A command-line tool to verify the authenticity of a TPM (Trusted Platform Module) by validating its Endorsement Key (EK) certificate against a trusted bundle of TPM manufacturer root certificates.
Important
This tool is at an early stage and it is difficult to test it on a wide range of hardware. That is why I would greatly appreciate feedback from users: don't hesitate to open an issue if you encounter problems or have suggestions!
This project demonstrates the utility of tpm-ca-certificates, which provides a single bundle centralizing TPM manufacturer root certificates, making TPM validation straightforward and secure.
Note
If you want to know how security is ensured, please read tpm-ca-certificates' core concepts.
- 📚 Read-only TPM operations: no writes to the TPM, purely verification
- ✅ Latest EK specifications: supports high-range handles and EK certificate chains
- 📜 Uses tpm-ca-certificates: leverages native library features
  - Centralized trust roots provided by TPM manufacturers
  - Bundle integrity verification
  - Auto-update of the trust bundle
- 🔒 Revocation checking: tpm-trust will by default check whether any certificate in the EK's chain has been revoked
- 🪶 Zero additional dependencies: install tpm-trust and you are ready to go!
## Installation

Using `go install`:

```shell
go install github.com/loicsikidi/tpm-trust@latest
```

From source:

```shell
git clone https://github.com/loicsikidi/tpm-trust.git
cd tpm-trust
go build -o tpm-trust
sudo mv tpm-trust /usr/local/bin/
```

For reproducible, declarative installations, use Nix: update your `shell.nix` with the following content:

```nix
{ pkgs ? import <nixpkgs> {} }:
let
  tpm-trust = import (fetchTarball "https://github.com/loicsikidi/tpm-trust/archive/main.tar.gz") {};
in
pkgs.mkShell {
  buildInputs = [
    tpm-trust
  ];
}
```

tpm-trust is available in the AUR and can be installed with `paru -S tpm-trust-git`.
## Shell completion

tpm-trust provides shell completion for bash, zsh, and fish. Enable it for a smoother experience.

For bash:

```shell
# Load completion for the current session
source <(tpm-trust completion bash)
# Add to your ~/.bashrc for persistent completion
echo 'source <(tpm-trust completion bash)' >> ~/.bashrc
```

For zsh:

```shell
# Load completion for the current session
source <(tpm-trust completion zsh)
# Add to your ~/.zshrc for persistent completion
echo 'source <(tpm-trust completion zsh)' >> ~/.zshrc
```

For fish:

```shell
# Load completion for the current session
tpm-trust completion fish | source
# Add to your fish config for persistent completion
tpm-trust completion fish > ~/.config/fish/completions/tpm-trust.fish
```

Note: when installing via Nix, shell completions are automatically installed to the appropriate directories and should work out of the box.
## Usage

Verify your TPM's authenticity:

```shell
tpm-trust audit
```

Tip
Linux: if the TPM device needs privileged access, the CLI will automatically ask for elevated permissions using sudo 💫.
Windows: you must run the CLI from an administrator terminal (Run as Administrator) to access the TPM device.

If CRL endpoints are unavailable or you want to skip revocation checking:

```shell
tpm-trust audit --skip-revocation-check
```

With this flag a revoked certificate in the EK's chain is no longer detected, so use it only when you accept that gap.

Enable detailed logging to see each validation step:

```shell
tpm-trust audit --verbose
```

Exit codes:

- 0: TPM is trusted and verification succeeded
- 1: TPM is not trusted or validation failed
Display TPM information (manufacturer, model, firmware, supported key types, etc.):

```shell
tpm-trust info
```

List available key types:

```shell
tpm-trust certificates list
```

Get certificate details for a specific key type:

```shell
tpm-trust certificates get $KTY
```

Print the version:

```shell
tpm-trust version
```

## Requirements

- Platform: Linux or Windows with TPM 2.0
  - Linux: privileged access will be requested automatically via sudo if needed
  - Windows: must be run from an administrator terminal (Run as Administrator)
- Internet connection (for initial setup):
  - Download and verify the trust bundle from tpm-ca-certificates
  - Fetch CRLs (if revocation checking is enabled)
  - Download intermediate certificates (if needed)
## Verified hardware

The following TPM devices have been successfully verified using `tpm-trust audit`:
| Manufacturer | Model | Revision | Firmware |
|---|---|---|---|
| Nuvoton Technology (NTC) | NPCT75x | 1.59 | 7.2 |
Note
If you've successfully verified your TPM with tpm-trust and don't see your hardware in the table above, please consider creating a PR to add it!
## How to find your TPM information

To add your TPM to this list, follow these steps:

1. List available key types:

   ```shell
   tpm-trust certificates list
   ```

   This will show the available key types (kty) on your TPM (e.g., `rsa-2048`, `ecc-nist-p384`).

2. List certificates for a specific key type:

   ```shell
   tpm-trust certificates get <kty>
   ```

   Replace `<kty>` with one of the key types from step 1 (e.g., `tpm-trust certificates get rsa-2048`).

3. Find the TPM Model from the SAN (Subject Alternative Name):

   In the certificate output, look for the `X509v3 Subject Alternative Name` section. The `TPM Model` field contains your TPM model (e.g., `NPCT75x`).

4. Get manufacturer, revision, and firmware:

   ```shell
   tpm-trust info
   ```

   This command will display the manufacturer name, revision, and firmware version.
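Step 3 has you read the `TPM Model` field out of the certificate's Subject Alternative Name by eye. The Go program below is an added example, not tpm-trust's own code: it builds a constructed, self-signed certificate whose SAN carries the TCG EK Credential Profile attributes (tcg-at-tpmManufacturer 2.23.133.2.1, tcg-at-tpmModel 2.23.133.2.2, tcg-at-tpmVersion 2.23.133.2.3) in a directoryName entry, then extracts them with encoding/asn1, because Go's x509 parser silently drops directoryName SAN entries. Only the model value comes from the table above; the manufacturer and version strings are placeholders in the profile's `id:<hex>` format, and the type and function names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// X.509 SAN extension OID and the TCG EK Credential Profile attribute OIDs.
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
var oidTPMManufacturer = asn1.ObjectIdentifier{2, 23, 133, 2, 1} // tcg-at-tpmManufacturer
var oidTPMModel = asn1.ObjectIdentifier{2, 23, 133, 2, 2}        // tcg-at-tpmModel
var oidTPMVersion = asn1.ObjectIdentifier{2, 23, 133, 2, 3}      // tcg-at-tpmVersion

// TPMIdentity is the triple an EK certificate's SAN directoryName carries.
type TPMIdentity struct{ Manufacturer, Model, Version string }

// SampleEKIdentity is constructed data: the model is the one in the table above;
// the "id:<hex>" strings are placeholders that only follow the profile's format.
var SampleEKIdentity = TPMIdentity{Manufacturer: "id:4E544300", Model: "NPCT75x", Version: "id:00070002"}

// ParseEKSubjectAltName pulls the TPM attributes out of the SAN's directoryName
// ([4] EXPLICIT Name) entry. Go's x509 parser drops directoryName, so the raw
// extension value is decoded here; other GeneralName kinds are skipped.
func ParseEKSubjectAltName(cert *x509.Certificate) (id TPMIdentity, err error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue // GeneralNames ::= SEQUENCE OF GeneralName
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return id, fmt.Errorf("SAN is not valid DER: %w", err)
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 4 {
				continue
			}
			var name pkix.RDNSequence
			if _, err := asn1.Unmarshal(gn.Bytes, &name); err != nil {
				return id, fmt.Errorf("bad directoryName: %w", err)
			}
			for _, rdn := range name {
				for _, atv := range rdn {
					s, ok := atv.Value.(string)
					switch {
					case !ok:
					case atv.Type.Equal(oidTPMManufacturer):
						id.Manufacturer = s
					case atv.Type.Equal(oidTPMModel):
						id.Model = s
					case atv.Type.Equal(oidTPMVersion):
						id.Version = s
					}
				}
			}
		}
		return id, nil
	}
	return id, fmt.Errorf("certificate has no Subject Alternative Name")
}

// SampleEKCertificate self-signs a constructed certificate shaped like an EK
// cert (empty Subject, TPM attributes in a critical SAN). It chains to no
// manufacturer CA, so tpm-trust would rightly refuse to trust it.
func SampleEKCertificate() (*x509.Certificate, error) {
	// GeneralNames with a single directoryName entry, built via an explicit [4] tag.
	san, err := asn1.Marshal(struct {
		DirectoryName pkix.RDNSequence `asn1:"tag:4,explicit"`
	}{pkix.RDNSequence{
		{{Type: oidTPMManufacturer, Value: SampleEKIdentity.Manufacturer}},
		{{Type: oidTPMModel, Value: SampleEKIdentity.Model}},
		{{Type: oidTPMVersion, Value: SampleEKIdentity.Version}},
	}})
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Critical: true, Value: san}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := SampleEKCertificate()
	if err != nil {
		panic(err)
	}
	fmt.Println(ParseEKSubjectAltName(cert))
}
```

`ParseEKSubjectAltName` accepts any `*x509.Certificate`, so the DER of a real EK certificate can be passed through `x509.ParseCertificate` and then to it. It only reads the attributes; it performs no chain building or revocation checking, which is what `tpm-trust audit` does and what actually establishes trust.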
## Limitations

- Platform support: only TPM 2.0 is currently supported
  - I don't plan to support TPM 1.2 as it's largely obsolete
- Manufacturer support: tpm-ca-certificates currently only supports a limited set of TPM manufacturers. Check its documentation for the latest supported vendors.
  - If you need support for a specific TPM manufacturer, please open an issue in the tpm-ca-certificates repository.
Tip
You won't need to update tpm-trust to get the newest bundle version.
Why? Internally, tpm-trust uses the tpm-ca-certificates library, which always fetches the latest trust bundle.
## Development

```shell
nix-shell
```

This will set up a development environment with all required dependencies.

Tip
This will also add git hooks thanks to git-hooks.nix.

Build:

```shell
go build -o tpm-trust
```

Run the tests:

```shell
# alias provided by nix-shell
gotest
```

Lint:

```shell
# alias provided by nix-shell
lint
```

## License

See LICENSE file for details.

