On 9/27/18 1:24 PM, Scheie, Peter M wrote:
> What is the best way to verify the TPM is available, that is, that it
> hasn’t died? I have a requirement to send an alert if the TPM stops working. We have
> snmp processes that run every five seconds, so I figure I can, say, check for something in
> /sys/class/tpm/tpm0 and as long as I get an expected response, I’ll report that everything
> is fine. But what exactly should I look for? Is the simple presence of
> /sys/class/tpm/tpm0 sufficient, because it means the kernel thinks the TPM is there? If I
> cat /sys/class/tpm/tpm0/dev I get the major and minor numbers; I could look at those, or
> just test for the presence of the dev file on the premise that if the TPM failed that file
> would disappear. Is that a good test? Suggestions?
I would say that the best test would be to send an actual command.
tpm2_get_random would be a good candidate. If the TPM responds
with a valid response it means that it is alive; if not, it is dead.
The presence of the /sys/class/tpm/tpm0 file doesn't guarantee that
the TPM is still healthy.
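A probe built on the reply's advice, added here as an example rather than code from either poster: it checks the sysfs node first, then sends a real command and validates the answer. It assumes tpm2-tools (where the command is spelled tpm2_getrandom), od and mktemp from coreutils, and two override variables so the logic can be exercised on a box without a TPM.

```shell
#!/bin/sh
# Added example, not from the thread: probe the TPM by sending it a real
# command (the reply's advice) instead of trusting /sys/class/tpm/tpm0 alone.
# Assumes tpm2-tools, where the command is spelled tpm2_getrandom, plus od
# and mktemp from coreutils. Exit status 0 = alive, 1 = dead.

# Both knobs are overridable so the probe can be exercised without hardware.
TPM_SYSFS=${TPM_SYSFS:-/sys/class/tpm/tpm0}
: "${TPM_RANDOM_CMD:=tpm2_getrandom 8}"
TPM_TIMEOUT=${TPM_TIMEOUT:-5}

# Run the command (under a timeout when available, so a hung TPM cannot
# stall a 5-second poller) and print its raw output as hex. Fails if the
# command itself fails or times out.
tpm_random_hex() {
    tmp=$(mktemp) || return 1
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TPM_TIMEOUT" sh -c "$TPM_RANDOM_CMD" >"$tmp" 2>/dev/null
    else
        sh -c "$TPM_RANDOM_CMD" >"$tmp" 2>/dev/null
    fi
    rc=$?
    hex=$(od -An -tx1 "$tmp" | tr -d ' \n')
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$hex"
}

# A valid answer to "give me 8 bytes" is exactly 16 hex digits and not all
# zeros; anything shorter means the TPM stopped answering part way through.
tpm_response_ok() {
    [ "${#1}" -eq 16 ] && [ "$1" != "0000000000000000" ]
}

# Full check: sysfs node present (cheap), then a real round trip to the chip.
tpm_alive() {
    [ -e "$TPM_SYSFS" ] || { echo "FAIL: $TPM_SYSFS missing"; return 1; }
    hex=$(tpm_random_hex) || { echo "FAIL: no response from TPM"; return 1; }
    tpm_response_ok "$hex" || { echo "FAIL: bad response '$hex'"; return 1; }
    echo "OK: TPM answered $hex"
}

# Run the probe only when executed directly as tpm_probe.sh; the poller may
# also source this file and call tpm_alive itself.
case "$0" in *tpm_probe.sh) tpm_alive ;; esac
```

The SNMP job can run this every poll and alert on a non-zero exit; the printed line carries the reason.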