raspi4-setup

  1. Install Raspbian on the SD card. I picked the Desktop version of the 32-bit image from here.

  2. Boot it for the first time (username is pi, password is raspi4) and follow the tutorial to update the base system.

  3. Enable the TPM chip by following the instructions. Adjust the formatting so that the overlay entry looks like the snippet below.

# and load the TPM device tree overlay with
dtoverlay=tpm-slb9670

  4. Install the build-time dependencies with sudo apt-get install autotools-dev autoconf libtool libssl-dev libjson-c-dev libcurl4-openssl-dev uuid-dev libglib2.0-dev

  5. Install the latest releases of tpm2-tss, tpm2-tools, tpm2-tss-engine, and tpm2-abrmd, in this order, using ./configure; make; sudo make install. Note that each of these packages has its own dependencies, listed on the corresponding pages. Copy the D-Bus authorization file below and create the tss group:

sudo cp dist/tpm2-abrmd.conf /etc/dbus-1/system.d
sudo useradd --system --user-group tss
sudo usermod -a -G tss pi

  6. Change the permissions of the device nodes so that they do not require root by creating the file /etc/udev/rules.d/tpm-udev.rules with the following contents:

KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss", GROUP="tss"
KERNEL=="tpmrm[0-9]*", TAG+="systemd", MODE="0660", OWNER="tss", GROUP="tss"

Reboot for these changes to take effect.
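A post-reboot sanity check for the TPM overlay, tpm2-abrmd and udev steps above, added here as an example (it is not part of the original guide). Each check takes its inputs as arguments so it can be exercised on constructed files; check_all runs them against the paths the guide uses, assuming the overlay line was placed in /boot/config.txt and that GNU stat is available (as on Raspbian).

```shell
#!/bin/sh
# Sanity check for the TPM setup steps above (added example, not part of the
# original guide). Every check takes its input as arguments, so it can be run
# against constructed files as well as the live system. Assumes GNU stat.

# The udev rule file must give both tpm* and tpmrm* nodes mode 0660 and group tss.
check_udev_rules() {
  rules="$1"
  [ -r "$rules" ] || return 1
  for node in 'tpm[0-9]*' 'tpmrm[0-9]*'; do
    line=$(grep -F "KERNEL==\"$node\"" "$rules") || return 1
    printf '%s\n' "$line" | grep -q 'MODE="0660"' || return 1
    printf '%s\n' "$line" | grep -q 'GROUP="tss"'  || return 1
  done
}

# A device node must be mode 0660 (no world access) and owned by the expected group.
check_node_perms() {
  node="$1" group="$2"
  [ -e "$node" ] || return 1
  [ "$(stat -c '%a' "$node")" = "660" ] || return 1
  [ "$(stat -c '%G' "$node")" = "$group" ]
}

# The overlay line must be present and not commented out in the config file.
check_overlay() {
  grep -Eq '^[[:space:]]*dtoverlay=tpm-slb9670([[:space:]]|$)' "$1"
}

# Group membership as seen by the live system (takes effect only after re-login).
check_group_member() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

report() { if "$@"; then echo "ok      $*"; else echo "FAILED  $*"; fi; }

# Run all checks against the real paths used in the guide (assumed locations).
check_all() {
  report check_overlay /boot/config.txt
  report check_udev_rules /etc/udev/rules.d/tpm-udev.rules
  report check_node_perms /dev/tpm0 tss
  report check_node_perms /dev/tpmrm0 tss
  report check_group_member pi tss
  report test -f /etc/dbus-1/system.d/tpm2-abrmd.conf
}

case "${1:-}" in --run) check_all ;; esac
```

Save it as a script and run it with --run on the Pi after the reboot; a FAILED line for "pi in tss" right after the usermod step usually just means the session has not been re-logged in yet.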

WolfSSL

  1. Build wolfssl and wolfTPM with /dev/tpmX support as described here.

  2. Run a TLS server from wolfTPM with sudo ./examples/tls/tls_server -ecc and verify that it works from a browser on another machine by pointing it at the device's address on port 11111. Note that you will get a certificate validation warning, which can be eliminated by accepting or installing the CA certificates in the browser.

The many examples in the examples folder should be sufficient for writing applications using TLS and keys stored in the TPM.

OpenSSL

  1. The resource management daemon can now be enabled and started with:

sudo systemctl enable tpm2-abrmd.service
sudo systemctl start tpm2-abrmd.service

  2. Follow this tutorial.

Troubleshooting

After a couple of failed attempts, I usually start getting error 0x902 (TPM_RC_OBJECT_MEMORY), which seems to be related to the exhaustion of the TPM's memory space for holding keys. I manage to solve this by running sudo tpm2_clear and running the TLS server setup again.