Blog | G5 Cyber Security

BeagleBone Black: TPM Setup with U-Boot

TL;DR

This guide shows how to bring up a Trusted Platform Module (TPM) attached to a BeagleBone Black and drive it from the U-Boot bootloader. The BeagleBone Black has no TPM on the board itself, so the chip comes from a cape or breakout board wired to the SPI or I2C header. The guide covers confirming that the chip is reachable, building U-Boot with TPM support so it can initialise the chip before Linux runs, and basic operations from the U-Boot prompt and from Linux.

Prerequisites

  1. A BeagleBone Black with a TPM cape or breakout board attached (SPI parts such as the Infineon SLB9670, or I2C parts such as the Infineon SLB9673 and the ST ST33 family). Note which bus and which P9 pins the module uses; the device tree entries below depend on it.
  2. A 3.3 V USB-to-serial adapter on the J1 debug header: the U-Boot prompt is only reachable over the serial console.
  3. A U-Boot source tree you can rebuild and flash, because TPM support is a build-time option, not something switched on from the prompt.
  4. On the Linux side, the i2c-tools package (for i2cdetect) and tpm2-tools.

1. Check for TPM Presence

First, confirm that the TPM is actually reachable. The BeagleBone Black does not ship with a TPM on any revision; it has to be added on a cape or breakout board, so this step is really about checking the wiring and the bus.

  1. Identify the bus: Check the module's datasheet for whether it speaks SPI or I2C. On the BeagleBone Black the buses normally used for this are SPI0 and I2C2 on the P9 header; I2C2 is exposed to Linux as /dev/i2c-2.
  2. Use i2cdetect (I2C modules only): From Linux, with i2c-tools installed, run i2cdetect -y 2. The bus number is required; the command probes every address on that bus, so do not run it on a bus carrying devices that react badly to probes. I2C TPM 2.0 parts from Infineon and ST answer at 0x2e by default. The addresses 0x54 to 0x57 on I2C2 are the cape EEPROMs, not the TPM. An address shown as UU is already claimed by a kernel driver, which is what you will see once the TPM driver has bound. SPI modules never appear in i2cdetect; for those, the check is that the kernel driver binds and /dev/tpm0 appears (section 4).
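
Reading the i2cdetect grid by eye is error-prone, and the cape EEPROMs sit in the same scan. The following POSIX shell script is added here as an illustration and is not part of the original post: it parses i2cdetect output fed on stdin, reports which addresses answered, which are already claimed by a driver (UU), and whether the expected TPM address is among them. The sample grid is constructed (a TPM at 0x2e next to the four cape EEPROMs); the 0x2e default and the 0x54 to 0x57 EEPROM range are assumptions about a typical BeagleBone Black I2C2 bus.

```shell
#!/bin/sh
# Classify the devices an `i2cdetect -y 2` scan found on the BeagleBone Black's
# I2C2 bus.  Added example, not code from the original post.  Feed real output
# with:  i2cdetect -y 2 | find_tpm

TPM_I2C_ADDR=0x2e   # assumption: default address of Infineon/ST I2C TPM 2.0 parts

# Constructed sample of i2cdetect output: a TPM at 0x2e, cape EEPROMs at 0x54-0x57.
SAMPLE_I2CDETECT='     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- 2e --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- 54 55 56 57 -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --'

# parse_i2cdetect: stdin = i2cdetect grid; stdout = "0xNN free|busy", one per device.
# Each row is "R0:" followed by 16 three-character cells, so the cell for address
# 16*R + j starts at column 5 + 3*j.  Blank cells are reserved addresses.
parse_i2cdetect() {
    awk 'NR > 1 {
        base = substr($0, 1, 1) * 16
        for (j = 0; j < 16; j++) {
            cell = substr($0, 5 + 3 * j, 2)
            if (cell == "UU")                      printf "0x%02x busy\n", base + j
            else if (cell ~ /^[0-9a-f][0-9a-f]$/)  printf "0x%02x free\n", base + j
        }
    }'
}

# classify_addr ADDR: what a given address on this bus is expected to be.
classify_addr() {
    case "$1" in
        "$TPM_I2C_ADDR")      echo tpm-candidate ;;
        0x54|0x55|0x56|0x57)  echo cape-eeprom ;;   # assumption: BBB cape EEPROM range
        *)                    echo unknown ;;
    esac
}

# find_tpm: stdin = i2cdetect grid.  Prints the TPM line and returns 0 if the
# expected address answered (free, or already owned by a driver); 1 otherwise.
find_tpm() {
    hit=$(parse_i2cdetect | while read -r addr state; do
        [ "$(classify_addr "$addr")" = tpm-candidate ] &&
            echo "TPM candidate at $addr ($state)"
    done)
    [ -n "$hit" ] && echo "$hit"
}

# Example run against the constructed sample.
printf '%s\n' "$SAMPLE_I2CDETECT" | find_tpm
```

A scan with nothing at 0x2e but 0x54 to 0x57 present means the bus itself is fine (the EEPROMs answered) and the problem is the TPM's wiring, address straps, or that the module is an SPI part.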

2. Configure U-Boot

U-Boot only talks to the TPM if the driver was compiled in and the device tree it uses describes the chip. There is no environment variable that switches the TPM on; it is a build-time choice.

  1. Access U-Boot: Connect to the serial console, power on the board and press a key during the autoboot countdown. You should see the U-Boot prompt (=>).
  2. Check whether TPM support is already built in: Run help tpm. If U-Boot answers that tpm is an unknown command, the build you are running has no TPM support and you need to rebuild it.
  3. Build U-Boot with TPM support: Enable the following in the U-Boot configuration (make menuconfig, or add them to the board defconfig), choosing the bus driver that matches your module:
    CONFIG_TPM=y
    CONFIG_TPM_V2=y
    CONFIG_TPM2_TIS_SPI=y     # SPI parts such as the SLB9670; use the I2C TIS driver for I2C parts
    CONFIG_CMD_TPM=y
    For a TPM 1.2 part, CONFIG_TPM_V1 replaces CONFIG_TPM_V2, and the driver and the command arguments differ.
  4. Describe the chip in the device tree: Add a node for the TPM under the SPI or I2C controller it is wired to, with the chip select or I2C address and the compatible string U-Boot's driver matches (tis,tpm2-spi for the SPI TIS driver). Without this node the driver never binds and tpm init fails.
  5. Initialise it at the prompt: After flashing the new U-Boot, check that the device is found and responds:
    tpm init
    tpm startup TPM2_SU_CLEAR
    tpm self_test full
    tpm init binds the driver and opens the device; TPM2_Startup with the CLEAR argument brings the TPM up with PCRs at their reset values; the self-test confirms the chip works. Newer U-Boot releases also offer tpm autostart, which does all three in one step. A TPM accepts only one Startup per power cycle, so after a warm reboot the startup command reports an error until the board is power-cycled.

3. Basic TPM Usage

Once tpm init succeeds, the TPM can be driven from the U-Boot prompt. U-Boot's command set is deliberately small: it covers what a bootloader needs for measured boot (reading and extending PCRs) plus a few management commands. Keep in mind that on the BeagleBone Black the AM335x boot ROM and the SPL (MLO) run before U-Boot proper and nothing measures them, so unless the SPL is also built with TPM support and extends a digest of U-Boot, the PCRs only vouch for what U-Boot itself chose to extend; there is no core root of trust for measurement below the bootloader.

  1. Get TPM information: tpm info prints the driver's description of the attached device, and tpm device lists the TPM devices U-Boot knows about:
    tpm info
    tpm device
  2. Clear TPM: TPM2_Clear resets the storage (owner) hierarchy: the storage primary seed is regenerated, so every key and sealed blob created under it becomes unusable, and the owner and lockout authorisations are reset to empty. The command takes the hierarchy whose authorisation is used; before an OS has set a platform auth value, the platform hierarchy is open and is the usual choice from the bootloader (it fails if clearing has been disabled with TPM2_ClearControl):
    tpm clear TPM2_RH_PLATFORM

    Warning: Clearing the TPM permanently destroys all keys and sealed data in the storage hierarchy, including anything an OS has sealed to the TPM (disk-encryption keys, for example). Do it when you take ownership of a board or before passing it on; it does not undo a compromise of the firmware or bootloader that feeds the PCRs.

  3. Read and extend PCRs: This is what a bootloader actually uses a TPM for. tpm pcr_read copies a PCR into RAM and prints it; tpm pcr_extend folds a 32-byte SHA-256 digest already in RAM (for example the hash of the kernel image you just loaded, which the hash command can produce on builds that include it) into a PCR:
    tpm pcr_read 0 0x82000000
    tpm pcr_extend 8 <address of the 32-byte digest>
    Use a scratch address that is free on your board; 0x82000000 is the usual kernel load address on the BeagleBone Black, so do not leave the digest there when you go on to load a kernel. Key creation is not part of U-Boot's tpm command set; generate keys from Linux with tpm2-tools (section 4).
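
The value tpm pcr_read prints is only useful if you can predict what it should be. The following POSIX shell script is added here as an illustration and is not part of the original post: it replays the TPM 2.0 SHA-256 PCR extend rule (new PCR = SHA-256(old PCR || measured digest)) from the all-zeros reset value, so a PCR read in U-Boot or with tpm2_pcrread can be compared against the digests of the components that were supposed to be extended into it. It depends only on awk, printf and sha256sum (or shasum). The choice of PCR 8 and the idea of hashing a kernel image are assumptions for the example, not something the post specifies.

```shell
#!/bin/sh
# Replay the TPM 2.0 SHA-256 PCR extend rule in plain shell so that a value read
# with `tpm pcr_read` in U-Boot (or tpm2_pcrread in Linux) can be checked against
# what the measured components should produce.  Added example, not code from
# the original post.

# PCR 0-16 (and 23) start at all zeros after TPM2_Startup(CLEAR).
PCR_INIT=0000000000000000000000000000000000000000000000000000000000000000

# sha256_hex: stdin -> lowercase hex digest.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        awk '{ print $1 }'
}

# hex2bin HEX: write the bytes encoded by HEX to stdout.  The hex is turned into
# \ooo escapes and handed to printf as its format string, which emits NUL bytes
# correctly in both bash and dash (unlike %b, which dash truncates at NUL).
hex2bin() {
    fmt=$(printf '%s' "$1" | awk '{
        s = "0123456789abcdef"; x = tolower($0)
        for (i = 1; i <= length(x); i += 2) {
            v = (index(s, substr(x, i, 1)) - 1) * 16 + index(s, substr(x, i + 1, 1)) - 1
            printf "\\%03o", v
        }
    }')
    # shellcheck disable=SC2059  # the escapes are the data; they contain no %
    printf "$fmt"
}

# pcr_extend OLD_HEX DIGEST_HEX: PCR_new = SHA-256(PCR_old || digest), which is
# exactly what TPM2_PCR_Extend does for the SHA-256 bank.
pcr_extend() {
    hex2bin "$1$2" | sha256_hex
}

# pcr_replay DIGEST_HEX...: fold a sequence of measurements into one PCR value,
# starting from the reset value, in the order they were extended.
pcr_replay() {
    pcr=$PCR_INIT
    for d in "$@"; do
        pcr=$(pcr_extend "$pcr" "$d")
    done
    printf '%s\n' "$pcr"
}

# digest_of_file PATH: the SHA-256 a bootloader would extend for that blob.
digest_of_file() {
    sha256_hex < "$1"
}

# Example: the PCR 8 value to expect after U-Boot extends the SHA-256 of a
# kernel image.  Constructed input; on a real board use the image you loaded
# and compare with `tpm pcr_read 8 <addr>` or `tpm2_pcrread sha256:8`.
kernel=$(mktemp); printf 'not really a kernel' > "$kernel"
echo "expected PCR 8: $(pcr_replay "$(digest_of_file "$kernel")")"
rm -f "$kernel"
```

Because the extend is a hash chain, order matters: the same two digests extended in the opposite order give a different PCR, which is why a policy sealed to a PCR breaks when boot components are loaded in a different sequence even if none of them changed.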

4. Integrating with Linux

To use the TPM from Linux you need the kernel driver for the bus the chip is on and a device-tree node for it (the same information the U-Boot node carried, in the board device tree or an overlay). Once U-Boot has issued TPM2_Startup, Linux simply takes the chip over: the PCR values U-Boot extended survive into Linux and can be read there.

  1. Load the TPM driver: With a device-tree node present the bus driver binds on its own. If the drivers are built as modules rather than into the kernel, list the bus driver in /etc/modules: tpm_tis_spi for SPI parts, tpm_tis_i2c (recent 6.x kernels) for I2C TPM 2.0 parts. Note that sudo echo ... >> /etc/modules does not work, because the redirection is performed by your unprivileged shell, not by sudo; use tee instead:
    echo tpm_tis_spi | sudo tee -a /etc/modules
  2. Verify the device nodes: The driver creates /dev/tpm0 (raw access, one opener at a time) and, on kernels with the in-kernel resource manager, /dev/tpmrm0, which several processes can share. Prefer tpmrm0 for tools. dmesg | grep -i tpm shows whether the driver probed the chip and which TPM family it found.
    ls -l /dev/tpm*
  3. Use TPM tools: Install tpm2-tools and point it at the resource manager. A quick smoke test reads the fixed properties and the PCRs U-Boot may have extended:
    export TPM2TOOLS_TCTI=device:/dev/tpmrm0
    tpm2_getcap properties-fixed
    tpm2_pcrread sha256:0,7,8
    From here you can create keys (tpm2_createprimary, tpm2_create), seal data against PCR values and sign, none of which U-Boot can do for you.
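
The checks in this section are easy to get wrong on a headless board (wrong device node, old kernel without the version attribute, tools not installed). The following POSIX shell script is added here as an illustration and is not part of the original post. Its first two functions take a root directory so they can be exercised against a constructed sysfs and dev tree; tpm_smoke_test runs the real tpm2-tools commands and is only meaningful on the board. The sysfs path and attribute name are those of the Linux tpm class driver; the PCR selection is an assumption for the example.

```shell
#!/bin/sh
# Check that Linux sees the TPM and pick the right device node for tpm2-tools.
# Added example, not from the original post.  tpm_version and tpm_node take a
# root directory ("" for the live system) so they can be tested offline.

# tpm_version ROOT: "1.2" or "2.0" from sysfs (kernels 5.6 and later expose
# tpm_version_major); "absent" if no tpm0 is registered; "unknown" on older kernels.
tpm_version() {
    dev="$1/sys/class/tpm/tpm0"
    [ -d "$dev" ] || { echo absent; return 1; }
    if [ -r "$dev/tpm_version_major" ]; then
        case "$(cat "$dev/tpm_version_major")" in
            1) echo 1.2 ;;
            2) echo 2.0 ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# tpm_node ROOT: prefer /dev/tpmrm0 (kernel resource manager, shareable) over
# /dev/tpm0 (raw, exclusive).  Returns 1 if neither exists.
tpm_node() {
    for n in tpmrm0 tpm0; do
        if [ -e "$1/dev/$n" ]; then
            echo "/dev/$n"
            return 0
        fi
    done
    return 1
}

# tpm_smoke_test: run the tpm2-tools checks against the live system.
tpm_smoke_test() {
    node=$(tpm_node "") || { echo "no TPM device node; check: dmesg | grep -i tpm" >&2; return 1; }
    echo "TPM $(tpm_version "") at $node"
    command -v tpm2_getcap >/dev/null 2>&1 || { echo "tpm2-tools not installed" >&2; return 1; }
    export TPM2TOOLS_TCTI="device:$node"
    tpm2_getcap properties-fixed          # manufacturer, firmware version, spec level
    tpm2_pcrread sha256:0,7,8             # assumption: PCRs U-Boot was asked to extend
}

# Run the live checks only when invoked as:  sh thisscript.sh run
case "${1:-}" in run) tpm_smoke_test ;; esac
```

If tpm_smoke_test reports a device node but tpm2_getcap fails with a TCTI error, the node is owned by another process (tpm0 only allows one opener) or the TPM never received a Startup; the latter shows up in dmesg as the driver reporting a startup or selftest failure.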

Troubleshooting

  1. i2cdetect shows nothing at 0x2e: check the bus number (I2C2 is bus 2 on the BeagleBone Black), the wiring and pull-ups, and whether the module is actually an SPI part, which never appears in an I2C scan. If 0x54 to 0x57 answer, the bus itself is working.
  2. tpm is an unknown command, or tpm init fails: the running U-Boot has no TPM driver, or the device-tree node is missing or attached to the wrong controller. Confirm with help tpm and check the node's compatible string against the driver.
  3. tpm startup returns an error after a warm reboot: the chip already received TPM2_Startup since its last power cycle and accepts only one. Power-cycle the board.
  4. /dev/tpm0 is missing in Linux: the kernel driver did not bind. Look at dmesg | grep -i tpm for probe errors and check that the Linux device tree or overlay has a node for the chip with the same bus and address as the U-Boot one.
