Unlocking your key at startup
Finally, we need to automate this process. When the BBB boots, we want it to collect the code, extend the PCR, and unwrap the GPG keys so that they are ready to use. We'll make an init.d script that will handle this, but we still need to deal with the GPG key. We don't want an unwrapped GPG key lying around on the disk, even if it is protected with a password. Instead, we'll keep the GPG keys on a ramfs, which will never touch persistent storage.
To create the ramfs, add the following line to /etc/fstab:
ramfs /mnt/ramdisk ramfs nodev,nosuid,noexec,nodiratime,size=1M,uid=1000,gid=1002 0 0
Be sure to replace the uid and gid with the appropriate values for your user, which you can obtain by running the id command. Either reboot or run mount -a to reload the fstab. Since GPG expects the secring.gpg to live in ~/.gnupg/secring.gpg, we'll create a link from there to the ramdisk. Create the following symlink:
ln -s /mnt/ramdisk/secring.gpg ~/.gnupg/secring.gpg
Now, we want a script to run on boot. In the beagle-bone-for-secret-agents/ch4 repository, there is a script, tpm_gpg, which you can copy to /etc/init.d/. This script expects getgpgpin to live in /usr/local/bin and that your secring.gpg is in the normal place. Edit as desired. To register this script, run as root:
update-rc.d tpm_gpg defaults
With the script in place, the ramdisk set to mount at boot, the ATmega programmed to collect the code, and the hardware attached, reboot one more time. Watch for the CryptoCape LED to turn on, enter your pin, and then log back in to the BBB. If your GPG key is in /mnt/ramdisk, congratulations, you have just used your TPM to protect your GPG key! Because of the symlink, all GPG-related programs will use the keys just as usual. If the key is not there, recompile keypad.c with debug set to 1 to check that each step is working.
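As an added example (not the book's tpm_gpg script or anything from the ch4 repository), here is a POSIX shell check to run after that reboot: it confirms /mnt/ramdisk is really a ramfs (tmpfs would be rejected, since its pages can be swapped out to disk), that ~/.gnupg/secring.gpg resolves onto that ramdisk, and that the key file is owner-only. The mount point and symlink layout are the ones given above; the --run flag and script name are assumptions.

```sh
#!/bin/sh
# Added example, not the book's tpm_gpg script: verify after reboot that the
# unwrapped secring.gpg is held only on the ramfs, never on persistent storage.
# Assumed layout (from the text above): ramfs at /mnt/ramdisk, symlink
# ~/.gnupg/secring.gpg -> /mnt/ramdisk/secring.gpg.

# fs_type_of MOUNTS_TEXT MOUNTPOINT: print the filesystem type mounted at
# MOUNTPOINT from /proc/mounts-style text (last match wins; empty if unmounted).
fs_type_of() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $3 }' | tail -n 1
}

# ramdisk_ok MOUNTS_TEXT MOUNTPOINT: succeed only for a genuine ramfs mount.
# tmpfs is rejected on purpose: its pages can be swapped out to disk, ramfs cannot.
ramdisk_ok() {
    [ "$(fs_type_of "$1" "$2")" = "ramfs" ]
}

# key_on_ramdisk KEYPATH MOUNTPOINT: succeed if KEYPATH, with symlinks resolved,
# lies inside MOUNTPOINT.
key_on_ramdisk() {
    real=$(readlink -f "$1") || return 1
    case "$real" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_all: run the checks against the live system. Returns non-zero on the
# first failure, so it can gate the rest of an init script.
check_all() {
    mounts=$(cat /proc/mounts)
    ramdisk_ok "$mounts" /mnt/ramdisk ||
        { echo "FAIL: /mnt/ramdisk is not a ramfs mount"; return 1; }
    key_on_ramdisk "$HOME/.gnupg/secring.gpg" /mnt/ramdisk ||
        { echo "FAIL: ~/.gnupg/secring.gpg does not resolve into /mnt/ramdisk"; return 1; }
    [ "$(stat -c %a /mnt/ramdisk/secring.gpg)" = "600" ] ||
        { echo "FAIL: secring.gpg is not mode 0600"; return 1; }
    echo "OK: secring.gpg is held only on the ramfs"
}

# Run the live checks only when invoked with --run, e.g. sh check_ramdisk.sh --run
if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

Running it with --run after logging back in gives a quick yes/no on whether the unwrapped key ever touched persistent storage; the helper functions can also be sourced into the init.d script to abort before unwrapping if the ramdisk is missing.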