I am working to provision firmware TPM on Orin NX. I learned that the main process of fTPM provisioning is loading the EK certificate from EKB to fTPM NVStorage.
However, in my specific case, I do not rely on a centralized CA. Therefore, an EK certificate is optional. I understand that without being provisioned, fTPM will not have an EK certificate. As a result, an attestation service has to have another way to identify or authenticate the EK.
I am wondering, if I do not provision fTPM with the EK cert on Orin NX, can fTPM functions still work, e.g., generating an attestation report with secure boot integrity measurements, or supporting other TPM functions?
It’s $ sudo modprobe tpm_ftpm_tee to load the fTPM driver module.
You may run the ftpm_device_provision.sh script to provision and activate the fTPM.
Please see also: $public_sources/r36.4.4/Linux_for_Tegra/source/atf_and_optee/optee/samples/ftpm-helper/host/tool/ftpm_device_provision.sh
FYI,
we’ve enabled fTPM simulation feature after r36.4 public release.
you may run simulated TPM to verify all TPM functions without actually burning the fuse.
we have a sample procedure to test with Keylime,
you can evaluate and try the flow with keylime on an unfused board (no fTPM provisioning or fusing is required).
here’s readme file, $public_sources/r36.4.4/Linux_for_Tegra/source/atf_and_optee/optee/samples/ftpm-helper/host/tool/README_keylime_TPM_for_unfused_Jetson.md
Thank you for your prompt response and help. When I tested the fTPM, the sudo user cannot find tpm2 commands. What am I missing here? I cannot see the ftpm device in /dev/
root@localhost:~# modprobe tpm_ftpm_tee
root@localhost:~# tpm2_createak
-bash: tpm2_createak: command not found
root@localhost:~# tpm2_clear
-bash: tpm2_clear: command not found
root@localhost:~#
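The symptoms in the post above (module loads, no TPM node in /dev, tpm2 commands not found) involve three separate layers. The shell check below is an added example, not part of the thread or of NVIDIA's tooling, and reports on each layer. The root-prefix argument and the `FTPM_ROOT` variable are assumptions introduced so the checks can run against a constructed tree; `/dev/tpm0` and `/dev/tpmrm0` are the standard Linux TPM device nodes, and the `tpm2_*` commands come from the tpm2-tools package.

```shell
#!/bin/sh
# Added example: triage for "tpm2_* not found" / "no TPM node in /dev" after
# loading tpm_ftpm_tee. The first argument is a hypothetical filesystem
# prefix (empty on a real device) so the checks can run on a test tree.
ftpm_diagnose() {
    root="${1:-}"
    mask=0

    # 1. Driver: a loaded module shows up under /sys/module.
    if [ -d "$root/sys/module/tpm_ftpm_tee" ]; then
        echo "driver : tpm_ftpm_tee loaded"
    else
        echo "driver : tpm_ftpm_tee not loaded (sudo modprobe tpm_ftpm_tee)"
        mask=$((mask | 1))
    fi

    # 2. Device nodes: tpm0 (raw) and tpmrm0 (resource-managed) exist only
    #    once a TPM chip has been registered with the kernel.
    if [ -e "$root/dev/tpm0" ] || [ -e "$root/dev/tpmrm0" ]; then
        echo "device : TPM character device present"
    else
        echo "device : no /dev/tpm0 or /dev/tpmrm0; review the kernel log"
        mask=$((mask | 2))
    fi

    # 3. Userspace: tpm2_createak, tpm2_clear, ... ship in tpm2-tools and
    #    are independent of the kernel driver.
    if command -v tpm2_createak >/dev/null 2>&1; then
        echo "tools  : tpm2-tools found on PATH"
    else
        echo "tools  : tpm2-tools not installed or not on PATH"
        mask=$((mask | 4))
    fi

    return "$mask"
}

# Bit 1 = driver, bit 2 = device node, bit 4 = userspace tools.
ftpm_diagnose "${FTPM_ROOT:-}" || echo "findings mask: $?"
```

A mask of 6 corresponds to the session shown above: the module is loaded, but no device node exists and the userspace tools are missing.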
for evaluation, please try the script ftpm_sim_provisioning_tool.sh.
this script can help you provision the fTPM on an unfused board for testing purposes.
you can find the script at the source code location below. $public_sources/r36.4.4/Linux_for_Tegra/source/atf_and_optee/optee/samples/ftpm-helper/host/tool/
Please copy the script “ftpm_sim_provisioning_tool.sh” and the “conf/” folder onto the device, and use the commands below to provision and clear the device.
# Provisioning the fTPM (for test only)
./ftpm_sim_provisioning_tool.sh ek_prov
# Clear fTPM content
./ftpm_sim_provisioning_tool.sh clear
Hi, @yanlin.li you don’t need to provision EK etc. in order to use crypto and keys. But to use the attestation functions of the fTPM you absolutely need to start with the EK, unless you want to re-write your own attestation logic from the ground up. Here is the nVidia link to your easier path: SecEdge SEC-TPM development kits available online now.
You can at least try it for free, get an fTPM license, activate it and try it with the kit that does not require you to burn the fuses.