Skip to content

LetsTrust TPM und los gehts!

So, ich habe nun das Modul, und jetzt?

Es gibt nun ein neues Plug&Play Image: Eines für alle Pi´s.

Hier findest du den Eintrag dazu: Link


Du hast nun drei Möglichkeiten:
1.: Lade das Image für den Raspberry Pi herunter und kopiere dieses via dd auf eine SD-Karte >=4GB.
Image: plug_n_play_image.img
How to Plug and Play Image:PlugandPlayImage_en.txt

Prüfsummen des Images:
MD5: 27aeac85aa4e1ca1588808ad5b988a25
SHA-1: ceab60c4b538313a28d59b8bfce8184a7ad83f02
SHA-256: 88216ab485b93a706d229a9e95c99a0fa32291964b65c8fafb48440dc904eb9c

2.: Die vorkompilierten Module und den passenden Devicetree Eintrag im eigenen Kernel verwenden, die Anleitung und die Module sind gepackt.
Prüfsummen des Archivs:
MD5: 5ea87f7068ff0603d673b017e4175097
SHA-1: 2cd863bdb67260f2eabbf73405a483e6153b5d28
SHA-256: 355b901178c39eb19398d9c352829923492a9e6987e1f3651a9a757955ad2559

3.: Oder der steinige und harte Weg: Kernel selbst bauen und patchen.
Anleitung und den Patch hierzu findest du in diesem Archiv:
Prüfsummen des Archivs:
MD5: 7607cc3c35407f51fef23e44be2c32eb
SHA-1: d5a0b42ca40158ce30ef3a1ddef8f11ae383b732
SHA-256: 2eec1442315a1cd0691626bd6910ff54128d03793bf1eb2701aea4b54e8034bd

Happy Patching!

Das war´s für heute!

Bis bald!


No Trackbacks


Display comments as Linear | Threaded

John Does on :

raspbian rpi2 using precompiled

1. copied the dtbs to /boot
2. copied tpm recursively to lib/modules/4.9.0-2-rpi2/kernel/drivers/char/tpm
3. Boot Problem:

usb 1-1: new full-speed USB device number 3 using dwc_otg
usb 1-1: device not accepting address 3, error -110
Indeeed it is in host mode hprt0 = 00021651
(goes on until address == 5)
ends with: usb usb1-port1: unable to enumerate USB device


John Does on :

precompiled modules are for kernel 4.4.50+ but the boot problem happens as soon as I try using the bcm2709-rpi-2-b.dtb from the zip.

Instead I compiled a 4.12-rc4 bcm2709_defconfig and configured TPM as module together with native SPI as explained in


was given

spidev1: tpm_spi_tis@1{
compatible = "tcg,tpm_spi_tis";

and make dtbs compiled that to dtb (copied over to /boot afterwards).

It doesn't load the modules and when I load the modules manually the /dev/tpm* doesn't show up either.

spi is active it loads the spi_bcmXXXX module.

added dtdebug=1 to config.txt

vcdbg log msg

doesn't show anything related to the tpm device (don't know if that's expected).

Paul Kissinger on :

Hi John Doe ;),

Thank you for your Feedback!
I could reproduce this error on my raspi Zero W!

Please give me some days to find and fix this problem in the precompiled version.

Best regards,

John Does on :

OK I got it - the .compatible is just different! Look

root@pi:~/linux/arch/arm/boot/dts# git diff bcm2709-rpi-2-b.dts
diff --git a/arch/arm/boot/dts/bcm2709-rpi-2-b.dts b/arch/arm/boot/dts/bcm2709-rpi-2-b.dts
index 434c4519..af2eb25a 100644
--- a/arch/arm/boot/dts/bcm2709-rpi-2-b.dts
+++ b/arch/arm/boot/dts/bcm2709-rpi-2-b.dts
@@ -55,12 +55,9 @@
#size-cells = ;
spi-max-frequency = ;
- spidev1: spidev@1{
- compatible = "spidev";
+ spidev1: tpm_spi_tis@1{
+ compatible = "tcg,tpm_tis-spi";
reg = ; / CE1 /
- #address-cells = ;
- #size-cells = ;
spi-max-frequency = ;

so it's actually "tcg,tpm_tis-spi" instead of "tcg,tpm_spi_tis" now :-)

root@pi:~/linux/arch/arm/boot/dts# uname -a
Linux pi 4.12.0-rc4-v7+ #1 SMP Sun Jun 11 15:46:12 UTC 2017 armv7l GNU/Linux

root@pi:~/linux/arch/arm/boot/dts# ls /dev/tp*
/dev/tpm0 /dev/tpmrm0

Anonymous on :

Hi John Doe2,

WoW you´ll find this issue!
Same to you, Thank you for your Feedback!

I´m discoussing this with my Linuxguru.
Here again, please give me some days to find and fix this problem.

Best regards,


John Does on :

Also.. resourcemgr (which is mentioned in the howto as prerequisite to talk to the tpm) was removed from

commit 7966ef8916f79ed09eab966a58d773f413fbb67f
Author: Philip Tricca
Date: Wed May 10 09:32:36 2017 -0700

Remove resourcemgr and fixup build.

tpmclient and test won't work.

John Does on :

so the recoursemgr was replaced with

aber make install you would have to copy the /usr/local/etc/dbus-1/system.d/tpm2-abrmd.conf to /etc/dbus-1/system.d/ and systemctl reload dbus or else the /usr/local/sbin/tpm2-abrmd is not going to work (rasbian stretch).

starting the tpm2-abrmd.service unit should be working then.

recompiling tpm2.0-tools with

./configure --with-tcti-tabrmd --with-tcti-socket --with-tcti-device

unfortunately ends up with problems finding some gio.h includes from glib2..

This is quite a journey :-/

Anonymous on :

Hi JohnDoe,

first of all - thanks for trying it out and reporting the issues to us.
This is really appreciated!!

Yes its currently a bit messy - the TPM2.0 ecosystem currently gains a lot of momentum and thus leads to some churn and chicken egg problems :/
e.g. the resource manager was removed from the stack, since it was added to the kernel.
That the compatible string was changed was also unfortunate.
"infineon,slb9670" would work in both cases.

I hope we can look into that stuff over the weekend and create new tutorials/how-tos on how to use it on a current kernel with the current tools/stack.
We would be happy if you would try them out then and give feedback.

About your question with the missing headers - if you have a look in the .travis.yml you see that you need to have the following packages installed on your system:
- autoconf-archive
- openssl
- libssl-dev
- libcurl4-openssl-dev
- libdbus-1-dev
- libglib2.0-dev

sudo apt-get install autoconf-archive openssl libssl-dev libcurl4-openssl-dev libdbus-1-dev libglib2.0-dev
should do the trick.

Take care!

John Does on :

It should but..

In file included from lib/context-util.c:41:0:
/usr/local/include/tcti/tcti-tabrmd.h:34:21: fatal error: gio/gio.h: No such file or directory
compilation terminated.
Makefile:1568: recipe for target 'lib/context-util.o' failed

even tho

LANG=C apt install autoconf-archive openssl libssl-dev libcurl4-openssl-dev libdbus-1-dev libglib2.0-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
autoconf-archive is already the newest version (20160916-1).
libcurl4-openssl-dev is already the newest version (7.52.1-5).
libdbus-1-dev is already the newest version (1.10.18-1).
libglib2.0-dev is already the newest version (2.50.3-2).
libssl-dev is already the newest version (1.1.0f-3).
openssl is already the newest version (1.1.0f-3).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

it's probably because of (2 days old)

that introduced

John Does on :

But fear not :-)

it compiles after

changing the CC line in Makefile of tpm2.0-tools to

CC = gcc -I/usr/include/glib-2.0 -I/usr/lib/arm-linux-gnueabihf/glib-2.0/include -lglib-2.0

(I know that's really ugly.. but for quick result..)

also need to change tpm2-abrmd accordingly:

diff --git a/src/include/tcti-tabrmd.h b/src/include/tcti-tabrmd.h
index c145eb5..e8e0c7f 100644
--- a/src/include/tcti-tabrmd.h
+++ b/src/include/tcti-tabrmd.h
@@ -35,7 +35,7 @@ extern "C" {

-#include "tabrmd.h"


after make install and systemctl start tpm2-abrmd

win win win win win

Bank/Algorithm: TPM_ALG_SHA1(0x0004)
Bank/Algorithm: TPM_ALG_SHA256(0x000b)


John Does on :

looks like serendipity is eating the greater then '>' and smaller than '

Anonymous on :

Feel free to raise issues on github as well :-)
Phil usually fixes stuff pretty quick.

John Does on :

Things are already getting sorted out it seems :-) is the glib-2.0 gio part

The author does not allow comments to this entry