- 论坛徽章:
- 0
|
Introduction to Using the TSS
By Ari Singer NTRU Cryptosystems November 7, 2005
1.TPM Keys
- Endorsement key for root of TPM trust
- Storage root key for top of key hierarchy
- Storage keys for key hierarchy and sealing
- Identity keys for certifiable signatures
- Signing keys for signing arbitrary data
- Legacy keys that can both sign and encrypt.
2.Accessing the TPM
- There are several APIs and mechanisms for accessing the TPM
- These APIs require differing levels of understanding of the TPM
- Some mechanisms abstract away more TPM complexity than others
3. Understanding the TSS
- The TSS abstracts some of the TPM complexities away
- If you learn the TPM basics and the TSS API, you can create secure applications
- The main goals of the TSS are:
– Supply one entry point for applications to the TPM functionality
– Provide synchronized access to the TPM
– Hide building command streams with appropriate byte ordering and alignment from the applications
– Manage TPM resources
– Release TPM resources when appropriate
– Manage application use of secrets and keys
file:///tmp/moz-screenshot.png
file:///tmp/moz-screenshot-1.png
file:///tmp/moz-screenshot-2.png
4. TCG Device Driver Library (TDDL)
- Creates an abstraction layer hiding OS-specific device driver interfaces from the TCS
- Single point of compatibility for TSS developers
- Allows the TPM vendor to get/set device driver capabilities
5.Code Samples
Now here are some details about how to actually use this stuff . . .
/***** Seal to PCR Code ****/
int
main(void)
{
TSS_HCONTEXT hContext;
TSS_HTPM hTPM;
TSS_HPOLICY hPolicy;
TSS_HKEY hSRK ,hSealKey;
TSS_HENCDATA hSealData;
TSS_HPCRS hPCRs;
BYTE wellKnownSecret[] = TSS_WELL_KNOWN_SECRET;
BYTE rawData[64];
UINT32 unsealedDataLength, pcrLength;
BYTE *unsealedData, *pcrValue;
int i;
for (i = 0; i 64; i++)
rawData = (BYTE)i;
/* create context and connect to TPM */
Tspi_Context_Create(&hContext);
Tspi_Context_Connect(hContext, NULL);
/* create empty keys and data object */
Tspi_Context_CreateObject(hContext,
TSS_OBJECT_TYPE_RSAKEY,
TSS_KEY_TSP_SRK,
&hSRK);
Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
TSS_KEY_TYPE_STORAGE |
TSS KEY SIZE 2048 |
TSS_KEY_NO_AUTHORIZATION |
TSS_KEY_NOT_MIGRATABLE,
&hSealKey);
Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_ENCDATA,
TSS_ENCDATA_SEAL,
&hSealData);
/* get TPM object */
Tspi_Context_GetTpmObject(hContext, &hTPM);
/* set up the default policy - this will apply to all objects */
Tspi_Context_GetDefaultPolicy(hContext, &hPolicy);
Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_SHA1, 20, wellKnownSecret);
/* create and load the sealing key */
Tspi_Key_CreateKey(hSealKey, hSRK, 0);
Tspi_Key_LoadKey(hSealKey, hSRK);
/* seal to PCR values */
/* set the PCR values to the current values in the TPM */
Tspi_TPM_PcrRead(hTPM, 5, &pcrLength, &pcrValue);
Tspi_PcrComposite_SetPcrValue(hPCRs, 5, pcrLength,pcrValue);
Tspi TPM_PcrRead(hTPM, 7, &pcrLength, &pcrValue);
Tspi_PcrComposite_SetPcrValue(hPCRs, 7, pcrLength,pcrValue);
/* perform the seal operation */
Tspi_Data_Seal(hSealData,hSealKey, 64, rawData, hPCRs);
/* unseal the blob */
unsealedData = NULL;
Tspi_Data_Unseal(hSealData, hSealKey, &unsealedDataLength, &unsealedData);
/* free memory */
Tspi_Context_FreeMemory(hContext, unsealedData);
/* clean up */
Tspi_Key_UnloadKey(hSealKey);
Tspi_Context_CloseObject(hContext, hPCRs);
Tspi_Context_CloseObject(hContext, hSealKey);
Tspi_Context_CloseObject(hContext, hSealData);
/* close context */
Tspi_Context_Close(hContext);
return 0;
}
/*******Sign/verify Code************/
int
main(void)
{
TSS_HCONTEXT hContext;
TSS_HHASH hHash;
TSS_HKEY hSigningKey, hSRK;
TSS HPOLICY hPolicy;
TSS_UUID srkUUID = TSS_UUID_SRK;
BYTE secret[] = TSS_WELL_KNOWN_SECRET;
UINT32 sigLen;
BYTE *sig;
BYTE hash[] =
{0x32, 0xd1, 0x0c, 0x7b, 0x8c, 0xf9, 0x65, 0x70, 0xca, 0x04,
0xce, 0x37, 0xf2, 0xa1, 0x9d, 0x84, 0x24, 0x0d, 0x3a, 0x89};
/* create context and connect */
Tspi_Context_Create(&hContext);
Tspi_Context_Connect(hContext, remote-pc);
/* create a signing key under the SRK */
Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE, &hPolicy);
Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_SHA1, 20, secret);
Tspi_Context_GetKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, srkUUID, &hSRK);
Tspi_Policy_AssignToObject(hPolicy,hSRK);
Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
TSS_KEY_TYPE_SIGNING |
TSS_KEY_SIZE_2048 |
TSS_KEY_AUTHORIZATION |
TSS_KEY_NOT_MIGRATABLE,
&hSigningKey);
Tspi_Policy_AssignToObject(hPolicy, hSigningKey);
Tspi_Key_CreateKey(hSigningKey, hSRK, 0);
Tspi_Key_LoadKey(hSigningKey, hSRK);
/* open valid hash object */
Tspi_Context_CreateObject(hContext,TSS_OBJECT_TYPE_HASH,TSS_HASH_SHA1,
&hHash);
/* set hash value and get valid signature */
Tspi_Hash_SetHashValue(hHash, sizeof(hash), hash);
Tspi_Hash_Sign(hHash, hSigningKey, &sigLen, &sig);
/* verify signature */
Tspi_Hash_VerifySignature(hHash, hSigningKey, sigLen, sig);
/* free sig memory, close signing key object and context */
Tspi Context FreeMemory(hContext sig);
Tspi_Context_CloseObject(hContext, hSigningKey);
/* close context */
Tspi_Context_Close(hContext);
// we forgot to unload the signing key, but the TSS did it for us
// when we closed the context
return 0;
}
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u3/95392/showart_2164377.html |
|