Storing SRK on the TPM with Trousers
I am using Trousers to interact with my project's TPM. I ran into a storage problem with the SRK (Storage Root Key).
My understanding is that the SRK key pair is generated when ownership of the TPM is taken and is stored inside the TPM. But it looks like some part of it is stored in system persistent storage (defined by the system_ps_file configuration). If the system persistent storage is deleted, the SRK can no longer be loaded.
Code to create the SRK:
TSS_FLAG srk_flags = TSS_KEY_TSP_SRK|TSS_KEY_AUTHORIZATION;
int result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY, srk_flags, srk_handle);
Code to load the SRK:
TSS_UUID srk_uuid = TSS_UUID_SRK;
int result = Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, srk_uuid, srk_handle);
The code above works fine as long as the system persistent storage data file is present. But once it is deleted, I get:
ERROR: Tspi_Context_LoadKeyByUUID (SRK) failed rc=0x2020
Is there a way to recover the deleted storage file, or to avoid using it for the SRK?
Your assessment of what is happening is quite right. The requirement to store keys in persistent storage comes straight from the TSS specification:
All keys, which should be internally managed by the Key Management
Services of TSS must be registered in the persistent storage database
of TCS (System Persistent Storage) or TSP (User Persistent Storage).
Each key registered in one of these databases will be referenced by
its UUID and called a persistent key from this specification’s point
of view.
That said, what is stored in place of the SRK is a zeroed-out "fake SRK", so in theory you could run the same code to replace it:
BYTE *save;
/* Once the key file is created, it stays forever. There could be
* migratable keys in the hierarchy that are still useful to someone.
*/
result = ps_remove_key(&SRK_UUID);
if (result != TSS_SUCCESS && result != TCSERR(TSS_E_PS_KEY_NOTFOUND)) {
destroy_key_refs(&srkKeyContainer);
LogError("Error removing SRK from key file.");
*srkKeySize = 0;
free(*srkKey);
goto done;
}
/* Set the SRK pubkey to all 0's before writing the SRK to disk, this is for
* privacy reasons as outlined in the TSS spec */
save = srkKeyContainer.pubKey.key;
srkKeyContainer.pubKey.key = fake_pubkey;
offset = 0;
LoadBlob_TSS_KEY(&offset, fake_srk, &srkKeyContainer);
if ((result = ps_write_key(&SRK_UUID, &NULL_UUID, NULL, 0, fake_srk,
offset))) {
destroy_key_refs(&srkKeyContainer);
LogError("Error writing SRK to disk");
*srkKeySize = 0;
free(*srkKey);
goto done;
}
srkKeyContainer.pubKey.key = save;
But what you should really do is back up your persistent storage. If you lose it, you lose all the other keys you created (not the SRK).
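As an added illustration of that last piece of advice (an example script written for this page, not code from the thread or from the TrouSerS project): a POSIX shell helper that backs up the tcsd system persistent store together with a SHA-256 manifest, can verify the live store against that manifest, and restores the file only when the backup copy still matches its recorded digest. The location of tcsd.conf (/etc/tcsd.conf) and the fallback store path used when system_ps_file is commented out (/var/lib/tpm/system.data) are assumptions, not taken from the page; both can be overridden through the TCSD_CONF and DEFAULT_PS variables.

```shell
#!/bin/sh
# Added example, not from the original thread or from TrouSerS: back up,
# verify and restore the tcsd system persistent store (the file named by
# system_ps_file in tcsd.conf). The default locations below are assumptions
# about a typical install; override them for your build.
set -eu

TCSD_CONF="${TCSD_CONF:-/etc/tcsd.conf}"
DEFAULT_PS="${DEFAULT_PS:-/var/lib/tpm/system.data}"

# Hex SHA-256 of a file, without the trailing file name.
digest_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Resolve the store path: honour an uncommented "system_ps_file = <path>"
# line in tcsd.conf (last one wins), otherwise fall back to DEFAULT_PS.
ps_path() {
    if [ -r "$TCSD_CONF" ]; then
        p=$(sed -n 's/^[[:space:]]*system_ps_file[[:space:]]*=[[:space:]]*//p' "$TCSD_CONF" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
        if [ -n "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    fi
    printf '%s\n' "$DEFAULT_PS"
}

# Copy the store into directory $1 and record its digest so a later restore
# can prove the copy was not altered or truncated in the meantime.
ps_backup() {
    dest="$1"
    src=$(ps_path)
    [ -r "$src" ] || { echo "no persistent store at $src" >&2; return 1; }
    mkdir -p "$dest"
    cp -p "$src" "$dest/system.data"
    digest_of "$dest/system.data" > "$dest/system.data.sha256"
    # The file holds the wrapped key blobs of every key registered with tcsd,
    # so keep the copy readable by its owner only.
    chmod 600 "$dest/system.data" "$dest/system.data.sha256"
}

# Return 0 if the live store still matches the manifest in directory $1.
ps_verify() {
    live=$(ps_path)
    [ -r "$live" ] || return 1
    expected=$(cat "$1/system.data.sha256")
    [ "$(digest_of "$live")" = "$expected" ]
}

# Put the backed-up store from directory $1 back in place, refusing a copy
# whose digest no longer matches its manifest. Stop tcsd before running this.
ps_restore() {
    srcdir="$1"
    dst=$(ps_path)
    expected=$(cat "$srcdir/system.data.sha256")
    [ "$(digest_of "$srcdir/system.data")" = "$expected" ] || {
        echo "backup digest mismatch, refusing to restore" >&2
        return 1
    }
    mkdir -p "$(dirname "$dst")"
    cp -p "$srcdir/system.data" "$dst"
    chmod 600 "$dst"
}
```

Run the backup right after taking ownership and again after every key you register, and keep the copy off the host whose disk you are protecting against; a backup on the same filesystem disappears with the original. Restoring the file repairs the UUID lookup that fails with rc=0x2020, and it is the only way to get the other registered keys back, since the SRK record itself is the zeroed "fake SRK" described above and carries no secret.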