Trusted Platform Module/1.2
TPM 1.2 uses the "TrouSerS" TSS (TCG software stack) by IBM, which is packaged as trousers (AUR), which provides tcsd, and tpm-tools (AUR), which provides the userspace tools. All software accesses the TPM through the tcsd daemon.
Drivers
TPM drivers are natively supported in modern kernels, but might need to be loaded:
# modprobe tpm
Depending on your chipset, you might also need to load one of the following:
# modprobe -a tpm_{atmel,infineon,nsc,tis,crb}
Usage
TPM 1.2 is managed by tcsd, a userspace daemon that manages Trusted Computing resources and should be (according to the TSS spec) the only portal to the TPM device driver. tcsd is part of the trousers (AUR) package, which was created and released by IBM, and can be configured via /etc/tcsd.conf.
To start tcsd and watch the output, run:
# tcsd -f
or simply start and enable tcsd.service.
Once tcsd is running you might also want to install tpm-tools (AUR), which provides many of the command line tools for managing the TPM.
Some other tools of interest:
- tpmmanager — A Qt front-end to tpm-tools
- opencryptoki — A PKCS#11 implementation for Linux. It includes drivers and libraries to enable IBM cryptographic hardware as well as a software token for testing.
Basics
Start off by getting basic version info:
$ tpm_version
and running a selftest:
$ tpm_selftest -l info
TPM Test Results: 00000000 ...
tpm_selftest succeeded
Securing SSH keys
There are several methods to use the TPM to secure keys, but here we show a simple method based on simple-tpm-pk11-git (AUR).
First, create a new directory and generate the key:
$ mkdir ~/.simple-tpm-pk11
$ stpm-keygen -o ~/.simple-tpm-pk11/my.key
Point the configuration to the key:
~/.simple-tpm-pk11/config
key my.key
Now configure SSH to use the right PKCS11 provider:
~/.ssh/config
Host *
    PKCS11Provider /usr/lib/libsimple-tpm-pk11.so
It is now possible to generate keys with the PKCS11 provider:
$ ssh-keygen -D /usr/lib/libsimple-tpm-pk11.so
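The steps above as an idempotent script that also tightens file permissions and leaves an existing PKCS11Provider setting alone. This is an added example, not part of simple-tpm-pk11 or of the original page; the function names and the optional home-directory argument are assumptions, while the paths and the key name my.key come from the page.

```shell
#!/bin/sh
# Added example: repeatable version of the manual steps above.
# Function names and the optional base-directory argument are assumptions.
PROVIDER=/usr/lib/libsimple-tpm-pk11.so

# Create ~/.simple-tpm-pk11 (mode 700), the key if missing, and the config.
setup_stpm_dir() {
    base=${1:-$HOME}
    dir=$base/.simple-tpm-pk11
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    if [ ! -e "$dir/my.key" ]; then
        if command -v stpm-keygen >/dev/null 2>&1; then
            # Needs a running tcsd; never overwrites an existing key.
            stpm-keygen -o "$dir/my.key" || return 1
        else
            echo "stpm-keygen not found; key not generated" >&2
        fi
    fi
    printf 'key my.key\n' > "$dir/config"
}

# Append the "Host *" stanza to ~/.ssh/config unless a provider is already set.
setup_ssh_config() {
    base=${1:-$HOME}
    cfg=$base/.ssh/config
    mkdir -p "$base/.ssh" && chmod 700 "$base/.ssh" || return 1
    touch "$cfg" && chmod 600 "$cfg" || return 1
    if grep -Eiq '^[[:space:]]*PKCS11Provider[[:space:]=]' "$cfg"; then
        return 0    # keep whatever provider the user configured
    fi
    # If the file lacks a trailing newline, add one so "Host *" starts a line.
    if [ -s "$cfg" ] && [ -n "$(tail -c1 "$cfg")" ]; then
        echo >> "$cfg"
    fi
    printf 'Host *\n    PKCS11Provider %s\n' "$PROVIDER" >> "$cfg"
}
```

Source the file and call setup_stpm_dir and setup_ssh_config with no argument to act on $HOME.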
Troubleshooting
tcsd.service failed to start
After installing trousers (AUR), tcsd.service may not start correctly due to permission issues.[1] It is possible to fix this either by rebooting or by triggering the udev rule that is included in the trousers (AUR) package:
# udevadm control --reload-rules
# udevadm trigger