{"id":21354949,"url":"https://github.com/salrashid123/tpm2","last_synced_at":"2026-03-14T13:39:42.810Z","repository":{"id":57531651,"uuid":"219776558","full_name":"salrashid123/tpm2","owner":"salrashid123","description":"TPM2 samples with go-tpm and tpm2_tools","archived":false,"fork":false,"pushed_at":"2024-12-20T12:25:10.000Z","size":2808,"stargazers_count":69,"open_issues_count":9,"forks_count":10,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-15T07:12:52.208Z","etag":null,"topics":["tpm2","trusted-computing"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/salrashid123.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-05T15:20:06.000Z","updated_at":"2025-04-07T16:32:21.000Z","dependencies_parsed_at":"2023-10-26T03:26:48.644Z","dependency_job_id":"56343cc5-0c19-4b14-a727-7903d277d242","html_url":"https://github.com/salrashid123/tpm2","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Ftpm2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Ftpm2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Ftpm2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Ftpm2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/salrashid123","download_url":"https://codeload.github.com/salrashid123/tpm2/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249023736,"owners_count":21199961,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["tpm2","trusted-computing"],"created_at":"2024-11-22T04:15:24.670Z","updated_at":"2026-03-14T13:39:42.804Z","avatar_url":"https://github.com/salrashid123.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Trusted Platform Module (TPM) recipes with tpm2_tools and go-tpm\n\nJust some sample common flows for use with TPM modules and libraries.\n\nThe primary focus is how use `tpm2_tools` to perform common tasks that i've come across.\n\nAlso shown equivalent use of `go-tpm` library set.\n\n---\n\n### Related items\n\n### Key transfer\n\n* [tpmcopy: Transfer RSA|ECC|AES|HMAC key to a remote Trusted Platform Module (TPM)](https://github.com/salrashid123/tpmcopy)\n* [Go-TPM-Wrapping - Go library for encrypting data using Trusted Platform Module (TPM)](https://github.com/salrashid123/go-tpm-wrapping)\n* [Transferring RSA and Symmetric keys with GCP vTPMs](https://github.com/salrashid123/gcp_tpm_sealed_keys)\n\n### go library\n\n* [TPM backed crypto/rand Reader](https://github.com/salrashid123/tpmrand)\n* [golang-jwt for Trusted Platform Module (TPM)](https://github.com/salrashid123/golang-jwt-tpm)\n* [Json Web Encryption (JWE) using TPM backed keys](https://github.com/salrashid123/jwe-tpm)\n* [crypto.Signer, crypto.MessageSigner implementations for Trusted Platform Modules](https://github.com/salrashid123/tpmsigner)\n* [tpm2genkey go utility](https://github.com/salrashid123/tpm2genkey)\n* [OCICrypt provider for Trusted Platform Modules (TPM)](https://github.com/salrashid123/ocicrypt-tpm-keyprovider)\n\n### Cloud Authentication\n\nFor authentication using TPM based keys to cloud providers\n\n* [Cloud Auth Library using Trusted Platform Module (TPM)](https://github.com/salrashid123/cloud_auth_tpm)\n\n* `AWS HMAC`:  [AWS Credentials for Hardware Security Modules and TPM based AWS_SECRET_ACCESS_KEY](https://github.com/salrashid123/aws_hmac)\n* `AWS Roles Anywhere`: [AWS SDK CredentialProvider for RolesAnywhere](https://github.com/salrashid123/aws_rolesanywhere_signer)\n* `AWS TPM process credentials`: [AWS Process Credentials for Trusted Platform Module (TPM)](https://github.com/salrashid123/aws-tpm-process-credential)\n\n* `Azure` [KMS, TPM and HSM based Azure Certificate Credentials](https://github.com/salrashid123/azsigner)\n\n* `GCP Credential Source Binary`: [TPM Credential Source for Google Cloud SDK](https://github.com/salrashid123/gcp-adc-tpm)\n* `GCP TokenSource`: [GCP TPM AccessTokenSource](https://github.com/salrashid123/oauth2?tab=readme-ov-file#usage-tpmtokensource)\n\n### Kubernetes\n\n* [Kubernetes Trusted Platform Module (TPM) DaemonSet](https://github.com/salrashid123/tpm_daemonset)\n* [Kubernetes Trusted Platform Module (TPM) using Device Plugin and Gatekeeper](https://github.com/salrashid123/tpm_kubernetes)\n\n### TLS examples\n\n* [mTLS with TPM bound private key](https://github.com/salrashid123/go_tpm_https_embed)\n* [TPM based TLS using Attested Keys (experimental)](https://github.com/salrashid123/tls_ak)\n* [TPM One Time Password using TLS SessionKey](https://github.com/salrashid123/tls_tpm_one_time_password)\n\n---\n\nAdditional References:\n\n- [tpm2-tools](https://github.com/tpm2-software/tpm2-tools)\n- [go-tpm](https://github.com/google/go-tpm)\n- [go-tpm-tools](https://github.com/google/go-tpm-tools)\n- [go-attestation](https://github.com/google/go-attestation)\n\n    Simple cli utility similar to [tpm2tss-genkey](https://github.com/tpm2-software/tpm2-tss-engine/blob/master/man/tpm2tss-genkey.1.md) which \n\n    * creates new TPM-based `RSA|ECC` keys and saves the keys in `PEM` format.\n    * converts basic the public/private keyfiles generated using `tpm2_tools` into `PEM` file format.\n    * converts `PEM` TPM keyfiles to public/private structures readable by `tpm2_tools`.\n\n- [tpm-js simulator](https://google.github.io/tpm-js/)\n\n\n- [Trusted Platform Module Library Part 1: Architecture](https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf)\n- [Trusted Platform Module Library Part 2: Structures](https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf)\n- [Trusted Platform Module Library Part 3: Commands](https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf)\n- [Trusted Platform Module Library Part 4: Supporting Routines](https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-4-Supporting-Routines-01.38-code.pdf)\n\n- [CPU to TPM Bus Protection Guidance](https://trustedcomputinggroup.org/wp-content/uploads/TCG_CPU_TPM_Bus_Protection_Guidance_Passive_Attack_Mitigation_8May23-3.pdf)\n\n---\n\nUpdate 8/28/21:  Added a gRPC client/server that does full remote attestation, quote/verify and secret sharing:\n\n- [https://github.com/salrashid123/go_tpm_remote_attestation](https://github.com/salrashid123/go_tpm_remote_attestation)\n\n## Usecases:\n\n- `encrypt_with_tpm_rsa`: Encrypt with RSA Key generated on TPM (`tpm2_create`, `tpm2_rsaencrypt, tpm2_decrypt`)\n\n- `chained_keys`: Encrypt/Decrypt using parent-\u003echild-\u003echild keys\n\n- `gcp_ek_ak`: read gcp ek keys from NV using go-tpm-tools and gcloud API\n  \n- `ek_cert_key` read _generic_ the ek cert and key from NV\n\n- `ek_ak`: generate ek and ak\n\n- `tpm2_tools_load_ctx`: convert saved context files between `tpm2_tools\u003c\u003ego-tpm` (experimental)\n\n\n- `go_ek_csr`: issue CSR from EKRSA (signing)\n\n- `ek_import_blob`: Seal data using a _real_ tpm's ekcert signed by Optiga\n\n- `tpm_quote_verify`: Generate TPM Quote blob with PCR23 value (`tpm2_createak`, `tpm2_quote`, `tpm2_checkquote`)\n\n- `event_log`: Generate and Verify a TPM [event log]()\n\n- `srk_seal_unseal`: Seal arbitrary data directly to TPM; use PCR Policy (`tpm2_create`, `tpm2_load`, `tpm2_seal`, `tpm2_unseal`)\n\n- `sign_with_ak`: Sign with Attestation Key (`tpm2_createak`, `tpm2_hash`, `tpm2_sign`, `tpm2_verifysignature`)\n\n- `sign_certify_ak`:  Generate Child key and Sign data with it.  Create Attestation/[Certify](https://godoc.org/github.com/google/go-tpm/tpm2#Certify) child key with AK.  Verify Signature.\n\n- `sign_wth_rsa`: Generate RSA key with TPM  and sign (`tpm2_create`,`tpm2_load`, `tpm2_sign`, `tpm2_verifysignature`)\n\n- `sign_wth_ecc`: Generate ECC key with TPM  and sign, verify\n\n- `public_key_gen`:  Generate the PEM Public key for rsa_srk, ecc_srk, ecc_ek, rsa_ek or h2\n\n- `encrypte_decrypt_aes`:  encrypt and decrypt with aes key on tpm\n\n- `keyfile-go-tpm-tools`: use go-tpm's direct api with `go-tpm-keyfiles` and `go-tpm-tools.client.Key` \n\n- `simulator_swtpm_tcpdump`: run a software tpm locally use tcpdump to decode traffic with wireshark\n\n- `tpm2_tools_load_ctx`: load a key context saved by tpm2_tools using go-tpm\n\n- `tpm_encrypted_session`: demonstrate session encryption to protect cpu-\u003etpm bus interface\n\n- `password`: Encrypt/Decrypt with passwords on parent and key\n\n- `h2_primary_template`: using the H2 primary key template\n\n- `rsa_import`: Import external RSA key to TPM; decrypt data with TPM (`tpm2_import, tpm2_load, tpm2_rsadecrypt`)\n\n- `ecc_import`: Import external ECC key to TPM; decrypt data with TPM (`tpm2_import, tpm2_load, tpm2_rsadecrypt`)\n\n- `tpm_make_activate`: Attestation Protocol using Make-Activate credentials (`tpm2_makecredential`, `tpm2_activatecredential`)\n\n- `tpm2_get_ak_name`: Gets the AK \"name\" given the PEM format of a public key.\n\n- `tpm2_duplicate`: Use (`tpm2_import`, `tpm2_duplicate`) encrypt and transfer a key from one TPM to another.\n\n- `tpm2_duplicate_direct`:  duplicate an rsa key to `TPM-B` manually (i.,e without `TPM-A`)\n\n- `tpm2_duplicate_go`: Duplicate HMAC key from one tpm to another using go-tpm's direct API.  Also calculate HMAC in go using the TPM\n\n- `hmac_import`: Import an external hmac key and use it to do hmac-stuff\n\n- `hmac_import`: Import an external aes key and use it to do hmac-stuff\n\n- `policy`: Samples covering using session policy (pcr, policysigned, password, authvalue)\n\n- `policy_gen`: Extract and use the raw low-level policy command parameters\n\n- `tpm_services`: samples in go for  standalone remote attestation, quote-verify and seal-unseal\n\n- `ek_import_blob`: Transfer secret  using ekPub only. Example only covers `go-tpm` based transfer (TODO: figure out the `tpm2_tools` flow).\n      * see  to [https://github.com/salrashid123/gcp_tpm_sealed_keys](https://github.com/salrashid123/gcp_tpm_sealed_keys) \n\n- `ek_import_rsa_blob`: Transfer RSA key from your local system to a GCP vTPM using its ekPub only. Example only covers `go-tpm` based transfer.  For example, use this mechanism to transfer a Service Account Private key securely such that the key on the vTPM cannot be exported but yet available to sign and authenticate.\n      * see  to [https://github.com/salrashid123/gcp_tpm_sealed_keys](https://github.com/salrashid123/gcp_tpm_sealed_keys)\n\n- `mTLS`:  mTLS using `go-tpm` and nginx\n\n- `ima_policy`:  Sample 'helloworld' configuration of IMA.\n\n- `pcr_utils`:  Read and Extend PCR values\n\n- `PKCS11`:  Access TPM using PKCS-11 and openssl\n\n- `LUKS`:  Use TPM for LUKS encryption\n\n- `attest_verify`: remote attestation using `go-tpm-tools`\n\n- `ak_sign_nv`: read Attestation Key from NV index, sign and verify for Google Compute Engine VMs\n\n- `context_chain`:  create parent, child, grandchild keys\n\n- `resource_manager`:  `tpm0`` vs `tpmrm0`\n\n- `kdf`:  Key Derivation Functions (KDF) based on the recommendations of NIST SP 800-108 using TPM baced HMAC\n\n- `tpm_remote`: Connect to a remote TPM over inscure TCP  socket\n\n- `attribute_certificate`: generate an attribute certificate as a Platform Certificate\n\n\n---\n\n### Software TPM\n\nIf you want to test locally with a software tpm ([swtpm](https://github.com/stefanberger/swtpm)), install the swtpm and launch.\n\nJust note that AFAIK, the swtpm does *not* have a resrouce manager so you'll have to run `tpm2_flushcontext -t` a lot...\n\n\n- `swtpm socket`\n\n```bash\nrm -rf /tmp/myvtpm \u0026\u0026 mkdir /tmp/myvtpm  \u0026\u0026 \\\n   swtpm_setup --tpmstate /tmp/myvtpm --tpm2 --create-ek-cert \u0026\u0026 \\\n   swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322 --flags not-need-init,startup-clear\n\nexport TPM2TOOLS_TCTI=\"swtpm:port=2321\"\n```\n\n\n- `swtpm socket` with `socat`\n\n```bash\nrm -rf /tmp/myvtpm \u0026\u0026 mkdir /tmp/myvtpm  \u0026\u0026 \\\n   swtpm_setup --tpmstate /tmp/myvtpm --tpm2 --create-ek-cert \u0026\u0026 \\\n   swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322 --flags not-need-init,startup-clear\n\nsudo socat pty,link=/tmp/vtpm,raw,echo=0 tcp:localhost:2321\nsudo chmod go+rw /tmp/vtpm\n\nexport TPM2TOOLS_TCTI=\"device:/tmp/vtpm\"\n```\n\n- `swtpm chardev`\n\nTODO:, \n\n\n---\n\n\n### Usage\n\nExcercising any of the scenarios above requires access to a TPM(!).  You can use `vTPM` included with a Google Cloud [Shielded VM](https://cloud.google.com/shielded-vm/) surfaced at `/dev/tpmrm0` on the VM\n\n#### Create test VM with TPM\n\n```\n gcloud  compute  instances create shielded-1 --zone=us-central1-a --machine-type=n1-standard-1 --no-service-account --no-scopes --image=ubuntu-1804-bionic-v20191002 --image-project=gce-uefi-images --no-shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring\n```\n\n\u003e note, you may need to update `--image=`\n\n#### Installing tpm2_tools, golang\n\n- Install golang\n\n- Install `tpm2_tools`:\n\n  - [tpm2-tss/INSTALL](https://github.com/tpm2-software/tpm2-tss/blob/master/INSTALL.md)\n  - [tpm2-tools/INSTALL](https://github.com/tpm2-software/tpm2-tools/blob/master/INSTALL.md)\n\neither from debian-testing\n\n```\n$ vi /etc/apt/sources.list\n  deb http://http.us.debian.org/debian/ testing non-free contrib main\n\n\n$ export DEBIAN_FRONTEND=noninteractive \n$ apt-get update \u0026\u0026 apt-get install libtpm2-pkcs11-1 tpm2-tools libengine-pkcs11-openssl opensc -y\n\n```\n\nor from source:\n\n```bash\napt-get update\n\napt -y install   autoconf-archive   libcmocka0   libcmocka-dev   procps   iproute2   build-essential   git   pkg-config   gcc   libtool   automake   libssl-dev   uthash-dev   autoconf   doxygen  libcurl4-openssl-dev dbus-x11 libglib2.0-dev libjson-c-dev acl\n```\n\n```bash\ncd\ngit clone https://github.com/tpm2-software/tpm2-tss.git\n  cd tpm2-tss\n  ./bootstrap\n  ./configure --with-udevrulesdir=/etc/udev/rules.d\n  make -j$(nproc)\n  make install\n  udevadm control --reload-rules \u0026\u0026 sudo udevadm trigger\n  ldconfig\n\n## to enable tss debug, set\n### export TSS2_LOG=esys+debug\n```\n\n```bash\ncd\ngit clone https://github.com/tpm2-software/tpm2-tools.git\n  cd tpm2-tools\n  ./bootstrap\n  ./configure\n  make check\n  make install\n```\n\n\n#### Install tpm2-tss openssl engine (openssl1.x)\n\nThis step is optional an only do this if you intend to use openssl w/ the TPM as the `engine`\n\n\n```bash\ncd\ngit clone https://github.com/tpm2-software/tpm2-tss-engine.git\n  cd tpm2-tss-engine\n  ./bootstrap\n  ./configure\n  make -j$(nproc)\n  sudo make install\n```\n\nCheck if openssl works w/ tpm2 (optional)\n```bash\n$ openssl engine -t -c tpm2tss\n    (tpm2tss) TPM2-TSS engine for OpenSSL\n    [RSA, RAND]\n        [ available ]\n```\n\n```bash\n\nexport OPENSSL_CONF=/path/to/openssl.cnf\n\n$ openssl engine -t\n(rdrand) Intel RDRAND engine\n     [ available ]\n(dynamic) Dynamic engine loading support\n     [ unavailable ]\n(tpm2tss) TPM2-TSS engine for OpenSSL\n     [ available ]\n```\n- `openssl.cnf`\n  \n```conf\n[openssl_init]\nengines = engine_section\n\n[engine_section]\ntpm2tss = tpm2tss_section\n\n[tpm2tss_section]\nengine_id = tpm2tss\ndynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libtpm2tss.so\ndefault_algorithms = RSA,ECDSA\ninit = 1\n```\n\n#### Install tpm2-openssl provider (openssl3)\n\nfor openssl3 [tpm2-openssl](https://github.com/tpm2-software/tpm2-openssl) installed:\n\n```bash\nexport OPENSSL_MODULES=/usr/lib/x86_64-linux-gnu/ossl-modules/   # or wherever tpm2.so sits, eg /usr/lib/x86_64-linux-gnu/ossl-modules/tpm2.so\n\n$ openssl version\n   OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)\n\n$ openssl list --providers -provider tpm2\nProviders:\n  tpm2\n    name: TPM 2.0 Provider\n    version: 1.2.0-25-g87082a3\n    status: active\n```\n\n#### Non-root access to in-kernel resource manager `/dev/tpmrm0` usint tpm2-tss\n\nFor non-root access using tss resource manager\n\n* [tpm-udev.rules](https://github.com/tpm2-software/tpm2-tss/blob/master/dist/tpm-udev.rules)\n\n```bash\n# cat /etc/udev/rules.d/tpm-udev.rules \n# tpm devices can only be accessed by the tss user but the tss\n# group members can access tpmrm devices\nKERNEL==\"tpm[0-9]*\", TAG+=\"systemd\", MODE=\"0660\", OWNER=\"tss\"\nKERNEL==\"tpmrm[0-9]*\", TAG+=\"systemd\", MODE=\"0660\", GROUP=\"tss\"\n```\n\n```bash\nsudo usermod -a -G tss $USER\nnewgrp tss\n```\n\n#### Clear TPM objects/sessions\n```bash\n        tpm2_flushcontext --loaded-session\n        tpm2_flushcontext --saved-session\n        tpm2_flushcontext --transient-object\n```\n\n\n### mTLS with TPM\n\nGit repo demonstrating running mTLS using go-tpm and nginx webserver:\n\n- [golang TLS with Trusted Platform Module (TPM) based keys](https://github.com/salrashid123/go_tpm_https)\n\n\n### TPM based private key\n\nIf you have openssl and want to issue a cert on the TPM, \n\nusing openssl3 [tpm2-openssl](https://github.com/tpm2-software/tpm2-openssl) installed:\n\n```bash\ngit clone https://github.com/salrashid123/ca_scratchpad.git\ncd ca_scratchpad/\nmkdir -p ca/root-ca/private ca/root-ca/db crl certs\nchmod 700 ca/root-ca/private\ncp /dev/null ca/root-ca/db/root-ca.db\ncp /dev/null ca/root-ca/db/root-ca.db.attr\n\necho 01 \u003e ca/root-ca/db/root-ca.crt.srl\necho 01 \u003e ca/root-ca/db/root-ca.crl.srl\n\nexport SAN=single-root-ca\n\nopenssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \\\n      -pkeyopt rsa_keygen_pubexp:65537 -out ca/root-ca/private/root-ca.key\n\nopenssl req -new  -config single-root-ca.conf  -key ca/root-ca/private/root-ca.key \\\n   -out ca/root-ca.csr  \n\nopenssl ca -selfsign     -config single-root-ca.conf  \\\n   -in ca/root-ca.csr     -out ca/root-ca.crt  \\\n   -extensions root_ca_ext\n\nexport NAME=tpms\nexport SAN=\"DNS:server.domain.com\"\nopenssl genpkey -provider tpm2 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \\\n      -pkeyopt rsa_keygen_pubexp:65537 -out certs/$NAME.key\n\nopenssl req -new  -provider tpm2 -provider default \\\n      -config single-root-ca.conf   -out certs/$NAME.csr \\\n          -key certs/$NAME.key   -subj \"/C=US/O=Google/OU=Enterprise/CN=server.domain.com\"\n\nopenssl ca \\\n    -config single-root-ca.conf \\\n    -in certs/$NAME.csr \\\n    -out certs/$NAME.crt \\\n    -extensions server_ext\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Ftpm2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsalrashid123%2Ftpm2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Ftpm2/lists"}