mirror of https://github.com/wolfSSL/wolfBoot.git
abee55e7f5
|
||
|---|---|---|
| .. | ||
| Makefile | ||
| README.md | ||
| policy_create.c | ||
| policy_sign.c | ||
| rot.c | ||
| user_settings.h | ||
README.md
TPM Tools for wolfBoot
Tools to help with TPM setup.
For wolfBoot TPM features see (docs/TPM.md)[/docs/TPM.md].
Secure Boot Root of Trust (ROT)
Examples:
./tools/tpm/rot: Parse keystore.c keys, hash each and read NV values../tools/tpm/rot -write: Also write hash to NV../tools/tpm/rot -write -lock: Write and lock the NV./tools/tpm/rot -write -sha384: Write NV using SHA2-384./tools/tpm/rot -write -auth=test: Use password for NV access
Sealing / Unsealing
A PCR policy is signed with the tools/keytool/sign tool using the --policy argument.
The policy file comes from the tools/tpm/policy_create tool and contains a 4-byte PCR mask and PCR digest.
The authorization for the sealing/unsealing comes from the signed policy and its public key (stored in keystore.c).
Typically PCR's 0-15 are used for boot measurements and sealing/unsealing, since they can only be reset on a reboot. The PCR 16 is used for testing.
Examples:
./tools/tpm/pcr_reset 16: Reset PCR 16./tools/tpm/pcr_extend 16 aaa.bin: Extend PCR 16 with the SHA2-256 hash of "aaa"./tools/tpm/policy_create -pcr=16 -pcrdigest=eca4e8eda468b8667244ae972b8240d3244ea72341b2bf2383e79c66643bbecc -out=policy.bin: Create a policy.bin file with 4-byte PCR mask and 32-byte PCR digest../tools/keytools/sign --ecc256 --policy policy.bin test-app/image.elf wolfboot_signing_private_key.der 1: Sign the PCR policy and include in theHDR_POLICY_SIGNATUREimage header.make POLICY_FILE=policy.bin: This will perform a build and include the policy file argument to the sign tool. This can also go into the .config file.