Trusted Computing Platform Alliance. David Grawrock, Security Architect, Desktop Architecture Labs, Intel Corporation. May 13, 2022


Page 1: Trusted Computing Platform Alliance

Trusted Computing Platform Alliance

David Grawrock
Security Architect
Desktop Architecture Labs
Intel Corporation

April 22, 2023

Page 2: Trusted Computing Platform Alliance

Agenda

• Background
• Attestation
• Specification
• What Is Next

Page 3: Trusted Computing Platform Alliance

TCPA History

• Established in spring 1999
• Promoters are:
  – Compaq, IBM, Intel, HP and Microsoft
• Membership over 160 companies
• Web site
  – http://www.trustedpc.org/

Section: Background

Page 4: Trusted Computing Platform Alliance

TCPA Technical Challenge

To maintain the privacy of the platform owner while providing a ubiquitous, interoperable mechanism to validate the identity and integrity of a computing platform.

Section: Background

Takeaway: TCPA provides the base for reporting identity and integrity

Page 5: Trusted Computing Platform Alliance

Are You A Dog?

• On the Internet no one knows you are a dog
• On the Internet no one knows if you have a proper configuration

Section: Attestation

Page 6: Trusted Computing Platform Alliance

Attestation Definition

• "To affirm to be true, correct or genuine" [1]
• Cryptographic proof of information regarding the platform
• Information that could be attested to includes:
  – HW on platform
  – BIOS
  – Configuration options
  – And much more

[1] American Heritage Dictionary

Section: Attestation

Page 7: Trusted Computing Platform Alliance

Attestation Promise

• TCPA never lies about the state of measured information
• This requires:
  – Accurate measurement
  – Protected storage
  – Provable reporting of measurement

Section: Attestation

Takeaway: TCPA defines an attestation device

Page 8: Trusted Computing Platform Alliance

Specifications Available

• Main specification defines the Trusted Platform Module (TPM)
  – Definition is platform neutral
  – All commands to the TPM are defined
• PC Specific specification defines how to implement on a PC platform
• These specs are available on the web site

Section: Specification

Page 9: Trusted Computing Platform Alliance

TPM Components

• Generate and use RSA keys
• Provide long-term protected storage of the RSA root key
• Store measurements in PCRs
• Use anonymous identities to report PCR status

[TPM block diagram: RNG, RSA engine, Non-Volatile Storage, Key Generation, PCR, Anonymous Identities, Opt-In]

Section: Specification

Takeaway: TPM definition is complete

Page 10: Trusted Computing Platform Alliance

Summary

• TCPA provides the base for reporting identity and integrity
• TCPA defines an attestation device
• TPM definition is complete

Page 11: Trusted Computing Platform Alliance

What Next?

• Design platforms and applications for TPM use
• Extend the trust and integrity of platforms

Page 12: Trusted Computing Platform Alliance

Questions?

Page 13: Trusted Computing Platform Alliance

Backup Material

Page 14: Trusted Computing Platform Alliance

Non-volatile Storage

• The storage holds and secures the endorsement key (EK)
  – Each TPM has a unique EK
• The endorsement key must be protected from both exposure and improper use
• In addition to the EK, some flags are kept in non-volatile storage

Section: Functionality

Page 15: Trusted Computing Platform Alliance

Key Generation

• The TPM can generate RSA keys
  – Default size 2048 bits
  – Other algorithms possible
• The keys can be used for signing / verification or encryption / decryption
  – The use of a key must be specified at creation time
• There is no speed requirement on how long or how short a time generation will take

Section: Functionality

Page 16: Trusted Computing Platform Alliance

Anonymous Identities

• All operations attesting to the TPM use an anonymous identity rather than the EK
• An anonymous identity certifies that the key came from A TPM, not WHICH TPM
  – The devil is in the details; see the main spec

Section: Functionality

Page 17: Trusted Computing Platform Alliance

Random Number Generator

• All TPMs must have an RNG
  – Implementation is manufacturer specific
• The specification asks for, but does not require, FIPS evaluation of the RNG
• The RNG output is used both internally by the TPM and is offered to outside consumers of randomness

Section: Functionality

Page 18: Trusted Computing Platform Alliance

PCR Registers

• The TPM has a minimum of 16 Platform Configuration Registers (PCRs)
• The PCRs use the EXTEND operation to store measurements regarding the platform
  – new PCR value = SHA-1(old PCR value || new value); the main specification hashes the existing register contents followed by the new measurement
  – A PCR is never written directly, only extended, so its value commits to the ordered sequence of everything measured into it since reset

Section: Functionality
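The following is an added example, not code from the slides or from any TCPA specification. It implements the EXTEND rule from this slide and the "accurate measurement / protected storage / provable reporting" chain from the Attestation Promise slide: a platform side that extends SHA-1 measurements into 16 PCRs while keeping an event log outside the TPM, and a verifier side that replays the log and compares the result against the reported PCRs and against known-good values. The boot components, PCR assignments and log format are constructed for the example; quote signing with an identity key is out of scope and the reported values are taken as given.

```python
import hashlib

PCR_COUNT = 16      # TCPA minimum number of Platform Configuration Registers
DIGEST_SIZE = 20    # SHA-1 digest length; TCPA 1.x PCRs are SHA-1 sized


def measure(data: bytes) -> bytes:
    """Measurement = SHA-1 of the object (BIOS image, option ROM, config blob)."""
    return hashlib.sha1(data).digest()


def extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """TCPA EXTEND: new PCR = SHA-1(old PCR || measurement).

    A PCR can only be extended, never written, so its value is a digest of
    the whole ordered sequence of measurements fed into it since reset.
    """
    if len(pcr_value) != DIGEST_SIZE or len(measurement) != DIGEST_SIZE:
        raise ValueError("EXTEND takes two SHA-1 digests")
    return hashlib.sha1(pcr_value + measurement).digest()


class PCRBank:
    """Platform side: the PCRs (inside the TPM) plus the event log (outside it)."""

    def __init__(self, count: int = PCR_COUNT):
        self.pcrs = [bytes(DIGEST_SIZE)] * count   # all PCRs start at zero on reset
        self.log = []                              # (pcr index, digest, description)

    def extend(self, index: int, data: bytes, description: str) -> bytes:
        digest = measure(data)
        self.pcrs[index] = extend(self.pcrs[index], digest)
        self.log.append((index, digest, description))
        return self.pcrs[index]


def replay_log(log, count: int = PCR_COUNT):
    """Verifier side: recompute every PCR from the event log alone."""
    pcrs = [bytes(DIGEST_SIZE)] * count
    for index, digest, _ in log:
        pcrs[index] = extend(pcrs[index], digest)
    return pcrs


def verify_report(reported_pcrs, log, known_good=None):
    """Check reported PCRs against their log, then against known-good values.

    In a real deployment the reported PCRs arrive inside a TPM-signed quote;
    the signature check is not modelled here. Returns (ok, reason).
    """
    if replay_log(log, len(reported_pcrs)) != list(reported_pcrs):
        return False, "event log does not reproduce the reported PCRs"
    for index, value in (known_good or {}).items():
        if reported_pcrs[index] != value:
            return False, f"PCR[{index}] does not match the known-good value"
    return True, "ok"


# Constructed sample boot: three measured components standing in for real firmware.
BOOT_COMPONENTS = [
    (0, b"BIOS v1.0 image bytes",        "BIOS"),
    (1, b"option ROM: NIC boot agent",   "option ROM"),
    (2, b"boot config: secure_boot=on",  "configuration"),
]


def simulated_boot(components=BOOT_COMPONENTS) -> PCRBank:
    """Measure each component into its PCR in boot order and return the bank."""
    bank = PCRBank()
    for index, data, description in components:
        bank.extend(index, data, description)
    return bank


if __name__ == "__main__":
    good = simulated_boot()
    known_good = {i: good.pcrs[i] for i in (0, 1, 2)}
    print(verify_report(good.pcrs, good.log, known_good))       # (True, 'ok')

    # Tampered firmware: PCR[0] changes and no later extend can undo it.
    bad = simulated_boot([(0, b"BIOS v1.0 image bytes + implant", "BIOS")]
                         + BOOT_COMPONENTS[1:])
    print(verify_report(bad.pcrs, bad.log, known_good)[0])      # False

    # Forged log: editing the log cannot make it agree with the real PCRs.
    forged_log = [(0, measure(b"BIOS v1.0 image bytes"), "BIOS")] + bad.log[1:]
    print(verify_report(bad.pcrs, forged_log, known_good)[0])   # False
```

The two failure cases are the ones the Attestation Promise depends on: a modified component changes the PCR (accurate measurement), and because the PCR lives inside the TPM and can only be extended, an attacker who controls the log outside the TPM cannot make a doctored log replay to the genuine register value (protected storage). The verifier also needs the ordering property of EXTEND, since the same measurements in a different order give a different PCR.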

Page 19: Trusted Computing Platform Alliance

RSA Engine

• The TPM can encrypt and decrypt using RSA keys
• The use of keys is segregated into signing or encryption uses
• The TPM must handle RSA keys of 2048 bits in size

Section: Functionality
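An added example, not code from the slides or from the TCPA specification, covering the rule stated on the Key Generation and RSA Engine slides: a key's use is fixed when it is created and the TPM refuses to apply a signing key to decryption or an encryption key to signing. The key object, the `KeyUsageError`, and the tiny constructed primes (the textbook p = 61, q = 53, e = 17 values) are all assumptions made for the example; the arithmetic is raw textbook RSA with no padding and is not usable cryptography.

```python
SIGNING = "signing"
ENCRYPTION = "encryption"


class KeyUsageError(Exception):
    """Raised when a key is asked to do something outside its declared use."""


class TPMKey:
    """A key whose use is fixed at creation, mirroring the TCPA rule that a key
    is created as either a signing key or an encryption key, never both.
    """

    def __init__(self, usage: str, p: int, q: int, e: int = 17):
        if usage not in (SIGNING, ENCRYPTION):
            raise ValueError("usage must be SIGNING or ENCRYPTION at creation time")
        self._usage = usage            # no setter: the attribute cannot change later
        self.n = p * q
        self.e = e
        phi = (p - 1) * (q - 1)
        self._d = pow(e, -1, phi)      # private exponent, never leaves the "TPM"

    @property
    def usage(self) -> str:
        return self._usage

    def _require(self, usage: str) -> None:
        if self._usage != usage:
            raise KeyUsageError(f"key created for {self._usage}; {usage} use refused")

    # signing-key operations
    def sign(self, digest: int) -> int:
        self._require(SIGNING)
        return pow(digest, self._d, self.n)

    def verify(self, digest: int, signature: int) -> bool:
        self._require(SIGNING)
        return pow(signature, self.e, self.n) == digest

    # encryption-key operations
    def encrypt(self, message: int) -> int:
        self._require(ENCRYPTION)
        return pow(message, self.e, self.n)

    def decrypt(self, ciphertext: int) -> int:
        self._require(ENCRYPTION)
        return pow(ciphertext, self._d, self.n)


# Constructed key material: the classic small-number RSA example (p=61, q=53, e=17).
def make_signing_key() -> TPMKey:
    return TPMKey(SIGNING, 61, 53)


def make_encryption_key() -> TPMKey:
    return TPMKey(ENCRYPTION, 61, 53)


def misuse_is_refused(key: TPMKey, operation: str, value: int) -> bool:
    """True if the key refuses the operation, i.e. the segregation check fires."""
    try:
        getattr(key, operation)(value)
    except KeyUsageError:
        return True
    return False


if __name__ == "__main__":
    sk, ek = make_signing_key(), make_encryption_key()
    sig = sk.sign(65)
    print(sk.verify(65, sig))                      # True
    print(ek.decrypt(ek.encrypt(65)))              # 65
    # sign() and decrypt() are the same private-exponent computation; the usage
    # flag is the only thing keeping a signing key from acting as a decryption oracle.
    print(misuse_is_refused(sk, "decrypt", sig))   # True
    print(misuse_is_refused(ek, "sign", 65))       # True
```

The check worth noticing is on the private operation. With raw RSA, "sign this digest" and "decrypt this ciphertext" are the same modular exponentiation with the private exponent, so a key that could do both would let anyone with signing access decrypt ciphertexts meant for it. Fixing the use at creation time, as the slides require, is what makes that separation enforceable by the TPM rather than by the caller.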

Page 20: Trusted Computing Platform Alliance

Opt-In

• The TPM has mechanisms that make the use of the TPM a complete Opt-In system
• The Opt-In selections are maintained across power cycles, and the TPM can be deactivated

Section: Functionality

Page 21: Trusted Computing Platform Alliance

Version 1.0 TCPA Functional Layout

• TPS – Trusted Platform Subsystem
  – BIOS
  – Drivers
  – ALL operations come through the TPS
• TPM – Trusted Platform Module
  – Hardware
  – Microcode
  – Protected functionality
  – Shielded locations

[Diagram: Requests flow into the TPS, which passes them to the TPM]

Page 22: Trusted Computing Platform Alliance

Version 1.0 TCPA System Architecture

[Layered diagram. OS Present stack: Application, Ring 3 Library, Middleware, OS Present TPS Security API, OS / Driver, Ring 0 Library, TCPA Security Driver. OS Absent stack: BIOS, OS Absent Library, OS Absent TPS Security API. Both stacks sit on the TPM Hardware and Microcode; the OS Absent side is labelled as hardware-level.]

Page 23: Trusted Computing Platform Alliance

Version 1.0 TCPA Software Architecture

[Diagram. Legend: Applications; Existing Infrastructure; TPS Interface; TPM Interface; Modified Infrastructure. Components shown: Applications, CSSM / CDSA with CSP, CSP, CSP and DL modules, CAPI, TPS, Other API, and the TPM beneath the TPS.]

Page 24: Trusted Computing Platform Alliance

Version 1.0 Possible TPM Placement

[Block diagram: CPU, MCH with System Memory, ICH with System Flash, and the TPM attached to the ICH over the LPC bus]

• TPM connecting on the LPC bus
  – TPM has low transaction volume, so speed of the bus is not an issue
• Connection of the TPM is vendor specific and not specified in the specification

Takeaway: Specification provides a robust set of features