Berkner Tech

TPM-Backed Security for Embedded Linux

Using a TPM on embedded Linux, from provisioning to releasing a secret only on a good boot state

A Trusted Platform Module gives an embedded Linux device something a bare MCU cannot: the ability to tie a secret to the exact software that booted. Tamper with the bootloader or kernel and the TPM simply will not hand the secret over. Here is how to use a TPM on embedded Linux and what it actually buys you.

What Measured Boot Buys You

As each stage boots, it hashes the next into the TPM’s platform configuration registers (PCRs) before handing off. The final PCR values are a fingerprint of exactly what ran. Seal a secret to those values and it becomes readable only when the same software boots again.

Step 1: Read the Boot Measurements

The PCRs reflect what booted. Reading them shows the values that any sealing policy will be checked against:

[Figure: anatomy of a tpm2_unseal command bound to a PCR boot-state policy on embedded Linux]

tpm2_pcrread sha256:0,1,7

Example output
sha256:
  0 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
  1 : 0x9E8C4B...
  7 : 0xB2A1F0...

Step 2: Seal and Unseal a Secret

Seal a disk-encryption key to those PCRs. On a clean boot it unseals; after tampering it does not:

# good boot
tpm2_unseal -c sealed.ctx -p pcr:sha256:0,1,7

Example output
3a7f2e9c...   # secret released

# after the bootloader was modified
tpm2_unseal -c sealed.ctx -p pcr:sha256:0,1,7

Example output
ERROR: tpm:policy fail: PCR values do not match the sealing policy

Same command, two outcomes. A modified boot chain changes the PCRs, the policy fails, and the secret stays locked. That is the protection a TPM provides that a plain key store cannot.
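To show why the same command yields two outcomes, here is an added offline model (not code from the original article or from tpm2-tools) of the check the TPM performs: it computes the TPM2_PolicyPCR digest the way the TPM does for sha256:0,1,7, which is the digest tpm2_createpolicy records as the sealed object's authPolicy, and shows that a changed PCR 0 produces a different digest so unsealing is refused. The PCR values and the secret are constructed stand-ins, and the 3-byte PCR selection bitmap assumes a 24-PCR TPM.

```python
import hashlib
import struct

# From the TPM 2.0 Library spec, Part 2: command code and hash algorithm id.
TPM_CC_POLICYPCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
PCR_SELECT_BYTES = 3  # assumption: a 24-PCR TPM, hence a 3-byte selection bitmap

def pcr_selection(pcrs):
    """Marshal a one-bank TPML_PCR_SELECTION, e.g. for the page's sha256:0,1,7."""
    bitmap = bytearray(PCR_SELECT_BYTES)
    for i in pcrs:
        bitmap[i // 8] |= 1 << (i % 8)
    # count (UINT32) || hashAlg (UINT16) || sizeofSelect (UINT8) || pcrSelect bitmap
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, PCR_SELECT_BYTES) + bytes(bitmap)

def policy_pcr_digest(pcr_values, pcrs):
    """Digest after TPM2_PolicyPCR from the all-zero start digest (Part 3, 23.7):
    H(old || TPM_CC_PolicyPCR || pcrs || H(selected PCR values in index order))."""
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in sorted(pcrs))).digest()
    msg = bytes(32) + struct.pack(">I", TPM_CC_POLICYPCR) + pcr_selection(pcrs) + pcr_digest
    return hashlib.sha256(msg).digest()

def unseal(auth_policy, current_pcrs, pcrs, sealed_secret):
    """The check behind tpm2_unseal: the session's policy digest must equal the
    sealed object's authPolicy, otherwise the TPM returns a policy failure."""
    if policy_pcr_digest(current_pcrs, pcrs) != auth_policy:
        raise PermissionError("policy fail: PCR values do not match the sealing policy")
    return sealed_secret

# Constructed sample state: stand-ins for the measurements a real boot chain extends.
PCRS = [0, 1, 7]
GOOD_BOOT = {
    0: hashlib.sha256(b"bootloader v1").digest(),
    1: hashlib.sha256(b"platform config").digest(),
    7: hashlib.sha256(b"secure boot policy").digest(),
}
TAMPERED_BOOT = {**GOOD_BOOT, 0: hashlib.sha256(b"bootloader v1 (modified)").digest()}
SECRET = b"constructed disk-encryption key"

def demo():
    """Seal at the good state, then try to unseal from both states."""
    auth_policy = policy_pcr_digest(GOOD_BOOT, PCRS)  # what tpm2_createpolicy would produce
    released = unseal(auth_policy, GOOD_BOOT, PCRS, SECRET)
    try:
        unseal(auth_policy, TAMPERED_BOOT, PCRS, SECRET)
        refused = None
    except PermissionError as err:
        refused = str(err)
    return released, refused
```

Re-sealing after a legitimate update is the same computation with the new PCR values; the old authPolicy will not match them, which is why sealing to many PCRs breaks on every benign change.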

Three Things a TPM Gives You

Beyond sealed storage, a TPM underpins measured boot and attestation:

[Figure: three things a TPM gives an embedded Linux device: sealed storage, measured boot, and attestation]

Using a TPM Well

Seal disk-encryption and identity keys to a conservative set of PCRs, plan for legitimate updates by re-sealing when measured components change, and use attestation if a backend needs proof of device state. The common mistake is sealing to too many PCRs, which breaks on every benign update.

Where This Fits

Reviewing how a device uses measured boot, sealing, and attestation is part of an embedded Linux product security assessment. That review is the kind of work we do at Berkner Tech.
