Beta version

Scope of this post

From Wikipedia: Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.
In this post I will describe how to take ownership of and use a TPM (1.2 implementation) from a running filesystem (initramfs or rootfs, built with Buildroot) on an embedded Linux platform, as distinct from using the TPM on other platforms (e.g. your Windows laptop) or in earlier boot stages (BIOS/first bootloader and second bootloader).
I’m assuming you know how to build your own image.

Many thanks to Sami Pietikäinen from PAGE FAULT BLOG for giving me a quick start with TPM.

Configuring the kernel

Device tree

From Wikipedia: a device tree (also written devicetree) is a data structure describing the hardware components of a particular computer so that the operating system’s kernel can use and manage those components.
In other words, the devicetree translates the hardware schematic into code that the OS can read.
Since the TPM is a hardware component (a microcontroller), we need to tell the OS that it exists and how to manage it. You can find documentation on the syntax of the TPM node in the devicetree in the kernel source tree:

Documentation/devicetree/bindings/security/tpm/

Device driver

For TPM hardware support and access from within Linux, you can search the kernel menuconfig for:

CONFIG_TCG_TPM

and say Yes to (check) the first result.

Configuring Buildroot

In order to be able to access and use the TPM, we need to configure Buildroot to build (among other packages) INIT_SYSV and tpm-tools.
INIT_SYSV - when enabling and activating the TPM, you should be in single-user mode (runlevel 1). This package is required only for activating the TPM; once you have activated the TPM, you can switch back to the BusyBox init.
tpm-tools - tools to manage and diagnose a TPM; this package selects TrouSerS (tcsd), the daemon that manages Trusted Computing resources, and OpenSSL.
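The kernel and Buildroot options above are easy to lose when a defconfig is regenerated, and the symptom on the target (no /dev/tpm0, or no tcsd binary) only shows up after flashing. The following pre-flight check is an added example, not part of the original post: it scans a kernel .config and a Buildroot .config for the symbols this post depends on. CONFIG_TCG_TPM, BR2_INIT_SYSV, BR2_PACKAGE_TPM_TOOLS and BR2_PACKAGE_TROUSERS are the real Kconfig names; the list of bus interface drivers (CONFIG_TCG_TIS and friends) is an assumption about how the TPM is attached and should be trimmed to the board. The two sample .config files at the bottom are constructed for the offline run.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check of the kernel
# and Buildroot .config files for the options the post relies on.

# Print every SYMBOL (args 2..n) that is not set to y or m in config file $1.
missing_symbols() {
    cfg="$1"; shift
    for sym in "$@"; do
        grep -Eq "^${sym}=(y|m)$" "$cfg" || echo "$sym"
    done
}

# Print nothing if at least one SYMBOL (args 2..n) is set in config file $1;
# otherwise print the whole alternative list joined with '|'.
any_symbol() {
    cfg="$1"; shift
    for sym in "$@"; do
        grep -Eq "^${sym}=(y|m)$" "$cfg" && return 0
    done
    echo "$*" | tr ' ' '|'
}

# Kernel: the core TPM driver (CONFIG_TCG_TPM, as in the post) plus at least
# one bus interface driver. The interface list is an assumption; keep only
# the one that matches how the TPM is wired on the board.
check_kernel() {
    missing_symbols "$1" CONFIG_TCG_TPM
    any_symbol "$1" CONFIG_TCG_TIS CONFIG_TCG_TIS_SPI CONFIG_TCG_TIS_I2C_INFINEON \
                    CONFIG_TCG_TIS_I2C_ATMEL CONFIG_TCG_TIS_I2C_NUVOTON
}

# Buildroot: SysV init for runlevel 1, tpm-tools, and the TrouSerS daemon it
# selects (listed explicitly so a hand-edited .config is caught as well).
check_buildroot() {
    missing_symbols "$1" BR2_INIT_SYSV BR2_PACKAGE_TPM_TOOLS BR2_PACKAGE_TROUSERS
}

# Constructed sample configs: the kernel one is complete, the Buildroot one
# still has BusyBox init selected and so should be reported.
KCFG=$(mktemp); BRCFG=$(mktemp)
cat > "$KCFG" <<'EOF'
CONFIG_TCG_TPM=y
# CONFIG_TCG_TIS is not set
CONFIG_TCG_TIS_SPI=y
EOF
cat > "$BRCFG" <<'EOF'
BR2_INIT_BUSYBOX=y
# BR2_INIT_SYSV is not set
BR2_PACKAGE_TPM_TOOLS=y
BR2_PACKAGE_TROUSERS=y
EOF

echo "kernel missing:    $(check_kernel "$KCFG")"
echo "buildroot missing: $(check_buildroot "$BRCFG")"
rm -f "$KCFG" "$BRCFG"
```

Run it on the build host against output/build/linux-*/.config and output/.config; an empty "missing" line for both means the image will carry the driver, the SysV init and the tools the rest of this post uses.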

TPM states and usage

The TPM can be in different states:

  1. Cleared: the default state, the TPM is unowned, disabled and inactive.
  2. Active: physical presence is asserted, and the TPM is enabled and active.
  3. Owned: set owner and SRK passwords.

Once the TPM is owned, you can use it to:

  1. Seal data: sending raw data to the TPM to be encrypted.
  2. Unseal data: sending encrypted data to the TPM to be decrypted.

See the tpm-tools man pages (from TrouSerS) for the full command reference.
You can add the -l (--log) flag to any of the tpm_* commands to set the logging level (none, error, info or debug).

Clearing the TPM

Run tcsd in the background:

tcsd -f -e &

Force clearing the TPM:

tpm_clear -f

Hard reset/power cycle (not just reboot from the command line) the board.

Activating the TPM

After hard reset, run again tcsd:

tcsd -f -e &

Enter single-user mode:

init 1

Allow the use of hardware signals to signal that an admin is physically present:

tpm_setpresence --enable-hw

Enable the TPM; the -f (--force) flag overrides the prompt for owner authorization and uses physical presence to authorize the action:

tpm_setenable -e -f

Make the TPM active:

tpm_setactive -a

Hard reset/power cycle the board.

Take ownership of the TPM

After hard reset, run again tcsd:

tcsd -f -e &

Set up an owner on the TPM; the -y and -z flags use the well-known secret (20 bytes of zeros) for the owner and SRK passwords respectively:

tpm_takeownership -y -z
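The three stages above (clear, activate, take ownership) each end in a power cycle, and it is easy to run a stage against a TPM that is not yet in the state the previous stage should have left it in. The script below is an added example, not part of the original post or of tpm-tools: it wraps the exact commands from the post in functions, reads the TPM 1.2 enabled/active/owned flags back from sysfs to map them onto the states listed in "TPM states and usage", refuses to run a stage out of order, and finishes with the seal/unseal round trip that section describes. It assumes tpm-tools and tcsd are installed on the target and that the kernel exposes the flags as $TPM_SYSFS/enabled, active and owned (the default path is an assumption; on some kernels they live under /sys/class/tpm/tpm0/device, in which case override TPM_SYSFS). The fake sysfs directories built at the bottom are constructed so the state decoder can be exercised on a host without a TPM.

```shell
#!/bin/sh
# Added example, not from the original post: the clear/activate/own sequence
# as guarded shell functions, with the TPM 1.2 state decoded from sysfs.

# Assumed sysfs location of the TPM 1.2 flag files; override if yours differ.
TPM_SYSFS="${TPM_SYSFS:-/sys/class/tpm/tpm0}"

# Print the value of one sysfs flag, or "?" when the file is not readable.
read_flag() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "?"; fi
}

# Decode the three flags into the states the post lists:
#   cleared - disabled and inactive (factory default, and after tpm_clear + reset)
#   active  - enabled and active, but no owner yet
#   owned   - enabled, active, and owner/SRK secrets set
tpm_state() {
    dir="${1:-$TPM_SYSFS}"
    e=$(read_flag "$dir" enabled); a=$(read_flag "$dir" active); o=$(read_flag "$dir" owned)
    case "$e$a$o" in
        000) echo cleared ;;
        110) echo active ;;
        111) echo owned ;;
        *)   echo "unknown(enabled=$e active=$a owned=$o)" ;;
    esac
}

# Refuse to run a stage unless the TPM is in the state the previous stage left.
expect_state() {
    cur=$(tpm_state)
    [ "$cur" = "$1" ] && return 0
    echo "TPM is '$cur', expected '$1' (did you power-cycle the board?)" >&2
    return 1
}

# tcsd must be running for every tpm_* command; same invocation as the post.
start_tcsd() { tcsd -f -e & }

# Stage 1 (any state): force-clear using physical presence, then power-cycle.
stage_clear() {
    tpm_clear -f || return 1
    echo "cleared; power-cycle the board, then run stage_activate from runlevel 1"
}

# Stage 2 (runlevel 1, state cleared): assert hardware physical presence, enable
# and activate. The active flag only takes effect after the next power cycle,
# which is why the post resets the board before taking ownership.
stage_activate() {
    expect_state cleared || return 1
    tpm_setpresence --enable-hw && tpm_setenable -e -f && tpm_setactive -a || return 1
    echo "enabled and activated; power-cycle the board, then run stage_own"
}

# Stage 3 (state active): take ownership with the well-known 20-zero-byte owner
# and SRK secrets, then confirm sysfs reports owned.
stage_own() {
    expect_state active || return 1
    tpm_takeownership -y -z || return 1
    expect_state owned
}

# Once owned: seal a file under the SRK (well-known secret) and unseal it again.
# The sealed blob can be unwrapped only by the TPM that produced it.
seal_roundtrip() {
    expect_state owned || return 1
    tpm_sealdata -z -i "$1" -o "$1.sealed" || return 1
    tpm_unsealdata -z -i "$1.sealed" -o "$1.unsealed" || return 1
    cmp -s "$1" "$1.unsealed"
}

# Constructed sample: fake sysfs directories so tpm_state can be exercised on a
# host without a TPM (the tpm_* stages above are only meant for the target).
fake_sysfs() {
    d=$(mktemp -d)
    echo "$1" > "$d/enabled"; echo "$2" > "$d/active"; echo "$3" > "$d/owned"
    echo "$d"
}

for flags in "0 0 0" "1 1 0" "1 1 1" "1 0 0"; do
    set -- $flags
    d=$(fake_sysfs "$1" "$2" "$3")
    echo "enabled=$1 active=$2 owned=$3 -> $(tpm_state "$d")"
    rm -rf "$d"
done
```

On the board the intended use is: source the script, run start_tcsd, then stage_clear, power-cycle, init 1, start_tcsd, stage_activate, power-cycle, start_tcsd, stage_own, and finally seal_roundtrip on a test file. A stage that is run too early, or after a plain reboot instead of a power cycle, stops with the state it actually found rather than failing halfway through with an authorization error.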