Enable OPTIGA™ TPM 2.0 on Raspberry Pi 4.
- Prerequisites
- Install Raspberry Pi OS (using Ubuntu)
- Install Raspberry Pi OS (using Windows)
- Set Up Network & SSH without Having a Monitor
- Enable SPI TPM 2.0
- Enable I2C TPM 2.0
- Enable I2C TPM 2.0 (Linux-6.1)
- Set Up TSS and Tools
- What's Next
- References
- License
- Raspberry Pi 4 Model B with the following board mounted:
- Host machine:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
$ uname -a
Linux ubuntu 5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
This section is intended for Ubuntu users.
First, install dependencies.
$ sudo apt update
$ sudo apt install curl
Download the Raspberry Pi OS with desktop image (Linux 5.15.32-v7l+) onto your Ubuntu machine.
$ curl https://downloads.raspberrypi.org/raspios_armhf/images/raspios_armhf-2022-04-07/2022-04-04-raspios-bullseye-armhf.img.xz --output ~/2022-04-04-raspios-bullseye-armhf.img.xz
$ cd ~
$ unxz 2022-04-04-raspios-bullseye-armhf.img.xz
Connect your microSD card to the Ubuntu machine and run sudo fdisk -l to find it (e.g., /dev/sdc). Be cautious: confirm the path /dev/??? either by checking the total storage size (e.g., 7.3 GiB) or by removing the microSD and checking that it is no longer listed by fdisk.
$ sudo fdisk -l
Disk /dev/???: 7.3 GiB, 7876902912 bytes, 15384576 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1fa31320
Device Boot Start End Sectors Size Id Type
/dev/???1 8192 532479 524288 256M c W95 FAT32 (LBA)
/dev/???2 532480 15384575 14852096 7.1G 83 Linux
Unmount all partitions.
$ sudo umount /dev/???1
$ sudo umount /dev/???2
!!! Warning: the following command writes to the path /dev/???; selecting the wrong path will almost certainly destroy data or wipe your operating system !!!
$ sudo dd if=~/2022-04-04-raspios-bullseye-armhf.img of=/dev/??? bs=100M status=progress oflag=sync
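The dd step above has no guard against a mistyped device path. The following script is an added example, not part of the original page or project: it checks the downloaded .img.xz against the .sha256 sidecar that downloads.raspberrypi.org publishes next to each image (the sidecar layout is an assumption here), refuses to write to anything that is a partition, holds the root filesystem, or is not flagged removable by the kernel, and reads the card back after writing so a card that silently drops writes is caught. It relies on util-linux (findmnt, lsblk), coreutils (sha256sum, stat) and diffutils (cmp).

```sh
#!/bin/sh
# Added example: guard rails around the "dd to /dev/???" step.
# Assumes the .img.xz sits next to its .sha256 sidecar (downloads.raspberrypi.org
# layout, assumed) and a Linux host with util-linux, coreutils and diffutils.
set -eu

# Map a partition node to its whole-disk node:
#   /dev/sdc1 -> /dev/sdc, /dev/mmcblk0p2 -> /dev/mmcblk0, /dev/nvme0n1p1 -> /dev/nvme0n1
# Whole-disk nodes are returned unchanged.
disk_of_partition() {
    case "$1" in
        /dev/mmcblk[0-9]*p[0-9]*|/dev/nvme[0-9]*n[0-9]*p[0-9]*) printf '%s\n' "${1%p[0-9]*}" ;;
        /dev/mmcblk[0-9]*|/dev/nvme[0-9]*n[0-9]*) printf '%s\n' "$1" ;;
        *) printf '%s\n' "$1" | sed 's/[0-9]*$//' ;;
    esac
}

# Whole-disk node holding the root filesystem (e.g. /dev/sda), so it can be refused.
root_disk() {
    disk_of_partition "$(findmnt -no SOURCE /)"
}

# "yes" if the kernel flags the disk as removable, "no" otherwise.
# The optional second argument replaces /sys so the logic can be exercised on a fake tree.
is_removable() {
    disk=$(disk_of_partition "$1")
    flag="${2:-/sys}/block/${disk#/dev/}/removable"
    if [ -r "$flag" ] && [ "$(cat "$flag")" = 1 ]; then echo yes; else echo no; fi
}

# Refuse anything that is not a removable whole-disk block device, or is the root disk.
check_target() {
    dev=$1
    [ -b "$dev" ] || { echo "refusing: $dev is not a block device" >&2; return 1; }
    [ "$dev" = "$(disk_of_partition "$dev")" ] || { echo "refusing: $dev is a partition, give the whole disk" >&2; return 1; }
    [ "$dev" != "$(root_disk)" ] || { echo "refusing: $dev holds the root filesystem" >&2; return 1; }
    [ "$(is_removable "$dev")" = yes ] || { echo "refusing: $dev is not flagged removable" >&2; return 1; }
}

# Verify the compressed image against its published SHA-256 before trusting it.
verify_image() {
    xz=$1
    ( cd "$(dirname "$xz")" && sha256sum -c "$(basename "$xz").sha256" )
}

# Unmount whatever is mounted from the card, write the image, then read it back and compare.
flash_image() {
    img=$1; dev=$2
    check_target "$dev"
    lsblk -nro MOUNTPOINT "$dev" | grep -v '^$' | xargs -r -n1 sudo umount
    sudo dd if="$img" of="$dev" bs=4M conv=fsync status=progress
    sudo cmp -n "$(stat -c %s "$img")" "$img" "$dev"
}

# Usage: sh flash.sh ~/2022-04-04-raspios-bullseye-armhf.img.xz /dev/sdX
# (nothing runs when the file is loaded without arguments)
if [ $# -eq 2 ]; then
    verify_image "$1"
    unxz -k "$1"
    flash_image "${1%.xz}" "$2"
fi
```

The removable flag comes from /sys/block/<disk>/removable; USB card readers set it, the internal disk of a laptop does not, which is exactly the mistake the warning above is about. The read-back cmp is bounded to the image size, so it does not complain about the unused tail of the card.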
This section is intended for Windows users.
- Download the Raspberry Pi Imager for Windows.
- Put the SD card you'll use with your Raspberry Pi into the reader and run Raspberry Pi Imager.
- Select the Operating System
- Select a microSD
- Write the OS
Connect the microSD card to your machine (Windows/Ubuntu) and add the following files to the boot partition:
- Create an empty file named ssh (no file extension). When Raspberry Pi OS finds this file at boot it enables the SSH server.
- Create a file named wpa_supplicant.conf with the following content. It tells Raspberry Pi OS which network to join; remember to update the country code. Note that the passphrase sits in clear text on an unencrypted FAT partition, so anyone holding the card can read it.
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=SG

network={
    scan_ssid=1
    ssid="wifi-ssid"
    psk="wifi-password"
}
- Raspberry Pi OS images from 2022-04-04 onward (including the one downloaded above) ship without the default pi user, so a headless first boot also needs a file named userconf.txt holding one line of the form username:encrypted-password; generate the encrypted password with openssl passwd -6. Without it there is no account to log in to over SSH.
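The three boot-partition files can be generated with input checks rather than typed by hand. This script is an added example, not the page's or the project's own code; it assumes a mounted boot partition path, openssl for the SHA-512 crypt hash that userconf.txt expects, and, when available, wpa_passphrase (from wpa_supplicant) so the stored psk line is the derived 256-bit key instead of the human passphrase. The length limits it enforces are the WPA2-PSK passphrase (8 to 63 characters) and SSID (up to 32 bytes) limits.

```sh
#!/bin/sh
# Added example: write ssh, userconf.txt and wpa_supplicant.conf onto the boot partition.
# Assumes: openssl (for "openssl passwd -6"), optionally wpa_passphrase; POSIX sh otherwise.
set -eu

# ISO 3166-1 alpha-2 regulatory domain, e.g. SG or DE.
valid_country() { printf '%s' "$1" | grep -Eq '^[A-Z]{2}$'; }

# WPA2-PSK passphrases are 8..63 characters; SSIDs are 1..32 bytes.
valid_passphrase() { [ ${#1} -ge 8 ] && [ ${#1} -le 63 ]; }
valid_ssid() { [ ${#1} -ge 1 ] && [ ${#1} -le 32 ]; }

# Empty "ssh" file: its presence makes Raspberry Pi OS enable the SSH server on first boot.
write_ssh_flag() { : > "$1/ssh"; }

# userconf.txt holds "user:crypt-hash". Images from 2022-04-04 on have no default user,
# so without this file there is nothing to log in to.
write_userconf() {
    boot=$1; user=$2; hash=$3
    printf '%s:%s\n' "$user" "$hash" > "$boot/userconf.txt"
}

# Salted SHA-512 crypt hash; the password is read from stdin so it never lands in shell history.
hash_password() { openssl passwd -6 -stdin; }

# wpa_supplicant.conf. With wpa_passphrase present the psk line carries the derived PSK
# (still enough to join the network, but the reusable human passphrase is not disclosed
# if the card is read); otherwise the clear passphrase is written as in the text above.
write_wpa_conf() {
    boot=$1; country=$2; ssid=$3; pass=$4
    valid_country "$country" || { echo "bad country code: $country" >&2; return 1; }
    valid_ssid "$ssid" || { echo "SSID must be 1-32 bytes" >&2; return 1; }
    valid_passphrase "$pass" || { echo "passphrase must be 8-63 characters" >&2; return 1; }
    if command -v wpa_passphrase >/dev/null 2>&1; then
        psk_line=$(wpa_passphrase "$ssid" "$pass" | grep -E '^[[:space:]]*psk=[0-9a-f]{64}$' | tr -d '[:space:]')
    else
        psk_line="psk=\"$pass\""
    fi
    cat > "$boot/wpa_supplicant.conf" <<EOF
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=$country

network={
    scan_ssid=1
    ssid="$ssid"
    $psk_line
}
EOF
}

# Usage: sh headless.sh /media/$USER/boot pi SG "wifi-ssid"
# (account password and Wi-Fi passphrase are prompted without echo; nothing runs without arguments)
if [ $# -eq 4 ]; then
    write_ssh_flag "$1"
    printf 'password for %s: ' "$2"; stty -echo; read -r pw; stty echo; echo
    write_userconf "$1" "$2" "$(printf '%s' "$pw" | hash_password)"
    printf 'Wi-Fi passphrase: '; stty -echo; read -r wp; stty echo; echo
    write_wpa_conf "$1" "$3" "$4" "$wp"
fi
```

Raspberry Pi OS consumes userconf.txt and wpa_supplicant.conf on first boot and removes them from the boot partition, but the card is readable by anyone who holds it until then, which is why the PSK form is preferred when wpa_passphrase is available.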
Enable the TPM driver with a device tree overlay set in the bootloader config file. Run the following command after booting into Raspberry Pi OS (it appends to /boot/config.txt, so run it only once):
$ sudo su -c "echo 'dtoverlay=tpm-slb9670' >> /boot/config.txt"
Power down your Raspberry Pi and attach the Iridium 9670 TPM 2.0 board according to the following image.
Power up your Raspberry Pi and check if the TPM is enabled by looking for the device nodes.
$ ls /dev | grep tpm
/dev/tpm0
/dev/tpmrm0
On your host machine.
Install dependencies:
$ sudo apt update
$ sudo apt install git bc bison flex libssl-dev make libc6-dev libncurses5-dev
Install 32-bit toolchain:
$ sudo apt install crossbuild-essential-armhf
Download kernel source:
$ git clone https://github.com/raspberrypi/linux ~/linux
$ cd ~/linux
$ git checkout 1.20220331
$ make kernelversion
5.15.32
Patch the kernel (the changes are taken from [4][5]):
$ git clone https://github.com/wxleong/tpm2-rpi4 ~/tpm2-rpi4
$ cd ~/linux
$ git am ~/tpm2-rpi4/patch/0001-tpm-Remove-read16-read32-write32-calls-from-tpm_tis_.patch
$ git am ~/tpm2-rpi4/patch/0002-Tpm-i2c-driver-patch-pre-release-test.patch
Build:
$ KERNEL=kernel7l
$ make -j$(nproc) ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- bcm2711_defconfig
$ make -j$(nproc) ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- menuconfig
Device Drivers --->
Character devices --->
<M> TPM Hardware Support --->
<M> TPM Interface Specification 1.3 Interface / TPM 2.0 FIFO Interface - (I2C - generic)
$ make -j$(nproc) ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- zImage modules dtbs
Copy to the microSD card (substitute the microSD device identified earlier with fdisk for sd?; do not rely on the wildcard):
$ mkdir mnt
$ mkdir mnt/fat32
$ mkdir mnt/ext4
$ sudo umount /dev/sd?1
$ sudo umount /dev/sd?2
$ sudo mount /dev/sd?1 mnt/fat32
$ sudo mount /dev/sd?2 mnt/ext4
$ sudo env PATH=$PATH make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=mnt/ext4 modules_install
$ sudo cp mnt/fat32/$KERNEL.img mnt/fat32/$KERNEL-backup.img
$ sudo cp arch/arm/boot/zImage mnt/fat32/$KERNEL.img
$ sudo cp arch/arm/boot/dts/*.dtb mnt/fat32/
$ sudo cp arch/arm/boot/dts/overlays/*.dtb* mnt/fat32/overlays/
$ sudo cp arch/arm/boot/dts/overlays/README mnt/fat32/overlays/
$ sudo umount mnt/fat32
$ sudo umount mnt/ext4
Install device tree compiler on your host machine:
$ sudo snap install device-tree-compiler
Build the device tree blob overlay:
$ git clone https://github.com/wxleong/tpm2-rpi4 ~/tpm2-rpi4
$ dtc -@ -I dts -O dtb -o tpm-tis-i2c.dtbo ~/tpm2-rpi4/dts/tpm-tis-i2c.dts
Copy tpm-tis-i2c.dtbo to /boot/overlays/ and add the following line to the file /boot/config.txt:
dtoverlay=tpm-tis-i2c
Power up your Raspberry Pi and check if the TPM is enabled by looking for the device nodes.
$ ls /dev | grep tpm
/dev/tpm0
/dev/tpmrm0
As of March 13th, 2023, the latest release of Raspberry Pi OS ships Kernel v5.15. However, the TPM 2.0 I2C driver (TCG_TIS_I2C) is only available from Kernel v6.0 onward. It is possible to manually move Raspberry Pi OS to a v6.1 kernel to gain access to the TCG_TIS_I2C driver. Note that rpi-update installs a pre-release kernel and firmware from the next branch, so do this on a test device rather than one you depend on:
$ sudo apt update
$ sudo rpi-update next
$ sudo reboot
$ uname -a
Linux raspberrypi 6.1.10-v8+ #1628 SMP PREEMPT Mon Feb 6 19:22:54 GMT 2023 aarch64 GNU/Linux
The TCG_TIS_I2C driver module is enabled by default in the bcm2711_defconfig build, so there is no need to rebuild the kernel. However, the driver still has to be enabled in the device tree blob (DTB). To do this, first install the device tree compiler on your host machine:
$ sudo snap install device-tree-compiler
Build the device tree blob overlay:
$ git clone https://github.com/wxleong/tpm2-rpi4 ~/tpm2-rpi4
$ dtc -@ -I dts -O dtb -o tpm-tis-i2c.dtbo ~/tpm2-rpi4/dts/tpm-tis-i2c-2.dts
Copy tpm-tis-i2c.dtbo to /boot/overlays/ and add the following line to the file /boot/config.txt:
dtoverlay=tpm-tis-i2c
Power up your Raspberry Pi and check if the TPM is enabled by looking for the device nodes.
$ ls /dev | grep tpm
/dev/tpm0
/dev/tpmrm0
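The SPI, patched-kernel I2C and Linux-6.1 I2C steps above all end the same way: a dtoverlay line appended to /boot/config.txt and a check that /dev/tpm0 and /dev/tpmrm0 appeared. The script below is an added example, not code from the original page or project; it makes the config.txt edit idempotent (the echo >> used above appends a duplicate every time it is re-run) and, after reboot, reports which kernel driver actually claimed the device and the TPM family version, both read from the Linux TPM class in sysfs (/sys/class/tpm/tpm0, with its device/driver symlink and tpm_version_major attribute). The optional sysfs root argument exists only so the logic can be exercised on a fake tree.

```sh
#!/bin/sh
# Added example: enable a TPM overlay once, then verify what the kernel bound after reboot.
# Assumes Raspberry Pi OS with /boot/config.txt and the Linux TPM class layout under /sys.
set -eu

# Append LINE to FILE only if it is not already present as a whole line.
ensure_line() {
    file=$1; line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Overlay name for the bus the board is wired to, matching the two config.txt lines above.
overlay_for() {
    case "$1" in
        spi) echo "dtoverlay=tpm-slb9670" ;;
        i2c) echo "dtoverlay=tpm-tis-i2c" ;;
        *) echo "unknown bus: $1 (expected spi or i2c)" >&2; return 1 ;;
    esac
}

# Describe tpm0: TPM major version from sysfs and the driver bound to the underlying
# SPI/I2C device (tpm_tis_spi or tpm_tis_i2c on this board). The optional argument
# replaces /sys.
tpm_status() {
    sysroot=${1:-/sys}
    dev="$sysroot/class/tpm/tpm0"
    [ -d "$dev" ] || { echo "no tpm0 under $sysroot/class/tpm: overlay not loaded or board not detected"; return 1; }
    major=$(cat "$dev/tpm_version_major" 2>/dev/null || echo "?")
    driver=$(basename "$(readlink "$dev/device/driver" 2>/dev/null || echo unknown)")
    echo "tpm0 present: version=$major, driver=$driver"
}

# Usage: sudo sh tpm-overlay.sh enable spi|i2c   (then reboot)
#        sh tpm-overlay.sh status
case "${1:-}" in
    enable) ensure_line /boot/config.txt "$(overlay_for "${2:-}")" ;;
    status) ls -l /dev/tpm0 /dev/tpmrm0; dmesg | grep -i tpm || true; tpm_status ;;
esac
```

If status reports tpm0 but the driver is not the one you expected (for example tpm_tis_spi while the I2C overlay was intended), both overlay lines are present in config.txt and the wrong one won; remove the stale line and reboot.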
Update the package list:
$ sudo apt update
Install dependencies for tpm2-tss:
$ sudo apt -y install \
autoconf-archive \
libcmocka0 \
libcmocka-dev \
procps \
iproute2 \
build-essential \
git \
pkg-config \
gcc \
libtool \
automake \
libssl-dev \
uthash-dev \
autoconf \
doxygen \
libjson-c-dev \
libini-config-dev \
libcurl4-openssl-dev
Additional dependencies for tpm2-tools:
$ sudo apt -y install \
uuid-dev \
pandoc
Download tpm2-tss:
$ git clone https://github.com/tpm2-software/tpm2-tss ~/tpm2-tss
$ cd ~/tpm2-tss
$ git checkout 3.2.0
Build tpm2-tss:
$ ./bootstrap
$ ./configure
$ make -j$(nproc)
Install tpm2-tss:
$ sudo make install
$ sudo ldconfig
Check installation (the libtss2-* libraries should be listed):
$ ls /usr/local/lib/
Download tpm2-tools:
$ git clone https://github.com/tpm2-software/tpm2-tools ~/tpm2-tools
$ cd ~/tpm2-tools
$ git checkout 5.2
Build tpm2-tools:
$ ./bootstrap
$ ./configure
$ make -j$(nproc)
Install tpm2-tools:
$ sudo make install
$ sudo ldconfig
Check installation (the tpm2_* tools should be listed):
$ ls /usr/local/bin/
Grant access to the TPM device nodes. The quick way is to make them world read/write, which lets every local process on the Pi talk to the TPM; for anything beyond a first experiment, prefer a udev rule that gives the nodes to a dedicated group (tpm2-tss ships one as dist/tpm-udev.rules) and add your user to that group, using /dev/tpmrm0 (the resource-managed node) rather than raw /dev/tpm0:
$ sudo chmod a+rw /dev/tpm0
$ sudo chmod a+rw /dev/tpmrm0
Execute any tpm2_ command, e.g.,
$ tpm2_getrandom --hex 16
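As an added example, not code from the original page or project, the script below replaces the chmod a+rw step with group-based access and runs a first sanity check against the chip. The udev rule follows the shape of the tss rule that tpm2-tss ships (dist/tpm-udev.rules); its exact shipped text is not reproduced here, so compare it with the file in the source tree. The getcap parser assumes the YAML-style output of tpm2-tools 5.x (a TPM2_PT_MANUFACTURER: key followed by indented raw: and value: lines); the sample block in the test is constructed and uses Infineon's manufacturer string IFX, which is what an OPTIGA part reports.

```sh
#!/bin/sh
# Added example: group-based TPM access instead of world read/write, plus a smoke test.
# Assumes tpm2-tools 5.x on the Pi, udev, and sudo. The rule text is modelled on
# tpm2-tss's dist/tpm-udev.rules (assumption; check the file in the repo).
set -eu

# tpm0 (raw, exclusive) stays with the tss user only; tpmrm0 (kernel resource manager,
# shareable) is opened to the tss group. root keeps access regardless of mode bits.
tpm_udev_rule() {
    cat <<'EOF'
KERNEL=="tpm[0-9]*", MODE="0600", OWNER="tss"
KERNEL=="tpmrm[0-9]*", MODE="0660", GROUP="tss"
EOF
}

# "yes" if an octal mode grants any permission to "other", which is what chmod a+rw did.
world_accessible() {
    case "$1" in
        *[1-7]) echo yes ;;
        *) echo no ;;
    esac
}

# Create the tss user/group if needed, install the rule, re-trigger the tpm subsystem
# and put USER (default: the caller) into the tss group. Group membership applies at next login.
install_tpm_access() {
    user=${1:-$(id -un)}
    getent group tss >/dev/null || sudo groupadd --system tss
    id -u tss >/dev/null 2>&1 || sudo useradd --system -g tss -s /usr/sbin/nologin tss
    tpm_udev_rule | sudo tee /etc/udev/rules.d/60-tpm.rules >/dev/null
    sudo udevadm control --reload-rules
    sudo udevadm trigger --subsystem-match=tpm
    sudo usermod -aG tss "$user"
}

# Extract the manufacturer string from `tpm2_getcap properties-fixed` output on stdin.
manufacturer_from_getcap() {
    awk '/^TPM2_PT_MANUFACTURER:/ {m=1; next}
         m && /value:/ {sub(/.*value: *"/, ""); sub(/".*/, ""); print; exit}'
}

# First contact: vendor, 16 random bytes, and the boot-measurement PCRs.
tpm_smoke_test() {
    vendor=$(tpm2_getcap properties-fixed | manufacturer_from_getcap)
    echo "manufacturer: $vendor"
    [ "$vendor" = IFX ] || echo "warning: expected an Infineon (IFX) part, got '$vendor'" >&2
    tpm2_getrandom --hex 16; echo
    tpm2_pcrread sha256:0,1,2,3
}

# Usage: sh tpm-access.sh setup [user]    then log out/in and: sh tpm-access.sh check
case "${1:-}" in
    setup) install_tpm_access "${2:-}" ;;
    check) tpm_smoke_test ;;
esac
```

tpm2-tools picks /dev/tpmrm0 by default when it exists, so a user in the tss group can run every tpm2_ command without touching the raw node; only one process at a time can hold /dev/tpm0 open, which is another reason to leave it to tss.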
Download tpm2-tss-engine:
$ git clone https://github.com/tpm2-software/tpm2-tss-engine ~/tpm2-tss-engine
$ cd ~/tpm2-tss-engine
$ git checkout v1.1.0
Build tpm2-tss-engine:
$ ./bootstrap
$ ./configure
$ make -j$(nproc)
Install tpm2-tss-engine:
$ sudo make install
$ sudo ldconfig
Check installation (the tpm2tss engine library should be listed):
$ ls /usr/lib/arm-linux-gnueabihf/engines-1.1/
To debug tpm2-tss [6]:
# possible levels are: NONE, ERROR, WARNING, INFO, DEBUG, TRACE
$ export TSS2_LOG=all+TRACE
More tpm2-tools examples are in [2].
[1] https://www.infineon.com/cms/en/product/evaluation-boards/iridium9670-tpm2.0-linux/
[2] https://github.com/wxleong/tpm2-cmd-ref
[3] https://forums.raspberrypi.com/viewtopic.php?t=236915
[4] https://patchwork.kernel.org/project/linux-integrity/list/?series=628665
[5] https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/commit/?id=0961f3b0457388111b92a8306d3718e0ad3932c8
[6] https://github.com/tpm2-software/tpm2-tss/blob/master/doc/logging.md
[7] https://www.infineon.com/cms/en/product/evaluation-boards/optiga-tpm-9672-rpi-eval/
[8] https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/optiga-tpm-slb-9673-fw26/
This project is licensed under the MIT License - see the LICENSE file for details.