Unlocking your key at startup

Finally, we need to automate this process. When the BBB boots, we want it to collect the code, extend the PCR, and unwrap the GPG keys so that they are ready to use. We'll make an init.d script that will handle this, but we still need to deal with the GPG key. We don't want an unwrapped GPG key lying around the disk, even if it is protected with a password. Instead, we'll keep the GPG keys on a ramfs, which will never touch persistent storage.

To create the ramfs, add the following to /etc/fstab:

ramfs    /mnt/ramdisk ramfs nodev,nosuid,noexec,nodiratime,size=1M,uid=1000,gid=1002   0 0

Be sure to replace the uid and gid with the appropriate values for your user. These can be obtained by running the id command. Either reboot or run mount -a to reload the fstab. Since GPG expects the secret keyring to live in ~/.gnupg/secring.gpg, we'll create a link from there to the ramdisk. Create the following symlink:

ln -s /mnt/ramdisk/secring.gpg ~/.gnupg/secring.gpg

Now, we want a script to run on boot. In the beagle-bone-for-secret-agents/ch4 repository, there is a script, tpm_gpg, which you can copy to /etc/init.d/. This script expects getgpgpin to live in /usr/local/bin and your secring.gpg to be in the normal place. Edit as desired. To register this script, run as root:

update-rc.d tpm_gpg defaults

With the script in place, the ramdisk set to mount at boot, the ATmega programmed to collect the code, and the hardware attached, reboot one more time. Watch for the CryptoCape LED to turn on, enter your PIN, and then log back in to the BBB. If your GPG key is in /mnt/ramdisk, congratulations, you have just used your TPM to protect your GPG key! Because of the symlink, all GPG-related programs will use the keys just as usual. If the key is not there, recompile keypad.c with debug set to 1 to make sure everything is working.
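If the ramfs mount fails at boot, /mnt/ramdisk is only a directory on the root filesystem, and anything written there lands on persistent storage. The following check is an added example, not part of the book's repository or the tpm_gpg script; the function names fs_type_of and check_keyring are made up for illustration, and it assumes the paths used above.

```shell
#!/bin/sh
# Added example: confirm the unwrapped keyring lives on the ramfs and that
# ~/.gnupg/secring.gpg is only a symlink into it.

# fs_type_of MOUNTPOINT [MOUNTS_FILE]
# Prints the filesystem type of the last entry mounted exactly at MOUNTPOINT
# (a later mount shadows earlier ones on the same directory).
fs_type_of() {
    awk -v mp="$1" '$2 == mp { t = $3 } END { if (t != "") print t }' \
        "${2:-/proc/mounts}"
}

# check_keyring LINK RAMDISK [MOUNTS_FILE]
# Returns 0 only if RAMDISK is a ramfs mount and LINK is a symlink into it.
# Returns 1 (wrong or missing mount), 2 (not a symlink), 3 (points elsewhere).
check_keyring() {
    link=$1; ramdisk=$2; mounts=${3:-/proc/mounts}

    fstype=$(fs_type_of "$ramdisk" "$mounts")
    if [ "$fstype" != "ramfs" ]; then
        echo "FAIL: $ramdisk is '${fstype:-not mounted}', expected ramfs" >&2
        return 1
    fi
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symlink; a keyring may be on disk" >&2
        return 2
    fi
    target=$(readlink "$link")
    case $target in
        "$ramdisk"/*) ;;
        *) echo "FAIL: $link points to $target, outside $ramdisk" >&2
           return 3 ;;
    esac
    echo "OK: $link -> $target on ramfs"
    return 0
}

# Check the paths used in this section only when asked to:
#   sh check_keyring.sh --run
if [ "${1:-}" = "--run" ]; then
    check_keyring "$HOME/.gnupg/secring.gpg" /mnt/ramdisk
fi
```

A non-zero exit status means the key should not be unwrapped until the mount or the symlink is fixed.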

Note

While the ramfs is meant to ensure that the GPG key, which is still protected by a password, is destroyed when power is lost, researchers have recovered keys from RAM in the past. For more on cold boot attacks, refer to https://citp.princeton.edu/research/memory/.
