# TPM 2.0 Usage and Operations

To properly secure your Edge devices, it is suggested that they be equipped with a TPM chip. TPM stands for Trusted Platform Module, an international standard for a secure cryptoprocessor. This module is dedicated and designed to secure your hardware through integrated cryptographic keys. It is up to the BL to secure their edge devices as desired, but this article contains a list of suggested best practice operations and capabilities to implement in your solution. It is also up to the BL to obtain an edge device with a TPM chip or to install a TPM chip themselves. The following article explains some critical processes for TPM usage as well as suggested best practice algorithms and cryptographic keys to implement.

# TPM Requirements

# TPM Software Stack Used in Ability Edge

The TCG Software Stack (TSS) from Mocana is used by the Ability Edge to access the TPM.

The TSS requires a minimum memory footprint of 1 MB. Typical memory usage assumes a full set of ciphers and may decrease or increase depending on 32/64-bit, x86/ARM/MIPS, a reduced set of ciphers, static/shared library, and compile flags.

The TSS supports the following operating systems:

  • Linux (Ubuntu, Debian, Raspbian, CentOS)

The TSS supports the following Operating Platforms:

  • Infineon® TPM 2.0
  • ST-Micro® TPM 2.0
  • Atmel® TPM 2.0

# Best Practice Operations and Capabilities Suggestions

The following two lists are suggested best practice algorithms and keys to implement from your TPM chip.

# TPM Capabilities suggested for an Ability Edge

  • Storage Hierarchy Access and Provision
  • Endorsement Hierarchy Access and Provision
  • Pseudo Random Number Generation
  • Cryptographic Services like Hashing, Asymmetric Key Operations, Key Generation
  • Authorization Session Creation

# TPM Operations suggested for an Ability Edge

  • Storage Hierarchy Provision And Clear
  • Endorsement Hierarchy Provision And Clear
  • DA Lockout Reset
  • Random Number Generation
  • RSA Key Pair Generation
  • RSA Encrypt
  • RSA Decrypt
  • RSA Sign
  • RSA Sign Verify
  • SHA256 Generation
  • NV Memory Operations

# Clear ARM TPM2.0 Ownership

Formatting the SD card or removing the TPM 2.0 chip from the Raspberry Pi without clearing ownership may break the device and the TPM chip. The TPM 2.0 chip should be cleared whenever:

  • the device is reloaded
  • the step to acquire TPM ownership completed successfully but edge configuration failed
  • edge un-installation does not clear the ownership properly

# Prerequisites

# Install the Decommissioning Package

Identify the correct version of the decommissioning package and install the software if not already installed.

# Clear the TPM ownership

The following command will clear the TPM.

```
sudo abb_TPMClear_tpm20
```

# Unlock ARM TPM 2.0

Multiple attempts to set up the edge without clearing ownership may lock the TPM chip on a Raspberry Pi, and removing the chip without unlocking it may break the device and the TPM chip. Use this procedure to unlock the TPM 2.0 chip.

# Prerequisites

# Unlock Process

  1. Pull all Edge dependencies and install supporting tools.

```
sudo apt-get update && sudo apt-get install build-essential libtspi-dev autoconf autoconf-archive automake libtool pkg-config doxygen libcurl4-gnutls-dev unzip
```

  2. Download the pre-compiled TPM folders to the Raspberry Pi home directory and execute the commands below. Acquire a zip archive of the TPM utilities from ABB and verify the MD5 checksums listed.

```
1f0b88ef0956fd5c8f89cf07025d8092  tpm2-tools.zip
972ba13b8d806bbdf07c87be3a61d58f  tpm2-tss.zip
```

  3. Follow the steps below to unzip the TPM files. The procedures below expect the files in the /home/ubuntu folder.

```
sudo unzip tpm2-tss.zip
cd tpm2-tss/
chmod 755 ./bootstrap
./bootstrap
chmod 755 ./configure
./configure
make
sudo make install
sudo ldconfig

cd ..

sudo unzip tpm2-tools.zip
cd tpm2-tools/
chmod 755 ./bootstrap
./bootstrap
chmod 755 ./configure
./configure
make
sudo make install
```
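
The checksum verification in the procedure above can be scripted so that the build does not start on a mismatch or a missing archive. The following is an added example, not part of ABB's procedure; the function name `verify_archives` and the variable `ABB_TPM_MANIFEST` are assumptions, and only the two MD5 values and file names come from this page.

```shell
#!/bin/sh
# Added example: verify the TPM utility archives against the MD5 values
# listed in the procedure before unpacking and building them.

# Checksums as listed on this page (md5sum manifest format: "<hash>  <file>").
ABB_TPM_MANIFEST='1f0b88ef0956fd5c8f89cf07025d8092  tpm2-tools.zip
972ba13b8d806bbdf07c87be3a61d58f  tpm2-tss.zip'

# verify_archives DIR [MANIFEST_TEXT]   (hypothetical helper name)
# Returns 0 only if every file named in the manifest exists in DIR and matches.
verify_archives() {
    dir=$1
    manifest=${2:-$ABB_TPM_MANIFEST}

    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    [ -n "$manifest" ] || { echo "empty manifest" >&2; return 2; }

    # Reject lines that are not "<32 hex chars><two spaces><plain file name>",
    # so a malformed entry cannot be skipped and paths cannot leave DIR.
    if printf '%s\n' "$manifest" | grep -Evq '^[0-9a-f]{32}  [A-Za-z0-9._-]+$'; then
        echo "malformed manifest line" >&2
        return 2
    fi

    # The subshell keeps the caller's working directory unchanged.
    # md5sum -c exits non-zero on any mismatch or unreadable file.
    (
        cd "$dir" || exit 2
        printf '%s\n' "$manifest" | md5sum -c
    )
}

# Typical use before unzipping (path is the one the procedure expects):
#   verify_archives /home/ubuntu || exit 1
```
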

# Unlock the TPM

Execute the command below to unlock the TPM 2.0 chip:

```
cd ~/tpm2-tools/tools
sudo tpm2_clear -p
```

The above `sudo tpm2_clear -p` command will clear all hierarchies of the TPM chip and any data that exists within the hierarchies.

Last updated: 1/10/2022, 11:05:26 AM