Skip to content

Certificates created by swtpm_setup

Stefan Berger edited this page Mar 17, 2021 · 9 revisions

Simulating TPM Manufacturing using swtpm_setup

swtpm_setup can be used to simulate the manufacturing of a TPM and create certificates for a TPM 1.2 and TPM 2. The implementation for swtpm_setup follows TCG specifications as close as possible in regards to the contents of the certificates and the NVRAM locations. The created certificates are signed by a local Certificate Authority (CA) that is automatically created if found missing. By default the swtpm-localca tool is used for creating those certificates locally.

The examples below assume that a user runs swtpm_setup to create the initial state of the TPM and then starts a QEMU VM with attached TPM that makes use of the initial state.

TPM 1.2 certificates

Use the following command line to create a TPM 1.2 certificate before starting swtpm.

> sudo mkdir /tmp/mytpm1
> sudo chown tss:root /tmp/mytpm1
> sudo swtpm_setup --tpmstate /tmp/mytpm1 --create-ek-cert --create-platform-cert

The EK certificate can be found at NVRAM location 0x1000f000 and the Platform certificate at 0x1000f002 [section 19.1.2 in [1]]. Both certificates are in DER format [2] with a 7-byte header [sections 7.4.4 and 7.4.5 in [3]]. Use the following commands from the tpm-tools package to read and display the contents of the certificate:

# Take ownership of the TPM 1.2
> tpm_takeownership
# Use the owner password as the NVRAM password when prompted; we skip the header using '-n 7'
> tpm_nvread -i 0x1000f000 -f ekcert.der -p -n 7
> tpm_nvread -i 0x1000f002 -f platcert.der -p -n 7

To display the certificates use the following command lines. Here we skip the 7 byte header.

> openssl x509 -inform der -in ekcert.der
> openssl x509 -inform der -in platcert.der

[1] TCG: TPM Main Part 2 TPM Structures Specification version 1.2 Level 2 Revision 116; 1 March 2011
[2] TCG Credential Profiles For TPM Family 1.2; Level 2; Specification Version 1.2, Revision 8; 3 July 2013
[3] TCG PC Specific Implementation Specification for Conventions BIOS; section 7.4.4 and 7.4.5.

TPM 2 certificates

Use the following command line to create a TPM 2 certificate before starting swtpm with the --tpm2 option.

> sudo mkdir /tmp/mytpm2
> sudo chown tss:root /tmp/mytpm2
> sudo swtpm_setup --tpmstate /tmp/mytpm2 --create-ek-cert --create-platform-cert --allow-signing --tpm2

The RSA EK certificate can be found at different NVRAM locations, depending on whether an RSA or elliptic curve key was created [1]. The following locations are supported:

  • 0x01c00002: RSA 2048
  • 0x01c0000a: NIST P-256 (secp256r1); up to swtpm 0.3
  • 0x01c00016: NIST P-384 (secp384r1); since swtpm 0.4
  • 0x01c0001c: RSA 3072 key; since swtpm 0.4

To determine which certificates are available run the following command:

> tssgetcapability -cap 1 -pr 0x01c00000
4 handles
        01c00002
        01c00004
        01c00016
        01c08000

The Platform certificate can be found at index 0x01c08000. All certificates are in DER format [2, 3]. Since the --allow-signing parameter was used, an EK Template for the RSA 2048 key was written into 0x01c0004.

Use the following commands from the tpm2-tools package to read and display the contents of an RSA 2048 certificate:

# first get the indices and sizes of the certificates
> tpm2_getcap handles-nv-index
> tpm2_nvread 0x1c00002 > ekcert.der
> tpm2_nvread 0x1c08000 > platcert.der

Alternatively, use the tss2 package, which allows us to write the data into files:

> export TPM_INTERFACE_TYPE=dev TPM_DEVICE=/dev/tpmrm0
> tssnvread -hia o -ha 0x01c00002 -of ekcert.der
> tssnvread -hia o -ha 0x01c08000 -of platcert.der

To display the certificates use the following command lines.

> openssl x509 -inform der -in platcert.der
> openssl x509 -inform der -in ekcert.der

[1] TCG TPM v2.0 Provisioning Guidance; Version 1.0, Revision 1.0; March 25, 2017
[2] TCG EK Credential Profile For TPM Family 2.0; Level 0; Specification Version 2.3, Revision 2; 9 March 2020 (Draft)
[3] TCG Platform Attribute Credential Profile; Specification Version 1.0, Revision 16; 16 January 2018

Verifying your EK cert against the CA

Now we want to verify the EK certificate (ekcert.der) against the CA that created it. Assuming the default configuration was used by swtpm_setup, we would expect to find the CA's certificate files in /var/lib/swtpm-localca. The CA files of interest are:

  • swtpm-localca-rootca-cert.pem: This is the root CA's certificate; it signed issuercert.pem
  • issuercert.pem : This is the intermediate CA's certificate that signed the EK certificate

We need to copy the above two files to the machine where we do the certificate verification and create a certificate bundle file from them. We also need to convert the DER formatted certificate into PEM format and then we can do the verification.

> openssl x509 -inform der -in ekcert.der -outform pem -out ekcert.pem
> cat swtpm-localca-rootca-cert.pem issuercert.pem > bundle.pem
> openssl verify -CAfile bundle.pem ekcert.pem
ekcert.pem: OK

Creating the EK

The EK may not be stored in the TPM 2 but one has to create it using a command. Once we have that we can compare the public key from the RSA certificate with the key that we created and see that they are indeed the same.

Using the tools from the tpm2-tools package (version 4.x):

> tpm2_createek -c - -G rsa -u myek.tpm2 -c ekcontext.bin
> tpm2_readpublic -c ekcontext.bin -f pem -o myek.pem
> openssl rsa -pubin -in myek.pem -text -noout
# Compare the modulus against ek.cert from 0x01c00002
> openssl x509 -inform der -in ekcert.der -pubkey  -noout | openssl rsa -pubin -text -noout

Using the tss2 tools:

> tsscreateek -cp -alg rsa
# Compare the modulus against ek.cert from 0x01c00002
> openssl x509 -inform der -in ekcert.der -pubkey  -noout | openssl rsa -pubin -text -noout