Trusted Platform Module Basics (eBook)

Front Cover 1
Trusted Platform Module Basics: Using TPM in Embedded Systems 4
Copyright Page 5
Contents 6
Acknowledgments 12
Introduction 14
Chapter 1: TCG Prerequisites 18
1.1 The Trusted Computing Group 18
1.2 The TCG Specification Suite 18
1.3 The PC Specific Specification and the Embedded Design 19
1.4 The TSS Specification Version 1.1 26
Chapter 2: Cryptographic Basics 28
2.1 The Symmetric and Asymmetric Keys 28
2.2 Using RSA to Encrypt Private Information 31
2.3 Using RSA to Sign and Verify Signatures 33
Chapter 3: Overview of the TPM Architecture 38
3.1 The TPM CPU or Microcontroller 38
3.2 Asymmetric Functional Block Requirements 39
3.3 TPM Memory Blocks 42
3.4 Platform Configuration Registers 43
3.5 Hardware Power Management and Tamper Circuitry 44
3.6 The TPM, System-on-a-Chip 45
Chapter 4: Root-of-Trust—the TPM Endorsement Key 48
4.1 Root-of-Trust 48
4.2 The Endorsement Key 49
4.3 X509 Certificate 50
4.4 Security and the EK 52
Chapter 5: Key Hierarchy and Key Management 56
5.1 TPM-Specific Key Hierarchy 56
5.2 Types of Keys Found within the TPM 57
5.3 Typical PC-Based Key Hierarchy 59
5.4 Key Flags and Their Meaning 61
5.5 Key Cryptographic Algorithm Definition 63
5.6 Putting It All Together 66
5.7 Key Migration and Archiving 67
Chapter 6: Platform Configuration Registers 70
6.1 What in the World Is a Platform Configuration Register? 70
6.2 How PCR Values Are Initialized 74
6.3 How PCRs Govern TPM Command Execution 78
6.4 Other PCR Tidbits 80
Chapter 7: TPM Command Message Overview 82
7.1 Non-authorized TPM Command Messages 82
7.2 Single Authorized TPM Command Messages 84
7.3 Dual Authorized TPM Command Messages 86
Chapter 8: Rolling Nonces and Anti-replay Protection 90
Chapter 9: Command Authorization, Typical 100
9.1 TPM Authorization Overview 100
9.2 The TPM Authorization Input/Output Block(s) 101
9.3 Types of Command Authorization(s) 103
9.4 Object Independent Authorization Protocol 105
9.5 Calculating the Authorization Digest 107
9.6 Object Specific Authorization Protocol 112
9.7 Command Authorization Examples, Typical 117
Chapter 10: Command Authorization, Atypical 134
10.1 Exception Case, the Deferred Authorization Protocol 134
10.2 Exception Case, Non-authorized Command Execution of Normally Authorized Commands 140
10.3 Exception Case, the EncAuth 146
Chapter 11: Initialization and Low-Level Command Suite 150
11.1 Determining TPM Compliance State 150
11.2 TPM Initialization Regarding Compliance State 152
11.3 The Compliance Endorsement Key 154
Chapter 12: Compliance Vectors and Their Purpose 156
12.1 The Compliance RSA Keying Material 156
12.2 The Compliance Nonces, Secrets, and Random Numbers 160
12.3 The Compliance PCR Digest Values 162
Chapter 13: Establishing a TPM Owner 166
13.1 The TPM_CreateEndorsementKeyPair Command 166
13.2 The TPM_ReadPubek Command 171
13.3 The TPM_TakeOwnership Command 173
Chapter 14: Owner-Authorized Command Suite 184
14.1 The TPM_GetCapabilityOwner 185
14.2 The TPM_DisablePubekRead 190
14.3 The TPM_OwnerReadPubek 192
14.4 The TPM_OwnerClear 193
14.5 The TPM_DisableOwnerClear 195
14.6 The TPM_OwnerSetDisable 196
14.7 The TPM_ChangeAuthOwner 196
14.8 The TPM_AuthorizeMigrationKey 199
Chapter 15: The Key Management Command Suite 204
15.1 The TPM_CreateWrapKey Command 205
15.2 The TPM_LoadKey Command 216
15.3 The TPM_EvictKey Command 219
15.4 The TPM_GetPubKey Command 220
Chapter 16: The RSA Encryption and Decryption Command Suite 224
16.1 The TSS_Bind or Tspi_Data_Bind (TSS Specification) 225
16.2 The TPM_UnBind Command 229
16.3 The TPM_Seal Command 231
16.4 The TPM_UnSeal Command 235
Chapter 17: The TPM Signature Command 240
Chapter 18: The RNG Command Suite 246
18.1 The TPM_GetRandom 247
18.2 The TPM_StirRandom 248
Chapter 19: The PCR Command Suite 250
19.1 The TPM_PcrRead 251
19.2 The TPM_Extend 253
19.3 The TPM_Quote 255
Chapter 20: The TPM Capability and Self-Test Command Suite 260
20.1 The TPM_GetCapability 261
20.2 The TPM_GetCapabilitySigned 268
20.3 The TPM_SelfTestFull 270
20.4 The TPM_GetTestResult 272
20.5 The TPM_CertifySelfTest 272
Chapter 21: The Key Migration and Secret Management Suite 276
21.1 The TPM_CreateMigrationBlob 276
21.2 The TPM_ConvertMigrationKey 281
21.3 The TPM_ChangeAuth 283
Chapter 22: The Trusted Device Driver 286
22.1 The TDDL Interface 287
22.2 The Tddli_Open 288
22.3 The Tddli_Close 289
22.4 The Tddli_Cancel 289
22.5 The Tddli_GetCapability 291
22.6 The Tddli_SetCapability 292
22.7 The Tddli_GetStatus 293
22.8 The Tddli_TransmitData 294
Chapter 23: TPM System Deployment Initialization 296
Chapter 24: Migrating to Version 1.2 of the TPM 304
24.1 TCG Version 1.2-Based Platform Workgroups 305
24.2 EK Properties 308
24.3 Extended Context Storage and Restoration 310
24.4 Available Counters 311
24.5 Transport Protection – Encrypted Command(s) 313
24.6 Summary 316
Chapter 25: Example One: TPM Ownership 318
Chapter 26: More Command Examples 334
26.1 TPM_CreateWrapKey Using Compliance Key 0 334
26.2 TPM_Sign Using Compliance Key 2 344
26.3 TPM_UnBind Using Compliance Key Handle 4 349
Index 362
A 362
B 362
C 362
D 363
E 363
H 363
I 363
K 364
L 364
M 364
N 364
O 364
P 365
R 365
S 366
T 366
U 368
V 368
W 368
X 368