Skip to content

Linux 6.3 Might Provide Support For Pluton’s CRB TPM2 On AMD Ryzen CPUs

paul pon raj

The Linux 6.3 operating system may soon support the TPM2 device found within Microsoft’s Pluton security processor on the latest AMD Ryzen SoCs.

The Pluton security processor, which has been found on AMD Ryzen SoCs since the 6000 mobile series, has been a cause for concern among Linux and open-source enthusiasts due to its “black box” nature and the unknowns surrounding its root of trust, secure identity, secure attestation, and cryptographic services.

Software security expert Matthew Garrett has been working on getting the Pluton TPM2 device exposed to Linux. The TPM 2.0 Command Response Buffer (CRB) is a standardized interface for the OS kernel to communicate with the Trusted Platform Module, regardless of architecture or TPM. However, some changes to the Linux “tpm_crb” kernel driver are needed to support Pluton.

Garrett explained in a Linux TPM CRB patch that the Pluton TPM2 device uses a previously undefined start method identifier and includes 16 bytes of startup data, corresponding to one 64-bit address for a start message and one 64-bit address for a complete response.

He also noted that the chip needs to be explicitly asked to transition into ready status on every command.

The patch adding support for Pluton was picked up by the linux-tpmdd.git “next” branch, making it part of the TPM device driver changes for the upcoming Linux 6.3 cycle.

This means that if all goes according to plan, Linux 6.3 will support the Pluton TPM2 device on AMD Ryzen CPUs, providing more security options for users of these processors.