我正在尝试使用笔记本电脑上提供的 TPM2 来保护 GPG 密钥,但没有取得任何成功。可能我做错了什么,但我无法弄清楚这是什么。我的系统正在运行Ubuntu 22.04
这是我所做的:
验证 TPM2 在我的 Linux 系统中可用并启用:
- 检查启动时是否检测到 tpm 硬件:
$ dmesg | grep -i tpm
[ 0.327325] kernel: tpm_tis STM0125:00: 2.0 TPM (device-id 0x0, rev-id 78)
- 检查 tpm 设备是否可用并且拥有正确的所有者:
$ ls -l /dev/tpm*
crw-rw---- 1 tss tss 10, 224 nov 27 07:42 /dev/tpm0
crw-rw---- 1 tss tss 253, 65536 nov 27 07:42 /dev/tpmrm0
tss
我的用户是该组的成员安装了以下软件包:
clevis-tpm2
libnatpmp1
libtss2-tcti-swtpm0
tpm-udev
tpm2-abrmd
tpm2-openssl
tpm2-tools
libtpm2-pkcs11-tools
libtpm2-pkcs11-1
- 加载tpm模块:
$ modprobe tpm_tis_spi
$ lsmod | grep tpm
tpm_tis_spi 20480 0
- 检查 tpm 代理是否已启动并正在运行
root@NR054-UB:/lib/modules/6.2.0-37-generic# systemctl status tpm2-abrmd
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
Loaded: loaded (/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-11-27 07:42:29 CET; 4 days ago
Main PID: 1086 (tpm2-abrmd)
Tasks: 6 (limit: 18082)
Memory: 1.4M
CPU: 9.563s
CGroup: /system.slice/tpm2-abrmd.service
└─1086 /usr/sbin/tpm2-abrmd
我构建了 gpg 版本2.4
(作为默认 gpg 版本ubuntu 22.04
)2.2
并将环境变量设置GNUPGHOME=~/gpg2.tmp/
为使用“干净”密钥环
$ gpg2 --version
gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/<my-username>/gpg2.tmp
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB
- 这是我的
gpgconf
输出:gpg 2.4
已安装,/opt/gpg24
以避免覆盖当前的gpg 2.2
默认安装
$ gpgconf
gpg:OpenPGP:/opt/gpg24/bin/gpg2
gpgsm:S/MIME:/opt/gpg24/bin/gpgsm
keyboxd:Public Keys:/opt/gpg24/libexec/keyboxd
gpg-agent:Private Keys:/opt/gpg24/bin/gpg-agent
scdaemon:Smartcards:/opt/gpg24/libexec/scdaemon
tpm2daemon:TPM:/opt/gpg24/libexec/tpm2daemon
dirmngr:Network:/opt/gpg24/bin/dirmngr
pinentry:Passphrase Entry:/opt/gpg24/bin/pinentry
尝试使用 TPM 保护测试 gpg 密钥
到目前为止,一切都很好。由于我在设置前面的所有步骤时没有收到相关错误或警告,因此我继续遵循以下示例:
[1] https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html
[2] https://www.monperrus.net/martin/7-things-to-do-with-your-TPM-on-Linux
- 启动 tpm2daemon:
tpm2daemon --log-file ~/gpg2.tmp/tpm2daemon.log --daemon --debug-level 1000
但是,当我尝试将密钥移至 TPM 时,我没有获得
card-no: TPM-Protected
密钥的属性
$ /opt/gpg24/bin/gpg2 --edit-key [email protected]
gpg (GnuPG) 2.4.3; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/2E0718AD3A17F52E
created: 2023-12-02 expires: 2026-12-01 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). [email protected]
gpg> keytotpm
Really move the primary key? (y/N) y
sec rsa2048/2E0718AD3A17F52E
created: 2023-12-02 expires: 2026-12-01 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). [email protected]
我做错了什么?关于如何调试这个的任何提示?
最后,感谢 gnupg 邮件列表的支持,我解决了这个问题。
看来我构建的 2.4 版本有一个回归导致了这个问题。为了解决这个问题,我需要从分支构建
gngpg
和pinentry
master
如果您对详细信息感兴趣,请查看 ML 主题:
https://lists.gnupg.org/pipermail/gnupg-users/2023-December/066830.html