🧿 Simple tool able to certify if a TPM is a real one
tpm-trust

A command-line tool to verify the authenticity of a TPM (Trusted Platform Module) by validating its Endorsement Key (EK) certificate against a trusted bundle of TPM manufacturer root certificates.

Important

This tool is at an early stage, and it is difficult to test it on a wide range of hardware. That's why I would highly appreciate any feedback from users: don't hesitate to open an issue if you encounter any problems or have suggestions!

Motivation

This project demonstrates the utility of tpm-ca-certificates, which provides a single bundle centralizing TPM manufacturer root certificates, making TPM validation straightforward and secure.

Note

If you want to know how security is ensured, please read the core concepts of tpm-ca-certificates.

Primitives

  • 📚 Read-only TPM operations: No writes to the TPM, purely verification
  • 📜 Uses tpm-ca-certificates: Leverages native library features
    • Centralized trust roots provided by TPM manufacturers
    • Bundle integrity verification
    • Auto-update of the trust bundle
  • 🔒 Revocation Checking: by default, tpm-trust checks whether any certificate in the EK's chain has been revoked
  • 🪶 Zero Additional Dependencies: install tpm-trust and you are ready to go!
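As an added illustration (not code from tpm-trust or tpm-ca-certificates), here is how the two checks described above look with Go's standard library: chain the EK certificate to a manufacturer root from the trust bundle, then consult a CRL signed by the EK's issuer. VerifyEK, ConstructedChain, the serial numbers and the certificate names are all constructed for this example; the throwaway root stands in for the tpm-ca-certificates bundle.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// VerifyEK performs the audit described above: chain the EK certificate to a manufacturer root from the
// trust bundle and, unless skipRevocation is set (--skip-revocation-check), reject an EK listed in its issuer's CRL.
func VerifyEK(ek *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, skipRevocation bool) error {
	// EK certs carry the TCG EK extended key usage, which Go does not know; without ExtKeyUsageAny Verify fails.
	chains, err := ek.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil || skipRevocation {
		return err
	}
	// chains[0][1] is the EK's issuer: a CRL it did not sign, or one past its NextUpdate, proves nothing.
	if crl == nil || crl.NextUpdate.Before(time.Now()) || crl.CheckSignatureFrom(chains[0][1]) != nil {
		return errors.New("no fresh CRL signed by the EK issuer is available")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(ek.SerialNumber) == 0 {
			return errors.New("EK certificate has been revoked")
		}
	}
	return nil
}

// ConstructedChain is fixed test data standing in for the bundle and a CRL endpoint: a throwaway root, the
// EK (serial 4242) it issued and a root-signed CRL listing revokedSerial. One key is reused and errors dropped.
func ConstructedChain(revokedSerial int64) (ek, root *x509.Certificate, crl *x509.RevocationList) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	now, day := time.Now(), 24*time.Hour
	root = &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed TPM Root CA"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(day), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, root, root, key.Public(), key)
	root, _ = x509.ParseCertificate(rootDER) // reparsed so the generated SubjectKeyId is present
	ekDER, _ := x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Constructed EK"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(day), UnknownExtKeyUsage: []asn1.ObjectIdentifier{{2, 23, 133, 8, 1}}}, root, key.Public(), key)
	ek, _ = x509.ParseCertificate(ekDER)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(day),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}, root, key)
	crl, _ = x509.ParseRevocationList(crlDER)
	return ek, root, crl
}
```

The OID 2.23.133.8.1 on the EK is tcg-kp-EKCertificate from the TCG EK Credential Profile; real audits fetch the CRL from the issuer's CRL distribution point rather than constructing it.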

Demo

Usage

Installation

Using Go Install

go install github.com/loicsikidi/tpm-trust@latest

From Source

git clone https://github.com/loicsikidi/tpm-trust.git
cd tpm-trust
go build -o tpm-trust
sudo mv tpm-trust /usr/local/bin/

Using Nix

For reproducible, declarative installations, use Nix and update your shell.nix with the following content:

{ pkgs ? import <nixpkgs> {} }:

let
  tpm-trust = import (fetchTarball "https://github.com/loicsikidi/tpm-trust/archive/main.tar.gz") {};
in
pkgs.mkShell {
  buildInputs = [
    tpm-trust
  ];
}

Shell Completion

tpm-trust provides shell completion for bash, zsh, and fish. Enable it for a smoother experience:

For bash:

# Load completion for the current session
source <(tpm-trust completion bash)

# Add to your ~/.bashrc for persistent completion
echo 'source <(tpm-trust completion bash)' >> ~/.bashrc

For zsh:

# Load completion for the current session
source <(tpm-trust completion zsh)

# Add to your ~/.zshrc for persistent completion
echo 'source <(tpm-trust completion zsh)' >> ~/.zshrc

For fish:

# Load completion for the current session
tpm-trust completion fish | source

# Add to your fish config for persistent completion
tpm-trust completion fish > ~/.config/fish/completions/tpm-trust.fish

Note: when installing via Nix, shell completions are automatically installed to the appropriate directories and should work out of the box.

Audit command

Verify your TPM's authenticity:

tpm-trust audit

Tip

Linux: If the TPM device needs privileged access, the CLI will automatically ask for elevated permissions using sudo 💫.

Windows: You must run the CLI from an administrator terminal (Run as Administrator) to access the TPM device.

Skip Revocation Check

If CRL endpoints are unavailable or you want to skip revocation checking:

tpm-trust audit --skip-revocation-check

Verbose Output

Enable detailed logging to see each validation step:

tpm-trust audit --verbose

Exit Codes

  • 0: TPM is trusted and verification succeeded
  • 1: TPM is not trusted or validation failed

Version command

tpm-trust version

Requirements

  • Platform: Linux or Windows with TPM 2.0
    • Linux: Privileged access will be requested automatically via sudo if needed
    • Windows: Must be run from an administrator terminal (Run as Administrator)
  • Internet Connection (for initial setup):
    • Download and verify the trust bundle from tpm-ca-certificates
    • Fetch CRLs (if revocation checking is enabled)
    • Download intermediate certificates (if needed)

Known Limitations

  • Platform Support: Only TPM 2.0 is currently supported
    • I don't plan to support TPM 1.2 as it's largely obsolete
  • External EK Certificate URLs: AMD and Intel TPMs that store EK certificates externally (via URL) are not yet supported due to lack of test hardware
    • If you have AMD/Intel hardware and would like to help test this feature, please open an issue or contact me directly via mail at rat_9_epics@icloud.com
  • tpm-ca-certificates currently only supports a limited set of TPM manufacturers. Check its documentation here for the latest supported vendors.
    • If you need support for a specific TPM manufacturer, please open an issue in the tpm-ca-certificates repository.

Tip

You won't need to update tpm-trust to get the newest bundle version.

Why? Internally, tpm-trust uses the tpm-ca-certificates library, which always fetches the latest trust bundle.

Development

Prerequisites

nix-shell

This will set up a development environment with all required dependencies.

Tip

This will also add git hooks thanks to git-hooks.nix.

Building

go build -o tpm-trust

Testing

# alias provided by nix-shell
gotest

Lint

# alias provided by nix-shell
lint

License

See LICENSE file for details.
