by zxcvgm
1508 days ago
It depends on how the TPM is being used by the OS and its apps. If it’s purely being used for the crypto key storage and crypto operations, then you can probably use something like the MS reference implementation [0]. If the OS requires attestation and endorsement, there is a manufacturer key pair that is embedded into the chip that you can use to attest and verify that the TPM you are interacting with is indeed from a particular manufacturer. That aspect would not be doable for an emulated DIY TPM.

[0] https://github.com/microsoft/ms-tpm-20-ref
This link has some useful details on attestation.
For a lot of software you should still be able to use a custom TPM, since you could use the EKPub-based attestation, which is per-device. This would allow you to bake your custom key into the device prior to installation and then whitelist it.
I'm by no means an expert but since this is mostly handled at the OS level, provided you control the infra you should be able to roll your own custom TPM and still support attestation & endorsement. So if you are dealing with this on your own personal hardware or in your company (and you have IT's blessing), you should be able to do it but it won't work out of the box.