TPM零知识学习十一 —— tpm全安装流程复盘（下）

接前一篇文章《TPM零知识学习十 —— tpm全安装流程复盘（中）》，链接为：

TPM零知识学习十 —— tpm全安装流程复盘（中）_蓝天居士的博客-CSDN博客

五、TPM模拟器做成服务

本步骤前导步骤参见《TPM零知识学习九 —— tpm全安装流程复盘（上）》—— 一、模拟器安装全流程。在步骤6之后插入以下步骤：

1. 配置TPM服务

创建tpm.server.service文件和配置服务

sudo vim /lib/systemd/system/tpm-server.service

在文件中添加以下内容：

[Unit]
Description=TPM2.0 Simulator Server Daemon
Before=tpm2-abrmd.service[Service]
ExecStart=/usr/bin/tpm_server
Restart=always
Environment=PATH=/usr/bin:/usr/local/bin[Install]
WantedBy=multi-user.target

保存退出。

2. 测试TPM配置情况，启动TPM服务

penghao@Ding-Perlis-MP260S48:~$ sudo systemctl daemon-reload
[sudo] penghao 的密码：penghao@Ding-Perlis-MP260S48:~$ sudo systemctl start tpm-server.service penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status tpm-server.service
● tpm-server.service - TPM2.0 Simulator Server DaemonLoaded: loaded (/usr/lib/systemd/system/tpm-server.service; disabled; vendor preset: enabled)Active: active (running) since Fri 2023-01-13 11:21:10 CST; 14s agoMain PID: 29025 (tpm_server)Tasks: 3 (limit: 18940)Memory: 968.0KCPU: 10msCGroup: /system.slice/tpm-server.service└─29025 /usr/bin/tpm_server1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: Manufacturing NV state...
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: Size of OBJECT = 2600
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: Size of components in TPMT_SENSITIVE = 1096
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]:     TPMI_ALG_PUBLIC                 2
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]:     TPM2B_AUTH                      66
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]:     TPM2B_DIGEST                    66
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]:     TPMU_SENSITIVE_COMPOSITE        962
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: Starting ACT thread...
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: TPM command server listening on port 2321
1月 13 11:21:10 Ding-Perlis-MP260S48 tpm_server[29025]: Platform server listening on port 2322

说明此时TPM模拟器已经成功配置，并启动服务。

但是有一个问题，重启后再查看服务状态，又回到inactive状态了，如下所示：

penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status tpm-server
○ tpm-server.service - TPM2.0 Simulator Server DaemonLoaded: loaded (/usr/lib/systemd/system/tpm-server.service; disabled; vendor preset: enabled)Active: inactive (dead)

应该如何解决这个问题？使用systemctl enable命令。如下所示：

penghao@Ding-Perlis-MP260S48:~$ sudo systemctl enable tpm-server.service
Created symlink /etc/systemd/system/multi-user.target.wants/tpm-server.service → /usr/lib/systemd/system/tpm-server.service.

再次重启并查看tpm_server服务的状态。如下所示：

penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status tpm-server.service
[sudo] penghao 的密码：● tpm-server.service - TPM2.0 Simulator Server DaemonLoaded: loaded (/usr/lib/systemd/system/tpm-server.service; enabled; vendor preset: enabled)Active: active (running) since Fri 2023-01-13 11:58:39 CST; 32s agoMain PID: 369 (tpm_server)Tasks: 3 (limit: 18940)Memory: 1.2MCPU: 6msCGroup: /system.slice/tpm-server.service└─369 /usr/bin/tpm_server1月 13 11:58:39 Ding-Perlis-MP260S48 systemd[1]: Started TPM2.0 Simulator Server Daemon.
1月 13 11:58:39 Ding-Perlis-MP260S48 tpm_server[369]: LIBRARY_COMPATIBILITY_CHECK is ON
1月 13 11:58:39 Ding-Perlis-MP260S48 tpm_server[369]: Starting ACT thread...
1月 13 11:58:39 Ding-Perlis-MP260S48 tpm_server[369]: TPM command server listening on port 2321
1月 13 11:58:39 Ding-Perlis-MP260S48 tpm_server[369]: Platform server listening on port 2322

可见，TPM模拟器服务已经正常启动了。

至此，TPM模拟器服务配置流程就完全结束了。

六、tpm2-abrmd做成服务

本步骤前导步骤参见《TPM零知识学习十 —— tpm全安装流程复盘（中）》—— 四、tpm2-abrmd安装全流程。在步骤11之后插入以下步骤：

1. 修改tpm2-abrmd.service服务配置

修改服务配置文件/lib/systemd/system/tpm2-abrmd.service。原始内容如下：

[Unit]
Description=TPM2 Access Broker and Resource Management Daemon
# These settings are needed when using the device TCTI. If the
# TCP mssim is used then the settings should be commented out.
After=dev-tpm0.device
Requires=dev-tpm0.device[Service]
Type=dbus
BusName=com.intel.tss2.Tabrmd
ExecStart=/usr/local/sbin/tpm2-abrmd
User=tss[Install]
WantedBy=multi-user.target

在启动服务时加载tss动态库并将服务启动到本地2321端口。将文件中“ExecStart=/usr/local/sbin/tpm2-abrmd”修改为“ExecStart=/usr/local/sbin/tpm2-abrmd --allow-root --tcti=mssim”。修改后文件内容如下：

[Unit]
Description=TPM2 Access Broker and Resource Management Daemon
# These settings are needed when using the device TCTI. If the
# TCP mssim is used then the settings should be commented out.
After=dev-tpm0.device
Requires=dev-tpm0.device[Service]
Type=dbus
BusName=com.intel.tss2.Tabrmd
ExecStart=/usr/local/sbin/tpm2-abrmd --allow-root --tcti=mssim
User=tss[Install]
WantedBy=multi-user.target

修改后保存退出。

2. 测试TPM配置情况，启动tpm2-abrmd服务

Bug#995925: tpm2-tss: Latest version breaks tpm2-abrmd due to outdated udev rule

笔者环境的实际情况：

penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status tpm2-abrmd.service
[sudo] penghao 的密码：○ tpm2-abrmd.service - TPM2 Access Broker and Resource Management DaemonLoaded: loaded (/usr/local/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: enabled)Active: inactive (dead)1月 13 13:07:15 Ding-Perlis-MP260S48 systemd[1]: Dependency failed for TPM2 Access Broker and Resource Management Daemon.
1月 13 13:07:15 Ding-Perlis-MP260S48 systemd[1]: tpm2-abrmd.service: Job tpm2-abrmd.service/start failed with result 'dependency'.
1月 13 13:42:25 Ding-Perlis-MP260S48 systemd[1]: Dependency failed for TPM2 Access Broker and Resource Management Daemon.
1月 13 13:42:25 Ding-Perlis-MP260S48 systemd[1]: tpm2-abrmd.service: Job tpm2-abrmd.service/start failed with result 'dependency'.
1月 13 15:25:49 Ding-Perlis-MP260S48 systemd[1]: Dependency failed for TPM2 Access Broker and Resource Management Daemon.
1月 13 15:25:49 Ding-Perlis-MP260S48 systemd[1]: tpm2-abrmd.service: Job tpm2-abrmd.service/start failed with result 'dependency'.

penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status dev-tpm0.device
[sudo] penghao 的密码：○ dev-tpm0.device - /dev/tpm0Loaded: loadedActive: inactive (dead)1月 13 13:07:15 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start timed out.
1月 13 13:07:15 Ding-Perlis-MP260S48 systemd[1]: Timed out waiting for device /dev/tpm0.
1月 13 13:07:15 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start failed with result 'timeout'.
1月 13 13:42:25 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start timed out.
1月 13 13:42:25 Ding-Perlis-MP260S48 systemd[1]: Timed out waiting for device /dev/tpm0.
1月 13 13:42:25 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start failed with result 'timeout'.
1月 13 15:25:49 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start timed out.
1月 13 15:25:49 Ding-Perlis-MP260S48 systemd[1]: Timed out waiting for device /dev/tpm0.
1月 13 15:25:49 Ding-Perlis-MP260S48 systemd[1]: dev-tpm0.device: Job dev-tpm0.device/start failed with result 'timeout'.

可见，是和上述网页中的情况一致的。

笔者环境的实际情况：

penghao@Ding-Perlis-MP260S48:~$ cat TPM/tss/tpm2-tss/dist/tpm-udev.rules
# tpm devices can only be accessed by the tss user but the tss
# group members can access tpmrm devices
KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss"
KERNEL=="tpmrm[0-9]*", TAG+="systemd", MODE="0660", GROUP="tss"

并不存在/lib/udev/rules.d/60-tpm-udev.rules文件。

可见，需要拷贝~/TPM/tss/tpm2-tss/dist/tpm-udev.rules文件到/lib/udev/rules.d/下，并重命名为60-tpm-udev.rules。

$ sudo cp TPM/tss/tpm2-tss/dist/tpm-udev.rules /lib/udev/rules.d/60-tpm-udev.rules

重启。重启后查看tpm-abrmd服务运行状态：

penghao@Ding-Perlis-MP260S48:~$ sudo systemctl status tpm2-abrmd.service
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management DaemonLoaded: loaded (/usr/local/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: enabled)Active: active (running) since Fri 2023-01-13 18:49:25 CST; 1min 4s agoMain PID: 343 (tpm2-abrmd)Tasks: 6 (limit: 18940)Memory: 5.7MCPU: 30msCGroup: /system.slice/tpm2-abrmd.service└─343 /usr/local/sbin/tpm2-abrmd --allow-root1月 13 18:49:25 Ding-Perlis-MP260S48 systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
1月 13 18:49:25 Ding-Perlis-MP260S48 systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.
1月 13 18:49:25 Ding-Perlis-MP260S48 systemd[1]: tpm2-abrmd.service: Current command vanished from the unit file, execution of the command list won't be resumed.

penghao@Ding-Perlis-MP260S48:~$ ps -ef | grep abrmd
tss          343       1  0 18:49 ?        00:00:00 /usr/local/sbin/tpm2-abrmd --allow-root
penghao     6947    1585  0 18:52 pts/1    00:00:00 grep --color=auto abrmd

可见，问题已经解决。

至此，tpm-abrmd服务配置流程就完全结束了！