Einrichten von TPM auf vorgeschlagenen Plattformen
Einrichten des Firmware-TPM (fTPM)
Firmware TPM (fTPM) erfordert spezielle Prozessor-/SoC-Unterstützung, und wenn fTPM derzeit nicht auf Raspberry Pi2 implementiert ist.
Sie benötigen MBM mit UEFI-Version 0.80 oder höher.
Aktivieren Sie fTPM, indem Sie die folgenden UEFI-Einstellungen ändern:
Device Manager -> System Setup -> Security Configuration -> PTT = <Enable>Stellen Sie sicher, dass Sie nicht über C:\Windows\System32\ACPITABL.dat für sTPM/dTPM verfügen (lösen Sie den Konflikt, oder löschen Sie die Datei, falls nicht erforderlich).
Vergewissern Sie sich, dass die richtige TPM-Version aktiviert ist: Führen Sie das TPM 2.0-Tool auf dem Windows IoT Core-Gerät aus.
C:\>t2t.exe -cap TBS detected 2.0 firmware TPM (fTPM) using Intel TEE. Capabilities: PT_FIXED: TPM_PT_FAMILY_INDICATOR = '2.0' TPM_PT_LEVEL = 0 (0x00000000) TPM_PT_REVISION = 0.93 TPM_PT_DAY_OF_YEAR = 283 (0x0000011b) TPM_PT_YEAR = 2012 (0x000007dc) TPM_PT_MANUFACTURER = 'INTC' TPM_PT_VENDOR_STRING = 'Intel' TPM_PT_VENDOR_TPM_TYPE = 3 (0x00000003) TPM_PT_FIRMWARE_VERSION_1 = 1.0 (0x1.0x0) TPM_PT_FIRMWARE_VERSION_2 = 2.1060 (0x2.0x424) TPM_PT_INPUT_BUFFER = 1024 (0x00000400) TPM_PT_HR_TRANSIENT_MIN = 3 (0x00000003) TPM_PT_HR_PERSISTENT_MIN = 2 (0x00000002) TPM_PT_HR_LOADED_MIN = 3 (0x00000003) TPM_PT_ACTIVE_SESSIONS_MAX = 64 (0x00000040) TPM_PT_PCR_COUNT = 24 (0x00000018) TPM_PT_PCR_SELECT_MIN = 3 (0x00000003) TPM_PT_CONTEXT_GAP_MAX = 65535 (0x0000ffff) TPM_PT_NV_COUNTERS_MAX = 16 (0x00000010) TPM_PT_NV_INDEX_MAX = 2048 (0x00000800) TPM_PT_MEMORY = sharedNV objectCopiedToRam TPM_PT_CLOCK_UPDATE = 4096ms TPM_PT_CONTEXT_HASH = TPM_ALG_SHA256 TPM_PT_CONTEXT_SYM = TPM_ALG_AES TPM_PT_CONTEXT_SYM_SIZE = 128 (0x00000080) TPM_PT_ORDERLY_COUNT = 255 (0x000000ff) TPM_PT_MAX_COMMAND_SIZE = 3968 (0x00000f80) TPM_PT_MAX_RESPONSE_SIZE = 3968 (0x00000f80) TPM_PT_MAX_DIGEST = 32 (0x00000020) TPM_PT_MAX_OBJECT_CONTEXT = 924 (0x0000039c) TPM_PT_MAX_SESSION_CONTEXT = 244 (0x000000f4) TPM_PT_PS_FAMILY_INDICATOR = TPM_PS_MAIN TPM_PT_PS_LEVEL = 0 (0x00000000) TPM_PT_PS_REVISION = 0 TPM_PT_PS_DAY_OF_YEAR = 0 (0x00000000) TPM_PT_PS_YEAR = 0 (0x00000000) TPM_PT_SPLIT_MAX = 0 (0x00000000) TPM_PT_TOTAL_COMMANDS = 70 (0x00000046) TPM_PT_LIBRARY_COMMANDS = 70 (0x00000046) TPM_PT_VENDOR_COMMANDS = 0 (0x00000000) PT_VAR: TPM_PT_PERMANENT = lockoutAuthSet tpmGeneratedEPS TPM_PT_STARTUP_CLEAR = phEnable shEnable ehEnable TPM_PT_HR_NV_INDEX = 2 (0x00000002) TPM_PT_HR_LOADED = 0 (0x00000000) TPM_PT_HR_LOADED_AVAIL = 3 (0x00000003) TPM_PT_HR_ACTIVE = 0 (0x00000000) TPM_PT_HR_ACTIVE_AVAIL = 64 (0x00000040) TPM_PT_HR_TRANSIENT_AVAIL = 3 (0x00000003) TPM_PT_HR_PERSISTENT = 3 (0x00000003) TPM_PT_HR_PERSISTENT_AVAIL = 18 (0x00000012) TPM_PT_NV_COUNTERS = 2 (0x00000002) TPM_PT_NV_COUNTERS_AVAIL = 14 (0x0000000e) TPM_PT_ALGORITHM_SET = 0 (0x00000000) TPM_PT_LOADED_CURVES = 0 (0x00000000) TPM_PT_LOCKOUT_COUNTER = 0 (0x00000000) TPM_PT_MAX_AUTH_FAIL = 10 (0x0000000a) TPM_PT_LOCKOUT_INTERVAL = 2h 0" 0' TPM_PT_LOCKOUT_RECOVERY = 2h 0" 0' TPM_PT_AUDIT_COUNTER = 0 c:\>Überprüfen Sie, ob fTPM funktioniert: Führen Sie die Urchin-Komponententests auf dem Windows IoT Core-Gerät aus.
Es sollten mehrere PASS-Tests angezeigt werden (beachten Sie, dass einige der Funktionen von fTPM nicht unterstützt werden, sodass einige Fehlercodes erwartet werden):C:\>urchintest.exe ---SETUP---------------------------------------- PASS...........CreateAuthorities() PASS...........CreateEkObject() PASS...........CreateSrkObject() (0x80280400)...CreateAndLoadAikObject() PASS...........CreateAndLoadKeyObject() ---TESTS---------------------------------------- PASS...........TestGetCapability() PASS...........TestGetEntropy() PASS...........TestPolicySession() PASS...........TestSignWithPW() PASS...........TestSignHMAC() PASS...........TestSignBound() PASS...........TestSignSalted() PASS...........TestSignSaltedAndBound() PASS...........TestSignParameterEncryption() PASS...........TestSignParameterDecryption() PASS...........TestReadPcrWithEkSeededSession() (0x80280400)...TestCreateHashAndHMAC() (0x80280400)...TestCreateHashAndHMACSequence() (0x80280400)...TestSymKeyImport() PASS...........TestRsaKeyImport() (0x00000184)...TestCredentialActivation() PASS...........TestKeyExport() (0x80280400)...TestSymEncryption() (0x80280400)...TestCertifiedMigration() (0x0000014b)...TestNVIndexReadWrite() (0x80280400)...TestVirtualization() PASS...........TestObjectChangeAuth() PASS...........TestUnseal() PASS...........TestDynamicPolicies() (0x80280400)...TestRSADecrypt() (0x000002ca)...TestECDSASign() (0x00000184)...TestKeyAttestation() (0x00000184)...TestPlatformAttestation() ---CLEANUP-------------------------------------- (0x000001c4)...UnloadKeyObjects() C:\>
Einrichten des diskreten TPM (dTPM)
Diese Anweisungen gelten für alle dTPM-Module, die auf MBM, RPi2 oder RPi3 unterstützt werden.
Rufen Sie ein diskretes TPM-Modul ab, und fügen Sie es an MBM/RPi2/RPi3 an.
(Gilt für MBM) Deaktivieren Sie fTPM, indem Sie die folgenden UEFI-Einstellungen ändern:
Device Manager -> System Setup -> Security Configuration -> PTT = <Disable>(Gilt für MBM) Aktivieren Sie dTPM, indem Sie die folgenden UEFI-Einstellungen ändern:
Device Manager -> System Setup -> Security Configuration -> Discrete TPM = <Enable>Identifizieren Sie basierend auf Ihrem diskreten TPM-Modul ihrer Wahl hier die entsprechende ACPI-Tabelle.
Kopieren Sie diese ACPI-Tabelle nach MBM/RPi2/RPi3 C:\Windows\System32\ACPITABL.dat.
Aktivieren Sie die Testsignierung auf dem Gerät:
bcdedit /set {current} integrityservices disable bcdedit /set testsigning onStarten Sie das Gerät neu.
Vergewissern Sie sich, dass die richtige TPM-Version aktiviert ist: Führen Sie das TPM 2.0-Tool auf dem Windows IoT Core-Gerät aus.
C:\>t2t.exe -cap TBS detected 2.0 discrete TPM (dTPM) using TIS on SPB. Capabilities: PT_FIXED: TPM_PT_FAMILY_INDICATOR = '2.0' TPM_PT_LEVEL = 0 (0x00000000) TPM_PT_REVISION = 1.16 TPM_PT_DAY_OF_YEAR = 303 (0x0000012f) TPM_PT_YEAR = 2014 (0x000007de) TPM_PT_MANUFACTURER = 'NTZ' TPM_PT_VENDOR_STRING = 'NTZ' TPM_PT_VENDOR_TPM_TYPE = 17 (0x00000011) TPM_PT_FIRMWARE_VERSION_1 = 4.31 (0x4.0x1f) TPM_PT_FIRMWARE_VERSION_2 = 5378.4617 (0x1502.0x1209) TPM_PT_INPUT_BUFFER = 2220 (0x000008ac) TPM_PT_HR_TRANSIENT_MIN = 4 (0x00000004) TPM_PT_HR_PERSISTENT_MIN = 7 (0x00000007) TPM_PT_HR_LOADED_MIN = 4 (0x00000004) TPM_PT_ACTIVE_SESSIONS_MAX = 64 (0x00000040) TPM_PT_PCR_COUNT = 24 (0x00000018) TPM_PT_PCR_SELECT_MIN = 3 (0x00000003) TPM_PT_CONTEXT_GAP_MAX = 65535 (0x0000ffff) TPM_PT_NV_COUNTERS_MAX = 0 (0x00000000) TPM_PT_NV_INDEX_MAX = 1639 (0x00000667) TPM_PT_MEMORY = objectCopiedToRam TPM_PT_CLOCK_UPDATE = 4096000ms TPM_PT_CONTEXT_HASH = TPM_ALG_SHA256 TPM_PT_CONTEXT_SYM = TPM_ALG_AES TPM_PT_CONTEXT_SYM_SIZE = 128 (0x00000080) TPM_PT_ORDERLY_COUNT = 255 (0x000000ff) TPM_PT_MAX_COMMAND_SIZE = 2220 (0x000008ac) TPM_PT_MAX_RESPONSE_SIZE = 2220 (0x000008ac) TPM_PT_MAX_DIGEST = 32 (0x00000020) TPM_PT_MAX_SESSION_CONTEXT = 244 (0x000000f4) TPM_PT_PS_FAMILY_INDICATOR = TPM_PS_PDA TPM_PT_PS_LEVEL = 0 (0x00000000) TPM_PT_PS_REVISION = 25600 TPM_PT_PS_DAY_OF_YEAR = 0 (0x00000000) TPM_PT_PS_YEAR = 0 (0x00000000) TPM_PT_SPLIT_MAX = 128 (0x00000080) TPM_PT_TOTAL_COMMANDS = 101 (0x00000065) TPM_PT_LIBRARY_COMMANDS = 99 (0x00000063) TPM_PT_VENDOR_COMMANDS = 2 (0x00000002) TPM_PT_NV_BUFFER_MAX = 1639 (0x00000667) PT_VAR: TPM_PT_STARTUP_CLEAR = phEnable shEnable ehEnable ehEnableNV TPM_PT_HR_NV_INDEX = 2 (0x00000002) TPM_PT_HR_LOADED = 0 (0x00000000) TPM_PT_HR_LOADED_AVAIL = 4 (0x00000004) TPM_PT_HR_ACTIVE = 0 (0x00000000) TPM_PT_HR_ACTIVE_AVAIL = 64 (0x00000040) TPM_PT_HR_TRANSIENT_AVAIL = 4 (0x00000004) TPM_PT_HR_PERSISTENT = 3 (0x00000003) TPM_PT_HR_PERSISTENT_AVAIL = 4 (0x00000004) TPM_PT_NV_COUNTERS = 2 (0x00000002) TPM_PT_NV_COUNTERS_AVAIL = 30 (0x0000001e) TPM_PT_ALGORITHM_SET = 0 (0x00000000) TPM_PT_LOADED_CURVES = 3 (0x00000003) TPM_PT_LOCKOUT_COUNTER = 0 (0x00000000) TPM_PT_MAX_AUTH_FAIL = 32 (0x00000020) TPM_PT_LOCKOUT_INTERVAL = 2h 0" 0' TPM_PT_LOCKOUT_RECOVERY = 24h 0" 0' TPM_PT_NV_WRITE_RECOVERY = 0ms TPM_PT_AUDIT_COUNTER = 0 C:\>Überprüfen Sie, ob dTPM funktioniert: Führen Sie die Urchin-Komponententests auf dem Windows IoT Core-Gerät aus.
Es sollten mehrere PASS-Tests angezeigt werden (beachten Sie, dass einige der Funktionen möglicherweise nicht von dTPM unterstützt werden, sodass einige Fehlercodes erwartet werden):C:\>urchintest.exe ---SETUP---------------------------------------- PASS...........CreateAuthorities() PASS...........CreateEkObject() PASS...........CreateSrkObject() PASS...........CreateAndLoadAikObject() PASS...........CreateAndLoadKeyObject() ---TESTS---------------------------------------- PASS...........TestGetCapability() PASS...........TestGetEntropy() PASS...........TestPolicySession() PASS...........TestSignWithPW() PASS...........TestSignHMAC() PASS...........TestSignBound() PASS...........TestSignSalted() PASS...........TestSignSaltedAndBound() (0xc000000d)...TestSignParameterEncryption() PASS...........TestSignParameterDecryption() PASS...........TestReadPcrWithEkSeededSession() PASS...........TestCreateHashAndHMAC() PASS...........TestCreateHashAndHMACSequence() PASS...........TestSymKeyImport() (0xc000000d)...TestRsaKeyImport() PASS...........TestCredentialActivation() PASS...........TestKeyExport() (0x00000182)...TestSymEncryption() PASS...........TestCertifiedMigration() PASS...........TestNVIndexReadWrite() (0x80280400)...TestVirtualization() PASS...........TestObjectChangeAuth() PASS...........TestUnseal() PASS...........TestDynamicPolicies() PASS...........TestRSADecrypt() PASS...........TestECDSASign() (0xc000000d)...TestKeyAttestation() (0xc000000d)...TestPlatformAttestation() ---CLEANUP-------------------------------------- PASS...........UnloadKeyObjects() C:\>
Aktivieren und Überprüfen von Software-TPM (sTPM)
Beachten Sie, dass sTPM nur zu Entwicklungszwecken vorgesehen ist und keine echten Sicherheitsvorteile bietet.
(Gilt für MBM) Deaktivieren Sie fTPM, indem Sie die folgenden UEFI-Einstellungen ändern:
Device Manager -> System Setup -> Security Configuration -> PTT = <Disable>(Gilt für MBM) Aktivieren Sie dTPM, indem Sie die folgenden UEFI-Einstellungen ändern:
Device Manager -> System Setup -> Security Configuration -> Discrete TPM = <Enable>Aktivieren Sie die Testsignierung auf dem Gerät:
bcdedit /set {current} integrityservices disable bcdedit /set testsigning onKopieren Sie die ACPI-Tabelle von hier nach MBM/RPi2/RPi3 C:\Windows\System32\ACPITABL.dat.
Starten Sie das Gerät neu.
Vergewissern Sie sich, dass die richtige TPM-Version aktiviert ist: Führen Sie das TPM 2.0-Tool auf dem Windows IoT Core-Gerät aus.
C:\>t2t.exe -cap TBS detected 2.0 simulated TPM (sTPM). Capabilities: PT_FIXED: TPM_PT_FAMILY_INDICATOR = '2.0' TPM_PT_LEVEL = 0 (0x00000000) TPM_PT_REVISION = 1.15 TPM_PT_DAY_OF_YEAR = 163 (0x000000a3) TPM_PT_YEAR = 2014 (0x000007de) TPM_PT_MANUFACTURER = 'MSFT' TPM_PT_VENDOR_STRING = 'IoT Software TPM' TPM_PT_VENDOR_TPM_TYPE = 1 (0x00000001) TPM_PT_FIRMWARE_VERSION_1 = 8213.275 (0x2015.0x113) TPM_PT_FIRMWARE_VERSION_2 = 21.18466 (0x15.0x4822) TPM_PT_INPUT_BUFFER = 1024 (0x00000400) TPM_PT_HR_TRANSIENT_MIN = 3 (0x00000003) TPM_PT_HR_PERSISTENT_MIN = 2 (0x00000002) TPM_PT_HR_LOADED_MIN = 3 (0x00000003) TPM_PT_ACTIVE_SESSIONS_MAX = 64 (0x00000040) TPM_PT_PCR_COUNT = 24 (0x00000018) TPM_PT_PCR_SELECT_MIN = 3 (0x00000003) TPM_PT_CONTEXT_GAP_MAX = 65535 (0x0000ffff) TPM_PT_NV_COUNTERS_MAX = 0 (0x00000000) TPM_PT_NV_INDEX_MAX = 2048 (0x00000800) TPM_PT_MEMORY = sharedNV objectCopiedToRam TPM_PT_CLOCK_UPDATE = 4096ms TPM_PT_CONTEXT_HASH = TPM_ALG_SHA256 TPM_PT_CONTEXT_SYM = TPM_ALG_AES TPM_PT_CONTEXT_SYM_SIZE = 256 (0x00000100) TPM_PT_ORDERLY_COUNT = 255 (0x000000ff) TPM_PT_MAX_COMMAND_SIZE = 4096 (0x00001000) TPM_PT_MAX_RESPONSE_SIZE = 4096 (0x00001000) TPM_PT_MAX_DIGEST = 48 (0x00000030) TPM_PT_MAX_OBJECT_CONTEXT = 1520 (0x000005f0) TPM_PT_MAX_SESSION_CONTEXT = 308 (0x00000134) TPM_PT_PS_FAMILY_INDICATOR = TPM_PS_MAIN TPM_PT_PS_LEVEL = 0 (0x00000000) TPM_PT_PS_REVISION = 0 TPM_PT_PS_DAY_OF_YEAR = 0 (0x00000000) TPM_PT_PS_YEAR = 0 (0x00000000) TPM_PT_SPLIT_MAX = 128 (0x00000080) TPM_PT_TOTAL_COMMANDS = 106 (0x0000006a) TPM_PT_LIBRARY_COMMANDS = 105 (0x00000069) TPM_PT_VENDOR_COMMANDS = 1 (0x00000001) PT_VAR: TPM_PT_PERMANENT = lockoutAuthSet tpmGeneratedEPS TPM_PT_STARTUP_CLEAR = phEnable shEnable ehEnable ehEnableNV TPM_PT_HR_NV_INDEX = 2 (0x00000002) TPM_PT_HR_LOADED = 0 (0x00000000) TPM_PT_HR_LOADED_AVAIL = 3 (0x00000003) TPM_PT_HR_ACTIVE = 0 (0x00000000) TPM_PT_HR_ACTIVE_AVAIL = 64 (0x00000040) TPM_PT_HR_TRANSIENT_AVAIL = 3 (0x00000003) TPM_PT_HR_PERSISTENT = 3 (0x00000003) TPM_PT_HR_PERSISTENT_AVAIL = 5 (0x00000005) TPM_PT_NV_COUNTERS = 2 (0x00000002) TPM_PT_NV_COUNTERS_AVAIL = 31 (0x0000001f) TPM_PT_ALGORITHM_SET = 0 (0x00000000) TPM_PT_LOADED_CURVES = 3 (0x00000003) TPM_PT_LOCKOUT_COUNTER = 3 (0x00000003) TPM_PT_MAX_AUTH_FAIL = 32 (0x00000020) TPM_PT_LOCKOUT_INTERVAL = 2h 0" 0' TPM_PT_LOCKOUT_RECOVERY = 24h 0" 0' TPM_PT_AUDIT_COUNTER = 0 C:\>Überprüfen Sie, ob sTPM funktioniert: Führen Sie die Urchin-Komponententests auf dem Windows IoT Core-Gerät aus.
Es sollten mehrere PASS-Tests angezeigt werden (beachten Sie, dass einige der Funktionen von sTPM nicht unterstützt werden, sodass einige Fehlercodes erwartet werden):C:\>urchintest.exe ---SETUP---------------------------------------- PASS...........CreateAuthorities() PASS...........CreateEkObject() PASS...........CreateSrkObject() PASS...........CreateAndLoadAikObject() PASS...........CreateAndLoadKeyObject() ---TESTS---------------------------------------- PASS...........TestGetCapability() PASS...........TestGetEntropy() PASS...........TestPolicySession() PASS...........TestSignWithPW() PASS...........TestSignHMAC() PASS...........TestSignBound() PASS...........TestSignSalted() PASS...........TestSignSaltedAndBound() (0xc000000d)...TestSignParameterEncryption() PASS...........TestSignParameterDecryption() PASS...........TestReadPcrWithEkSeededSession() PASS...........TestCreateHashAndHMAC() PASS...........TestCreateHashAndHMACSequence() PASS...........TestSymKeyImport() (0xc000000d)...TestRsaKeyImport() PASS...........TestCredentialActivation() PASS...........TestKeyExport() (0x00000182)...TestSymEncryption() PASS...........TestCertifiedMigration() PASS...........TestNVIndexReadWrite() (0x80280400)...TestVirtualization() PASS...........TestObjectChangeAuth() PASS...........TestUnseal() PASS...........TestDynamicPolicies() PASS...........TestECDSASign()) PASS........ (0xc000000d)...TestKeyAttestation() (0xc000000d)...TestPlatformAttestation() ---CLEANUP-------------------------------------- PASS...........UnloadKeyObjects() C:\>