Information technology — Trusted platform module library — Part 1: Architecture

ISO/IEC 11889-1:2015 defines the architectural elements of the Trusted Platform Module (TPM), a device which enables trust in computing platforms in general. Some TPM concepts are explained adequately in the context of the TPM itself. Other TPM concepts are explained in the context of how a TPM helps establish trust in a computing platform. When describing how a TPM helps establish trust in a computing platform, ISO/IEC 11889-1:2015 provides some guidance for platform requirements. However, the scope of ISO/IEC 11889 is limited to TPM requirements. ISO/IEC 11889-1:2015 illustrates TPM security and privacy techniques in the context of a platform through the use of cryptography. It includes definitions of how different cryptographic techniques are implemented by a TPM. The scope of ISO/IEC 11889 does not include cryptographic analysis or guidance about the applicability of different algorithms for specific use cases. TPM requirements in ISO/IEC 11889-1:2015 are general, covering concepts like integrity protection, isolation and confidentiality. Defining a specific strength of function or assurance level is out of scope for ISO/IEC 11889. This approach limits the guarantees provided by ISO/IEC 11889 itself, but it does allow the TPM architectural elements defined to be adapted to meet diverse implementation and platform-specific needs.

Technologies de l'information — Bibliothèque de module de plate-forme de confiance — Partie 1: Architecture

General Information

Status: Published
Publication Date: 14-Dec-2015
Current Stage: 9093 - International Standard confirmed
Start Date: 06-May-2021
Completion Date: 30-Oct-2025
Ref Project

Relations

Standard
ISO/IEC 11889-1:2015 - Information technology -- Trusted platform module library
English language
257 pages

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 11889-1
Second edition 2015-12-15
Corrected version 2016-04-01
Information technology — Trusted Platform Module Library — Part 1: Architecture
Technologies de l’information — Bibliothèque de module de plate-forme de confiance — Partie 1: Architecture
Reference number
© ISO/IEC 2015
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved

CONTENTS
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and Abbreviated Terms
4.1 Symbols
4.2 Abbreviations
5 Conventions
5.1 Bit and Octet Numbering and Order
5.2 Sized Buffer References
5.3 Numbers
5.4 KDF Label Parameters
6 ISO/IEC 11889 Organization
7 Compliance
8 Changes from Previous Versions
9 Trusted Platforms
9.1 Trust
9.2 Trust Concepts
9.2.1 Trusted Building Block
9.2.2 Trusted Computing Base
9.2.3 Trust Boundaries
9.2.4 Transitive Trust
9.2.5 Trust Authority
9.3 Trusted Platform Module
9.4 Roots of Trust
9.4.1 Introduction
9.4.2 Root of Trust for Measurement (RTM)
9.4.3 Root of Trust for Storage (RTS)
9.4.4 Root of Trust for Reporting (RTR)
9.5 Basic Trusted Platform Features
9.5.1 Introduction
9.5.2 Certification
9.5.3 Attestation and Authentication
9.5.4 Protected Location
9.5.5 Integrity Measurement and Reporting
10 TPM Protections
10.1 Introduction
10.2 Protection of Protected Capabilities
10.3 Protection of Shielded Locations
10.4 Exceptions and Clarifications
11 TPM Architecture
11.1 Introduction
11.2 TPM Command Processing Overview
11.3 I/O Buffer
11.4 Cryptography Subsystem
11.4.1 Introduction
11.4.2 Hash Functions
11.4.3 HMAC Algorithm
11.4.4 Asymmetric Operations
11.4.5 Signature Operations
11.4.6 Symmetric Encryption
11.4.7 Extend
11.4.8 Key Generation
11.4.9 Key Derivation Function
11.4.10 Random Number Generator (RNG) Module
11.4.11 Algorithms
11.5 Authorization Subsystem
11.6 Random Access Memory
11.6.1 Introduction
11.6.2 Platform Configuration Registers (PCR)
11.6.3 Object Store
11.6.4 Session Store
11.6.5 Size Requirements
11.7 Non-Volatile (NV) Memory
11.8 Power Detection Module
12 TPM Operational States
12.1 Introduction
12.2 Basic TPM Operational States
12.2.1 Power-off State
12.2.2 Initialization State
12.2.3 Startup State
12.2.4 Shutdown State
12.2.5 Startup Alternatives
12.3 Self-Test Modes
12.4 Failure Mode
12.5 Field Upgrade
12.5.1 Introduction
12.5.2 Field Upgrade Mode
12.5.3 Preserved TPM State
12.5.4 Field Upgrade Implementation Options
13 TPM Control Domains
13.1 Introduction
13.2 Controls
13.3 Platform Controls
13.4 Owner Controls
13.5 Privacy Administrator Controls
13.6 Primary Seed Authorizations
13.7 Lockout Control
13.8 TPM Ownership
13.8.1 Taking Ownership
13.8.2 Releasing Ownership
14 Primary Seeds
14.1 Introduction
14.2 Rationale
14.3 Primary Seed Properties
14.3.1 Introduction
14.3.2 Endorsement Primary Seed (EPS)
14.3.3 Platform Primary Seed (PPS)
14.3.4 Storage Primary Seed (SPS)
14.3.5 The Null Seed
14.4 Hierarchy Proofs
15 TPM Handles
15.1 Introduction
15.2 PCR Handles (MSO=00₁₆)
15.3 NV Index Handles (MSO=01₁₆)
15.4 Session Handles (MSO=02₁₆ and 03₁₆)
15.5 Permanent Resource Handles (MSO=40₁₆)
15.6 Transient Object Handles (MSO=80₁₆)
15.7 Persistent Object Handles (MSO=81₁₆)
16 Names
17 PCR Operations
17.1 Initializing PCR
17.2 Extend of a PCR
17.3 Using Extend with PCR Banks
17.4 Recording Events
17.5 Selecting Multiple PCR
17.6 Reporting on PCR
17.6.1 Reading PCR
17.6.2 Attesting to PCR
17.7 PCR Authorizations
17.7.1 Introduction
17.7.2 PCR Not in a Set
17.7.3 Authorization Set
17.7.4 Policy Set
17.7.5 Order of Checking
17.8 PCR Allocation
17.9 PCR Change Tracking
17.10 Other Uses for PCR
18 TPM Command/Response Structure
18.1 Introduction
18.2 Command/Response Header Fields
18.2.1 Introduction
18.2.2 tag
18.2.3 commandSize/responseSize
18.2.4 commandCode
18.2.5 responseCode
18.3 Handles
18.4 Parameters
18.5 authorizationSize/parameterSize
18.6 Authorization Area
18.6.1 Introduction
18.6.2 Authorization Structure
18.6.3 Session Handles
18.6.4 Session Attributes (sessionAttributes)
18.7 Command Parameter Hash (cpHash)
18.8 Response Parameter Hash (rpHash)
18.9 Command Example
18.10 Response Example
19 Authorizations and Acknowledgments
19.1 Introduction
19.2 Authorization Roles
19.3 Physical Presence Authorization
19.4 Password Authorizations
19.5 Sessions
19.6 Session-Based Authorizations
19.6.1 Introduction
19.6.2 Authorization Session Formats
19.6.3 Session Nonces
19.6.4 Authorization Values
19.6.5 HMAC Computation
19.6.6 Note on Use of Nonces in HMAC Computations
19.6.7 Starting an Authorization Session
19.6.8 sessionKey Creation
19.6.9 Unbound and Unsalted Session Key Generation
19.6.10 Bound Session Key Generation
19.6.11 Salted Session Key Generation
19.6.12 Salted and Bound Session Key Generation
19.6.13 Encryption of salt
19.6.14 Caution on use of Unsalted Authorization Sessions
19.6.15 No HMAC Authorization
19.6.16 Authorization Selection Logic for Objects
19.6.17 Authorization Session Termination
19.7 Enhanced Authorization
19.7.1 Introduction
19.7.2 Policy Assertion
19.7.3 Policy AND
19.7.4 Policy OR
19.7.5 Order of Evaluation
19.7.6 Policy Assertions (Policy Commands)
19.7.7 Policy Session Context Values
19.7.8 Policy Example
19.7.9 Trial Policy
19.7.10 Modification of Policies
19.7.11 TPM2_PolicySigned(), TPM2_PolicySecret(), and TPM2_PolicyTicket()
19.8 Policy Session Creation
19.9 Use of TPM for authPolicy Computation
19.10 Trial Policy Session
19.11 Dictionary Attack Protection
19.11.1 Introduction
19.11.2 Lockout Mode Configuration Parameters
19.11.3 Lockout Mode
19.11.4 Recovering from Lockout Mode
19.11.5 Authorization Failures Involving lockoutAuth
19.11.6 Non-orderly Shutdown
19.11.7 Justification for Lockout Due to Session Binding
19.11.8 Sample Configurations for Lockout Parameters
20 Audit Session
20.1 Introduction
20.2 Exclusive Audit Sessions
20.3 Command Gating Based on Exclusivity
20.4 Audit Session Reporting
20.5 Audit Establishment Failures
21 Session-based encryption
21.1 Introduction
21.2 XOR Parameter Obfuscation
21.3 CFB Mode Parameter Encryption
22 Protected Storage
22.1 Introduction
22.2 Object Protections
22.3 Protection Values
22.4 Symmetric Encryption
22.5 Integrity
23 Protected Storage Hierarchy
23.1 Introduction
23.2 Hierarchical Relationship between Objects
23.3 Duplication
23.3.1 Definition
23.3.2 Protections
23.4 Duplication Group
23.5 Protection Group
23.6 Summary of Hierarchy Attributes
23.7 Primary Seed Hierarchies
23.8 Hierarchy Attributes Settings Matrix
24 Credential Protection
24.1 Introduction
24.2 Protocol
24.3 Protection of Credential
24.4 Symmetric Encrypt
24.5 HMAC
24.6 Summary of Protection Process
25 Object Attributes
25.1 Base Attributes
25.1.1 Introduction
25.1.2 Restricted Attribute
25.1.3 Sign Attribute
25.1.4 Decrypt Attribute
25.1.5 Uses
25.2 Other Attributes
25.2.1 fixedTPM and fixedParent
25.2.2 stClear
25.2.3 sensitiveDataOrigin
25.2.4 userWithAuth
25.2.5 adminWithPolicy
25.2.6 noDA
25.2.7 encryptedDuplication
26 Object Structure Elements
26.1 Introduction
26.2 Public Area
26.3 Sensitive Area
26.4 Private Area
26.5 Qualified Name
26.6 Sensitive Area Encryption
26.7 Sensitive Area Integrity
27 Object Creation
27.1 Introduction
27.2 Public Area Template
27.2.1 Introduction
27.2.2 type
27.2.3 nameAlg
27.2.4 objectAttributes
27.2.5 authPolicy
27.2.6 parameters
27.2.7 unique
27.3 Sensitive Values
27.3.1 Overview
27.3.2 userAuth
27.3.3 data
27.4 Creation PCR
27.5 Public Area Creation
27.5.1 Introduction
27.5.2 type, nameAlg, objectAttributes, authPolicy, and parameters
27.5.3 unique
27.6 Sensitive Area Creation
27.6.1 Introduction
27.6.2 type
27.6.3 authValue
27.6.4 seedValue
27.6.5 sensitive
27.7 Creation Data and Ticket
27.8 Creation Resources
28 Object Loading
28.1 Introduction
28.2 Load of an Ordinary Object
28.3 Public-only Load
28.4 External Object Load
...
