
SEC Configuration Tool






Presentation Transcript


  1. SEC Configuration Tool Tianyu Qi

  2. Packages Needed
     • Python (2.7) with hashlib
     • tpm2-tss
     • cmake
     • and the packages those above depend on

  3. Components
     • SEC-configure.py: Python script, the front-end of the tool.
     • SEC-worker: compiled and linked executable written in C, the back-end of the tool.
     • README.md: manual of the tool.

  4. Command Description
     • python SEC-configure -P <Passphrase> -S <AuthValue-of-Sealing-Key> -G <Hash-Algorithm> -B <component 1>,<component 2> … -O* <AuthValue-of-object> -H <Handle-of-Sealing-Key> -R <Directory-of-config-file> -D <Directory-of-SABLE>
       (-O is optional; see the next slide.)
     • Requires administrator authorization on Windows and sudo on Linux.

  5. Command Description (Cont.)
     • Parameters:
       • -P: SEC secret
       • -S: password of the sealing key (used in TPM2_Load)
       • -G: hash algorithm (SHA1 or SHA256; SHA256 if not specified)
       • -B: Directory/of/boot/modules (separated by ",")
       • -O: password of the sealed object (used in TPM2_Unseal; optional, the value of -S is used if not specified)
       • -H: handle of the persistent object
       • -R: Directory/to/save/this/configuration/file (saved to the current directory if not specified)
       • -D: Directory/of/SABLE

  6. Assumptions
     The SEC configuration tool works under the following assumptions:
     • The user has installed tpm2-tss, and its libraries are in /usr/local/lib. The user can provide the handle and the name of the sealing key object.
     • The user uses the same hash algorithm in the configuration tool and in SABLE.
     • SEC-configure.py and SEC-worker are in the same directory.
     • SABLE hashes the same boot modules, in the same order, as the user hashed during configuration. This is guaranteed by the user, who needs to modify 40_custom in /etc/grub.d correctly; details on modifying grub are described in the SABLE manual.

  7. Procedure
     • Check that proper authority is granted, that the tpm2-tss library is accessible, that SEC-worker is in the current directory, and that sable-AMD as well as the given boot modules are accessible using the aforementioned parameters. (If any condition is not satisfied, output an error message and terminate.)
     • Parse the received parameters; hash sable to get the digest for PCR17, then hash the boot modules to get the digest for PCR19. (No error should be thrown in this step, because all parameters were validated in step 1.)
     • Invoke SEC-worker. (From this step on, all work is done in the background.)

  8. Procedure (Cont.)
     • SEC-worker accepts and parses the following parameters from SEC-configure.py:
       • -H: parentHandle (handle of the persistent object)
       • -P: parentAuth (auth value of the persistent object)
       • -S: digest of the seventeenth PCR (PCR17)
       • -N: digest of the nineteenth PCR (PCR19)
       • -p: objectAuth (auth value of the SEC object)
       • -t: objectSecret (SEC secret)
     • SEC-worker initializes the TCTI (using the device TCTI) and the Enhanced System API (one of the TPM2 command APIs provided by tpm2-tss).

  9. Procedure (Cont.)
     • SEC-worker invokes the following commands in order:
       • TPM2_StartAuthSession: start a trial session Strial
       • TPM2_PolicyPCR(Strial, digestPCR17)
       • TPM2_PolicyPCR(Strial, digestPCR19)
       • TPM2_PolicyLocality(Strial, LOC_TWO)
       • TPM2_GetPolicy(Strial): get the policy digest digestpolicy
       • TPM2_Create: get the private portion and public portion of the created object
     • SEC-worker writes the parent handle (handle of the sealing key object), parent name (sealing key object name), private portion, public portion, and the digests read from PCR17 and PCR19 into SEC-config.dat, and saves it to the specified directory.
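The trial-session sequence on this slide can be replayed offline to predict the policy digest the TPM returns, which is a cheap check that the PCR selection and locality were encoded as intended. The Python 3 script below is an added example, not part of the tool; it assumes the session hash is SHA-256, that digestPCR17 and digestPCR19 are the 32-byte values the PCRs are expected to hold, and that LOC_TWO means locality 2 (TPMA_LOCALITY bit 2).

```python
import hashlib
import struct

# Command codes and algorithm ID from the TPM 2.0 Library spec, Part 2.
TPM_CC_POLICY_PCR = 0x0000017F
TPM_CC_POLICY_LOCALITY = 0x0000016F
TPM_ALG_SHA256 = 0x000B
# TPMA_LOCALITY is a one-byte bitmask; locality 2 is bit 2 (assumed meaning of LOC_TWO).
TPMA_LOCALITY_TWO = 0x04
SHA256_LEN = 32

def pcr_selection(pcr_index, alg=TPM_ALG_SHA256):
    """Marshal a TPML_PCR_SELECTION selecting one PCR of one bank:
    count(4) || hashAlg(2) || sizeofSelect(1) || pcrSelect(3 bytes, bit 8*i+j = PCR 8*i+j)."""
    select = bytearray(3)
    select[pcr_index // 8] |= 1 << (pcr_index % 8)
    return struct.pack(">IHB", 1, alg, 3) + bytes(select)

def policy_pcr(policy_digest, pcr_index, pcr_value):
    """TPM2_PolicyPCR update: H(old || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))."""
    if len(pcr_value) != SHA256_LEN:
        raise ValueError("PCR value must be a %d-byte SHA-256 digest" % SHA256_LEN)
    pcr_digest = hashlib.sha256(pcr_value).digest()
    return hashlib.sha256(policy_digest + struct.pack(">I", TPM_CC_POLICY_PCR)
                          + pcr_selection(pcr_index) + pcr_digest).digest()

def policy_locality(policy_digest, locality_mask):
    """TPM2_PolicyLocality update: H(old || TPM_CC_PolicyLocality || locality)."""
    return hashlib.sha256(policy_digest + struct.pack(">I", TPM_CC_POLICY_LOCALITY)
                          + bytes([locality_mask])).digest()

def sec_policy_digest(pcr17_value, pcr19_value):
    """Replay the slide's sequence: PolicyPCR(17), PolicyPCR(19), PolicyLocality(2).
    A fresh session starts from an all-zero digest of the session hash size."""
    digest = bytes(SHA256_LEN)
    digest = policy_pcr(digest, 17, pcr17_value)
    digest = policy_pcr(digest, 19, pcr19_value)
    digest = policy_locality(digest, TPMA_LOCALITY_TWO)
    return digest

if __name__ == "__main__":
    # Constructed sample PCR values standing in for the real sable-AMD and boot-module digests.
    pcr17 = hashlib.sha256(b"sable-AMD sample").digest()
    pcr19 = hashlib.sha256(b"boot modules sample").digest()
    print(sec_policy_digest(pcr17, pcr19).hex())
```

The value printed should equal the digest TPM2_GetPolicy returns for the trial session only if the PCRs hold exactly the supplied values; any mismatch points at a wrong PCR selection, hash bank, or locality.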

  10. Format of SEC-config.dat
     • The file is written in key-value pairs, with hash digests written in ASCII characters.
     • In each record, key and value are separated by ":", and each record ends with "\n" (including the last record).
     • Keys are: handle, private, public, name, PCR17, PCR19 (without quotes).
     • Records may appear in any order.
     • E.g.: handle:<handle>\nprivate:<private>\npublic:<public>\nname:<name>\n

  11. Parsing config on SABLE side
     • SABLE uses the parseConfig package to extract the configuration from SEC-config.dat.
     • struct configContext holds the config data: parentHandle, private, privateSize, public, publicSize, name, nameSize.
     • In the post-launch stage, after tis_init(), sable gets the config file from the boot modules (it should be the last one) and invokes parseConfig() to parse it.
     • If sable fails to get any of these configs, an exception is thrown.
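As an added example (not SABLE's parseConfig or the tool's own code), this Python 3 parser applies the rules of slides 10 and 11 to SEC-config.dat: order-independent records, a trailing newline on every record, all six keys required, and an error whenever anything is missing or malformed. It assumes, since the slides do not say, that handle, private, public and name are hex strings like the PCR digests.

```python
import binascii

# Keys SEC-worker writes (slide 10); sable needs every one of them (slide 11).
REQUIRED_KEYS = ("handle", "private", "public", "name", "PCR17", "PCR19")

def parse_sec_config(data):
    """Parse SEC-config.dat text into a dict. Records are order-independent and each
    ends with '\\n', including the last; any missing or malformed record is an error."""
    if not data.endswith("\n"):
        raise ValueError("last record is not terminated by a newline")
    config = {}
    for lineno, record in enumerate(data.split("\n")[:-1], 1):
        key, sep, value = record.partition(":")
        if not sep or not key:
            raise ValueError("record %d is not a key:value pair: %r" % (lineno, record))
        if key in config:
            raise ValueError("duplicate key %r at record %d" % (key, lineno))
        config[key] = value
    missing = [k for k in REQUIRED_KEYS if k not in config]
    if missing:
        raise ValueError("missing required keys: %s" % ", ".join(missing))
    for key in ("PCR17", "PCR19"):
        try:
            digest = binascii.unhexlify(config[key])
        except (binascii.Error, ValueError):
            raise ValueError("%s is not a hex-encoded digest" % key)
        if len(digest) not in (20, 32):  # SHA1 or SHA256, the algorithms -G accepts
            raise ValueError("%s has unexpected digest length %d" % (key, len(digest)))
    return config

def load_config_context(data):
    """Build the equivalent of struct configContext. Assumes (not stated on the slides)
    that handle, private, public and name are hex strings like the PCR digests."""
    cfg = parse_sec_config(data)
    ctx = {"parentHandle": int(cfg["handle"], 16), "PCR17": cfg["PCR17"], "PCR19": cfg["PCR19"]}
    for key in ("private", "public", "name"):
        ctx[key] = binascii.unhexlify(cfg[key])
        ctx[key + "Size"] = len(ctx[key])
    return ctx

# Constructed sample config; values are placeholders, not output of a real TPM.
SAMPLE_CONFIG = ("PCR19:" + "22" * 32 + "\nhandle:81000001\nprivate:0a0b0c\npublic:0d0e\n"
                 "name:000b" + "33" * 32 + "\nPCR17:" + "11" * 32 + "\n")

if __name__ == "__main__":
    print(load_config_context(SAMPLE_CONFIG))
```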
