Information technology — Trusted platform module library — Part 1: Architecture

ISO/IEC 11889-1:2015 defines the architectural elements of the Trusted Platform Module (TPM), a device which enables trust in computing platforms in general. Some TPM concepts are explained adequately in the context of the TPM itself. Other TPM concepts are explained in the context of how a TPM helps establish trust in a computing platform. When describing how a TPM helps establish trust in a computing platform, ISO/IEC 11889-1:2015 provides some guidance for platform requirements. However, the scope of ISO/IEC 11889 is limited to TPM requirements. ISO/IEC 11889-1:2015 illustrates TPM security and privacy techniques in the context of a platform through the use of cryptography. It includes definitions of how different cryptographic techniques are implemented by a TPM. The scope of ISO/IEC 11889 does not include cryptographic analysis or guidance about the applicability of different algorithms for specific use cases. TPM requirements in ISO/IEC 11889-1:2015 are general, covering concepts like integrity protection, isolation and confidentiality. Defining a specific strength of function or assurance level is out of scope for ISO/IEC 11889. This approach limits the guarantees provided by ISO/IEC 11889 itself, but it does allow the TPM architectural elements defined to be adapted to meet diverse implementation and platform-specific needs.

Technologies de l'information — Bibliothèque de module de plate-forme de confiance — Partie 1: Architecture

General Information

Status
Published
Publication Date
14-Dec-2015
Current Stage
9020 - International Standard under periodical review
Start Date
15-Apr-2026
Completion Date
15-Apr-2026

Relations

Effective Date
10-May-2014

Overview

ISO/IEC 11889-1:2015 - "Information technology - Trusted Platform Module Library - Part 1: Architecture" defines the architectural elements of the Trusted Platform Module (TPM). Published by ISO/IEC (second edition 2015, corrected 2016), the standard explains TPM concepts both as a standalone device and in the context of how a TPM helps establish trust in a computing platform. It focuses on TPM requirements, security and privacy techniques, and the cryptographic capabilities a TPM implements, while intentionally excluding cryptographic analysis and algorithm-strength recommendations.

Key topics and technical requirements

  • TPM architecture and operational states: command processing, I/O buffer, power and startup/shutdown modes, self-test and failure modes.
  • Roots of Trust: definitions and roles for Root of Trust for Measurement (RTM), Storage (RTS) and Reporting (RTR).
  • Cryptography subsystem: hash functions, HMAC, asymmetric and signature operations, symmetric encryption, key generation, key derivation functions (KDF), and the Random Number Generator (RNG) module.
  • Integrity and protected storage: Platform Configuration Registers (PCRs), protected/shielded locations, extend and PCR operations, and non-volatile (NV) memory.
  • Authorization and control domains: authorization subsystem, session and object management, owner/privacy/primary-seed controls, ownership lifecycle and lockout control.
  • Object, session and NV stores: transient and persistent object handles, session store, object store and naming/handle conventions.
  • Primary seeds and hierarchy proofs: endorsement, platform and storage primary seeds and their properties.
  • TPM protections and limitations: integrity protection, isolation, confidentiality concepts; the standard does not prescribe assurance levels or exact strength-of-function metrics.
  • Field upgrade and lifecycle: procedures and preserved TPM state during updates.

Practical applications

  • Implementing secure boot and integrity measurement frameworks that rely on PCRs and RTM.
  • Storing and protecting cryptographic keys and credentials in hardware-backed storage (NV memory, shielded locations).
  • Enabling platform attestation and device authentication for enterprise, cloud, IoT and edge systems.
  • Guiding firmware and TPM silicon vendors, platform architects and security engineers on required TPM behaviors and interfaces.

Who should use this standard

  • TPM hardware and firmware designers
  • Platform and motherboard architects
  • Security architects implementing trusted computing and attestation solutions
  • IoT device integrators and enterprise security teams adopting hardware-backed trust
  • Compliance officers and evaluators using TPM behavior as part of system security assessments

Related standards

  • Part of the ISO/IEC 11889 series (the TPM library). Note: ISO/IEC 11889-1:2015 focuses on architecture and TPM requirements rather than algorithm selection or cryptographic strength guidance.

Buy Documents

Standard

ISO/IEC 11889-1:2015 - Information technology — Trusted platform module library — Part 1: Architecture. Released: 3/21/2016

English language (257 pages)


Frequently Asked Questions

ISO/IEC 11889-1:2015 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology — Trusted platform module library — Part 1: Architecture". It defines the architectural elements of the Trusted Platform Module (TPM), a device which enables trust in computing platforms in general; the full abstract is given at the top of this page.


ISO/IEC 11889-1:2015 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC 11889-1:2015 has the following relationship with other standards: it has an inter-standard link to ISO/IEC 11889-1:2009, the earlier edition of this part. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

ISO/IEC 11889-1:2015 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 11889-1
Second edition 2015-12-15
Corrected version 2016-04-01

Information technology — Trusted Platform Module Library — Part 1: Architecture
Technologies de l'information — Bibliothèque de module de plate-forme de confiance — Partie 1: Architecture

© ISO/IEC 2015, Published in Switzerland. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office, Ch. de Blandonnet 8 • CP 401, CH-1214 Vernier, Geneva, Switzerland. Tel. +41 22 749 01 11, Fax +41 22 749 09 47, copyright@iso.org, www.iso.org

CONTENTS
Foreword . xiv
Introduction . xv
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 3
4 Symbols and Abbreviated Terms . 12
4.1 Symbols . 12
4.2 Abbreviations . 13
5 Conventions . 15
5.1 Bit and Octet Numbering and Order . 15
5.2 Sized Buffer References . 15
5.3 Numbers . 16
5.4 KDF Label Parameters . 16
6 ISO/IEC 11889 Organization . 17
7 Compliance . 19
8 Changes from Previous Versions . 20
9 Trusted Platforms . 21
9.1 Trust . 21
9.2 Trust Concepts . 21
9.2.1 Trusted Building Block . 21
9.2.2 Trusted Computing Base . 21
9.2.3 Trust Boundaries . 21
9.2.4 Transitive Trust . 22
9.2.5 Trust Authority . 22
9.3 Trusted Platform Module . 23
9.4 Roots of Trust . 23
9.4.1 Introduction . 23
9.4.2 Root of Trust for Measurement (RTM) . 24
9.4.3 Root of Trust for Storage (RTS) . 24
9.4.4 Root of Trust for Reporting (RTR) . 24
9.5 Basic Trusted Platform Features . 25
9.5.1 Introduction . 25
9.5.2 Certification . 26
9.5.3 Attestation and Authentication . 26
9.5.4 Protected Location . 29
9.5.5 Integrity Measurement and Reporting . 30
10 TPM Protections . 31
10.1 Introduction . 31
10.2 Protection of Protected Capabilities . 31
10.3 Protection of Shielded Locations . 31
10.4 Exceptions and Clarifications . 31
11 TPM Architecture . 33
11.1 Introduction . 33
11.2 TPM Command Processing Overview . 33
11.3 I/O Buffer . 37
11.4 Cryptography Subsystem . 37
11.4.1 Introduction . 37
11.4.2 Hash Functions . 37
11.4.3 HMAC Algorithm . 38
11.4.4 Asymmetric Operations . 38
11.4.5 Signature Operations . 39
11.4.6 Symmetric Encryption . 41
11.4.7 Extend . 43
11.4.8 Key Generation . 43
11.4.9 Key Derivation Function . 43
11.4.10 Random Number Generator (RNG) Module . 47
11.4.11 Algorithms . 49
11.5 Authorization Subsystem . 50
11.6 Random Access Memory . 51
11.6.1 Introduction . 51
11.6.2 Platform Configuration Registers (PCR) . 51
11.6.3 Object Store . 52
11.6.4 Session Store . 52
11.6.5 Size Requirements . 52
11.7 Non-Volatile (NV) Memory . 53
11.8 Power Detection Module . 53
12 TPM Operational States . 54
12.1 Introduction . 54
12.2 Basic TPM Operational States . 54
12.2.1 Power-off State . 54
12.2.2 Initialization State . 54
12.2.3 Startup State . 55
12.2.4 Shutdown State . 58
12.2.5 Startup Alternatives . 58
12.3 Self-Test Modes . 59
12.4 Failure Mode . 60
12.5 Field Upgrade . 61
12.5.1 Introduction . 61
12.5.2 Field Upgrade Mode . 61
12.5.3 Preserved TPM State . 64
12.5.4 Field Upgrade Implementation Options . 65
13 TPM Control Domains . 66
13.1 Introduction . 66
13.2 Controls . 66
13.3 Platform Controls . 67
13.4 Owner Controls . 68
13.5 Privacy Administrator Controls . 68
13.6 Primary Seed Authorizations . 69
13.7 Lockout Control . 69
13.8 TPM Ownership . 70
13.8.1 Taking Ownership . 70
13.8.2 Releasing Ownership . 70
14 Primary Seeds . 72
14.1 Introduction . 72
14.2 Rationale . 72
14.3 Primary Seed Properties . 73
14.3.1 Introduction . 73
14.3.2 Endorsement Primary Seed (EPS) . 73
14.3.3 Platform Primary Seed (PPS) . 74
14.3.4 Storage Primary Seed (SPS) . 74
14.3.5 The Null Seed . 74
14.4 Hierarchy Proofs . 74
15 TPM Handles . 76
15.1 Introduction . 76
15.2 PCR Handles (MSO=00₁₆) . 76
15.3 NV Index Handles (MSO=01₁₆) . 76
15.4 Session Handles (MSO=02₁₆ and 03₁₆) . 76
15.5 Permanent Resource Handles (MSO=40₁₆) . 77
15.6 Transient Object Handles (MSO=80₁₆) . 77
15.7 Persistent Object Handles (MSO=81₁₆) . 77
16 Names . 78
17 PCR Operations . 80
17.1 Initializing PCR . 80
17.2 Extend of a PCR . 80
17.3 Using Extend with PCR Banks . 80
17.4 Recording Events . 81
17.5 Selecting Multiple PCR . 81
17.6 Reporting on PCR . 82
17.6.1 Reading PCR . 82
17.6.2 Attesting to PCR . 82
17.7 PCR Authorizations . 83
17.7.1 Introduction . 83
17.7.2 PCR Not in a Set . 83
17.7.3 Authorization Set . 83
17.7.4 Policy Set . 84
17.7.5 Order of Checking . 84
17.8 PCR Allocation . 84
17.9 PCR Change Tracking . 84
17.10 Other Uses for PCR . 85
18 TPM Command/Response Structure . 86
18.1 Introduction . 86
18.2 Command/Response Header Fields . 88
18.2.1 Introduction . 88
18.2.2 tag . 88
18.2.3 commandSize/responseSize . 88
18.2.4 commandCode . 88
18.2.5 responseCode . 88
18.3 Handles . 89
18.4 Parameters . 89
18.5 authorizationSize/parameterSize . 90
18.6 Authorization Area . 90
18.6.1 Introduction . 90
18.6.2 Authorization Structure . 92
18.6.3 Session Handles . 93
18.6.4 Session Attributes (sessionAttributes) . 93
18.7 Command Parameter Hash (cpHash) . 95
18.8 Response Parameter Hash (rpHash) . 95
18.9 Command Example . 96
18.10 Response Example . 97
19 Authorizations and Acknowledgments . 99
19.1 Introduction . 99
19.2 Authorization Roles . 99
19.3 Physical Presence Authorization . 100
19.4 Password Authorizations . 101
19.5 Sessions . 102
19.6 Session-Based Authorizations . 102
19.6.1 Introduction . 102
19.6.2 Authorization Session Formats . 103
19.6.3 Session Nonces . 103
19.6.4 Authorization Values . 105
19.6.5 HMAC Computation . 106
19.6.6 Note on Use of Nonces in HMAC Computations . 107
19.6.7 Starting an Authorization Session . 107
19.6.8 sessionKey Creation . 108
19.6.9 Unbound and Unsalted Session Key Generation . 109
19.6.10 Bound Session Key Generation . 110
19.6.11 Salted Session Key Generation . 112
19.6.12 Salted and Bound Session Key Generation . 113
19.6.13 Encryption of salt . 114
19.6.14 Caution on use of Unsalted Authorization Sessions . 115
19.6.15 No HMAC Authorization . 115
19.6.16 Authorization Selection Logic for Objects . 116
19.6.17 Authorization Session Termination . 116
19.7 Enhanced Authorization . 117
19.7.1 Introduction . 117
19.7.2 Policy Assertion . 118
19.7.3 Policy AND . 118
19.7.4 Policy OR . 120
19.7.5 Order of Evaluation . 122
19.7.6 Policy Assertions (Policy Commands) . 122
19.7.7 Policy Session Context Values . 125
19.7.8 Policy Example . 126
19.7.9 Trial Policy . 127
19.7.10 Modification of Policies . 127
19.7.11 TPM2_PolicySigned(), TPM2_PolicySecret(), and TPM2_PolicyTicket() . 128
19.8 Policy Session Creation . 130
19.9 Use of TPM for authPolicy Computation . 131
19.10 Trial Policy Session . 131
19.11 Dictionary Attack Protection . 132
19.11.1 Introduction . 132
19.11.2 Lockout Mode Configuration Parameters . 132
19.11.3 Lockout Mode . 133
19.11.4 Recovering from Lockout Mode . 133
19.11.5 Authorization Failures Involving lockoutAuth . 134
19.11.6 Non-orderly Shutdown . 134
19.11.7 Justification for Lockout Due to Session Binding . 134
19.11.8 Sample Configurations for Lockout Parameters . 135
20 Audit Session . 136
20.1 Introduction . 136
20.2 Exclusive Audit Sessions . 137
20.3 Command Gating Based on Exclusivity . 137
20.4 Audit Session Reporting . 137
20.5 Audit Establishment Failures . 138
21 Session-based encryption . 139
21.1 Introduction . 139
21.2 XOR Parameter Obfuscation . 140
21.3 CFB Mode Parameter Encryption . 140
22 Protected Storage . 142
22.1 Introduction . 142
22.2 Object Protections . 142
22.3 Protection Values . 142
22.4 Symmetric Encryption . 143
22.5 Integrity . 144
23 Protected Storage Hierarchy . 146
23.1 Introduction . 146
23.2 Hierarchical Relationship between Objects . 146
23.3 Duplication . 147
23.3.1 Definition . 147
23.3.2 Protections . 148
23.4 Duplication Group . 153
23.5 Protection Group . 155
23.6 Summary of Hierarchy Attributes . 156
23.7 Primary Seed Hierarchies . 156
23.8 Hierarchy Attributes Settings Matrix . 156
24 Credential Protection . 158
24.1 Introduction . 158
24.2 Protocol . 158
24.3 Protection of Credential . 159
24.4 Symmetric Encrypt . 159
24.5 HMAC . 159
24.6 Summary of Protection Process . 161
25 Object Attributes . 162
25.1 Base Attributes . 162
25.1.1 Introduction . 162
25.1.2 Restricted Attribute . 162
25.1.3 Sign Attribute . 162
25.1.4 Decrypt Attribute . 163
25.1.5 Uses . 163
25.2 Other Attributes . 165
25.2.1 fixedTPM and fixedParent . 165
25.2.2 stClear . 165
25.2.3 sensitiveDataOrigin . 165
25.2.4 userWithAuth . 165
25.2.5 adminWithPolicy . 165
25.2.6 noDA . 166
25.2.7 encryptedDuplication . 166
26 Object Structure Elements . 167
26.1 Introduction . 167
26.2 Public Area . 167
26.3 Sensitive Area . 168
26.4 Private Area . 168
26.5 Qualified Name . 169
26.6 Sensitive Area Encryption . 169
26.7 Sensitive Area Integrity . 170
27 Object Creation . 171
27.1 Introduction . 171
27.2 Public Area Template . 171
27.2.1 Introduction . 171
27.2.2 type . 171
27.2.3 nameAlg . 172
27.2.4 objectAttributes . 172
27.2.5 authPolicy . 172
27.2.6 parameters . 172
27.2.7 unique . 172
27.3 Sensitive Values . 172
27.3.1 Overview . 172
27.3.2 userAuth . 173
27.3.3 data . 173
27.4 Creation PCR . 173
27.5 Public Area Creation . 173
27.5.1 Introduction . 173
27.5.2 type, nameAlg, objectAttributes, authPolicy, and parameters . 173
27.5.3 unique . 174
27.6 Sensitive Area Creation . 175
27.6.1 Introduction . 175
27.6.2 type . 175
27.6.3 authValue . 175
27.6.4 seedValue . 175
27.6.5 sensitive . 176
27.7 Creation Data and Ticket . 177
27.8 Creation Resources . 178
28 Object Loading . 179
28.1 Introduction . 179
28.2 Load of an Ordinary Object . 179
28.3 Public-only Load . 179
28.4 External Object Load .
...
