Hardware Reference
In-Depth Information
Unlocking your key at startup
Finally, we need to automate this process. When the BBB boots, we want it to collect the
code, extend the PCR, and unwrap the GPG keys so that they are ready to use. We'll make
an init.d script that will handle this, but we still need to deal with the GPG key. We
don't want an unwrapped GPG key lying around the disk, even if it is protected with a pass-
word. Instead, we'll keep the GPG keys on a ramfs , which will never touch persistent
To create the ramfs , add the following to /etc/fstab :
ramfs /mnt/ramdisk ramfs
nodev,nosuid,noexec,nodiratime,size=1M,uid=1000,gid=1002 0
Be sure to replace your uid and gid with the appropriate values for your user. This can be
obtained by running the id command. Either reboot or run mount -a to reload the
fstab . Since GPG expects the secring.gpg to live in ~/.gnupg/secring.gpg ,
we'll create a link from there to the ramdisk. Create the following symlink:
ln -s /mnt/ramdisk/secring.gpg ~/.gnupg/secring.gpg
Now, we want a script to run on boot. In the beagle-bone-for-secret-agents/
ch4 repository, there is a script, tpm_gpg , which you can copy to /etc/init.d/ . This
script expects getgpgpin to live in /usr/local/bin and that your secring.gpg
is in the normal place. Edit as desired. To register this script, run as root:
update-rc.d tpm_gpg defaults
With the script in place, the ramdisk set to mount at boot, the ATmega programmed to col-
lect the code, and the hardware attached, reboot one more time. Watch for the CryptoCape
LED to turn on, enter your pin, and then log back in to the BBB. If your GPG key is in
/mnt/ramdisk , congratulations, you have just used your TPM to protect your GPG key!
Because of the symlink, all GPG-related programs will use the keys just as usual. If not, re-
compile keypad.c with debug set to 1 to make sure everything is working.
Search WWH ::

Custom Search