Interfacing the IBM Software TPM to the TrouSerS TSS

Items Needed

Download and either install from rpm or build the following: the IBM Software TPM (with its utilities), TrouSerS (which provides tcsd and the TSS library), tpm-tools, and the TSS test suite.

Architecture

The TSS test suite and tpm-tools link against the TSS library. They are user applications that connect to tcsd through a socket.

TrouSerS includes a server, tcsd, which must be started as root. It accepts one socket connection from the TSS application and opens another socket to the TPM.

The software TPM runs as a non-root server listening on a socket; tcsd connects to it there.

Build

See the README files for build instructions.

Running

The overall procedure is:
  1. Start and initialize the TPM using the TPM utilities
  2. Start tcsd with -e
  3. Provision the TPM using tpm-tools
  4. Optionally continue provisioning the TPM using the TPM utilities
  5. Run the TSS test suite applications

Running the TPM

See the SW TPM's INSTALL file for install and run instructions; they are not repeated here.

The environment variable TPM_PORT is the socket port that the TPM listens on.

Begin provisioning the TPM using the SW TPM utilities as per the INSTALL instructions. Additional steps are required if the TPM is disabled or deactivated.

> tpmbios				(each time the TPM is started)
> createek				(only required once)
> ./nv_definespace -in ffffffff -sz 0	(only required once)

DO NOT take ownership using the SW TPM utilities.

Running tcsd

Set the environment variable TCSD_TCP_DEVICE_PORT to match the TPM's TPM_PORT socket number.

As root:

# export TCSD_TCP_DEVICE_PORT=6543
# /usr/sbin/tcsd -e -f

Caution: One cannot set the port as a user and then run "sudo tcsd". sudo resets the environment by default, so the variable is not inherited, and tcsd fails with the error "TCSD TDDL ERROR: Could not find a device to open!". Either set the variable after becoming root (as above), or pass it through explicitly on the command line, e.g. "sudo env TCSD_TCP_DEVICE_PORT=6543 /usr/sbin/tcsd -e -f".

Note: These two messages are expected and can be ignored:

TCSD TDDL ioctl: (22) Invalid argument
TCSD TDDL Falling back to Read/Write device support.

Running tpm-tools

Run this once to take ownership. tpm_takeownership prompts for the owner secret twice and then the SRK secret twice; the values below are the example secrets used throughout this document.

> tpm_takeownership
	ownerAuth	(example passwords)
	ownerAuth
	srkAuth
	srkAuth

Provisioning for Maintenance

The TSS test suite can run the optional TPM maintenance commands if the TPM was compiled to support them. If so, use the TPM utilities to load the maintenance key. E.g.,

> createkey -kt e -pwdp srkAuth -pwdk key -pwdm key -ok stkey -hp 40000000
> loadmanumaintpub stkey.key 

Running the TSS Test Suite

Set (and export) these environment variables, using the same secrets that were given to tpm_takeownership:

TESTSUITE_OWNER_SECRET="ownerAuth"
TESTSUITE_SRK_SECRET="srkAuth"

To run (the &> redirection is bash syntax, so start a bash shell first):

> bash
> ./tsstests.sh -v 1.2 &> error.log

The test suite will not yet run without errors, but it should not fail completely.
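The whole sequence above (start and initialise the TPM, start tcsd, take ownership, run the test suite) as one added bash script. This is an example written for this page, not code from this README or from the IBM SW TPM, TrouSerS or tpm-tools projects. It assumes the SW TPM utilities (tpmbios, createek, nv_definespace) are on PATH, the TPM listens on 127.0.0.1 with TPM_PORT defaulting to 6543, tcsd is /usr/sbin/tcsd, tsstests.sh is in the current directory, and the script is run as root so the TCSD_TCP_DEVICE_PORT export happens in the root shell itself (the sudo caution above). It adds two checks the procedure implies but does not spell out: that TCSD_TCP_DEVICE_PORT equals TPM_PORT before tcsd is launched, and that tcsd's startup log contains only the two benign ioctl/fallback lines and not the "Could not find a device to open" error. The file names tcsd.log and tss_setup.sh are assumptions.

```shell
#!/bin/bash
# Added example for this README (not project code). Assumptions: SW TPM
# utilities on PATH, TPM on 127.0.0.1:6543, tcsd at /usr/sbin/tcsd,
# tsstests.sh in the current directory, script run as root.
set -u

TPM_HOST="${TPM_HOST:-127.0.0.1}"
TPM_PORT="${TPM_PORT:-6543}"
TCSD_BIN="${TCSD_BIN:-/usr/sbin/tcsd}"
TCSD_LOG="tcsd.log"          # assumed file name for tcsd's stdout/stderr

# Decimal TCP port in 1..65535?
port_is_valid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tcsd reaches the TPM only if TCSD_TCP_DEVICE_PORT equals TPM_PORT.
# $1 = TPM_PORT, $2 = TCSD_TCP_DEVICE_PORT
ports_match() {
    port_is_valid "$1" && port_is_valid "$2" && [ "$1" -eq "$2" ]
}

# Sort one tcsd output line: "fatal" for the missing-device error (wrong or
# unset port, typically the sudo problem), "ignore" for the two expected
# messages quoted in this README, "other" for everything else.
classify_tcsd_line() {
    case "$1" in
        *"Could not find a device to open"*) echo fatal ;;
        *"TDDL ioctl: (22) Invalid argument"*|*"Falling back to Read/Write device support"*) echo ignore ;;
        *) echo other ;;
    esac
}

# Return 1 if any line of the given tcsd log is fatal; benign lines pass.
tcsd_log_ok() {
    local line
    while IFS= read -r line; do
        if [ "$(classify_tcsd_line "$line")" = fatal ]; then
            echo "tcsd could not reach the TPM: $line" >&2
            return 1
        fi
    done < "$1"
}

# True if something accepts TCP connections on host:port (bash /dev/tcp).
tpm_listening() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Step 1: TPM-side provisioning. tpmbios runs on every TPM start; createek
# and the nvLocked definition (index ffffffff, size 0) only on the first run.
# Ownership is deliberately NOT taken here (see the README's warning).
provision_tpm() {
    local first_run="$1"
    tpm_listening "$TPM_HOST" "$TPM_PORT" || { echo "no TPM on $TPM_HOST:$TPM_PORT" >&2; return 1; }
    tpmbios || return 1
    if [ "$first_run" = yes ]; then
        createek || return 1
        nv_definespace -in ffffffff -sz 0 || return 1
    fi
}

# Step 2: tcsd as root, the port exported in this (root) shell, output to a
# log so the expected and fatal messages can be told apart.
start_tcsd() {
    [ "$(id -u)" -eq 0 ] || { echo "start_tcsd must run as root" >&2; return 1; }
    ports_match "$TPM_PORT" "${TCSD_TCP_DEVICE_PORT:-$TPM_PORT}" \
        || { echo "TCSD_TCP_DEVICE_PORT does not match TPM_PORT=$TPM_PORT" >&2; return 1; }
    export TCSD_TCP_DEVICE_PORT="$TPM_PORT"
    "$TCSD_BIN" -e -f > "$TCSD_LOG" 2>&1 &
    TCSD_PID=$!
    sleep 2
    kill -0 "$TCSD_PID" 2>/dev/null || { echo "tcsd exited; see $TCSD_LOG" >&2; return 1; }
    tcsd_log_ok "$TCSD_LOG"
}

# Steps 3 and 5: tpm_takeownership prompts interactively for the owner and SRK
# secrets; the test suite then reads the same secrets from the environment.
take_ownership_and_test() {
    tpm_takeownership || return 1
    TESTSUITE_OWNER_SECRET="ownerAuth" TESTSUITE_SRK_SECRET="srkAuth" \
        bash ./tsstests.sh -v 1.2 > error.log 2>&1
    echo "test suite finished; output in error.log"
}

# Usage: ./tss_setup.sh run yes   (first run)   or   ./tss_setup.sh run no
# Nothing executes when the file is sourced or called without "run".
if [ "${1:-}" = "run" ]; then
    provision_tpm "${2:-no}" && start_tcsd && take_ownership_and_test
fi
```

The two benign tcsd lines are deliberately classified as "ignore" rather than treated as errors, since the README states they are expected; only the missing-device error aborts the sequence, because nothing after it (ownership, test suite) can work if tcsd never reached the TPM.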