Is Trusted Platform Module (TPM) supported by Red Hat?

Environment

• Red Hat Enterprise Linux (RHEL) 9
• Red Hat Enterprise Linux (RHEL) 8
• Red Hat Enterprise Linux (RHEL) 7
• Red Hat Enterprise Linux (RHEL) 6
• Red Hat Enterprise Linux (RHEL) 5

Issue

• What is the current status of RHEL interfacing with the TPM?
• Are you currently tracking the development of the trusted GRUB boot loader developed by the Trusted Computing Group?
• Is this product intended to be integrated with the standard Red Hat delivery?
• Is the use of Trusted GRUB supported by Red Hat as part of its standard product delivery?
• What are the current plans for Red Hat Enterprise Linux to support a Trusted Network Connect?
• Does RHEL support TPM 2.0 devices?

Resolution

Trusted Platform Module v1.2 (TPM 1.2)
i.e.: tpm-tools & trousers

• Included since RHEL 7.0 and discussed in the Security Guide Trusted and Encrypted Keys section.
• Per RHEL 6.9 Technical Notes tpm-tools & trousers is a Security Technology Preview
• Per RHEL 5.11 Technical Notes tpm-tools & trousers (TSS) is a Technology Preview

Trusted Platform Module v2.0 (TPM 2.0)
i.e.: tpm2-tools, tpm2-tss, tpm2-abrmd, tss, tss2, tpm2-pkcs11

RHEL 9

• Per Considerations in adopting RHEL 9 TPM 2.0 replaces TPM 1.2 on RHEL 9. TPM 2.0 is not backward compatible.
  • tpm2-tss added to RHEL 9 via RHBA-2022:3895
  • tpm2-tools added to RHEL 9 via RHBA-2022:3934
  • tpm2-abrmd added to RHEL 9 via RHBA-2022:3818
  • tss2 added to RHEL 9 via RHBA-2022:4047
  • tpm2-pkcs11 added to RHEL 9 via RHBA-2022:3820
• RHEL 9.1 introduces keylime, a remote machine attestation tool using the trusted platform module (TPM) technology. Major changes in RHEL 9.1

RHEL 8

• Per RHEL 8.1 Release Notes TPM 1.2 is deprecated
• Updated packages:
  • trousers is updated for RHEL 8. RHBA-2019:3638
  • tpm-tools updated to version 2.0. RHBA-2019:3512
  • tpm-tools updated to version 3.2.1. RHBA-2020:1801
  • tpm2-tools rebased to version 4.1.1 RHBA-2020:4496
  • tpm2-abrmd rebased to version 2.3.3.2 RHBA-2021:1660
  • IBM TSS 2.0 package rebased to 1.6.0 , Update IBM TSS 2.0 for ppc64le
  • tpm-quote-tools, tpm-tools, tpm-tools-pkcs11 have been deprecated since RHEL 8.7 Deprecated packages

Note Red Hat Enterprise Linux 8 also needs the tpm2* packages installed when working with TPM 2.x chips

RHEL 7

• Per RHEL 7.2 Release Notes New Features - Kernel TPM v2 is moved from Technology Preview to supported
• Per RHEL 7.4 Release notes Hardware Enablement Technology Preview, the following were added as Technology Preview:
  • tpm2-tools via RHEA-2017:2272
  • tpm2-tss via RHEA-2017:2245
  • tss2 via RHEA-2017:2246 for ppc64le architecture.
• RHEL 7.5 Release Notes indicate the following are move into Technology Preview or fully supported:
  • tpm2-abrmd added via RHEA-2018:0901
  • tpm2-tss updated via RHBA-2018:0848
  • tpm2-tools updated via RHBA-2018:0881
  • tss2 updated via RHEA-2017:2246 to Technology Preview
• Per RHEL 7.6 Release Notes
  • tss is still in Technology Preview
  • clevis now supports TPM v2

Trusted Boot
ie. tboot

• RHEL 6.2 added tboot per Release Notes - Security, Standards, and Certification section for x86_64 architectures via RHEA-2011:1633
• Per RHEL 7.4 Release Notes New Features - Networking tboot rebased to version 1.9.5 which adds the 2nd generation of the Link Control Protocol (LCP) creation utility for Trusted Platform Module (TPM) 2.0, as well as a user guide for the updated LCP creation utility.
• Per RHEL 7.5 Release Notes New Features - Virtualization tboot rebased to version 1.9.6 which adds support for event logs of Trusted Computing Group (TCG) trusted platform modules (TPMs).

Diagnostic Steps

Upstream links:

• tpm-tools - <Content from trousers.sourceforge.net is not included.http://trousers.sourceforge.net/>
• tpm2-abrmd - <Content from github.com is not included.https://github.com/01org/tpm2-abrmd>
• tpm2-tools - <Content from github.com is not included.https://github.com/01org/tpm2-tools>
• tpm2-tss - <Content from github.com is not included.https://github.com/01org/tpm2-tss>

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.