2023可信计算技术最佳实践白皮书

白皮书作者 龙蜥社区及龙蜥操作系统也获得了一定的行业认可， ， 、 、荣获、 “OSCAR开源尖峰案例奖”等25项行业奖项。 实验室简介    实验室设施及业务概况         实验室建设     SIG       �SIG地址：https://openanolis.cn/sig/tc-sig 钉钉群：“龙蜥-可信计算SIG技术交流群”，群号：15370024496 微信群：“龙蜥-可信计算SIG技术交流群” 1.                                             1.3.3futureTPM工作组与主要目标     2.   国家标准化管理委员会      ISO/IEC11889系列标准               TSS规范官网入口：https://trustedcomputinggroup.org/resource/tcg-software-stack-tss-specification/ 缩略语 PTP–PlatformTPMProfile CRB–CommandResponseBufferinterface DDWG–DeviceDriver’sWritersGuide CertificationPP–CertificationProtectionProfile TIS–TPMInterfaceSpecification PCClient标准及配套文档体系: 缩略语 PFP–PlatformFirmwareProfile PPI–PhysicalPresenceInterface FIM–FirmwareIntegrityMeasurement MOR–ResetAttackMitigation Memoryonresetattackmitigation RIM–ReferenceIntegrityManifest DRTM–DynamicRootofTrustforMeasurement 标准编制 应用场景 标准推广 3. swtpm swtpm libtpms 1.#安装依赖包2.yuminstall-yautomakeautoconflibtoolgccgcc-c++make\3.openssl-develpkg-configsocatnet-tools-deprecated\4.libtasn1-develgnutlsgnutls-devellibseccomp-devel\5.json-glib-develexpectsofthsm6.#下载libtpms源码7.gitclonehttps://github.com/stefanberger/libtpms8.cdlibtpms9.#编译并安装libtpms10../autogen.sh--prefix=/usr--libdir=/usr/lib64--with-openssl\11.--with-tpm212.13.make-j414.make-j4check15.sudomakeinstall16.#下载swtpm源码17.gitclonehttps://github.com/stefanberger/swtpm18.cdswtpm19.#编译并安装swtpm20../autogen.sh--prefix=/usr--libdir=/usr/lib64--with-openssl\21.--with-tss-user=root--with-tss-group=tss--with-cuse22.make-j423.sudomakecheck-j424.sudomakeinstall 1.yuminstalllibtpmsswtpmswtpm-develswtpm-tools swtpm编译。 1.#安装内核cuse模块 2.yuminstallkernel-modules-extra 3.modprobecuse 1.#1.初始tpm2state2.mkdir/tmp/myvtpm0;3.chown–Rtss:root/tmp/myvtpm04.swtpm_setup–tpm2–tpm-state/tmp/myvtpm05.6.#2.创建tpm2字符设备7.exportTPM_PATH=/tmp/myvtpm08.swtpm_cuse--tpm2-ntpm09.#3.启动tpm设备10.swtpm_ioctl-i--tpm-device/dev/tpm0 1.[root@localhostswtpm]#tpm2_pcrread2.sha1:3.sha256:4.0:0x00000000000000000000000000000000000000000000000000000000000000005.1:0x00000000000000000000000000000000000000000000000000000000000000006.2:0x00000000000000000000000000000000000000000000000000000000000000007.3:0x00000000000000000000000000000000000000000000000000000000000000008.4:0x00000000000000000000000000000000000000000000000000000000000000009.5:0x000000000000000000000000000000000000000000000000000000000000000010.6:0x000000000000000000000000000000000000000000000000000000000000000011.7:0x000000000000000000000000000000000000000000000000000000000000000012.8:0x000000000000000000000000000000000000000000000000000000000000000013.9:0x000000000000000000000000000000000000000000000000000000000000000014.10:0x0000000000000000000000000000000000000000000000000000000000000000 15.11:0x0000000000000000000000000000000000000000000000000000000000000000 16.12:0x0000000000000000000000000000000000000000000000000000000000000000 17.13:0x0000000000000000000000000000000000000000000000000000000000000000 18.14:0x0000000000000000000000000000000000000000000000000000000000000000 19.15:0x0000000000000000000000000000000000000000000000000000000000000000 20.16:0x0000000000000000000000000000000000000000000000000000000000000000 21.17:0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 22.18:0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 23.19:0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 24.20:0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 25.21:0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 26.22:0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 27.23:0x0000000000000000000000000000000000000000000000000000000000000000 28.sha384: 29.sha512: 1.$mkdir$[path_to_vm]/mytpm0 1.$swtpmsocket--tpmstatedir=$[path_to_vm]/mytpm0\ 3. --loglevel=20 --ctrltype=unixio,path=$[path_to_vm]/mytpm0/swtpm-sock\ 2. 1.swtpmsocket--tpm2--tpmstatedir=$[path_to_vm]/mytpm0\ 3. --loglevel=20 --ctrltype=unixio,path=$[path_to_vm]/mytpm0/swtpm-sock\ 2. X86_64 1.-chardevsocket,id=chrtpm,path=$[path_to_vm]/mytpm0/swtpm-sock\ 2.-tpmdevemulator,id=tpm0,chardev=chrtpm\ 3.-devicetpm-tis,tpmdev=tpm0 aarch64 -chardevsocket,id=chrtpm,path=$[path_to_vm]/mytpm0/swtpm-sock\ -tpmdevemulator,id=tpm0,chardev=chrtpm\ -devicetpm-tis-device,tpmdev=tpm0 1.<devices> 3. <backendtype='emulator'version='2.0'/> 5.</devices> </tpm> 4. <tpmmodel='tpm-tis'> 2.  1.chmod-R777/var/lib/swtpm-localca/ 2.virshstartvm 1.#lsmod|greptpm2.#tpm_tis163840 3.# 4.# yum list installed | grep -E 'tpm2-tss|tpm2-tools' 5. # 6.#yuminstalltpm2-tsstpm2-tools 1.[root@localhost~]#tpm2_pcrread2.sha1: 3.0:0xB88919A8FA33C7A11CEB80A1B9772B499BDAABC84.1:0xED92EDC2A