

Manage TPM2.0 devices



Version information

  • 0.7.0 (latest)
  • 0.5.0
  • 0.4.0
  • 0.3.2
  • 0.3.1
  • 0.3.0
  • 0.2.0
  • 0.1.1
  • 0.1.0
released Oct 12th 2023
This version is compatible with:
  • Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'simp-tpm2', '0.7.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add simp-tpm2
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install simp-tpm2 --version 0.7.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: simp, tpm, tpm20


simp/tpm2 — version 0.7.0 Oct 12th 2023



This module manages TPM 2.0 devices and the tpm2-tools software.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they may be submitted to our bug tracker.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
  • If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.


What tpm2 affects

The tpm2 module manages:

  • tpm2-software packages and services (e.g., tpm2-tools)
  • The tpm2 Facter fact
  • TODO: Ownership of a TPM2 device's endorsement hierarchy

Beginning with tpm2

include 'tpm2'


To set the authentication passwords on the system:

Include the tpm2 module and set the following in Hiera:

Note: You must indicate the desired status of all three authentication settings. If using tpm2_tools version 4 or later, you can use 'ignore' to skip any of the settings. Otherwise they must each be set to 'clear' or 'set'.

tpm2::take_ownership: true
tpm2::ownership::owner: set
tpm2::ownership::lock: set
tpm2::ownership::endorsement: set

The passwords default to automatically generated passwords using passgen. If you want to set them to specific passwords, set them in Hiera using the following settings (a minimum password length of 14 characters is expected):

tpm2::ownership::owner_auth: 'MyOwnerPassword'
tpm2::ownership::lock_auth: 'MyLockPassword'
tpm2::ownership::endorse_autt: 'MyEndorsePassword'
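
A pre-flight check of Hiera data against the rules stated above, as an added example that is not part of simp-tpm2. The function name, the constructed sample data and the caller-supplied tools version are assumptions; the key names are copied verbatim from the examples above.

```ruby
require 'yaml'

# Key names copied verbatim from the README examples above.
STATE_KEYS = %w[owner lock endorsement].map { |k| "tpm2::ownership::#{k}" }.freeze
AUTH_KEYS  = %w[owner_auth lock_auth endorse_autt].map { |k| "tpm2::ownership::#{k}" }.freeze
MIN_AUTH_LENGTH = 14

# Hypothetical helper: returns a list of problems found in the Hiera data.
# An empty list means the data satisfies the rules stated in the README.
# tools_version is the installed tpm2_tools version, supplied by the caller.
def tpm2_ownership_problems(hiera_yaml, tools_version)
  data = YAML.safe_load(hiera_yaml) || {}
  return [] unless data['tpm2::take_ownership'] == true

  allowed = %w[set clear]
  # 'ignore' is only accepted with tpm2_tools version 4 or later.
  allowed << 'ignore' if tools_version.to_s.split('.').first.to_i >= 4

  problems = []
  STATE_KEYS.each do |key|
    if !data.key?(key)
      problems << "#{key} is not set (all three states must be given)"
    elsif !allowed.include?(data[key].to_s)
      problems << "#{key}: '#{data[key]}' is not allowed with tpm2_tools #{tools_version}"
    end
  end
  AUTH_KEYS.each do |key|
    next unless data.key?(key) # unset: an auto-generated password is used
    # Report the key only, never the password value itself.
    if data[key].to_s.length < MIN_AUTH_LENGTH
      problems << "#{key} is shorter than #{MIN_AUTH_LENGTH} characters"
    end
  end
  problems
end

# Constructed sample data: endorsement is missing, lock uses 'ignore',
# and the owner password is too short.
SAMPLE = <<~YAML
  tpm2::take_ownership: true
  tpm2::ownership::owner: set
  tpm2::ownership::lock: ignore
  tpm2::ownership::owner_auth: 'tooshort'
YAML

puts tpm2_ownership_problems(SAMPLE, '3.0.4') if __FILE__ == $PROGRAM_NAME
```

Running such a check before Puppet applies the catalog surfaces a missing or version-incompatible setting without touching the TPM.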


The tpm2_takeownership module cannot be used to change the current password. It would continually try to reset the password and would lock out the TPM. It should be used to initialize or clear the TPM only.

If the tpm2_tools are not installed, it will take 2 passes to set or clear the authentication settings, because it must first determine the version of tpm2_getcap installed. The tpm2::ownership modules can be used directly if you know what version of the tools will be installed. See the examples in the modules.

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.


See for API documentation.


Please read our Contribution Guide.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle install
bundle exec rake beaker:suites

TPM2 simulator

The acceptance tests spin up a tpm2-simulator. These simulators have been compiled and packaged by SIMP and are available in the simp-project repos. See the spec/acceptance/nodesets for the exact repo.


The TPM2 developers provide a debug flag. Set the environment variable G_MESSAGES_DEBUG=all and run tpm2-abrmd in a terminal.

Environment variables

  • BEAKER_download_pre_suite_rpms: When 'yes', downloads a tarball of RPMs to install before running the first Beaker suite

  • BEAKER_tpm2_rpms_tarball_url

FIXME: Ensure the Acceptance tests section is correct and complete, including any module-specific instructions, and remove this message!

Please refer to the SIMP Beaker Helpers documentation for more information.