6275B357 10.7:0 x2304AF3530A51BC03051BA7D3A2BB7B462120DF1B1D13BB55FA0B565831C19F4 11.8:0 xDEA0758622845043428A74802AABB23B53941CD216BA934FBFB5AF4D69FD790
153、5 12.9:0 x2AEF34ABB0803C293AD390C2D9AB8B6D5FA9086E6A1ED4CD706FD 13.10:0 x0000000000000000000000000000000000000000000000000000000000000000 14.11:0 x0000000000000000000000000000000000000000000000000000000000000000 1.hygonlocalhost tests_gm$./test.sh 2.test_tpm2_activatecredential.sh.PASSED
154、3.test_tpm2_attest.sh.PASSED 4.test_tpm2_changeauth.sh.PASSED 5.test_tpm2_clock.sh.PASSED 6.test_tpm2_encryptdecrypt.sh.PASSED 7.test_tpm2_hash.sh.PASSED 8.test_tpm2_nv.sh.PASSED 9.test_tpm2_pcr.sh.PASSED 10.test_tpm2_policy.sh.PASSED 11.test_tpm2_random.sh.PASSED 12.test_tpm2_selftest.sh.PASSED 13.
155、test_tpm2_sign.sh.PASSED 14.Tests passed:12 15.Tests Failed:0 1.tdm:Thread started for measurement exception handler dispatching.2.tdm:TDM driver loaded successfully!1.rootlocalhost hygon#hag tdm show_tdm_device 2.#TDM_SHOW_DEVICE#3.api_major :1 4.api_minor :4 5.buildId :1882 6.task_max :100 7.range
156、_max_per_task:128 8.show tdm device successful.9.show_tdm_device command success!10.11.tdm Command successful!1.$sudo insmod tdm-verify.ko test_scene=0 1.$sudo rmmod tdm-verify.ko 1.$dmesg 1.-Victim module:has 3 blocks of data measured by PSP-test_scene:0 2.23048.936285 Call psp_create_measure_task
157、to request measuring service.3.23048.936286 tdm:TDM:Cant get max_pfn,skip physical address check 4.23048.936964 Call psp_register_measure_exception_handler to register measuring exception function for task:0 5.23048.937059 Call psp_startstop_measure_task to start measuring for task:0 6.23048.980357
158、Call psp_create_measure_task to request measuring service.7.23048.980358 tdm:TDM:Cant get max_pfn,skip physical address check 8.23048.983682 Call psp_register_measure_exception_handler to register measuring exception function for task:1 9.23048.986755 Call psp_startstop_measure_task to start measuri
159、ng for task:1 10.23049.035503 Call psp_create_measure_task to request measuring service.11.23049.035505 tdm:TDM:Cant get max_pfn,skip physical address check 12.23049.039294 Call psp_register_measure_exception_handler to register measuring exception function for task:2 13.23049.042308 Call psp_starts
160、top_measure_task to start measuring for task:2 14.23059.357713 Call psp_startstop_measure_task to stop measuring for task:0 15.23059.402299 Call psp_destroy_measure_task to destroy measuring service for task:0 16.23059.406240 Call psp_startstop_measure_task to stop measuring for task:1 17.23059.4512
161、98 Call psp_destroy_measure_task to destroy measuring service for task:1 18.23059.457734 Call psp_startstop_measure_task to stop measuring for task:2 19.23059.502293 Call psp_destroy_measure_task to destroy measuring service for task:2 20.23059.502470 21.-end-1.$sudo insmod tdm-verify.ko test_scene=
162、1 1.$sudo rmmod tdm-verify.ko 1.$dmesg 1.-Victim module:has 3 blocks of data measured by PSP-test_scene:1 2.23074.069910 Call psp_create_measure_task to request measuring service.3.23074.069911 tdm:TDM:Cant get max_pfn,skip physical address check 4.23074.070566 Call psp_register_measure_exception_ha
163、ndler to register measuring exception function for task:3 5.23074.070661 Call psp_startstop_measure_task to start measuring for task:3 6.23074.112871 Call psp_create_measure_task to request measuring service.7.23074.112872 tdm:TDM:Cant get max_pfn,skip physical address check 8.23074.116483 Call psp_
164、register_measure_exception_handler to register measuring exception function for task:4 9.23074.119492 Call psp_startstop_measure_task to start measuring for task:4 10.23074.166990 Call psp_create_measure_task to request measuring service.11.23074.166992 tdm:TDM:Cant get max_pfn,skip physical address
165、 check 12.23074.170536 Call psp_register_measure_exception_handler to register measuring exception function for task:5 13.23074.173597 Call psp_startstop_measure_task to start measuring for task:5 14.23074.331699 Call psp_startstop_measure_task to stop measuring for task:3 15.23074.375645 Call psp_u
166、pdate_measure_task to update measuring for task:3 16.23074.377384 Call psp_startstop_measure_task to start measuring for task:3 17.23074.394873 tdm:-Measurement exception handler dispatching thread-18.23074.394874 tdm:Measurement exception received for task 3 19.23074.394875 tdm:Step1:Query PSP for
167、task 3 status to confirm the error.20.23074.394876 tdm:Step2:Error confirmed,CALL measurement exception handler.21.23074.394926 Call psp_startstop_measure_task to stop measuring for task:4 22.23074.401037 tdm:Error detected for task 3,action TODO!23.23074.401039 tdm:-Measurement exception handler-24
168、.23074.401040 ALARM!25.23074.401040 Task:3,corruption detected!26.23074.401041 Please check if its intended,or your machine may be on danger!27.23074.401041 tdm:Exit measurement exception handler.28.23074.439650 Call psp_update_measure_task to update measuring for task:4 29.23074.440293 Call psp_sta
169、rtstop_measure_task to start measuring for task:4 30.23074.454929 tdm:-Measurement exception handler dispatching thread-31.23074.454931 tdm:Measurement exception received for task 4 32.23074.454931 tdm:Step1:Query PSP for task 4 status to confirm the error.33.23074.454932 tdm:Step2:Error confirmed,C
170、ALL measurement exception handler.34.23074.454953 Call psp_startstop_measure_task to stop measuring for task:5 35.23074.458098 tdm:Error detected for task 4,action TODO!36.23074.458100 tdm:-Measurement exception handler-37.23074.458100 ALARM!38.23074.458101 Task:4,corruption detected!39.23074.458101
171、 Please check if its intended,or your machine may be on danger!40.23074.458102 tdm:Exit measurement exception handler.41.23074.502635 Call psp_update_measure_task to update measuring for task:5 42.23074.502728 Call psp_startstop_measure_task to start measuring for task:5 43.23074.517418 tdm:-Measure
172、ment exception handler dispatching thread-44.23074.517420 tdm:Measurement exception received for task 5 45.23074.517420 tdm:Step1:Query PSP for task 5 status to confirm the error.46.23074.517421 tdm:Step2:Error confirmed,CALL measurement exception handler.47.23074.517477 tdm:Error detected for task
173、5,action TODO!48.23074.517478 tdm:-Measurement exception handler-49.23074.517478 ALARM!50.23074.517479 Task:5,corruption detected!51.23074.517479 Please check if its intended,or your machine may be on danger!52.23074.517479 tdm:Exit measurement exception handler.53.23076.730176 Call psp_destroy_meas
174、ure_task to destroy measuring service for task:3 54.23076.730346 Call psp_destroy_measure_task to destroy measuring service for task:4 55.23076.730486 Call psp_destroy_measure_task to destroy measuring service for task:5 56.23076.730651 57.-end-1.$sudo insmod tdm-verify.ko test_scene=2 1.$sudo rmmod
175、 tdm-verify.ko 1.$dmesg 1.-Victim module:has 3 blocks of data measured by PSP-test_scene:2 2.23090.387377 Call psp_create_measure_task to request measuring service.3.23090.387378 tdm:TDM:Cant get max_pfn,skip physical address check 4.23090.388051 Call psp_register_measure_exception_handler to regist
176、er measuring exception function for task:6 5.23090.388126 Call psp_startstop_measure_task to start measuring for task:6 6.23090.434179 Call psp_create_measure_task to request measuring service.7.23090.434181 tdm:TDM:Cant get max_pfn,skip physical address check 8.23090.437755 Call psp_register_measur
177、e_exception_handler to register measuring exception function for task:7 9.23090.440727 Call psp_startstop_measure_task to start measuring for task:7 10.23090.488312 Call psp_create_measure_task to request measuring service.11.23090.488314 tdm:TDM:Cant get max_pfn,skip physical address check 12.23090
178、.491870 Call psp_register_measure_exception_handler to register measuring exception function for task:8 13.23090.494848 Call psp_startstop_measure_task to start measuring for task:8 14.23090.541148 Call psp_startstop_measure_task in scene2 to stop measuring for task:6 15.23090.551624 tdm:psp_startst
179、op_measure_task exception error:0 x2 16.23091.574741 tdm:psp_startstop_measure_task exception error:0 x2 17.23091.577725 tdm:psp_startstop_measure_task exception error:0 x5 18.23091.580672 tdm:psp_startstop_measure_task exception error:0 x5 19.23093.614989 Call psp_startstop_measure_task in scene2 t
180、o stop measuring for task:7 20.23093.626034 tdm:psp_startstop_measure_task exception error:0 x2 21.23094.646682 tdm:psp_startstop_measure_task exception error:0 x2 22.23094.649850 tdm:psp_startstop_measure_task exception error:0 x5 23.23094.649913 tdm:psp_startstop_measure_task exception error:0 x5
181、24.23096.688192 Call psp_startstop_measure_task in scene2 to stop measuring for task:8 25.23096.695727 tdm:psp_startstop_measure_task exception error:0 x2 26.23097.720379 tdm:psp_startstop_measure_task exception error:0 x2 27.23097.720457 tdm:psp_startstop_measure_task exception error:0 x5 28.23097.
182、723599 tdm:psp_startstop_measure_task exception error:0 x5 29.23103.104351 Call psp_destroy_measure_task to destroy measuring service for task:6 30.23103.104526 Call psp_destroy_measure_task to destroy measuring service for task:7 31.23103.104664 Call psp_destroy_measure_task to destroy measuring se
183、rvice for task:8 32.23103.104823 33.-end-4.6.TDM 度量任务通过虚拟地址创建运行销毁流程(1.3 固件版本后支持)1.$sudo insmod tdm-verify.ko test_scene=3 1.$sudo rmmod tdm-verify.ko 1.$dmesg 1.-Victim module:has 3 blocks of data measured by PSP-test_scene:3 2.23115.105615 Call psp_create_measure_task to request measuring service.3
184、.23115.106269 Call psp_register_measure_exception_handler to register measuring exception function for task:9 4.23115.106351 Call psp_startstop_measure_task to start measuring for task:9 5.23115.151078 Call psp_create_measure_task to request measuring service.6.23115.154563 Call psp_register_measure
185、_exception_handler to register measuring exception function for task:10 7.23115.157550 Call psp_startstop_measure_task to start measuring for task:10 8.23115.204366 Call psp_create_measure_task to request measuring service.9.23115.207533 Call psp_register_measure_exception_handler to register measur
186、ing exception function for task:11 10.23115.210041 Call psp_startstop_measure_task to start measuring for task:11 11.23117.109442 Call psp_startstop_measure_task to stop measuring for task:9 12.23117.153770 Call psp_destroy_measure_task to destroy measuring service for task:9 13.23117.157152 Call ps
187、p_startstop_measure_task to stop measuring for task:10 14.23117.200769 Call psp_destroy_measure_task to destroy measuring service for task:10 15.23117.204428 Call psp_startstop_measure_task to stop measuring for task:11 16.23117.247762 Call psp_destroy_measure_task to destroy measuring service for t
188、ask:11 17.23117.247932 18.-end-1.$cd/lib/modules/uname-r/kernel/drivers/crypto/ccp/1.$sudo insmod tdm-verify.ko test_scene=4 验证流程如下:(1)假设 hag 工具已安装到/usr/bin/目录(具体路径请以安装为准)。(2)检查 hag 支持的 TDM 命令。1.rootlocalhost hygon#hag tdm-help 2.3.get_ak_cert get_tdm_report get_vPCR_audit show_tdm_device 4.parse_ak
189、_cert verify_ak_cert parse_tdm_report verify_tdm_report 5.parse_vPCR_audit replay_vPCR_audit 6.7.tdm Command successful!(3)可以看到 TDM 支持 get_ak_cert、parse_ak_cert、veriry_ak_cert 三个与证书相关的命令,获取名字为 cert 的 AK 证书。结果如下所示,可以看到成功获取 ak.cert 的证书。1.rootlocalhost hygon#hag tdm get_ak_cert-out ak.cert 2.get tdm ak
190、 cert successful.3.get_ak_cert command success!4.5.tdm Command successful!6.rootlocalhost hygon#ls-l 7.总用量 4 8.-rw-r-r-1 root root 448 9 月 1 11:32 ak.cert (4)解析证书,主要将证书中的版本、chip_id、curve_id、公钥信息、证书签名等信息进行解析显示,方便用户了解证书中的内容。1.rootlocalhost hygon#hag tdm parse_ak_cert-in ak.cert 2.#TDM_CERT START#3.ver
191、sion:10000 4.5.chip_id_len:13 6.chip_id:7.0 x4e 0 x5a 0 x47 0 x46 0 x47 0 x30 0 x36 0 x31 0 x30 0 x31 0 x38 0 x30 0 x35 8.chip_id:NZGFG06101805 9.10.curve_id:3 11.qx:12.0 xb2 0 xcd 0 x0c 0 x07 0 x44 0 x61 0 x9d 0 x97 0 x00 0 xd0 0 xb9 0 x72 0 x65 0 xe3 0 x1a 0 xba 13.0 x21 0 x2d 0 x66 0 x40 0 x51 0
192、xe7 0 xf6 0 xac 0 x2f 0 x7d 0 xcb 0 x0c 0 x17 0 xd0 0 x8b 0 xb5 14.15.qy:16.0 x4a 0 x4b 0 xca 0 x88 0 xcb 0 x1d 0 xb1 0 x29 0 x2f 0 x4d 0 x50 0 xf6 0 x5c 0 xff 0 xa8 0 xdd 17.0 x1f 0 xcb 0 x4c 0 x09 0 x22 0 xf7 0 xe9 0 x5b 0 x9f 0 xe9 0 xd0 0 x8a 0 x5d 0 x0f 0 x45 0 xcd 18.19.user_id_len:15 20.user_
193、id:21.0 x48 0 x59 0 x47 0 x4f 0 x4e 0 x2d 0 x53 0 x53 0 x44 0 x2d 0 x54 0 x44 0 x4d 0 x41 0 x4b 22.23.sig1_key_usage_id:0 x1004 24.sig1_r:25.0 x98 0 x3d 0 xeb 0 x96 0 x2e 0 x6f 0 xb8 0 xcf 0 xec 0 x5a 0 x0c 0 x5a 0 xaf 0 xf1 0 xb8 0 x2d 26.0 xdc 0 xaa 0 x55 0 x77 0 x01 0 xd0 0 x74 0 x1a 0 x66 0 x9e
194、0 x60 0 x3d 0 xa6 0 xf0 0 xec 0 x16 27.28.sig1_s:29.0 xd5 0 x09 0 x57 0 x7f 0 x54 0 x30 0 x0e 0 x8c 0 x7c 0 xf3 0 x34 0 x06 0 xc4 0 xa5 0 xd1 0 x46 30.0 xaf 0 x67 0 xbc 0 x8d 0 xb7 0 x19 0 xfd 0 xb5 0 xf1 0 xdc 0 x54 0 x0a 0 x41 0 xde 0 x16 0 x51 31.32.sig2_key_usage_id:0 x1000 33.sig2_r:34.0 x00 0
195、x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 35.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 36.37.sig2_s:38.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 3
196、9.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 40.41.ak cert origin data:42.0 x00 0 x00 0 x01 0 x00 0 x00 0 x00 0 x0d 0 x00 0 x4e 0 x5a 0 x47 0 x46 0 x47 0 x30 0 x36 0 x31 43.0 x30 0 x31 0 x38 0 x30 0 x35 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0
197、x00 0 x00 0 x00 0 x00 44.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 45.0 x01 0 x20 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x03 0 x00 0 x00 0 x00 46.0 xb2 0 xcd 0 x0c 0 x07 0 x44 0 x61 0 x9d 0 x97 0 x00 0 xd0 0 xb9 0 x72 0 x65
198、 0 xe3 0 x1a 0 xba 47.0 x21 0 x2d 0 x66 0 x40 0 x51 0 xe7 0 xf6 0 xac 0 x2f 0 x7d 0 xcb 0 x0c 0 x17 0 xd0 0 x8b 0 xb5 48.0 x4a 0 x4b 0 xca 0 x88 0 xcb 0 x1d 0 xb1 0 x29 0 x2f 0 x4d 0 x50 0 xf6 0 x5c 0 xff 0 xa8 0 xdd 49.0 x1f 0 xcb 0 x4c 0 x09 0 x22 0 xf7 0 xe9 0 x5b 0 x9f 0 xe9 0 xd0 0 x8a 0 x5d 0
199、x0f 0 x45 0 xcd 50.0 x0f 0 x00 0 x48 0 x59 0 x47 0 x4f 0 x4e 0 x2d 0 x53 0 x53 0 x44 0 x2d 0 x54 0 x44 0 x4d 0 x41 51.0 x4b 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 52.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00
200、 0 x00 0 x00 53.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 54.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 55.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0
201、x00 0 x00 56.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 57.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 58.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00
202、 0 x00 59.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x04 0 x10 0 x00 0 x00 60.0 x98 0 x3d 0 xeb 0 x96 0 x2e 0 x6f 0 xb8 0 xcf 0 xec 0 x5a 0 x0c 0 x5a 0 xaf 0 xf1 0 xb8 0 x2d 61.0 xdc 0 xaa 0 x55 0 x77 0 x01 0 xd0 0 x74 0 x1a 0 x66 0 x9e 0 x60 0 x3d 0 xa6 0 xf0 0 xec 0
203、x16 62.0 xd5 0 x09 0 x57 0 x7f 0 x54 0 x30 0 x0e 0 x8c 0 x7c 0 xf3 0 x34 0 x06 0 xc4 0 xa5 0 xd1 0 x46 63.0 xaf 0 x67 0 xbc 0 x8d 0 xb7 0 x19 0 xfd 0 xb5 0 xf1 0 xdc 0 x54 0 x0a 0 x41 0 xde 0 x16 0 x51 64.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00
204、 65.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x10 0 x00 0 x00 66.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 67.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 68
205、.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 69.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 70.71.#TDM_CERT END#72.parse tdm ak cert successful.73.parse_ak_cert command success!74.75.tdm Command s
206、uccessful!(5)验证证书链 1.rootlocalhost hygon#hag tdm verify_ak_cert-in ak.cert 2.-2023-09-01 11:34:24-https:/ 3.正在解析主机 ().172.23.18.50 4.正在连接 ()|172.23.18.50|:443.已连接。5.已发出 HTTP 请求,正在等待回应.200 OK 6.长度:2916(2.8K)binary 7.正在保存至:“hsk_cek.cert”8.9.hsk_cek.cert 100%=10.=2.85K -.-KB/s 用时 0s 11.12.2023-09-01 11
207、:34:24(104 MB/s)-已保存“hsk_cek.cert”2916/2916)13.14.-2023-09-01 11:34:24-https:/ 15.正在解析主机 ().172.23.18.50 16.正在连接 ()|172.23.18.50|:443.已连接。17.已发出 HTTP 请求,正在等待回应.200 OK 18.长度:832 binary 19.正在保存至:“hrk.cert”20.21.hrk.cert 100%=22.=832 -.-KB/s 用时 0s 23.24.2023-09-01 11:34:24(51.0 MB/s)-已保存“hrk.cert”832/8
208、32)25.26.hrk pubkey verify hrk cert successful 27.hrk pubkey verify hsk cert successful 28.hsk pubkey verify cek cert successful 29.30.rootlocalhost hygon#ls-l 31.总用量 20 32.-rw-r-r-1 root root 448 9 月 1 11:32 ak.cert 33.-rw-r-r-1 root root 2084 9 月 1 11:34 cek.cert 34.-rw-r-r-1 root root 832 9 月 1 1
209、1:34 hrk.cert 35.-rw-r-r-1 root root 2916 9 月 1 11:34 hsk_cek.cert 36.-rw-r-r-1 root root 832 9 月 1 11:34 hsk.cert (6)可以看到成功验证了 TDM 的证书链,该验证方式主要通过从 AK 证书中获取的 chip_id,到证书服务器下载其对应的 CEK 证书、HSK 证书、HRK证书,通过从根证书一级一级验证到 AK 证书。1.$sudo insmod tdm-verify.ko test_scene=1 (4)获取并查看用户提供的随机数文件:1.$dd if=/dev/random
210、 of=user_data.bin bs=32 count=1 2.$hexdump user_data.bin 1.rootlocalhost hygon#hag tdm get_tdm_report-report_file report.bin-report_type 1 2.-user_data_file user_data.bin 3.#Report type :1#4.#Report task id:0 xffffffff#5.get tdm report successful.6.get_tdm_report command success!7.8.tdm Command succ
211、essful!9.rootlocalhost hygon#ls-l 10.总用量 28 11.-rw-r-r-1 root root 448 9 月 1 11:32 ak.cert 12.-rw-r-r-1 root root 2084 9 月 1 11:34 cek.cert 13.-rw-r-r-1 root root 832 9 月 1 11:34 hrk.cert 14.-rw-r-r-1 root root 2916 9 月 1 11:34 hsk_cek.cert 15.-rw-r-r-1 root root 832 9 月 1 11:34 hsk.cert 16.-rw-r-r-
212、1 root root 448 9 月 1 11:45 report.bin 17.-rw-r-r-1 root root 32 9 月 1 11:45 user_data.bin 结果如下:1.rootlocalhost hygon#hag tdm parse_tdm_report-report_file report.bin 2.#TDM_REPORT START#3.#version:0 x10000 4.#fw_version:1882 5.#report_type:1 6.#task_nums:3 7.#task_bitmap:8.0 xe0 0 x00 0 x00 0 x00 0
213、x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 9.10.#task_error_bitmap:11.0 xe0 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 12.13.#task_running_bitmap:14.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00
214、 0 x00 0 x00 0 x00 15.16.#user_supplied_data_len:32 17.#user_supplied_data:18.0 x63 0 xd6 0 xae 0 x11 0 xd9 0 x20 0 xff 0 x64 0 xac 0 x7a 0 xd9 0 x30 0 xe4 0 x9d 0 x0a 0 xeb 19.0 xad 0 x84 0 x0c 0 x39 0 x3a 0 x8d 0 x05 0 x3c 0 x0e 0 x8d 0 x08 0 x76 0 x30 0 x5f 0 x45 0 xd3 20.21.#aggregate_hash:22.0
215、x0f 0 x68 0 xc1 0 x01 0 x3e 0 xd9 0 x4b 0 x33 0 x7c 0 x77 0 xf8 0 x1f 0 xde 0 x9f 0 x49 0 xa3 23.0 xff 0 x76 0 xad 0 x40 0 x4b 0 xeb 0 xe4 0 x37 0 xe4 0 x80 0 x35 0 x5c 0 x03 0 x6e 0 x34 0 x60 24.25.*26.#task_id:15 27.#perios_ms:0 28.#measured_count:30 29.#last_measure_elapsed_ms:32071 30.#measured_
216、hash:31.0 x69 0 x20 0 xde 0 x37 0 x20 0 xc7 0 x9e 0 x44 0 xba 0 x82 0 x7b 0 xcb 0 x4a 0 x72 0 xc7 0 xbd 32.0 xac 0 xe6 0 xd4 0 xf2 0 xe2 0 xf5 0 xd3 0 x06 0 x84 0 x46 0 x51 0 x12 0 x1f 0 x8c 0 xd7 0 xde 33.34.*35.#task_id:16 36.#perios_ms:0 37.#measured_count:24 38.#last_measure_elapsed_ms:32000 39.
217、#measured_hash:40.0 x7d 0 x49 0 x86 0 x8a 0 x49 0 xc5 0 xdd 0 xd3 0 xa3 0 x3b 0 x6b 0 x42 0 x16 0 x75 0 xc6 0 x87 41.0 x78 0 xf9 0 x16 0 x36 0 x33 0 x91 0 xc0 0 x6e 0 x47 0 xbd 0 x5f 0 x55 0 x21 0 xba 0 xcb 0 xe9 42.43.*44.#task_id:17 45.#perios_ms:0 46.#measured_count:29 47.#last_measure_elapsed_ms
218、:31946 48.#measured_hash:49.0 xe8 0 x45 0 xd4 0 x8e 0 xc1 0 x3f 0 x0c 0 xc8 0 xf5 0 x22 0 x8b 0 xf5 0 xe2 0 x25 0 x5e 0 x8e 50.0 xd7 0 x9e 0 xdd 0 x04 0 x72 0 xcb 0 xa4 0 x0d 0 x2b 0 xa4 0 xc4 0 x4c 0 x7d 0 xe2 0 xb5 0 x3e 51.52.*53.54.#sig_key_usage_id:0 x2001 55.#sig_r:56.0 x3b 0 x4a 0 xd3 0 xac 0
219、 xae 0 xb0 0 x8e 0 x55 0 xa9 0 xb4 0 xf3 0 x5e 0 x66 0 x86 0 xf4 0 x23 57.0 xd2 0 x5d 0 x60 0 x1a 0 xee 0 x02 0 x88 0 xea 0 xc4 0 x29 0 xf0 0 x17 0 xcf 0 x82 0 x5c 0 x01 58.59.#sig_s:60.0 xc4 0 x96 0 x5f 0 xfb 0 xe9 0 xfc 0 x76 0 xd7 0 x6d 0 xea 0 xf5 0 x65 0 x83 0 x7c 0 x8f 0 x0c 61.0 xa5 0 xb1 0 x
220、1b 0 x7e 0 xae 0 xde 0 x9f 0 x58 0 xde 0 xfd 0 xb6 0 xb0 0 xd6 0 x6f 0 x13 0 xc6 62.63.report origin data:64.0 x00 0 x00 0 x01 0 x00 0 x5a 0 x07 0 x00 0 x00 0 x01 0 x00 0 x00 0 x00 0 x00 0 x00 0 x03 0 x00 65.0 xe0 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0
221、x00 66.0 xe0 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 67.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 68.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00
222、 69.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x20 0 x00 70.0 x63 0 xd6 0 xae 0 x11 0 xd9 0 x20 0 xff 0 x64 0 xac 0 x7a 0 xd9 0 x30 0 xe4 0 x9d 0 x0a 0 xeb 71.0 xad 0 x84 0 x0c 0 x39 0 x3a 0 x8d 0 x05 0 x3c 0 x0e 0 x8d 0 x08 0 x76 0 x30 0 x5f 0 x45 0 xd3 72
223、.0 x0f 0 x68 0 xc1 0 x01 0 x3e 0 xd9 0 x4b 0 x33 0 x7c 0 x77 0 xf8 0 x1f 0 xde 0 x9f 0 x49 0 xa3 73.0 xff 0 x76 0 xad 0 x40 0 x4b 0 xeb 0 xe4 0 x37 0 xe4 0 x80 0 x35 0 x5c 0 x03 0 x6e 0 x34 0 x60 74.0 x0f 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x1e 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 75.0
224、x47 0 x7d 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 76.0 x69 0 x20 0 xde 0 x37 0 x20 0 xc7 0 x9e 0 x44 0 xba 0 x82 0 x7b 0 xcb 0 x4a 0 x72 0 xc7 0 xbd 77.0 xac 0 xe6 0 xd4 0 xf2 0 xe2 0 xf5 0 xd3 0 x06 0 x84 0 x46 0 x51 0 x12 0 x1f 0 x8c 0 xd7 0 xde 78.0 x10
225、 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x18 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 79.0 x00 0 x7d 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 80.0 x7d 0 x49 0 x86 0 x8a 0 x49 0 xc5 0 xdd 0 xd3 0 xa3 0 x3b 0 x6b 0 x42 0 x16 0 x75 0 xc6 0 x87 81.0 x78 0
226、xf9 0 x16 0 x36 0 x33 0 x91 0 xc0 0 x6e 0 x47 0 xbd 0 x5f 0 x55 0 x21 0 xba 0 xcb 0 xe9 82.0 x11 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x1d 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 83.0 xca 0 x7c 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 84.0 xe8 0 x45
227、 0 xd4 0 x8e 0 xc1 0 x3f 0 x0c 0 xc8 0 xf5 0 x22 0 x8b 0 xf5 0 xe2 0 x25 0 x5e 0 x8e 85.0 xd7 0 x9e 0 xdd 0 x04 0 x72 0 xcb 0 xa4 0 x0d 0 x2b 0 xa4 0 xc4 0 x4c 0 x7d 0 xe2 0 xb5 0 x3e 86.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 87.0 x00 0 x00 0
228、x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x01 0 x20 0 x00 0 x00 88.0 x3b 0 x4a 0 xd3 0 xac 0 xae 0 xb0 0 x8e 0 x55 0 xa9 0 xb4 0 xf3 0 x5e 0 x66 0 x86 0 xf4 0 x23 89.0 xd2 0 x5d 0 x60 0 x1a 0 xee 0 x02 0 x88 0 xea 0 xc4 0 x29 0 xf0 0 x17 0 xcf 0 x82 0 x5c 0 x01 90.0 xc4 0 x96 0 x5f
229、 0 xfb 0 xe9 0 xfc 0 x76 0 xd7 0 x6d 0 xea 0 xf5 0 x65 0 x83 0 x7c 0 x8f 0 x0c 91.0 xa5 0 xb1 0 x1b 0 x7e 0 xae 0 xde 0 x9f 0 x58 0 xde 0 xfd 0 xb6 0 xb0 0 xd6 0 x6f 0 x13 0 xc6 92.93.#TDM_REPORT END#94.parse tdm report successful.95.parse_tdm_report command success!96.97.tdm Command successful!结果如下
230、:1.rootlocalhost hygon#hag tdm verify_tdm_report-ak_cert ak.cert-report_file report.bin 2.verify tdm report successful.3.verify_tdm_report command success!4.5.tdm Command successful!(10)$sudo rmmod tdm-verify.ko 基本验证流程如下:1.hygonlocalhost hygon$tpm2_pcrread sm3_256 2.sm3_256:3.0:0 x5D25A693796A9D6060
231、834A9FB0AF416E9C9FB4D47A22326BBC45686300B471A3 4.1:0 xFAC21DA05E1F8467972D6ABAF2CBED26FBB81B20A26A2751D32798EE574A7B1F 5.2:0 x0D72B0164E4FA67D6B43D3CB8EAD734737E479767E0D545EFF22C6FE6275B357 6.3:0 x0D72B0164E4FA67D6B43D3CB8EAD734737E479767E0D545EFF22C6FE6275B357 7.4:0 xA2381A4E30198BED49FB10A3D86274
232、930B10D0EE788ED1121D1B83CF814362C9 8.5:0 xC71BED60766F8B89F6296C076F88E702B0E0474ACB8019AC8B8DB52E66E739ED 9.6:0 x0D72B0164E4FA67D6B43D3CB8EAD734737E479767E0D545EFF22C6FE6275B357 10.7:0 x2304AF3530A51BC03051BA7D3A2BB7B462120DF1B1D13BB55FA0B565831C19F4 11.8:0 xDEA0758622845043428A74802AABB23B53941CD2
233、16BA934FBFB5AF4D69FD7905 12.9:0 x2AEF34ABB0803C293AD390C2D9AB8B6D5FA9086E6A1ED4CD706FD 13.10:0 x0000000000000000000000000000000000000000000000000000000000000000 14.11:0 x0000000000000000000000000000000000000000000000000000000000000000 15.12:0 x000000000000000000000000000000000000000000000
234、0000000000000000000 16.13:0 x0000000000000000000000000000000000000000000000000000000000000000 17.14:0 x0000000000000000000000000000000000000000000000000000000000000000 18.15:0 x0000000000000000000000000000000000000000000000000000000000000000 19.16:0 x8E4D2AD793AEDBA2DBFE2AE09F0A49727988DFE8F460923A7
235、5B524A7FE9CFD80 20.17:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 21.18:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22.19:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 23.20:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
236、FFFFFFFFFFF 24.21:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 25.22:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 26.23:0 x0000000000000000000000000000000000000000000000000000000000000000 1.$sudo insmod tdm-verify.ko test_scene=1 1.hygonlocalhost hygon$t
237、pm2_pcrread sm3_256 2.sm3_256:3.0:0 x5D25A693796A9D6060834A9FB0AF416E9C9FB4D47A22326BBC45686300B471A3 4.1:0 xFAC21DA05E1F8467972D6ABAF2CBED26FBB81B20A26A2751D32798EE574A7B1F 5.2:0 x0D72B0164E4FA67D6B43D3CB8EAD734737E479767E0D545EFF22C6FE6275B357 6.3:0 x0D72B0164E4FA67D6B43D3CB8EAD734737E479767E0D545
238、EFF22C6FE6275B357 7.4:0 xA2381A4E30198BED49FB10A3D86274930B10D0EE788ED1121D1B83CF814362C9 8.5:0 xC71BED60766F8B89F6296C076F88E702B0E0474ACB8019AC8B8DB52E66E739ED 9.6:0 x0D72B0164E4FA67D6B43D3CB8EAD734737E479767E0D545EFF22C6FE6275B357 10.7:0 x2304AF3530A51BC03051BA7D3A2BB7B462120DF1B1D13BB55FA0B56583
239、1C19F4 11.8:0 xDEA0758622845043428A74802AABB23B53941CD216BA934FBFB5AF4D69FD7905 12.9:0 x2AEF34ABB0803C293AD390C2D9AB8B6D5FA9086E6A1ED4CD706FD 13.10:0 x67B124D86989268B92A26FBB88CF440FD6157475BB5472A27ADEB0D77843FDB9 14.11:0 xC4D7DDA8900CA0F784F36D9C8C95039244E842CB3FE73B5AFCCE521872D41D3F
240、 15.12:0 x2E2D1C8F7759D7CFB57004C007FC22EB3DB340AF7CAE90D5668E3AEA5A33F6D2 16.13:0 x0000000000000000000000000000000000000000000000000000000000000000 17.14:0 x0000000000000000000000000000000000000000000000000000000000000000 18.15:0 x0000000000000000000000000000000000000000000000000000000000000000 19.
241、16:0 x8E4D2AD793AEDBA2DBFE2AE09F0A49727988DFE8F460923A75B524A7FE9CFD80 20.17:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 21.18:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22.19:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 23.20:0
242、 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 24.21:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 25.22:0 xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 26.23:0 x0000000000000000000000000000000000000000000000000000000000000000 1.rootlocal
243、host hygon#hag tdm get_vPCR_audit-audit_file audit.bin-pcr_num 11 2.#PCR number :11#3.get vPCR audit successful.4.get_vPCR_audit command success!5.6.tdm Command successful!1.rootlocalhost hygon#hag tdm parse_vPCR_audit-audit_file audit.bin 2.#TDM_VPCR_AUDIT START#3.#pcr:11 4.#tpm2_digest:5.0 x00 0 x
244、00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 6.0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 0 x00 7.8.*9.#task_id:19 10.#hash:11.0 x7d 0 x49 0 x86 0 x8a 0 x49 0 xc5 0 xdd 0 xd3 0 xa3 0 x3b 0 x6b 0 x42 0 x16 0 x75
245、0 xc6 0 x87 12.0 x78 0 xf9 0 x16 0 x36 0 x33 0 x91 0 xc0 0 x6e 0 x47 0 xbd 0 x5f 0 x55 0 x21 0 xba 0 xcb 0 xe9 13.14.*15.#TDM_VPCR AUDIT END#16.parse vPCR audit successful.17.parse_vPCR_audit command success!1.rootlocalhost hygon#hag tdm replay_vPCR_audit-vPCR_file audit.bin 2.#TDM_VPCR_AUDIT_REPLAY
246、 START#3.#replay pcr:11 4.VPCR hash:5.0 xc4 0 xd7 0 xdd 0 xa8 0 x90 0 x0c 0 xa0 0 xf7 0 x84 0 xf3 0 x6d 0 x9c 0 x8c 0 x95 0 x03 0 x92 6.0 x44 0 xe8 0 x42 0 xcb 0 x3f 0 xe7 0 x3b 0 x5a 0 xfc 0 xce 0 x52 0 x18 0 x72 0 xd4 0 x1d 0 x3f 7.8.#TDM_VPCR_AUDIT_REPLAY END#9.replay vPCR audit successful.10.rep
247、lay_vPCR_audit command success!11.12.tdm Command successful!1.$sudo rmmod tdm-verify.ko keylime 概述 Keylime Keylime AgentKeylime RegistrarKeylime VerifierVM/裸金属/容器vTPM/TPMPublic Key store/Agent RegistrationVerifier checks agent integrityRemote machine in cloud:needs to prove its integrity using TPM q
248、uote with KeylimeKeylime checks integrity of remote machinesUntrustednetwork 龙蜥社区在 keylime 社区的工作与探索 keylime release notesrust-keylime 开源软件名称 总计 commit 数量 总计修改行数 rust-keylime 3-19/+20 keylime 14-24/+156 龙蜥 Anolis OS 上 keylime 用途与实践 用 Restful API 去监控/管理 Anolis OS 上的各个 keylime 组件Anolis OS 上 keylime 安装与
249、配置、运行 keylimecd keylime&./installer.sh-i rust-keylime:包含 keylime 的 agent 组件;tpm2-tss 软件包tpm2-tools 软件包 yum install-y libarchive-devel clang-devel rust cargo openssl-devel jq git clone https:/ cd rust-keylime cargo build make install useradd keylime mkdir-p/var/lib/keylime/cv_ca#将 keylime verifier 机器
250、上的/var/lib/keylime/cv_ca/cacert.crt 拷贝到 agent#机器上/var/lib/keylime/cv_ca/目录下,以便于后续 Agent 侧 https RESTful APIs 的访问 chown-R keylime/var/lib/keylime /etc/keylime/verifier.conf/etc/keylime/registrar.conf/etc/keylime/agent.conf/etc/keylime/tenant.conf 3)cd keylime 4)./services/installer.sh 5)systemctl sta
251、rt keylime_verifier 6)systemctl start keylime_registrar 7)systemctl start keylime_agent Anolis OS 上 keylime 高级功能实践 1.keylime_tenant-v 121.43.60.253-t 120.26.100.138 2.-uuid d432fbb3-d2f1-4a97-9ef7-75bd81c00000 3.-tpm_policy 15:0000000000000000000000000000000000000000,4.000000000000000000000000000000
252、0000000000000000000000000000000000,5.00000000000000000000000000000000000000000000000000000000000000000000000000 6.0000000000000000000000 7.-c add-cert/var/lib/keylime/cv_ca 1.DEBUG keylime_agent:quotes_handler Calling Integrity Quote with nonce:lCYwDxi2UkTIWM6Fk2aH,mask:0 x408000 2.INFO keylime_agen
253、t:quotes_handler GET integrity quote returning 200 response 3.INFO actix_web:middleware:logger GET 4./v2.1/quotes/integrity?nonce=lCYwDxi2UkTIWM6Fk2aH&mask=0 x408000&partial=1&ima_ml_entry=0 5.HTTP/1.1 from 121.43.60.253 result 200(took 1229.894715 ms)6.INFO keylime_agent GET invoked from 121.43.60.
254、253 with uri 7./v2.1/quotes/integrity?nonce=WSn8mEpGLjN5I8mhHjPn&mask=0 x408000&partial=1&ima_ml_entry=0 AgentVerifier发送quote(包含PCRs信息)和/sys/kernel/security/tpm0/binary_bios_measurements里面的boot log12重放boot log来验证PCRs(0-9,11-14)是否正确3根据measured boot policy,比较boot log跟measured boot reference state是否一致
255、1.cd keylime 2./scripts/create_mb_refstate 3.-i/sys/kernel/security/tpm0/binary_bios_measurements 4./measured_boot_reference_state.json 5.cat./measured_boot_reference_state.json|jq.1.keylime_tenant-c update-t 120.26.100.138-v 121.43.60.253 2.-u d432fbb3-d2f1-4a97-9ef7-75bd81c00000 3.-mb_refstate./me
256、asured_boot_reference_state.json 4.-cert/var/lib/keylime/cv_ca 1.INFO keylime_agent GET invoked from 121.43.60.253 with uri 2./v2.1/quotes/integrity?nonce=EiRTFv9tgNBmwy6HwxAC&mask=0 xfbff&partial=1&ima_ml_entry=0 3.DEBUG keylime_agent:quotes_handler Calling Integrity Quote with nonce:EiRTFv9tgNBmwy
257、6HwxAC,mask:0 xfbff 4.INFO keylime_agent:quotes_handler GET integrity quote returning 200 response 5.INFO actix_web:middleware:logger GET 6./v2.1/quotes/integrity?nonce=EiRTFv9tgNBmwy6HwxAC&mask=0 xfbff&partial=1&ima_ml_entry=0 7.HTTP/1.1 from 121.43.60.253 result 200(took 1452.270707 ms)1.keylime_c
258、reate_policy-m/sys/kernel/security/ima/ascii_runtime_measurements-o runtime_policy.json 2.cat runtime_policy.json|jq.1.keylime_tenant-c update-uuid d432fbb3-d2f1-4a97-9ef7-75bd81c00000 2.-t 120.26.100.138-v 121.43.60.253-runtime-policy/root/runtime_policy.json 3.-runtime-policy-name=tpm-cert/var/lib
259、/keylime/cv_ca 1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt 3.-k https:/127.0.0.1:8881/v2.1/allowlists/tpm|jq.4.5.code:200,6.status:Success,7.results:8.name:tpm,9.tpm_policy:null,10.runtime_policy:.11.监控 IMA 错误 1.2023-09-07 15:20:10.295-keylime.t
260、pm-INFO-Checking IMA measurement list on agent:2.d432fbb3-d2f1-4a97-9ef7-75bd81c00000 3.2023-09-07 15:20:10.295-keylime.ima-WARNING-Hashes for file boot_aggregate dont match 4.1aa841ace294d93414158a2f070c92d078c464da0110269d3ad1e59367cdc285 not in 5.fd2cf72bae331c6ba3db242e04f65ad5ca5c9da3f94dd5c78f
261、5e56496e7cf0da 6.2023-09-07 15:20:10.296-keylime.ima-ERROR-IMA ERRORS:Some entries couldnt be validated.Number of 7.failures in modes:ImaSig 1.8.2023-09-07 15:20:10.357-keylime.verifier-WARNING-Agent d432fbb3-d2f1-4a97-9ef7-75bd81c00000 failed,9.stopping polling 用 Restful API 去监控/管理 Anolis OS 上的各个 k
262、eylime 组件 GET/v2.1/agents/1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt 3.-k https:/127.0.0.1:8891/v2.1/agents|jq.4.5.code:200,6.status:Success,7.results:8.uuids:9.d432fbb3-d2f1-4a97-9ef7-75bd81c00000 10.11.12.GET/v2.1/agents/agent_id:UUID 1.#curl
263、-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt 3.-k https:/127.0.0.1:8891/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000|jq.4.5.code:200,6.status:Success,7.results:8.9.ip:121.43.60.253,10.port:9002,11.regcount:1 12.13.PUT/v2.1/agents/agent_id:UUID/activ
264、ate 1.#curl-k 2.-X PUT http:/127.0.0.1:8890/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000/activate 3.-H Content-Type:application/json 4.-d auth_tag:166be150040c57b4e2c69ad7a5dd4c57059e5838a1df4715872f6e385e8ce1ed91 5.|jq.6.7.code:200,8.status:Success,9.results:10.DELETE/v2.1/agents/agent_id:UUID
265、1.#curl-k 2.-X PUT http:/127.0.0.1:8890/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000/activate 3.-H Content-Type:application/json 4.-d auth_tag:166be150040c57b4e2c69ad7a5dd4c57059e5838a1df4715872f6e385e8ce1ed91 5.|jq.6.7.code:200,8.status:Success,9.results:10.11.#curl-key/var/lib/keylime/cv_ca/cl
266、ient-private.pem 12.-cert/var/lib/keylime/cv_ca/client-cert.crt 13.-k https:/127.0.0.1:8891/v2.1/agents|jq.14.15.code:200,16.status:Success,17.results:18.uuids:19.20.POST/v2.1/agents/agent_id:UUID 1.#curl-X POST http:/127.0.0.1:8890/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000 2.-H Content-Type:
267、application/json 3.-d ekcert:MIIE3DCCA8SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBvMQswCQYDVQQGEwJDTjEPMA0GA1UECgwGQWxpeXVuMTIwMA 4.aik_tpm:ARgAAQALAAUAcgAAABAAFAALCAAAAAAAAQC7R7SiAAExqqCZJ60cTJXxcYMCRsctsh96vX/f2T31DMrB6SnCMV9euHlMUCUs 5.ip:127.0.0.1,port:9002|jq.6.7.code:200,8.status:Success,9.10.11.#curl-k
268、ey/var/lib/keylime/cv_ca/client-private.pem-cert/var/lib/keylime/cv_ca/client-cert.crt 12.-k https:/127.0.0.1:8891/v2.1/agents|jq.13.14.code:200,15.status:Success,16.results:17.uuids:18.d432fbb3-d2f1-4a97-9ef7-75bd81c00000 19.20.21.GET/v2.1/agents/agent_id:UUID agent_id1.#curl-key/var/lib/keylime/cv
269、_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt 3.-k https:/127.0.0.1:8881/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000|jq.4.5.code:200,6.status:Success,7.results:8.9.hash_alg:sha256,10.enc_alg:rsa,11.sign_alg:rsassa,12.verifier_id:default,13.verifier_ip:121.43.60.253,14.ver
270、ifier_port:8881,15.severity_level:6,16.17.PUT/v2.1/agents/agent_id:UUID/stop agent_id1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt-k 3.-X PUT https:/127.0.0.1:8881/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000/stop 4.|jq.5.6.code:200,7.status:S
271、uccess,8.results:9.DELETE/v2.1/agents/agent_id:UUID 1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt 3.-k-X DELETE https:/127.0.0.1:8881/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000 4.|jq.5.6.code:200,7.status:Success,8.results:9.10.#curl-key/var
272、/lib/keylime/cv_ca/client-private.pem 11.-cert/var/lib/keylime/cv_ca/client-cert.crt 12.-k https:/121.0.0.1:8881/v2.1/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000|jq.13.14.code:404,15.status:agent id not found,16.results:17.GET/v2.1/allowlists/runtime_policy_name:string 1.curl-key/var/lib/keylime/cv_
273、ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt-k 3.https:/127.0.0.1:8881/v2.1/allowlists/tpm|jq.4.5.code:200,6.status:Success,7.results:8.name:tpm,9.tpm_policy:null,10.runtime_policy:.11.12.1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client
274、-cert.crt-k 3.https:/127.0.0.1:8881/v2.1/allowlists/test|jq.4.5.code:404,6.status:Runtime policy test not found,7.results:8.DELETE/v2.1/allowlist/runtime_policy_name:string runtime_policy_nametpm1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt 3.-k h
275、ttps:/127.0.0.1:8881/v2.1/allowlists/tpm|jq.4.5.code:200,6.status:Success,7.results:8.name:tpm,9.tpm_policy:null,10.runtime_policy:.11.12.13.#curl-key/var/lib/keylime/cv_ca/client-private.pem 14.-cert/var/lib/keylime/cv_ca/client-cert.crt-X DELETE 15.-k https:/127.0.0.1:8881/v2.1/allowlists/tpm|jq.1
276、6.#curl-key/var/lib/keylime/cv_ca/client-private.pem 17.-cert/var/lib/keylime/cv_ca/client-cert.crt 18.-k https:/127.0.0.1:8881/v2.1/allowlists/test|jq.19.20.code:404,21.status:Runtime policy test not found,22.results:23.1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv
277、_ca/client-cert.crt-X DELETE 3.-k https:/127.0.0.1:8881/v2.1/allowlists/test|jq.4.5.code:404,6.status:Runtime policy test not found,7.results:8.GET/version 1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt-k 3.https:/127.0.0.1:9002/version|jq.4.5.code
278、:200,6.status:Success,7.results:8.supported_version:2.1 9.10.GET/v2.1/keys/pubkey 1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt-k 3.https:/127.0.0.1:9002/v2.1/keys/pubkey|jq.4.5.code:200,6.status:Success,7.results:8.pubkey:.9.10.GET/v2.1/quotes/id
279、entity 1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt-k 3.https:/127.0.0.1:9002/v2.1/quotes/identity?nonce=1234567890ABCDEFHIJ 4.|jq.5.6.code:200,7.status:Success,8.results:9.quote:.10.hash_alg:sha256,11.enc_alg:rsa,12.sign_alg:rsassa,13.pubkey:.14
280、.15.GET/v2.1/quotes/integrity 1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt-k 3.https:/127.0.0.1:9002/v2.1/quotes/integrity?nonce=1234567890&mask=0 x10401&partial=0 4.5.code:200,6.status:Success,7.results:8.quote:.9.hash_alg:sha256,10.enc_alg:rsa,
281、11.sign_alg:rsassa,12.pubkey:.13.ima_measurement_list:.14.mb_measurement_list:.15.ima_measurement_list_entry:0 16.17.GET/v2.1/keys/verify 1.#curl-key/var/lib/keylime/cv_ca/client-private.pem 2.-cert/var/lib/keylime/cv_ca/client-cert.crt-k 3.https:/127.0.0.1:9002/v2.1/keys/verify?challenge=1234567890
282、ABCDEFHIJ|jq.4.5.code:400,6.status:Bootstrap key not yet available.,7.results:8.本节以一个未受保护的 loopback-mounted 文件系统为例,介绍如何通过TPM 增强基于 luks 磁盘加密的安全防护能力。1.#创建磁盘镜像,写入内容 2.#如下命令,我们在磁盘中添加了名为 plain.txt 的文件,该文件包含的内容为“this is my plain text”3.dd if=/dev/zero of=plain.disk bs=1M count=10 4.mkfs.ext4 plain.disk 5.
283、mkdir mountpoint 6.sudo mount plain.disk mountpoint 7.sudo sh-c echo This is my plain text mountpoint/plain.txt 8.sudo umount mountpoint 9.10.#可以通过简单的 linux 命令(如下所示)即可查看文件内容 11.strings plain.disk 1.#创建一个新的 luks 卷,使用简单的密码口令作为该卷的保护密钥 2.dd if=/dev/zero of=enc.disk bs=1M count=50 3.dd if=/dev/urandom of
284、=disk.key bs=1 count=32 4.sudo losetup/dev/loop0 enc.disk 5.sudo cryptsetup-key-file=disk.key luksFormat/dev/loop0 6.7.#基于上述方案加密后,磁盘中的文件不再可见、起到了一定的保护作用,采用如下命令无法查看明文信息 8.strings enc.disk|grep-i plain 1.#创建并保存一个密封对象,并使用它来密封一个随机字节序列作为磁盘密钥:2.tpm2_createprimary-Q-hierarchy=o-key-context=prim.ctx 3.dd if=
285、/dev/urandom bs=1 count=32 status=none|tpm2_create-hash-algorithm=sha256-public=seal.pub-private=seal.priv-sealing-input=-parent-context=prim.ctx 4.tpm2_load-Q-parent-context=prim.ctx-public=seal.pub-private=seal.priv-name=seal.name-key-context=seal.ctx 5.tpm2_evictcontrol-hierarchy=o-object-context
286、=seal.ctx 0 x81010002 6.7.#安装新密钥以取代旧密钥,并删除之前创建的旧密钥:8.tpm2_unseal-Q-object-context=0 x81010002|sudo cryptsetup-key-file=disk.key luksChangeKey enc.disk 9.shred disk.key 10.rm-f disk.key 11.12.#用 TPM 中密封的新身份验证挂载卷:13.sudo losetup/dev/loop0 enc.disk 14.tpm2_unseal-Q-object-context=0 x81010002|sudo crypt
287、setup-key-file=-luksOpen/dev/loop0 enc_volume 15.sudo mount/dev/mapper/enc_volume mountpoint 16.17.#磁盘访问被授予新的秘密:18.ls mountpoint 19.20.#卸载磁盘:21.22.sudo umount mountpoint 23.sudo cryptsetup remove enc_volume 24.sudo losetup-d/dev/loop0 1.#在 sha256 bank 中创建一个当前值为 PCR0 的 PCR 策略:2.tpm2_startauthsession-
288、session=session.ctx 3.tpm2_policypcr-Q-session=session.ctx-pcr-list=sha256:0-policy=pcr0.sha256.policy 4.tpm2_flushcontext session.ctx 5.6.#现在将 TPM 非易失性内存中保护磁盘加密密钥的密封对象替换为一个新对象,该对象添加了我们刚刚创建的 pcr 策略,作为访问密封密钥的身份验证机制:7.tpm2_unseal-object-context=0 x81010002|tpm2_create-Q-hash-algorithm=sha256-public=pc
289、r_seal_key.pub-private=pcr_seal_key.priv-sealing-input=-parent-context=prim.ctx-policy=pcr0.sha256.policy 8.tpm2_evictcontrol-hierarchy=o-object-context=0 x81010002 9.tpm2_load-Q-parent-context=prim.ctx-public=pcr_seal_key.pub-private=pcr_seal_key.priv-name=pcr_seal_key.name-key-context=pcr_seal_key
290、.ctx 10.tpm2_evictcontrol-hierarchy=o-object-context=pcr_seal_key.ctx 0 x81010002 11.12.#现在尝试再次挂载加密磁盘,只不过这次密钥被密封在 TPM 对象中,其解密封操作只能通过满足PCR 策略来访问。换句话说,通过 PCR 值所反映的预期系统软件状态不变来进行身份验证。13.sudo losetup/dev/loop0 enc.disk 14.tpm2_startauthsession-policy-session-session=session.ctx 15.tpm2_policypcr-Q-sessio
291、n=session.ctx-pcr-list=sha256:0-policy=pcr0.sha256.policy 16.17.#此时,理想情况下,您希望在内存中解开秘密,并将其直接管道到 cryptsetup,如下所示:“tpm2_unsealauth=session:session。object-context=0 x81010002|sudo cryptsetup luksOpenkey-file=-/dev/loop0 encvolume”。18.#但是,为了在下一节演示灵活 PCR,我们将复制未密封的秘密:19.tpm2_unseal-auth=session:session.ctx
292、-object-context=0 x81010002 disk_secret.bkup 20.cat disk_secret.bkup|sudo cryptsetup-key-file=-luksOpen/dev/loop0 enc_volume 21.tpm2_flushcontext session.ctx 22.sudo mount/dev/mapper/enc_volume mountpoint/23.ls mountpoint/24.25.#为了防止进一步开封,PCR0 将被延长。这将导致 PCR0 保持不同的值,就像在固件替换攻击期间一样。这将导致策略检查失败,从而导致打开尝试失
293、败。26.#延长前观察 PCR 状态,延长后再次观察:27.tpm2_pcrread-sel-list=sha256:0 28.tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000 29.tpm2_pcrread-sel-list=sha256:0 30.31.#尝试用脏 PCR 打开密封的磁盘加密密匙:32.tpm2_startauthsession-policy-session-session=session.ctx 33.tpm2_policypcr-Q-sessi
294、on=session.ctx-pcr-list=sha256:0-policy=pcr0.sha256.policy 34.35.#以下操作将导致策略检查失败,从而阻止开封操作:36.tpm2_unseal-auth=session:session.ctx-object-context=0 x81010002 37.tpm2_flushcontext session.ctx 38.39.#卸载磁盘:40.sudo umount mountpoint 41.sudo cryptsetup remove enc_volume 42.sudo losetup-d/dev/loop0 1.openss
295、l genrsa-out signing_key_private.pem 2048 2.openssl rsa-in signing_key_private.pem-out signing_key_public.pem-pubout 1.tpm2_startauthsession-session=session.ctx 2.tpm2_policypcr-Q-session=session.ctx-pcr-list=sha256:0-policy=set2.pcr.policy 3.tpm2_flushcontext session.ctx 4.openssl dgst-sha256-sign
296、signing_key_private.pem-out set2.pcr.signature set2.pcr.policy 1.#在将 LUKS 加密密码口令密封到 TPM 之前,有必要创建一个策略对象,该对象指定可以解封密码口令的条件。该策略将指定一组特定的 pcr(PCR0)必须与使用特定密钥(signing_key_public.pem)签名的值匹配:2.tpm2_loadexternal-key-algorithm=rsa-hierarchy=o-public=signing_key_public.pem-key-context=signing_key.ctx-name=signin
297、g_key.name 3.tpm2_startauthsession-session=session.ctx 4.tpm2_policyauthorize-session=session.ctx-policy=authorized.policy-name=signing_key.name 5.tpm2_flushcontext session.ctx 6.7.#通过使用上述策略创建一个密封对象,将密码口令密封到 TPM。请注意,由于前面的示例扩展了PCR0 以防止密码口令的重新解密,因此使用了密码口令的备份副本:8.cat disk_secret.bkup|tpm2_create-hash-a
298、lgorithm=sha256-public=auth_pcr_seal_key.pub-private=auth_pcr_seal_key.priv-sealing-input=-parent-context=prim.ctx-policy=authorized.policy 9.10.#用上面创建的对象替换旧的持久密封对象:11.tpm2_evictcontrol-hierarchy=o-object-context=0 x81010002 12.tpm2_load-Q-parent-context=prim.ctx-public=auth_pcr_seal_key.pub-private
299、=auth_pcr_seal_key.priv-name=auth_pcr_seal_key.name-key-context=auth_pcr_seal_key.ctx 13.tpm2_evictcontrol-hierarchy=o-object-context=auth_pcr_seal_key.ctx 0 x81010002 1.#加载公钥、PCR 策略和签名,并要求 TPM 验证签名:2.tpm2_loadexternal-key-algorithm=rsa-hierarchy=o-public=signing_key_public.pem-key-context=signing_k
300、ey.ctx-name=signing_key.name 3.tpm2_verifysignature-key-context=signing_key.ctx-hash-algorithm=sha256-message=set2.pcr.policy-signature=set2.pcr.signature-ticket=verification.tkt-format=rsassa 4.5.#现在请 TPM 验证 PCR 值是否与当前值匹配,并为签名验证传递一个验证票据。请注意,一次只能验证一组 PCR 值:整个过程必须重复,以便尝试验证另一组签名 PCR 值:6.tpm2_startauth
301、session-policy-session-session=session.ctx 7.tpm2_policypcr-pcr-list=sha256:0-session=session.ctx-policy=set2.pcr.policy 8.tpm2_policyauthorize-session=session.ctx-input=set2.pcr.policy-name=signing_key.name-ticket=verification.tkt 9.10.#解锁加密密码口令并解锁卷:11.sudo losetup/dev/loop0 enc.disk 12.tpm2_unseal
302、-auth=session:session.ctx-object-context=0 x81010002|sudo cryptsetup-key-file=-luksOpen/dev/loop0 enc_volume 13.tpm2_flushcontext session.ctx 14.sudo mount/dev/mapper/enc_volume mountpoint/15.ls mountpoint/16.17.#卸载卷 18.sudo umount mountpoint 19.sudo cryptsetup remove enc_volume 20.sudo losetup-d/de
303、v/loop0 1.h_ek_persistent_ecc=0 x81010002 2.3.tpm2_createak-C$h_ek_persistent_ecc-G ecc-g sm3_256 4.-s sm2-c ak_ecc.ctx-u ak_ecc.pub-n ak_ecc.name-T device 1.#grub2 系列所有组件(如 grub2、grbu2-common、grub2-efi-x64 等)均需部署 2.rpm-ivh grub2-xxx.anolis.x86_64.rpm 3.rpm-ivh iTrustMidware-3.0.1-20220827200013.kos
304、.x86_6.rpm 1.tlcptool 2.1.Check Policy State.3.2.Turn on Supervisory Policy.4.3.Update Supervisory Policy.5.4.Turn on Interception Policy.6.5.Update Interception Policy.7.6.Turn off Policy.8.7.Export BootLoader Passphrase.9.8.Deploy Measurement File.10.9.Update Measurement File.11.10.Delete Measurem
305、ent File.12.11.Export Software Trusted Report.13.O.Exit.14.Please Input the Corresponding Operations.61.0 0d818d47f8b7.S-CRTM Version 2.0 b16790da86a8.POST CODE 3.7 c3e86209704b.EV_EFI_VARIABLE_DRIVER_CONFIG SecureBoot 4.5.8 c9eef8824efb.IPL grub_cmd set gfx_payload=keep 6.8 6a1007c86dc8.IPL grub_cmd insmod gzio 7.8 eb204c91fc3d.IPL grub_cmd linux(hd0,gpt2)/vmlinuz-4.18.0 root=/dev/sda2 ro 8.9 3e9ff31a4687.IPL grub_linuxefi Kernel 9.8 603cfbaa8375.IPL grub_cmd initrd(hd0,gpt2)/initramfs-4.18.0.img 10.9 f0ba7132ccea.IPL grub_linuxefi Initrd RSA+SHA256+AESECDSA+SHA256+AES 3)