This document summarizes information from a presentation on practical Trusted Platform Module (TPM) programming. It discusses TPM hierarchies, keys, and the problems TPMs help solve such as secure device identification, key generation and storage, device health attestation, and algorithm agility. It provides examples from the resource "A Practical Guide to TPM 2.0" and the TPM simulator tool "tpm2_tools".

1. Practical Trusted
Platform Module
(TPM2) Programming
Brandon Arvanaghi

2. Who am I?
● Security Engineer at Gemini
● Gemini dollar, smart contract auditing
● Work closely with HSMs, smart cards, TPMs

3. ● “A Practical Guide to TPM 2.0”
● Google’s TPM-JS
○ https://google.github.io/tpm-js/#pg_welcome
○ All images and GIFs created from here
Helpful resources

4. TPM Hierarchies
1. Owner/Storage hierarchy
2. Platform hierarchy
3. Endorsement hierarchy
4. Null hierarchy
● Logical collections of keys

5. TPM Hierarchies
1. Owner/Storage hierarchy
2. Platform hierarchy
3. Endorsement hierarchy
4. Null hierarchy
● Logical collections of keys
● Each hierarchy has a different seed at its root that is used
to generate keys within that hierarchy

7. Key points:
● These seeds never leave the TPM, and serve as secret inputs into KDFs
● Seeds never change on reboots, except for in Null hierarchy
○ Other seeds can be manually changed
● Key derivation for primary key is fixed + repeatable
○ Providing the same template generates the same primary key every time!

8. Key points:
● Any key you create can also seal a small amount of arbitrary data
○ A secret message
● You can create authorization policies that restrict when that sealed can
be read
○ When the OS is in a known state
○ When a password is provided as an input
○ Etc.

9. Seeds
From Google’s TPM-JS

10. TPM Hierarchies
1. Owner/Storage hierarchy
a. Used by end users of TPM
b. Seed changes with TPM2_CC_CLEAR -- reprovisioning a laptop, for
example
2. Platform hierarchy
a. Used by BIOS, not end users.
b. Seed can be changed
3. Endorsement hierarchy
a. Used for attesting TPM
b. Seed never changes. Primary key can be used to identify device.
4. Null hierarchy
a. Used for ephemeral keys
b. Seed changes at reboot

11. From Google’s TPM-JS

12. ● Decrypt
○ General encryption/decryption key
○ Can’t have children
● Sign
○ Signing key
● Restricted
○ Can only sign and encrypt internal TPM data
○ Can’t be used for general decryption -- this could leak a child key!
Key attributes

14. Creating child keys
● Keys in the TPM are parents and children
● Any time you create a new key in the TPM, that key must
point to a parent key
○ Except the primary key, which is the first key in the hierarchy
● The parent key protects the child key
○ The child key is wrapped to the parent key
● Only when the parent key is loaded into the TPM can the
child key be unwrapped in the TPM and used!

15. From Google’s TPM-JS

16. Output:
From Google’s TPM-JS

17. tpm2_create
● When you generate a key in the TPM, the key (both
private and public keys) get spit out as a file on your
filesystem
○ Not usable in the TPM yet!
● These files can only be understood by the TPM.
● To use that key on the TPM, you must first load those files
into the TPM, so the key is usable by the TPM

18. From Google’s TPM-JS

19. Problems Solved by TPMs

20. Problems Solved by TPMs
1. Identification of device
a. Prior to TPMs, this was done with MAC addresses
Examples from A Practical Guide to TPM2

21. 1. Identification of device
a. Prior to TPMs, this was done with MAC addresses
2. Secure key generation
a. Hardware RNG > arbitrary software RNG (often a point of failure)
Problems Solved by TPMs
Examples from A Practical Guide to TPM2

22. 1. Identification of device
a. Prior to TPMs, this was done with MAC addresses
2. Secure key generation
a. Hardware RNG > arbitrary software RNG (often a point of failure)
3. Secure key storage
4. NVRAM storage
a. When device wiped by IT, NVRAM can keep a certificate store
5. Device health attestation via PCRs
a. Used to use software to attest health of device. Spoofable!
Problems Solved by TPMs
Examples from A Practical Guide to TPM2

23. 1. Identification of device
a. Prior to TPMs, this was done with MAC addresses
2. Secure key generation
a. Hardware RNG > arbitrary software RNG (often a point of failure)
3. Secure key storage
4. NVRAM storage
a. When device wiped by IT, NVRAM can keep a certificate store
5. Device health attestation via PCRs
a. Used to use software to attest health of device. Spoofable!
6. Algorithm agility
Problems Solved by TPMs
Examples from A Practical Guide to TPM2

24. 1. Non-Volatile RAM
2. Can store, read keys from here early in the boot cycle
before the PC has access to disk
NVRAM

25. Platform Configuration Registers
(PCRs)
● TPMs are different from smart cards in that they are on
the motherboard, and available when the machine boots
● TPMs can thus be used to take measurements of machine
state during the boot process
● PCRs store hashes of measurements taken by external
software, and the TPM can later attest to these
measurements by signing them

26. ● TPM initializes all PCRs at boot time (typically all 0s or
1s)
● Caller can’t directly write to PCRs, but can do an extend
operation
● Takes old PCR value, concatenates with new data you
want to measure, stores the result in that same PCR slot

27. tpm2_tools

30. TPM2 Simulator
● https://sourceforge.net/projects/ibmswtpm2/

31. Thanks!
Brandon Arvanaghi
@arvanaghi