I've ported mjg59's tpmtotp to run from inside the boot ROM of a Thinkpad x230 using CoreBoot with a Linux payload. This provides attestation that the firmware hasn't been tampered with, since the TPM won't unseal the secret used in the TOTP HMAC unless the PCR values match those expected for the ROM image.

Garrett presented tpmtotp at 32c3 and I really liked the idea, but felt that it ran "too late" -- by the time it runs, the system has already fetched the kernel and initrd from the disk and the chain of trust could already have been compromised. Since my version of the code is executed from the difficult-to-write SPI flash ROM, and the read-only boot block initializes the root of trust with measurements of itself as well as the rest of the ROM, it is much harder to compromise.

Additionally, since my ROM image is very size constrained, I didn't want to use OpenSSL and liboath and all of the other dependencies. My branch replaces them with mbedtls and my own TOTP code, which reduces the size of the executables from 5MB to 180KB.
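To make the flow above concrete, here is an added example (my own illustration, not code from the tpmtotp port or from Heads) that models the three pieces in Python: extending a PCR with measurements of the ROM components, an unseal that only releases the secret when the PCR matches the value it was sealed against, and the RFC 6238 TOTP computation that the firmware then runs. The PCR model, the component names and the sealed blob are constructed stand-ins for the real TPM operations.

```python
import hashlib
import hmac
import struct
import time


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """Simplified model of TPM 1.2 extend: PCR = SHA1(PCR || SHA1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_rom(components):
    """Extend a fresh PCR with each ROM component in boot order (boot block first)."""
    pcr = bytes(20)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def unseal(sealed, current_pcr):
    """Model of TPM_Unseal: the secret is released only if the PCR matches the sealed value."""
    expected_pcr, secret = sealed  # constructed sealed blob: (PCR policy, secret)
    if not hmac.compare_digest(expected_pcr, current_pcr):
        return None
    return secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step counter."""
    return hotp(secret, unix_time // step, digits)


def boot_time_totp(sealed, rom_components, unix_time):
    """What the boot ROM does: measure, unseal, and compute the code (None if tampered)."""
    secret = unseal(sealed, measure_rom(rom_components))
    return None if secret is None else totp(secret, unix_time)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed secret (RFC 6238 test key)
    good_rom = [b"bootblock", b"coreboot", b"linux-payload"]  # constructed ROM images
    sealed = (measure_rom(good_rom), secret)
    now = int(time.time())
    print("trusted ROM:", boot_time_totp(sealed, good_rom, now))
    print("modified ROM:", boot_time_totp(sealed, [b"bootblock", b"other", b"linux-payload"], now))
```

With an unmodified ROM the printed code matches the one on the phone enrolled with the same secret; with any component changed, the PCR differs, the unseal fails, and no code is produced.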

The source is available from, although it is currently not usable outside of my build environment. As Heads is more developed it will be merged into that project (and likely re-written as a shell script).

2016 Security

Last update: November 8, 2020