Trousers is an open-source TCG Software Stack (TSS), released under
the Common Public License. Trousers aims to be compliant with the
1.1b and 1.2 TSS specifications available from the Trusted Computing

http://www.trustedcomputinggroup.org
For information on the TrouSerS project, please send mail to the

Use of the TSS API and TrouSerS:
    trousers-users@lists.sf.net

Discussion of the internals of the TrouSerS implementation:
    trousers-tech@lists.sf.net

Possibly sensitive security-related bugs:
    Kent Yoder <yoder1@us.ibm.com>

Run-of-the-mill bug reports should use the TrouSerS bug tracker:
    http://sourceforge.net/tracker/?group_id=126012&atid=704358
Packages needed to build:

    openssl-devel >= 0.9.7
    pthreads library (glibc-devel)
BUILDING the TSS 32-bit

Build and install the latest TPM device driver from
sf.net/projects/tpmdd, either compiled in or loaded as a
module. UPDATE: This driver is now included in the vanilla 2.6.12
kernel! If you are using the in-kernel driver, trousers should just
work after a vanilla build. Follow the build instructions below and
read RUNNING the TSS, below.
To build trousers after you have the device driver installed:

$ ./configure [--enable-debug] [--enable-gprof] [--enable-gcov]
Here are the default locations of files that trousers installs:

    /usr/local/etc/tcsd.conf
    /usr/local/lib/libtspi.so.0.0.X
    /usr/local/lib/libtspi.so.0 -> libtspi.so.0.0.X
    /usr/local/lib/libtspi.so -> libtspi.so.0.0.X
    /usr/local/lib/libtspi.la
    /usr/local/lib/libtddl.a
    /usr/local/var/lib/tpm
By default the build will place everything in /usr/local. To install
in a slightly more predictable place, use `./configure --prefix=/usr`.

'make install' runs ldconfig, but that has no effect unless
/usr/local/lib is listed in your /etc/ld.so.conf. If it is not, add it
manually and run ldconfig as root so that your applications can link to
libtspi.so at run time.
BUILDING the TSS 64-bit

TrouSerS has been built and tested on ppc64 and x86_64, so please
don't hesitate to report bugs on these platforms. Building everything
64-bit will require a few more flags than are necessary for a 32-bit
platform. Here are some example instructions for SLES9 ppc64:

$ CFLAGS="-L/usr/lib64 -L/opt/gnome/lib64" LDFLAGS="-L/usr/lib64 \
    -L/opt/gnome/lib64" ./configure --libdir="/usr/local/lib64"

Hopefully the above example will get you going on building in your
64-bit environment. If you need to do anything special, please send
your build steps to trousers-users@lists.sf.net and I'll include it
USING TROUSERS ON AN ALREADY OWNED TPM

If you've already taken ownership of your TPM using a TSS under another
operating system, there are a few issues you should be aware of.

Auth vs No-Auth SRK: In order to trick trousers into thinking it has taken
ownership of the TPM it's running on, you will need to create a persistent
storage file for trousers to use. Normally trousers would create this file
itself at the time ownership is taken. If your SRK has been given an
authorization password by the non-Linux OS, you will need to move the file
dist/system.data.auth to /usr/local/var/lib/tpm/system.data. If you've
taken ownership of your TPM without issuing a password, move
dist/system.data.noauth to /usr/local/var/lib/tpm/system.data.
Passwords: When entering passwords for keys you'd like to use in both
Linux and other OSes, you'll need to take note of how you entered those
passwords. The TSS spec states that when a password is entered through a
GUI popup dialog box provided by the TSS library, the password should be
converted to the UTF-16 encoding and then hashed using SHA-1, including
the UTF-16 null terminator in the hash calculation.

In order to work around this problem, specify the -u option to the
tpm-tools command line to convert the password to UTF-16 before hashing.
This, however, uncovers yet another problem.

Some TSS stacks aren't compliant with the TSS spec, in that they hash
their passwords without including the terminating null character. This
means that there are effectively two versions of any password set through
a popup dialog box. Trousers will include the terminating null character
in its hashes of UTF-16 data.
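As an added illustration (not code from the TrouSerS sources or tpm-tools), the following Python computes both SHA-1 secrets a popup-entered password can map to, with and without the UTF-16 null terminator, so you can see why a key created under a non-compliant stack may not open with the spec-compliant secret. It assumes UTF-16 little-endian byte order (the Windows UNICODE type the popup mode is modelled on); the page does not state the byte order.

```python
# Added example, not part of TrouSerS or tpm-tools: derive the two
# candidate auth secrets for a password entered via a TSS popup dialog.
import hashlib

# Assumption: UTF-16 little-endian, the byte order of the Windows
# UNICODE type used by the TSS spec's popup secret mode.
UTF16 = "utf-16-le"
NULL_TERMINATOR = b"\x00\x00"   # one zero UTF-16 code unit


def utf16_secret_bytes(password: str, include_null: bool = True) -> bytes:
    """Bytes that get hashed for a popup-mode secret.

    include_null=True  -> spec-compliant, what TrouSerS hashes
    include_null=False -> what some non-compliant stacks hash
    """
    data = password.encode(UTF16)
    return data + NULL_TERMINATOR if include_null else data


def tss_popup_secret(password: str, include_null: bool = True) -> str:
    """Hex SHA-1 of the UTF-16 password: the 20-byte auth secret the TPM sees."""
    return hashlib.sha1(utf16_secret_bytes(password, include_null)).hexdigest()


def popup_secret_candidates(password: str) -> dict:
    """Both secrets a key migrated from another OS may have been set with.

    If a key rejects the spec-compliant ('with_null') secret, 'no_null' is
    the other value a popup-set password can correspond to.
    """
    return {
        "with_null": tss_popup_secret(password, include_null=True),
        "no_null": tss_popup_secret(password, include_null=False),
    }


if __name__ == "__main__":
    # Constructed sample password, not a real secret.
    for name, digest in popup_secret_candidates("owner-pw").items():
        print(f"{name:10s} {digest}")
```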
We'll do our best to track other TSS software and how it behaves. Please
see the trousers FAQ at http://trousers.sf.net for more information.
This TSS implementation has several components.

A) The TCS Daemon - A user space daemon that should be (according to
   the TSS spec) the only portal to the TPM device driver. At boot
   time, the TCS Daemon should be started, it should open the TPM
   device driver and from that point on, all requests to the TPM
   should go through the TSS stack. The TCSD manages TPM resources
   and handles requests from TSPs both local and remote.

B) The TSP shared library - The TSP (TCG Service Provider) is a
   shared library that enables applications to talk to TCSDs both
   locally and remotely. The TSP also manages resources used in
   communicating with the application and the TCSD and transparently
   contacts the TCSD whenever necessary.
C) Persistent Storage (PS) files - TSSs have 2 different kinds of
   PS for keys. PS can be thought of as a database for keys, with
   each key in the database indexed by a UUID.

   'User' persistent storage is maintained by the application's TSP
   library. Upon writing the first key to User PS, the TSP library
   creates a new file at ~/.trousers/user.data, using the effective
   user id of the process executing the call to find ~. An environment
   variable, TSS_USER_PS_FILE, can also be set to point the TSP library
   to a different location for the User PS. This environment variable
   has the lifetime of the TSP context, so to store 2 keys in 2
   different files, you will need to call Tspi_Context_Close, set the
   new location, and open the context again.

   'System' persistent storage is controlled by the TCS and stays
   valid across all application lifetimes, TCSD restarts and system
   resets. Data registered in system PS stays valid until an application
   requests that it be removed. The System PS file by default is
   /usr/local/var/lib/tpm/system.data. The system PS file is initially
   created when ownership of the TPM is first taken.

D) A config file. By default located in /usr/local/etc/tcsd.conf.
By default, the TCS daemon is not reachable over the internet, so if
you just plan to access it locally, running it as root with a root-owned
device node is probably ok. Just make sure your device driver is loaded
and start the tcsd as root.

If you would like to run the TCS daemon as an unprivileged user,
please follow these instructions:

If you're using the device driver from a Linux 2.6.12+ kernel and have
udev enabled, you need to add the following line to your
udev.permissions file (usually in /etc/udev somewhere):

tpm[0-9]:tss:tss:0600

and then just load the device driver with:

Start the TCS Core Services daemon, by default /usr/local/sbin/tcsd.

# startproc -u tss /usr/local/sbin/tcsd
If you've compiled trousers with './configure --enable-debug' and would like
to turn debugging output off at run-time, set the environment variable
TSS_DEBUG_OFF to any value.
# mv trousers trousers-${version}
# tar zcvf /usr/src/packages/SOURCES/trousers-${version}.tar.gz \

# rpmbuild -bb trousers-${version}/dist/trousers.spec