Dell M65


Dell M65 - Security Hardware

One major point in looking at this machine was to investigate the integration of fingerprint reader, smartcard reader and TPM chip for Linux compatibility. It is hoped that at some point this system can be used as a test system connected to the new NHS IT framework. The smartcard reader is therefore essential, and the other two facilities highly desirable. At present, however, we have failed to make much progress.

Broadcom TPM

 Description:  Broadcom TPM Device
 Device ID:    ACPI BCM0102 4&25E2FF18&0

Now, if my assumptions are correct, then this chip is built into the BCM5752M NetXtreme Gigabit Ethernet Controller.

The chip is supported by the current kernel: the required kernel options are TCG_TPM and TCG_TIS. With those modules loaded, the TPM is accessible as the character device /dev/tpm0.

TODO: Describe what this is, what it can do, and how we might be able to use it.

TrouSerS compiles cleanly. Have not yet managed to get the daemon to run, though!

  1. Compile & install TrouSerS v0.3.1
  2. TPM-Tools v1.3.0
  3.

This then provides you with the following tools:

  • /sbin/tpm_changeownerauth
  • /sbin/tpm_clear
  • /sbin/tpm_createek
  • /sbin/tpm_getpubek
  • /sbin/tpm_restrictpubek
  • /sbin/tpm_selftest
  • /sbin/tpm_setactive
  • /sbin/tpm_setclearable
  • /sbin/tpm_setenable
  • /sbin/tpm_setownable
  • /sbin/tpm_setpresence
  • /sbin/tpm_takeownership
  • /sbin/tpm_version
  • /bin/tpm_sealdata
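An added preflight check for the chain above (kernel modules, /dev/tpm0, the TrouSerS daemon, then tpm-tools); this is example code written for this page, not code from TrouSerS or tpm-tools, and its function names are my own. It assumes the modules built from TCG_TPM and TCG_TIS are named tpm and tpm_tis, as in mainline kernels, and that tcsd listens on its default TCP port 30003.

```python
import os
import socket
import stat

def missing_modules(proc_modules_text, wanted=("tpm", "tpm_tis")):
    """Return the wanted modules absent from /proc/modules-style text (first column is the name)."""
    loaded = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return [m for m in wanted if m not in loaded]

def device_node_ok(path="/dev/tpm0"):
    """True if the TPM character device exists and this user can open it read/write."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISCHR(st.st_mode) and os.access(path, os.R_OK | os.W_OK)

def tcsd_reachable(host="127.0.0.1", port=30003, timeout=1.0):
    """True if something accepts TCP connections where tcsd listens (assumed default port 30003)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(proc_modules_text, dev="/dev/tpm0", host="127.0.0.1", port=30003):
    """Check the prerequisites in the order the page sets them up; return the first gap found."""
    missing = missing_modules(proc_modules_text)
    if missing:
        return "load kernel modules: " + ", ".join(missing)
    if not device_node_ok(dev):
        return "%s missing or not accessible (TPM disabled in BIOS, or device permissions)" % dev
    if not tcsd_reachable(host, port):
        return "tcsd not accepting connections on %s:%d; start the TrouSerS daemon first" % (host, port)
    return "ok: tpm-tools such as tpm_version can now talk to the TPM via tcsd"

# Constructed /proc/modules excerpt for a machine where only the core TPM module is loaded.
SAMPLE_PROC_MODULES = ("tpm 12345 0 - Live 0xffffffffa0001000\n"
                       "usbcore 123456 3 ehci_hcd,uhci_hcd, Live 0xffffffffa0010000\n")

if __name__ == "__main__":
    with open("/proc/modules") as f:
        print(preflight(f.read()))
```

Run as root or as the tss user so that the /dev/tpm0 permission check reflects the account tcsd actually runs under.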

O2-Micro Oz776 SmartCard Reader

As far as I can tell, there are THREE methods to get your smartcard working under Linux:

So far, I have PARTIALLY got things to work (mainly due to a lack of suitable smartcards).

  1. Obtain a driver for the card reader, either:
        * compile the driver source code for the O2 Micro Card Reader v1.2.1 or higher:
          > ./configure --enable-udev
          > make
          > make install
          > ./src/parse > ccid.txt
        * or use the OpenCT ccid driver.
  2. Install your choice of SmartCard daemon:
        * libpcsclite v1.4.0 (configured via /etc/reader.conf)
        * libchipcard v3 (not configured yet!)
        * OpenCT
  3. Use your new hardware with a smartcard! pcscd will give you a log message along the lines of:
       May 3 23:52:42 [pcscd] Card ATR: 0C 88 65 36 5C 65 14 8D B5 3E 47 D9 20 11 9F 90
  4. I have an ongoing page about using Auth.NHS-Smartcards (an unsupported GemSAFE card).
  5. Use your nice SmartCard as a security or login token for the laptop.

> lsusb -v

  Bus 003 Device 004: ID 0b97:7762 O2 Micro, Inc. Oz776 SmartCard Reader
  Device Descriptor:
    bLength                18
    bDescriptorType         1
    bcdUSB               1.10
    bDeviceClass            0 (Defined at Interface level)
    bDeviceSubClass         0
    bDeviceProtocol         0
    bMaxPacketSize0        64
    idVendor           0x0b97 O2 Micro, Inc.
    idProduct          0x7762 Oz776 SmartCard Reader
    bcdDevice            1.10
    iManufacturer           1 O2
    iProduct                2 O2Micro CCID SC Reader
    iSerial                 0
    bNumConfigurations      1
    Configuration Descriptor:
      bLength                 9
      bDescriptorType         2
      wTotalLength           93
      bNumInterfaces          1
      bConfigurationValue     1
      iConfiguration          0
      bmAttributes         0xe0
        Self Powered
        Remote Wakeup
      MaxPower                0mA
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        0
        bAlternateSetting       0
        bNumEndpoints           3
        bInterfaceClass        11 Chip/SmartCard
        bInterfaceSubClass      0
        bInterfaceProtocol      0
        iInterface              0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x03  EP 3 OUT
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval               0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x82  EP 2 IN
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval               0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x81  EP 1 IN
          bmAttributes            3
            Transfer Type            Interrupt
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0003  1x 3 bytes
          bInterval             255
        UNRECOGNIZED:  36 21 00 01 00 07 03 00 00 00 a0 0f 00 00 a0 0f 00 00 00 80 25 00 00 00 b0 04 00 00 fe 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 0f 01 00 00 00 00 00 00 00 01
  cannot read device status, Protocol error (71)
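As an added example, not code from this page or from pcsc-lite, here is a decoder for the "Card ATR:" line that pcscd logs in step 3 above: it pulls the ATR out of the log line and walks it against the ISO 7816-3 layout (TS, T0, interface bytes, historical bytes, TCK). ISO 7816-3 defines only 3B and 3F as TS values, so an ATR that starts with 0C, like the one logged above, is reported as not a valid ATR rather than decoded, which is a useful first check when a reader and driver only partly work. Function and constant names are my own.

```python
import re
# Matches the ATR bytes in a pcscd log line such as "... Card ATR: 3B 2A 00 ..."
ATR_LINE = re.compile(r"Card ATR:\s*((?:[0-9A-Fa-f]{2}\s*)+)")

def atr_from_log(line):
    m = ATR_LINE.search(line)
    return bytes.fromhex(m.group(1)) if m else None
def decode_atr(atr):
    """Walk an ISO 7816-3 ATR; on any defect returns valid=False with a reason."""
    r = {"valid": False, "convention": None, "interface": {}, "protocols": [],
         "historical": b"", "tck_ok": None, "reason": ""}
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):  # TS is only ever 3B or 3F
        r["reason"] = "bad TS/T0 header %s: not an ISO 7816-3 ATR" % atr[:2].hex()
        return r
    r["convention"] = "direct" if atr[0] == 0x3B else "inverse"
    k, y, pos, i = atr[1] & 0x0F, atr[1] >> 4, 2, 1  # T0: K historical bytes, Y1 bits
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    r["reason"] = "truncated at %s%d" % (name, i)
                    return r
                r["interface"]["%s%d" % (name, i)] = atr[pos]
                pos += 1
        td = r["interface"].get("TD%d" % i)
        if td is None:
            break
        r["protocols"].append(td & 0x0F)  # low nibble of TDi names a protocol T=n
        y, i = td >> 4, i + 1             # high nibble announces the next group
    r["protocols"] = r["protocols"] or [0]  # no TD1 at all means T=0 only
    r["historical"] = atr[pos:pos + k]
    if len(r["historical"]) != k:
        r["reason"] = "T0 announces %d historical bytes, %d present" % (k, len(r["historical"]))
        return r
    pos += k
    if set(r["protocols"]) != {0}:  # TCK present unless only T=0 is offered
        chk = 0
        for b in atr[1:pos + 1]: chk ^= b  # XOR of T0 .. TCK must be zero
        r["tck_ok"] = chk == 0
        if not r["tck_ok"]:
            r["reason"] = "TCK missing or wrong"
            return r
        pos += 1
    if pos != len(atr):
        r["reason"] = "%d trailing byte(s)" % (len(atr) - pos)
        return r
    r["valid"] = True
    return r
# Constructed sample: the pcscd line quoted on this page; its TS byte 0C is not 3B/3F.
PAGE_LOG_LINE = "May 3 23:52:42 [pcscd] Card ATR: 0C 88 65 36 5C 65 14 8D B5 3E 47 D9 20 11 9F 90"
```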

Fingerprint Reader

UPEK/SGS Thomson Microelectronics TouchChip TFM/ESS Fingerprint BSP.

> lsusb -v

  Bus 003 Device 003: ID 0483:2016 SGS Thomson Microelectronics
  Device Descriptor:
    bLength                18
    bDescriptorType         1
    bcdUSB               1.00
    bDeviceClass            0 (Defined at Interface level)
    bDeviceSubClass         0
    bDeviceProtocol         0
    bMaxPacketSize0         8
    idVendor           0x0483 SGS Thomson Microelectronics
    idProduct          0x2016
    bcdDevice            0.01
    iManufacturer           1 STMicroelectronics
    iProduct                2 Biometric Coprocessor
    iSerial                 0
    bNumConfigurations      1
    Configuration Descriptor:
      bLength                 9
      bDescriptorType         2
      wTotalLength           39
      bNumInterfaces          1
      bConfigurationValue     1
      iConfiguration          0
      bmAttributes         0xa0
        Remote Wakeup
      MaxPower              100mA
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        0
        bAlternateSetting       0
        bNumEndpoints           3
        bInterfaceClass       255 Vendor Specific Class
        bInterfaceSubClass      0
        bInterfaceProtocol      0
        iInterface              0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x81  EP 1 IN
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval               0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x02  EP 2 OUT
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval               0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x83  EP 3 IN
          bmAttributes            3
            Transfer Type            Interrupt
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0004  1x 4 bytes
          bInterval              20

There have been recorded instances, under both Linux and Windows, of the TouchChip overheating - and when it did so, I could not reboot and log in with a finger swipe. Turning off the machine and allowing it to cool before a reboot worked. So did an unknown update I did later, as I no longer get this problem...[1]

So far, I have only got first stage booting to work. In theory, it should be possible to pass the authentication token to Linux, as you can under Windows. Not played with this yet - I do not yet know how to access it under Linux. Help would be appreciated.

Fortunately, there is a UPEK Linux driver for this device.

    * Install the official BioAPI or the patched BioAPI framework.
    * Obtain and install the TFM/ESS BSP (Biometric Service Provider) for Linux. Closed source.
    * ThinkFinger is an open-source suite for utilising the TouchChip, and integrates with PAM.

So, what's the point?

More pages will appear, linked from here, as I get time to work out how to do things! Recipes, hints, tips and suggestions gratefully received.

    * Encrypted Home Directory (or part of).
    * Integration with Grub / Lilo / Other. - to be put in the Grimoire.Index
    * Smartcards with gpg - scdaemon

1. TouchChip still overheating on an intermittent basis. I can find no pattern to the occurrences. There also seems to be an issue with the device being recognised/registered as a USB device, as it appears/disappears all the time. This seems to have resolved. The problem with running Gentoo is that quite frequently you can update a package, and inadvertently fix other issues that you are not concentrating on at that particular time. I have no idea how I fixed the issue, but it seems to be working fine now...

Software

Software for fingerprint recognition performs one of two functions:

  1. 1:1 fingerprint verification
  2. 1:n fingerprint identification.

Page last modified on 2008, December 31 @ 05:14:58