Decorative Cryptography: How TCG_TPM2_HMAC Inverts the Chain of Trust

TL;DR

A Linux kernel feature, TCG_TPM2_HMAC, was designed to add HMACs and encryption to TPM bus traffic to detect interposer attacks, but its current implementation hands a critical attestation step to userspace. That inversion of trust lets an active interposer defeat protections; the feature was disabled by default in kernel 6.18 (August 2025).

What happened

A recent examination of the Linux kernel feature TCG_TPM2_HMAC finds that, while it adds HMACs and encrypted transactions on the TPM bus to detect or prevent snooping and interposer attacks, its design delegates a key attestation responsibility to userspace. The kernel generates an auth session key for TPM operations by key-encapsulating to a Null Primary Key (a P-256 ECDH key derived from the Null hierarchy that changes on each boot) and records that key’s Name under /sys/class/tpm/tpm0/null_name. The kernel then relies on userspace to attest that key later using the Endorsement Key (EK). That ordering inverts the chain of trust: an active interposer that can both manipulate the TPM bus and replace or hijack the userspace attestation component can present a fake Null Primary Key, intercept TPM2_PCR_Extend calls, and substitute measurements to defeat measured-boot protections. The feature was disabled by default starting in kernel 6.18 (August 2025).

Why it matters

• Measured-boot guarantees can be undermined if the kernel trusts an attestation step that userspace is supposed to perform later.
• Encryption and HMACs do not solve security gaps in key management; poorly anchored keys make cryptography ineffective.
• Active physical interposers that can read and write the TPM bus can alter measurements or unseal secrets despite the added crypto.
• Users and administrators may be given a false sense of protection when features are enabled without resolving the underlying trust and key-management problems.

Key facts

• TCG_TPM2_HMAC is a kernel config option intended to add HMACs and encrypted transactions on the TPM bus.
• The feature’s code mainly lives in drivers/char/tpm/sessions.c and is discussed in Documentation/security/tpm/tpm-security.rst.
• Each session is key-encapsulated to a Null Primary Key (a P-256 ECDH key from the Null hierarchy) which changes on every boot.
• The kernel stores the Name (hash) of the Null Primary Key at /sys/class/tpm/tpm0/null_name and expects userspace to attest it using the EK.
• An active interposer that can modify bus traffic and replace the userspace attestation component can create a fake Null Primary Key and substitute PCR measurements.
• Passive interposers (snoopers) can read bus traffic and potentially obtain unsealed secrets if encryption is not used for those exchanges.
• security/keys/trusted-keys/trusted_tpm2.c uses an encrypt session helper (tpm_buf_append_hmac_session) that is entangled with the TCG_TPM2_HMAC feature.
• TCG_TPM2_HMAC was disabled by default again in August 2025 starting with Linux kernel version 6.18.
• The author recommends an integrated root-of-trust in the CPU (for example, Caliptra providing TCG DICE APIs) as a path that can address active physical interposer threats.

What to watch next

• Kernel discussions and patches related to TCG_TPM2_HMAC and the attestation ordering around the Null Primary Key (not confirmed in the source).
• Adoption or integration of integrated roots-of-trust such as Caliptra or other SoC-level solutions that expose on-chip attestation primitives (mentioned in the source).
• Changes to userspace attestation tooling to ensure the kernel does not rely on later attestations for boot-time trust (not confirmed in the source).

Quick glossary

• TPM: Trusted Platform Module; a discrete or integrated hardware component that can securely store keys and perform cryptographic operations for platform integrity and attestation.
• PCR: Platform Configuration Register; a TPM register that records measurements (hashes) of boot components and can be used to enforce or attest platform state.
• EK: Endorsement Key; a long-lived TPM asymmetric key used as a trust anchor for certain TPM operations and key attestation.
• HMAC: Hash-based Message Authentication Code; a cryptographic construct used to verify data integrity and authenticity using a shared key.
• Root of Trust: A component or set of components that is inherently trusted and forms the basis for verifying the integrity of other system elements.

Reader FAQ

Is TCG_TPM2_HMAC enabled by default in mainline Linux?
No — the feature was disabled by default starting with kernel version 6.18 in August 2025.

Can TCG_TPM2_HMAC prevent an active interposer on its own?
No — the examined implementation can be defeated by an active interposer that also compromises or replaces the userspace attestation component, because the kernel trusts a Null Primary Key Name written to sysfs.

Does adding encryption and HMACs eliminate the threat?
Not by itself; the article argues that without addressing key-management and the attestation ordering, the cryptography is effectively decorative.

Is there a recommended architectural fix?
The source suggests an integrated root-of-trust inside the CPU (for example, Caliptra exposing TCG DICE APIs) as a way to address active physical interposer threats.

Decorative Cryptography Jan 3, 2026 All encryption is end-to-end, if you’re not picky about the ends. config TCG_TPM2_HMAC bool "Use HMAC and encrypted transactions on the TPM bus" default n…

Sources

• Decorative Cryptography
• TPM 2.0 Keys for Device Identity and Attestation
• TCG Trusted Boot Chain in EDK II · GitBook
• Chain of trust and tpm?

Related posts

• ICE Uses Facial-Recognition Technology to Speed Up Arrests Nationwide
• Techie turned the tables on office bullies with remote access rumble
• California residents can request all data brokers to delete personal data