rgl/tpm-go-attestation-vagrant

Usage

Install the Ubuntu 20.04 UEFI vagrant box.

Install the Windows 2022 UEFI vagrant box.

Install the swtpm packages as described in swtpm-vagrant.

Start the environment then do a self-test attestation:

# start the server.
time vagrant up --provider=libvirt --no-destroy-on-error --no-tty server
# start the ubuntu client.
time vagrant up --provider=libvirt --no-destroy-on-error --no-tty client0
# enter the environment.
vagrant ssh client0
# switch to root.
sudo -i
# show information about the tpm.
attest-tool info
# show the swtpm root ca certificate (this signs the swtpm ca).
openssl x509 -noout -text -in /opt/swtpm-localca/swtpm-localca-rootca-cert.pem
# show the swtpm ca intermediate certificate (this signs the tpm ek).
openssl x509 -noout -text -in /opt/swtpm-localca/swtpm-localca-cert.pem
# list the tpm endorsement keys (ek) certificates.
attest-tool list-eks | openssl x509 -noout -text
# do a self-test attestation.
attest-tool self-test
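
The root CA, intermediate CA and EK certificates printed above form a chain. As an added example (not part of this repository), the script below checks that chain with `openssl verify` while trusting only the root. The function names and the throwaway test chain are constructed for illustration, and using it on client0 assumes the `attest-tool list-eks` output was first saved to a PEM file.

```shell
#!/bin/sh
# Added example, not part of the repository.

# ek_chain_ok ROOT_CA INTERMEDIATE_CA EK_CERT (all PEM files)
# Succeeds only when EK_CERT verifies through INTERMEDIATE_CA up to ROOT_CA.
# Only ROOT_CA is trusted; the intermediate is supplied as untrusted input.
ek_chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# mk_cert DIR NAME EXTFILE [ISSUER]
# Issues DIR/NAME.pem for a fresh key; self-signed when ISSUER is omitted.
mk_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed $2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    if [ -z "${4:-}" ]; then
        openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -set_serial 1 \
            -extfile "$3" -days 1 -out "$1/$2.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
            -set_serial 2 -extfile "$3" -days 1 -out "$1/$2.pem" 2>/dev/null
    fi
}

# make_constructed_chain DIR
# Constructed sample data: root -> inter -> ek, plus an unrelated root "other".
make_constructed_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,keyEncipherment\n' \
        > "$1/ek.ext"
    mk_cert "$1" root "$1/ca.ext" &&
    mk_cert "$1" other "$1/ca.ext" &&
    mk_cert "$1" inter "$1/ca.ext" root &&
    mk_cert "$1" ek "$1/ek.ext" inter
}

# When called with three files, check them and report the result.
if [ "$#" -eq 3 ]; then
    if ek_chain_ok "$1" "$2" "$3"; then echo "EK chain: OK"
    else echo "EK chain: FAILED"; exit 1; fi
fi
```

Saved under a hypothetical name such as `ek_chain.sh`, it takes `/opt/swtpm-localca/swtpm-localca-rootca-cert.pem`, `/opt/swtpm-localca/swtpm-localca-cert.pem` and the saved EK certificate file as its three arguments.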

Access the server page to see the known clients:

http://10.11.0.101:8000

Click one of the clients to go to its Remote Attestation page.

Click the "Start Remote Attestation" button and go through the remote attestation steps.

Real-World Projects

References