Take ownership of a TPM

3 minute read

The Trusted Platform Module (TPM) is a hardware-based root of trust that enhances device security. TrustEdge supports the TPM 2.0 standard and uses it to securely manage keys, policies, and other critical cryptographic operations. In this tutorial, you’ll learn how to initialize, provision, and configure a TPM using TrustEdge TPM2 tools.

Before you begin

TrustEdge must be installed on a supported device.

TPM2 tools saved to your device. Make sure to download the tools specific to your device’s architecture.

If you’re unsure about your CPU architecture, you can check it with the uname -m command.

sudo (root) privileges on your device is needed.

Compatible TPM 2.0 as defined by Trusted Computing Group.

Considerations: These steps were performed on a Debian-based Linux distribution running on an ARM64 Raspberry Pi device with an Infineon OPTIGA SLB9670 TPM 2.0 module. While the instructions should work for other setups, some commands or steps may require adjustments based on your hardware or operating system.

Overview

To use a TPM with TrustEdge, you must:

Clear the module of any existing keys or data.
Take ownership of the TPM and provision it for use with TrustEdge.
Configure module identifiers for TrustEdge.

Step 1: Unzip TrustEdge TPM2 tools

Extract TrustEdge TPM2 tools to your working directory.

unzip tpm2_tools-<cpu>-<version>.zip

When extracted, you will have the following scripts and binaries for managing the TPM.

.
├── bin
│   ├── digicert_tpm2_provision
│   ├── digicert_tpm2_takeownership
│   └── smp_tpm2_getidstr_bin
├── conf
│   └── tap
│       └── tpm2
│           ├── tpm2_prov.conf
│           └── tpm2_prov.conf.tmpl
├── provision_tpm2.sh
├── reset_tpm2.sh
└── scripts
    └── tap
        └── tpm2
            ├── tpm2_provision_linux.sh
            └── tpm2_reset_linux.sh

Step 2: Clear the TPM

Always clear a TPM before provisioning to avoid potential security risks from leftover data.

Before using TrustEdge with the TPM, you first need to clear the module. To do this, use the reset_tpm2.sh script, which resets the TPM to a clean state and removes any previously stored keys or data.

sudo ./reset_tpm2.sh

What happens when you run this script? The script internally invokes digicert_tpm2_takeownership to reset the TPM. All existing keys, policies, and configurations are wiped, ensuring no conflicts with previous ownership.

Step 3: Take ownership and provision the TPM

After clearing the TPM, the next step is to take ownership and provision it for use with TrustEdge. This is done using the provision_tpm2.sh script.

sudo ./provision_tpm2.sh

What happens when you run this script? The script sets the TPM owner, endorsement, and lockout passwords. These passwords are used to control access to the TPM and its features. It then configures the TPM for TrustEdge by creating necessary keys and establishing a secure environment.

It’s highly recommended to use provision_tpm2.sh instead of directly invoking digicert_tpm2_takeownership and digicert_tpm2_provision to avoid configuration errors and for efficiency.

Step 4: Configure the TPM module identifier

Once the TPM is provisioned, you need to set the correct moduleidstr module identifier to ensure the TPM is recognized by TrustEdge. Use the included smp_tpm2_getidstr_bin binary tool to do this.

sudo ./bin/smp_tpm2_getidstr_bin --w

What happens when you run this command? This command writes the module identifier string (moduleidstr) to the TPM, which links it to TrustEdge’s security framework.

You’ve successfully taken ownership of your TPM, provisioned it for TrustEdge, and configured it for secure operation. Your device is now ready to use the enhanced security features provided by the TPM, such as secure key storage and policy management.

Was this page helpful?

Provide feedback