Skip to content

loicsikidi/tpm-trust

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
.github/workflows
.github/workflows
 
 
cmd
cmd
 
 
internal
internal
 
 
nix
nix
 
 
.envrc
.envrc
 
 
.gitignore
.gitignore
 
 
.golangci.yml
.golangci.yml
 
 
.goreleaser.yaml
.goreleaser.yaml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
cli.gif
cli.gif
 
 
default.nix
default.nix
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
san.png
san.png
 
 
shell.nix
shell.nix
 
 
treefmt.toml
treefmt.toml
 
 

Repository files navigation

tpm-trust

go version latest license

A command-line tool to verify the authenticity of a TPM (Trusted Platform Module) by validating its Endorsement Key (EK) certificate against a trusted bundle of TPM manufacturer root certificates.

Important

This tool is in early stage and it's quite difficult to test it on various hardware. That's why I would highly appreciate any feedback from users, don't hesitate to open issues if you encounter any problems or have suggestions!

Motivation

This project demonstrates the utility of tpm-ca-certificates, which provides a single bundle centralizing TPM manufacturer root certificates, making TPM validation straightforward and secure.

Note

If you want to know how security is ensured, please read tpm-ca-certificates's core concepts

Primitives

  • 📚 Read-only TPM operations: No writes to the TPM, purely verification
  • ✅ Latest EK Specifications: Supports high-range handles and EK certificate chains
  • 📜 Uses tpm-ca-certificates: Leverages native library features
    • Centralized trust roots provided by TPM manufacturers
    • Bundle integrity verification
    • Auto-update of the trust bundle
  • 🔒 Revocation Checking: tpm-trust will by default check if a certificate in EK's chain has been revoked
  • 🪶 Zero Additional Dependencies: install tpm-trust and you are ready to go!

Demo

Usage

Installation

Using Go Install

go install github.com/loicsikidi/tpm-trust@latest

From Source

git clone https://github.com/loicsikidi/tpm-trust.git
cd tpm-trust
go build -o tpm-trust
sudo mv tpm-trust /usr/local/bin/

Using Nix

For reproducible, declarative installations, use Nix update your shell.nix with the following content:

{ pkgs ? import <nixpkgs> {} }:

let
  tpm-trust = import (fetchTarball "https://github.com/loicsikidi/tpm-trust/archive/main.tar.gz") {};
in
pkgs.mkShell {
  buildInputs = [
    tpm-trust
  ];
}

On Arch Linux

tpm-trust is available in the AUR and can be installed with paru -S tpm-trust-git.

Shell Completion

tpm-trust provides shell completion for bash, zsh, and fish. Enable it for a smoother experience:

For bash:

# Load completion for the current session
source <(tpm-trust completion bash)

# Add to your ~/.bashrc for persistent completion
echo 'source <(tpm-trust completion bash)' >> ~/.bashrc

For zsh:

# Load completion for the current session
source <(tpm-trust completion zsh)

# Add to your ~/.zshrc for persistent completion
echo 'source <(tpm-trust completion zsh)' >> ~/.zshrc

For fish:

# Load completion for the current session
tpm-trust completion fish | source

# Add to your fish config for persistent completion
tpm-trust completion fish > ~/.config/fish/completions/tpm-trust.fish

Note: when installing via Nix, shell completions are automatically installed to the appropriate directories and should work out of the box.

Audit command

Verify your TPM's authenticity:

tpm-trust audit

Tip

Linux: If TPM device needs privileged access, the CLI will automatically ask for elevated permissions using sudo 💫.

Windows: You must run the CLI from an administrator terminal (Run as Administrator) to access the TPM device.

Skip Revocation Check

If CRL endpoints are unavailable or you want to skip revocation checking:

tpm-trust audit --skip-revocation-check

Verbose Output

Enable detailed logging to see each validation step:

tpm-trust audit --verbose

Exit Codes

  • 0: TPM is trusted and verification succeeded
  • 1: TPM is not trusted or validation failed

Info command

Display TPM information (manufacturer, model, firmware, supported key types, etc.):

tpm-trust info

Certificates commands

List available key types:

tpm-trust certificates list

Get certificate details for a specific key type:

tpm-trust certificates get $KTY

Display EK certificate chains stored in TPM NVRAM:

tpm-trust certificates bundle

Version command

tpm-trust version

Requirements

  • Platform: Linux or Windows with TPM 2.0
    • Linux: Privileged access will be requested automatically via sudo if needed
    • Windows: Must be run from an administrator terminal (Run as Administrator)
  • Internet Connection (for initial setup):
    • Download and verify the trust bundle from tpm-ca-certificates
    • Fetch CRLs (if revocation checking is enabled)
    • Download intermediate certificates (if needed)

Tested TPM Hardware

The following TPM devices have been successfully verified using tpm-trust audit:

Manufacturer Model Revision Firmware
Nuvoton Technology (NTC) NPCT75x 1.59 7.2

Note

If you've successfully verified your TPM with tpm-trust and don't see your hardware in the table above, please consider creating a PR to add it!

How to find your TPM information

To add your TPM to this list, follow these steps:

  1. List available key types:

    tpm-trust certificates list

    This will show the available key types (kty) on your TPM (e.g., rsa-2048, ecc-nist-p384).

  2. List certificates for a specific key type:

    tpm-trust certificates get <kty>

    Replace <kty> with one of the key types from step 1 (e.g., tpm-trust certificates get rsa-2048).

  3. Find the TPM Model from the SAN (Subject Alternative Name):

    In the certificate output, look for the X509v3 Subject Alternative Name section:

    The TPM Model field contains your TPM model (e.g., NPCT75x).

  4. Get manufacturer, revision, and firmware:

    tpm-trust info

    This command will display the manufacturer name, revision, and firmware version.

Known Limitations

  • Platform Support: Only TPM 2.0 is currently supported
    • I don't plan to support TPM 1.2 as it's largely obsolete
  • tpm-ca-certificates currently only supports a limited set of TPM manufacturers. Check its documentation here for the latest supported vendors.
    • If you need support for a specific TPM manufacturer, please open an issue in the tpm-ca-certificates repository.

Tip

You won't need to update tpm-trust to get newest bundle version.

Why? Internally, tpm-trust uses tpm-ca-certificates library to always get the latest trust bundle.

Dependency Update Policy

Note

For those interested in understanding the motivations behind this approach, I recommend reading Filippo Valsorda's thoughts on Dependabot.

This project does not rely on automated dependency update tools like Dependabot. When managing multiple projects in parallel, such tools generate more noise than value.

Instead, this project follows a pragmatic, security-first approach:

  1. govulncheck runs daily to detect vulnerable dependencies. When a vulnerability is identified → we bump the affected dependency.
  2. Feature-driven updates: Dependencies are updated when the project needs a new feature or capability provided by a newer version.

This approach balances security with intentionality, ensuring updates happen for concrete reasons rather than on autopilot.

Development

Prerequisites

nix-shell

This will set up a development environment with all required dependencies.

Tip

This will also add git hooks thanks to git-hooks.nix.

Building

go build -o tpm-trust

Testing

# alias provided by nix-shell
gotest

Lint

# alias provided by nix-shell
lint

License

See LICENSE file for details.

About

🧿 Simple tool able to certify if a TPM is a real one

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

5 stars

Watchers

0 watching

Forks

2 forks
Report repository

Releases 6

v0.4.1 Latest
Apr 15, 2026
+ 5 releases

Contributors

Languages