custom_TPM2SoftwareStack - nsacyber/HIRS GitHub Wiki

HIRS TPM 2.0 Provisioner Custom TPM2 Software Stack Installation Guide

This brief guide is designed to provide both end-users and developers with a rapid walkthrough on installing the TPM2 Software Stack necessary for the HIRS TPM 2.0 Provisioner to function. This is useful and necessary when alternate TPM2 Library versions are desired/required and are not present in the target environment's package repository for easy installation or the target environment is offline.

For experienced users who simply need to install the necessary TPM 2.0 Libraries and have the rest of the necessary pre-requisites, feel free to jump to the section on Building/Installing TPM2-TSS and TPM2-Tools From Source.

(NOTE: This is presently the only means for supporting Ubuntu and other non-RHEL-based Unix environments.)

Environment Setup

As with the standard build/installation process, the target packaging/installation environment will require some pre-requisite dependencies to be installed to successfully navigate the remainder of this guide.

These dependencies are as follows:

  • Autoconf
  • Autoconf-Archive
  • Automake
  • Libtool
  • PkgConfig
  • m4
  • GCC (w/ C++ Extensions)
  • OpenSSL Development Libraries
  • SSH2 Development Libraries (RHEL-based environments)
  • Build-Essential (Debian-based environments)

NOTE: These dependencies may have some overlap with the regular TPM 2.0 Provisioner Build and Install, but they are not identical and care should be taken to install all dependencies specified by the HIRS guides.

Dependency Install Commands

The following commands have been provided to quickly install the necessary dependencies for known supported environments.

Debian

sudo apt-get install autoconf autoconf-archive automake libtool pkg-config m4 gcc g++ build-essential libssl-dev

RHEL

sudo yum install autoconf autoconf-archive automake libtool pkgconfig m4 gcc-c++ libssh2-devel openssl-devel

Building/Installing TPM2-TSS and TPM2-Tools From Source

This is the most critical portion of this walkthrough and should be followed as closely as possible. Please make sure the installation environment is set up per the previous section before attempting any building/installation.

The HIRS TPM 2.0 Provisioner relies on the tpm2-tss library and tpm2-tools toolkit to function properly. Both of these dependencies have undergone numerous revisions and updates and not all of them could be vetted, much less supported. That being said, the most important thing to note is that, as of the time of this writing, the TPM 2.0 Provisioner is known to handle tpm2-tools Version 3.X.X.

It is highly recommended that any custom installation restrict itself to the aforementioned major version, coupled with compatible supporting versions of tpm2-tss and tpm2-abrmd. For a quick reference, please consult the dependency versioning chart for these libraries.

Getting the Source

It is left to the reader's discretion to determine the best means to retrieve the tpm2-tss, tpm2-abrmd, and tpm2-tools libraries' source code from GitHub or otherwise. That being said, please use a tagged 3.X.X version for tpm2-tools, as the master branch could increment to 4.X.X, which is unsupported.

Getting the Source Example Commands

TPM2-TSS
wget https://github.com/tpm2-software/tpm2-tss/releases/download/1.3.0/tpm2-tss-1.3.0.tar.gz
TPM2-Abrmd
wget https://github.com/tpm2-software/tpm2-abrmd/releases/download/1.3.1/tpm2-abrmd-1.3.1.tar.gz
TPM2-Tools
wget https://github.com/tpm2-software/tpm2-tools/releases/download/3.0.1/tpm2-tools-3.0.1.tar.gz

Building/Installing the Source

Once a source package has been procured and made available on the target environment, then the reader should be able to install the dependencies using the provided example commands with minimal, if any, modifications.

Building/Installing the Source Example Commands

TPM2-TSS
tar -xzf tpm2-tss-1.3.0.tar.gz
pushd tpm2-tss-1.3.0
./configure --prefix=/usr
make -j5
sudo make install
popd
TPM2-Abrmd
tar -xzf tpm2-abrmd-1.3.1.tar.gz
pushd tpm2-abrmd-1.3.1
./configure --with-dbuspolicydir=/etc/dbus-1/system.d --with-udevrulesdir=/usr/lib/udev/rules.d --with-systemdsystemunitdir=/usr/lib/systemd/system --libdir=/usr/lib64 --prefix=/usr
make -j5
sudo make install
popd
TPM2-Tools
tar -xzf tpm2-tools-3.0.1.tar.gz
pushd tpm2-tools-3.0.1
./configure --prefix=/usr
make -j5
sudo make install
popd

With these libraries installed, the reader should be able to continue building and packaging the HIRS TPM 2.0 Provisioner as directed from the Build guide.

For readers looking to simply install the TPM 2.0 Provisioner who have installed the pre-requisite libraries from above and have secured an installation package for their chosen environment (RPM, DEB, etc.), there are several courses of action to consider.

It is recommended for RHEL-based users to follow the instructions in the formal Installation guide.

For Debian-based users, the following command can be used:

sudo apt install ./HIRS_Provisioner_TPM_2_0*.deb

For all other users, please consult your operating system's general means for supporting package installation. At this time, anything aside from CentOS and Ubuntu should be considered the wild west and your mileage will definitely vary.

Post-Installation

After installing the desired TPM2 Software Stack, some minor configuration is recommended regarding the TPM2-Abrmd daemon.

Adding the tss User and User Group

It is suggested that tpm2-abrmd be run as an unprivileged user, as opposed to root. As such, TPM2-Abrmd is configured to run using the tss user account. To create this user and its corresponding user group, the following command is provided as a quick reference:

sudo useradd --system --user-group tss

Running the Daemon Manually

Once TPM2-Abrmd is installed, it is recommended that it be configured to run as a service on system boot. Alternatively, one can start the daemon manually. The following commands have been provided to demonstrate this on systems with either a Hardware TPM or a TPM 2.0 Simulator (Software TPM).

Hardware TPM

sudo -u tss tpm2-abrmd &

Software TPM

sudo -u tss tpm2-abrmd --tcti=socket &
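As an added example (not part of the HIRS wiki), the POSIX sh script below checks a host against the two points this guide stresses: tpm2-tools must be on the supported 3.X.X line, and tpm2-abrmd must be running as the unprivileged tss user rather than root. It assumes that tpm2-tools 3.x binaries print their version when invoked with -v (as in tpm2_startup -v); that is an assumption about the toolchain, not something this page states.

```shell
#!/bin/sh
# Added post-install sanity checks for a custom TPM2 software stack.
# Not part of the HIRS project; written against what the guide above states.

# major_of VERSION: print the major component of a dotted version ("3.0.1" -> "3").
major_of() {
  printf '%s\n' "${1%%.*}"
}

# tools_version_supported VERSION: succeed only for the 3.X.X line the
# TPM 2.0 Provisioner is known to handle; 4.X.X and anything else fails.
tools_version_supported() {
  [ "$(major_of "$1")" = "3" ]
}

# parse_tool_version TEXT: pull the first dotted version number out of a
# tool's -v output, e.g. 'tool="tpm2_startup" version="3.0.1" tctis="..."'.
# (Assumed output format; prints nothing if no version is present.)
parse_tool_version() {
  printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9.]*' | head -n 1
}

# abrmd_runs_unprivileged PS_TEXT: given the output of "ps -eo user=,comm=",
# succeed only if tpm2-abrmd is running and every instance is owned by tss.
abrmd_runs_unprivileged() {
  printf '%s\n' "$1" | awk '
    $2 == "tpm2-abrmd" { seen = 1; if ($1 != "tss") bad = 1 }
    END { if (seen && !bad) exit 0; exit 1 }'
}

# check_host: run the checks against the live system.
check_host() {
  ver=$(parse_tool_version "$(tpm2_startup -v 2>&1)")
  if ! tools_version_supported "$ver"; then
    echo "tpm2-tools '$ver' is not on the supported 3.X.X line" >&2
    return 1
  fi
  getent passwd tss >/dev/null || { echo "tss user is missing" >&2; return 1; }
  abrmd_runs_unprivileged "$(ps -eo user=,comm=)" \
    || { echo "tpm2-abrmd is not running as tss" >&2; return 1; }
  echo "tpm2-tools $ver supported; tpm2-abrmd running as tss"
}

# Only touch the live system when explicitly asked (RUN_CHECKS=1 ./check.sh).
if [ "${RUN_CHECKS:-0}" = "1" ]; then
  check_host
fi
```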

Enabling the Service on Boot

In addition to adding the new user account and group, TPM2-Abrmd should be configured to start on system boot. TPM2-Abrmd provides a Systemd service file during installation that should allow for enabling this quickly. The following commands have been provided to quickly enable it as a system service for environments that support Systemd.

(IMPORTANT: This section can and should be skipped if a Software TPM is being used in place of a physical TPM-device, unless the Software TPM is also being enabled on boot.)

If you just installed TPM2-Abrmd, then Systemd needs to be reloaded.

systemctl daemon-reload

If Systemd has been reloaded from either the above command or a system reboot, then the following command will enable TPM2-Abrmd as a service that will begin on system boot.

systemctl enable tpm2-abrmd.service

Additional Considerations

For any other issues, troubleshooting, or custom configuration, e.g. configuring SELinux, please consult the TPM2-Abrmd Install Guide.