Information technology - Trusted Platform Module Library - Part 3: Commands

ISO/IEC 11889 contains the definitions of the Trusted Platform Module (TPM) commands. These commands make use of the constants, flags, structures, and union definitions defined in ISO/IEC 11889-2. The detailed description of the operation of the commands is written in the C language with extensive comments. The behavior of the C code in this ISO/IEC 11889-3:2015 is normative but does not fully describe the behavior of a TPM. The combination of this ISO/IEC 11889-3:2015 and ISO/IEC 11889-4 is sufficient to fully describe the required behavior of a TPM. ISO/IEC 11889-3:2015 and ISO/IEC 11889-4 are written to define the behavior of a compliant TPM. In some cases it is not possible to provide a compliant implementation. In those cases, any implementation provided by the vendor that meets the general description of the function provided in this part of ISO/IEC 11889 would be compliant.

Technologies de l'information — Bibliothèque de module de plate-forme de confiance — Partie 3: Commandes

General Information

Status: Published
Publication Date: 14-Dec-2015
Current Stage: 9093 - International Standard confirmed
Start Date: 06-May-2021
Completion Date: 30-Oct-2025

Relations

Effective Date: 10-May-2014

Overview

ISO/IEC 11889-3:2015 - "Information technology - Trusted Platform Module Library - Part 3: Commands" defines the Trusted Platform Module (TPM) commands and their normative behavior. The standard specifies detailed command descriptions written in the C language (with extensive comments) and relies on the constants, flags, structures and unions defined in ISO/IEC 11889-2. While Part 3 provides normative C-language command logic, a complete description of TPM behavior requires reading this part together with ISO/IEC 11889-4.

Keywords: ISO/IEC 11889-3:2015, TPM commands, Trusted Platform Module, TPM library, TPM 2.0 commands.

Key Topics and Technical Requirements

  • Command definitions and semantics: Formal descriptions of each TPM command (e.g., startup, self-test, session, object, duplication, asymmetric primitives) with command/response formats.
  • C-language normative implementation: Command behaviors are specified as C-like code that implementers can follow to produce compliant firmware or software.
  • Command processing model: Validation steps (header, handles, modes), session and authorization handling, parameter decryption, unmarshaling, and post-processing rules.
  • Error handling and response codes: Standardized response code semantics and tagging for consistent interoperability.
  • Implementation-dependent and testing guidance: Sections covering startup/shutdown sequences, self-test and test-result commands, and considerations for vendor-specific implementations.
  • Practical allowances: Where a fully compliant implementation is impossible, vendors may provide alternative implementations that meet the general functional description in the standard.

Keywords: TPM command processing, authorization, parameter unmarshaling, response codes, TPM testing.

Practical Applications and Users

ISO/IEC 11889-3:2015 is essential for:

  • TPM firmware and microcontroller developers implementing TPM command logic.
  • Hardware vendors integrating TPM silicon into platforms.
  • OS, BIOS, and hypervisor developers that issue TPM commands or implement middleware.
  • Security engineers and integrators designing platform attestation, secure boot, key management, and credential protection.
  • Certification labs and interoperability testers verifying TPM conformance.

Using this standard ensures consistent command semantics across implementations, improving interoperability for use cases such as secure boot, measured launch, remote attestation, key storage, and cryptographic operations.

Keywords: secure boot, remote attestation, key management, TPM implementation guide.

Related Standards

  • ISO/IEC 11889-2 - data types, constants, structures and union definitions required by Part 3.
  • ISO/IEC 11889-4 - complements Part 3 to fully specify the required behavior of a compliant TPM.

For implementers, consult Parts 2 and 4 alongside ISO/IEC 11889-3:2015 to achieve a complete, standards-compliant TPM solution.

Standard

ISO/IEC 11889-3:2015 - Information technology -- Trusted Platform Module Library

English language
457 pages

Frequently Asked Questions

ISO/IEC 11889-3:2015 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Trusted Platform Module Library - Part 3: Commands". This standard covers: ISO/IEC 11889 contains the definitions of the Trusted Platform Module (TPM) commands. These commands make use of the constants, flags, structures, and union definitions defined in ISO/IEC 11889-2. The detailed description of the operation of the commands is written in the C language with extensive comments. The behavior of the C code in this ISO/IEC 11889-3:2015 is normative but does not fully describe the behavior of a TPM. The combination of this ISO/IEC 11889-3:2015 and ISO/IEC 11889-4 is sufficient to fully describe the required behavior of a TPM. ISO/IEC 11889-3:2015 and ISO/IEC 11889-4 are written to define the behavior of a compliant TPM. In some cases it is not possible to provide a compliant implementation. In those cases, any implementation provided by the vendor that meets the general description of the function provided in this part of ISO/IEC 11889 would be compliant.


ISO/IEC 11889-3:2015 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC 11889-3:2015 has the following relationship with other standards: it is linked to ISO/IEC 11889-3:2009, the earlier edition of this part. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO/IEC 11889-3:2015 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 11889-3
Second edition
2015-12-15
Information technology — Trusted Platform Module Library — Part 3: Commands
Technologies de l'information — Bibliothèque de module de plate-forme de confiance — Partie 3: Commandes
Reference number
© ISO/IEC 2015, Published in Switzerland
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
www.iso.org
ii © ISO/IEC 2015 – All rights reserved

CONTENTS
Foreword . xxiv
Introduction . xxv
1 Scope . 1
2 Normative references . 2
3 Terms and Definitions . 2
4 Symbols and abbreviated terms . 2
5 Notation . 2
5.1 Introduction . 2
5.2 Table Decorations . 2
5.3 Handle and Parameter Demarcation . 4
5.4 AuthorizationSize and ParameterSize . 4
6 Command Processing . 5
6.1 Introduction . 5
6.2 Command Header Validation . 5
6.3 Mode Checks . 5
6.4 Handle Area Validation . 6
6.5 Session Area Validation . 7
6.6 Authorization Checks . 8
6.7 Parameter Decryption . 10
6.8 Parameter Unmarshaling . 10
6.8.1 Introduction . 10
6.8.2 Unmarshaling Errors . 10
6.9 Command Post Processing . 11
7 Response Values . 13
7.1 Tag . 13
7.2 Response Codes . 13
8 Implementation Dependent . 16
9 Detailed Actions Assumptions . 17
9.1 Introduction . 17
9.2 Pre-processing . 17
9.3 Post Processing . 17
10 Start-up . 18
10.1 Introduction . 18
10.2 _TPM_Init . 18
10.2.1 General Description . 18
10.2.2 Detailed Actions . 19
10.3 TPM2_Startup . 20
10.3.1 General Description . 20
10.3.2 Command and Response . 23
10.3.3 Detailed Actions . 24
10.4 TPM2_Shutdown . 27
10.4.1 General Description . 27
10.4.2 Command and Response . 28
10.4.3 Detailed Actions . 29
11 Testing . 31
11.1 Introduction . 31
11.2 TPM2_SelfTest . 32
11.2.1 General Description . 32
11.2.2 Command and Response . 33
11.2.3 Detailed Actions . 34
11.3 TPM2_IncrementalSelfTest . 35
11.3.1 General Description . 35
11.3.2 Command and Response . 36
11.3.3 Detailed Actions . 37
11.4 TPM2_GetTestResult . 38
11.4.1 General Description . 38
11.4.2 Command and Response . 39
11.4.3 Detailed Actions . 40
12 Session Commands . 41
12.1 TPM2_StartAuthSession . 41
12.1.1 General Description . 41
12.1.2 Command and Response . 43
12.1.3 Detailed Actions . 44
12.2 TPM2_PolicyRestart . 46
12.2.1 General Description . 46
12.2.2 Command and Response . 47
12.2.3 Detailed Actions . 48
13 Object Commands . 49
13.1 TPM2_Create . 49
13.1.1 General Description . 49
13.1.2 Command and Response . 52
13.1.3 Detailed Actions . 53
13.2 TPM2_Load . 55
13.2.1 General Description . 55
13.2.2 Command and Response . 56
13.2.3 Detailed Actions . 57
13.3 TPM2_LoadExternal . 59
13.3.1 General Description . 59
13.3.2 Command and Response . 61
13.3.3 Detailed Actions . 62
13.4 TPM2_ReadPublic . 64
13.4.1 General Description . 64
13.4.2 Command and Response . 65
13.4.3 Detailed Actions . 66
13.5 TPM2_ActivateCredential . 67
13.5.1 General Description . 67
13.5.2 Command and Response . 68
13.5.3 Detailed Actions . 69
13.6 TPM2_MakeCredential . 71
13.6.1 General Description . 71
13.6.2 Command and Response . 72
13.6.3 Detailed Actions . 73
13.7 TPM2_Unseal . 74
13.7.1 General Description . 74
13.7.2 Command and Response . 75
13.7.3 Detailed Actions . 76
13.8 TPM2_ObjectChangeAuth . 77
13.8.1 General Description . 77
13.8.2 Command and Response . 78
13.8.3 Detailed Actions . 79
14 Duplication Commands . 81
14.1 TPM2_Duplicate . 81
14.1.1 General Description . 81
14.1.2 Command and Response . 82
14.1.3 Detailed Actions . 83
14.2 TPM2_Rewrap . 85
14.2.1 General Description . 85
14.2.2 Command and Response . 86
14.2.3 Detailed Actions . 87
14.3 TPM2_Import . 90
14.3.1 General Description . 90
14.3.2 Command and Response . 92
14.3.3 Detailed Actions . 93
15 Asymmetric Primitives . 97
15.1 Introduction . 97
15.2 TPM2_RSA_Encrypt . 97
15.2.1 General Description . 97
15.2.2 Command and Response . 99
15.2.3 Detailed Actions . 100
15.3 TPM2_RSA_Decrypt . 102
15.3.1 General Description . 102
15.3.2 Command and Response . 103
15.3.3 Detailed Actions . 104
15.4 TPM2_ECDH_KeyGen . 106
15.4.1 General Description . 106
15.4.2 Command and Response . 107
15.4.3 Detailed Actions . 108
15.5 TPM2_ECDH_ZGen . 110
15.5.1 General Description . 110
15.5.2 Command and Response . 111
15.5.3 Detailed Actions . 112
15.6 TPM2_ECC_Parameters . 113
15.6.1 General Description . 113
15.6.2 Command and Response . 113
15.6.3 Detailed Actions . 114
15.7 TPM2_ZGen_2Phase . 114
15.7.1 General Description . 114
15.7.2 Command and Response . 116
15.7.3 Detailed Actions . 117
16 Symmetric Primitives . 119
16.1 Introduction . 119
16.2 TPM2_EncryptDecrypt . 121
16.2.1 General Description . 121
16.2.2 Command and Response . 122
16.2.3 Detailed Actions . 123
16.3 TPM2_Hash . 125
16.3.1 General Description . 125
16.3.2 Command and Response . 126
16.3.3 Detailed Actions . 127
16.4 TPM2_HMAC . 128
16.4.1 General Description . 128
16.4.2 Command and Response . 129
16.4.3 Detailed Actions . 130
17 Random Number Generator . 132
17.1 TPM2_GetRandom . 132
17.1.1 General Description . 132
17.1.2 Command and Response . 133
17.1.3 Detailed Actions . 134
17.2 TPM2_StirRandom . 135
17.2.1 General Description . 135
17.2.2 Command and Response . 136
17.2.3 Detailed Actions . 137
18 Hash/HMAC/Event Sequences . 138
18.1 Introduction . 138
18.2 TPM2_HMAC_Start . 138
18.2.1 General Description . 138
18.2.2 Command and Response . 140
18.2.3 Detailed Actions . 141
18.3 TPM2_HashSequenceStart . 143
18.3.1 General Description . 143
18.3.2 Command and Response . 144
18.3.3 Detailed Actions . 145
18.4 TPM2_SequenceUpdate . 146
18.4.1 General Description . 146
18.4.2 Command and Response . 147
18.4.3 Detailed Actions . 148
18.5 TPM2_SequenceComplete . 150
18.5.1 General Description . 150
18.5.2 Command and Response . 151
18.5.3 Detailed Actions . 152
18.6 TPM2_EventSequenceComplete . 154
18.6.1 General Description . 154
18.6.2 Command and Response . 155
18.6.3 Detailed Actions . 156
19 Attestation Commands . 158
19.1 Introduction . 158
19.2 TPM2_Certify . 160
19.2.1 General Description . 160
19.2.2 Command and Response . 161
19.2.3 Detailed Actions . 162
19.3 TPM2_CertifyCreation . 164
19.3.1 General Description . 164
19.3.2 Command and Response . 165
19.3.3 Detailed Actions . 166
19.4 TPM2_Quote . 168
19.4.1 General Description . 168
19.4.2 Command and Response . 169
19.4.3 Detailed Actions . 170
19.5 TPM2_GetSessionAuditDigest . 172
19.5.1 General Description . 172
19.5.2 Command and Response . 173
19.5.3 Detailed Actions . 174
19.6 TPM2_GetCommandAuditDigest . 176
19.6.1 General Description . 176
19.6.2 Command and Response . 177
19.6.3 Detailed Actions . 178
19.7 TPM2_GetTime . 180
19.7.1 General Description . 180
19.7.2 Command and Response . 181
19.7.3 Detailed Actions . 182
20 Ephemeral EC Keys . 184
20.1 Introduction . 184
20.2 TPM2_Commit . 185
20.2.1 General Description . 185
20.2.2 Command and Response . 186
20.2.3 Detailed Actions . 187
20.3 TPM2_EC_Ephemeral . 190
20.3.1 General Description . 190
20.3.2 Command and Response . 191
20.3.3 Detailed Actions . 192
21 Signing and Signature Verification . 193
21.1 TPM2_VerifySignature . 193
21.1.1 General Description . 193
21.1.2 Command and Response . 194
21.1.3 Detailed Actions . 195
21.2 TPM2_Sign . 197
21.2.1 General Description . 197
21.2.2 Command and Response . 198
21.2.3 Detailed Actions . 199
22 Command Audit . 201
22.1 Introduction . 201
22.2 TPM2_SetCommandCodeAuditStatus . 202
22.2.1 General Description . 202
22.2.2 Command and Response . 203
22.2.3 Detailed Actions . 204
23 Integrity Collection (PCR) . 206
23.1 Introduction . 206
23.2 TPM2_PCR_Extend . 207
23.2.1 General Description . 207
23.2.2 Command and Response . 208
23.2.3 Detailed Actions . 209
23.3 TPM2_PCR_Event . 210
23.3.1 General Description . 210
23.3.2 Command and Response . 211
23.3.3 Detailed Actions . 212
23.4 TPM2_PCR_Read . 214
23.4.1 General Description . 214
23.4.2 Command and Response . 215
23.4.3 Detailed Actions . 216
23.5 TPM2_PCR_Allocate . 217
23.5.1 General Description . 217
23.5.2 Command and Response . 218
23.5.3 Detailed Actions . 219
23.6 TPM2_PCR_SetAuthPolicy . 220
23.6.1 General Description . 220
23.6.2 Command and Response . 221
23.6.3 Detailed Actions . 222
23.7 TPM2_PCR_SetAuthValue . 223
23.7.1 General Description . 223
23.7.2 Command and Response . 224
23.7.3 Detailed Actions . 225
23.8 TPM2_PCR_Reset . 226
23.8.1 General Description . 226
23.8.2 Command and Response . 227
23.8.3 Detailed Actions . 228
23.9 _TPM_Hash_Start . 229
23.9.1 Description . 229
23.9.2 Detailed Actions . 230
23.10 _TPM_Hash_Data . 231
23.10.1 Description . 231
23.10.2 Detailed Actions . 232
23.11 _TPM_Hash_End . 233
23.11.1 Description . 233
23.11.2 Detailed Actions . 234
24 Enhanced Authorization (EA) Commands . 236
24.1 Introduction . 236
24.2 Signed Authorization Actions . 237
24.2.1 Introduction . 237
24.2.2 Policy Parameter Checks . 237
24.2.3 Policy Digest Update Function (PolicyUpdate()) . 238
24.2.4 Policy Context Updates . 239
24.2.5 Policy Ticket Creation . 240
24.3 TPM2_PolicySigned . 241
24.3.1 General Description . 241
24.3.2 Command and Response . 243
24.3.3 Detailed Actions . 244
24.4 TPM2_PolicySecret . 247
24.4.1 General Description . 247
24.4.2 Command and Response . 248
24.4.3 Detailed Actions . 249
24.5 TPM2_PolicyTicket . 251
24.5.1 General Description . 251
24.5.2 Command and Response . 252
24.5.3 Detailed Actions . 253
24.6 TPM2_PolicyOR . 255
24.6.1 General Description . 255
24.6.2 Command and Response . 256
24.6.3 Detailed Actions . 257
24.7 TPM2_PolicyPCR . 259
24.7.1 General Description . 259
24.7.2 Command and Response . 261
24.7.3 Detailed Actions . 262
24.8 TPM2_PolicyLocality .
...
