Intel NUC and TPM

We are using with the Intel NUC image.
Looking for ways to secure the application against an evil hacker with physical access.

What is the chance of seeing TPM support (Trusted platform module) in the near future?

1 Like

Hi, what ways are you thinking of using the TPM to secure your application?

We were looking into adding TPM support on device types that have that available, but it’s a work in progress. It’s also would more along the line of securing the OS so far. Hence our question of how would you use that yourself?

We want to reduce the risk of someone getting access to inspect/change our software. For example as it is now, a person may mount the disk in another system and will then have access to everything thing, e.g. python scripts, configuration files etc.

A solution that requires access to some remote authentication service is not an option. The application must work offline as well.

And I was hoping to use tpm for disk encryption.


Any details on what it means that you are “looking into adding TPM support” ?
Any hope on TPM in 2018?
Any feature ticket I can follow?


Any updates? I’m currently working on an application where I’m creating a private key on the TPM (that never leaves the TPM) to sign tokens to identify itself to our cloud tier. I’m not seeing /dev/tpm0 or /dev/tpmrm0 in my application container.

Would it be possible to add TPM support even if Balena doesn’t take advantage of TPM features to secure the OS?

as far as I understand, in linux TPM services will be provided by kernel modules. So in any case you would need kernel modules for the balena kernel and a device with TMP support.
I will forward your request to the balena kernel team to see what the status of TPM modules is in balena is.

Regards Thomas

That’s great - thanks Thomas. We’re requiring TPM2.0 hardware in our IoT devices (we’re using Intel NUCs).

Hi @rqdq , yes I would imagine it should be fairly easy to add those modules in the intel builds, and initially balenaOS won’t make use of them. Could you create an issue on the intel-nuc repo here: and describe the interfaces you expect to see in /dev and if you know which kernel modules need to be enabled, that would be helpful too. Then we should be able to get it added to the image by default.

Thanks @shaunmulligan. Issue created here:

Issue: Add kernel module(s) for TPM 2.0

opened by rquackenbush on 2019-06-11

We would like to have TPM 2.0 support in Balena on the Intel NUC platform.
Use Case
We’re using TPM 2.0 modules to…

Awesome, thanks @rqdq

Hi @rqdq , im sure you have been following the issue, but just thought I would follow up here and point out that the changes for this were merged into the intel-nuc BSP repo and should be included in the next release (I think balenaOS 2.38)

That’s great news! Thanks for the update!

Note: 2.32.1+rev1 is available.

Just to be sure (since I started this thread):
The newly introduced change only means that TPM kernel modules are available, but full disk encryption is not possible until BalenaOS supports it, right?
Is full disk encryption on the roadmap?

That is correct. We want to support full disk encryption and trusted boot in the future but we don’t have a concrete timeline to share at this point