On 06.03.2009 at 17:01 Alexander Valitov wrote:


Hi Alexander!

> I've got hardware with TPM on board (Infineon SLB9635TT1.2). I've just
> discovered STPM package and have several questions about it:
>
> 1. What kind of functionality is provided by the package? Is it just driver
> for TPM and TPM emulator?

It includes various TPM drivers that can be used through the STPM interface. This interface basically allows you to send a command blob to the TPM and receive the blob with the encoded response. Then there's our L4 port of the TPM emulator, which is intended to be used as a virtual TPM. It can be used instead of a hardware TPM, but there is at least some work that still needs to be done for that.

The package also includes a version of libtcg, which provides commands such as TPM_Seal() and TPM_Unseal(). It uses the STPM interface to talk to the TPM. Our version of libtcg does not support all TPM commands, but the most common ones are there. This library is similar to libtpm on Linux.

> 2. There are some examples in the package. What do they do? I mean what use
> case do they demonstrate: memory sealing, key storing, signature
> generation, SHA1 generation, RSA en(de)cryption, trusted boot?

The only really useful example is probably 'tpmrun', which is an interactive shell that allows you to play with the TPM and do basic things such as creating/loading keys, creating signatures, etc. It can talk to a standalone version of the TIS driver (stpm-l4-tis) or a virtual TPM based on the aforementioned TPM emulator.

> How they
> should be started (module options, grub menu.lst, on what hardware)?

On real hardware: either launch stpm-l4-tis and a client such as tpmrun, or build your own program that links against libstpm-l4-tis.o.a and libtcg (+ dependencies). The tpmrun example needs l4con.

> 3. Is my TPM chip (Infineon SLB9635TT1.2) supported?

There are multiple drivers and your v1.2 TPM should be supported by the TIS driver (libstpm-l4-tis.o.a or stpm-l4-tis).

> 4. What general use cases could you imagine for TPM module in L4
> environment? What is it intended for?

Authenticated booting, sealed storage, remote attestation, ...

As for authenticated booting, the directory contrib/oslo contains a secure boot loader, which is described here:

Please note: we do not provide any support for things that are described in the TCG specs, like which commands to send to the TPM, what keys to use, or how to extend libtcg. So using all this stuff beyond the basic examples provided requires quite some knowledge about trusted computing and TPMs.
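To make the "command blob in, response blob out" model of the STPM interface concrete, here is an added example that is not part of this mail or of the STPM package: it encodes a TPM 1.2 TPM_PcrRead request as a byte blob and decodes the response blob with the checks a client should make before trusting it (response tag, the length field against the bytes actually received, and the TPM return code). The tag, ordinal and return-code constants are the TPM 1.2 values from the TCG TPM Main specification; the two response blobs are constructed by hand for the demonstration, and the STPM call that would carry the request to the driver is not shown because this mail does not name it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TPM 1.2 wire-format constants from the TCG TPM Main specification. */
#define TPM_TAG_RQU_COMMAND 0x00C1u   /* request without authorization session */
#define TPM_TAG_RSP_COMMAND 0x00C4u   /* matching response tag */
#define TPM_ORD_PcrRead     0x00000015u
#define TPM_SUCCESS         0u
#define TPM_HDR_LEN         10        /* tag(2) + paramSize(4) + ordinal/returnCode(4) */
#define TPM_PCR_LEN         20        /* SHA-1 sized PCR value */

static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Encode a TPM_PcrRead request for pcr_index into buf.
 * Returns the blob length (14) or 0 if buf cannot hold it. */
size_t build_pcr_read(uint8_t *buf, size_t buflen, uint32_t pcr_index)
{
    const size_t len = TPM_HDR_LEN + 4;
    if (buf == NULL || buflen < len) return 0;
    put_be16(buf + 0, TPM_TAG_RQU_COMMAND);
    put_be32(buf + 2, (uint32_t)len);        /* paramSize covers the whole blob */
    put_be32(buf + 6, TPM_ORD_PcrRead);
    put_be32(buf + 10, pcr_index);
    return len;
}

/* Decode the response blob. Return value: 0 = success (pcr_out filled),
 * 1 = TPM reported an error (*tpm_rc holds it), -1 = blob is malformed.
 * The length field inside the blob is checked against the bytes actually
 * received before anything behind the header is touched. */
int parse_pcr_read_response(const uint8_t *rsp, size_t rsplen,
                            uint8_t pcr_out[TPM_PCR_LEN], uint32_t *tpm_rc)
{
    if (rsp == NULL || tpm_rc == NULL || rsplen < TPM_HDR_LEN) return -1;
    if (get_be16(rsp) != TPM_TAG_RSP_COMMAND) return -1;
    if (get_be32(rsp + 2) != rsplen) return -1;   /* paramSize must match what arrived */
    *tpm_rc = get_be32(rsp + 6);
    if (*tpm_rc != TPM_SUCCESS) return 1;         /* error responses carry no payload */
    if (rsplen != TPM_HDR_LEN + TPM_PCR_LEN || pcr_out == NULL) return -1;
    memcpy(pcr_out, rsp + TPM_HDR_LEN, TPM_PCR_LEN);
    return 0;
}

/* Constructed sample responses (not captured from a real TPM). */
static const uint8_t SAMPLE_RSP_OK[30] = {
    0x00, 0xC4,                 /* TPM_TAG_RSP_COMMAND */
    0x00, 0x00, 0x00, 0x1E,     /* paramSize = 30 */
    0x00, 0x00, 0x00, 0x00,     /* returnCode = TPM_SUCCESS */
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19  /* PCR value */
};
static const uint8_t SAMPLE_RSP_FAIL[10] = {
    0x00, 0xC4, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x03  /* returnCode = TPM_BAD_PARAMETER */
};

int main(void)
{
    uint8_t cmd[14], pcr[TPM_PCR_LEN];
    uint32_t rc;
    size_t n = build_pcr_read(cmd, sizeof cmd, 0);
    printf("TPM_PcrRead(0) request:");
    for (size_t i = 0; i < n; i++) printf(" %02x", cmd[i]);
    printf("\n");
    if (parse_pcr_read_response(SAMPLE_RSP_OK, sizeof SAMPLE_RSP_OK, pcr, &rc) == 0) {
        printf("PCR value:");
        for (int i = 0; i < TPM_PCR_LEN; i++) printf(" %02x", pcr[i]);
        printf("\n");
    }
    if (parse_pcr_read_response(SAMPLE_RSP_FAIL, sizeof SAMPLE_RSP_FAIL, pcr, &rc) == 1)
        printf("TPM returned error code 0x%08x\n", rc);
    return 0;
}
```

The request blob produced for PCR 0 is `00 c1 00 00 00 0e 00 00 00 15 00 00 00 00`; whatever transport hands it to the chip (the TIS driver on real hardware, or the emulator as a virtual TPM), the response must be validated the same way, since a truncated or mis-framed blob is indistinguishable from a valid one if only the header's own length field is trusted.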


l4-hackers mailing list
