제안된 플랫폼에서 TPM 설정
설치 펌웨어 TPM(fTPM)
fTPM(펌웨어 TPM)에는 특별한 프로세서/SoC 지원이 필요하며, 현재 Raspberry Pi2에서 fTPM이 구현되지 않은 경우.
UEFI 버전이 0.80 이상인 MBM이 있어야 합니다.
다음 UEFI 설정을 변경하여 fTPM을 사용하도록 설정합니다.
Device Manager -> System Setup -> Security Configuration -> PTT = <Enable>sTPM/dTPM용 C:\Windows\System32\ACPITABL.dat가 없는지 확인합니다(필요 없는 경우 충돌 해결/파일 삭제).
올바른 TPM 버전을 사용하도록 설정했는지 확인합니다. Windows IoT Core 디바이스에서 TPM 2.0 도구를 실행합니다.
C:\>t2t.exe -cap TBS detected 2.0 firmware TPM (fTPM) using Intel TEE. Capabilities: PT_FIXED: TPM_PT_FAMILY_INDICATOR = '2.0' TPM_PT_LEVEL = 0 (0x00000000) TPM_PT_REVISION = 0.93 TPM_PT_DAY_OF_YEAR = 283 (0x0000011b) TPM_PT_YEAR = 2012 (0x000007dc) TPM_PT_MANUFACTURER = 'INTC' TPM_PT_VENDOR_STRING = 'Intel' TPM_PT_VENDOR_TPM_TYPE = 3 (0x00000003) TPM_PT_FIRMWARE_VERSION_1 = 1.0 (0x1.0x0) TPM_PT_FIRMWARE_VERSION_2 = 2.1060 (0x2.0x424) TPM_PT_INPUT_BUFFER = 1024 (0x00000400) TPM_PT_HR_TRANSIENT_MIN = 3 (0x00000003) TPM_PT_HR_PERSISTENT_MIN = 2 (0x00000002) TPM_PT_HR_LOADED_MIN = 3 (0x00000003) TPM_PT_ACTIVE_SESSIONS_MAX = 64 (0x00000040) TPM_PT_PCR_COUNT = 24 (0x00000018) TPM_PT_PCR_SELECT_MIN = 3 (0x00000003) TPM_PT_CONTEXT_GAP_MAX = 65535 (0x0000ffff) TPM_PT_NV_COUNTERS_MAX = 16 (0x00000010) TPM_PT_NV_INDEX_MAX = 2048 (0x00000800) TPM_PT_MEMORY = sharedNV objectCopiedToRam TPM_PT_CLOCK_UPDATE = 4096ms TPM_PT_CONTEXT_HASH = TPM_ALG_SHA256 TPM_PT_CONTEXT_SYM = TPM_ALG_AES TPM_PT_CONTEXT_SYM_SIZE = 128 (0x00000080) TPM_PT_ORDERLY_COUNT = 255 (0x000000ff) TPM_PT_MAX_COMMAND_SIZE = 3968 (0x00000f80) TPM_PT_MAX_RESPONSE_SIZE = 3968 (0x00000f80) TPM_PT_MAX_DIGEST = 32 (0x00000020) TPM_PT_MAX_OBJECT_CONTEXT = 924 (0x0000039c) TPM_PT_MAX_SESSION_CONTEXT = 244 (0x000000f4) TPM_PT_PS_FAMILY_INDICATOR = TPM_PS_MAIN TPM_PT_PS_LEVEL = 0 (0x00000000) TPM_PT_PS_REVISION = 0 TPM_PT_PS_DAY_OF_YEAR = 0 (0x00000000) TPM_PT_PS_YEAR = 0 (0x00000000) TPM_PT_SPLIT_MAX = 0 (0x00000000) TPM_PT_TOTAL_COMMANDS = 70 (0x00000046) TPM_PT_LIBRARY_COMMANDS = 70 (0x00000046) TPM_PT_VENDOR_COMMANDS = 0 (0x00000000) PT_VAR: TPM_PT_PERMANENT = lockoutAuthSet tpmGeneratedEPS TPM_PT_STARTUP_CLEAR = phEnable shEnable ehEnable TPM_PT_HR_NV_INDEX = 2 (0x00000002) TPM_PT_HR_LOADED = 0 (0x00000000) TPM_PT_HR_LOADED_AVAIL = 3 (0x00000003) TPM_PT_HR_ACTIVE = 0 (0x00000000) TPM_PT_HR_ACTIVE_AVAIL = 64 (0x00000040) TPM_PT_HR_TRANSIENT_AVAIL = 3 (0x00000003) TPM_PT_HR_PERSISTENT = 3 (0x00000003) TPM_PT_HR_PERSISTENT_AVAIL = 18 (0x00000012) TPM_PT_NV_COUNTERS = 2 (0x00000002) TPM_PT_NV_COUNTERS_AVAIL = 14 (0x0000000e) TPM_PT_ALGORITHM_SET = 0 (0x00000000) TPM_PT_LOADED_CURVES = 0 (0x00000000) TPM_PT_LOCKOUT_COUNTER = 0 (0x00000000) TPM_PT_MAX_AUTH_FAIL = 10 (0x0000000a) TPM_PT_LOCKOUT_INTERVAL = 2h 0" 0' TPM_PT_LOCKOUT_RECOVERY = 2h 0" 0' TPM_PT_AUDIT_COUNTER = 0 c:\>fTPM이 작동하는지 확인 - Windows IoT Core 디바이스에서 Urchin 단위 테스트를 실행합니다 .
몇 가지 PASS 테스트가 표시되어야 합니다(일부 기능은 fTPM에서 지원되지 않으므로 몇 가지 오류 코드가 필요합니다.)C:\>urchintest.exe ---SETUP---------------------------------------- PASS...........CreateAuthorities() PASS...........CreateEkObject() PASS...........CreateSrkObject() (0x80280400)...CreateAndLoadAikObject() PASS...........CreateAndLoadKeyObject() ---TESTS---------------------------------------- PASS...........TestGetCapability() PASS...........TestGetEntropy() PASS...........TestPolicySession() PASS...........TestSignWithPW() PASS...........TestSignHMAC() PASS...........TestSignBound() PASS...........TestSignSalted() PASS...........TestSignSaltedAndBound() PASS...........TestSignParameterEncryption() PASS...........TestSignParameterDecryption() PASS...........TestReadPcrWithEkSeededSession() (0x80280400)...TestCreateHashAndHMAC() (0x80280400)...TestCreateHashAndHMACSequence() (0x80280400)...TestSymKeyImport() PASS...........TestRsaKeyImport() (0x00000184)...TestCredentialActivation() PASS...........TestKeyExport() (0x80280400)...TestSymEncryption() (0x80280400)...TestCertifiedMigration() (0x0000014b)...TestNVIndexReadWrite() (0x80280400)...TestVirtualization() PASS...........TestObjectChangeAuth() PASS...........TestUnseal() PASS...........TestDynamicPolicies() (0x80280400)...TestRSADecrypt() (0x000002ca)...TestECDSASign() (0x00000184)...TestKeyAttestation() (0x00000184)...TestPlatformAttestation() ---CLEANUP-------------------------------------- (0x000001c4)...UnloadKeyObjects() C:\>
개별 TPM 설정(dTPM)
이러한 지침은 MBM, RPi2 또는 RPi3에서 지원되는 모든 dTPM 모듈에 적용됩니다.
개별 TPM 모듈을 가져와서 MBM/RPi2/RPi3에 연결합니다.
(MBM에 적용) 다음 UEFI 설정을 변경하여 fTPM을 사용하지 않도록 설정합니다.
Device Manager -> System Setup -> Security Configuration -> PTT = <Disable>(MBM에 적용) 다음 UEFI 설정을 변경하여 dTPM을 사용하도록 설정합니다.
Device Manager -> System Setup -> Security Configuration -> Discrete TPM = <Enable>선택한 개별 TPM 모듈에 따라 여기에서 일치하는 ACPI 테이블을 식별 합니다.
해당 ACPI 테이블을 MBM/RPi2/RPi3 C:\Windows\System32\ACPITABL.dat에 복사합니다.
디바이스에서 테스트 서명 사용:
bcdedit /set {current} integrityservices disable bcdedit /set testsigning on디바이스를 다시 부팅합니다.
올바른 TPM 버전을 사용하도록 설정했는지 확인합니다. Windows IoT Core 디바이스에서 TPM 2.0 도구를 실행합니다.
C:\>t2t.exe -cap TBS detected 2.0 discrete TPM (dTPM) using TIS on SPB. Capabilities: PT_FIXED: TPM_PT_FAMILY_INDICATOR = '2.0' TPM_PT_LEVEL = 0 (0x00000000) TPM_PT_REVISION = 1.16 TPM_PT_DAY_OF_YEAR = 303 (0x0000012f) TPM_PT_YEAR = 2014 (0x000007de) TPM_PT_MANUFACTURER = 'NTZ' TPM_PT_VENDOR_STRING = 'NTZ' TPM_PT_VENDOR_TPM_TYPE = 17 (0x00000011) TPM_PT_FIRMWARE_VERSION_1 = 4.31 (0x4.0x1f) TPM_PT_FIRMWARE_VERSION_2 = 5378.4617 (0x1502.0x1209) TPM_PT_INPUT_BUFFER = 2220 (0x000008ac) TPM_PT_HR_TRANSIENT_MIN = 4 (0x00000004) TPM_PT_HR_PERSISTENT_MIN = 7 (0x00000007) TPM_PT_HR_LOADED_MIN = 4 (0x00000004) TPM_PT_ACTIVE_SESSIONS_MAX = 64 (0x00000040) TPM_PT_PCR_COUNT = 24 (0x00000018) TPM_PT_PCR_SELECT_MIN = 3 (0x00000003) TPM_PT_CONTEXT_GAP_MAX = 65535 (0x0000ffff) TPM_PT_NV_COUNTERS_MAX = 0 (0x00000000) TPM_PT_NV_INDEX_MAX = 1639 (0x00000667) TPM_PT_MEMORY = objectCopiedToRam TPM_PT_CLOCK_UPDATE = 4096000ms TPM_PT_CONTEXT_HASH = TPM_ALG_SHA256 TPM_PT_CONTEXT_SYM = TPM_ALG_AES TPM_PT_CONTEXT_SYM_SIZE = 128 (0x00000080) TPM_PT_ORDERLY_COUNT = 255 (0x000000ff) TPM_PT_MAX_COMMAND_SIZE = 2220 (0x000008ac) TPM_PT_MAX_RESPONSE_SIZE = 2220 (0x000008ac) TPM_PT_MAX_DIGEST = 32 (0x00000020) TPM_PT_MAX_SESSION_CONTEXT = 244 (0x000000f4) TPM_PT_PS_FAMILY_INDICATOR = TPM_PS_PDA TPM_PT_PS_LEVEL = 0 (0x00000000) TPM_PT_PS_REVISION = 25600 TPM_PT_PS_DAY_OF_YEAR = 0 (0x00000000) TPM_PT_PS_YEAR = 0 (0x00000000) TPM_PT_SPLIT_MAX = 128 (0x00000080) TPM_PT_TOTAL_COMMANDS = 101 (0x00000065) TPM_PT_LIBRARY_COMMANDS = 99 (0x00000063) TPM_PT_VENDOR_COMMANDS = 2 (0x00000002) TPM_PT_NV_BUFFER_MAX = 1639 (0x00000667) PT_VAR: TPM_PT_STARTUP_CLEAR = phEnable shEnable ehEnable ehEnableNV TPM_PT_HR_NV_INDEX = 2 (0x00000002) TPM_PT_HR_LOADED = 0 (0x00000000) TPM_PT_HR_LOADED_AVAIL = 4 (0x00000004) TPM_PT_HR_ACTIVE = 0 (0x00000000) TPM_PT_HR_ACTIVE_AVAIL = 64 (0x00000040) TPM_PT_HR_TRANSIENT_AVAIL = 4 (0x00000004) TPM_PT_HR_PERSISTENT = 3 (0x00000003) TPM_PT_HR_PERSISTENT_AVAIL = 4 (0x00000004) TPM_PT_NV_COUNTERS = 2 (0x00000002) TPM_PT_NV_COUNTERS_AVAIL = 30 (0x0000001e) TPM_PT_ALGORITHM_SET = 0 (0x00000000) TPM_PT_LOADED_CURVES = 3 (0x00000003) TPM_PT_LOCKOUT_COUNTER = 0 (0x00000000) TPM_PT_MAX_AUTH_FAIL = 32 (0x00000020) TPM_PT_LOCKOUT_INTERVAL = 2h 0" 0' TPM_PT_LOCKOUT_RECOVERY = 24h 0" 0' TPM_PT_NV_WRITE_RECOVERY = 0ms TPM_PT_AUDIT_COUNTER = 0 C:\>dTPM이 작동하는지 확인 - Windows IoT Core 디바이스에서 Urchin 단위 테스트를 실행합니다 .
몇 가지 PASS 테스트가 표시되어야 합니다(일부 기능은 dTPM에서 지원되지 않을 수 있으므로 몇 가지 오류 코드가 필요합니다.).C:\>urchintest.exe ---SETUP---------------------------------------- PASS...........CreateAuthorities() PASS...........CreateEkObject() PASS...........CreateSrkObject() PASS...........CreateAndLoadAikObject() PASS...........CreateAndLoadKeyObject() ---TESTS---------------------------------------- PASS...........TestGetCapability() PASS...........TestGetEntropy() PASS...........TestPolicySession() PASS...........TestSignWithPW() PASS...........TestSignHMAC() PASS...........TestSignBound() PASS...........TestSignSalted() PASS...........TestSignSaltedAndBound() (0xc000000d)...TestSignParameterEncryption() PASS...........TestSignParameterDecryption() PASS...........TestReadPcrWithEkSeededSession() PASS...........TestCreateHashAndHMAC() PASS...........TestCreateHashAndHMACSequence() PASS...........TestSymKeyImport() (0xc000000d)...TestRsaKeyImport() PASS...........TestCredentialActivation() PASS...........TestKeyExport() (0x00000182)...TestSymEncryption() PASS...........TestCertifiedMigration() PASS...........TestNVIndexReadWrite() (0x80280400)...TestVirtualization() PASS...........TestObjectChangeAuth() PASS...........TestUnseal() PASS...........TestDynamicPolicies() PASS...........TestRSADecrypt() PASS...........TestECDSASign() (0xc000000d)...TestKeyAttestation() (0xc000000d)...TestPlatformAttestation() ---CLEANUP-------------------------------------- PASS...........UnloadKeyObjects() C:\>
STPM(소프트웨어 TPM) 사용 및 확인
sTPM은 개발 목적으로만 사용되며 실제 보안 혜택을 제공하지 않습니다.
(MBM에 적용) 다음 UEFI 설정을 변경하여 fTPM을 사용하지 않도록 설정합니다.
Device Manager -> System Setup -> Security Configuration -> PTT = <Disable>(MBM에 적용) 다음 UEFI 설정을 변경하여 dTPM을 사용하도록 설정합니다.
Device Manager -> System Setup -> Security Configuration -> Discrete TPM = <Enable>디바이스에서 테스트 서명 사용:
bcdedit /set {current} integrityservices disable bcdedit /set testsigning on여기에서 ACPI 테이블을 MBM/RPi2/RPi3 C:\Windows\System32\ACPITABL.dat로 복사합니다.
디바이스를 다시 부팅합니다.
올바른 TPM 버전을 사용하도록 설정했는지 확인합니다. Windows IoT Core 디바이스에서 TPM 2.0 도구를 실행합니다.
C:\>t2t.exe -cap TBS detected 2.0 simulated TPM (sTPM). Capabilities: PT_FIXED: TPM_PT_FAMILY_INDICATOR = '2.0' TPM_PT_LEVEL = 0 (0x00000000) TPM_PT_REVISION = 1.15 TPM_PT_DAY_OF_YEAR = 163 (0x000000a3) TPM_PT_YEAR = 2014 (0x000007de) TPM_PT_MANUFACTURER = 'MSFT' TPM_PT_VENDOR_STRING = 'IoT Software TPM' TPM_PT_VENDOR_TPM_TYPE = 1 (0x00000001) TPM_PT_FIRMWARE_VERSION_1 = 8213.275 (0x2015.0x113) TPM_PT_FIRMWARE_VERSION_2 = 21.18466 (0x15.0x4822) TPM_PT_INPUT_BUFFER = 1024 (0x00000400) TPM_PT_HR_TRANSIENT_MIN = 3 (0x00000003) TPM_PT_HR_PERSISTENT_MIN = 2 (0x00000002) TPM_PT_HR_LOADED_MIN = 3 (0x00000003) TPM_PT_ACTIVE_SESSIONS_MAX = 64 (0x00000040) TPM_PT_PCR_COUNT = 24 (0x00000018) TPM_PT_PCR_SELECT_MIN = 3 (0x00000003) TPM_PT_CONTEXT_GAP_MAX = 65535 (0x0000ffff) TPM_PT_NV_COUNTERS_MAX = 0 (0x00000000) TPM_PT_NV_INDEX_MAX = 2048 (0x00000800) TPM_PT_MEMORY = sharedNV objectCopiedToRam TPM_PT_CLOCK_UPDATE = 4096ms TPM_PT_CONTEXT_HASH = TPM_ALG_SHA256 TPM_PT_CONTEXT_SYM = TPM_ALG_AES TPM_PT_CONTEXT_SYM_SIZE = 256 (0x00000100) TPM_PT_ORDERLY_COUNT = 255 (0x000000ff) TPM_PT_MAX_COMMAND_SIZE = 4096 (0x00001000) TPM_PT_MAX_RESPONSE_SIZE = 4096 (0x00001000) TPM_PT_MAX_DIGEST = 48 (0x00000030) TPM_PT_MAX_OBJECT_CONTEXT = 1520 (0x000005f0) TPM_PT_MAX_SESSION_CONTEXT = 308 (0x00000134) TPM_PT_PS_FAMILY_INDICATOR = TPM_PS_MAIN TPM_PT_PS_LEVEL = 0 (0x00000000) TPM_PT_PS_REVISION = 0 TPM_PT_PS_DAY_OF_YEAR = 0 (0x00000000) TPM_PT_PS_YEAR = 0 (0x00000000) TPM_PT_SPLIT_MAX = 128 (0x00000080) TPM_PT_TOTAL_COMMANDS = 106 (0x0000006a) TPM_PT_LIBRARY_COMMANDS = 105 (0x00000069) TPM_PT_VENDOR_COMMANDS = 1 (0x00000001) PT_VAR: TPM_PT_PERMANENT = lockoutAuthSet tpmGeneratedEPS TPM_PT_STARTUP_CLEAR = phEnable shEnable ehEnable ehEnableNV TPM_PT_HR_NV_INDEX = 2 (0x00000002) TPM_PT_HR_LOADED = 0 (0x00000000) TPM_PT_HR_LOADED_AVAIL = 3 (0x00000003) TPM_PT_HR_ACTIVE = 0 (0x00000000) TPM_PT_HR_ACTIVE_AVAIL = 64 (0x00000040) TPM_PT_HR_TRANSIENT_AVAIL = 3 (0x00000003) TPM_PT_HR_PERSISTENT = 3 (0x00000003) TPM_PT_HR_PERSISTENT_AVAIL = 5 (0x00000005) TPM_PT_NV_COUNTERS = 2 (0x00000002) TPM_PT_NV_COUNTERS_AVAIL = 31 (0x0000001f) TPM_PT_ALGORITHM_SET = 0 (0x00000000) TPM_PT_LOADED_CURVES = 3 (0x00000003) TPM_PT_LOCKOUT_COUNTER = 3 (0x00000003) TPM_PT_MAX_AUTH_FAIL = 32 (0x00000020) TPM_PT_LOCKOUT_INTERVAL = 2h 0" 0' TPM_PT_LOCKOUT_RECOVERY = 24h 0" 0' TPM_PT_AUDIT_COUNTER = 0 C:\>sTPM이 작동하는지 확인 - Windows IoT Core 디바이스에서 Urchin 단위 테스트를 실행합니다 .
몇 가지 PASS 테스트가 표시되어야 합니다(일부 기능은 sTPM에서 지원되지 않으므로 몇 가지 오류 코드가 필요합니다.)C:\>urchintest.exe ---SETUP---------------------------------------- PASS...........CreateAuthorities() PASS...........CreateEkObject() PASS...........CreateSrkObject() PASS...........CreateAndLoadAikObject() PASS...........CreateAndLoadKeyObject() ---TESTS---------------------------------------- PASS...........TestGetCapability() PASS...........TestGetEntropy() PASS...........TestPolicySession() PASS...........TestSignWithPW() PASS...........TestSignHMAC() PASS...........TestSignBound() PASS...........TestSignSalted() PASS...........TestSignSaltedAndBound() (0xc000000d)...TestSignParameterEncryption() PASS...........TestSignParameterDecryption() PASS...........TestReadPcrWithEkSeededSession() PASS...........TestCreateHashAndHMAC() PASS...........TestCreateHashAndHMACSequence() PASS...........TestSymKeyImport() (0xc000000d)...TestRsaKeyImport() PASS...........TestCredentialActivation() PASS...........TestKeyExport() (0x00000182)...TestSymEncryption() PASS...........TestCertifiedMigration() PASS...........TestNVIndexReadWrite() (0x80280400)...TestVirtualization() PASS...........TestObjectChangeAuth() PASS...........TestUnseal() PASS...........TestDynamicPolicies() PASS...........TestECDSASign()) PASS........ (0xc000000d)...TestKeyAttestation() (0xc000000d)...TestPlatformAttestation() ---CLEANUP-------------------------------------- PASS...........UnloadKeyObjects() C:\>