Skip to content

9elements/tpmtool

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

60 Commits
.github/workflows
.github/workflows
 
 
cmd/tpmtool
cmd/tpmtool
 
 
docs
docs
 
 
pkg
pkg
 
 
scripts
scripts
 
 
vendor
vendor
 
 
.goreleaser.yml
.goreleaser.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

tpmtool is a tool for TPM interaction and disk encryption. It is written in pure Go.

Basic Features

  • Supports TPM 1.2 and 2.0 with Go TSS.
  • Higher TPM abstraction layer (TSPI) is implemented.
  • Written in pure Go.
  • TPM states are derived by Linux sysfs.
  • Automatic TSS selection based on TPM version.
  • TPM1 & TPM2 event log parser
  • Currently only TSPI for TPM specification 1.2 is available.

Core Features

  • Shows the TPM status.
TPM Manufacturer:          STMicroelectronics
TPM spec:                  1.2
TPM owned:                 true
TPM activated:             true
TPM enabled:               true
TPM temporary deactivated: false
  • Dumps Endorsement Key into a file and shows the fingerprint.
  • Takes ownership of the TPM.
  • Clears ownership of the TPM.
  • Resets TPM lock in case of active bruteforce detection.
  • Sealing/Unsealing credentials with custom/current set of PCRs.
  • Resealing of credentials using a sealing configuration for PCR pre-calculation
  • List and read PCRs
  • Measures a file into given PCR index.
  • Dump TPM eventlog from OS or custom eventlog binary file input.
  • Cryptsetup:
    • Format device and seal credential.
    • Open device by sealed credential.
    • Close device.
    • Measure device luks header into a given PCR.

Package Availability

Packaging status

Dependencies

  • cryptsetup binary is required for the disk commands.

PCR pre-calculation

PCR pre-calculation is an important feature to reseal credential in case of PCR changes e.g. kernel/firmware update.

Usage:

tpmtool crypt reseal sealing.yml sealed-key.file

Example sealing configuration:

---
pcr0:
  - method: measure
    filepaths:
      - /boot/kernel
      - /boot/initramfs
  - method: extend
    hashes:
      - 8dad1c80be028384f26b929b7e7e251fbe3c1d5
pcr1:
  - method: dynamic
pcr2:
  - method: static
    hash: c3018af653e2f1a16118dd8bab2f409fbc82aa9f
pcr3:
  - method: log
    firmware: UEFI

Calculation methods

Every PCR can contain different calculation methods. The static and dynamic method are standalone and can't be used with other methods.

Static

Overwrites and sets the PCR hash you define.

method: static

hash: 8dad1c80be028384f26b929b7e7e251fbe3c1d5 (string type)

Dynamic

Gets the current PCR of the TPM. Overwrites and sets the hash.

method: dynamic

Extend

Extends a hash into the current PCR.

method: extend

hashes: [ 8dad1c80be028384f26b929b7e7e251fbe3c1d5, c3018af653e2f1a16118dd8bab2f409fbc82aa9f ] (array type)

FimwareLog

Uses the existing firmware log for PCR pre-calculation.

method: log

firmware: BIOS (enum type){UEFI, BIOS}

Measure

Measures a file into the current PCR.

method: measure

filepaths: [ /foo/bash, /test/foo ] (array type)

Luks

Measures a LUKS header of a device into the current PCR.

method: luks

devicepath: /dev/sda (string type)

About

A Linux only tool for TPM interaction

www.tpmtool.org

Topics

tool tpm tpm2 cryptsetup

Resources

Readme

License

BSD-3-Clause license
Activity
Custom properties

Stars

36 stars

Watchers

7 watching

Forks

11 forks
Report repository

Releases 3

v3 Merge TSPI and reduce binary size Latest
Jul 16, 2018
+ 2 releases

Packages

No packages published

Contributors 6

Languages