Clearing the compliance vectors from the TPM

This post will show you how to clear the compliance keys from your TPM and create a new and unique Endorsement Key. If you bought the CryptoCape v02, which is the current revision as of this writing, you’ll want to perform these actions. Otherwise, the keys on your TPM are set to “well-known” test keys.

Atmel I2C TPM AT97SC3204T ships with a compliance EK.
Atmel I2C TPM AT97SC3204T ships with a compliance EK.

Installing the TPM packages

Under Debian, the TrouSerS (from now on just “trousers”) package provides the software to interface to your TPM. While you are installing trousers, go ahead and install some other TPM related software that will come in handy later on. You’ll want to run this command with the CryptoCape attached and after a reboot. If the TPM kernel driver isn’t loaded when you install trousers, apt will grumble at you since it tries to start the TPM daemon and it will fail.

sudo apt-get install trousers tpm-tools libtspi-dev opencryptoki

If you have already taken ownership of your TPM, the following status registers should indicate this:

cat /sys/class/misc/tpm0/device/enabled
cat /sys/class/misc/tpm0/device/owned

Understanding compliance mode

This is the state in which you want your TPM. The issue is, the TPMs as shipped from SparkFun, are in compliance mode. Compliance mode means that the Endorsement Key, the root key on the TPM, is a well-known value. This is extremely useful in testing to validate that the TPM meets the specification, hence the “compliance” moniker. This is not so useful if you want to store unique secrets on the TPM.

TPMs have different order codes from distributors and the one I chose for the CryptoCape means that the TPM ships in compliance mode. I didn’t realize this until some engineers at Atmel pointed it out to me (thank you!). Fortunately, it is relatively easily fixed.

More information about compliance mode can be found in Trusted Platform Module Basics over at Google Books.

Clearing the TPM and creating a new EK

The general procedure is as follows: we must clear the TPM of the compliance vectors, enable the TPM, activate the TPM, reboot, and then create a new, random EK. The benefit of this procedure is that your EK will be unique and not known to Atmel, SparkFun, or me. If I had a better marketing department, I would have said that I meant to do this 🙂

Let’s get started. With the CryptoCape attached and tcsd running, which you can verify with pgrep tcsd, switch over to root with sudo su.

Then clear the TPM. You’ll be prompted to enter your owner password. I like running these commands with the -l debug option so I can see what’s going on:

$ tpm_clear -l debug
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Enter owner password: 
Tspi_GetPolicyObject success
Tspi_Policy_SetSecret success
Tspi_TPM_ClearOwner success
tpm_clear succeeded
TPM Successfuly Cleared.  You need to reboot to complete this operation.  After reboot the TPM will be in the default state: unowned, disabled and inactive.
Tspi_Context_FreeMemory success
Tspi_Context_Close success

Then reboot. On the CryptoCape, the TPM reset line is tied to the BeagleBone reset line, but I always do a full sudo halt and re-power the board.

After you power on, if you dmesg | tpm you should see the following, which confirms the TPM is cleared.

[    5.143291] tpm_i2c_atmel 1-0029: Issuing TPM_STARTUP
[    5.680399] tpm_i2c_atmel 1-0029: TPM is disabled/deactivated (0x6)

Setting physical presence

Now for the tricky part. To enable and activate the TPM we must prove to the TPM that we are physically at the device, known as physical presence. If you follow the trousers rules, the way to do this is to boot in single user mode, which disables network access, and issue the commands. Booting in single user mode on the BBB is a pain. It requires modifying uBoot parameters and then connecting to the BBB over serial. With a cape attached, getting access to the serial debug header is very awkward.

Fortunately, my DEF CON 22 co-presenter helped me out. You can download and compile the following code which will issue the command to set presence, without requiring single user mode.




gcc tpm_assertpp.c -o tpm_assertpp

Kill tcsd, as it is monopolizing access to the TPM at the moment:

sudo pkill tcsd

Run the physical presence command:

sudo ./tpm_assertpp 
Physical presence asserted.

Restart tcsd:

sudo tcsd

Enabling and activating the TPM

Now we are ready to enable and activate the TPM. Run as root the following commands:

$ tpm_setenable -e -f -l debug
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Tspi_TPM_SetStatus success
tpm_setenable succeeded
Tspi_Context_FreeMemory success
Tspi_Context_Close success


tpm_setactive -a -l debug
Tspi_Context_Create success
Tspi_Context_Connect success
Tspi_Context_GetTpmObject success
Tspi_TPM_SetStatus success
Action requires a reboot to take effect
tpm_setactive succeeded
Tspi_Context_FreeMemory success
Tspi_Context_Close success

Power down the board and bring it back up one last time.

Creating a new EK

Now you should be able to create a new EK with tpm_createek.1 After that, take ownership again with:

tpm_takeownership -z -l debug

You’ll be prompted for a new owner password. To confirm you have real EK on the TPM, run tpm_getpubek. If it starts with 0xab567c0e than you still have the compliance vector loaded and something went wrong. Otherwise, you now have a unique EK.

Using the TPM

In a following post, I’ll show how to use the TPM’s random number generator and use it to protect SSH client keys.

  1. When I re-tried these instructions to test them, I couldn’t re-create my EK. I’m not sure if it’s a one-time operation or not, but at some point, I did run the command. Feel free to contact me if there are issues. 

One thought on “Clearing the compliance vectors from the TPM

Comments are closed.