Initializing and Backing Up TPM on Oracle Solaris Systems

Language:

This section contains procedures for initializing TPM on Oracle Solaris systems and for backing up TPM data and keys. The procedures vary between SPARC and x86 systems. However, to initialize TPM, certain prerequisites are common for both platforms.

The TPM device /dev/tpm must be installed on the system.
TPM must be using TCG Trusted Platform Module specification Version 1.2, otherwise known as ISO/IEC 11889-1:2009. Refer to the specification published in https://trustedcomputinggroup.org//tpm-main-specification/.
The following Oracle Solaris TPM packages must be installed:
- Trusted Platform Module driver (driver/crypto/TPM)
- TrouSerS TCG software (library/security/trousers)
To install these packages, use the following commands:
```
# pkg install driver/crypto/tpm
# pkg install library/security/trousers
```

How to Check Whether the TPM Device Is Recognized by the Operating System

Use this procedure to determine whether Oracle Solaris recognizes the installed TPM device. This procedure applies to both SPARC and x86 systems.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

In a terminal window, issue the following command:
```
# prtconf -v |grep tpm
```
If the TPM device is recognized, the command generates output similar to the following:
```
# prtconf -v |grep tpm
tpm, instance #0
dev_path=/pci@0,0/isa@lf/tpm@0,fed40000:tpm
dev_link=/dev/tpm
```
If no output is generated, then TPM might be disabled. For information about how to enable the device, see either How to Initialize TPM Using the Oracle ILOM Interface or How to Initialize TPM Using BIOS depending on your system's platform.
Note - As an alternative, you can also use the ls command to obtain the same information. However, the output would contain less information than the prtconf command provides.
```
# ls -l /dev/tpm
lrwxrwxrwx  1 root root  44 May 22 2012 /dev/tpm ->
../devices/pci@0,0/isa@lf/tpm@0,fed40000:tpm
```

SPARC: How to Initialize TPM Using the Oracle ILOM Interface

On SPARC systems, you use both the system's ILOM and Oracle Solaris interfaces to initialize TPM.

This procedure includes instructions for backing up the TPM data and keys.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

At the ILOM prompt, stop the host system.
- For single-host servers:
```
-> stop /System
```
- For multidomain servers:
```
-> stop /Servers/PDomains/PDomain_n/HOST
```
Stopping the server can take some time. You must wait until the host console displays the following message before proceeding to the next step.
```
-> SP NOTICE: Host is off
```
Note - Add the –f|force option to stop the host system only if the preceding step does not shut down the host.
Activate TPM.
Activate TPM with one of the following sets of commands depending on the SPARC system.
- On SPARC M5-Series servers and SPARC T5-Series servers, use the following command:
```
-> set /HOST/tpm mode=activated
```
- On SPARC M5-32 Series servers, use the following command:
```
-> set /HOST0/tpm mode=activated
```
- On SPARC T4 servers, use the following commands:
```
-> set /HOST/tpm enable=true activate=true
-> show /HOST/tpm
```
At the Oracle Solaris prompt, initialize TPM.
Initializing TPM causes you to become a TPM owner and requires you to assign an owner password, also called the Owner PIN.
```
# tpmadm init
TPM Owner PIN:
Confirm TPM Owner PIN
```

Verify the status of TPM.

# tpmadm status
TPM Version: 1.2 (ATML Rev: 13.9, SpecLevel: 2, ErrataRev: 1)
TPM resources
Contexts: 16/16 available
Sessions: 2/3 available
Auth Sessions: 2/3 available
Loaded Keys: 18/21 available
Platform Configuration Registers (24)
PCR 0: E1 EE 40 D8 66 28 A9 08 B6 22 8E AF DC 3C BC 23 71 15 49 31
PCR 1: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 2: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 3: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 4: AF 98 77 B8 72 82 94 7D BE 09 25 10 2E 60 F9 60 80 1E E6 7C
PCR 5: E1 AA 8C DF 53 A4 23 BF DB 2F 4F 0F F2 90 A5 45 21 D8 BF 27
PCR 6: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 7: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Back up TPM data and keys for future use during system migration or hardware replacement.
- For multidomain systems with Oracle Solaris installed, enable failover of the SP board that contains the TPM.
```
# tpmadm failover
Enter TPM Owner PIN:
Enter PIN for the migration key:
Confirm PIN for the migration key:
```
  Note - The TPM owner PIN is the PIN used when TPM was initialized.
  
  Make a note of the PIN you supply for the migration key, so you can use that PIN to backup and restore the TPM keystore for future system migrations or hardware replacements. For more information, see TPM Failover Option and the tpmadm(1M) man page.
- For all other platforms, perform a manual backup of TPM data and keys. For instructions, see How to Back Up TPM Data and Keys.
(Optional) Enable the TPM crypto provider.
Note - The TPM crypto provider is slower than Oracle Solaris. Perform this step only if you want TPM to perform cryptographic operations.
```
# cryptoadm install provider='/usr/lib/security/$ISA/pkcs11_tpm.so'
# cryptoadm list -mv provider='/usr/lib/security/$ISA/pkcs11_tpm.so'
```

SPARC: How to Back Up TPM Data and Keys

After you boot the system for the first time, you should back up the TPM data and keys so that they could be used during future system migrations or hardware replacements.

For multi-domain systems with Oracle Solaris installed, use the tpmadm failover command to specify that TPM data and keys are automatically backed up to the Standby SP on the server. You can use the backed-up TPM data and keys on the new SP for a system migration or hardware replacement. For instructions, see the backup step in How to Initialize TPM Using BIOS.

For all other platforms, use the following procedure to manually back up TPM data and keys for use during a system migration or hardware replacement.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

In a terminal window, ensure that TPM is enabled.
```
# tpmadm status
```
If the system notes that no TPM owner is installed, TPM is not initialized. Do not proceed.
Back up the migration data using the ID of the storage root key (SRK).
```
#  tpmadm migrate export 00000000-0000-0000-0000-00000000000b
```
If the key requires authorization, the system will prompt you for a key password. You will also be prompted for the migration key password.

Verify that the data has been backed up by locating the migration files in /var/tpm/system.

# ls -l /var/tpm/system/tpm-migration.*
-rw-------   1 root  root  563 July 21 10:45 /var/tpm/system/tpm-migration.dat
-r--------   1 root  root  766 July 21 10:36 /var/tpm/system/tpm-migration.key

x86: How to Initialize TPM Using BIOS

On x86 systems, you perform steps on the system's BIOS before initializing the service using Oracle Solaris.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

In a terminal window, reboot the system.
```
# reboot -p
```
While the system is booting, press F2 to access the BIOS menu.
Using BIOS menu options, configure TPM.
1. Navigate to Advanced → Trusted Computing.
2. Set TPM by specifying values for the following menu items.
```
TCG/TPM Support [Yes]
Execute TPM Command [Enabled]
```
3. Press the Esc key to exit the BIOS menu.
4. Choose Save Changes and Exit.
5. To proceed with the boot process, choose Ok.
After the boot process is completed, enable the tcsd daemon.
```
# svcadm enable -s svc:/application/security/tcsd
```
Initialize TPM.
Initializing TPM causes you to become a TPM owner and requires you to assign an owner password.
```
# tpmadm init
TPM Owner PIN:
Confirm TPM Owner PIN
```

Verify the status of TPM.

# tpmadm status
TPM Version: 1.2 (ATML Rev: 13.9, SpecLevel: 2, ErrataRev: 1)
TPM resources
Contexts: 16/16 available
Sessions: 2/3 available
Auth Sessions: 2/3 available
Loaded Keys: 18/21 available
Platform Configuration Registers (24)
PCR 0: E1 EE 40 D8 66 28 A9 08 B6 22 8E AF DC 3C BC 23 71 15 49 31
PCR 1: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 2: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 3: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 4: AF 98 77 B8 72 82 94 7D BE 09 25 10 2E 60 F9 60 80 1E E6 7C
PCR 5: E1 AA 8C DF 53 A4 23 BF DB 2F 4F 0F F2 90 A5 45 21 D8 BF 27
PCR 6: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 7: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR 23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

(Optional) Enable the TPM crypto provider.
Note - The TPM crypto provider is slower than Oracle Solaris. Perform this step only if you want TPM to perform cryptographic operations.
```
# cryptoadm install provider='/usr/lib/security/$ISA/pkcs11_tpm.so'
# cryptoadm list -mv provider='/usr/lib/security/$ISA/pkcs11_tpm.so'
```

How to Enable PKCS #11 Consumers to Use TPM as a Secure Keystore

Before You Begin

To perform this procedure, you must install and enable TPM on the system. Ensure that the tcsd daemon is also running.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

(Optional) If the TPM PKCS #11 token provider has not been installed, install that provider.
Note - To see if this step needed, check that the pkcs11_tpm.so provider is included when you run the cryptoadm list command.
```
# pkg install pkcs11_tpm
# cryptoadm install provider='/usr/lib/security/$ISA/pkcs11_tpm.so'
```

Verify that the TPM device is installed.

# ls -alF /dev/tpm
lrwxrwxrwx 1 root 39 Dec 27 2011 /dev/tpm -> ../devices/pci@0,0/isa@1/tpm@1,1670:tpm

Enable the tcsd daemon.
```
# svcadm enable tcsd
```
(Optional) If no TPM owner has been installed, initialize the TPM.
Note - To see if this step is needed, run the tpmadm status command.
```
# tpmadm init
```
Initialize the personal TPM-protected token storage area.
```
$ pktool inittoken currlabel=TPM
```
Note - All individual users must perform this step.
Set the token PIN for the security officer.
```
$ pktool setpin token=tpm/TPM usertype=so
```
Set the user's PIN.
```
$ pktool setpin token=tpm/TPM
```
Generate keys and certificates that use the TPM device by specifying the token name that was used when the token was initialized.
```
$ pktool gencert token=tpm/TPM -i
$ pktool list token=tpm/TPM
```
Any existing applications that already use the Cryptographic Framework in libpkcs11 can use the TPM token for their operations by making the applications select the TPM token device for the sessions.

Example 2 Enabling PKCS #11 Consumers to Use TPM

In this example, the TPM token is first assigned a new name. All subsequent actions on the token refer to the new name.

$ pktool inittoken currlabel=TPM newlabel=JanDoeTPM
$ pktool setpin token=tpm/JanDoeTPM so
$ pktool gencert token=tpm/JanDoeTPM -i
$ pktool list token=tpm/JanDoeTPM