AIX 7.3 TL3 SP1 introduces support for Trusted Platform Module 2.0 (TPM 2.0) which can be enabled on IBM Power10 and Power11 systems. This support aligns with modern security standards and provides a foundation for trusted boot and remote attestation, in compliance with the TPM 2.0 specifications defined by the Trusted Computing Group (TCG). TCG is a non-profit organization that develops and promotes open, vendor-neutral, global industry standards for trusted computing and security technologies.
Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a cryptographically secured device embedded in Power platform that stores various measurements securely which can later be retrieved to view the entire booting sequence of the system.
The following is the reference architecture for TPM:
The secured IO is the input/output path through which all the interactions happen with the TPM device. TPM contains different components like –
Cryptographic Processor, which has the implementation of all the various cryptographic algorithms
Persistent Memory, which is the memory segment in which the data resides across reboots
Versatile Memory where the data does not reside across reboots
TPM uses persistent memory to store long-term cryptographic keys. Two key components stored are Endorsement Key(EK) and Storage Root Key(SRK) which forms the basis of TPM’s key hierarchy.
Endorsement Key (EK) : EK is a unique public/private key pair embedded directly into TPM. This EK is exclusive to each TPM. The private key never leaves the TPM and public key is used to verify authenticity of the TPM.
Storage Root Key (SRK) : The SRK acts as root key for other keys generated within the TPM. It protects the other keys generated by the applications.
The key functions of the TPM include:
1. TPM ensures the integrity of the boot process by recording cryptographic hashes of firmware and operating system components into Platform Configuration Registers (PCRs).
2. PCRs securely store and report integrity measurements that reflect the state of the software components during the boot process. These measurements help detect unauthorized changes and determine whether the system should proceed with the booting.
3. Remote attestation is a process in which device’s hardware and software integrity is verified by a remote party. The client uses signed PCR values from TPM to provide cryptographic proof of its current system state. These signed values are sent to a remote server, which checks the integrity of PCRs values to assess the trustworthiness of the client device.
Virtual Trusted Platform Module (vTPM)
A virtual Trusted Platform Module 2.0 (vTPM 2.0) is a virtual version of the traditional TPM 2.0 hardware chip. It provides the same core security functionalities such as a physical TPM such as cryptographic key storage, attestation and random number generation enabling virtual machines to use TPM functionalities. On Power platforms, TPM capability is provided as virtual entity for each partition by partition firmware (PFW).
File set Installation
To enable and use vTPM 2.0 in AIX, the following file sets must be installed:
Provides the device driver required to detect and interact with vTPM2.0
Provides a framework and interfaces for applications to interact with vTPM2.0
Provides a framework to enable remote attestation capabilities. It includes support for both attestation client and server.
These file sets are shipped as part of base media ISO image from AIX 7.3 TL3 SP1 onwards.
Verify File Set Installation
# lslpp -l | grep powersc
powerscStd.vtpm.rte 1.1.4.4 COMMITTED Virtual Trusted Platform
powerscStd.vtpm.rte 1.1.4.4 COMMITTED Virtual Trusted Platform
# lslpp -l | grep tss
ibmtss.base 2.4.1.0 COMMITTED IBM Trusted Secure Software
ibmtss.license 2.4.1.0 COMMITTED IBM Trusted Secure Software
ibmtss.base 2.4.1.0 COMMITTED IBM Trusted Secure Software
# lslpp -l | grep acs
ibmacs.base.client 1.1.0.0 COMMITTED TPM Attestation - client
ibmacs.base.server 1.1.0.0 COMMITTED TPM Attestation - server
ibmacs.license 1.1.0.0 COMMITTED TPM Attestation client server
ibmacs.base.client 1.1.0.0 COMMITTED TPM Attestation - client
ibmacs.base.server 1.1.0.0 COMMITTED TPM Attestation – server
Enable vTPM 2.0 in AIX
vTPM2.0 is supported on both Power10 and Power11 platforms. It can be enabled for AIX systems through the Hardware Management Console (HMC)
Steps to Enable VTPM 2.0 on Virtual Machine:
1. Shutdown the virtual machine on which vTPM 2.0 needs to be enabled.
2. Login to HMC. Navigate to Systems -> select the target system -> click on desired virtual machine -> go to partition properties
3. Check the box labelled Virtualized Trusted Platform Module(vTPM) -> select the desired encryption level
Note: On Power 11, only vTPM 2.0 version is supported while on Power10 both vTPM1.2 and vTPM2.0 are supported.
Verify vTPM is enabled
# lsdev | grep vtpm*
vtpm0 Available Virtual Trusted Platform Module (VTPM)
# lsdevinfo -c -q name="vtpm0"
name="vtpm0",status="1",chgstatus="0",ddins="vtpmdd",aixloc="",uniquetype="adapter/vdevice/IBM,vtpm20",class="adapter",subclass="vdevice",type="IBM,vtpm20",prefix="vtpm",devid="IBM,vtpm20",base="0",hasvpd="0",detectable="0",busext="0",fru="0",led="0",catalog="vtpm.cat",setno="1",msgno="1",driver="vtpmdd",define="/usr/lib/methods/define",configure="/usr/lib/methods/cfgvtpm",change="/usr/lib/methods/chggent",unconfigure="/usr/lib/methods/ucfgdevice",undefine="/usr/lib/methods/undefine",start="",stop="",inventory="0",timeout="30",trace_debug="no",desired_mapmem="256",path=(parent="vio0",connection="30000004",physloc="U9080.HEU.78BA5A8-V10-C4")
# odmget -q name=vtpm0 CuDv
CuDv:
name = "vtpm0"
status = 1
chgstatus = 0
ddins = "vtpmdd"
location = ""
parent = "vio0"
connwhere = "30000004"
PdDvLn = "adapter/vdevice/IBM,vtpm20"
Configure Client and Server for Remote Attestation on AIX
One of the prominent usecases of TPM device is attestation. This can be achieved using the files provided through ibmtss and ibmacs filesets.
The Trusted Software Stack (TSS) provides several command-line utilities for interacting with the vTPM. Before running any TSS commands, one must export the vTPM device.
For example:
# export TPM_DEVICE=”/dev/vtpm0”
Here is the snapshot of TSS commands
Attestation capabilities are provided by the Attestation Client Server (ACS) framework which includes both client and server components.
Currently AIX supports only pre-OS events.
The client component includes two key binaries:
· acsclientenroll : for client partitions to enroll with the attestation server
· acsclient: for sharing Platform Configuration Register (PCR) values and event logs from client to server
The server component includes single binary:
· acsserver: starts the attestation server on port 2323
To perform remote attestation, both the client and server must be configured properly. The following guide provides information about setting up attestation client and server on two separate AIX partitions.
Configure Attestation Server
Install AIX Toolbox packages on attestation server
NOTE: Some required file-sets, such as SQL database and community-mysql-libs etc are not included in the base AIX operating system. These are used by attestation server to store client information. To install these dependencies, one must install AIX Toolbox for Opensource Software
# Download the AIX Toolbox script. Get dnf_aixtoolbox.sh from here:
Get Started with the AIX Toolbox for Open Source Software
# Increase /opt and /tmp file system size
chfs -a size=+2G /opt; chfs -a size=+2G /opt
# Run the script to install DNF package manager
chmod 777 dnf_aixtoolbox.sh; dnf_aixtoolbox.sh -y
export PATH=$PATH:/opt/freeware/bin
# Use DNF to install the required packages from toolbox
dnf install <package name>
Example: dnf install json-c.ppc json-c-devel.ppc
# To check if package is installed
dnf list --installed json-c*
Install the Following Packages from AIX Toolbox
# dnf install json-c.ppc json-c-devel.ppc
# dnf install community-mysql-libs
# dnf install libstdc++10*
# dnf install pcre2
# dnf install httpd.ppc
# dnf install php.ppc php-mysqlnd
# dnf install mariadb10.11.ppc mariadb10.11-server.ppc
Setup Database for Attestation Server
# which mysql_install_db
/opt/freeware/bin/mysql_install_db
# /opt/freeware/bin/mysql_install_db
Installing MariaDB/MySQL system tables in '/opt/freeware/var/lib/mysql/data'...
OK
Start the mySQL Database
# /opt/freeware/libexec/mysqld --user=root --port=3306 --bind-address=127.0.0.1
(No output for this command)
Note: There is no password set for database now. We need to set the password for root user
Run mysql command line to set password for user root@localhost
# mysql
# show databases;
# use mysql; (use mysql database listed)
# show tables;
# select * from user; (select from user table)
# ALTER USER 'root'@'localhost' IDENTIFIED BY 'Passw0rd123';
# flush privileges;
# select * from user;
# quit;
Create tpm2 Database in mySQL
# mysql -u root -p
Enter password: Passw0rd123
# show databases;
# create database tpm2;
# show databases;
# quit;
Load the tpm2 Database with Tables
# mysql -D tpm2 -u root -p < /var/acs/dbinit.sql
Enter password: Passw0rd123
Create Keys and Certificates on Attestation Server
# mkdir /vtpm
# cd /vtpm
# openssl genrsa -out pcakey.pem -aes256 -passout pass:rrrr 2048
# openssl req -new -x509 -key pcakey.pem -out pcacert.pem -days 3560
Enter pass phrase for pcakey.pem: rrrr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:Yorktown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:AK CA
Email Address []:
(Note: Use AK CA as common name)
# openssl x509 -text -in pcacert.pem -noout
Configure Attestation Client
Provision Endorsement Key Certificates on Client
# mkdir /vtpm
# cd /vtpm
# export TPM_DEVICE="/dev/vtpm0"
One needs to provision the EK certificate CA signing keys if using the test environment. In the production environment, EK as a self signed certified is already provisioned by PFW and the below steps can be skipped. which can be based on RSA or ECC algorithm. Below is the example for both the algorithm methods.
Provision RSA EK Certificate CA signing Keys
# openssl genrsa -out cakey.pem -aes256 -passout pass:rrrr 2048
# openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
Enter pass phrase for cakey.pem: rrrr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:Yorktown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:EK CA
# openssl x509 -text -in cacert.pem -noout
# tpm2createekcert -rsa 2048 -cakey cakey.pem -capwd rrrr -v
Provision ECC EK Certificate CA signing Keys
# openssl genpkey -out cakeyecc.pem -outform PEM -pass pass:rrrr -aes256 -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve
# openssl req -new -x509 -key cakeyecc.pem -out cacertecc.pem -days 3650
Enter pass phrase for cakeyecc.pem: rrrr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:Yorktown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:EK EC CA
Email Address []:
# openssl x509 -text -in cacertecc.pem -noout
# tpm2createekcert -ecc nistp256 -cakey cakeyecc.pem -capwd rrrr -caalg ec -v
Once the EK certificate is provisioned, it needs to be copied to server for verification purpose.
# Copy the certificates from client to server
# scp /vtpm/cacert.pem root@<server machine>:/vtpm
# scp /vtpm/cacertecc.pem root@<server machine>:/vtpm
# Copy the certificates from server to client
# scp /vtpm/pcacert.pem root@<client machine>:/vtpm
# Update the rootcerts.txt file on the server with client certificate details
# cat /vtpm/rootcerts.txt
/vtpm/cacert.pem
/vtpm/cacertecc.pem
Set Environment Variables on both Client and Server
Export the following environment variables on client:
# export LIBPATH=/usr/opt/oss/lib/:$LIBPATH
Export the following environment variables on Server:
# export ACS_PORT=2323
# export ACS_SQL_PASSWORD="Passw0rd123"
# export ACS_SQL_HOST=127.0.0.1
# export ACS_SQL_PORT=3306
# export ACS_SQL_USERID=root
# export TPM_DEVICE="/dev/vtpm0"
# export PATH=/opt/freeware/bin/:$PATH (set if dnf or mysql commands fail with
command not found error)
Start Attestation Server in CLI and GUI
Start the server:
# cd /vtpm
# acsserver -root /vtpm/rootcerts.txt -imacert /etc/security/certificates/acs/imakey.der -vv
Start the server in web interface:
# /opt/freeware/sbin/apachectl_64 stop
# /opt/freeware/sbin/apachectl_64 start
In browser enter : http://<server hostname>/acs/machines.php
Client Enrollment and Attestation
Client enrollment is a one-time operation, while attestation can be performed as desired. To enroll the client with the server and perform attestation, follow the steps outlined below on the client system. One can use -v or -vv option for the verbose output.
Enroll client with server
# cd /vtpm
If using RSA algorithm
# acsclientenroll -alg rsa -ho <server hostname> -co akcert.pem -v
(or) with user-defined client machine name as below
# acsclientenroll -alg rsa -ma <machine name> -ho <server hostname> -co akcert.pem -v
Ex: acsclientenroll -alg rsa -ma lp9-vtpm-test-demo -ho lp10.aix-test.ibm.com -co akcert.pem -v
If using ECC algorithm
# acsclientenroll -alg ec -ho <server hostname> -co akeccert.pem -v (or)
# acsclientenroll -alg ec -ma <machine name> -ho <server hostname> -co akcert.pem -v
Verify the client is enrolled in GUI at http://<server hostname>/acs/machines.php
Perform attestation now
# date +"%F %T" > bootfile
# cat bootfile
# ls -l /var/adm/ras/trustedboot.log
If using RSA algorithm
# acsclient -alg rsa -ifb /var/adm/ras/trustedboot.log -ho <server hostname> -bf bootfile -v
(or) with user-defined client machine name
# acsclient -alg rsa -ma <machine name> -ifb /var/adm/ras/trustedboot.log -ho <server hostname> -bf bootfile -v
Ex: acsclient -alg rsa -ma lp9-vtpm-test-demo -ifb /var/adm/ras/trustedboot.log
-ho lp10.aix-test.ibm.com -bf bootfile -v
If using ECC algorithm
# acsclient -alg ec -ifb /var/adm/ras/trustedboot.log -ho <server hostname> -bf bootfile -v (or)
# acsclient -alg ec -ma <machine name> -ifb /var/adm/ras/trustedboot.log
-ho <server hostname> -bf bootfile -v
Verify the attestation results at http:// ://<server hostname>/acs/reports.php
Authors:
RajyaLakshmi Marathu (rajyalakshmi.marathu@in.ibm.com)
Sandeep Umesh (sanumesh@in.ibm.com)
References
1. https://github.com/kgoldman/ibmtss
2. https://github.com/kgoldman/acs
3. https://trustedcomputinggroup.org/resource/tpm-library-specification/