WolfSSL
/
wolfBoot
mirror of https://github.com/wolfSSL/wolfBoot.git
1
0
Fork 0
Code Issues Releases Wiki Activity
wolfBoot/docs/TPM.md

324 lines
8.2 KiB
Markdown
Raw Blame History

# TPM Integration Guide
This guide describes wolfBoot's integration with Trusted Platform Module (TPM) for enhanced security features.
## Features Overview
- Root of Trust (RoT) using TPM
- Cryptographic operation offloading
- Measured boot support
- Secure sealing/unsealing of secrets
- PCR-based policy enforcement
## Configuration Options
### Core TPM Support
| Option | Macro | Description |
|--------|-------|-------------|
| `WOLFTPM=1` | `WOLFBOOT_TPM` | Enable TPM integration |
### Cryptographic Features
| Option | Macro | Description |
|--------|-------|-------------|
| `WOLFBOOT_TPM_VERIFY=1` | `WOLFBOOT_TPM_VERIFY` | Offload RSA2048/ECC256/384 to TPM |
| `WOLFBOOT_TPM_KEYSTORE=1` | `WOLFBOOT_TPM_KEYSTORE` | Enable TPM-based root of trust |
### Storage Configuration
| Option | Macro | Description |
|--------|-------|-------------|
| `WOLFBOOT_TPM_KEYSTORE_NV_BASE=0x` | Same | NV index (0x1400000-0x17FFFFF) |
| `WOLFBOOT_TPM_KEYSTORE_AUTH=secret` | Same | NV access password |
| `WOLFBOOT_TPM_SEAL_NV_BASE=0x01400300` | Same | Sealed blob storage location |
| `WOLFBOOT_TPM_SEAL_AUTH=secret` | Same | Sealing/unsealing password |
### Measured Boot
| Option | Macro | Description |
|--------|-------|-------------|
| `MEASURED_BOOT=1` | `WOLFBOOT_MEASURED_BOOT` | Enable PCR measurements |
| `MEASURED_PCR_A=16` | `WOLFBOOT_MEASURED_PCR_A=16` | PCR index selection |
| `WOLFBOOT_TPM_SEAL=1` | `WOLFBOOT_TPM_SEAL` | Enable PCR-based sealing |
For detailed measured boot information, see [measured_boot.md](/docs/measured_boot.md)
## Feature Details
### Root of Trust (RoT)
Implements secure boot chain using TPM-based key verification.
**Implementation:**
- Uses locked platform NV handle
- Stores public key hash
- Requires authentication for tampering prevention
- Authentication encrypted during transit
**Example:** See [wolfTPM RoT Example](https://github.com/wolfSSL/wolfTPM/tree/master/examples/boot)
### Cryptographic Offloading
Delegates cryptographic operations to TPM hardware.
**Supported Operations:**
- RSA2048 verification
- ECC256/384 verification
**Notes:**
- Reduces code size
- Improves performance
- Requires `WOLFBOOT_TPM_VERIFY`
- Use `SIGN=RSA2048ENC` for ASN.1 encoding
### Measured Boot
Tracks boot process integrity using PCR measurements.
**Features:**
- Hashes wolfBoot image
- Extends PCR with hash
- Verifiable boot attestation
- API: `wolfBoot_tpm2_extend`
### Secret Management
#### Sealing/Unsealing API
```c
// Seal data with policy and authentication
int wolfBoot_seal_auth(
const uint8_t* pubkey_hint, // Public key reference
const uint8_t* policy, // Policy data
uint16_t policySz, // Policy size
int index, // NV index
const uint8_t* secret, // Data to seal
int secret_sz, // Data size
const byte* auth, // Authentication
int authSz // Auth size
);
// Unseal previously sealed data
int wolfBoot_unseal_auth(
const uint8_t* pubkey_hint, // Public key reference
const uint8_t* policy, // Policy data
uint16_t policySz, // Policy size
int index, // NV index
uint8_t* secret, // Buffer for unsealed data
int* secret_sz, // Buffer size
const byte* auth, // Authentication
int authSz // Auth size
);
```
**Storage Location:**
- Default: `0x01400300 + index`
- Configurable via `WOLFBOOT_TPM_SEAL_NV_BASE`
For implementation examples, see [wolfTPM Sealing Example](https://github.com/wolfSSL/wolfTPM/tree/master/examples/boot#secure-boot-encryption-key-storage)
NOTE: The TPM's RSA verify requires ASN.1 encoding, so use SIGN=RSA2048ENC
## Testing Guide
### Simulator Testing
#### Setup and Configuration
```bash
# 1. Copy TPM simulator config
cp config/examples/sim-tpm-seal.config .config
# 2. Build required tools
make keytools
make tpmtools
# 3. Create test files
echo aaa > aaa.bin
echo bbb > bbb.bin
# 4. Configure PCR values
./tools/tpm/pcr_extend 0 aaa.bin
./tools/tpm/pcr_extend 1 bbb.bin
# 5. Create policy (PCR 1 then 0)
./tools/tpm/policy_create -pcr=1 -pcr=0 -out=policy.bin
# 6. Setup Root of Trust (optional)
./tools/tpm/rot -write [-auth=TestAuth]
# 7. Build with policy
make clean
make POLICY_FILE=policy.bin \
[WOLFBOOT_TPM_KEYSTORE_AUTH=TestAuth] \
[WOLFBOOT_TPM_SEAL_AUTH=SealAuth]
```
#### Testing Sequence
```bash
# First Run - Initial Secret Creation
./wolfboot.elf get_version
```
**Expected Output:**
```
Mfg IBM (0), Vendor SW TPM, Fw 8228.293 (0x120000)...
Unlocking disk...
Error 395 reading blob... (First run expected error)
Creating new secret (32 bytes)
7801a7fb716371c975a9a1bca6159a223bc7dba6adb2acf82781421062e498a5
Wrote 242 bytes to NV index 0x1400300
TPM Root of Trust valid (id 0)
```
**Subsequent Runs:**
```bash
./wolfboot.elf get_version
```
**Expected Output:**
```
Unlocking disk...
Read 242 bytes from NV index 0x1400300
Secret 32 bytes
7801a7fb716371c975a9a1bca6159a223bc7dba6adb2acf82781421062e498a5
TPM Root of Trust valid (id 0)
```
```
### Hardware Testing
#### Policy Generation Process
1. Build Tools and Setup
```bash
make tpmtools
./tools/tpm/rot -write
./tools/tpm/pcr_reset 16
```
2. Generate Initial Policy
```bash
./wolfboot.elf get_version
```
**Expected Output:**
```
Policy header not found!
Generating policy based on active PCR's!
Getting active PCR's (0-16)
PCR 16 (counter 20)
8f7ac1d5a5eac58a2305ca459f27c35705a9212c0fb2a9088b1df761f3d5f842
Found 1 active PCR's (mask 0x00010000)
PCR Digest:
f84085631f85333ad0338b06c82f16888b7923abaccffb881d5416e389be256c
PCR Policy:
0000010034ba061436aba2e9a167a1ee46af4a9578a8c6b9f71fdece21607a0cb40468ec
```
#### Policy Creation Methods
1. **Direct Method**
```bash
# Convert hex policy to binary
echo "0000010034ba061436aba2e9a167a1ee46af4a9578a8c6b9f71fdece21607a0cb40468ec" | \
xxd -r -p > policy.bin
```
2. **Using Policy Creation Tool**
```bash
# Method A: Specify PCR Index
./tools/tpm/policy_create \
-pcr=16 \
-pcrdigest=f84085631f85333ad0338b06c82f16888b7923abaccffb881d5416e389be256c \
-out=policy.bin
# Method B: Specify PCR Mask
./tools/tpm/policy_create \
-pcrmask=0x00010000 \
-pcrdigest=f84085631f85333ad0338b06c82f16888b7923abaccffb881d5416e389be256c \
-out=policy.bin
```
**Tool Output:**
```
Policy Create Tool
PCR Index(s) (SHA256): 16 (mask 0x00010000)
PCR Digest (32 bytes):
f84085631f85333ad0338b06c82f16888b7923abaccffb881d5416e389be256c
PCR Policy (36 bytes):
0000010034ba061436aba2e9a167a1ee46af4a9578a8c6b9f71fdece21607a0cb40468ec
Wrote 36 bytes to policy.bin
```
#### Policy Signing
Two methods are available for signing the policy:
1. **Simple Build Method**
```bash
make POLICY_FILE=policy.bin
```
2. **Manual Signing Tools**
Both tools below sign policy digest without TPM access:
- `tools/tpm/policy_sign`
- `tools/keytools/sign`
##### Using Policy Sign Tool
```bash
./tools/tpm/policy_sign \
-pcr=0 \
-pcrdigest=eca4e8eda468b8667244ae972b8240d3244ea72341b2bf2383e79c66643bbecc
```
**Output Details:**
```
Sign PCR Policy Tool
Signing Algorithm: ECC256
PCR Index(s): 0
Key: wolfboot_signing_private_key.der
Digests:
1. PCR Digest (32 bytes):
eca4e8eda468b8667244ae972b8240d3244ea72341b2bf2383e79c66643bbecc
2. Policy Digest (32 bytes):
2d401eb05f45ba2b15c35f628b5896cc7de9745bb6e722363e2dbee804e0500f
3. Policy Digest w/Ref (32 bytes):
749b3139ece21449a7828f11ee05303b0473ff1a26cf41d6f9ff28b24c717f02
Output:
PCR Mask (0x1) + Signature (68 bytes total):
01000000
5b5f875b3f7ce78b5935abe4fc5a4d8a6e87c4b4ac0836fbab909e232b6d7ca2
3ecfc6be723b695b951ba2886d3c7b83ab2f8cc0e96d766bc84276eaf3f213ee
File: policy.bin.sig (68 bytes written)
```
##### Using Signing Key Tool
```bash
./tools/keytools/sign \
--ecc256 \
--policy policy.bin \
test-app/image.elf \
wolfboot_signing_private_key.der 1
```
**Process Details:**
```
wolfBoot KeyTools v1100000
Configuration:
- Update Type: Firmware
- Input: test-app/image.elf
- Cipher: ECC256
- Hash: SHA256
- Key: wolfboot_signing_private_key.der
- Output: test-app/image_v1_signed.bin
- Partition: 1
- Header Size: 256 bytes (runtime calculated)
Steps:
1. Calculate SHA256 digest
2. Sign digest
3. Process policy file
4. Sign policy digest
5. Save policy signature
6. Generate final image
```
```
Reference in New Issue View Git Blame Copy Permalink