Linux: Configure and use your TPM 2.0 module on Linux

In this article we’ll see how to configure and use a TPM 2.0 module (Trusted Platform Module)  on CentOS 7 (RHEL 7, PacketLinux 2 and Scientific Linux and Fedora) and Debian (Kali, Ubuntu, Kubuntu and others).

Disclaimer

Before reading this article make sure you have read and understood my article about the TPM module per se (click here to read it), it explains how the TPM actually works and gives you a ton of resources to learn all the possible details.

The article here below explains how to install and configure TPM 2.0 on a Linux system. You can use it only if you have a TPM 2.0 on your computer and have fully understood what mentioned on the previous paragraph.

Please note(1): You cannot use Microsoft WSL to follow this procedure, not even for testing purposes. Microsoft WSL will not allow you to have access to the TPM seen and used by Windows under the Services for Linux.

Please Note(2): To follow this procedure you need either a Linux OS running on bare-metal OR a Linux OS running on a Virtual Machine that supports and that has been configured to use a vTPM (more details in the article mentioned on the first paragraph above).

Please Note(3): To use TPM 2.0 under CentOS 7/RHEL 7 make sure you are using a CentOS or RHEL release higher than 7.3.

Intro

A TPM module (or Trusted Platform Module) is an international standard for a secure cryptoprocessor, which is a dedicated micro-controller designed to secure hardware by integrating cryptographic keys into devices. You can find more info about what it is and how it works at this link: here.

Let’s configure TPM 2.0 on Linux

To use TPM 2.0 on CentOS 7 (RHEL 7, PacketLinux 2, Scientific Linux and Fedora), first of all you need to configure your PC “BIOS” (nowadays UEFI) to enable it. The exact steps for this procedure will depend on the BIOS you have, the motherboard you have and the also the release of your TPM module, so for this step please check your motherboard manual.

Please Note: If you install a TPM module and leave it disabled as TPM (but you have enabled your BIOS Security CHIP flag) then you most likely will get the following error when Linux Kernel will boot up: “a tpm error (7) occurred attempting to read a pcr value”. To fix this please enable your TPM module in your BIOS/UEFI.

When you have completed the full activation process of your TPM, boot up your Linux system and login as root on your console (you can also login with a user account that has sudo privileges, in which case remember to prefix each command below using “sudo ” before the command).

First of all verify that your kernel can see the TPM module correctly. One way to do that (after your system has just booted) is by checking your /var/log/messages or using dmesg like this:

# dmesg | grep -i tpm

If the kernel can’t see the TPM module OR if the TPM module is not being installed or present then you’ll get a message similar to this one:

ima: No TPM chip found, activating TPM-bypass!

If you have got the message above then stop, shutdown your system and verify the TPM chip is installed or check your computer service manual to see if it has one of the types described in the article I pointed you in the disclaimed above.

If you are absolutely sure you have the TPM installed then check again your BIOS/UEFI configuration and activation state of the TPM module and retry.

If you already retried then please contact your system vendor for more details and check their Linux compatibility list to see if your Linux Distro is considered compatible with your computer and/or is supported.

If all goes well for the previous check then it should display your tpm module release, something similar to the following string:

Mar 17 20:37:15 vmm kernel: tpm_tis 00:05: 2.0 TPM (device-id 0xD, rev-id xy)

Another way is to check if in /dev/ you have a tpm0 device:

ls /dev/tpm0

Finally another method is to have a look at the keys in /proc with:

cat /proc/keys

However both the two extra methods above are not as good as the first one to determine if you have a TPM 2.0. The procedure below is good only for TPM 2.0 Modules, if you have a TPM 1.2 please read my other article about configuring Linux for your TPM 1.2.

If your Linux has a Kernel release from 5.6 or higher you can also try:

cat /sys/class/tpm/tpm*/tpm_version_major

Make sure that the output of the above is 2. If instead is one then again use my other article for the TPM 1.2.

If you have verified that you have a TPM 2.0 module on your system then you can proceed with the next steps, otherwise you need to get an appropriate TPM module for your computer. If you are unsure on which TPM version is supported by your chip them please refer to your computer manuals or ask your manufacturer support team. Generally speaking every Maintenance Manual has the correct details about the TPM module used on every specific board.

Configuring the required services to control the TPM 2.0 Module

First off check if the tpm2-abrmd daemon is installed and it’s up and running:

# systemctl status tpm2-abrmd

If you can’t find tpm2-abrmd you can install it via:

On CentOS, Fedora, PacketLinux, RHEL and ScientificLinux:

yum -y install tpm2-abrmd

On Debian, Kali and Ubuntu:

apt install tpm2-abrmd

On OpenSuse:

zypper install tpm2.0-abrmd

Please Note: Some Linux packaging may NOT load the TPM drivers automatically after installting, so, in some cases you may have to run modprobe manualy (or reboot your Linux system).

For example:

  sudo modprobe tpm_tis_spi

Or

  sudo modprobe tpm_infineon

Depending on your system. If unsure, I recommend to reboot your Linux 😉

If tpm2-abrmd is installed, but not running then you can run it via:

# systemctl start tpm2-abrmd

If it starts correctly then you can make sure it will start at every system reboot via:

# systemctl enable tpm2-abrmd

At this point you can install all your tpm2 tools via:

On Fedora, CentOS, PacketLinux, RHEL and Scientific Linux

# yum -y install tpm2-tools

On Debian, Kali, Ubuntu

# apt install tpm2-tools

After the installation is completed you’ll be ready to get ownership of your TPM module and start the fun 🙂

In future articles we’ll see how we can use it and also how we can program it…

What next?

• Read what is a TPM module (for all platforms included mac and Raspberry Pi) here.
• Read about what you can do with a TPM either as a software developer or as a system administrator here.
• Read how to configure Linux to use your TPM 1.2 and how to check if your system has got one here.

Ok that’s it for now, thanks for reading and I hope you’ve found some useful information here. If you enjoyed this post, please don’t forget to support my blog by:

• Visiting my on-line hacking and engineering merchandise shop on redbubble.com by clicking here
• Or you can also make a donation with the PayPal link in the column on your right
• Or share this article

If you like my articles and want to keep getting informed on new ones you can follow me on on of those 21st Century thingies called Facebook, Twitter, Instagram or Pinterest

And as always if you have any questions please feel free to use the comments section below.

Thank you!