Trusted Platform Module

TPM drivers are natively supported in modern kernels, but might need to be loaded:

# modprobe tpm

Depending on your chipset, you might also need to load one of the following:

# modprobe -a tpm_{atmel,infineon,nsc,tis,crb}

TPM 1.2 is managed by , a userspace daemon that manages Trusted Computing resources and should be (according to the TSS spec) the only portal to the TPM device driver. is part of the trousers^AUR package, which was created and released by IBM, and can be configured via .

To start tcsd and watch the output, run:

# tcsd -f

or simply start and enable tcsd.service.

Once is running you might also want to install tpm-tools^AUR which provides many of the command line tools for managing the TPM.

Some other tools of interest:

Start off by getting basic version info:

$ tpm_version

and running a selftest:

There are several methods to use TPM to secure keys, but here we show a simple method based on simple-tpm-pk11-git^AUR.

First, create a new directory and generate the key:

$ mkdir ~/.simple-tpm-pk11
$ stpm-keygen -o ~/.simple-tpm-pk11/my.key

Point the configuration to the key:

Now configure SSH to use the right PKCS11 provider:

It is now possible to generate keys with the PKCS11 provider:

$ ssh-keygen -D /usr/lib/libsimple-tpm-pk11.so

Platform Configuration Registers (PCR) contain hashes that can be read at any time but can only be written via the extend operation, which depends on the previous hash value, thus making a sort of blockchain. They are intended to be used for platform hardware and software integrity checking between boots (e.g. protection against Evil Maid attack). They can be used to unlock encryption keys and proving that the correct OS was booted.

The TCG PC Client Specific Platform Firmware Profile Specification defines the registers in use:

Documentation from tianocore.

facilitates this check with a human observer and dedicated trusted device.

# cat /sys/kernel/security/tpm0/ascii_bios_measurements

A TPM 2.0 chip has been a requirement for computers certified to run Windows 10 since 2016-07-28. Linux has support for TPM 2.0 since version 3.20 and should not require any other steps to be enabled on a default Arch install.

Two ways to verify whether TPM 2.0 is setup without specific software:

• checking the logs, e.g., by running journalctl -k --grep=tpm as root
• read the value of or

There are two methods for unlocking a LUKS volume using a TPM. An older method using , and a newer method using systemd-cryptenroll. The newer method will be detailed first.

Using either method, an encrypted volume or volumes may be unlocked using keys stored in a TPM, either automatically at boot or manually at a later time. Using a TPM for this purpose ensures that your drives will not unlock unless certain conditions are met, such as your firmware not having been modified and Secure Boot not having been disabled (see #Accessing PCR registers).

Since version 248, systemd has had native support for enrolling LUKS keys in TPMs. This functionality is managed through the systemd-cryptenroll util. This method requires the following:

• A LUKS2 device (currently the default type used by cryptsetup),
• If you intend to use this method on your root partition, use of the and hooks in the initramfs. See Mkinitcpio#HOOKS and Using sd-encrypt hook.

To begin, run the following command to list your installed TPMs and the driver in use:

$ systemd-cryptenroll --tpm2-device=list

A key may be enrolled in both the TPM and the LUKS volume using only one command. The following example binds the key to PCRs 0 and 7 (the system firmware and Secure Boot state):

# systemd-cryptenroll --tpm2-device=/path/to/tpm2_device --tpm2-pcrs=0+7 /dev/sdX

where is the full path to the encrypted LUKS volume and is the full path to the TPM as given in the output of the first command.

To test that the key works, run the following command while the LUKS volume is closed:

# /usr/lib/systemd/systemd-cryptsetup attach mapping_name /dev/sdX - tpm2-device=/path/to/tpm2_device

where is your chosen name for the volume once opened. If the volume successfully unlocks, you are ready to add the required information to the crypttab so that systemd can automatically unlock the device at boot.

Alternatively, you can mention your TPM driver inside of .

If the volume you wish to unlock contains your root filesystem, you must take the following additional steps:

• Ensure you are using and in the HOOKS array of
• Configure your initramfs to unlock the root volume with one of the following methods:
  • Specifying the root volume using the configuration outlined above in (see tip at the top of Using sd-encrypt hook)
  • Setting in addition to or in the kernel command line

To remove a key enrolled using this method, run:

# systemd-cryptenroll /dev/sdX --wipe-slot=slot_number

where slot_number is the numeric LUKS slot number in which your TPM key is stored.

Alternatively, run:

# systemd-cryptenroll /dev/sdX --wipe-slot=tpm2

to remove all TPM-associated keys from your LUKS volume.

See and for more information and examples.

allows binding a LUKS volume to a system by creating a key and encrypting it using the TPM, and sealing the key using PCR values which represent the system state at the time of the Clevis pin creation.

To bind a LUKS volume to the TPM, use:

# clevis luks bind -d /dev/sdX tpm2 '{}'

where contains the configuration. Even with no parameters, the drive cannot be decrypted from another computer (unless the attacker knows the backup password).

To seal the LUKS key against, for example, the UEFI settings and the Secure Boot policy, use:

If the UEFI or Secure Boot settings are modified, the TPM will compute different PCR values and decryption will fail. This gives protection against evil maid attacks.

For a list of parameters, see clevis-encrypt-tpm2(1) § CONFIG.

For a full explanation of the meanings of PCRs, see the TCG specification (§ 2.3.4).

To generate a new Clevis pin after changes in system configuration that result in different PCR values, for example updating the UEFI when PCR 0 is used, run

to find the slot used for the Clevis pin, then

# clevis luks regen -d /dev/sdX -s keyslot

To remove the Clevis binding, run:

# clevis luks unbind -d /dev/sdX -s keyslot 

You can unlock a TPM-bound volume using:

# clevis luks unlock -d /dev/sdX

For automated decryption of volumes in /etc/crypttab, enable .

For automated decryption of the root volume, use Booster, Dracut or mkinitcpio-clevis-hook. Booster automatically decrypts LUKS volumes bound using Clevis out of the box. Dracut and mkinitcpio-clevis-hook needs the following extra packages:

• nmap (For Dracut)
• (For mkinitcpio-clevis-hook)

followed by an initramfs regeneration:

Dracut:

# dracut -f

mkinitcpio-clevis-hook:

# mkinitcpio -P

• SSH: 's SSH configuration and Using a TPM for SSH authentication (2020-01)
• Configuring Secure Boot + TPM 2 (2018-06, Debian)
• Using the TPM - It's Not Rocket Science (Anymore) - Johannes Holland & Peter Huewe (2020-11, Youtube): examples for OpenSSL with

After installing trousers^AUR, the tcsd.service service may not start correctly due to permission issues. It is possible to fix this either by rebooting or by triggering the udev rule that is included in the trousers^AUR package:

# udevadm control --reload-rules
# udevadm trigger