From 0d5ca1e16065cc00991c5029c96ea458182d8ca7 Mon Sep 17 00:00:00 2001 From: Aidan Garske Date: Fri, 28 Mar 2025 09:39:11 -0700 Subject: [PATCH] Added more detailed steps and fixed wolftpm needing to be enabled in wolfssl --- recipes-examples/wolftpm/README.md | 98 ++++++++++++++++++--- recipes-examples/wolftpm/wolfssl_%.bbappend | 4 + recipes-examples/wolftpm/wolftpm_%.bbappend | 4 +- 3 files changed, 91 insertions(+), 15 deletions(-) create mode 100644 recipes-examples/wolftpm/wolfssl_%.bbappend diff --git a/recipes-examples/wolftpm/README.md b/recipes-examples/wolftpm/README.md index 7a4552c..d45e574 100644 --- a/recipes-examples/wolftpm/README.md +++ b/recipes-examples/wolftpm/README.md 
@@ -8,20 +8,58 @@ The recipes for these applications are located at: ``` meta-wolfssl/recipes-examples/wolftpm/wolftpm-examples.bb meta-wolfssl/recipes-examples/wolftpm/wolftpm-wrap-test.bb +meta-wolfssl/recipes-examples/wolftpm/wolfssl_%.bbappend ``` -You'll need to compile wolfTPM and the examples. This can be done with -these commands in the build directory: +You'll need to compile wolfTPM, wolfTPM wrap test example, and wolfSSL with +wolfTPM support. This can be done with these commands in the build directory: ``` +bitbake wolfssl bitbake wolftpm -bitbake wolftpm-examples +bitbake wolftpm-wrap-test ``` -To install these applications into your image, you will need to edit your -"build/conf/local.conf" file and add the following: +Adding Layers +------------- + +Besides adding meta-wolfssl to your bblayers.conf file, you will need to +add the following layers to your bblayers.conf file and clone +them into the poky directory. (Note: You need to have the same Yocto version +for all layers.) 
```bash -# Install necessary packages +git clone https://github.com/openembedded/meta-openembedded.git -b +git clone https://github.com/ni/meta-security.git -b +``` + +Add the following layers to your bblayers.conf file: +```bash +BBLAYERS ?= " \ + /path/to/yocto/poky/meta-wolfssl \ + /path/to/yocto/poky/meta-security \ + /path/to/yocto/poky/meta-security/meta-tpm \ + /path/to/yocto/poky/meta-openembedded/meta-oe \ + /path/to/yocto/poky/meta-openembedded/meta-python \` + " +``` + +System Requirements +------------------- + +For Ubuntu/Debian systems, install the following packages: +```bash +sudo apt-get install python3-git python3-jinja2 python3-setuptools \ + swtpm swtpm-tools tpm2-tools git socat build-essential +``` + +Image Install Configuration +--------------------------- + +To install these applications into your image, you will need to edit your +`build/conf/local.conf` file and add the following: + +```bash +# Add TPM packages IMAGE_INSTALL:append = " \ tpm2-tools \ tpm2-tss \ @@ -34,24 +72,27 @@ IMAGE_INSTALL:append = " \ wolftpm-wrap-test \ " +# Set the image link name IMAGE_LINK_NAME = "core-image-minimal-qemux86-64" # Enable security features DISTRO_FEATURES:append = " security" # Enable TPM support DISTRO_FEATURES:append = " tpm tpm2" -# If you want all security modules, you can also add -DISTRO_FEATURES:append = " pam apparmor smack" # Enable kernel TPM support KERNEL_FEATURES:append = " features/tpm/tpm.scc" # Machine features MACHINE_FEATURES:append = " tpm tpm2" ``` +WolfTPM Configuration +--------------------- + To add wolfTPM configurations you can add configurations to the -EXTRA_OECONF variable. For example you can enable debug logging like -this: +EXTRA_OECONF variable. We need to have --enable-devtpm for the TPM +simulator to work. You can enable debug logging and other configurations +like this: ``` -EXTRA_OECONF += "--enable-debug" +EXTRA_OECONF += "--enable-devtpm --enable-debug" ``` Testing with QEMU and TPM Simulator 
@@ -100,7 +141,7 @@ sudo chmod -R 755 /tmp/mytpm1 sudo chmod 777 /tmp/mytpm1/swtpm-sock ``` -7. Start QEMU (in terminal 3): +7. Start and run the QEMU (in terminal 3): ``` cd ~/poky/build runqemu qemux86-64 nographic core-image-minimal \ @@ -115,6 +156,39 @@ cd /usr/bin ./wolftpm-wrap-test ``` +You should see the following output: +``` +root@qemux86-64:/usr/bin# ./wolftpm-wrap-test +TPM2 Demo for Wrapper API's +Mfg IBM (0), Vendor SW TPM, Fw 8217.4131 (0x163636), FIPS 140-2 0, CC-EAL4 0 +Found 2 persistent handles +Created new RSA Primary Storage Key at 0x81000200 +Creating a loaded new TPM 2.0 key Test Passed +RSA Sign/Verify using RSA PKCSv1.5 (SSA) padding +RSA Sign/Verify using RSA PSS padding +RSA Encrypt/Decrypt Test Passed +RSA Encrypt/Decrypt OAEP Test Passed +RSA Encrypt/Decrypt RSAES Test Passed +RSA Key 0x80000001 Exported to wolf RsaKey +wolf RsaKey loaded into TPM: Handle 0x80000000 +RSA Private Key Loaded into TPM: Handle 0x80000001 +Created new ECC Primary Storage Key at 0x81000201 +ECC Sign/Verify Passed +ECC DH Test Passed +ECC Verify Test Passed +ECC Key 0x80000001 Exported to wolf ecc_key +wolf ecc_key loaded into TPM: Handle 0x80000000 +ECC Private Key Loaded into TPM: Handle 0x80000001 +NV Test (with auth) on index 0x1800201 with 1024 bytes passed +NV Test on index 0x1800200 with 1024 bytes passed +Hash SHA256 test success +HMAC SHA256 test success +Encrypt/Decrypt (known key) test success +Encrypt/Decrypt test success +PCR Test pass +root@qemux86-64:/usr/bin# +``` + Refer to the [wolfTPM Examples README](https://github.com/wolfSSL/wolfTPM/blob/master/examples/README.md) for more information on the examples directory. Refer to the [meta-wolfssl README](https://github.com/wolfSSL/meta-wolfssl/blob/master/README.md) for more information on setting up your layer. diff --git a/recipes-examples/wolftpm/wolfssl_%.bbappend b/recipes-examples/wolftpm/wolfssl_%.bbappend new file mode 100644 index 0000000..7562ce5 --- /dev/null 
+++ b/recipes-examples/wolftpm/wolfssl_%.bbappend @@ -0,0 +1,4 @@ +# wolfssl_%.bbappend + +# Enables wolfTPM support in wolfSSL +EXTRA_OECONF += "--enable-wolftpm" diff --git a/recipes-examples/wolftpm/wolftpm_%.bbappend b/recipes-examples/wolftpm/wolftpm_%.bbappend index e988433..114596e 100644 --- a/recipes-examples/wolftpm/wolftpm_%.bbappend +++ b/recipes-examples/wolftpm/wolftpm_%.bbappend @@ -4,12 +4,10 @@ WOLFTPM_TEST = "wrap_test" WOLFTPM_TEST_YOCTO = "wolftpm-wrap-test" WOLFTPM_INSTALL_DIR = "${D}${bindir}" -# Configurations +# Configurations (--enable-devtpm is required for the TPM simulator to work) EXTRA_OECONF += "--enable-devtpm" python () { - # Current Configurations - bb.note("Current EXTRA_OECONF: %s" % d.getVar('EXTRA_OECONF')) # Get the environment variables WOLFTPM_TEST_DIR, WOLFTPM_TEST, # WOLFTPM_TEST_YOCTO, and WOLFTPM_INSTALL_DIR wolftpm_test_dir = d.getVar('WOLFTPM_TEST_DIR', True)
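Review bot: in the "Adding Layers" hunk of README.md (@@ -8,20 +8,58 @@), the two `git clone ... -b` commands end with a bare `-b` and no branch name, so they fail as written; the BBLAYERS snippet also carries a stray backtick after `meta-python \` that breaks parsing, and as a complete `BBLAYERS ?=` assignment it omits the core layers (meta, meta-poky, meta-yocto-bsp) that a default poky bblayers.conf already lists, so pasting it over the existing assignment removes them even though the sentence above says "add the following layers". Suggest `git clone https://github.com/openembedded/meta-openembedded.git -b <yocto-branch>` (likewise for meta-security, matching the note about using one Yocto version for all layers), dropping the backtick, and either listing the core layers as well or using `BBLAYERS += " \` so the snippet does what the text says.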
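Review bot: in the "WolfTPM Configuration" hunk of README.md (@@ -34,24 +72,27 @@), `EXTRA_OECONF += "--enable-devtpm --enable-debug"` does not say which file it goes in; the surrounding sections edit `build/conf/local.conf`, and there EXTRA_OECONF is global, so the flags would be appended to every recipe's configure line rather than wolfTPM's alone. The `wolftpm_%.bbappend` in this same patch already adds `--enable-devtpm`, so the README line also duplicates it. Suggest scoping the example to the recipe, e.g. `EXTRA_OECONF:pn-wolftpm += "--enable-debug"`, and stating that `--enable-devtpm` is already set by the bbappend.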
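Review bot: in the step-7 hunk of README.md (@@ -100,7 +141,7 @@), "Start and run the QEMU (in terminal 3)" reads worse than the line it replaces: "the QEMU" is ungrammatical and "start and run" says the same thing twice, so suggest keeping "Start QEMU (in terminal 3):". While here, the context line `sudo chmod 777 /tmp/mytpm1/swtpm-sock` makes the simulator socket writable by every local user; that is acceptable for a throwaway development VM, but the README should say so in one sentence rather than leave readers to carry the setting into a shared host.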
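Review bot: the expected-output hunk of README.md (@@ -115,6 +156,39 @@) pastes a capture from one run, and several of its lines depend on swtpm state and version rather than on the test: the "Mfg IBM ... Fw 8217.4131" line, "Found 2 persistent handles", and the 0x8000000x / 0x8100020x handle values. A reader whose run prints different numbers may conclude the test failed. Suggest a sentence before the block saying that the version and handle details vary between runs and that the "Passed" / "success" / "pass" lines are what to check.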
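Review bot: the new `wolfssl_%.bbappend` is picked up for every build that includes meta-wolfssl (the usual `recipes-*/*/*.bbappend` BBFILES pattern), so adding `--enable-wolftpm` here changes the wolfSSL configuration for users who never build wolfTPM, while the commit message and README present it only as what wolfTPM needs. Suggest gating it on the feature the README already turns on, e.g. `EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', '--enable-wolftpm', '', d)}"`, and replacing the `# wolfssl_%.bbappend` filename comment with a line saying why the option is required for the wrap test.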
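Review bot: in the `wolftpm_%.bbappend` hunk (@@ -4,12 +4,10 @@), the new comment says `--enable-devtpm` is "required for the TPM simulator to work", but what that option selects is wolfTPM's Linux `/dev/tpmX` device interface; it is needed in this setup because the guest kernel reaches swtpm through the QEMU TPM device (the swtpm-sock arrangement in the README), not because wolfTPM talks to the simulator directly. Suggest wording the comment that way so nobody tries to use this build against swtpm from the host without the QEMU device in between. Removing the `bb.note` of the effective EXTRA_OECONF is fine; `bitbake -e wolftpm | grep ^EXTRA_OECONF=` shows the same value when needed.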