level: advanced
Growing need for security in computer systems led to customer requests and calls for using the new hardware, which supports latest security standards. We recently received such request, to support TPM 2.0 LPC module in coreboot based device. Many such modules are available on market for different platforms, so this work could be reused on different mainboards. In this presentation we want to share our experiences and issues during the enablement of TPM2.0 hardware in coreboot/SeaBIOS environment.
Our objective is to present crypto capabilities and secure storage features of TPM 2.0 specification. We also present our triage and analysis of using measured boot in coreboot.
We examined previous work of various developers. We found some TPM 2.0 support in UEFI, SeaBIOS and Linux kernel. We started to triage the chip under Linux, using some libraries found on GitHub, since there are no readily available userspace tools supporting TPM2.0. We found out that TCGBIOS support in SeaBIOS is lacking, since it hadn’t detected our chip out of the box, so we had to add the support for it.
Adding the TPM2.0 support proved not to be so easy, since the Linux userspace have little support for it, and it is difficult to test thoroughly.