The software TPM is targeted toward application development,
education, and virtualization.
Software Development
The intent is that an application can be developed using the software
TPM. The application should then run using a hardware TPM without
changes.
Advantages of this approach:
- In contrast to a hardware TPM, it runs on many platforms and it's
generally faster.
- Application software errors are easily reversed by simply removing
the TPM state and starting over.
- Difficult crypto errors are quickly debugged by looking inside the
TPM. The extensive tracing supports remote diagnosis and support.
- The tracing and ability to step through code, as well as the
supporting TPM demo utilities, help to understand how a TPM works.
- The TPM defaults to minimal resources, although this is easily
changed. Since hardware TPM resources (e.g., key and session slots)
vary, this default helps detect an application that might not be
portable to TPMs from different vendors.
- See also the TPM Proxy
This package contains four modules (the items in the green boxes):
- Software TPM
- A complete TPM 1.2 implementation. Portions of the
specification are reproduced with permission of the Trusted Computing
Group.
- libtpm
- A library of low level demo TPM function calls
- Utilities
- A set of demo command line utilities and a TPM regression test using libtpm
- TPM Proxy
- Proxies used to connect a TCP/IP based TPM interface to a hardware TPM device driver
- Trousers Interface
- Instructions for running the SW TPM with Trousers
- TCG TPM Test Suite
- Instructions for running the SW TPM with the TCG TPM Test Suite
The IBM Software TPM can be
downloaded here.
See also the
TrouSers TSS
for Linux, the
Linux Integrity Subsystem
and
Open Platform Trust Services (OpenPTS).
The typical Software TPM interface is TCP/IP sockets. The block
diagram shows that many host applications, such as the Trousers TSS , the IBM TPM
utilities and regression test, the TCG TPM test
suite, and the IBM DAA test suite all support this socket interface.
Some advantages are:
- An application can connect to more than one TPM. For example, TPM
to TPM key migration is easily tested.
- Using the TPM proxy, an application can transparently switch
between software and hardware TPMs
- An application can connect to a remote hardware TPM, allowing
application debug on a platform that does not have a TPM, where the
platform hosting the TPM does not currently support the application,
or where the application developer is at a remote location.
- The TPM can be halted and restarted, or the platform rebooted,
without stopping the application.
- A proxy in the socket path can intercept and trace TPM commands
and responses.
The features include:
- Current to TPM 1.2 revision 116 with updates to 117
- Coded in C
- Interfaces
- TCP/IP or Unix domain sockets
- multiple TPMs
- multiple operating systems
- mix hardware and software TPMs
- simple TPM server reboot
- scripting tester
- direct function call
- does not simulate TIS registers or the LPC bus
- Platforms
- Windows XP 32 and 64 bit
- Linux 32 and 64 bit
- AIX PPC
- IBM Cell processor (not included)
- IBM Crypto Coprocessor (not included)
- Uses openSSL 0.9.8 or 1.0.0 crypto library
- #ifdef's for
- PC Client
- TPM 1.1 (not well tested)
- tracing
- TPM_Init
- Optional callbacks for
- locality
- physical presence
- GPIO
- Environment variables for
- NVRAM directory
- Socket hostname and port, Unix domain socket
- Goal was correct, portable, maintainable code
- Goal was not performance, code size, memory size
- Options implemented
- All optional commands, all deprecated commands
- audit
- Optional key sizes
- AES for ADIP and transport, CTR and OFB mode
- Testing
libtpm supports the Utilities. It compiles
to a shared object or DLL. It provides a low level API to TPM command
ordinals.
Here is some background material.
- Linux
- The TPM interfaces are TCP/IP sockets to the Software TPM or TPM
Proxy, Unix domain sockets, or the hardware TPM device driver.
- Windows
- The TPM interfaces is TCP/IP sockets only. Use the TPM Proxy to connect to a hardware TPM device driver.
Utilities is a number of command line programs. Each typically maps
directly to TPM command ordinals, but some support authorization
session setup or context saving.
In general, the -h option provides help for each program.
The TPM Proxy acts on one side as a TCP/IP socket server and on the
other side as an interface to the TPM device driver. It passes
commands from the socket to the device driver and passes responses
from the device driver to the socket.
The proxies are useful in cases such as:
- Connecting the libtpm Windows version (socket only) to a Windows
hardware TPM.
- The host application supports TCP/IP sockets but is not ported to
the platform where the TPM is running. Porting the proxy is easier
than porting the application.
- One application can connect to more than one TPM, with some
TPMs running on another platform.
- The proxy, in verbose mode, will trace each TPM command and
response packet. This aids debugging, especially in cases where the
application itself does not trace. Both the Trousers TSS and libtpm
support the socket interface.
- While libtpm and thus the utilities support both socket and device
driver interfaces, it is often more convenient to compile once for
sockets and use the proxy.
The Trousers TSS can interface to the SW TPM using TCP/IP sockets.
Here are some instructions. Please provide feedback.
To interface the TCG TPM Test Suite to the SW TPM using TCP/IP sockets:
- Start the tpmtest program with the -HSC hostname:port
options, where hostname is the host where the TPM is
running, possibly localhost, and port is the socket
port number that the TPM is listening on.