TPM 1.2

HI! I have just installed OS Tumbleweed and want to make use of TPM 1.2 (to avoid entering a password at each boot). How to activate TPM and configure it to make it work? Do I need to enable secure boot in BIOS? Currently it is in status disabled.

I do not know much about TPM, but I assume that you must first install the software that belongs to it. So in YaST > Software > Software management, search for tpm and look which one of those packages you think you need (probably when choosing the main one those needed for it will be checked for install also). Then you will probably have tools, etc. and maybe man pages.

Thanks for the fast response. I in fact have already installed tpm-tools and TrouSerS with some extras which I can see in YaST2 now. But there is no GUI to open a program to make changes and activate TPM. There probably is a command line which I cannot find. By the way, TPM is activated in BIOS, but secure boot is not enabled in BIOS (due to strange BIOS behavior). As soon as I choose secure boot in BIOS and restart, there is no way to get into BIOS anymore except clearing CMOS. I have an HP ProDesk 600 G1 machine. I guess there would be no harm in just entering a password to decrypt the SSD at each boot, but knowing there is a TPM processor built in, and not using it, feels somehow incomplete.

https://en.wikipedia.org/wiki/Trusted_Platform_Module

TPM helps to prevent some dangers, but not all (IMHO Evil maid attack, but you need other settings).

To protect your info you need:

  1. FDE - full disk encryption (but what about ESP = EFI system partition?)
  2. EFI boot
  3. Enabled secure boot
  4. Enabled TPM boot

You may enable secure boot and TPM boot with YaST boot loader settings.

Using TPM boot without FDE is stupid.
Using TPM boot without secure boot is impossible or not useful.

Consult with tech support. Possibly you need to set passwords in BIOS (admin and/or user).

If you can break protection by clearing CMOS, then why do you need such protection?

…evil maid? really?

https://twitter.com/SecurityJon/status/1445020890555691012

:smiley:

Clearing CMOS will also remove BIOS passwords (if these are set). I have full disk encryption anyway, so there is data protection. Just wanted to make things easier with TPM, to avoid entering a password at each boot. With BitLocker in Win 10 it works like a charm; thought the same could be done in openSUSE.

But this is for Windows and storing keys in TPM module.
What about Linux with FDE without storing keys inside laptop and using firmware TPM and secure boot?

No useful answer yet.
OK, mentioning FDE, secure boot and trusted boot shows application examples, but the question was how to find the TPM in the hardware list, access and control the TPM and read out accessible keys, and generate secure random numbers using the TPM. For getting started, TrouSerS for a TCG Software Stack (TSS) or tpm-tools may be the entrance. Where are good tutorials about that?
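The first of the questions in the last post (is the TPM visible at all, what does the kernel say about it, and is it enabled/active/owned) can be answered from sysfs before any TSS is involved. The following POSIX shell script is an added example written for this thread, not code from the thread or from tpm-tools. It assumes the Linux `tpm` driver's sysfs layout (`/sys/class/tpm/tpmN`, with the TPM 1.2 `caps`, `enabled`, `active`, `owned` and `pcrs` attributes either directly under the device or under its `device/` subdirectory depending on kernel version) and the `hw_random` sysfs node for the kernel's TPM-backed entropy source. The sysfs root is a parameter so the functions can be exercised against a constructed directory tree; the labels in the output are the script's own.

```shell
#!/bin/sh
# Added example (not from the thread): probe a TPM 1.2 through the Linux
# kernel's sysfs interface.  Assumed layout: /sys/class/tpm/tpmN plus the
# TPM 1.2 attributes caps/enabled/active/owned/pcrs, which older kernels put
# under tpmN/device/ and newer kernels directly under tpmN/.
# Usage: sh tpm_probe.sh --report [sysfs-root]     (sysfs-root defaults to /sys)

# Read one TPM attribute, trying both attribute locations; fails if absent.
_tpm_attr() {
    for p in "$1/class/tpm/$2/$3" "$1/class/tpm/$2/device/$3"; do
        if [ -r "$p" ]; then cat "$p"; return 0; fi
    done
    return 1
}

# List the TPM devices the kernel has registered (tpm0, tpm1, ...).
# Prints nothing and returns 1 when the kernel sees no TPM at all, which on
# the machine in the thread usually means the TPM is off in the BIOS.
tpm_devices() {
    root="${1:-/sys}"; found=1
    for d in "$root"/class/tpm/tpm[0-9]*; do
        [ -d "$d" ] || continue
        basename "$d"; found=0
    done
    return $found
}

# Report the TPM family.  Newer kernels expose tpm_version_major (1 or 2);
# older ones only have the TPM 1.2 "caps" file, whose lines include
# "TCG version: 1.2".  A TPM 2.0 has no caps file.
tpm_family() {
    root="${1:-/sys}"; dev="${2:-tpm0}"
    if v=$(_tpm_attr "$root" "$dev" tpm_version_major 2>/dev/null); then
        case "$v" in 1) echo 1.2 ;; 2) echo 2.0 ;; *) echo unknown ;; esac
    elif v=$(_tpm_attr "$root" "$dev" caps 2>/dev/null); then
        printf '%s\n' "$v" | sed -n 's/^TCG version: *//p'
    else
        echo unknown
    fi
}

# TPM 1.2 state flags: enabled/active are what the BIOS "disabled" status
# maps to; owned tells whether tpm_takeownership has ever been run.
tpm_state() {
    root="${1:-/sys}"; dev="${2:-tpm0}"; out=""
    for a in enabled active owned; do
        v=$(_tpm_attr "$root" "$dev" "$a" 2>/dev/null) || v="?"
        out="$out${out:+ }$a=$v"
    done
    echo "$out"
}

# Number of PCR lines ("PCR-00: ...") the TPM 1.2 driver exposes; 0 means the
# pcrs attribute is missing (TPM 2.0, or the TPM is deactivated).
tpm_pcr_count() {
    root="${1:-/sys}"; dev="${2:-tpm0}"
    _tpm_attr "$root" "$dev" pcrs 2>/dev/null | grep -c '^PCR-' || true
}

# Name of the TPM-backed hwrng source, if the kernel registered one; this is
# the random-number path the kernel already offers without any TSS.
tpm_rng_source() {
    root="${1:-/sys}"
    f="$root/class/misc/hw_random/rng_available"
    [ -r "$f" ] || return 1
    tr ' ' '\n' < "$f" | grep '^tpm' | head -n 1
}

# Human-readable summary of everything above.
tpm_report() {
    root="${1:-/sys}"
    devs=$(tpm_devices "$root") || {
        echo "no TPM registered by the kernel (TPM off in BIOS, or tpm_tis not loaded?)"
        return 1
    }
    for dev in $devs; do
        echo "$dev: TPM $(tpm_family "$root" "$dev"); $(tpm_state "$root" "$dev"); PCR lines: $(tpm_pcr_count "$root" "$dev")"
    done
    rng=$(tpm_rng_source "$root") && [ -n "$rng" ] && echo "hwrng source from TPM: $rng (feeds /dev/hwrng)"
    return 0
}

if [ "${1:-}" = "--report" ]; then tpm_report "${2:-/sys}"; fi
```

If `tpm_devices` prints nothing, the kernel never saw the chip and nothing in user space (tcsd, tpm-tools) can help; that is the BIOS side. If it prints `tpm0` but `enabled=0` or `active=0`, the chip is present but switched off, which is the state the original post describes; tpm-tools' `tpm_setenable` and `tpm_setactive` address exactly that (both need the `tcsd` daemon from TrouSerS running), and `tpm_takeownership` is what turns `owned=0` into `owned=1` before any sealing can be done. On a real box, `tpm_report /sys` runs the probe; the `--report` guard keeps the file inert when it is only sourced for its functions.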