Introduction

This allows enumerating Trusted Platform Modules, also known as “TPM” devices, although it does not allow the user to update the firmware on them.

The TPM Event Log records which events are registered for the PCR0 hash, which may help in explaining why PCR0 values are differing for some firmware.

The device exposed is not upgradable in any way and is just for debugging. The created device will be a child device of the system TPM device, which may or may not be upgradable.

GUID Generation

These devices use custom GUIDs:

TPM\VEN_$(manufacturer)&DEV_$(type)
TPM\VEN_$(manufacturer)&MOD_$(vendor-string)
TPM\VEN_$(manufacturer)&DEV_$(type)_VER_$(family),
TPM\VEN_$(manufacturer)&MOD_$(vendor-string)_VER_$(family)

…where family is either 2.0 or 1.2

Example GUIDs from a real system containing a TPM from Intel:

  Guid:                 34801700-3a50-5b05-820c-fe14580e4c2d <- TPM\VEN_INTC&DEV_0000
  Guid:                 03f304f4-223e-54f4-b2c1-c3cf3b5817c6 <- TPM\VEN_INTC&DEV_0000&VER_2.0

Vendor ID Security

The device is not upgradable and thus requires no vendor ID set.

External Interface Access

This plugin uses the tpm2-tss library to access the TPM. It requires access to /sys/class/tpm and optionally requires read only access to /sys/kernel/security/tpm0/binary_bios_measurements.