TPM Genie
TPM Genie is an Arduino-based man-in-the-middle (“interposer”) for the Trusted Platform Module I2C serial bus. This tool has been designed to aid in the security research of TPM hardware as well as the host-side drivers that communicate the with them.
In its simplest usage scenario, TPM Genie is capable of sniffing all traffic that is sent across the TPM’s serial bus. Here, TPM Genie will print a textual representation of the command and response packets, so that the user can better understand how the platform firmware interacts with the TPM hardware.
However, TPM Genie can also be leveraged to perform more active attacks against the bus. We demonstrate that a man-in-the-middle on the TPM serial bus can undermine many of the stated purposes of the TPM such as measured boot, remote attestation, sealed storage, and the hardware random number generator.
TPM Genie can be found in our GitHub repository (https://github.com/nccgroup/TPMGenie). Here you will find everything you need to get started:
- Hardware: The bill of materials and circuit wiring instructions.
- Software: The TPM Genie source code, as well as instructions to compile and flash the firmware.
- Demos: TPM Genie comes pre-packaged with some examples that reveal the types of attacks made possible by a serial bus MITM. We show how to control the output of the TPM’s HWRNG, spoof PCR measurements, and even induce Linux kernel memory corruption.
Additionally, the TPM Genie whitepaper can be found here.