I was wondering if someone has ideas about integrating the TPM with
Recently I started looking into supporting Secure Device Connection
Protocol (SDCP, ) in libfprint. The general idea is to verify that
the fingerprint reader can be trusted, but I initially also imagined
that further use-cases like unsealing data in a TPM may be possible
(e.g. to retrieve disk encryption keys).
However, looking into it more, my current conclusion is that there is
little to no advantage in using the TPM. At least not unless one also has
a trusted (userspace) program which is capable of signing TPM
authorizations. One could easily offload the required parts into a
small helper, but that may require ensuring it runs in a trusted
Microsoft seems to run relevant parts as trustlets that are walled off
from the rest of the system. That seems sensible to me, but it also
means requiring all the infrastructure for execution and signing and I
doubt that is feasible currently.
Right now I'll probably go the way of not using the TPM at all. But I
am really not an expert for this. So should someone see scenarios where
a TPM is actually helpful in this context, then I would like to hear
PS: A quick summary of how SDCP works:
* Device has a private ECC key that signs the firmware and ephemeral
keys during boot (and is inaccessible afterwards)
* A certificate proves that this key was provisioned in the factory
* Device builds a shared secret with the host (s)
* Device sends id, HMAC_SHA256(s, "identify" || nonce || id)
when the finger "id" was presented.
* The HMAC proves knowledge of the shared secret and authorizes the
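The identify step from the summary above, as an added example that is not part of the original post or of libfprint. It follows the post's description literally (a device-side HMAC_SHA256 keyed with the shared secret s over "identify" || nonce || id, checked by the host), not the full SDCP specification; the shared secret is a constructed constant standing in for the result of the key agreement, which is outside the example, and the device and host classes are hypothetical names. It also shows the three failures the MAC is there to catch: a replayed reply, a finger id swapped in transit, and a device that never agreed on s.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the shared secret s that the device and host
# agree on during the device's attested boot (the key agreement itself is
# not shown here; this is just a fixed value so the example runs offline).
SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

IDENTIFY_LABEL = b"identify"


def identify_mac(secret: bytes, nonce: bytes, finger_id: bytes) -> bytes:
    """HMAC_SHA256(s, "identify" || nonce || id), as in the post's summary."""
    return hmac.new(secret, IDENTIFY_LABEL + nonce + finger_id, hashlib.sha256).digest()


def device_identify(secret: bytes, nonce: bytes, finger_id: bytes) -> Tuple[bytes, bytes]:
    """Device side: report the matched finger id together with the MAC that
    binds it to the host's nonce. The device only knows s if it went
    through the attested boot, so an untrusted device cannot produce this."""
    return finger_id, identify_mac(secret, nonce, finger_id)


class Host:
    """Host side (hypothetical class): issue one fresh nonce per identify
    request and accept only a reply whose MAC binds that exact nonce."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Optional[bytes] = None

    def request_identify(self) -> bytes:
        # A new random nonce for every request; the previous one is discarded.
        self._pending = secrets.token_bytes(32)
        return self._pending

    def verify_identify(self, finger_id: bytes, mac: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding request: stale or unsolicited reply
        nonce, self._pending = self._pending, None  # nonce is single-use
        expected = identify_mac(self._secret, nonce, finger_id)
        # Constant-time comparison so the check does not leak the MAC bytes.
        return hmac.compare_digest(expected, mac)


def run_honest() -> bool:
    """Trusted device answers the host's current request: accepted."""
    host = Host(SHARED_SECRET)
    nonce = host.request_identify()
    finger_id, mac = device_identify(SHARED_SECRET, nonce, b"\x01")
    return host.verify_identify(finger_id, mac)


def run_replay() -> bool:
    """A captured (id, mac) pair replayed against a later request: rejected,
    because the host's new nonce is not what the old MAC covers."""
    host = Host(SHARED_SECRET)
    nonce = host.request_identify()
    finger_id, mac = device_identify(SHARED_SECRET, nonce, b"\x01")
    if not host.verify_identify(finger_id, mac):
        raise RuntimeError("first exchange should succeed")
    host.request_identify()
    return host.verify_identify(finger_id, mac)


def run_tampered_id() -> bool:
    """Finger id swapped on the wire (e.g. by something between the device
    and the host): rejected, since the MAC also covers the id."""
    host = Host(SHARED_SECRET)
    nonce = host.request_identify()
    _, mac = device_identify(SHARED_SECRET, nonce, b"\x01")
    return host.verify_identify(b"\x02", mac)


def run_untrusted_device() -> bool:
    """A device that never agreed on s (e.g. a spoofed reader) cannot
    produce a valid MAC: rejected."""
    host = Host(SHARED_SECRET)
    nonce = host.request_identify()
    finger_id, mac = device_identify(os.urandom(32), nonce, b"\x01")
    return host.verify_identify(finger_id, mac)


if __name__ == "__main__":
    print("honest:", run_honest())
    print("replay:", run_replay())
    print("tampered id:", run_tampered_id())
    print("untrusted device:", run_untrusted_device())
```

The point the post makes still holds in this model: the host only learns that the reader that holds s saw finger "id" for this nonce; nothing here produces a signed TPM authorization, so unsealing TPM data would need a trusted host-side component on top of this check.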
I am working for Collabora on a list of patches in the Chromeos kernel.
I want to check if I can upstream those patches to the mainline kernel.
There is one patch  to ignore the case that the 'selftest' command failed
when adding the '/dev/tpm' device. The idea is that userspace could still interact with the
device to some extent even if it fails.
I was wondering how to test such a case.
I thought that I can test it with a tpm emulator and change the emulator code
to fail on 'selftest'.
I am new to TPM and still know little about it so I thought maybe
some of the people here have better ideas?
Thanks a lot,
I had some problems getting the Endorsement Key Certificate on a server using a TPM 2.0 Infineon SLB 9670.
Version of the TPM2 Tools are 4.3 tagged release, compiled from source.
The TPM seems to have the cert in the expected handle (0x1C00002 RSA, 0x1C0000a ECC)
$ tpm2_getcap handles-nv-index
I initially tried to get that with the tpm2_getekcertificate, but when I run the tool, it returns an exit code 0, and a string saying that the cert could not be found
$ tpm2_createek -G rsa -u ek.pub -c key.ctx
$ tpm2_getekcertificate -u ek.pub
Certificate not found
$ echo $?
Then, I executed the tool with --verbose mode, and I saw that is trying to pull the cert from ekop.intel.com.
I could not find the url for Infineon.
Later, I found this post https://www.infineonforums.com/threads/6044-Optiga-Endorsement-Credential...
and I could use that to retrieve the cert from the handle:
$ tpm2_nvread 0x1c00002 > nvread.1c00002.crt
$ tpm2_nvread 0x1c0000a > nvread.1c0000a.crt
So, a couple of questions and comments:
1. I noticed that the latest master tpm2_getekcertificate man page specifies that it will fetch the cert from the nvindex now. So, with the next release, getting the nvindex cert with tpm2_getekcertificate should work right? Also, is this version returning non 0 exit code if the cert was not found?
2. Does Infineon provide a server for fetching the EK Cert? Having that service is important if you are doing bulk operations over several servers.
It took some time to get this figured out for us, so I think any help future users can get in the UX of using these tools is valuable!
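A check to run on the bytes that tpm2_nvread returns, as an added example that is not part of the original post or of tpm2-tools. It assumes (this is an assumption about the NV index layout, not something the post states) that the index can be larger than the DER certificate stored in it, so the dump may carry trailing padding that an X.509 parser will reject, and that an index holding no certificate reads back as empty or as padding only. The function parses just the outer DER SEQUENCE header to find the certificate's true length, trims the rest, and fails with a non-zero exit when there is no certificate, which is the behaviour the post wanted from the tool.

```python
import sys


def der_tlv_length(buf: bytes) -> int:
    """Total length (tag + length bytes + content) of the outer DER element.
    Only the SEQUENCE header is parsed; the body is left to a real X.509
    parser. Raises ValueError if buf does not start with a DER SEQUENCE."""
    if len(buf) < 2:
        raise ValueError("buffer too short for a DER header")
    if buf[0] != 0x30:
        raise ValueError("expected DER SEQUENCE (0x30), got 0x%02x" % buf[0])
    first = buf[1]
    if first < 0x80:  # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F  # long form: number of following length bytes
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding 0x%02x" % first)
    if len(buf) < 2 + n:
        raise ValueError("truncated DER length field")
    content_len = int.from_bytes(buf[2:2 + n], "big")
    return 2 + n + content_len


def extract_ek_cert(nv_blob: bytes) -> bytes:
    """Return the certificate bytes from an NV index dump, with any padding
    after the DER element removed. Raises ValueError when the index holds
    no certificate or the DER header disagrees with the dump size."""
    # Assumption: an unprovisioned index reads back empty or as 0x00/0xFF filler.
    if not nv_blob or all(b in (0x00, 0xFF) for b in nv_blob):
        raise ValueError("NV index holds no certificate (empty or padding only)")
    total = der_tlv_length(nv_blob)
    if total > len(nv_blob):
        raise ValueError("DER header claims %d bytes but only %d were read"
                         % (total, len(nv_blob)))
    trailing = nv_blob[total:]
    if any(b not in (0x00, 0xFF) for b in trailing):
        # Non-filler bytes after the certificate: not the layout we assumed,
        # so refuse rather than silently hand back a truncated object.
        raise ValueError("unexpected non-padding data after the certificate")
    return nv_blob[:total]


def constructed_nv_blob(content_len: int = 256, padding: int = 20) -> bytes:
    """Constructed sample input: a long-form DER SEQUENCE header, filler
    content (not a real certificate), then 0xFF padding as an NV dump might."""
    header = b"\x30\x82" + content_len.to_bytes(2, "big")
    return header + b"\x01" * content_len + b"\xff" * padding


if __name__ == "__main__":
    # Usage: tpm2_nvread 0x1c00002 | python3 ek_cert_trim.py > ek.der
    try:
        sys.stdout.buffer.write(extract_ek_cert(sys.stdin.buffer.read()))
    except ValueError as exc:
        print("ek_cert_trim: %s" % exc, file=sys.stderr)
        sys.exit(1)
```

The trimmed output can then be checked with `openssl x509 -inform DER -in ek.der -noout -subject -issuer`; if the DER header is intact but openssl still rejects the file, the index contents are something other than a plain DER certificate and the padding assumption above does not apply to that device.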
I'm trying to find a specific type of guideline and/or certification relating to TPM-based (software) product, and wasn't able to find what I'm looking for here (so far), or at other sites I was advised to check out (i.e. , ), so I'm reaching out here for guidance/advice.
Are there companies or programs (i.e. formally recognized or recommended by TCG or a similar authority) that pen-test/assess the quality of a software-based solution that depends on a TPM (i.e. 2.0) chip? Or, failing that, are there guidelines or certification/assessment programs for qualifying software solutions (i.e. Linux-based) that make use of a TPM device?
I'm putting together some proof-of-concept examples, and while the design seems sound, it's my opinion that the person implementing the solution shouldn't be the same person assessing it for weaknesses. It's effectively a measured-boot-based solution to support full disk encryption via LUKS, and later, remote attestation. I started considering the topic after coming across a post , which strikes me as a bit of a "gotcha" (i.e. secret can be unsealed due to accidentally leaving a blank/default password enabled; "oops").
Any documentation/guides/resources that can help with assessing the quality of a s/w-based solution and "keeping it on the rails" is appreciated.
1. "TPMDeveloper - Topics", <https://developers.tpm.dev/topics>, last accessed 2020-11-16.
2. "Trusted Computing Group - Resources", <https://trustedcomputinggroup.org/resources?>, last accessed 2020-11-16.
3. "Unsealing data despite PCR policy", <https://github.com/tpm2-software/tpm2-tools/issues/1123>, last accessed 2020-11-16.