HP-UX Trusted Computing Services Administrator's Guide
HP-UX 11i v2
HP Part Number: 5991-7466
Published: February 2007
Edition: 1
© Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
About This Document ..... 5
    Intended Audience ..... 5
    New and Changed Information in This Edition ..... 5
    Typographic Conventions .....
    Restoring or Migrating the TPM ..... 25
5 On-Demand Encryption ..... 27
6 EVFS Keys with HP-UX TCS ..... 29
    Overview .....
About This Document
This document describes how to install, configure, and troubleshoot HP-UX Trusted Computing Services (TCS) on HP-UX 11i v2 platforms.

Intended Audience
This document is intended for system and network administrators responsible for installing, configuring, and managing HP-UX TCS. Administrators are expected to have knowledge of operating system concepts, commands, and configuration. It is helpful to have knowledge of Trusted Platform Modules (TPMs). This document is not a tutorial.

NOTE    A note contains additional information to emphasize or supplement important points of the main text.

Related Information
The latest documentation relating to HP-UX TCS is available in the English language as follows:
• HP-UX TCS web page on SW Depot, which provides access to the TCS software at: http://www.software.hp.com
• HP-UX Trusted Computing Services Release Notes at: http://docs.hp.com/en/internet.
1 HP-UX TCS Overview
This chapter provides an overview of the HP-UX Trusted Computing Services. It addresses the following topics:
• “Technology Overview” (page 7)
• “Architecture” (page 8)
• “TPM Key Hierarchy” (page 10)
• “TPM Utilities” (page 10)
• “HP-UX TCS-EVFS Integration” (page 11)

Technology Overview
HP-UX Trusted Computing Services (TCS) provides software support for hardware-enforced key management on supported HP Integrity servers running HP-UX 11i v2.

Figure 1-1 TPM [figure: block diagram of the TPM components: Random Number Generator, Processor, I/O, Hash, HMAC, Asymmetric Key Generation, Clock/Timer, Nonvolatile Memory, Memory, Signing and Encryption, Power Detection]

TrouSerS is a Common Public License (CPL) licensed TSS that enables multiple applications to simultaneously access and use the TPM without requiring the applications to explicitly synchronize access. HP-UX TCS complies with the TSS 1.1 Golden specification.

Figure 1-2 HP-UX TCS Architecture [figure: software stack, top to bottom: EVFS and the TPM management commands (tpmadm, tpmlist, evfsvol), 3rd party applications, and on-demand encryption (tpmencrypt, tpmdecrypt); the EVFS library libevfs_tcspbe.so; the TSPI library libtspi.sl; the TCS daemon tcsd (configured by tcsd.conf, listening on localhost:30003) with TCSD persistent key storage in /etc/opt/tcs/system.data; TDDL (libtddl.a); /dev/tpm and the HP-UX TPM device driver; system firmware; TPM hardware]

The first layer of software, up one level in the stack, consists of the HP-UX TPM device driver for the TPM.
The primary user interface to the TPM consists of the applications and commands built on the TSPI. The primary application for accessing the TPM is the Encrypted Volume and File System (EVFS) key storage and retrieval mechanism. In addition to EVFS integration, the TPM is accessed by the management commands delivered as part of the HP-UX TCS product.
tpmadm (description continued from the previous page)
    ... restoration of the information stored in the TPM. HP recommends backing up the TPM immediately after installation to enable recovery in the event of a hardware failure.
tpmlist
    Extracts state information from the TPM. It also provides a list of the TPM keys saved in System Persistent Storage (a local database for storing encrypted keys outside of the TPM).
tpmencrypt, tpmdecrypt
    Encrypts a set of files or directories using the system processor for bulk encryption performance.
2 Acquiring and Installing HP-UX TCS HP-UX TCS software is intended for use on ZX2-based Integrity servers with embedded security hardware (TPM) and one of the HP-UX 11i v2 operating environments. The TPM hardware must be present and enabled for the configuration phase of TCS to complete successfully. For further details on TPM enablement, see the HP-UX Trusted Computing Services Release Notes in the HP-UX Trusted Computing Services section at: http://docs.hp.com/en/internet.
3. From the Security Configuration menu, select Set Trusted Platform Module State and press Enter. 4. From the Set Trusted Platform Module State menu, select Y and press Enter to initiate the TPM enablement process.
5. A menu appears asking if you want to reset the system. Select Y and press Enter.
6. After initiating a system reset, you can verify that the TPM is enabled by selecting Set Trusted Platform Module from the Security Configuration Menu and pressing Enter. The Set Trusted Platform Module window appears with Current Setting: Enabled (if the TPM is enabled).

Enabling the TPM from the EFI Shell
To enable the TPM from the EFI Shell, enter the secconfig tpm on command.

Acquiring the HP-UX TCS Software
HP-UX TCS software is available free of charge at HP Software Depot. To download HP-UX TCS, follow these steps:
1. Go to HP Software Depot at http://www.software.hp.com
2. Search for HP-UX TCS (keyword HP-UX TCS) and read the information on the HP-UX TCS release web page.
3. Select Receive for Free >> at the bottom of the page.
4. Enter your registration information.
5. Review and accept the Warranty and Terms and Conditions statements.

After clearing the TPM hardware, establish ownership using the swconfig -u TCS; swconfig TCS 10 command.

NOTE: The TPM driver is a Dynamically Loadable Kernel Module (DLKM) and does not require a reboot. However, after the first load of the TPM driver, the TPM device still appears as unclaimed until a new ioscan command is issued. This is expected behavior. If the installation requires a reboot, a separate ioscan is not needed because the TPM device is claimed by the DLKM driver at boot time.

File                        Description
/opt/tcs/src/               TSS source code
/etc/opt/tcs/tcsd.conf      tcsd configuration file
/opt/tcs/misc/              HP-UX EVFS configuration files
/etc/opt/tcs/passwd         TPM password file
/var/opt/tcs/system.data    TPM persistent storage
/var/opt/tcs/keys/          For applications to store TPM keys as files instead of registering them in persistent storage
/sbin/init.d/tcs            Initialization script
/usr/conf/mod/tpm           Device driver

Removing the HP-UX TCS Software
To remove (uninstall) HP-UX TCS A.01.
3 HP-UX TCS Driver and Management Utilities
This chapter provides an overview of the HP-UX TPM driver and the HP-UX APIs that provide a management interface to the TPM and the TSS stack. This chapter addresses the following topics:
• “TPM Driver” (page 21)
• “HP-UX TCS Management Commands” (page 21)

TPM Driver
The TPM driver does not require a reboot after installation, because it is a dynamically loadable kernel module (DLKM).

Option              Description
system_ps_file      The location of the system persistent storage file.
firmware_log_file   The path to the file containing the current firmware PCR event log data.
kernel_log_file     The path to the file containing the current kernel PCR event log data.
firmware_pcrs       A list of PCR indices that are manipulated only by the system firmware.
kernel_pcrs         A list of PCR indices that are manipulated only by the kernel.
remote_ops
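The firmware_pcrs and kernel_pcrs lists partition the PCRs between two components, so a tcsd.conf in which one index appears in both lists is a configuration error worth catching before tcsd is started. The following checker is an added example, not HP's or the TrouSerS project's code; it assumes a 24-PCR TPM 1.2 part and the "option = value" line shape shown in the table, and the configuration text it parses is constructed for the example.

```c
/* Added example, not HP's or TrouSerS' code: validates the PCR ownership
 * options of a tcsd.conf buffer.  Each index in firmware_pcrs and kernel_pcrs
 * must be a real PCR number and no PCR may be listed in both, since each list
 * names PCRs only that one component extends.  Assumes 24 PCRs (TPM 1.2). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char SAMPLE_CONF[] =       /* constructed for this example */
    "# tcsd.conf fragment\n"
    "system_ps_file = /etc/opt/tcs/system.data\n"
    "firmware_pcrs = 0,1,2,3,4,5,6,7\n"
    "kernel_pcrs = 8,9\n";

/* Parse "0,1,2" into a bitmask; -1 if an index is malformed or not in 0..23. */
static int parse_pcr_list(const char *s, unsigned int *mask)
{
    *mask = 0;
    for (;;) {
        char *end;
        while (*s == ',' || isspace((unsigned char)*s)) s++;
        if (*s == '\0') return 0;
        long idx = strtol(s, &end, 10);
        if (end == s || idx < 0 || idx >= 24) return -1;
        *mask |= 1u << idx;
        s = end;
    }
}

/* 0 = lists valid and disjoint, 1 = a PCR is in both lists, -1 = parse error. */
int check_tcsd_conf(const char *conf)
{
    unsigned int fw = 0, kern = 0;
    char line[256], key[64];
    while (*conf != '\0') {
        size_t n = strcspn(conf, "\n");
        if (n >= sizeof line) return -1;
        memcpy(line, conf, n); line[n] = '\0';
        conf += n + (conf[n] == '\n');
        const char *eq = strchr(line, '=');
        /* skip blank lines, "# comments" and anything not shaped "name = value" */
        if (eq == NULL || sscanf(line, " %63[A-Za-z0-9_]", key) != 1) continue;
        if (strcmp(key, "firmware_pcrs") == 0 && parse_pcr_list(eq + 1, &fw) < 0) return -1;
        if (strcmp(key, "kernel_pcrs") == 0 && parse_pcr_list(eq + 1, &kern) < 0) return -1;
    }
    return (fw & kern) != 0 ? 1 : 0;
}

int main(void)
{
    printf("sample tcsd.conf check: %d\n", check_tcsd_conf(SAMPLE_CONF));
    return 0;
}
```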
4 Basic HP-UX TCS Administration This chapter contains information on basic HP-UX TCS administrative tasks, including security concepts and basic TPM administration. For information on advanced administrative tasks see Chapter 7 (page 33).
Administering the TPM Password
The TPM password generally cannot be used to reveal the private keys protected by the TPM; it only controls some of the TPM management operations. The TPM password is set automatically during the take-ownership phase of the HP-UX TCS installation process, and is stored in an obscured form in the /etc/opt/tcs/passwd file.

    Ownable:        yes
    Owner clear:    disabled
    Force clear:    disabled

Backing Up and Restoring Keys
Use the tpmadm backup and tpmadm restore commands to back up and restore keys stored in the system persistent storage file /etc/opt/tcs/system.data. The backup operation creates a backup copy of all TPM keys under the RK in system persistent storage and prepares the RK for migration as follows:

    # tpmadm backup filename=/tmp/backup
    Please enter a secret used to encrypt backup information:
    Backup in progress...

4. Enter tpmadm restore to restore the TPM to its previous state (or to migrate TPM status).
5. Enter tpmlist keys to confirm the restoration or migration is successful.
6. On a new system, restore other application data, such as EVFS, if needed.
5 On-Demand Encryption This chapter describes the TCS mechanisms for on-demand encryption and decryption. There are a number of mechanisms for protecting files on HP-UX. One of those mechanisms, EVFS, provides a solution for encrypting entire volumes of sensitive information. Inherent with this protection is a need for key management, recovery, data management, and other processes for ensuring the security and availability of that information.
6 EVFS Keys with HP-UX TCS
This chapter explains using HP-UX TCS to protect EVFS private keys. This chapter addresses the following topics:
• “Overview” (page 29)
• “User Interface” (page 30)
• “Configuration” (page 31)
• “Key Storage and Management” (page 31)

Overview
One benefit of HP-UX TCS is the secure storage it offers for protecting application sensitive information, boosting overall application security.
the private key. In a configuration where the system must boot without an administrator in attendance to enter in the passphrase, the passphrase itself can be stored and protected on the system using system-intrinsic information. On a system with a TPM that is running HP-UX TCS, the key management solution described above can be made more secure. Instead of using a passphrase to protect the private key directly, you can protect the private key using a TPM key.
    pKcep0NVZVXzwJoLorVKkVsrKdqM+609OGP+EPtcqCQRh32TUQTzN1ZJ0qZKV3y1
    TlzYFeHTSZOLRQsUDvSwhIAAaMyMy+Ebs2awHVMW1Nc=
    -----END EVFS ENCRYPTED PRIVATE KEY-----

After creating a volume and associating the EVFS encrypted private key with the volume, you must enable the volume using the evfsvol enable command. To enable the volume, the evfsvol command must make the user's private key available to the kernel by prompting the user for a password, then invoking the libevfs_tcspbe.so.1 library to decrypt the private key.
7 Advanced HP-UX TCS Administration The majority of the day-to-day management of the TPM can be accomplished with a few simple commands, as described in Chapter 4 (page 23). However, the TCS management commands also offer many options for advanced administration. A selection of these command options are described in this chapter.
The tpmlist keys command searches for keys matching the specified criteria. In the following example, tpmlist keys searches for all keys that are descendants of the RK.

    Note: key 00000000-0000-0000-0000-000000000001 can not be deleted.
    Note: key 00000000-0000-0000-0000-000000000002 can not be deleted.
    Are you sure you want to delete the above 146 key(s)? (y|n): y
    …
    Deleting key 142: 8a7ed68e-5ece-4d71-9ec1-429bdf9960f1 ...
    Deleting key 143: 411957a5-9279-491c-a903-95dab264f239 ...
    Deleting key 144: 5f5308b3-031e-4097-85e7-f5e875ef8b31 ...
    Deleting key 145: 8609a773-f862-41ce-8c5b-51c1f524972f ...
    Deleting key 146: 9715a011-9d6d-4199-aa84-1d3695c07407 ...
each product has specific guidelines for key propagation according to how and where the keys are stored. The following procedure illustrates the configuration of HP-UX TCS key protection for EVFS volumes. EVFS provides key-protected encrypted volumes and is supported on active/passive cluster configurations. To enable HP-UX TCS key protection on cluster-defined EVFS volumes, follow these steps: 1. 2. In the most general case, you can define separate EVFS volumes locally on a node and as part of a cluster.
8 HP-UX TCS Troubleshooting and Known Issues
This chapter describes potential HP-UX TCS problems. It addresses the following topics:
• “Troubleshooting tcsd” (page 37)
• “Troubleshooting EVFS/HP-UX TCS Integration” (page 38)
• “The tpmadm restore Command Fails” (page 38)
• “Commands Fail When Run as a Non-Privileged User” (page 38)
• “Reporting Problems” (page 38)

Troubleshooting tcsd
The main entry point for applications accessing the TPM is through tcsd, which is closely tied to the TPM driver.

6. If the /etc/opt/tcs directory is not accessible, or the system persistent storage (system.data) is corrupted, tcsd does not start.
7. The TPM device driver might not have been installed or configured properly.
8. For HP-UX TCS system data restoration, see Chapter 7 (page 33).
9. Make sure the TPM is owned, enabled, and activated.
10. Use the swconfig TCS command or enable the TPM. See Chapter 2 (page 13).
or by calling HP Support. If your warranty has expired or if you do not have a valid support contract for your product, you can still obtain support services for a fee, based on the amount of time and material required to solve your problem. 4. If you are asked to supply any information pertaining to the problem, gather the requested information and submit it.
A TSPI APIs
The authoritative Trusted Computing Group (TCG) Transport Service Provider Interface (TSPI) reference document (TSS specification) is available at the TCG website at: http://www.trustedcomputinggroup.org
The current version of HP-UX TCS contains version 0.2.8 of the TrouSerS stack implementation. A good source of sample TSPI code is located at the TrouSerS website at: http://trousers.sourceforge.net/
Table A-1 lists the TSPI (TrouSerS) APIs and indicates if they are supported with HP-UX TCS.

Table A-1 Supported TSPI APIs (continued)
TSPI Function                          Supported   Notes
Tspi_Context_GetKeyByPublicInfo        Yes
Tspi_Context_GetRegisteredKeysByUUID   Yes
Tspi_Policy
Tspi_SetAttribUint32                   Yes
Tspi_GetAttribUint32                   Yes
Tspi_SetAttribData                     Yes
Tspi_GetAttribData                     Yes
Tspi_Policy_SetSecret                  Yes
Tspi_Policy_FlushSecret                Yes
Tspi_Policy_AssignToObject             Yes
Tspi_TPM
Tspi_SetAttribUint32                   Yes
Tspi_GetAttribUint32                   Yes
Tspi_SetAttribData                     Yes
Tspi_GetAttribData                     Yes
Tspi_TPM_CreateEndorsementKey          N

Table A-1 Supported TSPI APIs (continued)
TSPI Function                          Supported   Notes
Tspi_TPM_AuthorizeMigrationTicket      Yes
Tspi_TPM_GetEvent                      Yes
Tspi_TPM_GetEvents                     Yes
Tspi_TPM_GetEventLog                   Yes
Tspi_TPM_Quote                         Yes
Tspi_TPM_PcrExtend                     Yes
Tspi_TPM_PcrRead                       Yes
Tspi_TPM_DirWrite                      Yes
Tspi_TPM_DirRead                       Yes
Tspi_ChangeAuth                        Yes
Tspi_GetPolicyObject                   Yes
Tspi_Key
Tspi_SetAttribUint32                   Yes
Tspi_GetAttribUint32                   Yes
Tspi_SetAttribData                     Yes
Tspi_GetAttribData                     Yes
Tspi_Key_LoadKey                       Yes
Tspi_Key_UnloadKey

Table A-1 Supported TSPI APIs (continued)
TSPI Function                          Supported   Notes
Tspi_SetAttribData                     Yes
Tspi_GetAttribData                     Yes
Tspi_Data_Bind                         Yes
Tspi_Data_Unbind                       Yes
Tspi_Data_Seal                         Yes
Tspi_Data_Unseal                       Yes
Tspi_ChangeAuth                        Yes
Tspi_ChangeAuthAsym                    No          Not implemented
Tspi_GetPolicyObject                   Yes
Tspi_PcrComposite
Tspi_PcrComposite_SelectPcrIndex       Yes
Tspi_PcrComposite_SetPcrValue          Yes
Tspi_PcrComposite_GetPcrValue          Yes
Callback
Tspicb_CallbackHMACAuth                No          Callback routines are not supported T
B Sample TSS Application
This sample program creates and registers a new key in TSS. The new key is then used to encrypt a secret. The results are displayed in the output. Makefile.hpux and example.c are located in the /opt/tcs/src/example/ directory. The make -f Makefile.hpux command compiles both 32-bit and 64-bit versions of example.c.

Example of Makefile.hpux:
    CC=cc
    INC=/opt/tcs/include
    LIBS=-L/usr/lib -ltspi -lcrypto
    CFLAGS=-Ae -I$(INC) -DHPUX -g
    all: example example64
    example: example.

    // Connect to TCSD
    if (host) {
        tResult = Tspi_Context_Connect(hContext,
                      (UNICODE *)Trspi_Native_To_UNICODE((BYTE *)host, NULL));
    } else {
        tResult = Tspi_Context_Connect(hContext, NULL);
    }
    if (tResult != TSS_SUCCESS) {
        fprintf(stderr, "Tspi_Context_Connect failed. Error: %s\n",
                Trspi_Error_String(tResult));
        goto out_close;
    }

    // Get a software representation of the TPM
    if (Tspi_Context_GetTpmObject(hContext, &hTpm) != TSS_SUCCESS) {
        fprintf(stderr, "Tspi_Context_GetTpmObject failed.

    // Create the encrypted blob object (in software)
    tResult = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_ENCDATA,
                                        dataInitFlags, &hEncData);
    if (tResult != TSS_SUCCESS) {
        fprintf(stderr, "Tspi_Context_CreateObject failed. Error: %s\n",
                Trspi_Error_String(tResult));
        goto out_close;
    }

    // Set blob password to NULL
    tResult = Tspi_GetPolicyObject(hEncData, TSS_POLICY_USAGE, &hPolicy);
    if (tResult != TSS_SUCCESS) {
        fprintf(stderr, "Tspi_GetPolicyObject failed.
    uuid->usTimeHigh |= (4 << 12);      // mark the UUID as version 4 (random)
    uuid->bClockSeqHigh &= 0x3F;
    uuid->bClockSeqHigh |= 0x80;        // RFC 4122 variant bits
    return uuid;
}

void usage()
{
    fprintf(stderr, "usage: tpm_addsecret [-p password] [-s secretdata] [-h host]\n");
}

// Print a blob as hex, 32 bytes per line
void printHex(BYTE *blob, UINT32 blobLen)
{
    UINT32 i;
    for (i = 0; i < blobLen; i++) {
        fprintf(stdout, "%02x", blob[i]);
        if ((i + 1) % 32 == 0) {
            fprintf(stdout, "\n");
        }
    }
}
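The example.c fragment above stamps version and variant bits into a TSS_UUID, and the tpmadm delete output in Chapter 7 shows both the dashed form in which such UUIDs are printed and the two reserved UUIDs (...0001 and ...0002) that cannot be deleted. The following block is an added example, not code from the manual or from TrouSerS: it assumes the TSS 1.1 TSS_UUID field layout (declared inline rather than taken from the TSS headers), adds the version-nibble clearing that the fragment leaves to surrounding code, and provides the render and reserved-key checks.

```c
/* Added example, not HP's or TrouSerS' code.  Mirrors the TSS 1.1 TSS_UUID
 * layout (assumed here; the real definition lives in the TSS headers), stamps
 * the version-4 / RFC 4122 bits as example.c does, renders the dashed form
 * that tpmlist prints, and recognises the reserved UUIDs tpmadm will not delete. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t ulTimeLow;
    uint16_t usTimeMid;
    uint16_t usTimeHigh;
    uint8_t  bClockSeqHigh;
    uint8_t  bClockSeqLow;
    uint8_t  rgbNode[6];
} TSS_UUID;

/* Clear the version nibble before setting it, so random fill bits cannot leave
 * a bogus version behind; then set the RFC 4122 variant in bClockSeqHigh. */
void uuid_set_v4_bits(TSS_UUID *uuid)
{
    uuid->usTimeHigh = (uint16_t)((uuid->usTimeHigh & 0x0FFF) | (4 << 12));
    uuid->bClockSeqHigh = (uint8_t)((uuid->bClockSeqHigh & 0x3F) | 0x80);
}

/* 1 if the UUID carries the version-4 and RFC 4122 variant bits. */
int uuid_is_v4(const TSS_UUID *u)
{
    return (u->usTimeHigh >> 12) == 4 && (u->bClockSeqHigh & 0xC0) == 0x80;
}

/* 1 for 00000000-0000-0000-0000-00000000000{1,2}, which tpmadm refuses to delete. */
int uuid_is_reserved(const TSS_UUID *u)
{
    static const uint8_t zero[5] = {0};
    return u->ulTimeLow == 0 && u->usTimeMid == 0 && u->usTimeHigh == 0 &&
           u->bClockSeqHigh == 0 && u->bClockSeqLow == 0 && memcmp(u->rgbNode, zero, 5) == 0 &&
           (u->rgbNode[5] == 1 || u->rgbNode[5] == 2);
}

/* Render in the 8-4-4-4-12 form shown by tpmlist; buf must hold 37 bytes. */
void uuid_to_string(const TSS_UUID *u, char *buf)
{
    sprintf(buf, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
            (unsigned)u->ulTimeLow, u->usTimeMid, u->usTimeHigh, u->bClockSeqHigh, u->bClockSeqLow,
            u->rgbNode[0], u->rgbNode[1], u->rgbNode[2], u->rgbNode[3], u->rgbNode[4], u->rgbNode[5]);
}

int main(void)
{   /* key 142 from the tpmadm delete output in Chapter 7 */
    TSS_UUID k = {0x8a7ed68e, 0x5ece, 0x4d71, 0x9e, 0xc1, {0x42, 0x9b, 0xdf, 0x99, 0x60, 0xf1}};
    char buf[37];
    uuid_to_string(&k, buf);
    printf("%s v4=%d reserved=%d\n", buf, uuid_is_v4(&k), uuid_is_reserved(&k));
    return 0;
}
```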
Glossary
API     Application Programming Interface. The definition of a set of functions that a library supports.
DLKM    Dynamically Loadable Kernel Module. A kernel module that can be installed without requiring a system reboot.
EVFS    HP-UX Encrypted Volumes and File Systems. EVFS protects data by encrypting data volumes to protect data at rest, that is, data on disks. EVFS can also be used to create encrypted backup media.