How computers tell who they are using TPM2
Jarkko Sakkinen, Software Engineer, Opinsys Oy
jarkko.sakkinen@opinsys.fi
jarkko@kernel.org
October 7, 2025
Pre-existing science on computer identification.
• IP and MAC addresses of the network interface.
‣ /dcc send in the pre-NAT times ;-)
• Certificates and keys stored in the hard drive.
‣ /etc/ssh/ssh_host_ed25519_key.
• Nitrokey, Yubikey
‣ systemd-cryptenroll --fido2-device=auto <device>
echo "onlyfans <device> - fido2-device=auto" >> /etc/crypttab
update-initramfs -u
‣ After reboot: /dev/mapper/onlyfans.
Jarkko Sakkinen, October 2025 2
Issues with pre-existing science
• Opportunities for unauthorized access flourish in all of the solutions.
• Standalone devices are decoupled from the computer’s identity.
• Private keys can be relocated, even when the keys are protected.
Identity with TPM2
• A TPM2 chip is somewhat more tightly coupled with a computer.
• Endorsement keys (EKs): keys derived from a factory-generated random seed.
• Endorsement certificates (ECs): X.509 certificates signed by the vendor.
• Attestation identity keys (AIKs): subkeys of endorsement keys.
Verifying EKs
$ tpm2_getekcertificate -o rsa-ek.cer -o ecc-ek.cer
$ openssl x509 -in rsa-ek.cer -text -noout | grep "CA Issuers"
CA Issuers - URI:http://pki.infineon.com/OptigaRsaMfrCA042/OptigaRsaMfrCA042.crt
$ curl -so signer.cer http://pki.infineon.com/OptigaRsaMfrCA042/OptigaRsaMfrCA042.crt
$ sudo openssl x509 -in signer.cer -text -noout | grep "CA Issuers"
CA Issuers - URI:http://pki.infineon.com/OptigaRsaRootCA/OptigaRsaRootCA.crt
$ curl -so root.cer http://pki.infineon.com/OptigaRsaRootCA/OptigaRsaRootCA.crt
$ openssl x509 -inform der -in root.cer -outform pem -out root.pem
$ openssl x509 -inform der -in signer.cer -outform pem -out signer.pem
$ openssl x509 -inform der -in rsa-ek.cer -outform pem -out rsa-ek.pem
$ openssl verify -CAfile root.pem -untrusted signer.pem rsa-ek.pem
rsa-ek.pem: OK
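The same chain walk as a script, added here and not part of the slides: it follows each certificate's CA Issuers pointer with curl until a certificate has none, converts every hop to PEM, and runs openssl verify with only the final root trusted. The names fetch_ek_chain and verify_ek_chain are mine, and it assumes the vendor root carries no CA Issuers pointer, as in the Infineon chain shown above.

```shell
#!/bin/sh
# Walk the "CA Issuers" pointers from an EK certificate up to the vendor root,
# then verify the EK against that chain with only the root as trust anchor.
# Assumes openssl and curl; fetch_ek_chain needs network, verify_ek_chain does not.
set -eu

# Print the first "CA Issuers" URI found in a PEM certificate, or nothing.
ca_issuers_uri() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*CA Issuers - URI:\(.*\)$/\1/p' | head -n 1
}

# $1 = EK certificate (DER, as written by tpm2_getekcertificate), $2 = output dir.
# Stores the chain as $2/cert.0 (EK), cert.1 ... cert.N (root) in PEM and prints N.
# Stops after 8 hops so a looping or endless AIA chain cannot run forever.
fetch_ek_chain() {
    dir=$2
    i=0
    openssl x509 -inform der -in "$1" -out "$dir/cert.0"
    while [ "$i" -lt 8 ]; do
        uri=$(ca_issuers_uri "$dir/cert.$i")
        [ -n "$uri" ] || break      # no pointer: this is the root
        i=$((i + 1))
        curl -fso "$dir/cert.$i.der" "$uri"
        openssl x509 -inform der -in "$dir/cert.$i.der" -out "$dir/cert.$i"
    done
    echo "$i"
}

# $1 = directory written by fetch_ek_chain, $2 = N (index of the root).
# Only cert.N is trusted; cert.1 .. cert.N-1 are passed as -untrusted intermediates.
verify_ek_chain() {
    dir=$1
    n=$2
    i=1
    untrusted=""
    while [ "$i" -lt "$n" ]; do
        untrusted="$untrusted -untrusted $dir/cert.$i"
        i=$((i + 1))
    done
    # word splitting of $untrusted is intended (paths without spaces assumed)
    openssl verify -CAfile "$dir/cert.$n" $untrusted "$dir/cert.0"
}

# Example usage (needs network): n=$(fetch_ek_chain rsa-ek.cer ./chain) && verify_ek_chain ./chain "$n"
```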
Verifying AIKs in the cloud
Participants: Client, TPM, Cloud.
1. Client → TPM: TPM2_Create
2. TPM → Client: AIK_pub (AIK_priv is retained inside TPM)
3. Client → Cloud: AIK_pub, EK_cert
4. Cloud → Client: C = Encrypt(S + AIK_name, EK_pub)
5. Client → TPM: TPM2_ActivateCredential(C, AIK_name)
6. TPM → Client: S_guess (from Decrypt(C, EK_priv))
7. Client → Cloud: S_guess
What can one do with AIKs?
• Deliver secrets from the cloud to the client, which is the second application for
TPM2_ActivateCredential.
• Provide cryptographic proofs about platform state using platform configuration registers
(PCRs) and TPM2_Quote.
• Provide evidence of the origin of storage keys using TPM2_Certify.
‣ Storage keys support encryption, migration and more application specific cryptographic
operations.
Authenticating client
• EKs only guarantee that we are talking to the computer we expect.
• They don’t guarantee the computer’s state, i.e., its software configuration.
• By requesting a quote from the TPM and the event log from the UEFI firmware, the full boot
sequence can be verified.
Platform configuration registers (PCRs)
• There are 24 PCR registers.
• Write ops: TPM2_PCR_Extend or TPM2_PCR_Event.
‣ H(PCR + measurement)
• Multiple banks (SHA-1, SHA-256)
• Reset to zero at power on.
• Each layer of the boot chain will extend some of them.
• TPM2_Quote provides a way to sign a subset of the PCRs.
TPM2_Quote command
• As defined in the tpm2-protocol Rust crate:
    tpm_struct! {
        #[derive(Debug, PartialEq, Eq, Clone)]
        kind: Command,
        name: TpmQuoteCommand,
        cc: TpmCc::Quote,
        handles: {
            pub sign_handle: crate::data::TpmiDhObject,
        },
        parameters: {
            pub qualifying_data: Tpm2bData,
            pub in_scheme: TpmtSignature,
            pub pcr_select: TpmlPcrSelection,
        }
    }
• qualifying_data is the challenge sent by the server.
TPM2_Quote response
    tpm_struct! {
        #[derive(Debug, PartialEq, Eq, Clone)]
        kind: Response,
        name: TpmQuoteResponse,
        cc: TpmCc::Quote,
        handles: {},
        parameters: {
            pub quoted: Tpm2bAttest,
            pub signature: TpmtSignature,
        }
    }
UEFI firmware event log
• From the quoted PCR values alone, the server only knows that those are the final values.
• The UEFI firmware event log is a binary log extended by the firmware, boot loaders, kernel etc.
during the boot process, whenever PCRs are extended.
• The binary format is specified by the UEFI standard.
‣ /sys/kernel/security/tpm0/binary_bios_measurements
• UEFI secure boot needs to be enabled in order to have it available.
Authenticating in the cloud
1. The cloud sends challenge data.
2. The client computes a TPM2_Quote, piggybacks the event log on it, and sends both to the
cloud.
3. The cloud enumerates the event log and checks that the final values match the quote.
4. This provides TPM-sealed details of the full boot process to the cloud, in the spirit of
Merkle trees and similar hash-pointer data structures.
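The replay in steps 2 and 3, together with the H(PCR + measurement) extend rule from the PCR slide, as an added example that is not part of the slides: it parses a SHA-256-only TCG_PCR_EVENT2 log, replays it from zeroed PCRs and reports which quoted PCR values the log does not explain. It assumes the SHA-1-format Spec ID header that starts a real binary_bios_measurements file has already been stripped; the event types and event data used for testing are constructed.

```python
import hashlib
import struct

# TCG_PCR_EVENT2 digest algorithm ids and sizes (TPM_ALG_SHA1 / SHA256 / SHA384).
TPM_ALG_SHA256 = 0x000B
DIGEST_SIZES = {0x0004: 20, 0x000B: 32, 0x000C: 48}

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend on a SHA-256 bank: new PCR = H(old PCR || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()

def make_event(pcr_index: int, event_type: int, digest: bytes, data: bytes) -> bytes:
    """Build one TCG_PCR_EVENT2 record with a single SHA-256 digest (constructed test input)."""
    return (struct.pack("<IIIH", pcr_index, event_type, 1, TPM_ALG_SHA256)
            + digest + struct.pack("<I", len(data)) + data)

def parse_events(log: bytes):
    """Yield (pcr_index, event_type, sha256_digest, event_data) for every record.
    Assumes the SHA-1-format Spec ID header of a real log was already stripped."""
    off = 0
    while off < len(log):
        pcr_index, event_type, count = struct.unpack_from("<III", log, off)
        off += 12
        sha256 = None
        for _ in range(count):  # TPML_DIGEST_VALUES: one digest per active bank
            (alg,) = struct.unpack_from("<H", log, off)
            off += 2
            if alg == TPM_ALG_SHA256:
                sha256 = log[off:off + 32]
            off += DIGEST_SIZES[alg]
        (data_len,) = struct.unpack_from("<I", log, off)
        off += 4
        yield pcr_index, event_type, sha256, log[off:off + data_len]
        off += data_len

def replay_log(log: bytes, num_pcrs: int = 24) -> list:
    """Recompute every PCR from its power-on value of zero by replaying the log."""
    pcrs = [bytes(32)] * num_pcrs
    for pcr_index, _, digest, _ in parse_events(log):
        if digest is None:
            raise ValueError(f"event for PCR {pcr_index} carries no SHA-256 digest")
        pcrs[pcr_index] = pcr_extend(pcrs[pcr_index], digest)
    return pcrs

def check_quote(log: bytes, quoted: dict) -> list:
    """Return the PCR indices whose replayed value differs from the quoted one.
    An empty list means the log fully explains the values the TPM signed."""
    replayed = replay_log(log)
    return sorted(i for i, value in quoted.items() if replayed[i] != value)
```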
Applications
• Windows Hello or Azure/Intune (trying to make sense of MS naming conventions).
• Data center nodes (can dictate e.g. IP address delivery for a node).
• Military drones, as TPM2 delivers ultra-secure command and control.
• Classroom computers for students ;-)