Set up firmware TPM (fTPM)
Firmware TPM (fTPM) requires special processor/SoC support, and fTPM is currently not implemented on Raspberry Pi 2.
You need an MBM with UEFI version 0.80 or higher.
Enable fTPM by changing the following UEFI setting:
    Device Manager -> System Setup -> Security Configuration -> PTT = <Enable>
Make sure that you do not have a C:\Windows\System32\ACPITABL.dat for sTPM/dTPM (resolve the conflict, or delete the file if it is not needed).
Verify that the correct TPM version is enabled: run the TPM 2.0 tool on the Windows IoT Core device.
    C:\>t2t.exe -cap
    TBS detected 2.0 firmware TPM (fTPM) using Intel TEE.
    Capabilities:
    PT_FIXED:
    TPM_PT_FAMILY_INDICATOR = '2.0'
    TPM_PT_LEVEL = 0 (0x00000000)
    TPM_PT_REVISION = 0.93
    TPM_PT_DAY_OF_YEAR = 283 (0x0000011b)
    TPM_PT_YEAR = 2012 (0x000007dc)
    TPM_PT_MANUFACTURER = 'INTC'
    TPM_PT_VENDOR_STRING = 'Intel'
    TPM_PT_VENDOR_TPM_TYPE = 3 (0x00000003)
    TPM_PT_FIRMWARE_VERSION_1 = 1.0 (0x1.0x0)
    TPM_PT_FIRMWARE_VERSION_2 = 2.1060 (0x2.0x424)
    TPM_PT_INPUT_BUFFER = 1024 (0x00000400)
    TPM_PT_HR_TRANSIENT_MIN = 3 (0x00000003)
    TPM_PT_HR_PERSISTENT_MIN = 2 (0x00000002)
    TPM_PT_HR_LOADED_MIN = 3 (0x00000003)
    TPM_PT_ACTIVE_SESSIONS_MAX = 64 (0x00000040)
    TPM_PT_PCR_COUNT = 24 (0x00000018)
    TPM_PT_PCR_SELECT_MIN = 3 (0x00000003)
    TPM_PT_CONTEXT_GAP_MAX = 65535 (0x0000ffff)
    TPM_PT_NV_COUNTERS_MAX = 16 (0x00000010)
    TPM_PT_NV_INDEX_MAX = 2048 (0x00000800)
    TPM_PT_MEMORY = sharedNV objectCopiedToRam
    TPM_PT_CLOCK_UPDATE = 4096ms
    TPM_PT_CONTEXT_HASH = TPM_ALG_SHA256
    TPM_PT_CONTEXT_SYM = TPM_ALG_AES
    TPM_PT_CONTEXT_SYM_SIZE = 128 (0x00000080)
    TPM_PT_ORDERLY_COUNT = 255 (0x000000ff)
    TPM_PT_MAX_COMMAND_SIZE = 3968 (0x00000f80)
    TPM_PT_MAX_RESPONSE_SIZE = 3968 (0x00000f80)
    TPM_PT_MAX_DIGEST = 32 (0x00000020)
    TPM_PT_MAX_OBJECT_CONTEXT = 924 (0x0000039c)
    TPM_PT_MAX_SESSION_CONTEXT = 244 (0x000000f4)
    TPM_PT_PS_FAMILY_INDICATOR = TPM_PS_MAIN
    TPM_PT_PS_LEVEL = 0 (0x00000000)
    TPM_PT_PS_REVISION = 0
    TPM_PT_PS_DAY_OF_YEAR = 0 (0x00000000)
    TPM_PT_PS_YEAR = 0 (0x00000000)
    TPM_PT_SPLIT_MAX = 0 (0x00000000)
    TPM_PT_TOTAL_COMMANDS = 70 (0x00000046)
    TPM_PT_LIBRARY_COMMANDS = 70 (0x00000046)
    TPM_PT_VENDOR_COMMANDS = 0 (0x00000000)
    PT_VAR:
    TPM_PT_PERMANENT = lockoutAuthSet tpmGeneratedEPS
    TPM_PT_STARTUP_CLEAR = phEnable shEnable ehEnable
    TPM_PT_HR_NV_INDEX = 2 (0x00000002)
    TPM_PT_HR_LOADED = 0 (0x00000000)
    TPM_PT_HR_LOADED_AVAIL = 3 (0x00000003)
    TPM_PT_HR_ACTIVE = 0 (0x00000000)
    TPM_PT_HR_ACTIVE_AVAIL = 64 (0x00000040)
    TPM_PT_HR_TRANSIENT_AVAIL = 3 (0x00000003)
    TPM_PT_HR_PERSISTENT = 3 (0x00000003)
    TPM_PT_HR_PERSISTENT_AVAIL = 18 (0x00000012)
    TPM_PT_NV_COUNTERS = 2 (0x00000002)
    TPM_PT_NV_COUNTERS_AVAIL = 14 (0x0000000e)
    TPM_PT_ALGORITHM_SET = 0 (0x00000000)
    TPM_PT_LOADED_CURVES = 0 (0x00000000)
    TPM_PT_LOCKOUT_COUNTER = 0 (0x00000000)
    TPM_PT_MAX_AUTH_FAIL = 10 (0x0000000a)
    TPM_PT_LOCKOUT_INTERVAL = 2h 0" 0'
    TPM_PT_LOCKOUT_RECOVERY = 2h 0" 0'
    TPM_PT_AUDIT_COUNTER = 0
    c:\>
Verify that fTPM works: run the Urchin unit tests on the Windows IoT Core device.
Several PASS results should be displayed (note that some of the functions are not supported by fTPM, so some error codes are expected):
    C:\>urchintest.exe
    ---SETUP----------------------------------------
    PASS...........CreateAuthorities()
    PASS...........CreateEkObject()
    PASS...........CreateSrkObject()
    (0x80280400)...CreateAndLoadAikObject()
    PASS...........CreateAndLoadKeyObject()
    ---TESTS----------------------------------------
    PASS...........TestGetCapability()
    PASS...........TestGetEntropy()
    PASS...........TestPolicySession()
    PASS...........TestSignWithPW()
    PASS...........TestSignHMAC()
    PASS...........TestSignBound()
    PASS...........TestSignSalted()
    PASS...........TestSignSaltedAndBound()
    PASS...........TestSignParameterEncryption()
    PASS...........TestSignParameterDecryption()
    PASS...........TestReadPcrWithEkSeededSession()
    (0x80280400)...TestCreateHashAndHMAC()
    (0x80280400)...TestCreateHashAndHMACSequence()
    (0x80280400)...TestSymKeyImport()
    PASS...........TestRsaKeyImport()
    (0x00000184)...TestCredentialActivation()
    PASS...........TestKeyExport()
    (0x80280400)...TestSymEncryption()
    (0x80280400)...TestCertifiedMigration()
    (0x0000014b)...TestNVIndexReadWrite()
    (0x80280400)...TestVirtualization()
    PASS...........TestObjectChangeAuth()
    PASS...........TestUnseal()
    PASS...........TestDynamicPolicies()
    (0x80280400)...TestRSADecrypt()
    (0x000002ca)...TestECDSASign()
    (0x00000184)...TestKeyAttestation()
    (0x00000184)...TestPlatformAttestation()
    ---CLEANUP--------------------------------------
    (0x000001c4)...UnloadKeyObjects()
    C:\>
Set up discrete TPM (dTPM)
These instructions apply to all dTPM modules that are supported on MBM, RPi2, or RPi3.
Obtain a discrete TPM module and attach it to the MBM/RPi2/RPi3.
(Applies to MBM) Disable fTPM by changing the following UEFI setting:
    Device Manager -> System Setup -> Security Configuration -> PTT = <Disable>
(Applies to MBM) Enable dTPM by changing the following UEFI setting:
    Device Manager -> System Setup -> Security Configuration -> Discrete TPM = <Enable>
Based on your discrete TPM module of choice, identify the matching ACPI table here.
Copy that ACPI table to C:\Windows\System32\ACPITABL.dat on the MBM/RPi2/RPi3.
Enable test signing on the device:
    bcdedit /set {current} integrityservices disable
    bcdedit /set testsigning on
Reboot the device.
Verify that the correct TPM version is enabled: run the TPM 2.0 tool on the Windows IoT Core device.
    C:\>t2t.exe -cap
    TBS detected 2.0 discrete TPM (dTPM) using TIS on SPB.
    Capabilities:
    PT_FIXED:
    TPM_PT_FAMILY_INDICATOR = '2.0'
    TPM_PT_LEVEL = 0 (0x00000000)
    TPM_PT_REVISION = 1.16
    TPM_PT_DAY_OF_YEAR = 303 (0x0000012f)
    TPM_PT_YEAR = 2014 (0x000007de)
    TPM_PT_MANUFACTURER = 'NTZ'
    TPM_PT_VENDOR_STRING = 'NTZ'
    TPM_PT_VENDOR_TPM_TYPE = 17 (0x00000011)
    TPM_PT_FIRMWARE_VERSION_1 = 4.31 (0x4.0x1f)
    TPM_PT_FIRMWARE_VERSION_2 = 5378.4617 (0x1502.0x1209)
    TPM_PT_INPUT_BUFFER = 2220 (0x000008ac)
    TPM_PT_HR_TRANSIENT_MIN = 4 (0x00000004)
    TPM_PT_HR_PERSISTENT_MIN = 7 (0x00000007)
    TPM_PT_HR_LOADED_MIN = 4 (0x00000004)
    TPM_PT_ACTIVE_SESSIONS_MAX = 64 (0x00000040)
    TPM_PT_PCR_COUNT = 24 (0x00000018)
    TPM_PT_PCR_SELECT_MIN = 3 (0x00000003)
    TPM_PT_CONTEXT_GAP_MAX = 65535 (0x0000ffff)
    TPM_PT_NV_COUNTERS_MAX = 0 (0x00000000)
    TPM_PT_NV_INDEX_MAX = 1639 (0x00000667)
    TPM_PT_MEMORY = objectCopiedToRam
    TPM_PT_CLOCK_UPDATE = 4096000ms
    TPM_PT_CONTEXT_HASH = TPM_ALG_SHA256
    TPM_PT_CONTEXT_SYM = TPM_ALG_AES
    TPM_PT_CONTEXT_SYM_SIZE = 128 (0x00000080)
    TPM_PT_ORDERLY_COUNT = 255 (0x000000ff)
    TPM_PT_MAX_COMMAND_SIZE = 2220 (0x000008ac)
    TPM_PT_MAX_RESPONSE_SIZE = 2220 (0x000008ac)
    TPM_PT_MAX_DIGEST = 32 (0x00000020)
    TPM_PT_MAX_SESSION_CONTEXT = 244 (0x000000f4)
    TPM_PT_PS_FAMILY_INDICATOR = TPM_PS_PDA
    TPM_PT_PS_LEVEL = 0 (0x00000000)
    TPM_PT_PS_REVISION = 25600
    TPM_PT_PS_DAY_OF_YEAR = 0 (0x00000000)
    TPM_PT_PS_YEAR = 0 (0x00000000)
    TPM_PT_SPLIT_MAX = 128 (0x00000080)
    TPM_PT_TOTAL_COMMANDS = 101 (0x00000065)
    TPM_PT_LIBRARY_COMMANDS = 99 (0x00000063)
    TPM_PT_VENDOR_COMMANDS = 2 (0x00000002)
    TPM_PT_NV_BUFFER_MAX = 1639 (0x00000667)
    PT_VAR:
    TPM_PT_STARTUP_CLEAR = phEnable shEnable ehEnable ehEnableNV
    TPM_PT_HR_NV_INDEX = 2 (0x00000002)
    TPM_PT_HR_LOADED = 0 (0x00000000)
    TPM_PT_HR_LOADED_AVAIL = 4 (0x00000004)
    TPM_PT_HR_ACTIVE = 0 (0x00000000)
    TPM_PT_HR_ACTIVE_AVAIL = 64 (0x00000040)
    TPM_PT_HR_TRANSIENT_AVAIL = 4 (0x00000004)
    TPM_PT_HR_PERSISTENT = 3 (0x00000003)
    TPM_PT_HR_PERSISTENT_AVAIL = 4 (0x00000004)
    TPM_PT_NV_COUNTERS = 2 (0x00000002)
    TPM_PT_NV_COUNTERS_AVAIL = 30 (0x0000001e)
    TPM_PT_ALGORITHM_SET = 0 (0x00000000)
    TPM_PT_LOADED_CURVES = 3 (0x00000003)
    TPM_PT_LOCKOUT_COUNTER = 0 (0x00000000)
    TPM_PT_MAX_AUTH_FAIL = 32 (0x00000020)
    TPM_PT_LOCKOUT_INTERVAL = 2h 0" 0'
    TPM_PT_LOCKOUT_RECOVERY = 24h 0" 0'
    TPM_PT_NV_WRITE_RECOVERY = 0ms
    TPM_PT_AUDIT_COUNTER = 0
    C:\>
Verify that dTPM works: run the Urchin unit tests on the Windows IoT Core device.
Several PASS results should be displayed (note that some of the functions may not be supported by dTPM, so some error codes are expected):
    C:\>urchintest.exe
    ---SETUP----------------------------------------
    PASS...........CreateAuthorities()
    PASS...........CreateEkObject()
    PASS...........CreateSrkObject()
    PASS...........CreateAndLoadAikObject()
    PASS...........CreateAndLoadKeyObject()
    ---TESTS----------------------------------------
    PASS...........TestGetCapability()
    PASS...........TestGetEntropy()
    PASS...........TestPolicySession()
    PASS...........TestSignWithPW()
    PASS...........TestSignHMAC()
    PASS...........TestSignBound()
    PASS...........TestSignSalted()
    PASS...........TestSignSaltedAndBound()
    (0xc000000d)...TestSignParameterEncryption()
    PASS...........TestSignParameterDecryption()
    PASS...........TestReadPcrWithEkSeededSession()
    PASS...........TestCreateHashAndHMAC()
    PASS...........TestCreateHashAndHMACSequence()
    PASS...........TestSymKeyImport()
    (0xc000000d)...TestRsaKeyImport()
    PASS...........TestCredentialActivation()
    PASS...........TestKeyExport()
    (0x00000182)...TestSymEncryption()
    PASS...........TestCertifiedMigration()
    PASS...........TestNVIndexReadWrite()
    (0x80280400)...TestVirtualization()
    PASS...........TestObjectChangeAuth()
    PASS...........TestUnseal()
    PASS...........TestDynamicPolicies()
    PASS...........TestRSADecrypt()
    PASS...........TestECDSASign()
    (0xc000000d)...TestKeyAttestation()
    (0xc000000d)...TestPlatformAttestation()
    ---CLEANUP--------------------------------------
    PASS...........UnloadKeyObjects()
    C:\>
Enable and verify software TPM (sTPM)
Note that sTPM is intended for development purposes only and provides no real security benefits.
(Applies to MBM) Disable fTPM by changing the following UEFI setting:
    Device Manager -> System Setup -> Security Configuration -> PTT = <Disable>
(Applies to MBM) Enable dTPM by changing the following UEFI setting:
    Device Manager -> System Setup -> Security Configuration -> Discrete TPM = <Enable>
Enable test signing on the device:
    bcdedit /set {current} integrityservices disable
    bcdedit /set testsigning on
Copy the ACPI table from here to C:\Windows\System32\ACPITABL.dat on the MBM/RPi2/RPi3.
Reboot the device.
Verify that the correct TPM version is enabled: run the TPM 2.0 tool on the Windows IoT Core device.
    C:\>t2t.exe -cap
    TBS detected 2.0 simulated TPM (sTPM).
    Capabilities:
    PT_FIXED:
    TPM_PT_FAMILY_INDICATOR = '2.0'
    TPM_PT_LEVEL = 0 (0x00000000)
    TPM_PT_REVISION = 1.15
    TPM_PT_DAY_OF_YEAR = 163 (0x000000a3)
    TPM_PT_YEAR = 2014 (0x000007de)
    TPM_PT_MANUFACTURER = 'MSFT'
    TPM_PT_VENDOR_STRING = 'IoT Software TPM'
    TPM_PT_VENDOR_TPM_TYPE = 1 (0x00000001)
    TPM_PT_FIRMWARE_VERSION_1 = 8213.275 (0x2015.0x113)
    TPM_PT_FIRMWARE_VERSION_2 = 21.18466 (0x15.0x4822)
    TPM_PT_INPUT_BUFFER = 1024 (0x00000400)
    TPM_PT_HR_TRANSIENT_MIN = 3 (0x00000003)
    TPM_PT_HR_PERSISTENT_MIN = 2 (0x00000002)
    TPM_PT_HR_LOADED_MIN = 3 (0x00000003)
    TPM_PT_ACTIVE_SESSIONS_MAX = 64 (0x00000040)
    TPM_PT_PCR_COUNT = 24 (0x00000018)
    TPM_PT_PCR_SELECT_MIN = 3 (0x00000003)
    TPM_PT_CONTEXT_GAP_MAX = 65535 (0x0000ffff)
    TPM_PT_NV_COUNTERS_MAX = 0 (0x00000000)
    TPM_PT_NV_INDEX_MAX = 2048 (0x00000800)
    TPM_PT_MEMORY = sharedNV objectCopiedToRam
    TPM_PT_CLOCK_UPDATE = 4096ms
    TPM_PT_CONTEXT_HASH = TPM_ALG_SHA256
    TPM_PT_CONTEXT_SYM = TPM_ALG_AES
    TPM_PT_CONTEXT_SYM_SIZE = 256 (0x00000100)
    TPM_PT_ORDERLY_COUNT = 255 (0x000000ff)
    TPM_PT_MAX_COMMAND_SIZE = 4096 (0x00001000)
    TPM_PT_MAX_RESPONSE_SIZE = 4096 (0x00001000)
    TPM_PT_MAX_DIGEST = 48 (0x00000030)
    TPM_PT_MAX_OBJECT_CONTEXT = 1520 (0x000005f0)
    TPM_PT_MAX_SESSION_CONTEXT = 308 (0x00000134)
    TPM_PT_PS_FAMILY_INDICATOR = TPM_PS_MAIN
    TPM_PT_PS_LEVEL = 0 (0x00000000)
    TPM_PT_PS_REVISION = 0
    TPM_PT_PS_DAY_OF_YEAR = 0 (0x00000000)
    TPM_PT_PS_YEAR = 0 (0x00000000)
    TPM_PT_SPLIT_MAX = 128 (0x00000080)
    TPM_PT_TOTAL_COMMANDS = 106 (0x0000006a)
    TPM_PT_LIBRARY_COMMANDS = 105 (0x00000069)
    TPM_PT_VENDOR_COMMANDS = 1 (0x00000001)
    PT_VAR:
    TPM_PT_PERMANENT = lockoutAuthSet tpmGeneratedEPS
    TPM_PT_STARTUP_CLEAR = phEnable shEnable ehEnable ehEnableNV
    TPM_PT_HR_NV_INDEX = 2 (0x00000002)
    TPM_PT_HR_LOADED = 0 (0x00000000)
    TPM_PT_HR_LOADED_AVAIL = 3 (0x00000003)
    TPM_PT_HR_ACTIVE = 0 (0x00000000)
    TPM_PT_HR_ACTIVE_AVAIL = 64 (0x00000040)
    TPM_PT_HR_TRANSIENT_AVAIL = 3 (0x00000003)
    TPM_PT_HR_PERSISTENT = 3 (0x00000003)
    TPM_PT_HR_PERSISTENT_AVAIL = 5 (0x00000005)
    TPM_PT_NV_COUNTERS = 2 (0x00000002)
    TPM_PT_NV_COUNTERS_AVAIL = 31 (0x0000001f)
    TPM_PT_ALGORITHM_SET = 0 (0x00000000)
    TPM_PT_LOADED_CURVES = 3 (0x00000003)
    TPM_PT_LOCKOUT_COUNTER = 3 (0x00000003)
    TPM_PT_MAX_AUTH_FAIL = 32 (0x00000020)
    TPM_PT_LOCKOUT_INTERVAL = 2h 0" 0'
    TPM_PT_LOCKOUT_RECOVERY = 24h 0" 0'
    TPM_PT_AUDIT_COUNTER = 0
    C:\>
Verify that sTPM works: run the Urchin unit tests on the Windows IoT Core device.
Several PASS results should be displayed (note that some of the functions are not supported by sTPM, so some error codes are expected):
    C:\>urchintest.exe
    ---SETUP----------------------------------------
    PASS...........CreateAuthorities()
    PASS...........CreateEkObject()
    PASS...........CreateSrkObject()
    PASS...........CreateAndLoadAikObject()
    PASS...........CreateAndLoadKeyObject()
    ---TESTS----------------------------------------
    PASS...........TestGetCapability()
    PASS...........TestGetEntropy()
    PASS...........TestPolicySession()
    PASS...........TestSignWithPW()
    PASS...........TestSignHMAC()
    PASS...........TestSignBound()
    PASS...........TestSignSalted()
    PASS...........TestSignSaltedAndBound()
    (0xc000000d)...TestSignParameterEncryption()
    PASS...........TestSignParameterDecryption()
    PASS...........TestReadPcrWithEkSeededSession()
    PASS...........TestCreateHashAndHMAC()
    PASS...........TestCreateHashAndHMACSequence()
    PASS...........TestSymKeyImport()
    (0xc000000d)...TestRsaKeyImport()
    PASS...........TestCredentialActivation()
    PASS...........TestKeyExport()
    (0x00000182)...TestSymEncryption()
    PASS...........TestCertifiedMigration()
    PASS...........TestNVIndexReadWrite()
    (0x80280400)...TestVirtualization()
    PASS...........TestObjectChangeAuth()
    PASS...........TestUnseal()
    PASS...........TestDynamicPolicies()
    PASS...........TestECDSASign())
    PASS........
    (0xc000000d)...TestKeyAttestation()
    (0xc000000d)...TestPlatformAttestation()
    ---CLEANUP--------------------------------------
    PASS...........UnloadKeyObjects()
    C:\>
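The two verification steps used in each section (t2t.exe -cap, then urchintest.exe) can be checked mechanically from captured output, which is useful for confirming that a device is not running the development-only sTPM and that the TPM features an application depends on actually pass. The following Python is an added example, not part of the original page or of the tools it describes; the sample text is constructed from the output formats shown above, and the function names and the list of required tests are assumptions.

```python
import re

# Constructed samples, abbreviated from the output formats shown on this page.
SAMPLE_CAP = """TBS detected 2.0 simulated TPM (sTPM).
PT_FIXED:
TPM_PT_FAMILY_INDICATOR = '2.0'
PT_VAR:
TPM_PT_LOCKOUT_COUNTER = 3 (0x00000003)
"""
SAMPLE_URCHIN = """---TESTS----------------------------------------
PASS...........TestUnseal()
(0xc000000d)...TestKeyAttestation()
(0x80280400)...TestVirtualization()
"""

def parse_cap(text):
    """Return (kind, props): kind is fTPM/dTPM/sTPM or None; props maps TPM_PT_* to raw value."""
    m = re.search(r"TBS detected \S+ \w+ TPM \((fTPM|dTPM|sTPM)\)", text)
    props = {}
    for line in text.splitlines():  # expects one property per line
        pm = re.match(r"\s*(TPM_PT_\w+)\s*=\s*(.*\S)", line)
        if pm:
            props[pm.group(1)] = pm.group(2)
    return (m.group(1) if m else None), props

def parse_urchin(text):
    """Map each Urchin test name to 'PASS' or the hex error code printed for it."""
    pattern = r"(PASS|\(0x[0-9a-fA-F]+\))\.+(\w+)\(\)"
    return {name: status.strip("()") for status, name in re.findall(pattern, text)}

def review(cap_text, urchin_text, required_tests):
    """Return (kind, findings) for one device; required_tests is the caller's own policy."""
    kind, props = parse_cap(cap_text)
    findings = []
    if kind is None:
        findings.append("no 'TBS detected' line: TPM not enabled or output truncated")
    elif kind == "sTPM":
        findings.append("sTPM active: development only, no real security benefit")
    if props.get("TPM_PT_FAMILY_INDICATOR") != "'2.0'":
        findings.append("TPM family is not 2.0")
    lockout = props.get("TPM_PT_LOCKOUT_COUNTER", "0").split()[0]
    if lockout != "0":
        findings.append(f"lockout counter is {lockout}: failed authorizations recorded")
    results = parse_urchin(urchin_text)
    for test in required_tests:
        status = results.get(test, "MISSING")
        if status != "PASS":
            findings.append(f"{test}: {status}")
    return kind, findings
```

Because the page expects some error codes on every TPM type, pass `review` only the tests your application relies on (for example `TestKeyAttestation` for attestation) rather than treating every non-PASS line as a failure.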