TPM

The phyBOARD-Electra AM64x provides a Trusted Platform Module (TPM), a dedicated chip that offers hardware-based security functions. This guide shows how to use the TPM to hash data, to generate random numbers, and to generate and validate RSA keys.

Confirming TPM Function

To compute the SHA-256 hash of the string "test" on the TPM and display the resulting digest, run the following command:

sh-phyboard-electra-am64xx-2:~# echo -n "test" | tpm2_hash -g sha256 | hexdump -C
00000000 9f 86 d0 81 88 4c 7d 65 9a 2f ea a0 c5 5a d0 15 |.....L}e./...Z..|
00000010 a3 bf 4f 1b 2b 0b 82 2c d1 5d 6c 15 b0 f0 0a 08 |..O.+..,.]l.....|
00000020

Random Number Generation

The TPM on the phyBOARD-Electra AM64x supports generating high-quality random numbers using the tpm2-tools utility. This feature can be used to create cryptographic keys or other secure data. The tpm2_getrandom command generates a specified number of random bytes using the TPM’s hardware RNG.

sh-phyboard-electra-am64xx-2:~# tpm2_getrandom --hex 32
4503417e7383d505bf08f93688949842d685910fcf2cd4c4163c1fd73e191229
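The following self-check script is an added example and is not part of the original guide. It turns a hexdump -C listing like the one in the hashing section back into a plain hex digest, compares it with a digest computed in software on the host CPU, and sanity-checks the length and character set of tpm2_getrandom --hex output. It assumes awk and either sha256sum or openssl are available on the board; the embedded listing is a constructed copy of the tpm2_hash output shown above.

```shell
#!/bin/sh
# Added example (not from the original guide): cross-check TPM output offline.

# Collapse a `hexdump -C` listing into one lowercase hex string.
hexdump_to_hex() {
    awk '
        $1 == "*" { next }                       # skip hexdump repeat markers
        {
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 1) == "|") break   # ASCII column begins with |
                printf "%s", $i
            }
        }
        END { printf "\n" }'
}

# Reference SHA-256 of $1, computed in software (sha256sum, or openssl as fallback).
host_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | awk '{ print $1 }'
    else
        printf '%s' "$1" | openssl dgst -sha256 | awk '{ print $NF }'
    fi
}

# Compare two hex digests case-insensitively; prints "ok" or "MISMATCH".
digest_check() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo ok; else echo MISMATCH; fi
}

# Sanity-check `tpm2_getrandom --hex N` output: $1 = hex string, $2 = requested bytes.
random_hex_ok() {
    case "$1" in *[!0-9a-fA-F]*) echo bad; return;; esac   # non-hex characters
    if [ ${#1} -eq $(( $2 * 2 )) ]; then echo ok; else echo bad; fi
}

# Constructed input: the hexdump -C listing from the tpm2_hash example above.
TPM_HASH_LISTING='00000000  9f 86 d0 81 88 4c 7d 65  9a 2f ea a0 c5 5a d0 15  |.....L}e./...Z..|
00000010  a3 bf 4f 1b 2b 0b 82 2c  d1 5d 6c 15 b0 f0 0a 08  |..O.+..,.]l.....|
00000020'

# Does the TPM's digest of "test" match the host's software digest?
tpm_selfcheck() {
    tpm_hex=$(printf '%s\n' "$TPM_HASH_LISTING" | hexdump_to_hex)
    digest_check "$tpm_hex" "$(host_sha256 test)"
}
```

On the board, pipe live output instead of the constructed listing: `echo -n test | tpm2_hash -g sha256 | hexdump -C | hexdump_to_hex`.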

Random Number Generation with OpenSSL

Through the libtpm2tss engine, OpenSSL can draw random values from the Trusted Platform Module (TPM). This provides a second way to obtain cryptographically secure random numbers backed by the TPM hardware.

The openssl rand command generates random bytes and prints them in hexadecimal, using the cryptographic engine given with -engine. The example below uses the TPM through the libtpm2tss engine to request 30 bytes of random data.

sh-phyboard-electra-am64xx-2:~# openssl rand -engine libtpm2tss --hex 30
9a2f1c3b4d5e6f708192a3b4c5d6e7f809213a4b5c6d7e8f

RSA Key Generation and Validation

The TPM can be used to generate and validate RSA keys through the libtpm2tss engine. The following examples demonstrate how to generate and verify RSA keys using the TPM hardware.

Generate TPM-backed RSA Key

Generate RSA private keys with different bit lengths (minimum 512 bits, default 2048 bits) using the TPM:

sh-phyboard-electra-am64xx-2:~# openssl genrsa -engine libtpm2tss -out private.key 2048
Engine "tpm2tss" set.

The key will be stored in the file private.key. The number at the end of the command specifies the key length in bits. Because the key is generated through the TPM engine, the TPM's hardware random number generator provides the key material; the key is created inside the TPM and private.key holds a TPM-wrapped key rather than a plaintext RSA private key, so it can only be used together with the TPM that created it.

Validate TPM-generated Key

To verify that a TPM-generated RSA private key is valid and well-formed:

sh-phyboard-electra-am64xx-2:~# openssl rsa -engine libtpm2tss -check -in private.key -noout
Engine "tpm2tss" set.
RSA key ok

The validation process uses the TPM engine to ensure proper key formatting and integrity.