The content of this blog was originally written by Shubhrata Priyadarshinee.

This blog provides steps for TPM 2.0 enablement in the BIOS, the kernel and the TPM 2.0 user-space utilities, and shows how TPM ownership is taken on a TPM 2.0 device in SLES12 SP2.

It also helps to find solutions to the below error messages. The first two are symptoms of running the TPM 1.2 software stack (TrouSerS/tcsd and tpm-tools) against a TPM 2.0 chip; the third usually means the TPM 2.0 packages or the resource manager service are not in place yet (see section 3).

  • tcsd service failed with TPM 2.0 under UEFI/BIOS mode.
  • Failed to run tpm_takeownership, tpm_clear commands.
  • Failed to run TPM 2.0 commands.

Trusted Platform Module (TPM)

  • A Trusted Platform Module (TPM) is a cryptographic coprocessor. The Trusted Computing Group (TCG) publishes the TPM Library Specification, which describes all the commands and features a compliant TPM implements and how the platform communicates with it.
  • "TPM" refers both to the TCG specification for a secure cryptoprocessor and to implementations of that specification in the form of a TPM chip. A TPM chip's main purposes are the secure generation of cryptographic keys, the protection of those keys (private key material never leaves the chip unencrypted), and a hardware random number generator. In addition, it provides remote attestation and sealed storage.
  • TPMs are passive devices: they only receive commands and return responses, and never initiate communication on their own.
  • TPM 1.2 PCRs (a platform configuration register is a TPM register holding a hash value that can only be extended, never overwritten) were hard-coded to the SHA-1 algorithm, whereas TPM 2.0 PCRs are organised in banks and each bank can use a different hash algorithm.
  • TPM 2.0 adds SHA-256 alongside SHA-1. A SHA-256 hash is 256 bits (32 bytes), whereas a SHA-1 hash is 20 bytes. SHA-1 is being deprecated in favour of stronger algorithms such as SHA-256. Because a TPM 2.0 PCR extend command can extend several PCR banks at once and return a result for each, both algorithms can be run in parallel, which permits a staged phase-out of SHA-1.
  • In TPM 2.0 there are three separate domains:
    • Security – functions that protect the security of the user.
    • Privacy – functions that could expose the identity of the platform or user and therefore need protecting.
    • Platform – functions that protect the integrity of the platform and firmware services.
  • Each domain has its own resources and controls:
    • Security – the storage (owner) hierarchy and its hierarchy-enable control.
    • Privacy – the endorsement hierarchy.
    • Platform – the platform hierarchy.
  • TPM 2.0 is not fully supported in legacy BIOS mode because legacy BIOS provides no pointer to the TCG event log, so the server should boot in UEFI mode.
  • The table below shows the algorithms supported by TPM 2.0 and TPM 1.2.

Three things need to be done before running TPM 2.0 commands:

  1. Enable TPM 2.0 in the BIOS/UEFI.
  2. Install the TPM 2.0 driver and check the device information in the kernel.
  3. Install the user-space utilities.

1- Enabling TPM 2.0 in the BIOS/UEFI

Dell PowerEdge servers have the TPM 2.0 chip built onto the motherboard, but it is not enabled by default, so the TPM must be turned on in the BIOS.

To enable TPM 2.0 in the BIOS:

Press F2 while the system boots -> System Setup -> System BIOS -> System Security -> TPM Security -> turn TPM Security on if it is off, and enable the TPM hierarchy.

Under TPM advanced security do the following:

  • Clear the 'TPM PPI Bypass Clear' option. PPI is the TCG Physical Presence Interface; with the bypass cleared, a TPM clear requested from the operating system must be confirmed by a person at the console on the next boot, so software alone cannot wipe the TPM unnoticed.
  • 'Select algorithm' lets you change the cryptographic hash algorithm used by the TPM 2.0 PCR banks. SHA-1 is the default, but SHA-256 is recommended for TPM 2.0. Decide this before provisioning any keys: the change takes effect at the next reboot and the firmware may clear the TPM when the algorithm changes.
  • Save and exit the BIOS.

Screenshot showing the TPM configuration setup page for a 13G Dell PowerEdge server.

Screenshot showing the TPM advanced configuration page for a 13G Dell PowerEdge server.

2- TPM 2.0 in Kernel

  • Freshly install SLES12 SP2 GM and boot into the OS.
  • To check whether the kernel supports TPM 2.0 by default, execute the below command (the config file name follows the running kernel version, so $(uname -r) picks the right one):

# grep TPM /boot/config-$(uname -r)

The output will include CONFIG_TCG_TPM=y (the TPM core, built in) and CONFIG_TCG_CRB (the TPM 2.0 CRB interface driver, built in or as a module).

  • Run the below command to verify that the chip is a TPM 2.0 device:

# cat /sys/class/tpm/tpm0/device/description

The output of the above command will look like this: TPM 2.0 Device

The character device /dev/tpm0 should also exist.

  • TPM 2.0 devices exposed through the ACPI CRB interface use the tpm_crb driver (some TPM 2.0 parts are attached through the TIS/FIFO interface and use tpm_tis instead). Run the below command to verify it:

# lsmod | grep -i tpm

The output should list tpm_crb.

3- TPM 2.0 userspace packages

TPM 2.0 uses the tpm2-0-tss package, which provides an open-source implementation of the TCG Software Stack (TSS) for TPM 2.0, and the tpm2.0-tools package, which provides the tpm2_* command-line tools built on tpm2.0-tss.

The TPM 1.2 stack does not work with TPM 2.0: TrouSerS (the tcsd daemon) and tpm-tools speak the TPM 1.2 command set, which is why tcsd fails to start and tpm_takeownership/tpm_clear fail on a TPM 2.0 system. When working with TPM 2.0, install the below two packages instead.

  • tpm2-0-tss
  • tpm2.0-tools

Mount the SLES 12 SP2 GM DVD or configure the SLES12 SP2 repository and install both packages by running the below commands.

#zypper install tpm2-0-tss

#zypper install tpm2.0-tools

  • The tpm2_* tools reach the TPM through the resource manager service (resourcemgr), so it must be running before any of them will work. To check its status, run the below command.

#systemctl status resourcemgr.service

  • If the resource manager service is not active, run the below commands to enable it at boot and start it now.

#systemctl enable resourcemgr.service

#systemctl start resourcemgr.service

  • Once the resource manager service is active, use the tpm2.0-tools commands to test TPM 2.0 functionality.
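The checks from sections 2 and 3 (UEFI boot mode, kernel TPM support, a TPM 2.0 device node, the TPM driver, the resource manager) are easy to get wrong one at a time, so here they are gathered into one preflight script. This is an added example, not code from the original post or from the tpm2.0-tools project. Every check takes its input as a parameter or on stdin (defaulting to the live system), so the functions can also be exercised against a constructed directory tree. Matching the TPM family on the sysfs description string is a heuristic based on the "TPM 2.0 Device" text shown above; other firmware may word it differently.

```shell
#!/bin/sh
# tpm2_preflight.sh: added example, not from the original post. Checks the
# prerequisites for running tpm2_* commands on a TPM 2.0 system.

# 0 if the system booted under UEFI. TPM 2.0 is not fully supported under
# legacy BIOS (no pointer to the TCG event log).  $1: sysfs root, default /sys
booted_uefi() {
    [ -d "${1:-/sys}/firmware/efi" ]
}

# 0 if the kernel config enables the TPM core and the CRB driver (built in
# or as a module).  $1: kernel config file, default the running kernel's
tpm2_kconfig_ok() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] || return 1
    grep -Eq '^CONFIG_TCG_TPM=[ym]$' "$cfg" || return 1
    grep -Eq '^CONFIG_TCG_CRB=[ym]$' "$cfg"
}

# Print the TPM family from the ACPI device description exposed by sysfs:
# "2.0", "1.2", "unknown", or "none" when no tpm0 exists (heuristic match on
# the description text).  $1: sysfs root, default /sys
tpm_family_from_sysfs() {
    desc="${1:-/sys}/class/tpm/tpm0/device/description"
    if [ ! -r "$desc" ]; then
        echo none
        return 1
    fi
    case "$(cat "$desc")" in
        *"TPM 2.0"*) echo 2.0 ;;
        *"TPM 1.2"*) echo 1.2 ;;
        *) echo unknown; return 1 ;;
    esac
}

# 0 if a TPM driver appears in lsmod output read from stdin. tpm_crb serves
# TPM 2.0 over the ACPI CRB interface; tpm_tis is accepted too, since some
# TPM 2.0 parts use the TIS/FIFO interface instead.
tpm_driver_loaded() {
    grep -Eq '^(tpm_crb|tpm_tis)[[:space:]]'
}

# 0 if the resource manager that the tpm2_* tools talk to is active.
resourcemgr_active() {
    systemctl is-active --quiet resourcemgr.service
}

# Run every check against the live system; exit status 0 only if all pass.
tpm2_preflight() {
    rc=0
    booted_uefi || { echo "FAIL: booted in legacy BIOS mode"; rc=1; }
    tpm2_kconfig_ok || { echo "FAIL: CONFIG_TCG_TPM/CONFIG_TCG_CRB not enabled"; rc=1; }
    fam=$(tpm_family_from_sysfs)
    [ "$fam" = 2.0 ] || { echo "FAIL: TPM family is '$fam', expected 2.0"; rc=1; }
    lsmod | tpm_driver_loaded || { echo "FAIL: no tpm_crb/tpm_tis driver loaded"; rc=1; }
    resourcemgr_active || { echo "FAIL: resourcemgr.service is not active"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ready for tpm2_* commands"
    return "$rc"
}

# Run the checks only when invoked as:  sh tpm2_preflight.sh run
case "${1-}" in run) tpm2_preflight ;; esac
```

Run it as root with `sh tpm2_preflight.sh run` after installing the packages; a non-zero exit status tells you which of the three preparation steps is still missing before you start on ownership.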

TPM 2.0 ownership

  • Set the owner, endorsement and lockout authorization passwords for the first time. A freshly cleared TPM 2.0 has empty authorizations for all three hierarchies, so only the new values (-o, -e, -l) are given. Run the below command.

#tpm2_takeownership -o new -e new -l new

  • Change to new authorization passwords for owner, endorsement and lockout. The current values must be supplied with -O, -E and -L to authorize the change.

#tpm2_takeownership -o new1 -e new1 -l new1 -O new -E new -L new

Keep the lockout authorization somewhere safe: it is what resets the TPM's dictionary-attack lockout and, unless the platform has disabled it, what authorizes clearing the TPM. Note also that values passed on the command line are visible in the process list while the command runs and end up in the shell history when typed interactively.
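The two commands above are usually run once by hand with throwaway values like "new". In practice the authorizations should be random, recorded somewhere root-only, and rotated from that record, which is what the following wrapper does. This is an added example, not code from the original post or from the tpm2.0-tools project; it uses only the tpm2_takeownership flags shown above (-o/-e/-l for new values, -O/-E/-L for the current ones, as in tpm2.0-tools 1.x). The /root/tpm2-auth.env location and the 16-byte value size are assumptions, not anything from the page. Clearing the TPM is not covered.

```shell
#!/bin/sh
# tpm2_provision_auths.sh: added example, not from the original post. Sets or
# rotates the owner, endorsement and lockout authorizations with
# tpm2_takeownership, keeping the values in a root-only file instead of the
# shell history. Limitation of this tool version: the values are still
# visible in the process argument list while the command runs.

AUTH_FILE="${AUTH_FILE:-/root/tpm2-auth.env}"   # assumed location, not from the page

# Print one random authorization value: 16 bytes from /dev/urandom as 32 hex
# characters, so it needs no quoting on the command line.
gen_auth() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Record the three values in $1, created with mode 0600.
# $2 $3 $4: owner, endorsement, lockout
write_auth_file() {
    ( umask 077; printf 'OWNER=%s\nENDORSEMENT=%s\nLOCKOUT=%s\n' "$2" "$3" "$4" > "$1" )
    chmod 600 "$1"
}

# Source $1 to set OWNER, ENDORSEMENT and LOCKOUT; 1 if it does not exist.
load_auth_file() {
    [ -r "$1" ] || return 1
    . "$1"
}

# First-time provisioning: a cleared TPM has empty authorizations, so only
# the new values are passed.  $1 $2 $3: new owner, endorsement, lockout
set_initial_auths() {
    tpm2_takeownership -o "$1" -e "$2" -l "$3"
}

# Rotation: the current values authorize the change.
# $1 $2 $3: new owner, endorsement, lockout; $4 $5 $6: current ones
rotate_auths() {
    tpm2_takeownership -o "$1" -e "$2" -l "$3" -O "$4" -E "$5" -L "$6"
}

# Generate fresh values, apply them (initial set or rotation depending on
# whether $AUTH_FILE exists), and only then overwrite the file, so a failed
# TPM command never leaves the file out of step with the TPM.
provision() {
    new_o=$(gen_auth); new_e=$(gen_auth); new_l=$(gen_auth)
    if load_auth_file "$AUTH_FILE"; then
        rotate_auths "$new_o" "$new_e" "$new_l" "$OWNER" "$ENDORSEMENT" "$LOCKOUT" || return 1
    else
        set_initial_auths "$new_o" "$new_e" "$new_l" || return 1
    fi
    write_auth_file "$AUTH_FILE" "$new_o" "$new_e" "$new_l"
}

# Usage:  sh tpm2_provision_auths.sh provision   (as root, with resourcemgr active)
case "${1-}" in provision) provision ;; esac
```

The first run performs the initial set; every later run is a rotation that reads the current values from the file and replaces them, which is the same pair of commands the section shows, minus the typed passwords.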

References:

https://github.com/01org/tpm2.0-tools/blob/master/manual (tpm2.0-tools manual)

https://github.com/01org/TPM2.0-TSS (TPM 2.0 TCG Software Stack)

https://github.com/01org/tpm2.0-tools (tpm2.0-tools)

https://en.wikipedia.org/wiki/Trusted_Platform_Module

https://link.springer.com/book/10.1007%2F978-1-4302-6584-9 (Arthur, Challener, Goldman: A Practical Guide to TPM 2.0, Apress, 2015)