Manage TPM2.0 devices




201 latest version

5.0 quality score

Version information

  • 0.3.1 (latest)
  • 0.3.0
  • 0.2.0
  • 0.1.1
  • 0.1.0
released Nov 30th 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
  • Puppet >= 5.0.0 < 7.0.0
  • CentOS

Start using this module

Tags: simp, tpm, tpm20


simp/tpm2 — version 0.3.1 Nov 30th 2020

License CII Best Practices Puppet Forge Puppet Forge Downloads Build Status

Table of Contents


This module manages TPM 2.0 devices and the tpm2-tools software.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they may be submitted to our bug tracker.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
  • If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.


What tpm2 affects

The tpm2 module manages:

  • tpm2-software packages and services (e.g., tpm2-tools, etc.,)
  • The tpm2 Facter fact
  • TODO: Ownership of a TPM2 device's endorsement hierarchy

Beginning with tpm2

include 'tpm2'


To set the authentication passwords on the system:

Include the tpm module and set the following in hiera:

Note: You must indicate the desired status of all three authentications settings. They can be either 'set' or 'clear'.

tpm2::take_ownership: true tpm2::ownership::owner: set tpm2::ownership::lock: set tpm2::ownership::endorsement: set

The passwords will default to automatically generated passwords using passgen. If you want to set them to specific passwords then set them in hiera using the following settings (it expects a minumum password length of 14 charaters):

tpm2::ownership::owner_auth: 'MyOwnerPassword' tpm2::ownership::lock_auth: 'MyLockPassword' tpm2::ownership::endorse_autt: 'MyEndorsePassword'


The tpm2_takeownership module cannot be used to change the current password. It would continually try to reset the password and would lock out the TPM. It should be used to initialized or clear the TPM only.

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.


See for API documentation.


Please read our Contribution Guide.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle install
bundle exec rake beaker:suites

TPM2 simulator

The acceptance tests spin up a tpm2-simulator. These simulators have been compiled and package by simp and are available in the simp-project repos, See the spec/acceptance/nodesets for the exact repo.


The TPM2 developers provide a debug flag. Set the environemnt variable G_MESSAGES_DEBUG=all and run tpm2-abrmd in a terminal.

Environment variables

  • BEAKER_download_pre_suite_rpms When 'yes', downloads a tarball of RPMs to install before running the first Beaker suite

  • BEAKER_tpm2_rpms_tarball_url

FIXME: Ensure the Acceptance tests section is correct and complete, including any module-specific instructions, and remove this message!

Please refer to the SIMP Beaker Helpers documentation for more information.