I am currently working on a project that requires interaction with the Trusted Platform Module (TPM) 2.0, and I am running Ubuntu on Windows Subsystem for Linux version 2 (WSL 2).
I have encountered some challenges in accessing the TPM directly from within WSL 2, and I'd like to know whether this is even possible and, if so, how it can be achieved.
I attempted to load the tpm_tis kernel module using modprobe, but I received an error indicating that the module is not found. I understand that WSL 2 runs a different kernel and has a virtualized environment. Does this environment support loading TPM kernel modules, and are there any specific modules available for WSL 2?
modprobe: FATAL: Module tpm_tis not found in directory /lib/modules/5.10.16.3-microsoft-standard-WSL2
Given the nature of WSL 2, I am curious to know if it provides any mechanism to access hardware such as TPM directly. Is there any way to interface with the TPM from Ubuntu running on WSL 2, or would it require passing through the hardware to the virtualized environment?
If direct TPM access is not feasible from within WSL 2, could you provide recommendations on alternative setups or configurations? I would prefer to continue my development within WSL 2 if possible, but I can also develop directly on Windows.
Are there any specific documents or resources that detail the hardware capabilities and limitations of WSL 2, particularly concerning TPM access? Any pointers or guidance would be greatly appreciated.
At the moment, that is a limitation of WSL2. As you can verify in your WSL installation, the Linux kernel is compiled without TPM support:
Technically, you might be able to work around that using different strategies.
Firstly, you could use sockets to connect a WSL2 application with a Windows daemon (talking to the TPM). I'm not aware of an existing solution here.
Secondly, you could execute programs compiled for Windows directly from within your WSL. This approach is leveraged by e.g. tpm2-send-tbs which connects the WSL domain (stdin/stdout) with the Windows domain (via TBS). Disclaimer: I am the author and this approach has significant limitations right now.
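To illustrate the second strategy, here is an added example (not code from tpm2-send-tbs or from the answer's author) of the WSL side: it serializes a TPM 2.0 command (TPM2_GetRandom, framed per the TPM 2.0 Library specification), pipes the raw bytes to a Windows-side bridge process via WSL interop, and parses the raw response. It assumes the bridge reads one raw command from stdin and writes the raw TBS response to stdout; the executable name in `bridge_argv` is a placeholder, so check the tool's own documentation for its real invocation.

```python
import struct
import subprocess

# TPM 2.0 constants (Part 2: Structures); all wire fields are big-endian.
TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_GetRandom = 0x0000017B
TPM_RC_SUCCESS = 0x00000000


def build_get_random(bytes_requested: int) -> bytes:
    """Serialize TPM2_GetRandom: header (tag, commandSize, commandCode) + UINT16 bytesRequested."""
    body = struct.pack(">H", bytes_requested)
    size = 10 + len(body)  # tag(2) + commandSize(4) + commandCode(4) + body
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, size, TPM_CC_GetRandom) + body


def parse_response(raw: bytes) -> tuple[int, bytes]:
    """Split a raw TPM response into (responseCode, payload after the 10-byte header)."""
    if len(raw) < 10:
        raise ValueError("short TPM response (no complete header)")
    _tag, size, rc = struct.unpack(">HII", raw[:10])
    if size != len(raw):
        raise ValueError(f"responseSize {size} does not match {len(raw)} bytes received")
    return rc, raw[10:]


def parse_get_random_response(raw: bytes) -> bytes:
    """Extract the random bytes (a TPM2B_DIGEST: UINT16 size + buffer) or fail on a TPM error."""
    rc, payload = parse_response(raw)
    if rc != TPM_RC_SUCCESS:
        raise RuntimeError(f"TPM returned rc=0x{rc:08X}")
    (n,) = struct.unpack(">H", payload[:2])
    if len(payload) != 2 + n:
        raise ValueError("TPM2B size prefix does not match payload length")
    return payload[2:2 + n]


def send_via_bridge(command: bytes, bridge_argv: list[str]) -> bytes:
    """Run a Windows executable from WSL (interop) and exchange raw bytes over stdin/stdout."""
    proc = subprocess.run(bridge_argv, input=command, capture_output=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Assumed invocation of a stdin/stdout bridge; replace with the real tool's command line.
    response = send_via_bridge(build_get_random(16), ["tpm2-send-tbs.exe"])
    print(parse_get_random_response(response).hex())
```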