On boot the router card should do two things to the TPM
1) Reset the dictionary lockout
2) Set the platform authorization to a random password and throw it away
The first is necessary because the TPM will lock itself after some number of improper shutdowns. Since the router card is never shutdown properly --- power is just cut --- this will eventually manifest. Resetting the dictionary lockout on boot resets that counter.
The second prevents malicious applications from performing administrative actions on the TPM. On desktop/server systems, this is done by the BIOS. On an embedded device, we have to take care of it.
The most recent release of U-Boot has TPM2 commands that can perform this full sequence
TPM Startup
TPM Self Test
TPM Dictionary Lockout Reset
TPM Change Hierarchy Auth
So I propose the following approach:
[ ] Update to the most recent version of U-Boot
[ ] Configure U-Boot to include the TPM2 driver
[ ] Add the TPM to the device tree file in U-Boot (arch/arm/dts/at91-xaprc001.dts). The relevant section can be copied from the arch/arm/dts/at91-xaprc001.dts in this repo.
[ ] Add a function configure_tpm() to our U-Boot board/xaptum/xaprc001/xaprc001.c and call it from board_late_init().
The configure_tpm() function should
Call tpm2_startup()
Call tpm2_self_test()
Call tpm2_dam_reset()
Call tpm2_change_auth() on the Platform Hierarchy to a random password and throw away the password.
The random password can be generated by issuing a GetRandom command to the TPM.
On boot the router card should do two things to the TPM
1) Reset the dictionary lockout 2) Set the platform authorization to a random password and throw it away
The first is necessary because the TPM will lock itself after some number of improper shutdowns. Since the router card is never shutdown properly --- power is just cut --- this will eventually manifest. Resetting the dictionary lockout on boot resets that counter.
The second prevents malicious applications from performing administrative actions on the TPM. On desktop/server systems, this is done by the BIOS. On an embedded device, we have to take care of it.
The most recent release of U-Boot has TPM2 commands that can perform this full sequence
So I propose the following approach:
arch/arm/dts/at91-xaprc001.dtsin this repo.configure_tpm()to our U-Bootboard/xaptum/xaprc001/xaprc001.cand call it fromboard_late_init().The
configure_tpm()function shouldtpm2_startup()tpm2_self_test()tpm2_dam_reset()tpm2_change_auth()on the Platform Hierarchy to a random password and throw away the password.The random password can be generated by issuing a GetRandom command to the TPM.