TPM emulator, TrouSerS & IMA on Android

In this tutorial, we will cover the installation of TPM emulator, TrouSerS (the open source Trusted Computing Software Stack) and IMA (Integrity Measurement Architecture) on the Android platform. This tutorial is based on Ubuntu 10.10 (x86), Android source code (froyo version) & Android golfish kernel 2.6.29. This tutorial is aimed at relative newbies so each step will be explained in detail. Here are the steps that are needed to successfully download, build and run a specific kernel (with the above mentioned features) on the emulator.

1. Installing the prerequisites

1.1 Installing the JDK

The Sun JDK is no longer in Ubuntu’s main package repository. In order to download it through apt-get, you need to add the appropriate repository and indicate to the system which JDK should be used.

Java 5: for Froyo and older versions of Android

$ sudo add-apt-repository "deb dapper main multiverse"
$ sudo add-apt-repository "deb dapper-updates main multiverse"

$ sudo add-apt-repository "deb hardy  multiverse"
$ sudo add-apt-repository "deb hardy-updates multiverse"
$ sudo apt-get update
$ sudo apt-get install sun-java5-jdk

1.2 Installing required packages for Android source

You will need to install a number of required packages in order to set up your development environment. Run the following command to install these packages:

$ sudo apt-get install git-core gnupg flex bison gperf build-essential zip curl zlib1g-dev libc6-dev libncurses5-dev x11proto-core-dev libx11-dev libreadline5-dev libz-dev libgl1-mesa-dev

2. Building & Running Android Kernel:

2.1 Download Android Source

(a) Installing Repo

repo is a repository management tool that work on top of Git in the context of Android. You will need it to download Android source on your local machine.

Create a bin/ directory in your home directory to install Repo client, and included it in your path:

$ mkdir ~/bin
$ PATH=~/bin:$PATH

Download the Repo script and ensure it is executable:

$ curl > ~/bin/repo

$ curl > ~/bin/repo

$ chmod a+x ~/bin/repo

(b) Initializing Repo Client

Once Repo is installed you will need to initialize it to access Android source repository. In your home directory create an empty directory to hold the Android source code at your machine:

$ mkdir mydroid   # Android Source Directory
$ cd mydroid

Since we want to download the Froyo version, we will specify it in the command as:

$ repo init -u git:// -b froyo

$ repo init -u -b froyo

Repo will prompt you for your name & email address which is used in case you are submitting your own changes/contribution to the Android source code. If the Repo is initialized successfully it will end with a message stating that Repo is initialized in your working directory i.e., mydroid in this case.

Run the following command to start the download process to your working directory from the Android repositories:

$ repo sync

Sit back and relax as it will take some time to complete the download.

(c) Build the Android source code

Initialize the build environment with the script:

$ . build/
$ lunch full-eng

Build the Android source with the following command:

$ make -j4

(The number of threads with the ‘j’ option depends on your hardware, you can specify a higher or lower value accordingly)

2.2 Building custom kernel

In the standard Android open source distribution the kernel is distributed as a pre-built binary in the mydroid/prebuilt/android-arm/kernel folder and the source code is not included. The kernel source was removed from the default manifest for two reasons. One is that it takes a lot of bandwidth and disk-space for a platform component that most people will not work with much. The other reason is that since the kernel is built with the kernel build system and not as part of the Android Open Source Project (AOSP) build system it makes sense to keep it separated. The common branch for the kernel is the one used by the emulator.

The Android emulator runs a virtual CPU that Google calls Goldfish. This is a specific kernel which we will download, build and run on the emulator. You can download the android goldfish kernel from here:

It might take a while for the download to complete. Once downloaded, the name should look something like this:

(a) Extract the kernel:

$ tar -xvzf

For simplicity rename the kernel to a suitable name (goldfish-kernel)

$ mv goldfish-kernel

Copy the goldfish-kernel folder to your home directory. Move to the extracted kernel directory and remove world writable permissions from the source code:

$ cd goldfish-kernel
$ find -print0 | xargs -0 chmod go-w --

You will need a configuration file to compile the kernel. Generate the emulator configuration (qemu emulator runs arm code, i.e. an arm config) as:

$ make ARCH=arm goldfish_defconfig

(b) Download & Apply patches

Download the patches from here and save in a folder in your home directory (/home/yourHomeDir/patches). Apply the patches to the goldfish-kernel (make sure you are in the goldfish-kernel directory).

Patch 1: IBM IMA patch (ibm_ima_2.6.29.1.patch, license: GPL V2)

$ patch -p1 < /home/yourHomeDir/patches/ibm_ima_2.6.29.1.patch

Patch 2: IMA Modification for Android (ima_patch_android.patch, license: GPL V2)

$ patch -p1 < /home/yourHomeDir/patches/ima_patch_android.patch

Patch 3: TPM device driver (tpmd.patch, license: GPL)

$ patch -p1 < /home/yourHomeDir/patches/tpmd.patch

Patch 4: Kernel configuration patch (config.patch, license: GPL)

$ patch -p1 < /home/yourHomeDir/patches/config.patch

(c) Build the kernel:

Executing GNU make command will build the kernel:

$ ARCH=arm CROSS_COMPILE=/home/yourHomeDir/mydroid/prebuilt/linux-x86/toolchain/arm-eabi-4.2.1/bin/arm-eabi- make -j4

Make sure that you set the ANDROID_SOURCE path correctly. After the compilation finishes, the last couple of lines should show:

Kernel: arch/arm/boot/Image is ready
Kernel: arch/arm/boot/zImage is ready

The kernel built this way should end up in the arch/arm/boot folder of goldfish-kernel (where you download the kernel code).

2.3 Compiling the GMP library for Android:

GMP is a free library for arbitrary precision arithmetic, operating on signed integers, rational numbers, and floating point numbers. The main target applications for GMP are cryptography applications and research, Internet security applications, algebra systems, computational algebra research, etc. You can find more about GMP here.

In order to cross compile GMP library for Android we will use Droid-Wrapper. The Droid-Wrapper is used to compile native programs for Android. It is very hard to port software which uses the autotools (autoconf, automake, libtool etc) because different options are needed for linking shared library and program binary. Thanks to Takuya Murakami for providing the Droid-Wrapper script.

(a) Install ruby:

Install ruby if it is not already installed. It is required by the Droid-Wrapper, On Ubuntu/Debian-based Systems:

$ sudo apt-get install ruby

(b) Download and install droid-wrapper:

(i) Download the droid-wrapper script in the home directory:

$ cd ~
$ wget

(ii) Extract the droid-wrapper

$ tar -xvzf tmurakam-droid-wrapper-v1.0.4-5-g04eb4dc.tar.gz (version may change)

(iii) Move to the extracted droid-wrapper source directory

$ cd tmurakam-droid-wrapper-04eb4dc
$ sudo make install

(droid-gcc, droid-g++, and droid-ld commands will be installed under /usr/local/bin)

(c) Specify following environment variables for droid-wrapper:

DROID_ROOT: Android source tree directory

$ export DROID_ROOT=/home/yourHomeDir/mydroid

(Make sure that you set the ANDROID_SOURCE path correctly)

DROID_TARGET: Compile target (generic, dream-open etc)

$ export DROID_TARGET="generic"

(d) Download and cross-compile the GMP library:

The GNU Multiple Precision Arithmetic Library source code is free available. Download the version 4.3.2 (gmp-4.3.2.tar.bz2).

$ cd ~
$ wget

Extract the gmp-4.3.2.tar.bz2 library

$ tar -xvjf gmp-4.3.2.tar.bz2

Move to the extracted directory

$ cd gmp-4.3.2
$ mkdir install
$ CC=droid-gcc LD=droid-ld ./configure -prefix=path/to/install -build=i686-pc-linux-gnu -host=arm-linux-gnueabi

Make sure that you set the -prefix option (path to the install directory) correctly.

Install the GMP library by the executing the following commands:

$ make
$ make install

This will install the GMP library under /path/to/gmp-4.3.2/install/lib. The header file (gmp.h) can be found under install/include.

2.4 Patching TPM emulator, TPM tools and TrouSerS to Android Source:

The TPM emulator, TPM tools & TrouSerS need to be added to the Android source before building it.

(a) Move to the android-source directory & perform clean up of the build directory:

$ cd /home/yourHomeDir/mydroid
$ make clean

(b) Apply the mydroid patch (previously downloaded):

TrouSerS, TPM Emulator, TPM Tools for Android (mydroid.patch, license: CPL)

$ patch -p1 </home/yourHomeDir/patches/mydroid.patch

(c) Copy the previously built GMP library to android-source:

The GMP library (libgmp.a) is residing in /path/to/gmp-4.3.2/install/lib copy it to /home/yourHomeDir/mydroid/frameworks/base/libs/libgmp

$ cp /path/to/gmp-4.3.2/install/lib/libgmp.a /home/yourHomeDir/mydroid/frameworks/base/libs/libgmp

(d) Build the Android source again:

$ make -j4

2.5 Run the Emulator:

The emulator command is used to run the emulator. If you don’t specify the custom compiled kernel with -kernel option, the emulator will load the prebuilt kernel which comes with Android source. Obviously, the prebuilt kernel has no TPM or IMA feautures. So, run the emulator with the goldfish kernel image that is compiled during this tutorial:

$ emulator -kernel /home/yourHomeDir/goldfish-kernel/arch/arm/boot/zImage

To check whether the patched stuff is working or not, open a new terminal and perform the following steps:

(a) Open ADB shell:

Android Debug Bridge (adb) is a tool that comes with Android source. It allows you to manage and interface with the state of an emulator instance or Android-powered device. In order to open adb shell initialize the build environment with the script:

$ cd mydroid/
$ . build/
$ lunch full-eng

Open the shell by the command:

$ adb shell

(b) Start the TPM daemon (tpmd):

The TPM daemon should start during the emulator initialization. It may fails to start if the socket /data/tpmd_socket:0 file already exists. Normally this happens when the emulator is killed. If this is the case remove the socket file and start tpmd manually.

# rm /data/tpmd_socket:0
# tpmd

Optionaly: You can specify the parameters -d -f to retrieve additional debug information and to force tpmd to run in foreground respectively.

(c) Start tcsd:

The tcsd daemon manages Trusted Computing resources. It is a user space daemon & according to the TSS specification, it should be the only interface to the TPM device driver. This daemon should be started at boot time because it is supposed to open the TPM device driver and from that point on, all requests to the TPM should go through the TSS stack.

# tcsd

Optionaly: You can specify the parameter -f to force tcsd to run in foreground.

(d) Mount securityfs & verify that IMA is working correctly:

Securityfs is a pseudo-filesystem where you can only have files and directories in-memory to configure the specified security modules. This filesystem is meant to be used by security modules only. You need to mount the securityfs with read/write permissions:

# mount -o remount,rw -t securityfs securityfs /sys/kernel/security

The hash values of apk files and executables are stored in the /sys/kernel/security/ima you can view the hashes by the following command:

# cat /sys/kernel/security/ima/ascii_runtime_measurements

This will show you the measurement list of all the apk files and executables loaded on the Android.

Common Errors

If you ends up with this error during the GMP compilation:

checking compiler droid-gcc -O2 -pedantic -fomit-frame-pointer … no
configure: error: could not find a working compiler, see config.log for details

It means that either you haven’t set the environment variables DROID_ROOT & DROID_TARGET correctly
or the lib directory is missing in /home/yourHomeDir/mydroid/out/target/product/generic/obj/
The config.log shows that:

configure:4417: droid-gcc -O2 -pedantic -fomit-frame-pointer  conftest.c >&5
arm-eabi-gcc: /home/yourHomeDir/mydroid/out/target/product/generic/obj/lib/crtbegin_dynamic.o: No such file or directory
arm-eabi-gcc: /home/yourHomeDir/mydroid/out/target/product/generic/obj/lib/crtend_android.o: No such file or directory

You can search for the particular file in your Android source directory as:

$ find /home/yourHomeDir/mydroid/ -name crtbegin_dynamic.o
(copy the specific library folder that contain the file to /home/yourHomeDir/mydroid/out/target/product/generic/obj/ and re-run the command)

Sohail Khan is a PhD candidate at Malaysian Institute of Information Technology, University Kuala Lumpur, Malaysia. His research interests include information security and open source mobile platform. His recent research focuses on secure & trusted applications for mobile platforms to leverage Trusted Computing technologies for enhancing the trustworthiness of these platforms. He has a Masters in Information Technology and can be reached at sohail (dot) khan67 (at) gmail (dot) com.

Leave a comment


  1. This is cool Sohail. I’ll be following. I am sorry that I could not attend to IMA problem as my laptop fan is broken and it cannot resist the compilation heat :)

    Whats Nauman’s research topic for PHD? I’d like to stay in touch for synergistic reasons. Jawad Manzoor is also working on TC for VMs but hypervisors. Stay in touch with him.

    Take care.

  2. A.A. Shaz. Good to see you here.

    Sohail did this on his own so this is a pretty good effort — and it’s a pretty stable set of instructions. So, I guess these will be helpful to anyone interested in this stuff.

    Nauman is still working on security ;) Will discuss more soon inshaallah.

    I talked to Jawad as well. I’m not sure if TC is his “area of research”. I got the impression that it was a presentation or exploration session at best. Let’s see. If he’s interested, it would be really good. He’s a very bright kid.

  3. Thank you for this tutorial it has been very helpful to me.

    I need some further help now, I hope you can advise me.

    I followed succesfully step by step but when I want to try commands such as tpm_takeownership or tpm_readpcrs, I have got the following error:
    Tspi_Context_Connect failed: 0x00003011 - layer=tsp, code=0011 (17), Communication failure.
    Using the command su before does not change anything.

    Do you have any idea, where the problem is?

  4. @Moaz The problem might be because either the modprobe isn’t done or the tcsd daemon isn’t started. Can you check that and comment again?

  5. @sohail
    Thank you for your answer.

    I do not really know at which step I should check the modprobe. Can you give me some details about it ?

    As for the tcsd daemon, I just followed the steps in your tuto: removed the tpmd socket, started tpmd and tcsd.
    Running tcsd -f, I got the following error:
    TCSD ERROR: Setting thread signal mask: Invalid argument
    TCSD Config file /data/tcsd.conf not found, using defaults.
    TCSD TDDL ERROR: Could not find a device to open!

  6. @Moaz I checked it and the problem seems to be of tcsd not running. On the TPM emulator mailing list, you can find that there is a bug in some files of tcsd configuration. Don’t worry, you will soon find updates about this problem here.

  7. OK I see. When you wrote this tutorial, did not you face this problem ?
    I have the same problem as mentioned in the link you provided.
    I will try to repeat the tuto from the beginning and I keep you posted.

  8. I guess I should find the tpm in /dev/tpm0 when I run ls in the adb shell but I cannot see it.

  9. You can find /dev/tpm when you ls in the adb shell. A quick-fix for the tcsd to run is that create the directories /data/lib/tpm. Since the /data directory is already created you will have to create the other two one-by-one as the -p option with mkdir will not work :)
    Then run the tcsd command. if you run it with -f option it will show result like:

    # tcsd -f
    TCSD ERROR: Setting thread signal mask: Invalid argument
    TCSD Config file /data/tcsd.conf not found, using defaults.
    TCSD resetting mode of /data/lib/tpm from 40777 to: 700
    TCSD trousers 0.3.4cvs: TCSD up and running.

    If you are unable to execute any command after the above then exit from the current location (ctrl+X) and run the tscd without -f option.

    You can run the take_ownership command and it will result in:

    # tpm_takeownership
    Enter owner password: ownerpass
    Confirm password: ownerpass
    Enter SRK password: srkpass
    Confirm password: srkpass

    You can execute the # tpm_readpcrs and see what’s the result. If you get the “Segmentation fault” then let us know so that we can remove that error as well.

  10. AA,

    I am following your tutorial but could’nt find patches on the link you given. Although, I downloaded these from another link but when I apply ‘mydroid.patch’ to android source it fails.

    Hunk #1 FAILED at 6.
    Hunk #2 succeeded at 124 with fuzz 2 (offset 38 lines).
    Hunk #3 succeeded at 285 with fuzz 1 (offset 52 lines).
    Hunk #4 succeeded at 434 (offset 63 lines).
    1 out of 4 hunks FAILED — saving rejects to file system/core/rootdir/init.rc.rej

    Why its happening? If you can guide me.
    Thanks in advance.


  11. WS Luqman,

    Glad to see you here. I think you are still working with Sir Qasim Rajpoot. You can download the patches from the link now and it will work fine.

  12. AA,

    Thanks for your response. I downloaded the respective patches from the given link. But seems there is some problem in archive and it can’t be extracted.

  13. Thank you sohail for your last answer to me.
    I finally succeeded in using tpmd and tcsd.

    However I am facing another problem: I am using TrouSerS fonctions Tspi_TPM_CollateIdentityRequest(arguments) and Tspi_TPM_GetPubEndorsementKey(hTPM, TRUE, NULL, &hPubEK). They output the same error: TPM_E_AUTHFAIL.

    It seems that it comes from the TPM OWNER SECRET because if I change the boolean argument in Tspi_TPM_GetPubEndorsementKey to FALSE, I don’t get the error: Do you have some hints to give me to solve this issue?
    I took the ownership of the TPM of course.

    Thanks in advance.

  14. It seems that the ownership key isn’t correct or may be a hash is required which isn’t provided. Paste your code somewhere (i.e., ) and send the link in reply to this comment. We will take a look at it and will reply accordingly.

  15. @Luqman WS,

    The problem is now fixed, you can check it.

  16. Hello. I’m following the steps to use TPM functions (TPM_Extend, TPM_Quote). Thanks a lot for your work.
    But there is a problem. I tried to run tpm_readpcrs on ADB Shell and got the “Segmentation fault”. How can I remove that error?

  17. AoA.

    Thanks for your guidance. I have followed steps given in this tutorial.
    tpm_takeownership command works fine but tpm_readpcrs throw segmentation fault. It throws following two types of error messages.

    # tpm_readpcrs
    [1] + Stopped (signal) tpm_readpcrs
    [2] Segmentation fault tpm_readpcrs

    and sometimes.
    # tpm_readpcrs
    [1] Segmentation fault tpm_readpcrs

    Please guide me how to remove this error messages.?

  18. Thanks for your guidance.Now I want to write an android project which will utilize tpm.Can I simply use TrouSers ported on Android? But TrouSers is written in C,while android project is written in java. Please guide me on how to do this? Thank you very much.

  19. Hi all
    Thank you very much for this tutorial
    I hope you can help me with my questions as I am a pure newbie.
    I know what IMA is about and I played with it on my Fedora distribution recently. However, this was without a TPM enabled. I was wondering if this tutorial was valid for Fedora (1) and if it is mandatory to enable the tpm driver or can I just skip it if all what i want to get is a runtime display of the measurement list (2)
    Thank you very much in advance

  20. We haven’t tried it on Fedora yet. You can try it and skip the “TPM driver” step and see whether it works or not.

  21. Thank you for your reply
    also what do you mean please by set the prefix correctly i get errors saying i don’t have a working compiler can you please help me

  22. Also it does not recognize the emulator command Can you please help me out
    thank you in advance

  23. I tried it and I could get the runtime list without the TPM driver. Thank you for your time

    Also, I would like to ask you whether the IMA patch can work on newer versions of Android such as Ice cream sandwich. If not, is there anything I can do to make it work?
    Thank you very much

  24. Hi!
    Your posting is very helpful to me. I really appreciate your kindness and consideration.

    Well, I have a few questions to you.

    1. Are Your patch files applicabe to ICS version and also goldfish version (higher than 2.6.29)?

    2. If not, how do I do?

    3. Could you please explain about your patch files in detail? I really know about that.

    I’m waiting for your reply!!

    Thank you very much.

  25. Tip!!

    When you input # tpm_readpcrs command,
    pcr index number is needed!!

    Actually, # tpm_readpcrs 0 (or 1… 15)
    And also, # tpm_extendpcrs needs pcr index number and input value.

    For example, # tpm_readpcrs 0 1111

    Try again!!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="">