Demystifying Trusted Platform Modules, Part 3

This is part of a 6-part series on Trusted Platform Modules. If you missed the earlier parts, be sure to check those out first!

Summit Embedded Blog: TPM Series

  1. TPM Set-up/Overview

  2. Inspect the Non-Private Contents of a TPM

  3. Store Non-Private Data (NVRAM) (this post)

  4. Encrypt & Decrypt Data

  5. Generate a Device Identity Certificate

  6. Sign Data With A Certificate

Store Non-Private Data (NVRAM)

This is a quick post (because TPMs are so simple to use!). In Parts 1 & 2, we set up a Raspberry Pi with an OPTIGA SLB9670 TPM 2.0 eval board. Then we poked around and got familiar with the concept of "handles" in TPMs. Now let's write something of our own to a new handle in non-volatile memory:

First we reserve our own handle with:

sudo tpm2_nvdefine 0x01000000 -C o -s 32 -a "ownerread|ownerwrite|authread|authwrite";

That reserves 32 bytes at NV index 0x01000000. The `-C o` authorizes the definition through the owner hierarchy, a permissions structure that's beyond the scope of this tutorial; there's a brief overview of hierarchies in the Appendix of Part 2, but we'll skip over them here. The attribute string says the index may be read and written either with owner authorization (ownerread|ownerwrite) or with the index's own auth value (authread|authwrite). We never set that auth value, so it is empty: this is genuinely non-private data, and anything that can talk to the TPM can read it. Let's write to our new handle:

echo -n "Summit was here in NVRAM." | sudo tpm2_nvwrite -C o -i - 0x01000000;

Now read it back with:

sudo tpm2_nvread 0x01000000; echo;

That’s it! You’ve saved data to non-volatile memory and can read it back. In our next post, we’ll store a similar string in an encrypted format.
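The same define/write/read procedure, wrapped in a script with the checks a practitioner wants around it. This is an added example, not code from the Summit post or from tpm2-tools. It assumes the tpm2-tools 4.x/5.x command syntax the post uses, keeps the post's index 0x01000000 and 32-byte size, and expects to be run as root or as a user that can open the TPM device (the post uses sudo). The function names, the `demo` argument and the sample string are this example's own choices; the two pure helpers run without a TPM.

```shell
#!/bin/bash
# Added example (not the original post's code): define, write, read back and
# undefine an NV index with tpm2-tools, with the checks the post skips.
# Assumes tpm2-tools 4.x/5.x syntax and a reachable TPM when run with "demo".
set -eu

NV_INDEX=0x01000000                 # index used throughout the post
NV_SIZE=32                          # bytes reserved with -s 32
NV_ATTRS="ownerread|ownerwrite|authread|authwrite"

# TPM 2.0 NV index handles live in the 0x01xxxxxx range (handle type 0x01).
# Returns 0 when the handle is an NV index, 1 otherwise (no TPM needed).
nv_index_ok() {
    [ $(( $1 >> 24 )) -eq 1 ]
}

# tpm2_nvwrite past the defined size is rejected by the TPM (NV_RANGE), so
# check the byte length of the payload, not its character count, first.
nv_payload_fits() {
    local bytes
    bytes=$(printf '%s' "$1" | wc -c | tr -d ' ')
    [ "$bytes" -le "$2" ]
}

# Define the index only if it does not already exist: re-running
# tpm2_nvdefine on a defined index fails with NV_DEFINED.
nv_define_once() {
    if tpm2_nvreadpublic "$NV_INDEX" >/dev/null 2>&1; then
        echo "index $NV_INDEX already defined, reusing it"
    else
        tpm2_nvdefine "$NV_INDEX" -C o -s "$NV_SIZE" -a "$NV_ATTRS"
    fi
}

# Write the string with owner authorization, exactly as the post does.
nv_write_string() {
    if ! nv_payload_fits "$1" "$NV_SIZE"; then
        echo "payload exceeds $NV_SIZE bytes, refusing to write" >&2
        return 1
    fi
    printf '%s' "$1" | tpm2_nvwrite -C o -i - "$NV_INDEX"
}

# Read back only the bytes we wrote (-s), using the index's own auth value,
# which is empty because no -p was given to tpm2_nvdefine.
nv_read_string() {
    tpm2_nvread -s "$1" "$NV_INDEX"
}

# Release the index again so the demo can be re-run from scratch.
nv_cleanup() {
    tpm2_nvundefine -C o "$NV_INDEX"
}

if [ "${1:-}" = "demo" ]; then
    msg="Summit was here in NVRAM."
    nv_index_ok "$NV_INDEX"
    nv_define_once
    nv_write_string "$msg"
    got=$(nv_read_string "$(printf '%s' "$msg" | wc -c | tr -d ' ')")
    if [ "$got" = "$msg" ]; then
        echo "round-trip OK: $got"
    else
        echo "round-trip FAILED" >&2
    fi
    nv_cleanup
fi
```

Run it as `sudo ./nvdemo.sh demo` (any filename works). Passing `-s` to tpm2_nvread matters: without it the tool returns all 32 bytes of the index, not just the 25 you wrote. If you want the index to be readable only by holders of a secret, give tpm2_nvdefine a `-p` auth value and drop the owner* attributes; that is the boundary between this post and the next one.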
