Mistake on this page? Email us

Connect a Linux device with a TPM

This tutorial explains how to securely connect a Linux device with a Trusted Platform Module (TPM) to Device Management over an IP connection.

Device Management Client supports the PARSEC open-source initiative, which provides a platform-agnostic interface for calling the secure storage and operation services of a TPM on Linux.

This lets you generate the device's bootstrap private key on a TPM during the factory provisioning flow. When the device calls the Device Management bootstrap server, as part of the DTLS handshake, Device Management Client uses the bootstrap key by calling an API without having to export the key.


Connecting the device

  1. Open a terminal, and clone the example repository to a convenient location on your development environment:

    git clone
    cd mbed-cloud-client-example
  2. Deploy the example repository:

    mbed deploy
  3. Delete the add_definitions(-DMBED_CONF_APP_DEVELOPER_MODE=1) line from the define.txt configuration file to compile Device Management Client example in production mode.

  4. Navigate to the Device Management Client example folder, and run:

    python pal-platform/ deploy --target=x86_x64_NativeLinux_mbedtls generate
    cd __x86_x64_NativeLinux_mbedtls
    cmake -G "Unix Makefiles" -DPARSEC_TPM_SE_SUPPORT=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_TOOLCHAIN_FILE=./../pal-platform/Toolchain/GCC/GCC.cmake -DEXTERNAL_DEFINE_FILE=./../define_linux_psa.txt

    The build creates binaries under mbed-cloud-client-example/__x86_x64_NativeLinux_mbedtls.

    Note: If you experience build problems, see the Troubleshooting section for potential issues and workarounds.

  5. Set the entropy source:

    export ENTROPYSOURCE=<file-name>

    For example:

    export ENTROPYSOURCE=/dev/urandom

    Note: The ENTROPYSOURCE environment variable is optional. If you do not use it, Device Management uses a default entropy source, which is Linux-platform-dependent.

  6. Run the application:


    You should see a message when the device connects to Device Management:

    Client registered
    Endpoint Name: 013584750b3400000000000100100051
    Device Id: 013584750b3400000000000100100051