Image Credit: Military & Aerospace Electronics, June 6, 2018.
A newly completed Trusted Platform Module 2.0 (TPM2) software stack is being introduced, developed to comply with the most recent Trusted Computing Group (TCG)
v1.38 specification and work on any TPM2 implementation. Partnering with key players within the domain of Trusted Computing such as Infineon and Fraunhofer SIT, Intel has made large investments in code improvements and new functionality compared to the previous version. This includes the initialization of the TSS Stack development and the SAPI, TCTI and abrmd layer. Based on this development, Infineon
and Fraunhofer SIT
enabled the support of the Enhanced System API (ESAPI) layer, which is intended to reduce programming complexity and to simplify the use and integration of the TPM.
A TPM is a cryptographic coprocessor with secure storage and hardware-enforced access control. It is commonly used for software attestation, cryptographic key storage, storing root certificates, full disk encryption, and as an anchor for trusted execution environments. TPM has a variety of use cases, but a common use case is for the hardware to be used for secure boot, to ensure that secrets can be used only when known, trusted software has been loaded. Additionally, TPM can be used similar to a smart card, to verify that the correct software stack is trying to access the encryption keys.
Having an open-source TPM software stack allows systems developers to inspect the security-sensitive code, increasing their confidence in how it operates and permitting them to verify that it matches the TCG specifications.
The components that make up the new TPM2 software stack include:
- tpm2-tss v2.0.x
- Enhanced System API (ESAPI): supports cryptographic session operations and reduces programming complexity contributed by Fraunhofer SIT and enabled by Infineon.
- TPM Command Transmission Interface (TCTI): handles communications between the upper and lower layers of the stack.
- System API (SAPI): can provide a smaller footprint than ESPI, but it is more complex to use.
- Marshalling library (LibMU): provides a set of marshaling and unmarshaling functions for all data types defined by the TPM library specification.
- tpm2-tools v3.0.x: both low-level and aggregate command line tools that provide access to a TPM 2.0 compatible device from a shell environment.
- tpm2-abrmd v2.0: a system daemon implementing the TPM2 access broker (TAB) and Resource Manager (RM) specification. It manages multi-process synchronization to the TPM.
- tpm2 kernel driver: provides direct access to the TPM through the operating system kernel
The TPM2 software stack is developed to be compliant with the most recent TCG v1.38 specification and works on any TPM2 implementation.
The project to improve the TPM2 software stack was started by Intel open source software developers. They envisioned a stable and scalable software stack that would be embraced by the open source community, and they successfully reached out to community partners to coordinate contributions around the project. With currently around 40 contributors being involved, Fraunhofer SIT and Infineon are the main contributors to enable the ESAPI layer.
We continue to work on software stack hardening, maintenance and features, and we invite other contributors to the project. Our goal is to make this TPM 2.0 software stack a key part of the Linux* infrastructure, and key Linux distros and vendors.
Our project implements modern software development best practices and aims to role-model a healthy open source project. Our goal is to continue working with the TCG to keep influencing the spec to be more flexible and robust. We want the TPM 2.0 software stack to be scalable and to be used across many layers of the infrastructure, across multiple operating environments, including Linux and Windows.
Some of the project’s specific goals include:
- A test harness with ~80% test coverage between unit and integration tests, benefiting the collective testing and use by all users of the open source software code base.
- Continuous build and integration tasks: every commit and pull request is built automatically and run through our full test harness.
- Support for Linux and Microsoft* Windows operating systems.
- Regular release cadence.
For More Information
The APIs and infrastructure are specified in standards linked below from the TCG TPM Software Stack working group:
Editor’s Note: We’ve updated this blog to fix an inaccurate claim, and we would like to acknowledge our partners and contributors to this project.