
LetsTrust TPM: let's get started!

So, I now have the module. What next?

There is now a new plug-and-play image: one for all Pis.

You can find the entry about it here: Link


You now have three options:
1.: Download the image for the Raspberry Pi and copy it with dd to an SD card >=4GB.
Image: plug_n_play_image.img
How-to for the plug-and-play image: PlugandPlayImage_en.txt

Checksums of the image:
MD5: 27aeac85aa4e1ca1588808ad5b988a25
SHA-1: ceab60c4b538313a28d59b8bfce8184a7ad83f02
SHA-256: 88216ab485b93a706d229a9e95c99a0fa32291964b65c8fafb48440dc904eb9c

2.: Use the precompiled modules and the matching device tree entry in your own kernel; the instructions and the modules are packed together in an archive.
Checksums of the archive:
MD5: 5ea87f7068ff0603d673b017e4175097
SHA-1: 2cd863bdb67260f2eabbf73405a483e6153b5d28
SHA-256: 355b901178c39eb19398d9c352829923492a9e6987e1f3651a9a757955ad2559

3.: Or the hard and rocky road: build and patch the kernel yourself.
You will find the instructions and the patch for this in this archive:
Checksums of the archive:
MD5: 7607cc3c35407f51fef23e44be2c32eb
SHA-1: d5a0b42ca40158ce30ef3a1ddef8f11ae383b732
SHA-256: 2eec1442315a1cd0691626bd6910ff54128d03793bf1eb2701aea4b54e8034bd
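
For option 1, an added example (not part of the original post or the LetsTrust how-to) that checks the downloaded image against the SHA-256 published above and only then writes it with dd. The function names, the optional third argument and the target device given on the command line are assumptions; only SHA-256 is checked because it is the strongest of the three digests listed.

```shell
#!/bin/sh
# Added example, not from the original post. SHA-256 value copied from this page.
IMAGE_SHA256="88216ab485b93a706d229a9e95c99a0fa32291964b65c8fafb48440dc904eb9c"

# verify_sha256 FILE HEX: 0 = match, 1 = mismatch, 2 = file not readable
verify_sha256() {
    [ -r "$1" ] || return 2
    got=$(sha256sum "$1" | cut -d' ' -f1)
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$got" = "$want" ]
}

# flash_image IMAGE DEVICE [HEX]: write IMAGE to DEVICE only after it verifies.
# HEX defaults to the published digest (the override is an assumption, for testing).
flash_image() {
    image=$1 device=$2 digest=${3:-$IMAGE_SHA256}
    if ! verify_sha256 "$image" "$digest"; then
        echo "refusing to write: $image does not match $digest" >&2
        return 1
    fi
    if [ ! -b "$device" ]; then
        echo "refusing to write: $device is not a block device" >&2
        return 3
    fi
    if grep -q "^$device" /proc/mounts; then
        echo "refusing to write: $device (or a partition on it) is mounted" >&2
        return 4
    fi
    dd if="$image" of="$device" bs=4M conv=fsync
}

# Usage: sh flash.sh plug_n_play_image.img /dev/sdX   (device name is a placeholder)
if [ "$#" -eq 2 ]; then
    flash_image "$1" "$2"
fi
```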

Happy Patching!

That's it for today!

See you soon!



John Does on :

raspbian rpi2 using precompiled

1. copied the dtbs to /boot
2. copied tpm recursively to lib/modules/4.9.0-2-rpi2/kernel/drivers/char/tpm
3. Boot Problem:

usb 1-1: new full-speed USB device number 3 using dwc_otg
usb 1-1: device not accepting address 3, error -110
Indeeed it is in host mode hprt0 = 00021651
(goes on until address == 5)
ends with: usb usb1-port1: unable to enumerate USB device


John Does on :

precompiled modules are for kernel 4.4.50+ but the boot problem happens as soon as I try using the bcm2709-rpi-2-b.dtb from the zip.

Instead I compiled a 4.12-rc4 bcm2709_defconfig and configured TPM as module together with native SPI as explained in


was given

spidev1: tpm_spi_tis@1{
compatible = "tcg,tpm_spi_tis";

and make dtbs compiled that to dtb (copied over to /boot afterwards).

It doesn't load the modules and when I load the modules manually the /dev/tpm* doesn't show up either.

spi is active it loads the spi_bcmXXXX module.

added dtdebug=1 to config.txt

vcdbg log msg

doesn't show anything related to the tpm device (don't know if that's expected).

Paul Kissinger on :

Hi John Doe ;),

Thank you for your feedback!
I could reproduce this error on my raspi Zero W!

Please give me some days to find and fix this problem in the precompiled version.

Best regards,

John Does on :

OK I got it - the .compatible is just different! Look

root@pi:~/linux/arch/arm/boot/dts# git diff bcm2709-rpi-2-b.dts
diff --git a/arch/arm/boot/dts/bcm2709-rpi-2-b.dts b/arch/arm/boot/dts/bcm2709-rpi-2-b.dts
index 434c4519..af2eb25a 100644
--- a/arch/arm/boot/dts/bcm2709-rpi-2-b.dts
+++ b/arch/arm/boot/dts/bcm2709-rpi-2-b.dts
@@ -55,12 +55,9 @@
#size-cells = ;
spi-max-frequency = ;
- spidev1: spidev@1{
- compatible = "spidev";
+ spidev1: tpm_spi_tis@1{
+ compatible = "tcg,tpm_tis-spi";
reg = ; / CE1 /
- #address-cells = ;
- #size-cells = ;
spi-max-frequency = ;
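
Review bot: on the renamed node ("spidev1: tpm_spi_tis@1{") the label is still "spidev1" although the node no longer binds to spidev; rename the label as well (for example to "tpm") so that anything referencing &spidev1 does not silently end up pointing at the TPM. Since the compatible value on the "+" line differs from the "tcg,tpm_spi_tis" used earlier in this thread, a short comment next to it naming the kernel version it was tested against would save the next reader the same search.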

so it's actually "tcg,tpm_tis-spi" instead of "tcg,tpm_spi_tis" now :-)

root@pi:~/linux/arch/arm/boot/dts# uname -a
Linux pi 4.12.0-rc4-v7+ #1 SMP Sun Jun 11 15:46:12 UTC 2017 armv7l GNU/Linux

root@pi:~/linux/arch/arm/boot/dts# ls /dev/tp*
/dev/tpm0 /dev/tpmrm0

Anonymous on :

Hi John Doe2,

Wow, you found this issue!
Same to you, thank you for your feedback!

I'm discussing this with my Linux guru.
Here again, please give me some days to find and fix this problem.

Best regards,


John Does on :

Also.. resourcemgr (which is mentioned in the howto as prerequisite to talk to the tpm) was removed from

commit 7966ef8916f79ed09eab966a58d773f413fbb67f
Author: Philip Tricca
Date: Wed May 10 09:32:36 2017 -0700

Remove resourcemgr and fixup build.

tpmclient and test won't work.

John Does on :

so the resourcemgr was replaced with

after make install you would have to copy the /usr/local/etc/dbus-1/system.d/tpm2-abrmd.conf to /etc/dbus-1/system.d/ and systemctl reload dbus or else the /usr/local/sbin/tpm2-abrmd is not going to work (raspbian stretch).

starting the tpm2-abrmd.service unit should be working then.

recompiling tpm2.0-tools with

./configure --with-tcti-tabrmd --with-tcti-socket --with-tcti-device

unfortunately ends up with problems finding some gio.h includes from glib2..

This is quite a journey :-/

Anonymous on :

Hi JohnDoe,

first of all - thanks for trying it out and reporting the issues to us.
This is really appreciated!!

Yes, it's currently a bit messy - the TPM2.0 ecosystem currently gains a lot of momentum and thus leads to some churn and chicken-and-egg problems :/
e.g. the resource manager was removed from the stack, since it was added to the kernel.
That the compatible string was changed was also unfortunate.
"infineon,slb9670" would work in both cases.

I hope we can look into that stuff over the weekend and create new tutorials/how-tos on how to use it on a current kernel with the current tools/stack.
We would be happy if you would try them out then and give feedback.

About your question with the missing headers - if you have a look in the .travis.yml you see that you need to have the following packages installed on your system:
- autoconf-archive
- openssl
- libssl-dev
- libcurl4-openssl-dev
- libdbus-1-dev
- libglib2.0-dev

sudo apt-get install autoconf-archive openssl libssl-dev libcurl4-openssl-dev libdbus-1-dev libglib2.0-dev
should do the trick.

Take care!
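
The compatible-string mismatch worked out in the comments above can be checked on a running system before digging into module loading. An added example (not from the original thread or the LetsTrust how-to): it walks the live device tree and reports which of the three strings named on this page each TPM node declares. The function names, the labels and the DT_ROOT override are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. The compatible strings are the
# three quoted on this page; everything else (names, labels) is illustrative.
DT_ROOT=${DT_ROOT:-/proc/device-tree}

# Map a compatible string to what the thread says about it.
classify_compatible() {
    case "$1" in
        tcg,tpm_spi_tis)  echo "old-string" ;;       # used in the first attempt
        tcg,tpm_tis-spi)  echo "new-string" ;;       # what 4.12-rc4 matched
        infineon,slb9670) echo "works-with-both" ;;  # per the reply above
        *)                return 1 ;;
    esac
}

# Print "<node> <compatible> <label>" for every TPM node below directory $1.
# A "compatible" property holds one or more NUL-terminated strings.
list_tpm_nodes() {
    find -H "$1" -type f -name compatible 2>/dev/null | sort |
    while IFS= read -r prop; do
        tr '\0' '\n' < "$prop" | while IFS= read -r compat; do
            if label=$(classify_compatible "$compat"); then
                echo "${prop%/compatible} $compat $label"
            fi
        done
    done
}

# Return 0 if the tree has at least one TPM node, 1 otherwise.
check_tpm_dt() {
    nodes=$(list_tpm_nodes "${1:-$DT_ROOT}")
    if [ -z "$nodes" ]; then
        echo "no TPM node in device tree" >&2
        return 1
    fi
    echo "$nodes"
    # A node whose string the running kernel does not match gets no driver,
    # and then no character device appears.
    ls /dev/tpm* >/dev/null 2>&1 || echo "note: no /dev/tpm* present" >&2
}
```

Running check_tpm_dt with no argument inspects the booted system; a node reported with a string the running kernel's driver does not match explains a missing /dev/tpm0.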

John Does on :

It should but..

In file included from lib/context-util.c:41:0:
/usr/local/include/tcti/tcti-tabrmd.h:34:21: fatal error: gio/gio.h: No such file or directory
compilation terminated.
Makefile:1568: recipe for target 'lib/context-util.o' failed

even though

LANG=C apt install autoconf-archive openssl libssl-dev libcurl4-openssl-dev libdbus-1-dev libglib2.0-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
autoconf-archive is already the newest version (20160916-1).
libcurl4-openssl-dev is already the newest version (7.52.1-5).
libdbus-1-dev is already the newest version (1.10.18-1).
libglib2.0-dev is already the newest version (2.50.3-2).
libssl-dev is already the newest version (1.1.0f-3).
openssl is already the newest version (1.1.0f-3).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

it's probably because of (2 days old)

that introduced

John Does on :

But fear not :-)

it compiles after

changing the CC line in Makefile of tpm2.0-tools to

CC = gcc -I/usr/include/glib-2.0 -I/usr/lib/arm-linux-gnueabihf/glib-2.0/include -lglib-2.0

(I know that's really ugly.. but for quick result..)

also need to change tpm2-abrmd accordingly:

diff --git a/src/include/tcti-tabrmd.h b/src/include/tcti-tabrmd.h
index c145eb5..e8e0c7f 100644
--- a/src/include/tcti-tabrmd.h
+++ b/src/include/tcti-tabrmd.h
@@ -35,7 +35,7 @@ extern "C" {

-#include "tabrmd.h"
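
Review bot: the hunk header announces 7 lines on each side, but only the removed line (-#include "tabrmd.h") is visible, so the replacement include and the surrounding context cannot be reviewed or applied from this posting. Please repost the change in a form that keeps the angle brackets intact (an attachment or a link to the commit), and state in the description which include path the replacement is expected to resolve from once the header is installed.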


after make install and systemctl start tpm2-abrmd

win win win win win

Bank/Algorithm: TPM_ALG_SHA1(0x0004)
Bank/Algorithm: TPM_ALG_SHA256(0x000b)


John Does on :

looks like serendipity is eating the greater than '>' and smaller than '

Anonymous on :

Feel free to raise issues on github as well :-)
Phil usually fixes stuff pretty quick.

John Does on :

Things are already getting sorted out it seems :-) is the glib-2.0 gio part
