Last updated: September 11, 2024
Trusted Platform Module (TPM) is a security technology that provides hardware-level protection against security attacks. The generation and storage of cryptographic keys, system integrity checking, and device authentication are examples of the common uses of TPM.
TPM has two versions. TPM 2.0 is the current version while TPM 1.2 is the old version.
In this tutorial, we’ll discuss how to check if a computer supports TPM in Linux.
TPM is an international standard for providing a secure cryptoprocessor to execute cryptographic operations within hardware. It aims to be a hardware root of trust for software including operating systems and applications.
The TPM functionality might be provided using a dedicated TPM chip. However, most modern CPUs have built-in support for TPM 2.0. In addition to TPM support using hardware, there are firmware, software, and virtual TPM solutions. But, hardware implementations are safer.
TPM provides many cryptographic functionalities. Random number generation, hash functions, generation and storage of cryptographic keys, and symmetric and asymmetric encryption are a few features of TPM.
An application of TPM is checking the system’s integrity. The firmware, like BIOS or UEFI, checks hardware during startup. Similarly, the bootloader can check several things like the kernel images and Operating System (OS) parameters before or during the boot. TPM can store these measurements in its registers, and later use them to ensure the boot process uses a secure combination of hardware and software.
Another application of TPM is disk encryption. For example, Linux Unified Key Setup (LUKS) in Linux and BitLocker in Windows use TPM. Windows 11 runs only on computers that support TPM 2.0.
As a result of the proliferation of TPM 2.0 hardware, Advanced Configuration and Power Interface (ACPI) included a TPM2 table within ACPI tables, which are loaded during the boot process.
The journalctl command is useful for printing the log entries in the systemd journal. If TPM hardware is available, log entries about TPM will exist in the systemd log.
Therefore, journalctl is one option for checking the availability of TPM:
$ journalctl -g tpm
-- Logs begin at Thu 2024-08-08 07:48:04 UTC, end at Thu 2024-08-08 14:54:16 UTC. --
Aug 08 07:48:04 machine-01 kernel: ACPI: TPM2 0x0000000079BD0C80 000034 (v03 Tpm2Tabl 00000001 AMI 00000000)
Aug 08 07:48:04 machine-01 kernel: ACPI: Reserving TPM2 table memory at [mem 0x79bd0c80-0x79bd0cb3]
Aug 08 07:48:04 machine-01 kernel: tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
The -g option of journalctl filters the output using the specified regular expression. We filter the log messages containing tpm using -g tpm. Because the pattern is all lowercase, journalctl matches it case-insensitively, which is why the lines containing TPM2 and TPM above are also reported.
Note that running the journalctl command requires root privileges.
As is apparent from the output, the TPM2 table exists within the ACPI tables loaded into the memory. Therefore, TPM hardware is available on this computer.
Let’s run the same command on a computer that doesn’t have TPM support:
$ journalctl -g tpm
-- Logs begin at Thu 2024-08-08 07:47:57 UTC, end at Thu 2024-08-08 14:53:12 UTC. --
Aug 08 07:47:57 machine-02 kernel: ima: No TPM chip found, activating TPM-bypass!
The output reports that there isn’t any TPM chip found.
Another option to check for the existence of TPM support is the dmesg command. Running the dmesg command without options displays all messages within the kernel ring buffer. We can filter the messages using the grep command:
$ dmesg | grep -i tpm
[ 0.000000] ACPI: TPM2 0x0000000079BD0C80 000034 (v03 Tpm2Tabl 00000001 AMI 00000000)
[ 0.000000] ACPI: Reserving TPM2 table memory at [mem 0x79bd0c80-0x79bd0cb3]
[ 1.633137] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
As with journalctl, the output reports that the TPM2 table has been loaded into memory and that the tpm_tis driver has bound a TPM 2.0 device. Therefore, TPM is available on this computer.
Let’s run the same command on a computer that doesn’t have TPM hardware:
$ dmesg | grep -i tpm
[ 1.369796] ima: No TPM chip found, activating TPM-bypass!
The output shows that there isn’t any TPM hardware found.
Running these commands may require root privileges depending on the Linux distro.
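The two log-based checks above (journalctl -g tpm and dmesg | grep -i tpm) leave the interpretation of the messages to whoever reads them. The following POSIX shell function classifies the kernel messages itself, so the result can drive a hardening or inventory script. This is an added example and not code from the article; the sample log lines are constructed in the format of the dmesg output shown above, and the classify_tpm_log and check_tpm_live names are this example's own.

```shell
#!/bin/sh
# Added example: classify kernel log lines for TPM presence.
# Reads log lines on stdin, prints "present", "absent" or "unknown"
# and returns 0, 1 or 2 respectively, so other scripts can branch on it.
classify_tpm_log() {
    present=0
    absent=0
    while IFS= read -r line; do
        case "$line" in
            # ACPI TPM2 table found, or a TPM driver (tpm_tis / tpm_crb) bound a device
            *"ACPI: TPM2 "*|*"tpm_tis "*" TPM "*|*"tpm_crb "*" TPM "*) present=1 ;;
            # IMA falls back to bypass mode when no chip exists
            *"No TPM chip found"*) absent=1 ;;
        esac
    done
    if [ "$present" -eq 1 ]; then
        echo present
        return 0
    elif [ "$absent" -eq 1 ]; then
        echo absent
        return 1
    fi
    # No TPM-related line at all: the buffer may have wrapped, or dmesg was not readable
    echo unknown
    return 2
}

# Constructed sample input in the format of the dmesg output above (not a captured log).
SAMPLE_PRESENT='[    0.000000] ACPI: TPM2 0x0000000079BD0C80 000034 (v03 Tpm2Tabl 00000001 AMI 00000000)
[    0.000000] ACPI: Reserving TPM2 table memory at [mem 0x79bd0c80-0x79bd0cb3]
[    1.633137] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)'
SAMPLE_ABSENT='[    1.369796] ima: No TPM chip found, activating TPM-bypass!'

# Live check against this machine's kernel ring buffer; dmesg may need root on some distros.
check_tpm_live() {
    dmesg 2>/dev/null | classify_tpm_log
}

# Run the live check only when invoked as: sh tpmlog.sh --live
if [ "${1:-}" = "--live" ]; then
    check_tpm_live
fi
```

Treat "unknown" as a distinct outcome rather than as "absent": on a long-running machine the ring buffer may have wrapped past the boot messages, in which case journalctl -b or the sysfs check is the reliable fallback.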
The sysfs pseudo file system, which is mounted at /sys, provides information about devices and kernel subsystems within the system. Specifically, we can use the /sys/class/tpm directory to check the existence of TPM hardware.
Let’s list the tpm0 subdirectory within /sys/class/tpm:
$ ls -l /sys/class/tpm/tpm0/
total 0
-r--r--r-- 1 root root 4096 Aug 8 15:00 dev
lrwxrwxrwx 1 root root 0 Aug 8 15:00 device -> ../../../MSFT0101:00
drwxr-xr-x 2 root root 0 Aug 8 15:00 pcr-sha1
drwxr-xr-x 2 root root 0 Aug 8 15:00 power
drwxr-xr-x 2 root root 0 Aug 8 15:00 ppi
lrwxrwxrwx 1 root root 0 Aug 8 07:48 subsystem -> ../../../../../class/tpm
-r--r--r-- 1 root root 4096 Aug 8 15:00 tpm_version_major
-rw-r--r-- 1 root root 4096 Aug 8 07:48 uevent
There’s a tpm0 subdirectory within /sys/class/tpm. Therefore, TPM hardware exists on this computer. Furthermore, we can check the version of TPM by printing the content of tpm_version_major in the tpm0 subdirectory:
$ cat /sys/class/tpm/tpm0/tpm_version_major
2
The hardware implements TPM 2.0.
Since the /dev directory shows the hardware devices connected to the system, there are also files corresponding to the TPM hardware in the /dev directory:
$ ls -l /dev/tpm0
crw-rw---- 1 tss root 10, 224 Aug 8 15:00 /dev/tpm0
$ ls -l /dev/tpmrm0
crw-rw---- 1 tss tss 253, 65536 Aug 8 15:00 /dev/tpmrm0
/dev/tpm0 is the path to the TPM hardware. Only one process can access the TPM using this path. On the other hand, /dev/tpmrm0 corresponds to the kernel’s resource manager for the TPM. Multiple processes can use the TPM through the resource manager, and the TPM2 tools open it by default.
Finally, let’s check the content of /sys/class/tpm on a computer that doesn’t have TPM support:
$ ls -l /sys/class/tpm/
total 0
The /sys/class/tpm directory is empty.
The tpm2-tools package provides several tools to manage and use TPM 2.0 hardware. If this package is installed, we can use the tools it provides to check the availability of TPM.
The exact name of the package we use on our computer, which is using RHEL 8, is tpm2-tools-4.1.1-5.el8.x86_64.
The tpm2_getrandom command is one of the tools we can use. tpm2_getrandom retrieves random bytes from the TPM hardware. We need root privileges to use the TPM tools:
$ tpm2_getrandom --hex 16
78fddffa4c8654f09058f52336c180c1
This example generates a random 16-byte number and prints it in hexadecimal format. Successful retrieval of a random number using tpm2_getrandom means that TPM hardware exists.
If we run the same command on a computer that doesn’t have TPM hardware, we get an error:
$ tpm2_getrandom --hex 16
ERROR:tcti:src/tss2-tcti/tcti-device.c:447:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpmrm0: No such file or directory
...
$ echo $?
1
We abbreviated the output of tpm2_getrandom since the error message is long. The exit status of running the tpm2_getrandom --hex 16 command is 1, as echo $? shows. Therefore, we aren’t successful in running the tpm2_getrandom command when there isn’t any TPM hardware.
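The sysfs, /dev and tpm2-tools checks above can be combined into one probe that reports not only whether a TPM exists but which major version it implements, which matters for anything that requires TPM 2.0. The following POSIX shell script is an added example and not the article’s code. tpm_version_major and tpm_probe accept optional sysfs and /dev roots so the logic can be exercised against a constructed directory tree; tpm_tools_probe wraps tpm2_getrandom and reports its exit status the way the failing run above does. All function names are this example’s own.

```shell
#!/bin/sh
# Added example: probe sysfs, /dev and tpm2-tools for a TPM.

# Print the TPM's major version from sysfs, or "none" when no tpm0 exists.
# The root argument defaults to /sys and exists only for testing against a fake tree.
tpm_version_major() {
    sysfs="${1:-/sys}"
    verfile="$sysfs/class/tpm/tpm0/tpm_version_major"
    if [ -d "$sysfs/class/tpm/tpm0" ]; then
        if [ -r "$verfile" ]; then
            tr -cd '0-9' < "$verfile"   # strip the trailing newline
        else
            echo unknown                # older kernels do not expose tpm_version_major
        fi
    else
        echo none
    fi
}

# Report the device nodes: tpm0 is the exclusive path, tpmrm0 the kernel resource manager.
tpm_dev_nodes() {
    devdir="${1:-/dev}"
    for node in tpm0 tpmrm0; do
        if [ -c "$devdir/$node" ]; then
            echo "$devdir/$node: present"
        else
            echo "$devdir/$node: missing"
        fi
    done
}

# Combined verdict: 0 = TPM 2.x, 1 = no TPM, 2 = TPM present but not 2.x (or version unknown).
tpm_probe() {
    major=$(tpm_version_major "${1:-/sys}")
    tpm_dev_nodes "${2:-/dev}"
    case "$major" in
        none) echo "no TPM found in sysfs"; return 1 ;;
        2)    echo "TPM 2.x found"; return 0 ;;
        *)    echo "TPM found, major version: $major"; return 2 ;;
    esac
}

# Exercise tpm2-tools as the article does. Returns tpm2_getrandom's own exit status
# (1 when /dev/tpmrm0 cannot be opened) and 127 when the tool is not installed.
tpm_tools_probe() {
    command -v tpm2_getrandom >/dev/null 2>&1 || { echo "tpm2-tools not installed"; return 127; }
    rc=0
    tpm2_getrandom --hex 16 >/dev/null 2>&1 || rc=$?
    echo "tpm2_getrandom exit status: $rc"
    return "$rc"
}

# Run against the real system only when invoked as: sh tpmprobe.sh --live
if [ "${1:-}" = "--live" ]; then
    tpm_probe
    tpm_tools_probe
fi
```

The three-way exit code is deliberate: a compliance script that only tests for the existence of tpm0 would accept a TPM 1.2 device, while one that only runs tpm2_getrandom would report a healthy TPM 2.0 as missing whenever the caller lacks access to /dev/tpmrm0.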
In this article, we discussed how to check if a computer supports TPM in Linux.
Firstly, we learned that TPM is a security standard providing a secure cryptoprocessor. It establishes a hardware-based root of trust for operating systems and applications. We saw that hardware-based key and random number generation, hash functions, and symmetric and asymmetric encryption and decryption are a few usages of TPM.
Then, we learned that journalctl and dmesg are two commands that we can use for checking TPM support in Linux. We saw that we can also use sysfs. Finally, we learned that using the TPM tools is another option. We used the tpm2_getrandom utility to generate 16 random bytes as an example.