TPM
Deadline: Wednesday, 5/7/2025. Submit the report in HuskyCT.
In this project, we experiment with TPM.
We will first follow the course from the following repo. There are detailed instructions in files under docs directory.
The list of tutorials in the course is in the docs folder.
The manual of TPM2 commands is on the following page.
Environment Setup
This project is intended to run in a Linux environment. If you’re using Windows, please follow the instructions below step-by-step. For Linux/Ubuntu users, you can start directly from Step 2. For macOS users, while I haven’t tested it personally, you may also begin from Step 2. If you encounter any issues, try starting from Step 1.
Step 1: Install Ubuntu in a Virtual Machine.
We already installed a Virtual Machine in previous projects, so we can reuse it. Then follow these steps to install Ubuntu in the Virtual Machine.
- Download the Ubuntu image from the official Ubuntu website. I used Ubuntu 24.04.2 LTS, but other versions should work as well.
- Set up the image using VirtualBox by following this step-by-step tutorial.
Step 2: Install Docker and Set Up the TPM Environment.
The environment for TPM is in a docker container. Once Ubuntu is up and running (either natively or in a virtual machine), follow the instructions under the “Installation” section in the TPM 2.0 Courses GitHub repository. These steps will walk you through installing Docker and configuring the TPM environment required for the project.
If you are not familiar with docker, please see docker.md for details. Be careful about removing containers. A container can be stopped and resumed. However, if you delete a container, all files in that container will be lost.
Here are some commonly used commands, assuming the container’s name is tpm.
docker run --name tpm -it tpmcourse:latest
docker start tpm
docker exec -it tpm bash
docker stop tpm
We can restart the TPM with the shell script tpm2restart.sh.
Tasks
Task 1 Set up the environment and generate random bytes
After setting up the docker container, study the tutorial in random.md.
Include the following tasks in your report.
- Generate 16 random bytes and display them on screen in hexadecimal.
- Find out the largest number of random values that can be generated by the command. What happens if we ask for more random numbers?
Task 2 Experiment with objects
Study the tutorial and try the commands in objects.md.
- Do not set the “lockout” password. If you forget any password, we can use tpm2_clear to clear the passwords.
- You do not need to try the “Dictionary Lockout” and “Locality” sections.
- Do not set the lockout password in this project.
Clear all passwords before working on later tasks (so we do not need to enter passwords). To clear a password, just leave the new password empty.
Include the following tasks in your report.
- Assume no password is set. Set the owner’s password to “ABCDE”.
- Try the same command. What messages are shown? Explain why it is not successful.
- Change the owner’s password to “123456”.
- Try to change the password again. What messages are shown? Explain why it is not successful.
- Clear the owner’s password.
Task 3 Keys and encryption/decryption/signing/verification
Study the tutorial and try the commands in key.md. Skip the “Loading External Keys” section. There is an important section after it.
The command to remove an object by handle is as follows. The command in the tutorial misses -c.
tpm2_evictcontrol -c 0x81010004
We do not have to make a key persistent. We can use the context file in place of a handle.
When making a key persistent with tpm2_evictcontrol, we do not have to specify a handle. The first handle available will be used if the command line does not have a handle.
Include the following tasks in the report.
- Generate an AES key in the owner’s hierarchy, encrypt a plaintext file with an IV, and then decrypt it. The command in the tutorial does not have an IV file. We generate 16 random bytes as the IV. The same IV is required for decryption. Find out what happens if we do not specify the IV when decrypting. Can the command encrypt the largest file in the directory?
- Demonstrate that you can decrypt the ciphertext after the TPM restarts.
- Generate an RSA key pair in the owner’s hierarchy, and demonstrate signing and verification with the key. The process is similar to what is described in the tutorial.
Task 4: Quoting
Study the tutorials and try the commands in pcrs.md and quoting.md.
We will use PCR 23 in SHA1 bank.
Include the following tasks in the report.
- Reset PCR 23, extend it with the hash of h.txt, and find out the value in the PCR.
  - The SHA1 hash of the file ends with 0399. The updated PCR 23 value ends with 4881.
- Generate an endorsement key (EK) and an attestation key (AK) as in keys.md. Generate a quote for PCR 23 (in SHA1 bank), which has the hash from the previous step. Run tpm2_print to examine the quote.
- If we do not make AK persistent, can we use the same AK after restarting TPM? Explain your answer.
Task 5: Sealing and unsealing
Now we experiment with sealing a secret with a key and measurements.
- We create a policy that specifies the set of PCRs to be used in sealing. The “Policy Creation” section in nvram.md has examples of creating policy. We will include PCR 23 (SHA1) only in our policy (and we can easily include more PCRs). PCR 23 must have the hash value extended by h.txt from 0. Note that if PCR 23 has the correct hash value, we do not need to use the -f option for tpm2_createpolicy.
- Seal file secret with the primary key in owner’s hierarchy and the policy created in the previous step. Demonstrate that you can unseal the blob.
- Demonstrate that if PCR 23 does not have the correct value, you cannot unseal the blob.
- Demonstrate that you can unseal the blob after restarting the TPM.
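As an added example (not part of the course repo or its tutorials), the Python model below reproduces what Tasks 4 and 5 rely on: how extending PCR 23 from 0 produces its value, and why a PCR policy only matches while PCR 23 holds that value. The content standing in for h.txt is constructed, and a SHA256 policy digest is assumed.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F   # command code of TPM2_PolicyPCR
TPM_ALG_SHA1 = 0x0004            # algorithm ID of the SHA1 PCR bank

def pcr_extend(old, digest):
    """PCR extend in the SHA1 bank: new = SHA1(old || digest)."""
    return hashlib.sha1(old + digest).digest()

def pcr_selection(bank_alg, pcrs):
    """Marshal a TPML_PCR_SELECTION with one bank (3-byte bitmap, PCR 0-23)."""
    bitmap = bytearray(3)
    for n in pcrs:
        bitmap[n // 8] |= 1 << (n % 8)
    return struct.pack(">IHB", 1, bank_alg, 3) + bytes(bitmap)

def policy_pcr(selection, pcr_values):
    """Digest of a fresh SHA256 policy session after one TPM2_PolicyPCR."""
    digest_tpm = hashlib.sha256(b"".join(pcr_values)).digest()
    start = bytes(32)  # a new policy session starts from all zeros
    return hashlib.sha256(
        start + struct.pack(">I", TPM_CC_POLICY_PCR) + selection + digest_tpm
    ).digest()

# Constructed stand-in for h.txt (assumption; not the course file).
file_hash = hashlib.sha1(b"constructed stand-in for h.txt\n").digest()
pcr23_reset = bytes(20)                           # PCR 23 right after reset
pcr23_good = pcr_extend(pcr23_reset, file_hash)   # extended once from 0
pcr23_bad = pcr_extend(pcr23_good, file_hash)     # extended a second time

sel = pcr_selection(TPM_ALG_SHA1, [23])
sealed_policy = policy_pcr(sel, [pcr23_good])     # authPolicy of the sealed object

def can_unseal(current_pcr23):
    """Unseal is allowed only if the session digest equals the sealed policy."""
    return policy_pcr(sel, [current_pcr23]) == sealed_policy

if __name__ == "__main__":
    print("PCR 23 after extend:", pcr23_good.hex())
    print("policy digest      :", sealed_policy.hex())
    print("unseal, good PCR   :", can_unseal(pcr23_good))
    print("unseal, bad PCR    :", can_unseal(pcr23_bad))
```

The policy digest depends only on the PCR selection and the PCR values, which is why it can be computed either from the live PCR 23 or from a file of expected values.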
Deliverables
Submit a PDF file that includes commands you used in each Task and the results in screenshots.