Listing content of a TPM 2.0 chip

Question

I would like to list the information stored on a TPM chip, by type, just to see that all relevant data was migrated to a new machine before clearing the TPM chip of the old machine. I am not looking for dumping private keys, etc., just a list of IDs and uses (E.g. Bitlocker encryption keys, Virtual Smart card, etc.). Is this possible in any way in Windows and/or in Linux?

(I have both dTPM and fTPM configurations.)

With powershell, try the cmdlets `Get-Tpm` and `Get-TpmEndorsementKeyInfo`. — Reddy Lutonadio, Jul 12 '22 at 08:04

score 5 · Accepted Answer · edited Jun 06 '23 at 17:54

It's impossible to have a complete listing, because such data is not actually stored on the chip at all. A TPM actually has very little persistent storage – Windows only stores a single "Storage Root Key" in it (aka the SRK), everything else is encrypted using the SRK and returned to the OS for storage.

This means that the TPM is completely unaware of what has been deleted and what's still stored in a file somewhere. (It also means the TPM can never "fill up", unlike smartcards.)

For example, BitLocker "TPM" protectors are still stored within the volume header, only encrypted using TPM_Seal() or TPM2_Create() with a policy attached. Every time the protector needs to be unsealed, the OS has to load it back into the TPM's RAM, where the TPM decrypts it with the SRK, verifies the policy (comparing the PCR values if needed), then either returns the clear data to the OS or refuses.

So you can't list all BitLocker volumes that use a specific TPM because that information isn't tracked anywhere. (Fortunately, Windows only uses the TPM protectors for the OS C:\ volume, so you can safely rule out all "data" volumes.)

LUKS in Linux uses the same approach, although only recently was the LUKS2 token format "agreed upon" – in the past various hand-rolled scripts were used, some of which might have stored the sealed data directly in the TPM's NV storage. However, with systemd and cryptsetup now having TPM support as a standard feature, the sealed keyslot is always written back to the LUKS2 on-disk header.

(Here's an example of how a LUKS key is sealed using TPM 2.0. The piece of JSON with "tpm2-blob" is what holds the TPM-sealed data.)
Similarly, Certificate keypairs that are kept "in" the TPM (through the "Platform Crypto Provider" KSP) are actually stored in %USERPROFILE%\AppData\Local\Microsoft\Crypto\PCPKSP, within your own profile for keys created directly through CAPI/CNG, or within the LocalService profile for keys stored in VSC.

(That's only the private keys – unlike with smartcards, certificates themselves never touch the TPM in the first place. When using a VSC they're stored in the VSC's "emulated smartcard" storage, which appears to be at %SYSTEMROOT%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\SmartCard\Tpm, and when using direct CNG they go wherever all other certificates go.)

You can use certutil to get a list of all your certificates in CAPI together with the KSP that they use – look for either "Microsoft Platform Crypto Provider" (direct CNG) or "Microsoft Smart Card Provider" (VSC) to recognize such certificates:
```
certutil -store -silent -user My
```
There's no direct Linux equivalent because there's no CAPI/CNG equivalent on Linux in the first place – programs could use tpm2-pkcs11 (which stores certificates in a SQLite database), or .pem keys generated using openssl-tpm2-engine (which are just files scattered wherever), or even directly use tpm2-tss APIs.

That being said, TPM 2.0 does have some persistent storage, and as unlikely as it is that it'll have been used directly, you could use Linux tpm2-tools to try listing the contents:

There's usually space for 3 or so keypairs, which can be listed using tpm2_getcap handles-persistent (applying tpm2_readpublic -c <handle> to each of the shown handles in turn). Typically, only the RSA-based "storage root key" (for encrypting data) and the "endorsement key" (for identifying the TPM itself) are stored there – and the latter doesn't get reset through a TPM clear anyway.

The handle 0x81000001 is most commonly used for the RSA-based SRK, 0x81010001 for the RSA-based EK. Sometimes you might see 0x81000000 on Linux if an older version of the tpm2-pkcs11 tool has been used.

(Systemd LUKS support uses an ECDSA-based SRK and doesn't bother storing it persistently – just regenerates it from the "storage hierarchy seed" every time.)
There's also some amount of generic "NV storage" space, which can be listed using tpm2_getcap handles-nv-index and tpm2_nvread. In most cases it only contains some manufacturer predefined data, such as the EK certificate (at 0x01C00002). Since there are no names for anything, you have to basically guess – assuming the NV index in question was made readable in the first place.

I think the version of the TPM on which your answer is based is not the latest, because it does store certificates. Microsoft says: "TPM-based certificates are standard certificates. **The certificate can never leave the TPM** from which the keys are generated" ([link](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-fundamentals)). — harrymc, Jul 12 '22 at 15:33
@harrymc: In the sense that you can't *use* it without the TPM, yes. (That sentence wouldn't make any sense if taken literally, as a certificate that can't be extracted would be completely useless – the whole point of having a cert is that you can present it to others, so even the public key has to leave the TPM or the smartcard out of necessity, e.g. so that it could be signed to make the certificate in the first place.) The answer is based on TPM 2.0 while the MS article talks about 1.2 but it's mostly the same in both variants. — u1686_grawity, Jul 12 '22 at 18:38
I think you described here one TPM implementation in Linux, that apparently only uses it as a crypto engine. — harrymc, Jul 12 '22 at 19:08
@user1686: Thank you! I was under an impression that TPM works like a HSM (e.g. Yubikey HSM) and it can store keys, create cert signing requests and sign requests as a CA, etc. So much to learn, now I need to read the TPM 2.0 standard... Basically based on this answer, Microsoft "TPM" is actually a Trusted Platform **Service**, not a monolitic physical **module**. Your answer helped a lot, thanks again. — TFuto, Jul 12 '22 at 19:59
I actually discovered that a TPM can store more data. On this link: https://trustedcomputinggroup.org/wp-content/uploads/2019_TCG_TPM2_BriefOverview_DR02web.pdf , 5 TPM implementations are described: discrete, integrated, firmware, software and virtual TPM. So in theory, if a system used a discrete TPM chip, then it indeed would provide crypto services, RNG, protected storage, protected pseudo-store for unlimited amount of keys, identities, signing and verification - all in hardware. — TFuto, Jul 12 '22 at 20:17
Another example is a common dTPM hardware: [GC-TPM20_S](https://www.gigabyte.com/Motherboard/GC-TPM20_S). It uses Infineon's SLB9665, and the [documentation](https://www.infineon.com/dgdl/Infineon-data-sheet-SLB9665_2.0_Rev1.2-DS-v01_02-EN.pdf?fileId=5546d462689a790c016929d1d3054feb) says it contains PCR banks, 7206 Byte free NV memory, up to 7 loaded persistent objects. So anything stored there would be lost if the TPM chip is cleared. — TFuto, Jul 12 '22 at 20:24
@TFUto: PCR banks are volatile (reset on every system reboot). Persistent objects and NV indices would indeed be lost, but they're rarely used like that in practice – usually systems just mimic the TPM1.2 style single SRK and store everything else on disk. Part of the reason is that persistent objects can only be raw keypairs, not certificates; only NV indexes could store a whole signed certificate (like how 0x01C00002 stores the Endorsement cert; it's usually marked permanent). But if you suspect that kind of usage, use the `tpm2` CLI tools I mentioned to examine the NV storage. — u1686_grawity, Jul 12 '22 at 20:57
@TFUto: I haven't worked with Yubikey HSM, but I assume it has specific understanding of actual certificates and CAs? I'd instead compare a TPM with a basic consumer smartcard (such as Yubikey PIV mode, or a Safenet eToken) in the sense that TPMs can indeed be used to sign certificates and other things (there are PKCS#11 modules for bridging to a TPM), but they are not actually *aware* that they're signing a certificate, and cannot enforce policies – all they have is a blob of data. (I've actually used TPMs for running small internal CAs.) — u1686_grawity, Jul 12 '22 at 21:05
@TFuto: But regarding key storage, that's where "unlimited" comes from – the internal storage is definitely not unlimited, so if an article says that, then offloading storage to the OS is the trick. (U2F keys also use the same trick to support unique keypairs for an unlimited number of websites, without having any writable storage at all.) — u1686_grawity, Jul 12 '22 at 21:07
Would love your thoughts on https://security.stackexchange.com/questions/270400/is-it-possible-to-see-the-pubkeys-that-pair-with-private-keys-inside-the-tpm-in?noredirect=1#comment562583_270400 if you have the time. — mikemaccana, May 25 '23 at 13:00

score 1 · Answer 2 · answered Jul 12 '22 at 07:59

This is not possible, and in fact is contrary to the purpose of the TPM in being a safe and inviolate repository.

The Microsoft article of Trusted Platform Module lists the PowerShell commands used for managing the TPM:

Clear-Tpm : Resets a TPM to its default state.

ConvertTo-TpmOwnerAuth : Creates a TPM owner authorization value from a supplied string.

Disable-TpmAutoProvisioning : Disables TPM auto-provisioning.

Enable-TpmAutoProvisioning : Enables TPM auto-provisioning.

Get-Tpm : Gets an object that contains information about a TPM.

Get-TpmEndorsementKeyInfo : Gets information about the endorsement key and certificates of the TPM.

Get-TpmSupportedFeature : Verifies whether a TPM supports specified features.

Import-TpmOwnerAuth : Imports a TPM owner authorization value to the registry.

Initialize-Tpm : Performs part of the provisioning process for a TPM.

Set-TpmOwnerAuth : Changes the TPM owner authorization value.

Unblock-Tpm : Resets a TPM lockout.

As you can see, one can manage the TPM itself as an object, but not its contents.

Partly because it being "a safe and inviolate repository" is nowhere near the actual reason (so are smartcards and HSMs, but all of them support listing the contents regardless – just not _extracting_ them, but with any smartcard you can list the stored keys), partly because relying exclusively on PS cmdlet list is misleading – many operations exist that just don't have cmdlets. (For example, TPM can store keys yet there's no cmdlet to create a TPM key, or to sign data using one – that's because on Windows it's done through generic CryptoAPI, so a 'raw' cmdlet was thought unneeded.) — u1686_grawity, Jul 12 '22 at 14:30

Listing content of a TPM 2.0 chip

2 Answers2