How to set up a TPM simulator in Ubuntu 20.04

Francis Lampayan
4 min read · Sep 7, 2021

This article will cover how to set up an environment with a simulator for the Trusted Platform Module (TPM), specifically IBM's open-source Linux version of the TPM 2.0 simulator, which one can use to study and develop software that talks to a TPM without needing a real TPM device.

This should not be used for production purposes, as by design it is not secure compared to a real TPM device; it is meant for research and development only.

The environment setup will be the following:

  • Ubuntu 20.04 LTS — in this example, running as a guest VM in VirtualBox
  • ibmtpm1661
  • tpm2-tss 3.1.0
  • tpm2-abrmd 2.3.1
  • tpm2-tss-engine 1.1.0
  • tpm2-tools 4.3.2
  • openssl 1.1.1

When choosing what version of tpm2-X libraries to use, we should refer to the dependencies table described in the documentation.

TPM-simulator installation

Install the necessary dependencies of the TPM simulator, then build it and run it as a daemon service.

[Screenshot: installation and setting up of the TPM simulator]

Once everything has been set up, the TPM simulator daemon service should be in the running state.

[Screenshot: running state of IBM's TPM simulator as a daemon service]

tpm2-tss installation

To be able to interface with a TPM (simulator or not), we need to install tpm2-tss. Tpm2-tss is an open-source library that implements the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS). Details and the APIs it implements can be found in its official GitHub repository.

[Screenshot: tpm2-tss installation]
[Screenshot: output of the ./configure execution]

tpm2-abrmd installation

Normally, with a real physical TPM device, there is the resource manager (tpmrm) that... well, let's just quote how the Trusted Computing Group defines it:

manages the TPM context in a manner similar to a virtual memory manager. It swaps objects, sessions, and sequences in and out of the limited TPM memory as needed. This layer is mostly transparent to the upper layers of the TSS and is not mandatory. However, if not implemented, the upper layers will be responsible for TPM context management.

In our case, since this is a software TPM, we have to install a software implementation of that access broker and resource manager layer, which is exactly what tpm2-abrmd (TPM2 Access Broker & Resource Manager Daemon) is all about.

[Screenshot: tpm2-abrmd installation and setup]
[Screenshot: tpm2-abrmd running as a daemon service]
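The article's screenshots carry the actual commands for the simulator and tpm2-abrmd sections, so here is an added example (not the author's own script) of one way to turn both daemons into systemd services: build tpm_server from the IBM tarball, run it as an unprivileged tss user with a fixed working directory so its NVChip state file survives restarts, and override the ExecStart of tpm2-abrmd so it reaches the simulator over the mssim TCTI rather than /dev/tpm0. Assumptions: ibmtpm1661.tar.gz is already in the current directory, tpm2-abrmd was installed with its default prefix (so the binary is /usr/local/sbin/tpm2-abrmd and it ships a tpm2-abrmd.service unit), and the service name tpm-server, the state directory and the host/port are choices made here (2321 is the default command port of tpm_server).

```shell
#!/bin/sh
# Added example (not the article's own scripts): build the IBM TPM 2.0 simulator,
# run it as a systemd service, and point tpm2-abrmd at it over the mssim TCTI.
# Assumptions: ibmtpm1661.tar.gz sits in the current directory; tpm2-abrmd was
# installed with its default prefix (/usr/local/sbin); service name, state
# directory and port below are our own choices.
set -eu

TARBALL="${TARBALL:-ibmtpm1661.tar.gz}"
STATE_DIR="/var/lib/tpm-simulator"   # tpm_server writes its NVChip state file in its cwd
SIM_HOST="127.0.0.1"
SIM_PORT="2321"                      # tpm_server default command port (platform port is 2322)

# mssim TCTI configuration string understood by tpm2-tss consumers (abrmd, tpm2-tools).
mssim_tcti() {
    printf 'mssim:host=%s,port=%s' "$1" "$2"
}

build_simulator() {
    sudo apt-get install -y build-essential libssl-dev
    # The IBM tarball has no top-level directory, so unpack it into one.
    mkdir -p ibmtpm && tar -xzf "$TARBALL" -C ibmtpm
    (cd ibmtpm/src && make)
    sudo install -m 0755 ibmtpm/src/tpm_server /usr/local/bin/tpm_server
}

install_services() {
    # Unprivileged account shared with tpm2-abrmd (its D-Bus policy expects "tss").
    id tss >/dev/null 2>&1 || sudo useradd --system --user-group --no-create-home tss
    sudo install -d -o tss -g tss -m 0750 "$STATE_DIR"

    sudo tee /etc/systemd/system/tpm-server.service >/dev/null <<EOF
[Unit]
Description=IBM TPM 2.0 simulator (tpm_server)

[Service]
ExecStart=/usr/local/bin/tpm_server
WorkingDirectory=$STATE_DIR
User=tss
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

    # Drop-in override: replace the ExecStart shipped with tpm2-abrmd so it talks
    # to the simulator instead of /dev/tpm0, and start it after the simulator.
    sudo install -d /etc/systemd/system/tpm2-abrmd.service.d
    sudo tee /etc/systemd/system/tpm2-abrmd.service.d/mssim.conf >/dev/null <<EOF
[Unit]
After=tpm-server.service
Requires=tpm-server.service

[Service]
ExecStart=
ExecStart=/usr/local/sbin/tpm2-abrmd --tcti=$(mssim_tcti "$SIM_HOST" "$SIM_PORT")
EOF

    sudo systemctl daemon-reload
    sudo systemctl enable --now tpm-server.service tpm2-abrmd.service
    systemctl --no-pager status tpm-server.service tpm2-abrmd.service
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = install ]; then
    build_simulator
    install_services
fi
```

Run it as `sh tpm-sim-setup.sh install`. With the broker up, tpm2-tools and the tpm2tss engine find the TPM through it; the same TCTI string can also be put in TPM2TOOLS_TCTI if you want tpm2-tools to bypass the broker for a quick test. If tpm2-abrmd fails to claim its D-Bus name right after installation, the D-Bus policy file it installed has not been picked up yet; reloading dbus (or a reboot) takes care of that.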

tpm2-tss-engine installation

To be able to use openssl with the TPM, we need to install tpm2-tss-engine.

This will install the necessary libraries for the openssl tpm2tss engine; below is the directory and its contents.

[Screenshot: directory listing of the installed tpm2tss engine files]

Testing with openssl

At this point we have a fully usable environment for openssl. You can run all sorts of commands supported by tpm2tss (e.g. creating a private key, signing a CSR, generating a random number backed by the TPM, etc.).

Example command for generating a random number using TPM via tpm2tss engine:

openssl rand -engine tpm2tss -hex 10
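As an added example (not from the article), here is a small shell script that exercises the tpm2tss engine end to end on the simulator: it checks that the engine loads, pulls random bytes as in the command above and verifies the length of what came back, creates a TPM-resident RSA key with tpm2tss-genkey, signs a CSR with it, then signs and verifies a file digest with the same key. It assumes tpm2-abrmd is running and the engine is installed as described; the file names and the certificate subject are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the article): exercise the tpm2tss OpenSSL engine
# against the simulator. Assumes tpm2-abrmd is running and tpm2-tss-engine is
# installed as described above. File names and subject are constructed for the demo.
set -eu

KEY="${KEY:-demo-key.tss}"       # TPM-wrapped private key blob written by tpm2tss-genkey
CSR="${CSR:-demo.csr}"
SUBJ="${SUBJ:-/CN=tpm-sim-demo}"

# Return 0 when OpenSSL can load the tpm2tss engine, 1 otherwise.
engine_ok() {
    openssl engine -t tpm2tss 2>/dev/null | grep -q '\[ available \]'
}

# hex_len_ok <string> <nbytes>: 0 when <string> is exactly 2*<nbytes> lowercase
# hex characters, i.e. `openssl rand -hex <nbytes>` returned what was asked for.
hex_len_ok() {
    [ "${#1}" -eq $(( $2 * 2 )) ] && [ -z "$(printf '%s' "$1" | tr -d '0-9a-f')" ]
}

demo() {
    engine_ok || { echo "tpm2tss engine not available" >&2; return 1; }

    # Random bytes drawn from the (simulated) TPM RNG, as in the article.
    r=$(openssl rand -engine tpm2tss -hex 10)
    hex_len_ok "$r" 10
    echo "rand: $r"

    # Create a TPM-resident RSA key; only a wrapped blob lands on disk.
    tpm2tss-genkey -a rsa -s 2048 "$KEY"

    # Sign a CSR with that key; the private half never leaves the TPM.
    openssl req -new -engine tpm2tss -keyform engine -key "$KEY" -subj "$SUBJ" -out "$CSR"
    openssl req -in "$CSR" -noout -verify

    # Sign a file digest with the TPM key, then verify with the exported public key.
    printf 'hello tpm\n' > demo.txt
    openssl dgst -sha256 -engine tpm2tss -keyform engine -sign "$KEY" -out demo.sig demo.txt
    openssl rsa -engine tpm2tss -inform engine -in "$KEY" -pubout -out demo.pub
    openssl dgst -sha256 -verify demo.pub -signature demo.sig demo.txt
}

# Only run the TPM-touching part when asked, so sourcing the file is side-effect free.
if [ "${1:-}" = run ]; then
    demo
fi
```

Run it as `sh tpm2tss-demo.sh run`. The point of the last three commands is the division of labour the engine gives you: demo-key.tss is only usable through a TPM holding the wrapping key, while demo.pub is an ordinary PEM public key any OpenSSL without the engine can verify against.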

tpm2-tools installation

To be able to tinker with the TPM itself (e.g. reading PCRs, creating a private key under a hierarchy, etc.), tpm2-tools provides the commands to help with this.

After installation, the various tpm2_* commands of tpm2-tools are available, such as tpm2_pcrread, which displays PCR values. In this example it outputs all PCRs in every hash bank.

[Screenshot: tpm2_pcrread output listing all PCRs and their hash banks]
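Reading PCRs is most useful when you compare them with something. As an added example (not from the article), this script parses tpm2_pcrread output and checks chosen PCRs against a recorded baseline, which is the same comparison an attestation verifier makes on a quote. The sample output and the baseline values are constructed (a freshly started simulator reports all-zero PCRs in the low indices), and the output format assumed is that of tpm2-tools 4.x: a `<bank>:` header line per hash bank followed by `<index> : 0x<hex>` lines.

```shell
#!/bin/sh
# Added example (not from the article): compare selected PCR values reported by
# tpm2_pcrread against a recorded baseline. Assumes the tpm2-tools 4.x output
# format: one "<bank>:" header line per hash bank, then "  <index> : 0x<hex>" lines.
set -eu

# Constructed sample of tpm2_pcrread output from a freshly started simulator
# (all-zero PCRs), used to exercise the parser offline.
SAMPLE_PCRREAD='sha1:
  0 : 0x0000000000000000000000000000000000000000
  7 : 0x0000000000000000000000000000000000000000
sha256:
  0 : 0x0000000000000000000000000000000000000000000000000000000000000000
  7 : 0x0000000000000000000000000000000000000000000000000000000000000000'

# Constructed baseline: "<bank> <index> <expected value>" per line. In practice
# these are recorded from a known-good boot of the same machine image.
BASELINE='sha256 0 0x0000000000000000000000000000000000000000000000000000000000000000
sha256 7 0x0000000000000000000000000000000000000000000000000000000000000000'

# pcr_value <bank> <index>: print the value of one PCR from tpm2_pcrread text on
# stdin; return 1 (printing nothing) if the bank or the index is absent.
pcr_value() {
    awk -v bank="$1:" -v idx="$2" '
        /^[A-Za-z0-9_]+:$/ { cur = $1; next }                 # bank header, e.g. "sha256:"
        cur == bank && $1 == idx && $2 == ":" { print $3; found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# check_baseline: read tpm2_pcrread text on stdin, report every PCR that differs
# from BASELINE on stderr, and return 0 only when all of them match.
check_baseline() {
    input=$(cat)
    bad=0
    while read -r bank idx want; do
        [ -n "$bank" ] || continue
        got=$(printf '%s\n' "$input" | pcr_value "$bank" "$idx") || got="<absent>"
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $bank:$idx expected $want got $got" >&2
            bad=$((bad + 1))
        fi
    done <<EOF
$BASELINE
EOF
    [ "$bad" -eq 0 ]
}

# Live check against the simulator; with tpm2-abrmd up, tpm2-tools reaches it
# through the broker. Only runs when asked, so sourcing the file is side-effect free.
if [ "${1:-}" = run ]; then
    if tpm2_pcrread sha256:0,7 | check_baseline; then
        echo "PCRs match baseline"
    else
        echo "PCR baseline check FAILED" >&2
        exit 1
    fi
fi
```

Run it as `sh pcr-check.sh run`. To see the mismatch path on the simulator, extend a PCR first (for example `tpm2_pcrextend 7:sha256=<hex digest>`) and run the check again; on a real machine the same mismatch is what tells you the boot chain changed since the baseline was taken.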

And there we go: a fully set up environment with a running virtual, software-based TPM for research, development, or simply exploring what can be done with TPMs without having the real physical device.
