tcti-spi-ltt2go enhancement

- Replacing libusb_open_device_with_vid_pid() with appropriate APIs - Updating the unit tests - Adding udev rules and updating the documentation Signed-off-by: wenxin.leong <wenxin.leong@infineon.com>
tpm2-software · Jul 10, 2024 · 310e04f · 310e04f
1 parent f5d851e
commit 310e04f
Show file tree

Hide file tree

Showing 6 changed files with 420 additions and 99 deletions.
diff --git a/Makefile-test.am b/Makefile-test.am
@@ -543,16 +543,19 @@ test_unit_tcti_spi_ltt2go_CFLAGS  = $(CMOCKA_CFLAGS) $(TESTS_CFLAGS)
 test_unit_tcti_spi_ltt2go_LDADD   = $(CMOCKA_LIBS) $(libtss2_tcti_spi_helper)
 test_unit_tcti_spi_ltt2go_LDFLAGS = -Wl,--wrap=libusb_bulk_transfer \
                                    -Wl,--wrap=libusb_claim_interface \
+                                   -Wl,--wrap=libusb_open \
                                    -Wl,--wrap=libusb_close \
                                    -Wl,--wrap=libusb_control_transfer \
                                    -Wl,--wrap=libusb_dev_mem_alloc \
                                    -Wl,--wrap=libusb_dev_mem_free \
                                    -Wl,--wrap=libusb_exit \
                                    -Wl,--wrap=libusb_free_config_descriptor \
+                                   -Wl,--wrap=libusb_free_device_list \
                                    -Wl,--wrap=libusb_get_config_descriptor \
-                                   -Wl,--wrap=libusb_get_device \
+                                   -Wl,--wrap=libusb_get_device_list \
+                                   -Wl,--wrap=libusb_get_device_descriptor \
+                                   -Wl,--wrap=libusb_get_string_descriptor_ascii \
                                    -Wl,--wrap=libusb_init \
-                                   -Wl,--wrap=libusb_open_device_with_vid_pid \
                                    -Wl,--wrap=libusb_release_interface \
                                    -Wl,--wrap=libusb_set_auto_detach_kernel_driver \
                                    -Wl,--wrap=libusb_strerror \

diff --git a/Makefile.am b/Makefile.am
@@ -204,7 +204,8 @@ include Makefile-fuzz.am
 
 ### Distribution files ###
 # Add udev rule
-udevrules_DATA   = dist/tpm-udev.rules
+udevrules_DATA   = dist/tpm-udev.rules \
+                   dist/ltt2go-udev.rules
 
 # Adding user and developer information
 EXTRA_DIST += \
@@ -976,7 +977,8 @@ install-man: install-man3 install-man7
 	$(LN_S) -f Tss2_TctiLdr_Initialize.3 $(DESTDIR)$(man3dir)/Tss2_TctiLdr_Initialize_Ex.3
 endif #FAPI
 
-EXTRA_DIST += dist/tpm-udev.rules
+EXTRA_DIST += dist/tpm-udev.rules \
+              dist/ltt2go-udev.rules
 
 install-dirs:
 if HOSTOS_LINUX
@@ -1003,10 +1005,12 @@ endif
 install-data-hook: install-dirs
 	-if [ ! -z "$(udevrulesprefix)" ]; then \
 		mv $(DESTDIR)$(udevrulesdir)/tpm-udev.rules $(DESTDIR)$(udevrulesdir)/$(udevrulesprefix)tpm-udev.rules; \
+		mv $(DESTDIR)$(udevrulesdir)/ltt2go-udev.rules $(DESTDIR)$(udevrulesdir)/$(udevrulesprefix)ltt2go-udev.rules; \
 	fi
 
 uninstall-local:
 	-rm $(DESTDIR)$(udevrulesdir)/$(udevrulesprefix)tpm-udev.rules
+	-rm $(DESTDIR)$(udevrulesdir)/$(udevrulesprefix)ltt2go-udev.rules
 	cd $(DESTDIR)$(man3dir) && \
 		[ -L Tss2_TctiLdr_Initialize_Ex.3 ] && \
 			rm -f Tss2_TctiLdr_Initialize_Ex.3 || true

diff --git a/dist/ltt2go-udev.rules b/dist/ltt2go-udev.rules
@@ -0,0 +1,2 @@
+# ltt2go USB devices can only be accessed by the tss user
+SUBSYSTEM=="usb", ATTRS{idVendor}=="365d", ATTRS{idProduct}=="1337", TAG+="systemd", MODE="0600", OWNER="tss"
diff --git a/doc/tcti-spi-ltt2go.md b/doc/tcti-spi-ltt2go.md
@@ -5,18 +5,8 @@ and the `libusb-1.0-0-dev` library for USB communication.
 
 # EXAMPLES
 
-Set udev rules for LetsTrust-TPM2Go by creating a file `/etc/udev/rules.d/60-tpm2go.rules`:
-```
-ATTRS{idVendor}=="365d", ATTRS{idProduct}=="1337", TAG+="uaccess"
-```
-
-Activate the udev rules:
-```console
-sudo udevadm control --reload
-```
-
 You should see the following after plugging in the LetsTrust-TPM2Go:
-```
+```console
 dmesg
  [ 1019.115823] usb 3-2: new full-speed USB device number 5 using xhci_hcd
  [ 1019.480333] usb 3-2: New USB device found, idVendor=365d, idProduct=1337, bcdDevice= 0.00
@@ -31,18 +21,148 @@ sudo udevadm info -e | grep LetsTrust
  E: ID_SERIAL=www.pi3g.com_LetsTrust-TPM2Go_Y23CW29NR00000RND987654321012
 ```
 
-Use tcti-spi-ltt2go to communicate with LetsTrust-TPM2Go:
+After plugging in the LetsTrust-TPM2Go, the USB interface access permission is granted to the user `tss`. The `tcti-spi-ltt2go` can now be used to communicate with the TPM.
 ```console
-tpm2_startup -Tspi-ltt2go -c
-tpm2_getrandom -Tspi-ltt2go 8 --hex
+sudo -u tss tpm2_startup -Tspi-ltt2go -c
+sudo -u tss tpm2_getrandom -Tspi-ltt2go 8 --hex
 ```
 
-Enable abrmd:
+If multiple LetsTrust-TPM2Go devices are plugged in, it is possible to choose which one to address by specifying the serial number. The input format supports regex.
 ```console
+sudo -u tss tpm2_getrandom -Tspi-ltt2go:Y23CW29NR00000RND987654321012 8 --hex
+sudo -u tss tpm2_getrandom -Tspi-ltt2go:RND98765 8 --hex
+sudo -u tss tpm2_getrandom -Tspi-ltt2go:21012$ 8 --hex
+```
+
+## ABRMD (Alone)
+
+Manually launch the abrmd (log in as root user):
+```console
+sudo su
+
 export DBUS_SESSION_BUS_ADDRESS=`dbus-daemon --session --print-address --fork`
 tpm2-abrmd --allow-root --session --tcti=spi-ltt2go &
 
 export TPM2TOOLS_TCTI="tabrmd:bus_name=com.intel.tss2.Tabrmd,bus_type=session"
 tpm2_startup -c
 tpm2_getrandom 8 --hex
+```
+
+## ABRMD (As a Systemd Service)
+
+Launch the abrmd as a service (supports only **a single** LetsTrust-TPM2Go at a time).
+
+Edit the service file using `systemctl edit --full tpm2-abrmd`. Then, update the service file content to:
+```
+[Unit]
+Description=TPM2 Access Broker and Resource Management Daemon
+# These settings are needed when using the device TCTI. If the
+# TCP mssim is used then the settings should be commented out.
+#After=dev-tpm0.device
+#Requires=dev-tpm0.device
+
+[Service]
+Type=dbus
+BusName=com.intel.tss2.Tabrmd
+ExecStart=/usr/local/sbin/tpm2-abrmd --tcti=spi-ltt2go
+User=tss
+
+[Install]
+WantedBy=multi-user.target
+```
+
+After editing the service file, the TPM is accessible by:
+```console
+sudo systemctl start tpm2-abrmd
+
+export TPM2TOOLS_TCTI="tabrmd:bus_name=com.intel.tss2.Tabrmd"
+sudo -u tss tpm2_startup -c
+sudo -u tss tpm2_getrandom 8 --hex
+```
+
+## ABRMD (Udev + Systemd Service)
+
+By configuring the udev rules to automatically start the abrmd service when a LetsTrust-TPM2Go is plugged in and stop the service upon removal (supports only **a single** LetsTrust-TPM2Go at a time).
+
+Make the following modifications to `tpm2-abrmd/dist/tpm2-abrmd.service.in`:
+```
+[Unit]
+Description=TPM2 Access Broker and Resource Management Daemon
+# These settings are needed when using the device TCTI. If the
+# TCP mssim is used then the settings should be commented out.
+#After=dev-tpm0.device
+#Requires=dev-tpm0.device
+
+[Service]
+Type=dbus
+BusName=com.intel.tss2.Tabrmd
+ExecStart=@SBINDIR@/tpm2-abrmd --tcti=spi-ltt2go:%i
+User=tss
+
+[Install]
+WantedBy=multi-user.target
+```
+
+After (re)installing the tpm2-abrmd, rename the service file on your host from `tpm2-abrmd.service` to `tpm2-abrmd@.service`.
+
+Make the following modifications to `tpm2-tss/dist/ltt2go-udev.rules`:
+```
+SUBSYSTEM=="usb", ATTRS{idVendor}=="365d", ATTRS{idProduct}=="1337", ACTION=="add", TAG+="systemd", MODE="0600", OWNER="tss", RUN+="/bin/ltt2go_add.sh $env{DEVNAME}"
+SUBSYSTEM=="usb", ACTION=="remove", TAG+="systemd", ENV{PRODUCT}=="365d/1337/0", RUN+="/bin/ltt2go_remove.sh $env{DEVNAME}"
+```
+
+Create a script at `/bin/ltt2go_add.sh` and make it executable.
+```
+#!/bin/sh
+
+DEVNAME=$1
+
+ID_SERIAL_SHORT=$(udevadm info --query=env --name=$DEVNAME | grep ID_SERIAL_SHORT | cut -d= -f2)
+
+if [ -z "${ID_SERIAL_SHORT}" ]; then
+    exit 1
+fi
+
+mkdir -p /run/ltt2go/$DEVNAME
+echo $ID_SERIAL_SHORT > /run/ltt2go/${DEVNAME}/sn
+
+systemctl start tpm2-abrmd@${ID_SERIAL_SHORT}.service
+
+exit 0
+```
+
+Create a script at `/bin/ltt2go_remove.sh` and make it executable:
+```
+#!/bin/sh
+
+DEVNAME=$1
+
+SN_DIR=/run/ltt2go/$DEVNAME
+
+if [ -f ${SN_DIR}/sn ]; then
+    SERIAL_NUMBER=$(cat ${SN_DIR}/sn)
+
+    systemctl stop tpm2-abrmd@${SERIAL_NUMBER}.service
+
+    rm -f ${SN_DIR}/sn
+    find /run/ltt2go -type d -empty -not -path /run/ltt2go -delete
+else
+    exit 1
+fi
+
+exit 0
+```
+
+After (re)installing the tpm2-tss, reload the udev rules and systemd:
+```console
+sudo udevadm control --reload-rules
+sudo udevadm trigger
+sudo systemctl daemon-reload
+```
+
+Now, plug in the LetsTrust-TPM2Go and access it by:
+```console
+export TPM2TOOLS_TCTI="tabrmd:bus_name=com.intel.tss2.Tabrmd"
+sudo -u tss tpm2_startup -c
+sudo -u tss tpm2_getrandom 8 --hex
 ```
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# ltt2go USB devices can only be accessed by the tss user
		SUBSYSTEM=="usb", ATTRS{idVendor}=="365d", ATTRS{idProduct}=="1337", TAG+="systemd", MODE="0600", OWNER="tss"