Certificates created by swtpm_setup
swtpm_setup can be used to simulate the manufacturing of a TPM and create certificates for a TPM 1.2 and TPM 2. The implementation for swtpm_setup follows TCG specifications as close as possible in regards to the contents of the certificates and the NVRAM locations. The created certificates are signed by a local Certificate Authority (CA) that is automatically created if found missing. By default the swtpm-localca tool is used for creating those certificates locally.
The examples below assume that a user runs swtpm_setup to create the initial state of the TPM and then starts a QEMU VM with attached TPM that makes use of the initial state.
Use the following command line to create a TPM 1.2 certificate before starting swtpm.
> sudo mkdir /tmp/mytpm1
> sudo chown tss:root /tmp/mytpm1
> sudo swtpm_setup --tpmstate /tmp/mytpm1 --create-ek-cert --create-platform-cert
The EK certificate can be found at NVRAM location 0x1000f000 and the Platform certificate at 0x1000f002 [section 19.1.2 in [1]]. Both certificates are in DER format [2] with a 7-byte header [sections 7.4.4 and 7.4.5 in [3]]. Use the following commands from the tpm-tools package to read and display the contents of the certificate:
# Take ownership of the TPM 1.2
> tpm_takeownership
# Use the owner password as the NVRAM password when prompted; we skip the header using '-n 7'
> tpm_nvread -i 0x1000f000 -f ekcert.der -p -n 7
> tpm_nvread -i 0x1000f002 -f platcert.der -p -n 7
To display the certificates use the following command lines. Here we skip the 7 byte header.
> openssl x509 -inform der -in ekcert.der
> openssl x509 -inform der -in platcert.der
[1] TCG: TPM Main Part 2 TPM Structures Specification version 1.2 Level 2 Revision 116; 1 March 2011
[2] TCG Credential Profiles For TPM Family 1.2; Level 2; Specification Version 1.2, Revision 8; 3 July 2013
[3] TCG PC Specific Implementation Specification for Conventions BIOS; section 7.4.4 and 7.4.5.
Use the following command line to create a TPM 2 certificate before starting swtpm with the --tpm2 option.
> sudo mkdir /tmp/mytpm2
> sudo chown tss:root /tmp/mytpm2
> sudo swtpm_setup --tpmstate /tmp/mytpm2 --create-ek-cert --create-platform-cert --tpm2
The RSA EK certificate can be found at different NVRAM locations, depending on whether an RSA or elliptic curve key was created [1]. The following locations are supported:
- 0x01c00002: RSA 2048
- 0x01c0000a: NIST P-256 (secp256r1); up to swtpm 0.3
- 0x01c00016: NIST P-384 (secp384r1); since swtpm 0.4
- 0x01c0001c: RSA 3072 key; since swtpm 0.4
To determine which certificates are available run the following command:
> tssgetcapability -cap 1 -pr 0x01c00000
4 handles
01c00002
01c00004
01c00016
01c08000
The Platform certificate can be found at index 0x01c08000. All certificates are in DER format [2, 3].
Use the following commands from the tpm2-tools package to read and display the contents of an RSA 2048 certificate:
# first get the indices and sizes of the certificates
> tpm2_getcap handles-nv-index
> tpm2_nvread 0x1c00002 > ekcert.der
> tpm2_nvread 0x1c08000 > platcert.der
Alternatively, use the tss2 package, which allows us to write the data into files:
> export TPM_INTERFACE_TYPE=dev TPM_DEVICE=/dev/tpmrm0
> tssnvread -hia o -ha 0x01c00002 -of ekcert.der
> tssnvread -hia o -ha 0x01c08000 -of platcert.der
To display the certificates use the following command lines.
> openssl x509 -inform der -in platcert.der
> openssl x509 -inform der -in ekcert.der
[1] TCG TPM v2.0 Provisioning Guidance; Version 1.0, Revision 1.0; March 25, 2017
[2] TCG EK Credential Profile For TPM Family 2.0; Level 0; Specification Version 2.3, Revision 2; 9 March 2020 (Draft)
[3] TCG Platform Attribute Credential Profile; Specification Version 1.0, Revision 16; 16 January 2018
Now we want to verify the EK certificate (ekcert.der) against the CA that created it. Assuming the default configuration
was used by swtpm_setup, we would expect to find the CA's certificate files in /var/lib/swtpm-localca. The CA files of
interest are:
- swtpm-localca-rootca-cert.pem: This is the root CA's certificate; it signed issuercert.pem
- issuercert.pem : This is the intermediate CA's certificate that signed the EK certificate
We need to copy the above two files to the machine where we do the certificate verification and create a certificate bundle file from them. We also need to convert the DER formatted certificate into PEM format and then we can do the verification.
> openssl x509 -inform der -in ekcert.der -outform pem -out ekcert.pem
> cat swtpm-localca-rootca-cert.pem issuercert.pem > bundle.pem
> openssl verify -CAfile bundle.pem ekcert.pem
ekcert.pem: OK
The EK may not be stored in the TPM 2 but one has to create it using a command. Once we have that we can compare the public key from the RSA certificate with the key that we created and see that they are indeed the same.
Using the tools from the tpm2-tools package (version 4.x):
> tpm2_createek -c - -G rsa -u myek.tpm2 -c ekcontext.bin
> tpm2_readpublic -c ekcontext.bin -f pem -o myek.pem
> openssl rsa -pubin -in myek.pem -text -noout
# Compare the modulus against ek.cert from 0x01c00002
> openssl x509 -inform der -in ekcert.der -pubkey -noout | openssl rsa -pubin -text -noout
Using the tss2 tools:
> tsscreateek -cp -alg rsa
# Compare the modulus against ek.cert from 0x01c00002
> openssl x509 -inform der -in ekcert.der -pubkey -noout | openssl rsa -pubin -text -noout