Chinaunix首页 | 论坛 | 博客
  • 博客访问: 472740
  • 博文数量: 40
  • 博客积分: 1178
  • 博客等级: 少尉
  • 技术积分: 578
  • 用 户 组: 普通用户
  • 注册时间: 2009-04-28 21:27
文章分类

全部博文(40)

文章存档

2012年(3)

2011年(29)

2010年(7)

2009年(1)

分类: LINUX

2010-01-29 19:55:02

 
Introduction to Using the TSS
    By Ari Singer NTRU Cryptosystems  November 7, 2005


1.TPM Keys
  • Endorsement key for root of TPM trust
  • Storage root key for top of key hierarchy
  • Storage keys for key hierarchy and sealing
  • Identity keys for certifiable signatures
  • Binding keys for binding
  • Signing keys for signing arbitrary data
  • Legacy keys that can both sign and encrypt.
2.Accessing the TPM
  • There are several APIs and mechanisms for accessing the TPM
  • These APIs require differing levels of understanding of the TPM
  • Some mechanisms abstract away more TPM complexity than others
3. Understanding the TSS
  • The TSS abstracts some of the TPM complexities away
  • If you learn the TPM basics and the TSS API, you can create secure applications
  • The main goals of the TSS are:
   – Supply one entry point for applications to the TPM functionality
   – Provide synchronized access to the TPM
   – Hide building command streams with appropriate byte ordering and alignment from the applications
   – Manage TPM resources
   – Release TPM resources when appropriate
   – Manage application use of secrets and keys

4. TCG Device Driver Library (TDDL)
  •  Creates an abstraction layer hiding OS-specific device driver interfaces from the TCS
  • Single point of compatibility for TSS developers
  • Allows the TPM vendor to get/set device driver capabilities
 5.Code Samples
 Now here are some details about how to actually use this stuff . . .

/***** Seal to PCR Code ****/
int

main(void)

{

    TSS_HCONTEXT    hContext;

    TSS_HTPM        hTPM;

    TSS_HPOLICY     hPolicy;

    TSS_HKEY        hSRK ,hSealKey;
   
    TSS_HENCDATA    hSealData;

    TSS_HPCRS       hPCRs;


    BYTE            wellKnownSecret[] = TSS_WELL_KNOWN_SECRET;

    BYTE            rawData[64];

    UINT32          unsealedDataLength, pcrLength;

    BYTE            *unsealedData, *pcrValue;

    int             i;

    for (i = 0; i < 64; i++)

      rawData[i] = (BYTE)i;

/* create context and connect to TPM */

    Tspi_Context_Create(&hContext);

    Tspi_Context_Connect(hContext, NULL);


/* create empty keys and data object */

       Tspi_Context_CreateObject(hContext,

                                 TSS_OBJECT_TYPE_RSAKEY,          

                                 TSS_KEY_TSP_SRK,

                                 &hSRK);

       Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,

                                        TSS_KEY_TYPE_STORAGE |

                                         TSS KEY SIZE 2048 |

                                         TSS_KEY_NO_AUTHORIZATION |

                                         TSS_KEY_NOT_MIGRATABLE,

                                        &hSealKey);

       Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_ENCDATA,
                                           TSS_ENCDATA_SEAL,

                                           &hSealData);

/* get TPM object */

       Tspi_Context_GetTpmObject(hContext, &hTPM);

  
/* set up the default policy - this will apply to all objects */

       Tspi_Context_GetDefaultPolicy(hContext, &hPolicy);

       Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_SHA1, 20, wellKnownSecret);


/* create and load the sealing key */

       Tspi_Key_CreateKey(hSealKey, hSRK, 0);

       Tspi_Key_LoadKey(hSealKey, hSRK);


/* seal to PCR values */

    /* set the PCR values to the current values in the TPM */

       Tspi_TPM_PcrRead(hTPM, 5, &pcrLength, &pcrValue);

       Tspi_PcrComposite_SetPcrValue(hPCRs, 5, pcrLength,pcrValue);

       Tspi TPM_PcrRead(hTPM, 7, &pcrLength, &pcrValue);

       Tspi_PcrComposite_SetPcrValue(hPCRs, 7, pcrLength,pcrValue);

    
  /* perform the seal operation */

       Tspi_Data_Seal(hSealData,hSealKey, 64, rawData, hPCRs);

     
    /* unseal the blob */

       unsealedData = NULL;

       Tspi_Data_Unseal(hSealData, hSealKey, &unsealedDataLength, &unsealedData);
       

    /* free memory */

       Tspi_Context_FreeMemory(hContext, unsealedData);


   /* clean up */

       Tspi_Key_UnloadKey(hSealKey);

       Tspi_Context_CloseObject(hContext, hPCRs);

       Tspi_Context_CloseObject(hContext, hSealKey);

       Tspi_Context_CloseObject(hContext, hSealData);


  /* close context */

       Tspi_Context_Close(hContext);

       return 0;
  }


/*******Sign/verify Code************/
int
main(void)
{
    TSS_HCONTEXT        hContext;
    TSS_HHASH           hHash;
    TSS_HKEY            hSigningKey, hSRK;
    TSS HPOLICY         hPolicy;
    TSS_UUID            srkUUID = TSS_UUID_SRK;
    BYTE                secret[] = TSS_WELL_KNOWN_SECRET;
    UINT32              sigLen;
    BYTE                *sig;
    BYTE                hash[] =
      {0x32, 0xd1, 0x0c, 0x7b, 0x8c, 0xf9, 0x65, 0x70, 0xca, 0x04,
       0xce, 0x37, 0xf2, 0xa1, 0x9d, 0x84, 0x24, 0x0d, 0x3a, 0x89};
/* create context and connect */
       Tspi_Context_Create(&hContext);
       Tspi_Context_Connect(hContext, remote-pc);
/* create a signing key under the SRK */
      Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY,
                                       TSS_POLICY_USAGE, &hPolicy);
      Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_SHA1, 20, secret);
      Tspi_Context_GetKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, srkUUID, &hSRK);
      Tspi_Policy_AssignToObject(hPolicy,hSRK);
      Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
                             TSS_KEY_TYPE_SIGNING |
                              TSS_KEY_SIZE_2048 |
                              TSS_KEY_AUTHORIZATION |
                              TSS_KEY_NOT_MIGRATABLE,
                             &hSigningKey);
      Tspi_Policy_AssignToObject(hPolicy, hSigningKey);
      Tspi_Key_CreateKey(hSigningKey, hSRK, 0);
      Tspi_Key_LoadKey(hSigningKey, hSRK);
/* open valid hash object */
      Tspi_Context_CreateObject(hContext,TSS_OBJECT_TYPE_HASH,TSS_HASH_SHA1,
                                                                    &hHash);
/* set hash value and get valid signature */
       Tspi_Hash_SetHashValue(hHash, sizeof(hash), hash);
       Tspi_Hash_Sign(hHash, hSigningKey, &sigLen, &sig);
/* verify signature */
       Tspi_Hash_VerifySignature(hHash, hSigningKey, sigLen, sig);
/* free sig memory, close signing key object and context */
       Tspi Context FreeMemory(hContext sig);
       Tspi_Context_CloseObject(hContext, hSigningKey);
/* close context */
       Tspi_Context_Close(hContext);
   // we forgot to unload the signing key, but the TSS did it for us

// when we closed the context

    return 0;
}


阅读(2600) | 评论(0) | 转发(1) |
给主人留下些什么吧!~~