It seems most systems have a TPM 2 module in them now, and it seems those modules often have a physical presence pin. Are these pins actually used by any typical laptop manufactures?
I have a laptop and a YubiKey. The YubiKey requires a physical touch for any crypto operations. It seems like those operations could be done in the TPM, but I'm not seeing information on how to require physical presence checking outside of the pre-boot environment. Am I missing something?
Although both TPM Physical Presence and YubiKey button share the property of confirming some operations by cryptographic means upon user action, its usage might be quite different. If from Physical Presence you are expecting real time confirmation when some signature is issued by TPM upon some user action, then this might not be the right tool. Although the standard might give more possibilities, usual implementation of TPM PP is used to perform changes by Operating System on NVRAM/UEFI related stuff - like introducing new Machine Owner Key by OS to control how UEFI Secure Boot will behave might need entering your UEFI password on the very next boot. Physical Presence here means that without the user action the change will not be applied.
Consult section 'Physical Presence Interface Pseudo Code' of the standard. The actual implementation will always be device specific. If you would like to perform deep research start from geting UEFI firmware for your specific device and extract all modules using UEFI Tool. Then you can use IRFExtractor to search for Physical Presence specific strings. When you will locate specific module you can identify its format and use standard reverse engeneering techniques to work on it.
You can also develop own EFI module - I was actually thinking about doing so with built-in fingerprint reader in Dell XPS9310 towards implementing FIDO2 compatible interface.
