Introduction to Next Generation of Trusted Platform Module: TPM 2.0
What is a TPM?

Stands for Trusted Platform Module
Holds tamper-resistant values that are used to help establish trust in a platform
Traditionally, has been a separate component on the system motherboard but now is also being integrated into the chipset
TPM is the flagship product of the Trusted Computing Group (TCG)
First TCG version of the specification (TPM 1.2) was released in 2003
• Derived from TPM 1.1 specification of TCPA
• Became ISO/IEC 11889:2009

Sept. 11, 2013
Reason for a TPM

A primary function for the TPM is to identify a system
• The identity of a programmable device is a combination of the hardware and the software that it is running
TPM reports on platform identity so that others can decide whether or not to trust the platform
• A TPM is a "reliable witness" but it does not make value judgments
• The TPM just provides responses to requests but is not able to directly intrude on system operation
It's kind of like a smart card for your computer, using the identity of the software as the PIN
• Can protect secrets so that they are only accessible when the right software is running on the system
The Hardware Identity

The TPM uses an asymmetric key to identify the hardware
• Key is statistically unique
• In TPM 1.2, it is an RSA key
• In TPM 2.0, can be either RSA or ECC
• This key is generated within the TPM and the private portion of the key is unknown outside of the TPM
  • Except, manufacturers can "inject" the key to save time in production
• The key uniquely identifies the TPM and the computer system to which it is attached
• The key might not tell us what the system is (cell phone or supercomputer) but it unambiguously tells us which system it is
• When the type of the system matters, there are ways to disambiguate
The Software Identity

Accepted way to identify software is to hash it
• In TCG speak, this is called "measuring" software
Collecting the hashes of all of the software that has run is the full identity, but it is next to impossible to evaluate
However, the identity of the system's trusted computing base (TCB) is smaller and more comprehensible
• If the TCB can be identified and the policy it enforces is known, then informed decisions can be made about whether or not to trust that system
• For example, we'd like to know if the correct OS and anti-malware software was loaded and run before any application code was loaded
Identity of the TCB
Identity of the TCB

The TCB is the part of a system that is responsible for enforcing the security policy of the system
• In an OS like Windows, it includes the kernel and some privileged applications such as anti-malware
• TCB also includes the platform firmware/software used to load the TCB (the system BIOS/UEFI)
We identify the TCB by measuring it
Measured Boot of the TCB

Boot sequence shown in the slide's diagram (each stage measures the next stage into the TPM before transferring control to it):
System Reset → CRTM → PEI (Pre-EFI Initialization) → DXE (Driver Execution Environment) → BDS (Boot Device Select) / Boot Manager → OS Loader (System Load) → OS Policy Engine (ELAM) → Application Environment

As the system boots, measurements of the TCB components are accumulated in the TPM in a way that lets the TPM provide the identity of the TCB software
Measurements of the software go into a TPM register called a Platform Configuration Register (PCR)
Reporting on the TCB

Measured boot leaves a characteristic fingerprint of the boot sequence in one or more PCRs in the TPM
The TPM can report these accumulated measurements in a cryptographically verifiable way
• Uses standard schemes (e.g., ECDSA) to sign the PCR values
• A good use is as part of a health check of a client system when it joins the corporate network
• The PCR contents can often disambiguate the type of device
  • Code identity for a cell phone will differ from code identity for a supercomputer
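The mechanics behind the two preceding slides, as an added example that is not part of the original deck: a PCR is never written, only extended (PCR[i] = H(PCR[i] || digest), which is what TPM2_PCR_Extend does), so the final value commits to every measurement and to their order, and a verifier that holds the event log can replay it and compare the result both to the PCRs the TPM reported and to known-good values. The boot events, PCR index assignments and "golden" values below are constructed for illustration (they do not follow the PC Client profile's PCR layout), and the quote signature is not simulated (the standard library has no asymmetric signing); the block computes the digest over selected PCRs that a TPM2_Quote covers and the appraisal a server performs on it.

```python
"""Measured boot, event-log replay and PCR appraisal, simulated with the
Python standard library only. Sample data is constructed, not a real log."""
import hashlib
from typing import Dict, List, Tuple

NUM_PCRS = 24          # PCRs start as all zeros at reset in this simulation
SELECTION = [0, 4, 7]  # PCRs a verifier asks the TPM to quote (illustrative)


def measure(data: bytes) -> bytes:
    """Measuring = hashing. TPM2_PCR_Event hashes the data and then extends."""
    return hashlib.sha256(data).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR = H(PCR || digest). Order-sensitive."""
    return hashlib.sha256(pcr_value + digest).digest()


# Constructed boot sequence: (PCR index, component, component bytes).
# PCR indexes are illustrative, not the PC Client profile's assignments.
BOOT_EVENTS: List[Tuple[int, str, bytes]] = [
    (0, "CRTM + PEI firmware", b"firmware-v1.0"),
    (0, "DXE drivers", b"dxe-driver-set-2013"),
    (4, "Boot Manager", b"bootmgr-build-9600"),
    (4, "OS Loader", b"osloader-build-9600"),
    (7, "ELAM / OS policy engine", b"elam-policy-v3"),
]


def boot(events: List[Tuple[int, str, bytes]]):
    """Run the boot sequence; return final PCR values and the event log.
    The log records the digest of each component, never the component."""
    pcrs: Dict[int, bytes] = {i: bytes(32) for i in range(NUM_PCRS)}
    log: List[Tuple[int, str, bytes]] = []
    for index, name, data in events:
        digest = measure(data)
        pcrs[index] = extend(pcrs[index], digest)
        log.append((index, name, digest))
    return pcrs, log


def replay(log: List[Tuple[int, str, bytes]]) -> Dict[int, bytes]:
    """Recompute PCR values from the event log alone, as a verifier does."""
    pcrs = {i: bytes(32) for i in range(NUM_PCRS)}
    for index, _name, digest in log:
        pcrs[index] = extend(pcrs[index], digest)
    return pcrs


def pcr_digest(pcrs: Dict[int, bytes], selection: List[int]) -> bytes:
    """Digest over the selected PCRs in ascending index order. This is the
    value a TPM2_Quote signs; the signature itself is not simulated here."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()


def appraise(reported: Dict[int, bytes], log, golden: Dict[int, bytes],
             selection: List[int]) -> Tuple[bool, List[str]]:
    """Server-side health check: the log must replay to the reported PCRs
    (else the log is inconsistent with what the TPM witnessed) and the
    reported PCRs must match known-good values. Returns (ok, reasons)."""
    reasons: List[str] = []
    replayed = replay(log)
    for i in sorted(selection):
        if replayed[i] != reported[i]:
            reasons.append(f"PCR{i}: event log does not replay to reported value")
        if reported[i] != golden[i]:
            reasons.append(f"PCR{i}: differs from known-good value")
    return (not reasons, reasons)


if __name__ == "__main__":
    pcrs, log = boot(BOOT_EVENTS)
    for index, name, digest in log:
        print(f"PCR{index:2d} <- {name:24s} {digest.hex()[:16]}...")
    print("quoted pcrDigest:", pcr_digest(pcrs, SELECTION).hex())
    golden, _ = boot(BOOT_EVENTS)
    print("appraisal of clean boot:", appraise(pcrs, log, golden, SELECTION))
```

Two failure modes matter in practice and both are covered by appraise: a log that was edited after the fact no longer replays to the quoted PCRs, and a component that was swapped (the backdoored firmware case) replays correctly but lands on a PCR value the server has never approved.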
Trusting the TPM

How does one trust what the TPM is saying?
How does one know that they are dealing with an actual TPM?
Trusting the TPM

The TPM has an asymmetric Endorsement Key (EK) that is the certified identity of the TPM
• Certificate could be an X.509 certificate placed in the TPM by the TPM manufacturer
• The certificate could be an email from the platform manufacturer that says "I just shipped systems to you with these TPM EKs…"
• Combination of the above or something different
When attaching to the corporate network, use a certified key to sign the accumulated PCR measurements and give them to a server
• Signing key identifies the client hardware
• The Quote of the PCRs identifies the client software
• (In practice the EK is a decryption-only key; the quote is signed by an attestation key whose binding to the EK is proven to the server)
Protect privacy by using pseudonymous keys for signing instead of the EK
Why TPM 2.0?
Why TPM 2.0?

Had to:
TPM 1.2 uses SHA-1 and RSA 2048 as the only fully-supported algorithms
• SHA-1 is no longer considered adequate
• RSA is not being recommended for security strengths above 112 bits

RSA key size (bits)   Security strength (bits)   Key bits per bit of security strength
1024                  80                         12.5
2048                  112                        18.3
3072                  128                        24     (SECRET)
7680                  192                        40     (TOP SECRET)
From SP 800-57, Table 2
Other Issues to Deal With in TPM 2.0

Crypto agility
• Don't want to have to rewrite the TPM specification every time an algorithm is broken/retired
• Need to accommodate geographic/government requirements
• Need to accommodate different security levels
Authorization agility
• Need simpler authorization
• Need more complex authorization
Hardware agility
• Implement in PC
• Implement in SoC (phone and tablet)
• Implement in embedded systems
What is Crypto Agility?

Simply means that the interface to the TPM should accommodate changes to cryptography
• Different asymmetric algorithms and key sizes
• Different symmetric algorithms and key sizes
• Different hash algorithms and digest sizes
Achieving this required a complete redo of the TPM specification
• Maintained many of the concepts, but
• Tossed all the data structures, and
• Redid all of the commands
Made sure that the new data structures are flexible and able to accommodate new algorithms
• In the future, will add to the specification rather than replace it
Authorization Agility
TPM•••• 1.2 has only 3 authorization ele
Authorization value
PCR state
“Locality” – hardware privilege le
8 total combinations of these sim
TPM 2.0 has 12 authorization eleme
• Authorization value
• Locality
• Asymmetric signature
• Symmetric shared secret
• Time Limited
• Specific Command
Authorization elements can be comb
(AND / OR) to give fine-grained acce
data
18 Sept. 11
ements
evel
mple elements
ents… so far
• PCR State
• “Physical Presence”
• Specific objects
• Duplication
• NV Written
• Contents of NV
bined using logical constructs
ess control over TPM 2.0 keys and
1, 2013
Authorization Policy Example

Scenario:
Multiple systems are used by multiple users. Each user has access to a different set of systems. Want each user to have their identity recognized on each system on which they are authorized.

Solution:
• Give each person an identity card (such as a CAC) and a password for that card.
  • The identity card will sign a number when it is given the proper password (PIN).
• Each system then has a Master key in the TPM, so that access to the Master key is required to use the system.
• Create a policy for the Master key that is the OR of a "signature" from each of the identity cards authorized on that system AND measurements indicating that the system is in a "trusted" state.
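How that policy is actually expressed in TPM 2.0, as an added example that is not part of the original deck: a policy is a digest built by chaining assertions, each one extending the running value as H(old || command code || assertion data), so the AND of the slide is simply sequencing, and the OR is TPM2_PolicyOR, which requires the current digest to equal one of up to eight branch digests and then restarts from zeros over the whole branch list. The command codes and marshalling below follow the TPM 2.0 Library specification (Part 2 for the codes and the TPML_PCR_SELECTION layout, Part 3 for each command's digest update); the card key names, "trusted" PCR values and PCR indexes are constructed sample data, and the simulated session assumes the TPM has already verified the card's signature over its nonce, which TPM2_PolicySigned does and this block does not model. The block goes slightly beyond the slide by also replaying the session side, so the reader can see an unauthorized card or an untrusted PCR state fail to reach the stored digest.

```python
"""TPM 2.0 policy digest for the slide's scenario:
(signed by card A OR signed by card B ...) AND PCRs in a trusted state.
Standard library only; key names and PCR values below are constructed."""
import hashlib
import struct
from typing import Sequence

# Command codes from TPM 2.0 Library Part 2 (Structures), TPM_CC constants.
TPM_CC_PolicySigned = 0x00000160
TPM_CC_PolicyOR = 0x00000171
TPM_CC_PolicyPCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
PCR_SELECT_BYTES = 3       # 24 PCRs -> 3-byte selection bitmap
START_DIGEST = bytes(32)   # every policy session starts from an all-zero digest


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def key_name(public_area: bytes) -> bytes:
    """Object Name = nameAlg || H(marshalled public area). The public area
    here is a constructed stand-in for a real TPMT_PUBLIC."""
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public_area).digest()


def policy_signed(policy: bytes, signer_name: bytes, policy_ref: bytes = b"") -> bytes:
    """TPM2_PolicySigned update: H(old || CC || authObject.Name || policyRef).
    The digest commits to WHICH key must sign, not to the signature itself."""
    return _h(policy, struct.pack(">I", TPM_CC_PolicySigned), signer_name, policy_ref)


def policy_or(policy: bytes, branches: Sequence[bytes]) -> bytes:
    """TPM2_PolicyOR: current digest must equal one branch, then the digest
    restarts as H(0..0 || CC || branch_1 || ... || branch_n); n is 1..8."""
    if not 1 <= len(branches) <= 8:
        raise ValueError("TPML_DIGEST holds 1..8 digests; nest PolicyOR for more")
    if policy not in branches:
        raise ValueError("current policy digest is not one of the OR branches")
    return _h(START_DIGEST, struct.pack(">I", TPM_CC_PolicyOR), *branches)


def pcr_selection(indexes: Sequence[int]) -> bytes:
    """Marshalled TPML_PCR_SELECTION with a single SHA-256 bank entry:
    count (UINT32) || hashAlg (UINT16) || sizeofSelect (UINT8) || bitmap."""
    select = bytearray(PCR_SELECT_BYTES)
    for i in indexes:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, PCR_SELECT_BYTES) + bytes(select)


def policy_pcr(policy: bytes, indexes: Sequence[int], pcr_values: Sequence[bytes]) -> bytes:
    """TPM2_PolicyPCR update: H(old || CC || pcrs || H(selected PCR values))."""
    pcr_digest = _h(*pcr_values)  # values concatenated in ascending PCR order
    return _h(policy, struct.pack(">I", TPM_CC_PolicyPCR), pcr_selection(indexes), pcr_digest)


def master_key_policy(card_names: Sequence[bytes], pcr_indexes: Sequence[int],
                      trusted_pcr_values: Sequence[bytes]) -> bytes:
    """Digest to store as the Master key's authPolicy: OR over the cards
    authorized on this system, then the trusted PCR state (the AND)."""
    branches = [policy_signed(START_DIGEST, name) for name in card_names]
    # any branch is a valid "current" digest when computing the OR value
    return policy_pcr(policy_or(branches[0], branches), pcr_indexes, trusted_pcr_values)


def try_unlock(auth_policy: bytes, card_names: Sequence[bytes], presented_card: bytes,
               pcr_indexes: Sequence[int], current_pcr_values: Sequence[bytes]) -> bool:
    """Simulated policy session: one card's (assumed verified) signature,
    the OR over the authorized cards, then the live PCRs. The key is usable
    only if the session digest equals the stored authPolicy."""
    session = policy_signed(START_DIGEST, presented_card)
    branches = [policy_signed(START_DIGEST, name) for name in card_names]
    try:
        session = policy_or(session, branches)
    except ValueError:
        return False  # presented card is not one of the authorized branches
    session = policy_pcr(session, pcr_indexes, current_pcr_values)
    return session == auth_policy


# Constructed sample data (not real TPM objects or measurements).
CARDS = {who: key_name(who.encode() + b"-card-public") for who in ("alice", "bob", "eve")}
PCR_INDEXES = [0, 7]
TRUSTED_PCRS = [hashlib.sha256(b"golden-pcr0").digest(), hashlib.sha256(b"golden-pcr7").digest()]

if __name__ == "__main__":
    authorized = [CARDS["alice"], CARDS["bob"]]
    policy = master_key_policy(authorized, PCR_INDEXES, TRUSTED_PCRS)
    print("Master key authPolicy:", policy.hex())
    for who in ("alice", "bob", "eve"):
        print(who, "with trusted PCRs:", try_unlock(policy, authorized, CARDS[who], PCR_INDEXES, TRUSTED_PCRS))
    rootkit = [TRUSTED_PCRS[0], hashlib.sha256(b"rootkit").digest()]
    print("alice with bad PCR7:", try_unlock(policy, authorized, CARDS["alice"], PCR_INDEXES, rootkit))
```

Two practical consequences fall out of the digest construction: the stored policy commits to the branch order, so the server that provisions Master keys must build the OR list deterministically, and more than eight authorized cards on one system need nested PolicyOR branches rather than one flat list.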
More Policy Examples

Use input from a biometric sensor as a factor for authorization
• Retina scanner
• Fingerprint scanner
• Facial recognition
• Etc.
Use input from GPS so that a TPM key can only be used within specific geographic constraints
Have a key expire unless authorization is refreshed periodically
Hardware Variability
Hardware Variability

Almost all TPM 1.2 devices were implemented as discrete devices
• Provides the necessary isolation from the OS
• Secrets not accessible outside of the physical TPM device
Many SoC implementations have an execution environment that is isolated from the OS
• TrustZone on ARM
• Platform Trust Technology (PTT) on some Intel systems
• Etc.
SP 800-164 provides guidance on how to host a TPM on these systems so that they are as secure as many discrete TPM implementations
• Usually, the only thing missing is advanced tamper resistance
Firmware TPM

Because TPM 2.0 comes with source code, SoC vendors are going directly to TPM 2.0 instead of doing TPM 1.2
These implementations are often referred to as firmware TPMs (fTPM) to distinguish them from a TPM in a discrete chip
• Code runs in the isolated execution environment of the SoC
Because of product cycles, it is hard to get a Common Criteria evaluation of an fTPM
But, expect to see FIPS-certified fTPMs within a year-ish
• Level 1 is probable
• Level 2 is a possibility because TPM 2.0 does not have the same issues as TPM 1.2
  • In TPM 1.2, can't do Level 2 compliance without breaking a lot of SW
Other TPM 2.0 Improvements