TPM Learning from Zero (11): Reviewing the Complete TPM Installation Process (Part 3)
Posted by 蓝天居士
This continues the previous article, "TPM Learning from Zero (10): Reviewing the Complete TPM Installation Process (Part 2)":
TPM Learning from Zero (10): Reviewing the Complete TPM Installation Process (Part 2), 蓝天居士's blog on CSDN
V. Running the TPM simulator as a service
The steps leading up to this one are in "TPM Learning from Zero (9): Reviewing the Complete TPM Installation Process (Part 1)", section I, "Complete simulator installation process". Insert the following steps after step 6 there:
1. Configure the TPM service
Create the tpm-server.service file and configure the service:
sudo vim /lib/systemd/system/tpm-server.service
Add the following content to the file:
[Unit]
Description=TPM2.0 Simulator Server Daemon
Before=tpm2-abrmd.service
[Service]
ExecStart=/usr/bin/tpm_server
Restart=always
Environment=PATH=/usr/bin:/usr/local/bin
[Install]
WantedBy=multi-user.target
Save and exit.
2. Test the TPM configuration and start the TPM service
penghao@Ding-Perlis-MP260S48:~$ sudo systemctl daemon-reload
[sudo] penghao 的密码:
penghao@Ding-Perlis-MP260S48:~$ sudo systemctl start tpm-server.service
penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status tpm-server.service
● tpm-server.service - TPM2.0 Simulator Server Daemon
Loaded: loaded (/usr/lib/systemd/system/tpm-server.service; disabled; vendor preset: enabled)
Active: active (running) since Fri 2023-01-13 11:21:10 CST; 14s ago
Main PID: 29025 (tpm_server)
Tasks: 3 (limit: 18940)
Memory: 968.0K
CPU: 10ms
CGroup: /system.slice/tpm-server.service
└─29025 /usr/bin/tpm_server
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: Manufacturing NV state...
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: Size of OBJECT = 2600
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: Size of components in TPMT_SENSITIVE = 1096
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: TPMI_ALG_PUBLIC 2
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: TPM2B_AUTH 66
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: TPM2B_DIGEST 66
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: TPMU_SENSITIVE_COMPOSITE 962
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: Starting ACT thread...
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: TPM command server listening on port 2321
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: Platform server listening on port 2322
This shows that the TPM simulator is now configured correctly and its service is running.
There is one problem, however: after a reboot, the service is back in the inactive state, as shown below:
penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status tpm-server
○ tpm-server.service - TPM2.0 Simulator Server Daemon
Loaded: loaded (/usr/lib/systemd/system/tpm-server.service; disabled; vendor preset: enabled)
Active: inactive (dead)
How is this fixed? Use the systemctl enable command, as shown below:
penghao@Ding-Perlis-MP260S48:~$ sudo systemctl enable tpm-server.service
Created symlink /etc/systemd/system/multi-user.target.wants/tpm-server.service → /usr/lib/systemd/system/tpm-server.service.
Reboot again and check the status of the tpm-server service, as shown below:
penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status tpm-server.service
[sudo] penghao 的密码:
● tpm-server.service - TPM2.0 Simulator Server Daemon
Loaded: loaded (/usr/lib/systemd/system/tpm-server.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-01-13 11:58:39 CST; 32s ago
Main PID: 369 (tpm_server)
Tasks: 3 (limit: 18940)
Memory: 1.2M
CPU: 6ms
CGroup: /system.slice/tpm-server.service
└─369 /usr/bin/tpm_server
1月 13 11:58:39 Ding-Perlis-MP260S48 systemd[1]: Started TPM2.0 Simulator Server Daemon.
1月 13 11:58:39 Ding-Perlis-MP260S48 tpm_server[369]: LIBRARY_COMPATIBILITY_CHECK is ON
1月 13 11:58:39 Ding-Perlis-MP260S48 tpm_server[369]: Starting ACT thread...
1月 13 11:58:39 Ding-Perlis-MP260S48 tpm_server[369]: TPM command server listening on port 2321
1月 13 11:58:39 Ding-Perlis-MP260S48 tpm_server[369]: Platform server listening on port 2322
The TPM simulator service now starts normally.
This completes the configuration of the TPM simulator service.
VI. Running tpm2-abrmd as a service
The steps leading up to this one are in "TPM Learning from Zero (10): Reviewing the Complete TPM Installation Process (Part 2)", section IV, "Complete tpm2-abrmd installation process". Insert the following steps after step 11 there:
1. Modify the tpm2-abrmd.service configuration
Edit the service configuration file /lib/systemd/system/tpm2-abrmd.service. Its original content is:
[Unit]
Description=TPM2 Access Broker and Resource Management Daemon
# These settings are needed when using the device TCTI. If the
# TCP mssim is used then the settings should be commented out.
After=dev-tpm0.device
Requires=dev-tpm0.device
[Service]
Type=dbus
BusName=com.intel.tss2.Tabrmd
ExecStart=/usr/local/sbin/tpm2-abrmd
User=tss
[Install]
WantedBy=multi-user.target
To have the service load the TSS library at start-up and talk to the simulator on local port 2321 (the mssim TCTI), change "ExecStart=/usr/local/sbin/tpm2-abrmd" in the file to "ExecStart=/usr/local/sbin/tpm2-abrmd --allow-root --tcti=mssim". The modified file reads:
[Unit]
Description=TPM2 Access Broker and Resource Management Daemon
# These settings are needed when using the device TCTI. If the
# TCP mssim is used then the settings should be commented out.
After=dev-tpm0.device
Requires=dev-tpm0.device
[Service]
Type=dbus
BusName=com.intel.tss2.Tabrmd
ExecStart=/usr/local/sbin/tpm2-abrmd --allow-root --tcti=mssim
User=tss
[Install]
WantedBy=multi-user.target
Save and exit after making the change.
2. Test the TPM configuration and start the tpm2-abrmd service
Bug#995925: tpm2-tss: Latest version breaks tpm2-abrmd due to outdated udev rule
The actual situation in the author's environment:
penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status tpm2-abrmd.service
[sudo] penghao 的密码:
○ tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
Loaded: loaded (/usr/local/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: enabled)
Active: inactive (dead)
1月 13 13:07:15 Ding-Perlis-MP260S48 systemd[1]: Dependency failed for TPM2 Access Broker and Resource Management Daemon.
1月 13 13:07:15 Ding-Perlis-MP260S48 systemd[1]: tpm2-abrmd.service: Job tpm2-abrmd.service/start failed with result 'dependency'.
1月 13 13:42:25 Ding-Perlis-MP260S48 systemd[1]: Dependency failed for TPM2 Access Broker and Resource Management Daemon.
1月 13 13:42:25 Ding-Perlis-MP260S48 systemd[1]: tpm2-abrmd.service: Job tpm2-abrmd.service/start failed with result 'dependency'.
1月 13 15:25:49 Ding-Perlis-MP260S48 systemd[1]: Dependency failed for TPM2 Access Broker and Resource Management Daemon.
1月 13 15:25:49 Ding-Perlis-MP260S48 systemd[1]: tpm2-abrmd.service: Job tpm2-abrmd.service/start failed with result 'dependency'.
penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status dev-tpm0.device
[sudo] penghao 的密码:
○ dev-tpm0.device - /dev/tpm0
Loaded: loaded
Active: inactive (dead)
1月 13 13:07:15 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start timed out.
1月 13 13:07:15 Ding-Perlis-MP260S48 systemd[1]: Timed out waiting for device /dev/tpm0.
1月 13 13:07:15 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start failed with result 'timeout'.
1月 13 13:42:25 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start timed out.
1月 13 13:42:25 Ding-Perlis-MP260S48 systemd[1]: Timed out waiting for device /dev/tpm0.
1月 13 13:42:25 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start failed with result 'timeout'.
1月 13 15:25:49 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start timed out.
1月 13 15:25:49 Ding-Perlis-MP260S48 systemd[1]: Timed out waiting for device /dev/tpm0.
1月 13 15:25:49 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start failed with result 'timeout'.
This matches the situation described in the bug report above.
Again, the actual situation in the author's environment:
penghao@Ding-Perlis-MP260S48:~$ cat TPM/tss/tpm2-tss/dist/tpm-udev.rules
# tpm devices can only be accessed by the tss user but the tss
# group members can access tpmrm devices
KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss"
KERNEL=="tpmrm[0-9]*", TAG+="systemd", MODE="0660", GROUP="tss"
The file /lib/udev/rules.d/60-tpm-udev.rules does not exist.
So ~/TPM/tss/tpm2-tss/dist/tpm-udev.rules needs to be copied to /lib/udev/rules.d/ and renamed 60-tpm-udev.rules:
$ sudo cp TPM/tss/tpm2-tss/dist/tpm-udev.rules /lib/udev/rules.d/60-tpm-udev.rules
Reboot. After rebooting, check the running state of the tpm2-abrmd service:
penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status tpm2-abrmd.service
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
Loaded: loaded (/usr/local/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-01-13 18:49:25 CST; 1min 4s ago
Main PID: 343 (tpm2-abrmd)
Tasks: 6 (limit: 18940)
Memory: 5.7M
CPU: 30ms
CGroup: /system.slice/tpm2-abrmd.service
└─343 /usr/local/sbin/tpm2-abrmd --allow-root
1月 13 18:49:25 Ding-Perlis-MP260S48 systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
1月 13 18:49:25 Ding-Perlis-MP260S48 systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.
1月 13 18:49:25 Ding-Perlis-MP260S48 systemd[1]: tpm2-abrmd.service: Current command vanished from the unit file, execution of the command list won't be resumed.
penghao@Ding-Perlis-MP260S48:~$ ps -ef | grep abrmd
tss 343 1 0 18:49 ? 00:00:00 /usr/local/sbin/tpm2-abrmd --allow-root
penghao 6947 1585 0 18:52 pts/1 00:00:00 grep --color=auto abrmd
The problem is solved.
This completes the configuration of the tpm2-abrmd service!
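The comment inside the tpm2-abrmd unit says the dev-tpm0.device lines should be commented out when the TCP mssim TCTI is used, and that is exactly the combination behind the "Dependency failed" status above. As an added example that is not part of the original post, the Python below lints a unit file for that mismatch and applies the fix the comment describes; the embedded unit text is a trimmed copy of the modified unit above, and the function names are my own.

```python
"""Added example (not from the original post): lint a tpm2-abrmd systemd unit
for the mssim-vs-dev-tpm0.device mismatch that yields "Dependency failed" at boot."""
import configparser
import shlex

def parse_unit(text):
    # systemd units are INI-like; full-line '#' comments are skipped by configparser
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case (ExecStart, not execstart)
    cp.read_string(text)
    return cp

def tcti_of(exec_start):
    """Return the TCTI named on the tpm2-abrmd command line, or None."""
    for arg in shlex.split(exec_start)[1:]:
        if arg.startswith("--tcti="):
            return arg.split("=", 1)[1]
    return None

def lint_abrmd_unit(text):
    """Return findings (list of str); an empty list means the unit is consistent."""
    unit = parse_unit(text)
    tcti = tcti_of(unit.get("Service", "ExecStart", fallback=""))
    device_keys = [k for k in ("After", "Requires")
                   if unit.get("Unit", k, fallback="") == "dev-tpm0.device"]
    if tcti and tcti.startswith("mssim") and device_keys:
        return ["tcti=%s but %s=dev-tpm0.device: systemd waits for /dev/tpm0, which "
                "the simulator never creates, and the start job fails with result "
                "'dependency'" % (tcti, "/".join(device_keys))]
    return []

def comment_out_device_deps(text):
    """The fix the unit's own comment describes: comment out the dev-tpm0.device lines."""
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key in ("After", "Requires") and line.rstrip().endswith("dev-tpm0.device"):
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"

# Trimmed copy of the modified unit from the post (Description, Type, BusName, User omitted)
MSSIM_UNIT = """[Unit]
After=dev-tpm0.device
Requires=dev-tpm0.device
[Service]
ExecStart=/usr/local/sbin/tpm2-abrmd --allow-root --tcti=mssim
"""
```

Running lint_abrmd_unit on the unit as installed on a host reports the mismatch before the first reboot, instead of after a timed-out dev-tpm0.device job.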