Extending a PCR
We'll need to extend a PCR so that we can encrypt our GPG key. We'll arbitrarily choose
PCR number 9. First let's view the PCR status to be sure that it is blank:
cat /sys/class/misc/tpm0/device/pcrs | grep PCR-09
This should return the current state of the PCR, which, without using secure boot, is:
PCR-09:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Now, run the getgpgpin program from the following section. The LED on the CryptoCape
should turn green, and you then have 10 seconds to enter a five-digit PIN. Each time
you press a key, the LED should briefly flash, and when five digits have been entered, the
LED will turn off. After 10 seconds, the getgpgpin program will silently exit. If you
compiled the program with #define DEBUG set to 1, you should see something like
this:
54321
(Line 53, extend_pcr) Create a Context
returned 0x00000000. Success.
(Line 55, extend_pcr) Connect to TPM
returned 0x00000000. Success.
(Line 59, extend_pcr) GetTPM Handle
returned 0x00000000. Success.
(Line 62, extend_pcr) Owner Policy
returned 0x00000000. Success.
36987(Line 73, extend_pcr) extend
returned 0x00000000. Success.
Now, check your PCR status again:
cat /sys/class/misc/tpm0/device/pcrs | grep PCR-09
You should now have a populated PCR9:
PCR-09:2B 1E 41 10 EB A0 91 9E B4 89 0E 04 83 0B 70 C5 C2 AA 23 44
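The extend operation behind this change, as an added example that is not from the book or the getgpgpin program: on a TPM 1.2 the new PCR value is SHA-1(old value || 20-byte measurement), so a PCR can be moved forward but never written directly. The PIN values below, and the choice to hash them with SHA-1 before extending, are assumptions made for illustration.

```python
import hashlib
import re

PCR_LEN = 20  # a TPM 1.2 PCR holds exactly one SHA-1 digest

# PCR-09 readings copied from the page, before and after getgpgpin ran.
BEFORE = "PCR-09:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n00 00"
AFTER = "PCR-09:2B 1E 41 10 EB A0 91 9E B4 89 0E 04 83 0B 70 C5 C2 AA\n23 44"


def parse_pcrs(text):
    """Parse 'PCR-NN:xx xx ...' readings into {index: 20 raw bytes}."""
    pattern = r"PCR-(\d+):((?:\s*[0-9A-Fa-f]{2}){%d})" % PCR_LEN
    return {int(m.group(1)): bytes.fromhex("".join(m.group(2).split()))
            for m in re.finditer(pattern, text)}


def is_blank(pcr):
    """True if the PCR still holds its reset value of all zeros."""
    return pcr == bytes(PCR_LEN)


def extend(pcr, measurement):
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || 20-byte measurement)."""
    if len(pcr) != PCR_LEN or len(measurement) != PCR_LEN:
        raise ValueError("PCR and measurement must both be 20 bytes")
    return hashlib.sha1(pcr + measurement).digest()


def replay(measurements, start=bytes(PCR_LEN)):
    """Fold a list of measurements into a PCR value, in order."""
    pcr = start
    for m in measurements:
        pcr = extend(pcr, m)
    return pcr


if __name__ == "__main__":
    assert is_blank(parse_pcrs(BEFORE)[9])
    print("after getgpgpin:", parse_pcrs(AFTER)[9].hex())
    # Constructed measurements; hashing the PIN first is an assumption here.
    pin = hashlib.sha1(b"00000").digest()
    other = hashlib.sha1(b"11111").digest()
    print("one extend:     ", replay([pin]).hex())
    print("order matters:  ", replay([pin, other]) != replay([other, pin]))
    print("no way back:    ", not is_blank(replay([pin, pin])))
```

Because each extend folds the previous value into the hash, running getgpgpin a second time before a reboot yields a different PCR-09, which is why the blank check comes first.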