35

Wanting to play around with Trusted Platform Module stuff, I installed TrouSerS and tried to start tcsd, but I got this error:

```
TCSD TDDL ERROR: Could not find a device to open!
```

However, my kernel has multiple TPM modules loaded:

```
# lsmod | grep tpm
tpm_crb                16384  0
tpm_tis                16384  0
tpm_tis_core           20480  1 tpm_tis
tpm                    40960  3 tpm_tis,tpm_crb,tpm_tis_core
```

So, how do I determine if my computer is lacking TPM vs TrouSerS having a bug?

Neither `dmidecode` nor `cpuid` output anything about "tpm" or "trust". Looking in `/var/log/messages`, on the one hand I see `rngd: /dev/tpm0: No such file or directory`, but on the other hand I see `kernel: Initialise system trusted keyrings` and according to this kernel doc trusted keys use TPM.

EDIT: My computer's BIOS setup menus mention nothing about TPM.

Also, looking at /proc/keys:

```
# cat /proc/keys
******** I--Q---     1 perm 1f3f0000     0 65534 keyring   _uid_ses.0: 1
******** I--Q---     7 perm 3f030000     0     0 keyring   _ses: 1
******** I--Q---     3 perm 1f3f0000     0 65534 keyring   _uid.0: empty
******** I------     2 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 1
******** I------     1 perm 1f0b0000     0     0 keyring   .system_blacklist_keyring: empty
******** I------     1 perm 1f0f0000     0     0 keyring   .secondary_trusted_keys: 1
******** I------     1 perm 1f030000     0     0 asymmetri Fedora kernel signing key: 34ae686b57a59c0bf2b8c27b98287634b0f81bf8: X509.rsa b0f81bf8 []
```
Matthew Cline
  • 1
    The TPM is typically described by the ACPI tables set up by the BIOS. If `dmesg | grep -w tpm` doesn't give messages about initializing a TPM then you haven't got one which is recognised by the kernel. Most laptops and desktops don't have TPMs; they are pretty standard on machines sold as servers (i.e. things big enough to run IPMI), and also on Chromebooks where they are part of the security story. – icarus Feb 01 '17 at 01:17
  • 4
    To play, IBM developed a [soft TPM](https://sourceforge.net/projects/ibmswtpm/) you can compile and run, and there is also [this](https://github.com/PeterHuewe/tpm-emulator) easier-to-use emulator. – meuh Feb 01 '17 at 10:31

2 Answers

41

TPMs don't necessarily appear in the ACPI tables, but the modules do print a message when they find a supported module; for example

```
[  134.026892] tpm_tis 00:08: 1.2 TPM (device-id 0xB, rev-id 16)
```

So `dmesg | grep -i tpm` is a good indicator.

The definitive indicator is your firmware's setup tool: TPMs involve ownership procedures which are managed from the firmware setup. If your setup doesn't mention anything TPM-related then you don't have a TPM.

TPMs were initially found in servers and business laptops (and ChromeBooks, as explained by icarus), and were rare in desktops or "non-business" laptops; that’s changed over the last few years, and Windows 11 requires a TPM now. Anything supporting Intel TXT has a TPM.

Stephen Kitt
  • 3
    Year 2020 update: Most newly manufactured PCs, even consumer models, are now shipping with a TPM. Microsoft [officially recommends them](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations) in all new PCs, and a growing number of Windows features require it. – Lily Finley Mar 28 '20 at 10:40
  • 2
    My SLIMBOOK Pro X 15 (on kernel 5.13) does not show anything when I do `dmesg | grep -i tpm`; however, `cat /sys/class/tpm/tpm*/tpm_version_major` says "2". – retromuz Aug 08 '21 at 01:26
29

You can also detect it via sysfs:

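```
# Quote the substitution: with no match it is empty, and an unquoted
# empty argument leaves `[ -d ]`, which always succeeds.
[ -d "$(ls -d /sys/kernel/security/tpm* 2>/dev/null | head -1)" ] && \
    echo "TPM available" || echo "TPM missing"
```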

And since kernel 5.6 (commit 7084eddf6be9 tpm: Add tpm_version_major sysfs file), the version can be detected with a sysfs file:

```
$ cat /sys/class/tpm/tpm*/tpm_version_major
1
```

NOTE: some TPMs don't export sysfs (firmware bug).

Another way is to check for `/dev/tpm0` or `/dev/tpmrm0`. All TPM devices should have `/dev/tpm0`. `/dev/tpmrm0` is only for TPM 2.0, but it was added in v4.12-rc1 (fdc915f7f719 tpm: expose spaces via a device link /dev/tpmrm):

```
[ -c /dev/tpmrm0 ] && echo "TPM 2.0" # since v4.12-rc1

[ -c /dev/tpm0 ] && echo "TPM 1.2 or 2.0"
```
pevik
  • First check fails but last two succeed on my system. – Matt F. Oct 21 '21 at 21:18
  • The first check always returns true, I'd suggest using something like: `[ ! -z "$(ls /dev/tpm* 2>/dev/null)" ] && echo "TPM available" || echo "TPM missing"` – Tombart Mar 01 '23 at 09:11
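
The checks from the answers and comments above combined into one function, as an added example that is not part of the original posts: it reads `tpm_version_major` from sysfs first, falls back to the `/dev/tpmrm0` and `/dev/tpm0` character devices, and loops over the glob so that a non-matching pattern cannot make the test succeed. The `tpm_detect` name and its optional root-prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report TPM presence from sysfs and device nodes.
# The optional argument is a path prefix (hypothetical, empty on a live
# system) so the logic can be run against a constructed directory tree.

tpm_detect() {
    root="${1:-}"
    found=""

    # Kernel >= 5.6: /sys/class/tpm/tpmN/tpm_version_major holds 1 or 2.
    # An unmatched glob stays a literal string here, so the -r test
    # fails cleanly instead of collapsing to a one-argument `[`.
    for f in "$root"/sys/class/tpm/tpm*/tpm_version_major; do
        [ -r "$f" ] || continue
        major=$(cat "$f")
        [ -n "$major" ] || continue
        found="TPM major version $major (sysfs)"
        break
    done

    # Older kernels, or TPMs that do not export sysfs: fall back to the
    # device nodes. -c requires a character device, so a stray regular
    # file with the same name is not mistaken for a TPM.
    if [ -z "$found" ]; then
        if [ -c "$root/dev/tpmrm0" ]; then
            found="TPM 2.0 (/dev/tpmrm0)"      # node exists since v4.12-rc1
        elif [ -c "$root/dev/tpm0" ]; then
            found="TPM 1.2 or 2.0 (/dev/tpm0)"
        fi
    fi

    if [ -n "$found" ]; then
        echo "$found"
        return 0
    fi
    echo "TPM missing"
    return 1
}

# Live system: call `tpm_detect` with no argument.
```

The exit status is 0 when a TPM is found and 1 otherwise, so the function can gate later steps such as starting `tcsd`.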