Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners.

Slide #1

TCG 101

Boot Camp
9 November 2004

Slide #2

Terminology

• Trust
  – An entity can be trusted if it always behaves in the expected manner for the intended purpose

Slide #3

What is TCG Technology

• Defines a set of services
  – Trusted Platform Module = a TPM
  – Adding protocols and messages that take advantage of the TPM
• The TPM cannot be moved
  – Attached to the platform
• The TPM contains
  – cryptographic engine
  – protected storage
• Functions and storage are isolated
  – Provides a “Trust Boundary”

Slide #4

TCG Doc Roadmap

[Diagram: document roadmap. Boxes:]
• TCG Documentation Roadmap & Glossary
• Architectural Overview
• Platform-Specific Design Guide
• TCG Main Specification Parts 1-4
• PC Platform Specification
• PC Platform Compliance
• Server Specification
• Server Compliance
• Mobile Phone Specification
• Mobile Phone Compliance
• Other Platform
• Other Compliance
• TCG Software Stack (TSS)
• ISO-15408 Common Criteria Protection Profiles - Normative Reference -
• Common Criteria
• Common Evaluation Methodology
• Rev: 1.4

Slide #5

TCG Main Spec Roadmap

[Diagram: main specification roadmap. Boxes:]
• Part 1 Design Philosophies
• Part 2 TPM Structures
• Part 3 TPM Commands
• Part 4 Test Vectors
• ISO-15408 Common Criteria Protection Profile, Rev 1.1 - Normative Reference -

Slide #6

What is the heart of TCG?

• TCG defines TPM’s functionality
  – Protected capabilities
  – Shielded locations
• Not the implementation
  – Vendors are free to differentiate the TPM implementation
  – Must still meet the protected capabilities and shielded locations requirements

[Diagram: TPM]

Slide #7

TCG PC Client H/W Design

• In 1.1b all designs used the LPC bus
  – LPC bus was not required
• In 1.2 all designs MUST use the LPC bus

[Diagram: PC block diagram. Labels: CPU, RAM, MCH, AGP, ICH, Network Port, LPC, BIOS, TPM, network, Remote Agent]

TPM is connected to the motherboard

Slide #8

Basic TPM Block Diagram

[Diagram: Trusted Platform Module (TPM). Blocks: I/O, RNG, RSA Engine, SHA-1, Key Generation, Non-Volatile Storage, Volatile Storage, Platform Configuration Register (PCR), AIK, Opt-In, Exec Engine, Program Code, Packaging]

Slide #9

Functional TPM Diagram

• Root of Trust for Reporting (RTR)
  – Provides cryptographic mechanism to digitally sign TPM state and information
• Root of Trust for Storage (RTS)
  – Provides cryptographic mechanism to protect information held outside of the TPM
• Root of Trust for Measurement (RTM)
  – Provided by platform to measure platform state
  – Defined by platform specification
• Interaction between RTR and RTS is an important TPM capability

[Diagram: TPM containing RTR and RTS, with Shielded Locations and Protected Capabilities; RTM shown separately]

Slide #10

Generic Architecture

• TPM attached to platform
• Credentials held outside TPM
  – Endorsement credential normally provided by TPM manufacturer
  – Platform credential normally provided by platform manufacturer
  – Conformance credential provided by lab
• TPM can load and use a virtually unlimited number of AIK, signature and encryption keys

[Diagram: Platform holding Platform Credential, Conformance Credential and Endorsement Credential; TPM holding PCR, Endorsement Key (EK), Attestation ID Keys, Signature keys, Encryption keys]

Slide #11

Endorsement Key (EK) Details

• Each TPM has a unique EK
• The EK is a 2048-bit RSA key
• The EK is generated:
  – When the entity that issues the EK credential has control and is willing to certify the creation of the EK
• There are mechanisms to change the EK
• The EK only participates in two operations
  – Taking TPM ownership
  – Creation of Attestation Identity Keys

[Diagram: Platform holding Platform Credential, Conformance Credential and Endorsement Credential; TPM holding PCR, Endorsement Key (EK), Attestation ID Keys, Signature keys, Encryption keys]

Slide #12

Persistent Keys

• Endorsement Key (EK)
  – Not part of the key hierarchy
• Storage Root Key (SRK)
  – All keys are protected by this key
• Root of Key Hierarchy
  – Changed on new owner

[Diagram: Platform holding Platform Credential, Conformance Credential and Endorsement Credential; TPM holding PCR, EK, SRK, Attestation ID Keys, Signature keys, Encryption keys]

Slide #13

Key Hierarchy

[Diagram: key tree. Labels:]
• Endorsement Key
• Storage Root Key (SRK)
• Non-Migratable Storage Key
• Migratable Storage Key
• Non-Migratable Signing Key
• Migratable Signing Key
• Migratable Signing or Storage Key
• Attestation ID Keys
• Protected by the RTS
• Protected by the TPM

Slide #14

Key Types and Classes

• Storage Keys
  – Protects keys or external data
• Signing Keys
  – Digital signatures
• Attestation Identity Keys (AIKs)
  – Special Signing keys
  – Provides attestation
• Non-Migratable Keys
  – Permanently bound to a specific TPM, i.e., platform
• Migratable Keys
  – Can be migrated to other platforms
• Certified Migratable Keys
  – Can be migrated to only “certified” authorities

Slide #15

PCR Definition

• Platform Configuration Registers (PCR)
• Store measurement values in a fixed amount of space
  – Size of PCR is 160 bits, or the result of a SHA operation
  – 1.2 PC TPM requires 24 PCR
• Outside entities never write directly to the PCR; they must use the Extend operation
  – Extend is [PCRnew] = SHA-1 ( [PCRold] + extend value), where + denotes concatenation
  – A property of SHA-1 is that it is infeasible to calculate a value A such that
    • PCRdesired = Extend (A)

Slide #16

PCR Types

• Two PCR types
  – Static
    • Reset on TPM_Startup (ST_CLEAR)
    • Default value 0x00..00
    • PC TPM has 16 static PCR (0-15)
  – Dynamic
    • Reset on TPM_PCRReset or any TPM_Init
    • Default value 0xff..ff
    • PC TPM has 8 dynamic PCR (16-23)

Slide #17

Sealing Data to the TPM

• Send data, authorization value and requested PCR value
  – Not the PCR value at the time of sealing
• TPM encrypts data to create a bound blob
  – Including the requested PCR values
• Blob stored outside TPM

[Diagram: Data, Auth Material and Config sent to the TPM (Storage key, PCR); Sealed Data written to Local Storage]

Slide #18

Unsealing Data

• Load sealed blob into TPM
  – Send in authorization values to use storage key
• TPM decrypts blob
• After decryption TPM validates that current PCR values match requested PCR values in sealed blob
• Data only returned on match

[Diagram: Sealed Data from Local Storage and Auth Material sent to the TPM (Storage key, PCR); Data returned]
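
The seal and unseal flow from the two slides above, as an added Python model (not part of the original deck and not TPM or TSS code): `ModelTPM`, its stand-in stream cipher and the blob layout are assumptions made for illustration. It shows that the blob carries the requested PCR value rather than the value at sealing time, and that the PCR comparison happens after decryption.

```python
import hashlib, hmac, os

def extend(pcr_old, value):
    return hashlib.sha1(pcr_old + value).digest()   # Extend as defined on slide #15

def _prf(key, label, msg):
    return hmac.new(key, label + msg, hashlib.sha256).digest()

class ModelTPM:
    """Model only: stand-in stream cipher and blob layout are assumptions."""
    def __init__(self):
        self._storage_key = os.urandom(32)   # stays inside the model TPM
        self.pcr = bytes(20)                 # one static PCR at its reset value

    def _crypt(self, nonce, data):
        enc_key = _prf(self._storage_key, b"enc", nonce)
        stream = b"".join(_prf(enc_key, b"ks", i.to_bytes(4, "big"))
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def seal(self, data, auth, requested_pcr):
        # The requested PCR value travels inside the blob; self.pcr is not consulted.
        nonce = os.urandom(16)
        body = self._crypt(nonce, requested_pcr + hashlib.sha1(auth).digest() + data)
        return nonce + body + _prf(self._storage_key, b"mac", nonce + body)

    def unseal(self, blob, auth):
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, _prf(self._storage_key, b"mac", nonce + body)):
            return None, "blob altered or bound to another TPM"
        plain = self._crypt(nonce, body)                  # decrypt first
        requested_pcr, auth_digest, data = plain[:20], plain[20:40], plain[40:]
        if not hmac.compare_digest(auth_digest, hashlib.sha1(auth).digest()):
            return None, "authorization rejected"
        if requested_pcr != self.pcr:                     # then compare PCR state
            return None, "current PCR does not match requested PCR"
        return data, "ok"

def demo():
    tpm, kernel = ModelTPM(), hashlib.sha1(b"constructed kernel image").digest()
    blob = tpm.seal(b"constructed secret", b"auth", extend(bytes(20), kernel))
    early = tpm.unseal(blob, b"auth")[1]          # PCR still at reset value
    tpm.pcr = extend(tpm.pcr, kernel)
    booted = tpm.unseal(blob, b"auth")            # expected state reached
    tpm.pcr = extend(tpm.pcr, b"constructed later measurement")
    return early, booted, tpm.unseal(blob, b"auth")[1]

if __name__ == "__main__":
    print(demo())
```
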

Slide #19

Transitive Trust

1. RTM measures component1
2. RTM creates event structure
3. RTM stores event in SML
4. RTM extends PCR with value
5. Comp1 measures component2
6. Comp1 creates event structure
7. Comp1 stores event in SML
8. Comp1 extends PCR with value

[Diagram: RTM; Component 1 (Code, Data); Component 2 (Code, Data); Stored Measurement Log holding Event Structure1 and Event Structure2 (each with Event Data and Extend Value); TPM with PCR1 and PCR2]

Slide #20

Verifying the Measurement Log

1. Read struct1 from SML
2. Calculate PCR value
3. Read struct2 from SML
4. Calculate PCR value
5. Get PCR value from TPM
6. Compare calculated value with PCR – a mismatch indicates a problem, with no information as to what the problem is

[Diagram: Stored Measurement Log holding Event Structure1 and Event Structure2 (each with Event Data and Extend Value); Expected Value; Compare values; TPM with PCR1 and PCR2]
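
The Extend operation and the six verification steps above, as an added Python example (not part of the original deck): the event dictionary layout, the component names and the sample images are constructed for illustration. Beyond the replay check it also compares each logged extend value with an expected value, which is what identifies the changed component when the replay itself matches.

```python
import hashlib

STATIC_PCR_DEFAULT = bytes(20)  # 160-bit static PCR, reset value 0x00..00

def extend(pcr_old: bytes, extend_value: bytes) -> bytes:
    """[PCRnew] = SHA-1([PCRold] + extend value), with + as concatenation."""
    return hashlib.sha1(pcr_old + extend_value).digest()

def boot(components):
    """Model of the measuring side: measure, log the event, extend the PCR."""
    sml, pcrs = [], {}
    for pcr_index, name, code in components:
        value = hashlib.sha1(code).digest()          # measurement of the component
        sml.append({"pcr": pcr_index, "event_data": name, "extend_value": value})
        pcrs[pcr_index] = extend(pcrs.get(pcr_index, STATIC_PCR_DEFAULT), value)
    return sml, pcrs

def replay(sml, pcr_index):
    """Verifier side: recompute one PCR from the logged extend values."""
    pcr = STATIC_PCR_DEFAULT
    for event in sml:
        if event["pcr"] == pcr_index:
            pcr = extend(pcr, event["extend_value"])
    return pcr

def verify_log(sml, tpm_pcrs, expected):
    """Return (log_matches_tpm, names of events whose value is not expected)."""
    log_matches_tpm = all(replay(sml, i) == v for i, v in tpm_pcrs.items())
    unexpected = [e["event_data"] for e in sml
                  if expected.get(e["event_data"]) != e["extend_value"]]
    return log_matches_tpm, unexpected

# Constructed sample input: three components measured into two PCRs.
GOOD = [(1, "component1", b"constructed loader"), (1, "component1-config", b"constructed config"),
        (2, "component2", b"constructed kernel")]
EXPECTED = {name: hashlib.sha1(code).digest() for _, name, code in GOOD}

def scenarios():
    good_sml, good_pcrs = boot(GOOD)
    changed = GOOD[:2] + [(2, "component2", b"constructed kernel, modified")]
    bad_sml, bad_pcrs = boot(changed)
    # Log rewritten to show the expected value while the PCRs hold the truth.
    forged_sml = bad_sml[:2] + [dict(bad_sml[2], extend_value=EXPECTED["component2"])]
    return {"clean": verify_log(good_sml, good_pcrs, EXPECTED),
            "modified": verify_log(bad_sml, bad_pcrs, EXPECTED),
            "forged_log": verify_log(forged_sml, bad_pcrs, EXPECTED)}

if __name__ == "__main__":
    print(scenarios())
```
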

Slide #21

Questions

• More in the afternoon

Slide #22

Verifying the Measurement Log

[Diagram: measurement log verification, steps 1 to 6, with Stored Measurement Log, Event Structure1, Event Structure2, Expected Value, Compare values, and TPM with PCR1 and PCR2]

What mechanism allows the challenger to believe the report from the TPM?

Slide #23

Credentials

• AIK Credential
  – ID Label
  – ID Pub Key
  – TPM Model
  – TPM Mfg
  – Platform Type
  – Platform Mfg
  – Ref to TPM Conformance
  – Ref to Platform Conformance
  – Ref to signer
  – Signature
• Platform Credential
  – Ref to EK Cred
  – Platform Type (e.g., model)
  – Platform Mfg
  – Plat Mfg Signature
• Endorsement Credential
  – Public EK
  – TPM Model
  – TPM Mfg
  – TPM Mfg Signature
• TPM Conf Credential
  – Ref to TPM Mfg & Model
  – Conformance Lab Signature
• Plat Conf Credential
  – Ref to Platform Mfg & Model
  – Conformance Lab Signature

Slide #24

Certifying an AIK

1. Owner bundles into an AIK request:
  • New AIK PubKey
  • Endorsement Cred
  • Platform Cred
  • Conformance Creds
2. Owner sends AIK request to P-CA
3. TTP verifies Credentials
4. TTP signs AIK
5. Signed AIK sent to TPM

[Diagram: Platform holding Endorsement Credential, Platform Credential and Conformance Credentials; TPM holding Endorsement Key (EK) and Attestation ID Keys; AIK PubKey; Privacy CA (P-CA)]

Slide #25

Using an AIK

1. Service requested by Platform User
2. Challenger requests attestation
3. Integrity signed by an AIK
4. Attestation sent to challenger
5. Evaluates trust in AIK
6. Evaluate Platform’s Integrity

Attestation = Platform Integrity signed by AIK

[Diagram: Platform with TPM ([PCR], Attestation ID Keys); Verifier; Privacy CA (P-CA)]

Slide #26

Verifying the Measurement Log

[Diagram: measurement log verification, steps 1 to 6, with Stored Measurement Log, Event Structure1, Event Structure2, Expected Value, Compare values, and TPM with PCR1 and PCR2]

This step uses an AIK validation

Slide #27

Questions

Slide #28

TSS Block Architecture

[Diagram: TSS layers. Labels:]
• User Process: Process 1, Process 2 and Remote Process, each with a TSS Service Provider (TSS SPI); RPC Client
• System Process: TSS Core Services (TSS CSI); TPM Device Driver Library (TPM DDLI)
• Kernel Mode: TPM Device Driver
• TPM

TSS enables application development and interoperability

Slide #29

Using Crypto Infrastructures

[Diagram: application stack. Labels:]
• TCG Aware Application
• Non-TCG Aware Application
• Process 1
• Crypto Infrastructure (e.g., CAPI, PKCS #11)
• TSS Crypto Service Provider (CSP)
• Other Crypto Service Provider (CSP)
• TSS Service Provider (TSS SPI)

Slide #30

The Players

[Diagram: Platform containing the TPM, surrounded by:]
• Owner – One per TPM
• User 1, User 2, ... User N – Many per TPM
• Operator – One at a time per platform
• Challengers (Service Provider)