
Making use of Trusted Platform Module

Packages

sudo pacman -S tpm2-tss tpm2-tools tpm2-abrmd tpm2-tss-engine tpm2-pkcs11 tpm2-totp
Package            Usage
tpm2-tss           Implementation of the TCG Trusted Platform Module 2.0 Software Stack (TSS2)
tpm2-tools         Trusted Platform Module 2.0 tools based on tpm2-tss
tpm2-abrmd         Access Broker and Resource Management Daemon
tpm2-tss-engine    OpenSSL engine for Trusted Platform Module 2.0 devices
tpm2-pkcs11        PKCS#11 interface for Trusted Platform Module 2.0 hardware
tpm2-totp          Attest the trustworthiness of a device against a human using time-based one-time passwords

Configuration

  1. Add your user to the tss group
    sudo usermod -aG tss $USER
    
  2. Enable and start the access broker
    systemctl enable --now tpm2-abrmd
    
  3. Log out and log in again so the new group membership takes effect

Usage

TOTP code during boot

Generate the authentication secret and seal it against PCRs 0 (hash of the UEFI firmware) and 7 (Secure Boot state):

tpm2-totp --pcrs=0,7 generate

Test your TOTP:

tpm2-totp --time calculate

Scan the resulting QR code with an authenticator app on your phone.

Add the tpm2-totp hook to the HOOKS array in /etc/mkinitcpio.conf before the encrypt hook; otherwise the TOTP is not shown during boot, because the passphrase prompt comes first.