前置知识

可信计算

可信计算架构

因为TPM里面寄存器内容较少，所以TPM主要负责对 boot kernel 的安全；

IMA EVM 负责对上层（偏应用）的安全，针对IMA的配置相关，请看上一篇文章；IMA的实现原理内容请看语雀。

信任度量模型的特点
- 二值：信任/不信任
- 无损：不考虑信任传递中的损失，甲->乙->丙，那么甲也可以信任丙；
  - OS 中的信任链也是逐层向上传递的
  - 所以可以用数据完整性度量值充当信任值：度量值、相关密钥存储在 TPM 模块中，只要TPM是安全的（硬件安全），那么根据传递链，这个系统就是安全的。

TPM与PCR

TPM里面的寄存器为PCR

$PCR_{新值}=hash(PCR_{OLD}|| 扩展的数据)$

典型的PCR分配如下：


PCR编号	用途
0	BIOS
1	BIOS配置
2	可选ROM
3	可选ROM配置
4	MBR
5	MBR配置
6	状态转变和唤醒事件
7	平台制造商特定度量
8-15	静态操作系统
16	Debug
23	应用程序支持

TPM的模拟

因为WSL无法直接访问调用本机的TPM芯片，所以我们模拟一个TPM（用软件方式）。

安装TPM模拟器

安装必要的包

1
2

sudo apt install lcov pandoc autoconf-archive liburiparser-dev libdbus-1-dev libglib2.0-dev dbus-x11 libssl-dev
sudo apt install autoconf automake libtool pkg-config gcc  libcurl4-gnutls-dev libgcrypt20-dev libcmocka-dev uthash-dev

下载模拟器

1 2	mkdir ibmtpm && cd ibmtpm

然后从这个连接中下载最新版ibmtpm。我的版本是ibmtpm1682

下载IBMTPM

网上有教程让下1332版本，但在我的内核下会各种报错

下载后移动到刚刚创建的ibmtpm文件夹之下并解压

1	tar -xf ibmtpm1682.tar.gz

编译
1
2
cd src/
sudo make
将编译文件移动并创建服务

为了使得一开机就能使用tpm，我们将tpm加入启动服务中

1	sudo cp tpm_server /usr/local/bin

编辑服务项

1 2	# 编辑服务项目 sudo vim /lib/systemd/system/tpm-server.service

编辑（新增）的内容如下

[Unit]
Description=TPM2.0 Simulator Server Daemon
Before=tpm2-abrmd.service
 
[Service]
ExecStart=/usr/local/bin/tpm_server 
Restart=always
Environment=PATH=/usr/bin:/usr/local/bin
 
[Install]
WantedBy=multi-user.target

启动服务

# 重新加载服务的配置文件
sudo systemctl daemon-reload

# 启动tpm服务
sudo systemctl start tpm-server.service

# 测试TPM配置情况
sudo service tpm-server status

我的报错——

# 我的报错
$ sudo systemctl start tpm-server.service
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down

因为WSL系统没有使用 systemd 作为其初始化系统

解决方案：打开或创建 /etc/wsl.conf 文件，并添加以下内容：

text

1 2	[boot] systemd=true

保存并关闭文件后，在power shell 运行wsl --shutdown。然后首次开启大概需要等待15s。

然后在运行刚刚的命令就好了

tpm-server启动成功截图

此时TPM 模拟器已经成功配置，并完成启动服务。

tpm软件包介绍、安装和配置

为了方便使用TPM，开发者开发了许多TPM应用软件来实现对TPM更好地使用
Tpm软件包括 tpm2-tss、tpm2-abrmd、tpm2-tools

建议前两个的安装顺序不要换

tpm2-tss、tpm2-abrmd 和 tpm2-tools 是与 TPM 2.0（Trusted Platform Module 2.0）相关的三个关键软件组件，它们共同构成了 TPM 2.0 软件栈，用于支持 TPM 2.0 芯片的各种操作。下面是每个组件的具体功能：

tpm2-tss：
- 这是 TPM 2.0 软件栈（TSS）的实现，遵循可信计算组织（TCG）的规范。
- 它提供了一组 API，允许软件开发者通过这些 API 与 TPM 硬件交互，执行各种安全操作，如密钥生成、加密、解密、签名等。
- tpm2-tss 包括不同的层，如 Feature API (FAPI)、Enhanced System API (ESAPI)、System API (SAPI)、Marshaling/Unmarshaling (MU) 和 TPM Command Transmission Interface (TCTI)，每一层都有特定的功能和用途。
tpm2-abrmd：
- 全称为 TPM2 Access Broker & Resource Management Daemon，是一个守护进程，用于管理多个客户端对 TPM 2.0 的访问。
- 它实现了 TPM 访问代理和资源管理器，处理应用程序对 TPM 2.0 的请求，确保只有经过授权的应用程序才能访问 TPM。
- tpm2-abrmd 采用异步通信方式处理 TPM 请求，提高系统性能和安全性。
tpm2-tools：
- 这是一组命令行工具，提供直接与 TPM 2.0 芯片交互的能力。
- 这些工具可以用来执行各种 TPM 操作，如读取 PCR 值、生成密钥、加密、解密、签名验证等。
- tpm2-tools 包括多个命令，如 tpm2_createprimary、tpm2_create、tpm2_load、tpm2_evictcontrol、tpm2_nvdefine、tpm2_nvread 等，每个命令都对应特定的 TPM 操作。

这些工具和库文件共同为开发人员提供了一个完整的解决方案，以便在软件层面上利用 TPM 2.0 硬件的安全性功能。通过这些组件，可以在应用程序中实现安全认证、数据加密、密钥管理等多种安全增强功能。

具体安装过程及依赖包的安装可参考

安装tss包 https://github.com/tpm2-software/tpm2-tss/blob/master/INSTALL.md
安装abrmd包 https://github.com/tpm2-software/tpm2-abrmd/blob/master/INSTALL.md
安装tools包 https://github.com/tpm2-software/tpm2-tools/blob/master/doc/INSTALL.md

tss

添加tss账户
1
sudo useradd --system --user-group tss

从上面的github连接下载tss安装包，我的是tpm2-tss-4.1.3，然后跟着github的INSTALL.md完成安装

先安装依赖

sudo apt -y install \
  autoconf-archive \
  libcmocka0 \
  libcmocka-dev \
  procps \
  iproute2 \
  build-essential \
  git \
  pkg-config \
  gcc \
  libtool \
  automake \
  libssl-dev \
  uthash-dev \
  autoconf \
  doxygen \
  libjson-c-dev \
  libini-config-dev \
  libcurl4-openssl-dev \
  uuid-dev \
  libltdl-dev \
  libusb-1.0-0-dev \
  libftdi-dev

然后依次运行

1
2
3

./configure
make -j$(nproc)
sudo make install

然后输入

1	sudo ldconfig

sudo ldconfig 是一个在 Linux 系统中使用的命令，它用于配置动态链接器运行时绑定所需的环境。动态链接器（dynamic linker），也称为动态加载器（dynamic loader），是负责在程序启动时加载动态库的程序。

当你安装、卸载或者更新了动态库（如 .so 文件）时，通常需要运行 ldconfig 命令来更新系统的动态链接库缓存。这个缓存是一个数据库，包含了系统中所有可用的动态库的信息，动态链接器在运行时会使用这个缓存来找到所需的库。

ldconfig 命令通常执行以下操作：

根据 /etc/ld.so.conf 文件和 /etc/ld.so.conf.d/ 目录下的配置文件，以及 /lib 和 /usr/lib 目录下的默认库，生成或更新动态链接库的缓存文件。
清除不再存在的库条目。
可选地，可以指定特定的目录来更新缓存，而不是扫描整个文件系统。

使用 sudo 是因为这些操作通常需要管理员权限来修改系统文件和目录。

例如，如果你刚刚安装了一个新库或者更新了一个库，运行 sudo ldconfig 可以确保系统知道新库的位置，这样程序就可以在运行时正确地找到并使用这些库。

在某些系统中，ldconfig 命令可能不是必需的，因为动态链接器可以自动发现新安装的库。然而，在大多数传统的 Linux 发行版中，ldconfig 是管理动态库的标准工具。

abrmd安装

从上面连接下载安装包，我的是tpm2-abrmd-2.3.3.tar.gz

解压&切换

1
2
3

tar -xf tpm2-abrmd-2.3.3.tar.gz
cd tpm2-abrmd-2.3.3/
sudo ldconfig

编译

./bootstrap

# 在配置过程中，添加–with-dbuspolicydir=/etc/dbus-1/system.d选项，这样可以将tpm2-abrmd声明到系统总线上，允许tss账户声明该策略。同时将tpm2-abrmd添加进系统引导：–with-systemdsystemunitdir=/lib/systemd/system
./configure --with-dbuspolicydir=/etc/dbus-1/system.d --with-udevrulesdir=/usr/lib/udev/rules.d --with-systemdsystemunitdir=/usr/lib/systemd/system

make -j8
sudo make install

添加tpm2-abrmd进入系统服务

1 2	sudo cp /usr/local/share/dbus-1/system-services/com.intel.tss2.Tabrmd.service /usr/share/dbus-1/system-services/

重启DBUS
1
sudo pkill -HUP dbus-daemon
修改tpm2-abrmd.service服务配置（！！！！这是错误的）：
1
2
cd /lib/systemd/system
sudo vim tpm2-abrmd.service
在ExecStart后面增加--allow-root --tcti="libtss2-tcti-mssim.so.0:host=127.0.0.1,port=2321"，变成

tpm2-abrmd.service服务配置（修改后）

好的我在这里被坑了，上面是错误的，我的实际存储的tpm2-abrmd.service在/usr/local/lib/systemd/system/tpm2-abrmd.service里面（我是在运行sudo service tpm2-abrmd status后观察到service的位置的）

然后需要注释掉一处(#After=dev-tpm0.device #Requires=dev-tpm0.device，因为我们实际没有这/dev/tpm)、添加一处(—allow-root —tcti=mssim)，然后修改User为root，即——

正确的修改tpm2-abrmd方式

同样重启服务

1
2
3

sudo systemctl daemon-reload
sudo systemctl start tpm2-abrmd
sudo service tpm2-abrmd status

tpm2-abrmd.service服务状态

tools

很简单，一行命令

1	sudo apt install tpm2-tools

验证

若tpm2-abrmd.service无法启动，可以单开一个窗口，启动tpm2-abrmd
1
sudo tpm2-abrmd --allow-root --tcti=mssim

单独启动tpm2-abrmd

使用tpm2_pcrread命令读取PCR值（注：很多博客写的tpm2_pcrlist已不被支持）

对审计日志存入PCR

sudo tpm2_pcrevent 10 ascii_runtime_measurements

将ascii_runtime_measurements文件的度量值扩展PCR10的哈希中，如果不加10，则只输出不扩展写入PCR

sudo tpm2_pcrread

读取PCR值

$ sudo tpm2_pcrevent 10 ascii_runtime_measurements
sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
sha384: 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
sha512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
$ sudo tpm2_pcrread
  sha1:
    0 : 0x0000000000000000000000000000000000000000
    1 : 0x0000000000000000000000000000000000000000
    2 : 0x0000000000000000000000000000000000000000
    3 : 0x0000000000000000000000000000000000000000
    4 : 0x0000000000000000000000000000000000000000
    5 : 0x0000000000000000000000000000000000000000
    6 : 0x0000000000000000000000000000000000000000
    7 : 0x0000000000000000000000000000000000000000
    8 : 0x0000000000000000000000000000000000000000
    9 : 0x0000000000000000000000000000000000000000
    10: 0x31A2DC4C22F9C5444A41625D05F95898E055F750
    11: 0x0000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000
    14: 0x0000000000000000000000000000000000000000
    15: 0x0000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x0000000000000000000000000000000000000000
  sha256:
    0 : 0x0000000000000000000000000000000000000000000000000000000000000000
    1 : 0x0000000000000000000000000000000000000000000000000000000000000000
    2 : 0x0000000000000000000000000000000000000000000000000000000000000000
    3 : 0x0000000000000000000000000000000000000000000000000000000000000000
    4 : 0x0000000000000000000000000000000000000000000000000000000000000000
    5 : 0x0000000000000000000000000000000000000000000000000000000000000000
    6 : 0x0000000000000000000000000000000000000000000000000000000000000000
    7 : 0x0000000000000000000000000000000000000000000000000000000000000000
    8 : 0x0000000000000000000000000000000000000000000000000000000000000000
    9 : 0x0000000000000000000000000000000000000000000000000000000000000000
    10: 0x1C9ECEC90E28D2461650418635878A5C91E49F47586ECF75F2B0CBB94E897112
    11: 0x0000000000000000000000000000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000000000000000000000000000
    14: 0x0000000000000000000000000000000000000000000000000000000000000000
    15: 0x0000000000000000000000000000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x0000000000000000000000000000000000000000000000000000000000000000
  sha384:
    0 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    1 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    2 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    3 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    4 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    5 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    6 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    7 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    8 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    9 : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    10: 0x21B9EFBC184807662E966D34F390821309EEAC6802309798826296BF3E8BEC7C10EDB30948C90BA67310F7B964FC500A
    11: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    12: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    13: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    14: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    15: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    16: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  sha512:
    0 : 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    1 : 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    2 : 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    3 : 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    4 : 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    5 : 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    6 : 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    7 : 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    8 : 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    9 : 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    10: 0x1441F2DB863A70B3287435D61F7D6455CD9ADD37618D73E8A0A1E92C06F625BB0ED58427268966A305C0607864386634920DE3ACA3538DDB349B27F80F0D6C76
    11: 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    12: 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    13: 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    14: 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    15: 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    16: 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

模拟配置TPM可信度量