From 41d7a1a45e322b0bd73489bb3f58d9d3bef18691 Mon Sep 17 00:00:00 2001
From: Ian
Date: Fri, 25 Feb 2022 16:09:27 +0200
Subject: [PATCH] Added pytss python tutorials (quote)
---
 PythonExamples/README.md | 17 +++++++++
 PythonExamples/quote.md | 76 ++++++++++++++++++++++++++++++++++++++
 PythonExamples/quote.py | 79 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 172 insertions(+)
 create mode 100644 PythonExamples/README.md
 create mode 100644 PythonExamples/quote.md
 create mode 100644 PythonExamples/quote.py
diff --git a/PythonExamples/README.md b/PythonExamples/README.md
new file mode 100644
index 0000000..bd318c5
--- /dev/null
+++ b/PythonExamples/README.md
@@ -0,0 +1,17 @@
+# Python Examples with PYTSS
+
+Now that tpm2_pytss is stable I've started collecting worked examples for some common situations, eg: reading PCRs, quotes etc.
+
+tpm_pytss is here: https://github.com/tpm2-software/tpm2-pytss
+
+## Running the examples
+
+First you will need a TPM, either a real TPM or the IBM SW TPM is a good substitute.
+
+Each example can be run just by typing `python3 example.py`
+
+## Available Examples
+
+Each example has an accompanying description as markdown file, plus annotated code.
+
+ * [quote]
\ No newline at end of file
diff --git a/PythonExamples/quote.md b/PythonExamples/quote.md
new file mode 100644
index 0000000..5cc33e0
--- /dev/null
+++ b/PythonExamples/quote.md
@@ -0,0 +1,76 @@
+# Quote
+
+This example demonstrates the use of ESAPI.quote
+
+The code will:
+
+ * setup the ESAPI interface
+ * send a TPM_STARTUP clear command
+ * request a quote using the given attestation key, pcrs and extradata
+ * unmarshal the returned data structures and print these as a python dict and convert to JSON and pretty print
+
+## Setup and Variables
+
+The following code might need to be modified for you local setup
+
+```python3
+tcti_to_use = None
+attestation_key_handle = 0x810100AA
+pcrs_to_quote = "sha256:0,1,2,3"
+extradata_to_use = b"Ian12345"
+```
+
+## Running
+
+To run type `python3 quote.py`
+
+Errors might be generated as the pytss libraries search for a suitable TPM device. If everything is successful then a pretty printed JSON structure will be shown.
+
+## Example Output
+
+```bash
+~/tpm.dev.tutorials/PythonExamples$ python3 quote.py
+ERROR:tcti:src/tss2-tcti/tcti-device.c:442:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory
+ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
+ERROR:tcti:src/tss2-tcti/tcti-device.c:442:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory
+ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
+ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:222:tcti_control_command() Control command failed with error: 1
+ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:330:tcti_swtpm_set_locality() Failed to set locality: 0xa000a
+WARNING:tcti:src/tss2-tcti/tcti-swtpm.c:599:Tss2_Tcti_Swtpm_Init() Could not set locality via control channel: 0xa000a
+ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0
+att=
+ae=
+ {'attested': {'pcrDigest': '38723a2e5e8a17aa7950dc008209944e898f69a7bd10a23c839d341e935fd5ca', 'pcrSelect': [{'hash': 'sha256', 
'pcrSelect': [0, 1, 2, 3]}]}, 'clockInfo': {'clock': 308418200, 'resetCount': 22, 'restartCount': 0, 'safe': 1}, 'extraData': '49616e3132333435', 'firmwareVersion': [538513443, 1455670], 'magic': 4283712327, 'qualifiedSigner': '000bff3ea118be81e7f10ead098c900b93c885785e828bf27d824a87add847b5ec56', 'type': 'attest_quote'}
+
+ {
+ "attested": {
+ "pcrDigest": "38723a2e5e8a17aa7950dc008209944e898f69a7bd10a23c839d341e935fd5ca",
+ "pcrSelect": [
+ {
+ "hash": "sha256",
+ "pcrSelect": [
+ 0,
+ 1,
+ 2,
+ 3
+ ]
+ }
+ ]
+ },
+ "clockInfo": {
+ "clock": 308418200,
+ "resetCount": 22,
+ "restartCount": 0,
+ "safe": 1
+ },
+ "extraData": "49616e3132333435",
+ "firmwareVersion": [
+ 538513443,
+ 1455670
+ ],
+ "magic": 4283712327,
+ "qualifiedSigner": "000bff3ea118be81e7f10ead098c900b93c885785e828bf27d824a87add847b5ec56",
+ "type": "attest_quote"
+}
+
+```
\ No newline at end of file
diff --git a/PythonExamples/quote.py b/PythonExamples/quote.py
new file mode 100644
index 0000000..4f47cd8
--- /dev/null
+++ b/PythonExamples/quote.py
@@ -0,0 +1,79 @@
+#
+# Import the tpm2_pytss libraries and the encoders
+#
+
+from tpm2_pytss import *
+from tpm2_pytss.encoding import (
+ base_encdec,
+ json_encdec,
+)
+
+#
+# We also need this too, for convenience later
+#
+
+import json
+
+#
+# Setting up some variables here for convenience
+#
+
+tcti_to_use = None
+attestation_key_handle = 0x810100AA
+pcrs_to_quote = "sha256:0,1,2,3"
+extradata_to_use = b"Ian12345"
+
+#
+# Make a connection to a TPM and use the ESAPI interface
+# tcti=None means that the pytss libraries will search for an available TCTI
+#
+#
+# When this is run, then as the various TCTI interfaces are searched errors are written if those interfaces are not foud
+#
+
+tpm = ESAPI(tcti=None)
+
+#
+# Send a startup message, just in case (actually this is because I'm using the IBM SW TPM and haven't started it properly)
+#
+
+tpm.startup(TPM2_SU.CLEAR)
+
+#
+# Create the necessary parameters for making a quote
+#
+
+
+handle = tpm.tr_from_tpmpublic(attestation_key_handle)
+pcrsels = TPML_PCR_SELECTION.parse(pcrs_to_quote)
+extradata_to_use = TPM2B_DATA(extradata_to_use)
+
+#
+# Now to make the quote and return the attested values and signature
+#
+
+quote,signature = tpm.quote(
+ handle, pcrsels, extradata_to_use
+ )
+
+#
+# Now to unmarshal the attested values and we'll print them out which'll give a tpm2_pytss.types.TPMS_ATTEST object
+#
+
+att,_ = TPMS_ATTEST.unmarshal( bytes(quote) )
+print("att=",att)
+
+#
+# We construct an encoder and encode that structure in a python dict
+#
+
+enc = json_encdec()
+ae = enc.encode(att)
+print("ae=",type(ae),"\n",ae)
+
+#
+# Now we'll use the json library to convert that to JSON and pretty print it
+#
+
+js = json.dumps(ae,indent=4)
+print("\n",js)
\ No newline at end of file
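Review bot: The `signature` bound at `quote,signature = tpm.quote(` is never used afterwards, so the example unmarshals and prints the TPMS_ATTEST without anything tying those values to the key at `attestation_key_handle`; for a quote tutorial that is the step a reader most needs to see, or at least to be told is missing. Checking the signature over `bytes(quote)` with the key's public part (the ESAPI wrapper of TPM2_VerifySignature, or an off-TPM check against the exported public key) is what makes the attested PCR digest meaningful, and the comment block above the call should say so. The fixed `extradata_to_use = b"Ian12345"` also deserves a comment such as `# in a real attestation flow this is a fresh nonce supplied by the verifier; a constant lets an old quote be replayed`. Finally, `tcti_to_use` is assigned but `tpm = ESAPI(tcti=None)` ignores it, so editing the variable that quote.md presents as the configuration point has no effect; use `tpm = ESAPI(tcti=tcti_to_use)`.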