Documentation related to the MTM implementation

On this page we have collected textual material related to the MTM emulator, and the MTM specification in general.


General:
Manual pages for the added tools:

Installation problems, known shortcomings and features:
  • tpm_verifyrimcertandextend command is "missing": The Extend functionality is included in the tpm_verifyrimcert command. Its '-e' option extends the PCR value. If a separate command is needed, the following script can be used:
    #!/bin/sh
    # Forward all arguments unchanged; quoting keeps arguments with spaces intact
    tpm_verifyrimcert -e "$@"
  • AIK initialization in code is incorrect: The module mtmemu-0.1/tpm/tpm_data.c (function tpm_init_data) initializes the AIK field of the MTM permanent data structure, which is a TPM_KEY structure, as a tpm_private_key_t structure.
  • mtmcontrol init script contains unnecessarily large sleep values: The script was also used in test scripts, where there is a need to independently start and stop both mtmd and tcsd daemons without a risk that connection fails because the connection port is still used by the previous test.
  • mtmcontrol command assumes that the directory $HOME/tmp exists: If the mtmcontrol command is used to start the mtmd and tcsd daemons, the log files go to the $HOME/tmp directory. If the directory does not exist, the command will fail.
  • mtmcontrol start/stop/restart and state file: The mtmcontrol stop command removes the $HOME/tmp/mtm_emulator.data state file when the daemons are stopped. If the daemons are started or stopped without the mtmcontrol script, remember to remove the state file before starting again.
  • Permission problems with TrouSerS if daemons are not run as root: The TrouSerS installation process sets /etc/tcsd.conf as non-readable and /var/lib/tpm/system.data as non-writable for users other than root or tss. If TrouSerS is installed by root and the system is started using some other UID, the connection fails because these files/directories cannot be accessed.
  • Compilation in Ubuntu requires installation of additional packages:
    $ sudo apt-get install libtool
    $ sudo apt-get install libgmp3-dev
    $ sudo apt-get install libssl-dev
    and possibly set --with-gui=none for TrouSerS in configure.
  • Logging MTM state:
    MTM emulator state after each command is logged into $HOME/tmp/mtmd.log file. (Note that $HOME/tmp directory must exist.)
  • Configuration of MTM features:
    MTM/TPM commands can be enabled/disabled in the mtmd configuration file (-c option). The configuration file should list TPM/MTM command keywords, one entry per line, each with either value 1 (enable) or 0 (disable). Line entry example: "TPM_ORD_CreateCounter 0" (disable TPM_CreateCounter command).
  • MTM emulator is implemented as server daemon:
    There is no device entry (/dev/tpm or /dev/mtm) for the MTM emulator. It is implemented as a userspace server daemon, mtmd, and the TrouSerS daemon tcsd is modified to communicate with mtmd using a socket interface.
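
The mtmcontrol and TrouSerS items above (missing $HOME/tmp, leftover state file, file permissions for non-root users) can be checked in one pass before starting the daemons. The script below is an added example, not part of mtmemu or TrouSerS; the function name mtm_preflight and its three optional path arguments are assumptions made here so the check can also be run against a scratch directory.

```sh
#!/bin/sh
# Pre-flight check before starting mtmd/tcsd (added example, not mtmemu code).
# Default paths are the ones named on this page; the three positional
# arguments are hypothetical overrides for testing against a scratch tree.

mtm_preflight() {
    home_dir=${1:-$HOME}
    tcsd_conf=${2:-/etc/tcsd.conf}
    system_data=${3:-/var/lib/tpm/system.data}
    problems=0

    # mtmcontrol sends the daemon logs to $HOME/tmp and fails if it is missing.
    if [ ! -d "$home_dir/tmp" ]; then
        echo "missing directory: $home_dir/tmp (create it before starting)"
        problems=$((problems + 1))
    fi

    # A state file left behind by daemons stopped without mtmcontrol
    # has to be removed before the next start.
    if [ -e "$home_dir/tmp/mtm_emulator.data" ]; then
        echo "leftover state file: $home_dir/tmp/mtm_emulator.data (remove it)"
        problems=$((problems + 1))
    fi

    # TrouSerS restricts these files to root or tss; any other UID
    # cannot connect until access is granted.
    if [ ! -r "$tcsd_conf" ]; then
        echo "not readable by $(id -un): $tcsd_conf"
        problems=$((problems + 1))
    fi
    if [ ! -w "$system_data" ]; then
        echo "not writable by $(id -un): $system_data"
        problems=$((problems + 1))
    fi

    # Exit status is the number of problems found (0 means ready to start).
    return "$problems"
}
```

Source the file and run `mtm_preflight` as the user that will start the daemons; a non-zero status gives the number of problems reported.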


Updated: 25.2.2008