Take ownership of a TPM
The Trusted Platform Module (TPM) is a hardware-based root of trust that enhances device security. TrustEdge supports the TPM 2.0 standard and uses it to securely manage keys, policies, and other critical cryptographic operations. In this tutorial, you’ll learn how to initialize, provision, and configure a TPM using TrustEdge TPM2 tools.
Overview
To use a TPM with TrustEdge, you must:
Clear the module of any existing keys or data.
Take ownership of the TPM and provision it for use with TrustEdge.
Configure module identifiers for TrustEdge.
Before you begin
Make sure you have the following:
TrustEdge TPM2 tools saved to your device. Make sure to download the tools specific to your device’s architecture.
Tip
If you’re unsure about your CPU architecture, you can check it with the uname -m command.
Administrator (root) privileges on your device.
Compatible TPM 2.0 as defined by the Trusted Computing Group.
Important
Considerations: These steps were performed on a Debian-based Linux distribution running on an ARM64 Raspberry Pi device with an Infineon OPTIGA SLB9670 TPM 2.0 module. While the instructions should work for other setups, some commands or steps may require adjustments based on your hardware or operating system.
Extract TrustEdge TPM2 tools to your working directory.
unzip tpm2_tools-<cpu>-<version>.zip
When extracted, you will have the following scripts and binaries for managing the TPM.
.
├── bin
│   ├── digicert_tpm2_provision
│   ├── digicert_tpm2_takeownership
│   └── smp_tpm2_getidstr_bin
├── conf
│   └── tap
│       └── tpm2
│           ├── tpm2_prov.conf
│           └── tpm2_prov.conf.tmpl
├── provision_tpm2.sh
├── reset_tpm2.sh
└── scripts
    └── tap
        └── tpm2
            ├── tpm2_provision_linux.sh
            └── tpm2_reset_linux.sh
Important
Always clear a TPM before provisioning to avoid potential security risks from leftover data.
Before using TrustEdge with the TPM, you first need to clear the module. To do this, use the reset_tpm2.sh script, which resets the TPM to a clean state and removes any previously stored keys or data.
sudo ./reset_tpm2.sh
Notice
What happens when you run this script? The script internally invokes digicert_tpm2_takeownership to reset the TPM. All existing keys, policies, and configurations are wiped, ensuring no conflicts with previous ownership.
After clearing the TPM, the next step is to take ownership and provision it for use with TrustEdge. This is done using the provision_tpm2.sh script.
sudo ./provision_tpm2.sh
Notice
What happens when you run this script? The script sets the TPM owner, endorsement, and lockout passwords. These passwords are used to control access to the TPM and its features. It then configures the TPM for TrustEdge by creating necessary keys and establishing a secure environment.
It’s highly recommended to use provision_tpm2.sh rather than invoking digicert_tpm2_takeownership and digicert_tpm2_provision directly, both to avoid configuration errors and to save steps.
Once the TPM is provisioned, you need to set the correct moduleidstr module identifier so that TrustEdge recognizes the TPM. Use the included smp_tpm2_getidstr_bin binary to do this.
sudo ./bin/smp_tpm2_getidstr_bin --w
Notice
What happens when you run this command? This command writes the module identifier string (moduleidstr) to the TPM, which links it to TrustEdge’s security framework.
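The three steps on this page wrapped in one script with preflight checks, as an added example that is not part of the TrustEdge tools: it verifies root, the extracted tool layout and the presence of a TPM device node before running reset, provision and the moduleidstr write in order, stopping at the first failure so a half-provisioned module is never silently left behind. It assumes the tools were unzipped into TOOLS_DIR with the layout shown earlier on this page and that Linux exposes the TPM as /dev/tpm0 or /dev/tpmrm0.

```shell
#!/bin/sh
# Added example wrapper (not DigiCert's code). Assumes the TrustEdge TPM2 tools
# were unzipped into TOOLS_DIR and the kernel TPM driver is loaded.
set -eu

TOOLS_DIR="${TOOLS_DIR:-.}"

# Files from the extracted layout that the three steps depend on.
REQUIRED_FILES="bin/digicert_tpm2_provision bin/digicert_tpm2_takeownership bin/smp_tpm2_getidstr_bin conf/tap/tpm2/tpm2_prov.conf provision_tpm2.sh reset_tpm2.sh"

# Return 0 if every required file exists under $1; otherwise report each
# missing file on stderr and return 1.
check_tools_layout() {
    dir="$1"; missing=0
    for f in $REQUIRED_FILES; do
        if [ ! -e "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Return 0 if a TPM character device is present (raw node or the in-kernel
# resource manager node), else 1.
check_tpm_device() {
    [ -c /dev/tpm0 ] || [ -c /dev/tpmrm0 ]
}

# Clear, provision, then write the moduleidstr; abort on the first failure.
take_ownership() {
    dir="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
    check_tools_layout "$dir" || return 1
    check_tpm_device || { echo "no TPM device node found" >&2; return 1; }
    ( cd "$dir" &&
      ./reset_tpm2.sh &&                  # step 1: wipe leftover keys and data
      ./provision_tpm2.sh &&              # step 2: set owner/endorsement/lockout auths, create keys
      ./bin/smp_tpm2_getidstr_bin --w )   # step 3: write the module identifier string
}

# Run the procedure only when invoked as "sh take_ownership.sh run";
# sourcing the file without the argument just defines the functions.
if [ "${1:-}" = "run" ]; then
    take_ownership "$TOOLS_DIR"
fi
```

Run it as `sudo TOOLS_DIR=./tpm2_tools sh take_ownership.sh run`; a missing tool file or device node is reported before anything on the TPM is touched.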
You’ve successfully taken ownership of your TPM, provisioned it for TrustEdge, and configured it for secure operation. Your device is now ready to use the enhanced security features provided by the TPM, such as secure key storage and policy management.