Take ownership of a TPM
3 minute read
The Trusted Platform Module (TPM) is a hardware-based root of trust that enhances device security. TrustEdge supports the TPM 2.0 standard and uses it to securely manage keys, policies, and other critical cryptographic operations. In this tutorial, you’ll learn how to initialize, provision, and configure a TPM using TrustEdge TPM2 tools.
Before you begin
TPM2 tools saved to your device. Make sure to download the tools specific to your device’s architecture.
Tip
If you’re unsure about your CPU architecture, you can check it with the <code>uname -m</code> command.
sudo (root) privileges on your device is needed.Important
Considerations: These steps were performed on a Debian-based Linux distribution running on an ARM64 Raspberry Pi device with an Infineon OPTIGA SLB9670 TPM 2.0 module. While the instructions should work for other setups, some commands or steps may require adjustments based on your hardware or operating system.Overview
To use a TPM with TrustEdge, you must:
- Clear the module of any existing keys or data.
- Take ownership of the TPM and provision it for use with TrustEdge.
- Configure module identifiers for TrustEdge.
Step 1: Unzip TrustEdge TPM2 tools
Extract TrustEdge TPM2 tools to your working directory.
unzip tpm2_tools-<cpu>-<version>.zip
When extracted, you will have the following scripts and binaries for managing the TPM.
.
├── bin
│ ├── digicert_tpm2_provision
│ ├── digicert_tpm2_takeownership
│ └── smp_tpm2_getidstr_bin
├── conf
│ └── tap
│ └── tpm2
│ ├── tpm2_prov.conf
│ └── tpm2_prov.conf.tmpl
├── provision_tpm2.sh
├── reset_tpm2.sh
└── scripts
└── tap
└── tpm2
├── tpm2_provision_linux.sh
└── tpm2_reset_linux.sh
Step 2: Clear the TPM
Important
Always clear a TPM before provisioning to avoid potential security risks from leftover data.Before using TrustEdge with the TPM, you first need to clear the module. To do this, use the reset_tpm2.sh script, which resets the TPM to a clean state and removes any previously stored keys or data.
sudo ./reset_tpm2.sh
Note
What happens when you run this script? The script internally invokesdigicert_tpm2_takeownership to reset the TPM. All existing keys, policies, and configurations are wiped, ensuring no conflicts with previous ownership.Step 3: Take ownership and provision the TPM
After clearing the TPM, the next step is to take ownership and provision it for use with TrustEdge. This is done using the provision_tpm2.sh script.
sudo ./provision_tpm2.sh
Note
What happens when you run this script? The script sets the TPM owner, endorsement, and lockout passwords. These passwords are used to control access to the TPM and its features. It then configures the TPM for TrustEdge by creating necessary keys and establishing a secure environment.
It’s highly recommended to use provision_tpm2.sh instead of directly invoking digicert_tpm2_takeownership and digicert_tpm2_provision to avoid configuration errors and for efficiency.
Step 4: Configure the TPM module identifier
Once the TPM is provisioned, you need to set the correct moduleidstr module identifier to ensure the TPM is recognized by TrustEdge. Use the included smp_tpm2_getidstr_bin binary tool to do this.
sudo ./bin/smp_tpm2_getidstr_bin --w
Note
What happens when you run this command? This command writes the module identifier string (moduleidstr) to the TPM, which links it to TrustEdge’s security framework.You’ve successfully taken ownership of your TPM, provisioned it for TrustEdge, and configured it for secure operation. Your device is now ready to use the enhanced security features provided by the TPM, such as secure key storage and policy management.