This document provides an overview of trusted computing and the Trusted Platform Module (TPM). It describes the components and functions of the TPM chip, including the endorsement key (EK), storage root key (SRK), platform configuration registers (PCRs), and operational states. The TPM uses cryptographic functions like RSA and SHA-1 to securely store keys and platform measurements within the chip. It maintains a hash-based integrity measurement of the software/firmware components executed during boot to enable remote attestation of the platform's state.
3. Introduction to Trusted Computing
• Trusted computing (TC) is the concept that technologies have built-in
processes to resolve basic security problems and user challenges [1].
• It is also a term used by a trade group called the Trusted Computing
Group (TCG) that helps to set standards for devices and technologies.
4. TPM Provisioning
• The components of the TPM chip are shown in Figure 1 [2].
• RSA: 1024- or 2048-bit modulus
• SHA-1: outputs a 20-byte digest
Figure 1: TPM Components
5. Non-Volatile Storage
1. Endorsement Key (EK) – 2048-bit RSA
• Created at manufacturing time. Cannot be changed.
• Used for attestation
2. Storage Root Key (SRK) – 2048-bit RSA
• Used for implementing encrypted storage
• Created after running TPM_TakeOwnership (OwnerPassword, …)
• Can be cleared later with TPM_ForceClear from the BIOS
3. Owner Password (OwnerPwd) – 160 bits, plus persistent flags
The private EK, the SRK and the OwnerPwd never leave the TPM
6. PCR – Platform Configuration Registers
• Many PCRs on the chip (at least 16)
• PCRs are initialized to a default value (e.g. 0) at boot time
• After boot, each PCR contains a hash chain of the software booted so far
• Collision resistance of SHA-1 ensures that the chain is a binding commitment
• Embedding PCR values in a sealed blob ensures that only certain applications
(platform states) can decrypt the data
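The following is an added example, not code from the slides or from the TCG specification: a Python model of the PCR extend operation and of sealing a secret to a PCR composite. Names such as `extend`, `pcr_composite`, `seal` and `unseal`, the boot-chain strings and the SRK secret are constructed for this model; the HMAC-derived keystream stands in for the TPM's own RSA/SRK encryption. It shows why the hash chain is order-sensitive and why a blob sealed to PCR 0 can only be unsealed after the same boot sequence.

```python
import hashlib
import hmac

PCR_COUNT = 16      # slide: "at least 16"
DIGEST_LEN = 20     # SHA-1 digest length, the PCR width on a TPM 1.2


def reset_pcrs():
    """All PCRs hold the default value (zero) at boot."""
    return [bytes(DIGEST_LEN)] * PCR_COUNT


def extend(pcrs, index, measurement):
    """PCR[i] <- SHA-1(PCR[i] || SHA-1(measurement)). A PCR can only be
    extended, never written, so its value commits to every event and its order."""
    digest = hashlib.sha1(measurement).digest()
    pcrs[index] = hashlib.sha1(pcrs[index] + digest).digest()


def measured_boot(components, index=0):
    """Each boot stage measures the next one into the same PCR before running it."""
    pcrs = reset_pcrs()
    for blob in components:
        extend(pcrs, index, blob)
    return pcrs


def pcr_composite(pcrs, selection):
    """Digest over the selected PCRs; this is what a sealed blob is bound to."""
    h = hashlib.sha1()
    for i in selection:
        h.update(pcrs[i])
    return h.digest()


def seal(secret, pcrs, selection, srk_secret):
    """Bind `secret` to the current values of the selected PCRs. A real TPM
    encrypts under the SRK; an HMAC-derived keystream stands in for that here."""
    expected = pcr_composite(pcrs, selection)
    keystream = hmac.new(srk_secret, expected, hashlib.sha256).digest()
    if len(secret) > len(keystream):
        raise ValueError("secret too long for this toy keystream")
    ciphertext = bytes(s ^ k for s, k in zip(secret, keystream))
    return {"selection": tuple(selection), "composite": expected, "ciphertext": ciphertext}


def unseal(blob, pcrs, srk_secret):
    """Release the secret only if the PCRs now equal the values sealed into the blob."""
    current = pcr_composite(pcrs, blob["selection"])
    if not hmac.compare_digest(current, blob["composite"]):
        return None
    keystream = hmac.new(srk_secret, current, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], keystream))


# Constructed sample boot chains (not real firmware images).
GOOD_BOOT = [b"BIOS v1.0", b"bootloader", b"kernel 5.x"]
TAMPERED_BOOT = [b"BIOS v1.0", b"bootloader", b"kernel 5.x + rootkit"]
REORDERED_BOOT = [b"bootloader", b"BIOS v1.0", b"kernel 5.x"]
SRK_SECRET = b"constructed-srk-secret"
SECRET = b"disk-encryption-key"


def demo():
    """Seal under the good chain, then try to unseal after each kind of boot."""
    blob = seal(SECRET, measured_boot(GOOD_BOOT), [0], SRK_SECRET)
    return tuple(unseal(blob, measured_boot(chain), SRK_SECRET)
                 for chain in (GOOD_BOOT, TAMPERED_BOOT, REORDERED_BOOT))


if __name__ == "__main__":
    print(demo())  # (b'disk-encryption-key', None, None)
```

Only the good chain unseals; a modified kernel or the same components in a different order produce a different PCR 0, so the composite check fails and nothing is released.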
7. Exact Mechanics of TPM
• The TPM accepts a value from outside software together with a hash of the
protocols that produced the value [3].
• This allows the platform to use whatever source it wants to set the value,
from secure time to the local PC clock.
• The TPM keeps only the audit digest and no other information.
8. Exact Mechanics of TPM
• Startup Mode – Startup transitions the TPM from the initialization
state to an operational state.
• The transition includes information from the platform to inform the
TPM of the platform operating state.
• TPM_Startup has three options: Clear, State and Deactivated.
9. Exact Mechanics of TPM
• Operational Mode – After the TPM completes both TPM_Startup and its
self-tests, the TPM is ready for operation.
• There are three discrete states: enabled or disabled, active or inactive,
and owned or un-owned.
• These three states, when combined, form eight operational modes.
10. Exact Mechanics of TPM
• Clearing the TPM – Clearing the TPM is the process of returning the
TPM to factory defaults.
• It is possible that the platform owner will change while in this state.
• The commands to clear a TPM require either TPM Owner
authentication or the assertion of physical presence.
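As an added example covering slides 8 to 10 and the editor's notes (not code from the slides or the TCG specification), the model below tracks the TPM lifecycle: TPM_Startup with its Clear, State and Deactivated options, the three flags that combine into eight operational modes, taking ownership, and clearing under either owner authorization or physical presence. The class name `TpmLifecycle`, the `force_clear_disabled` flag and the use of a SHA-1 digest of the owner password as the stored authorization are constructed for this model; the real commands carry more state than this.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


class TpmError(Exception):
    """Raised when a command is refused in the current TPM state."""


@dataclass
class TpmLifecycle:
    # Persistent flags (survive reboot); constructed model, not the spec's layout.
    enabled: bool = True
    active: bool = True
    owner_auth: Optional[bytes] = None   # 160-bit SHA-1 of OwnerPassword; None = un-owned
    force_clear_disabled: bool = False   # "mechanism to disable the clear operations"
    # Volatile state, reset by TPM_Startup.
    operational: bool = False
    deactivated_until_reboot: bool = False

    # TPM_Startup: initialization -> operational, three options
    def startup(self, option):
        self.operational = False
        self.deactivated_until_reboot = False
        if option == "Deactivated":
            self.deactivated_until_reboot = True   # refuse all later commands
            return
        if option not in ("Clear", "State"):
            raise TpmError("unknown TPM_Startup option")
        # "State" would reload saved volatile state; this model keeps none.
        self.operational = self.self_test()

    def self_test(self):
        return True   # constructed stand-in for the TPM's self-tests

    # The three discrete states and the eight modes they form
    @property
    def owned(self):
        return self.owner_auth is not None

    def mode_number(self):
        """Index 0..7 of the operational mode; 7 = enabled, active, owned."""
        return (self.enabled << 2) | (self.active << 1) | int(self.owned)

    def _require_operational(self):
        if self.deactivated_until_reboot or not self.operational:
            raise TpmError("TPM not started or deactivated")
        if not self.enabled or not self.active:
            raise TpmError("TPM disabled or inactive")

    def _check_owner(self, owner_password):
        if not self.owned or not hmac.compare_digest(
                hashlib.sha1(owner_password).digest(), self.owner_auth):
            raise TpmError("owner authorization failed")

    # Ownership
    def take_ownership(self, owner_password):
        self._require_operational()
        if self.owned:
            raise TpmError("TPM already owned")
        self.owner_auth = hashlib.sha1(owner_password).digest()

    def set_enabled(self, owner_password, value):
        """Enable/disable is executed with TPM Owner authorization."""
        self._check_owner(owner_password)
        self.enabled = value

    # Clearing: owner authorization OR physical presence
    def owner_clear(self, owner_password):
        self._require_operational()
        self._check_owner(owner_password)
        self._factory_defaults()

    def force_clear(self, physical_presence):
        """TPM_ForceClear from the BIOS: needs physical presence, no password."""
        if self.force_clear_disabled:
            raise TpmError("force clear has been disabled")
        if not physical_presence:
            raise TpmError("physical presence not asserted")
        self._factory_defaults()

    def _factory_defaults(self):
        self.owner_auth = None
        self.enabled = True
        self.active = True


def walkthrough():
    """Drive one TPM through startup, ownership, refused commands and a clear."""
    log, tpm = [], TpmLifecycle()
    tpm.startup("Clear")
    log.append(("mode after startup", tpm.mode_number()))       # 6: enabled, active, un-owned
    tpm.take_ownership(b"correct horse")
    log.append(("mode after ownership", tpm.mode_number()))     # 7: enabled, active, owned
    for label, cmd in [("second TakeOwnership", lambda: tpm.take_ownership(b"x")),
                       ("ForceClear w/o presence", lambda: tpm.force_clear(False)),
                       ("OwnerClear wrong pwd", lambda: tpm.owner_clear(b"wrong"))]:
        try:
            cmd()
            log.append((label, "allowed"))
        except TpmError:
            log.append((label, "refused"))
    tpm.owner_clear(b"correct horse")
    log.append(("mode after OwnerClear", tpm.mode_number()))    # 6 again
    return log


if __name__ == "__main__":
    for entry in walkthrough():
        print(*entry)
```

The refusals are the point: a second TakeOwnership, a ForceClear without physical presence and an OwnerClear with the wrong password all fail, while a Deactivated startup rejects every command until the next reboot.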
11. References
1. Maene, P., Götzfried, J., De Clercq, R., Müller, T., Freiling, F., & Verbauwhede,
I. (2018). Hardware-based trusted computing architectures for isolation and
attestation. IEEE Transactions on Computers, 67(3), 361-374.
2. https://crypto.stanford.edu/cs155old/cs155-spring11/lectures/08-TCG.pdf
3. https://trustedcomputinggroup.org/resource/tpm-main-specification/
Editor's Notes
Trusted computing is a broad term that refers to technologies and proposals for resolving computer security problems through hardware enhancements and associated software modifications.
Several major hardware manufacturers and software vendors, collectively known as the Trusted Computing Group (TCG), are cooperating in this venture and have come up with specific plans.
The TCG develops and promotes specifications for the protection of computer resources from threats posed by malicious entities without infringing on the rights of end users.
Clear – Informs the TPM that the platform is starting in a “cleared” state, most likely after a complete reboot.
State – Informs the TPM that the platform is requesting the TPM to recover a saved state and continue operation from that saved state.
Deactivated – Informs the TPM that it should not allow further operations and should fail all subsequent command requests.
Enable - The TPM MUST provide an enable and disable command that is executed with TPM Owner authorization.
Active - The TPM MUST maintain a non-volatile flag that indicates the activation state.
Ownership - The owner of the TPM has ultimate control of the TPM. The owner of the TPM can enable or disable the TPM, create AIK and set policies for the TPM. The process of taking ownership must be a tightly controlled process with numerous checks and balances.
Clear operations MUST be authenticated by either the TPM Owner or physical presence.
The TPM must support mechanisms to disable the clear operations.