| |
| TPM_Init |
| |
| 286Start of informative comment: |
| 287TPM_Init is a physical method of initializing a TPM. There is no TPM_Init ordinal as this is a |
| 288platform message sent on the platform internals to the TPM. On a PC this command arrives |
| 289at the TPM via the LPC bus and informs the TPM that the platform is performing a boot |
| 290process. |
| 291TPM_Init puts the TPM into a state where it waits for the command TPM_Startup (which |
| 292specifies the type of initialization that is required. |
| 293End of informative comment. |
| 294Definition |
| 295TPM_Init(); |
| 296 |
| 297Operation of the TPM. This is not a command that any software can execute. It is inherent |
| 298in the design of the TPM and the platform that the TPM resides on. |
| 299Parameters |
| 300None |
| 301Description |
| 3021. |
| 303 |
| 304 |
| 305 |
| |
| The TPM_Init signal indicates to the TPM that platform initialization is taking place. The |
| TPM SHALL set the TPM into a state such that the only legal command to receive after |
| the TPM_Init is the TPM_Startup command. The TPM_Startup will further indicate to the |
| TPM how to handle and initialize the TPM resources. |
| |
| 3062. |
| 307 |
| 308 |
| 309 |
| 310 |
| 311 |
| |
| The platform design MUST be that the TPM is not the only component undergoing |
| initialization. If the TPM_Init signal forces the TPM to perform initialization then the |
| platform MUST ensure that ALL components of the platform receive an initialization |
| signal. This is to prevent an attacker from causing the TPM to initialize to a state where |
| various masquerades are allowable. For instance, on a PC causing the TPM to initialize |
| and expect measurements in PCR0 but the remainder of the platform does not initialize. |
| |
| 3123. The design of the TPM MUST be such that the ONLY mechanism that signals TPM_Init |
| 313 |
| also signals initialization to the other platform components. |
| 314Actions |
| 3151. The TPM sets TPM_STANY_FLAGS -> postInitialise to TRUE. |
| |
| 75 |
| 76 |
| |
| 6 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 77TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 78Specification Version 1.2 |
| |
| 3163.2 |
| |
| TPM_Startup |
| |
| 317Start of informative comment: |
| 318TPM_Startup is always preceded by TPM_Init, which is the physical indication (a system319wide reset) that TPM initialization is necessary. |
| 320There are many events on a platform that can cause a reset and the response to these |
| 321events can require different operations to occur on the TPM. The mere reset indication does |
| 322not contain sufficient information to inform the TPM as to what type of reset is occurring. |
| 323Additional information known by the platform initialization code needs transmitting to the |
| 324TPM. The TPM_Startup command provides the mechanism to transmit the information. |
| 325The TPM can startup in three different modes: |
| 326A “clear” start where all variables go back to their default or non-volatile set state |
| 327A “save” start where the TPM recovers appropriate information and restores various values |
| 328based on a prior TPM_SaveState. This recovery requires an invocation of TPM_Init to be |
| 329successful. |
| 330A failing "save" start must shut down the TPM. The CRTM cannot leave the TPM in a state |
| 331where an untrusted upper software layer could issue a "clear" and then extend PCR's and |
| 332thus mimic the CRTM. |
| 333A “deactivated” start where the TPM turns itself off and requires another TPM_Init before |
| 334the TPM will execute in a fully operational state. |
| 335End of informative comment. |
| 336Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal TPM_ORD_Startup |
| |
| 4 |
| |
| 2 |
| |
| 2S |
| |
| 2 |
| |
| TPM_STARTUP_TYPE |
| |
| startupType |
| |
| Type of startup that is occurring |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 337Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Startup |
| |
| 338Description |
| 339TPM_Startup MUST be generated by a trusted entity (the RTM or the TPM, for example). |
| 340 |
| |
| 1. If the TPM is in failure mode |
| |
| 79Level 2 Revision 116 28 February 2011 |
| 80 |
| |
| 7 |
| TCG Published |
| |
| 81Copyright © TCG |
| 82 |
| 83 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 341 |
| |
| a. TPM_STANY_FLAGS -> postInitialize is still set to FALSE |
| |
| 342 |
| |
| b. The TPM returns TPM_FAILEDSELFTEST |
| |
| 343Actions |
| 3441. If TPM_STANY_FLAGS -> postInitialise is FALSE, |
| 345 |
| |
| a. Then the TPM MUST return TPM_INVALID_POSTINIT, and exit this capability |
| |
| 3462. If stType = TPM_ST_CLEAR |
| 347 |
| 348 |
| |
| a. Ensure that sessions associated with resources TPM_RT_CONTEXT, TPM_RT_AUTH, |
| TPM_RT_DAA_TPM, and TPM_RT_TRANS are invalidated |
| |
| 349 |
| |
| b. Reset TPM_STCLEAR_DATA -> PCR[] values to each correct default value |
| |
| 350 |
| |
| i. |
| |
| 351 |
| |
| ii. pcrReset is TRUE, set to 0xFF..FF |
| |
| 352 |
| |
| pcrReset is FALSE, set to 0x00..00 |
| |
| c. Set the following TPM_STCLEAR_FLAGS to their default state |
| |
| 353 |
| |
| i. |
| |
| 354 |
| |
| ii. PhysicalPresenceLock |
| |
| 355 |
| |
| iii. disableForceClear |
| |
| 356 |
| |
| PhysicalPresence |
| |
| d. The TPM MAY initialize auditDigest to all zeros |
| |
| 357 |
| 358 |
| |
| i. If not initialized to all zeros, the TPM SHALL ensure that auditDigest contains |
| a valid value. |
| |
| 359 |
| 360 |
| 361 |
| |
| ii. If initialization fails, the TPM SHALL set auditDigest to all zeros and SHALL set |
| the internal TPM state so that the TPM returns TPM_FAILEDSELFTEST to all |
| subsequent commands. |
| |
| 362 |
| 363 |
| |
| e. The TPM SHALL set TPM_STCLEAR_FLAGS -> deactivated to the same state as |
| TPM_PERMANENT_FLAGS -> deactivated |
| |
| 364 |
| |
| f. The TPM MUST set the TPM_STANY_DATA fields to: |
| |
| 365 |
| |
| i. |
| |
| 366 |
| |
| ii. TPM_STANY_DATA->contextCount is set to 0 |
| |
| 367 |
| |
| iii. TPM_STANY_DATA->contextList is set to 0 |
| |
| 368 |
| |
| TPM_STANY_DATA->contextNonceSession is set to all zeros |
| |
| g. The TPM MUST set TPM_STCLEAR_DATA fields to: |
| |
| 369 |
| |
| i. |
| |
| 370 |
| |
| ii. countID to zero |
| |
| 371 |
| |
| iii. ownerReference to TPM_KH_OWNER |
| |
| 372 |
| |
| h. The TPM MUST set the following TPM_STCLEAR_FLAGS to |
| |
| 373 |
| 374 |
| |
| i. |
| i. |
| |
| 375 |
| 84 |
| 85 |
| |
| Invalidate contextNonceKey |
| |
| bGlobalLock to FALSE |
| |
| Determine which keys should remain in the TPM |
| i. |
| |
| For each key that has a valid preserved value in the TPM |
| |
| 8 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 86TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 87Specification Version 1.2 |
| |
| 376 |
| |
| (1) |
| |
| if parentPCRStatus is TRUE then call TPM_FlushSpecific(keyHandle) |
| |
| 377 |
| |
| (2) |
| |
| if isVolatile is TRUE then call TPM_FlushSpecific(keyHandle) |
| |
| 378 |
| |
| ii. Keys under control of the OwnerEvict flag MUST stay resident in the TPM |
| |
| 3793. If stType = TPM_ST_STATE |
| 380 |
| 381 |
| |
| a. If the TPM has no state to restore, the TPM MUST set the internal state such that it |
| returns TPM_FAILEDSELFTEST to all subsequent commands. |
| |
| 382 |
| 383 |
| 384 |
| |
| b. The TPM MAY determine for each session type (authorization, transport, DAA, …) to |
| release or maintain the session information. The TPM reports how it manages sessions |
| in the TPM_GetCapability command. |
| |
| 385 |
| 386 |
| 387 |
| |
| c. The TPM SHALL take all necessary actions to ensure that all PCRs contain valid |
| preserved values. If the TPM is unable to successfully complete these actions, it SHALL |
| enter the TPM failure mode. |
| |
| 388 |
| 389 |
| 390 |
| |
| i. For resettable PCR the TPM MUST set the value of TPM_STCLEAR_DATA -> |
| PCR[]to the resettable PCR default value. The TPM MUST NOT restore a resettable |
| PCR to a preserved value |
| |
| 391 |
| 392 |
| 393 |
| 394 |
| 395 |
| 396 |
| 397 |
| |
| d. The TPM MAY initialize auditDigest to all zeros. |
| i. Otherwise, the TPM SHALL take all actions necessary to ensure that |
| auditDigest contains a valid value. If the TPM is unable to successfully complete |
| these actions, the TPM SHALL initialize auditDigest to all zeros and SHALL set the |
| internal state such that the TPM returns TPM_FAILEDSELFTEST to all |
| subsequent commands. |
| e. The TPM MUST restore the following flags to their preserved states: |
| |
| 398 |
| |
| i. |
| |
| 399 |
| |
| ii. All values in TPM_STCLEAR_DATA |
| |
| All values in TPM_STCLEAR_FLAGS |
| |
| 400 |
| |
| f. The TPM MUST restore all keys that have a valid preserved value. |
| |
| 401 |
| 402 |
| |
| g. The TPM resumes normal operation. If the TPM is unable to resume normal |
| operation, it SHALL enter the TPM failure mode. |
| |
| 4034. If stType = TPM_ST_DEACTIVATED |
| 404 |
| |
| a. Invalidate sessions |
| |
| 405 |
| 406 |
| |
| i. Ensure that all resources associated with saved and active sessions are |
| invalidated |
| |
| 407 |
| |
| b. Set the TPM_STCLEAR_FLAGS to their default state. |
| |
| 408 |
| |
| c. Set TPM_STCLEAR_FLAGS -> deactivated to TRUE |
| |
| 4095. The TPM MUST ensure that state associated with TPM_SaveState is invalidated |
| 4106. The TPM MUST set TPM_STANY_FLAGS -> postInitialise to FALSE |
| |
| 88Level 2 Revision 116 28 February 2011 |
| 89 |
| |
| 9 |
| TCG Published |
| |
| 90Copyright © TCG |
| 91 |
| 92 |
| |
| 4113.3 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_SaveState |
| |
| 412Start of informative comment: |
| 413This warns a TPM to save some state information. |
| 414If the relevant shielded storage is non-volatile, this command need have no effect. |
| 415If the relevant shielded storage is volatile and the TPM alone is unable to detect the loss of |
| 416external power in time to move data to non-volatile memory, this command should be |
| 417presented before the TPM enters a low or no power state. |
| 418Resettable PCRs are tied to platform state that does not survive a sleep state. If the PCRs |
| 419did not reset, they would falsely indicate that the platform state was already present when it |
| 420came out of sleep. Since some setup is required first, there would be a gap where PCRs |
| 421indicated the wrong state. Therefore, the PCRs must be recreated. |
| 422Any loaded keys may be preserved. Keys with parentPCRStatus TRUE are not given priority |
| 423because of security concerns. Rather, since the key might be part of a storage tree that |
| 424requires PCR value transitions, it might not be directly loadable after |
| 425TPM_Startup(ST_STATE). For a TPM implementation that does not save all loaded keys, the |
| 426platform should issue a TPM_SaveContext / TPM_LoadContext sequence for those loaded |
| 427keys. contextNonceKey will be restored, guaranteeing that the saved key context can be |
| 428restored. |
| 429End of informative comment. |
| 430Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SaveState. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 431Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SaveState. |
| |
| 432Description |
| 4331. Preserved values MUST be non-volatile. |
| 4342. If data is never stored in a volatile medium, that data MAY be used as preserved data. In |
| 435 |
| such cases, no explicit action may be required to preserve that data. |
| |
| 93 |
| 94 |
| |
| 10 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 95TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 96Specification Version 1.2 |
| |
| 4363. If an explicit action is required to preserve data, it MUST be possible for the TPM to |
| 437 |
| determine whether preserved data is valid. |
| 4384. If a parameter mirrored by any preserved value is altered, all preserved values MUST be |
| 439 |
| declared invalid. |
| 4405. The TPM MAY declare all preserved values invalid in response to any command other |
| 441 |
| than TPM_Init. |
| 442Actions |
| 4431. Store TPM_STCLEAR_DATA -> PCR contents except for |
| 444 |
| |
| a. If the PCR attribute pcrReset is TRUE |
| |
| 445 |
| |
| b. Any platform identified debug PCR |
| |
| 4462. The auditDigest MUST be handled according to the audit requirements as reported by |
| 447 |
| TPM_GetCapability. |
| 448 |
| 449 |
| 450 |
| |
| a. If the ordinalAuditStatus is TRUE for the TPM_SaveState ordinal and the auditDigest |
| is being stored in the saved state, the saved auditDigest MUST include the |
| TPM_SaveState input parameters and MUST NOT include the output parameters. |
| |
| 4513. All values in TPM_STCLEAR_DATA MUST be preserved. |
| 4524. All values in TPM_STCLEAR_FLAGS MUST be preserved. |
| 4535. The contents of any key that is currently loaded SHOULD be preserved if the key's |
| 454 |
| parentPCRStatus indicator is TRUE. |
| 4556. The contents of any key that has TPM_KEY_CONTROL_OWNER_EVICT set MUST be |
| 456 |
| preserved |
| 4577. The contents of any key that is currently loaded MAY be preserved. |
| 4588. The contents of sessions (authorization, transport, DAA, etc.) MAY be preserved as |
| 459 |
| reported by TPM_GetCapability. |
| |
| 97Level 2 Revision 116 28 February 2011 |
| 98 |
| |
| 11 |
| TCG Published |
| |
| 99Copyright © TCG |
| 100 |
| 101 |
| |
| 4604. |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Admin Testing |
| |
| 4614.1 |
| |
| TPM_SelfTestFull |
| |
| 462Start of informative comment: |
| 463TPM_SelfTestFull tests all of the TPM capabilities. |
| 464Unlike TPM_ContinueSelfTest, which may optionally return immediately and then perform |
| 465the tests, TPM_SelfTestFull always performs the tests and then returns success or failure. |
| 466End of informative comment. |
| 467Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SelfTestFull |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 468Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SelfTestFull |
| |
| 469Actions |
| 4701. TPM_SelfTestFull SHALL cause a TPM to perform self-test of each TPM internal function. |
| 471 |
| |
| a. If the self-test succeeds, return TPM_SUCCESS. |
| |
| 472 |
| |
| b. If the self-test fails, return TPM_FAILEDSELFTEST. |
| |
| 4732. Failure of any test results in overall failure, and the TPM goes into failure mode. |
| 4743. If the TPM has not executed the action of TPM_ContinueSelfTest, the TPM |
| 475 |
| |
| a. MAY perform the full self-test. |
| |
| 476 |
| |
| b. MAY return TPM_NEEDS_SELFTEST. |
| |
| 102 |
| 103 |
| |
| 12 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 104TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 105Specification Version 1.2 |
| |
| 4774.2 |
| |
| TPM_ContinueSelfTest |
| |
| 478Start of informative comment: |
| 479TPM_ContinueSelfTest informs the TPM that it should complete the self-test of all TPM |
| 480functions. |
| 481The TPM may return success immediately and then perform the self-test, or it may perform |
| 482the self-test and then return success or failure. |
| 483End of informative comment. |
| 484Incoming Operands and Sizes |
| PARAM |
| # |
| |
| SZ |
| |
| 1 |
| |
| 4 |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| Name |
| |
| Description |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| UINT32 |
| |
| 4 |
| |
| 3 |
| |
| # |
| |
| Type |
| |
| 2 |
| |
| 2 |
| |
| HMAC |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ContinueSelfTest |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 485Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ContinueSelfTest |
| |
| 486Description |
| 4871. Prior to executing the actions of TPM_ContinueSelfTest, if the TPM receives a command |
| 488 |
| C1 that uses an untested TPM function, the TPM MUST take one of these actions: |
| 489 |
| |
| a. The TPM MAY return TPM_NEEDS_SELFTEST |
| |
| 490 |
| 491 |
| |
| i. This indicates that the TPM has not tested the internal resources required to |
| execute C1. |
| |
| 492 |
| |
| ii. The TPM does not execute C1. |
| |
| 493 |
| 494 |
| |
| iii. The caller MUST issue TPM_ContinueSelfTest before re-issuing the command |
| C1. |
| |
| 495 |
| 496 |
| 497 |
| |
| (1) If the TPM permits TPM_SelfTestFull prior to completing the actions of |
| TPM_ContinueSelfTest, the caller MAY issue TPM_SelfTestFull rather than |
| TPM_ContinueSelfTest. |
| |
| 498 |
| |
| b. The TPM MAY return TPM_DOING_SELFTEST |
| |
| 499 |
| 500 |
| |
| i. This indicates that the TPM is doing the actions of TPM_ContinueSelfTest |
| implicitly, as if the TPM_ContinueSelfTest command had been issued. |
| |
| 501 |
| |
| ii. The TPM does not execute C1. |
| |
| 106Level 2 Revision 116 28 February 2011 |
| 107 |
| |
| 13 |
| TCG Published |
| |
| 108Copyright © TCG |
| 109 |
| 110 |
| |
| 502 |
| 503 |
| 504 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| iii. The caller MUST wait for the actions of TPM_ContinueSelfTest to complete |
| before reissuing the command C1. |
| c. The TPM MAY return TPM_SUCCESS or an error code associated with C1. |
| |
| 505 |
| 506 |
| |
| i. This |
| indicates |
| that |
| the |
| TPM |
| has |
| completed |
| TPM_ContinueSelfTest and has completed the command C1. |
| |
| 507 |
| |
| ii. The error code MAY be TPM_FAILEDSELFTEST. |
| |
| the |
| |
| actions |
| |
| of |
| |
| 508Actions |
| 5091. If TPM_PERMANENT_FLAGS -> FIPS is TRUE or TPM_PERMANENT_FLAGS -> TPMpost |
| 510 |
| is TRUE |
| 511 |
| |
| a. The TPM MUST run all self-tests |
| |
| 5122. Else |
| 513 |
| |
| a. The TPM MUST complete all self-tests that are outstanding |
| |
| 514 |
| |
| i. |
| |
| Instead of completing all outstanding self-tests the TPM MAY run all self-tests |
| |
| 5153. The TPM either |
| 516 |
| |
| a. MAY immediately return TPM_SUCCESS |
| |
| 517 |
| 518 |
| 519 |
| 520 |
| |
| 111 |
| 112 |
| |
| i. When TPM_ContinueSelfTest finishes execution, it MUST NOT respond to the |
| caller with a return code. |
| b. MAY |
| complete |
| the |
| TPM_FAILEDSELFTEST. |
| |
| self-test |
| |
| and |
| |
| 14 |
| |
| then |
| |
| return |
| |
| TPM_SUCCESS |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| or |
| |
| 113TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 114Specification Version 1.2 |
| |
| 5214.3 |
| |
| TPM_GetTestResult |
| |
| 522Start of informative comment: |
| 523TPM_GetTestResult provides manufacturer specific information regarding the results of the |
| 524self-test. This command will work when the TPM is in self-test failure mode. The reason for |
| 525allowing this command to operate in the failure mode is to allow TPM manufacturers to |
| 526obtain diagnostic information. |
| 527End of informative comment. |
| 528Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetTestResult |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 529Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetTestResult |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| outDataSize |
| |
| The size of the outData area |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[] |
| |
| outData |
| |
| The outData this is manufacturer specific |
| |
| 530Description |
| 531This command will work when the TPM is in self test failure mode or limited operation |
| 532mode. |
| 533Actions |
| 5341. The TPM SHALL respond to this command with a manufacturer specific block of |
| 535 |
| information that describes the result of the latest self-test |
| 5362. The information MUST NOT contain any data that uniquely identifies an individual TPM. |
| |
| 115Level 2 Revision 116 28 February 2011 |
| 116 |
| |
| 15 |
| TCG Published |
| |
| 117Copyright © TCG |
| 118 |
| 119 |
| |
| 5375. |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Admin Opt-in |
| |
| 5385.1 |
| |
| TPM_SetOwnerInstall |
| |
| 539Start of informative comment: |
| 540When enabled but without an owner this command sets the PERMANENT flag that allows or |
| 541disallows the ability to insert an owner. |
| 542End of informative comment. |
| 543Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SetOwnerInstall |
| |
| 4 |
| |
| 1 |
| |
| 2S |
| |
| 1 |
| |
| BOOL |
| |
| state |
| |
| State to which ownership flag is to be set. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 544Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SetOwnerInstall |
| |
| 545Action |
| 5461. If the TPM has a current owner, this command immediately returns with |
| 547 |
| TPM_SUCCESS. |
| 5482. The TPM validates the assertion of physical presence. The TPM then sets the value of |
| 549 |
| TPM_PERMANENT_FLAGS -> ownership to the value in state. |
| |
| 120 |
| 121 |
| |
| 16 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 122TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 123Specification Version 1.2 |
| |
| 5505.2 |
| |
| TPM_OwnerSetDisable |
| |
| 551Start of informative comment: |
| 552The TPM owner sets the PERMANENT disable flag to TRUE or FALSE. |
| 553End of informative comment. |
| 554Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OwnerSetDisable |
| |
| 4 |
| |
| 1 |
| |
| 2S |
| |
| 1 |
| |
| BOOL |
| |
| disableState |
| |
| Value for disable state |
| |
| 5 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 6 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 7 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 8 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner authentication. |
| HMAC key: ownerAuth. |
| |
| 555Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| 20 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OwnerSetDisable |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth. |
| |
| 556Action |
| 5571. The TPM SHALL authenticate the command as coming from the TPM Owner. If |
| 558 |
| unsuccessful, the TPM SHALL return TPM_AUTHFAIL. |
| 5592. The TPM SHALL set the TPM_PERMANENT_FLAGS -> disable flag to the value in the |
| 560 |
| disableState parameter. |
| |
| 124Level 2 Revision 116 28 February 2011 |
| 125 |
| |
| 17 |
| TCG Published |
| |
| 126Copyright © TCG |
| 127 |
| 128 |
| |
| 5615.3 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_PhysicalEnable |
| |
| 562Start of informative comment: |
| 563Sets the PERMANENT disable flag to FALSE using physical presence as authorization. |
| 564End of informative comment. |
| 565Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_PhysicalEnable |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 566Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_PhysicalEnable |
| |
| 567Action |
| 5681. Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE |
| 5692. The TPM SHALL set the TPM_PERMANENT_FLAGS.disable value to FALSE. |
| |
| 129 |
| 130 |
| |
| 18 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 131TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 132Specification Version 1.2 |
| |
| 5705.4 |
| |
| TPM_PhysicalDisable |
| |
| 571Start of informative comment: |
| 572Sets the PERMANENT disable flag to TRUE using physical presence as authorization |
| 573End of informative comment. |
| 574Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| 1 |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_PhysicalDisable |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 575Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_PhysicalDisable |
| |
| 576Action |
| 5771. Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE |
| 5782. The TPM SHALL set the TPM_PERMANENT_FLAGS.disable value to TRUE. |
| |
| 133Level 2 Revision 116 28 February 2011 |
| 134 |
| |
| 19 |
| TCG Published |
| |
| 135Copyright © TCG |
| 136 |
| 137 |
| |
| 5795.5 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_PhysicalSetDeactivated |
| |
| 580Start of informative comment: |
| 581Changes the TPM persistant deactivated flag using physical presence as authorization. |
| 582This command is not available when the TPM is disabled. |
| 583End of informative comment. |
| 584Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_PhysicalSetDeactivated |
| |
| 4 |
| |
| 1 |
| |
| 2S |
| |
| 1 |
| |
| BOOL |
| |
| state |
| |
| State to which deactivated flag is to be set. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 585Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_PhysicalSetDeactivated |
| |
| 586Action |
| 5871. Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE |
| 5882. The TPM SHALL set the TPM_PERMANENT_FLAGS.deactivated flag to the value in the |
| 589 |
| state parameter. |
| |
| 138 |
| 139 |
| |
| 20 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 140TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 141Specification Version 1.2 |
| |
| 5905.6 |
| |
| TPM_SetTempDeactivated |
| |
| 591Start of informative comment: |
| 592This command allows the operator of the platform to deactivate the TPM until the next boot |
| 593of the platform. |
| 594This command requires operator authentication. The operator can provide the |
| 595authentication by either the assertion of physical presence or presenting the operator |
| 596AuthData value. |
| 597End of informative comment. |
| 598Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SetTempDeactivated |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| Auth handle for operation validation. Session type MUST be OIAP |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 5 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 6 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 7 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| operatorAuth |
| |
| HMAC key: operatorAuth |
| |
| 599Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| 20 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SetTempDeactivated |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| operatorAuth. |
| |
| 600Action |
| 6011. If tag = TPM_TAG_RQU_AUTH1_COMMAND |
| 602 |
| |
| a. If TPM_PERMANENT_FLAGS -> operator is FALSE return TPM_NOOPERATOR |
| |
| 603 |
| 604 |
| |
| b. Validate command |
| TPM_AUTHFAIL |
| |
| and |
| |
| 142Level 2 Revision 116 28 February 2011 |
| 143 |
| |
| parameters |
| |
| using |
| |
| 21 |
| TCG Published |
| |
| operatorAuth, |
| |
| on |
| |
| error |
| |
| return |
| |
| 144Copyright © TCG |
| 145 |
| 146 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 6052. Else |
| 606 |
| |
| a. If physical presence is not asserted the TPM MUST return TPM_BAD_PRESENCE |
| |
| 6073. The TPM SHALL set the TPM_STCLEAR_FLAGS.deactivated flag to the value TRUE. |
| |
| 147 |
| 148 |
| |
| 22 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 149TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 150Specification Version 1.2 |
| |
| 6085.7 |
| |
| TPM_SetOperatorAuth |
| |
| 609Start of informative comment: |
| 610This command allows the setting of the operator AuthData value. |
| 611There is no confidentiality applied to the operator authentication as the value is sent under |
| 612the assumption of being local to the platform. If there is a concern regarding the path |
| 613between the TPM and the keyboard then unless the keyboard is using encryption and a |
| 614secure channel an attacker can read the values. |
| 615End of informative comment. |
| 616Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SetOperatorAuth |
| |
| 4 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_SECRET |
| |
| operatorAuth |
| |
| The operator AuthData |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 617Outgoing Operands and Sizes |
| PARAM |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| 2 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| HMAC |
| # |
| |
| SZ |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SetOperatorAuth |
| |
| 618Action |
| 6191. If physical presence is not asserted the TPM MUST return TPM_BAD_PRESENCE |
| 6202. The TPM SHALL set the TPM_PERMANENT_DATA -> operatorAuth |
| 6213. The TPM SHALL set TPM_PERMANENT_FLAGS -> operator to TRUE |
| |
| 151Level 2 Revision 116 28 February 2011 |
| 152 |
| |
| 23 |
| TCG Published |
| |
| 153Copyright © TCG |
| 154 |
| 155 |
| |
| 6226. |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Admin Ownership |
| |
| 6236.1 |
| |
| TPM_TakeOwnership |
| |
| 624Start of informative comment: |
| 625This command inserts the TPM Ownership value into the TPM. |
| 626End of informative comment. |
| 627Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_TakeOwnership |
| |
| 4 |
| |
| 2 |
| |
| 2S |
| |
| 2 |
| |
| TPM_PROTOCOL_ID |
| |
| protocolID |
| |
| The ownership protocol in use. |
| |
| 5 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| encOwnerAuthSize |
| |
| The size of the encOwnerAuth field |
| |
| 6 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| encOwnerAuth |
| |
| The owner AuthData encrypted with PUBEK |
| |
| 7 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| encSrkAuthSize |
| |
| The size of the encSrkAuth field |
| |
| 8 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[ ] |
| |
| encSrkAuth |
| |
| The SRK AuthData encrypted with PUBEK |
| |
| 9 |
| |
| <> |
| |
| 7S |
| |
| <> |
| |
| TPM_KEY12 |
| |
| srkParams |
| |
| Structure containing all parameters of new SRK. pubKey.keyLength & |
| encSize are both 0. This structure MAY be TPM_KEY12. |
| |
| 10 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for this command |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 11 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 12 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 13 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| Authorization session digest for input params. HMAC key: the new |
| ownerAuth value. See actions for validation operations |
| |
| 628 |
| |
| 156 |
| 157 |
| |
| 24 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 158TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 159Specification Version 1.2 |
| |
| 629Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_TakeOwnership |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_KEY |
| |
| srkPub |
| |
| Structure containing all parameters of new SRK. srkPub.encData is set to |
| 0. This structure MAY be TPM_KEY12. |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| the new ownerAuth value |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 630Description |
| 631The type of the output srkPub MUST be the same as the type of the input srkParams, either |
| 632both TPM_KEY or both TPM_KEY12. |
| 633Actions |
| 6341. If TPM_PERMANENT_DATA -> ownerAuth is valid return TPM_OWNER_SET |
| 6352. If TPM_PERMANENT_FLAGS -> ownership is FALSE return TPM_INSTALL_DISABLED |
| 6363. If |
| TPM_PERMANENT_DATA |
| 637 |
| TPM_NO_ENDORSEMENT |
| |
| -> |
| |
| endorsementKey |
| |
| is |
| |
| invalid |
| |
| return |
| |
| 6384. Verify that authHandle is of type OIAP on error return TPM_AUTHFAIL |
| 6395. If protocolID is not TPM_PID_OWNER, the TPM MAY return TPM_BAD_PARAMETER |
| 6406. Create A1 a TPM_SECRET by decrypting encOwnerAuth using PRIVEK as the key |
| 641 |
| |
| a. This requires that A1 was encrypted using the PUBEK |
| |
| 642 |
| |
| b. Validate that A1 is a length of 20 bytes, on error return TPM_BAD_KEY_PROPERTY |
| |
| 6437. Validate the command and parameters using A1 and ownerAuth, on error return |
| 644 |
| TPM_AUTHFAIL |
| 6458. Validate srkParams |
| 646 |
| 647 |
| |
| a. If |
| srkParams |
| -> |
| TPM_INVALID_KEYUSAGE |
| |
| 648 |
| |
| b. If srkParams -> migratable is TRUE return TPM_INVALID_KEYUSAGE |
| |
| 649 |
| 650 |
| |
| c. If srkParams -> algorithmParms -> algorithmID is NOT TPM_ALG_RSA return |
| TPM_BAD_KEY_PROPERTY |
| |
| 651 |
| 652 |
| |
| d. If |
| srkParams |
| -> |
| algorithmParms |
| -> |
| encScheme |
| TPM_ES_RSAESOAEP_SHA1_MGF1 return TPM_BAD_KEY_PROPERTY |
| |
| 160Level 2 Revision 116 28 February 2011 |
| 161 |
| |
| keyUsage |
| |
| is |
| |
| 25 |
| TCG Published |
| |
| not |
| |
| TPM_KEY_STORAGE |
| |
| is |
| |
| return |
| |
| NOT |
| |
| 162Copyright © TCG |
| 163 |
| 164 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 653 |
| 654 |
| |
| e. If srkParams -> algorithmParms -> sigScheme is NOT TPM_SS_NONE return |
| TPM_BAD_KEY_PROPERTY |
| |
| 655 |
| 656 |
| |
| f. srkParams -> algorithmParms -> parms -> keyLength MUST be greater than or equal |
| to 2048, on error return TPM_BAD_KEY_PROPERTY |
| |
| 657 |
| 658 |
| |
| g. If srkParams -> algorithmParms -> parms -> exponentSize is not 0, return |
| TPM_BAD_KEY_PROPERTY |
| |
| 659 |
| |
| h. If TPM_PERMANENT_FLAGS -> FIPS is TRUE |
| |
| 660 |
| 661 |
| |
| i. If srkParams |
| TPM_NOTFIPS |
| |
| -> |
| |
| authDataUsage |
| |
| specifies |
| |
| TPM_AUTH_NEVER |
| |
| return |
| |
| 6629. Generate K1 according to the srkParams, on error return TPM_BAD_KEY_PROPERTY |
| 663 |
| |
| a. This includes copying PCRInfo from srkParams to K1 |
| |
| 66410.Create A2 a TPM_SECRET by decrypting encSrkAuth using the PRIVEK |
| 665 |
| |
| a. This requires A2 to be encrypted using the PUBEK |
| |
| 666 |
| |
| b. Validate that A2 is a length of 20 bytes, on error return TPM_BAD_KEY_PROPERTY |
| |
| 667 |
| |
| c. Store A2 in K1 -> usageAuth |
| |
| 66811.Store K1 in TPM_PERMANENT_DATA -> srk |
| 66912.Store A1 in TPM_PERMANENT_DATA -> ownerAuth |
| 67013.Create TPM_PERMANENT_DATA -> contextKey according to the rules for the algorithm |
| 671 |
| in use by the TPM to save context blobs |
| 67214.Create TPM_PERMANENT_DATA -> delegateKey according to the rules for the algorithm |
| 673 |
| in use by the TPM to save delegate blobs |
| 67415.Create TPM_PERMANENT_DATA -> tpmProof by using the TPM RNG |
| 67516.Export TPM_PERMANENT_DATA -> srk as srkPub |
| 67617.Set TPM_PERMANENT_FLAGS -> readPubek to FALSE |
| 67718.Calculate resAuth using the newly established TPM_PERMANENT_DATA -> ownerAuth |
| |
| 165 |
| 166 |
| |
| 26 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 167TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 168Specification Version 1.2 |
| |
| 6786.2 |
| |
| TPM_OwnerClear |
| |
| 679Start of informative comment: |
| 680The TPM_OwnerClear command performs the clear operation under Owner authentication. |
| 681This command is available until the Owner executes the TPM_DisableOwnerClear, at which |
| 682time any further invocation of this command returns TPM_CLEAR_DISABLED. |
| 683End of informative comment. |
| 684Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OwnerClear |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 5 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 6 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Ignored |
| |
| 7 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner authentication. |
| HMAC key: ownerAuth. |
| |
| 685Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OwnerClear |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Fixed value FALSE |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| old ownerAuth. |
| |
| 20 |
| |
| 686Actions |
| 6871. Verify that the TPM Owner authorizes the command and all of the input, on error return |
| 688 |
| TPM_AUTHFAIL. |
| 6892. If TPM_PERMANENT_FLAGS |
| 690 |
| TPM_CLEAR_DISABLED. |
| |
| -> |
| |
| disableOwnerClear |
| |
| 6913. Unload all loaded keys. |
| 692 |
| |
| a. This includes owner evict keys |
| |
| 169Level 2 Revision 116 28 February 2011 |
| 170 |
| |
| 27 |
| TCG Published |
| |
| is |
| |
| TRUE |
| |
| then |
| |
| return |
| |
| 171Copyright © TCG |
| 172 |
| 173 |
| |
| 693 |
| 694 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| b. If TPM_PERMANENT_FLAGS -> FIPS is TRUE, the memory locations containing |
| secret or private keys MUST be set to all zeros. |
| |
| 6954. The TPM MUST NOT modify the following TPM_PERMANENT_DATA items |
| 696 |
| |
| a. endorsementKey |
| |
| 697 |
| |
| b. revMajor |
| |
| 698 |
| |
| c. revMinor |
| |
| 699 |
| |
| d. manuMaintPub |
| |
| 700 |
| |
| e. auditMonotonicCounter |
| |
| 701 |
| |
| f. monotonicCounter |
| |
| 702 |
| |
| g. pcrAttrib |
| |
| 703 |
| |
| h. rngState |
| |
| 704 |
| |
| i. |
| |
| EKReset |
| |
| 705 |
| |
| j. |
| |
| lastFamilyID |
| |
| 706 |
| |
| k. tpmDAASeed |
| |
| 707 |
| |
| l. |
| |
| 708 |
| |
| m. daaProof |
| |
| 709 |
| |
| n. daaBlobKey |
| |
| authDIR[0] |
| |
| 7105. The TPM MUST invalidate the following TPM_PERMANENT_DATA items and any internal |
| 711 |
| resources associated with these items |
| 712 |
| |
| a. ownerAuth |
| |
| 713 |
| |
| b. srk |
| |
| 714 |
| |
| c. delegateKey |
| |
| 715 |
| |
| d. delegateTable |
| |
| 716 |
| |
| e. contextKey |
| |
| 717 |
| |
| f. tpmProof |
| |
| 718 |
| |
| g. operatorAuth |
| |
| 7196. The TPM MUST reset to manufacturing defaults the following TPM_PERMANENT_DATA |
| 720 |
| items |
| 721 |
| |
| a. noOwnerNVWrite MUST be set to 0 |
| |
| 722 |
| |
| b. ordinalAuditStatus |
| |
| 723 |
| |
| c. restrictDelegate |
| |
| 7247. The TPM MUST invalidate or reset all fields of TPM_STANY_DATA |
| 725 |
| |
| a. Nonces SHALL be reset |
| |
| 726 |
| |
| b. Lists (e.g. contextList) SHALL be invalidated |
| |
| 7278. The TPM MUST invalidate or reset all fields of TPM_STCLEAR_DATA except the PCR’s |
| 174 |
| 175 |
| |
| 28 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 176TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 177Specification Version 1.2 |
| |
| 728 |
| |
| a. Nonces SHALL be reset |
| |
| 729 |
| |
| b. Lists (e.g. contextList) SHALL be invalidated |
| |
| 730 |
| |
| c. deferredPhysicalPresence MUST be set to 0 |
| |
| 7319. The TPM MUST set the following TPM_PERMANENT_FLAGS to their default values |
| 732 |
| |
| a. disable |
| |
| 733 |
| |
| b. deactivated |
| |
| 734 |
| |
| c. readPubek |
| |
| 735 |
| |
| d. disableOwnerClear |
| |
| 736 |
| |
| e. disableFullDALogicInfo |
| |
| 737 |
| |
| f. allowMaintenance |
| |
| 738 |
| |
| g. readSRKPub |
| |
| 73910.The TPM MUST set the following TPM_PERMANENT_FLAGS |
| 740 |
| |
| a. ownership to TRUE |
| |
| 741 |
| |
| b. operator to FALSE |
| |
| 742 |
| |
| c. maintenanceDone to FALSE |
| |
| 74311.The TPM releases all TPM_PERMANENT_DATA -> monotonicCounter settings |
| 744 |
| 745 |
| 746 |
| |
| a. This includes invalidating all currently allocated counters. The result will be no |
| currently allocated counters and the new owner will need to allocate counters. The |
| actual count value will continue to increase. |
| |
| 74712.The TPM MUST deallocate all defined NV storage areas where |
| 748 |
| |
| a. |
| |
| TPM_NV_PER_OWNERWRITE is TRUE if nvIndex does not have the “D” bit set |
| |
| 749 |
| |
| b. |
| |
| TPM_NV_PER_OWNERREAD is TRUE if nvIndex does not have the “D” bit set |
| |
| 750 |
| |
| c. The TPM MUST NOT deallocate any other currently defined NV storage areas. |
| |
| 75113.The TPM MUST invalidate all familyTable entries |
| 75214.The TPM MUST terminate all sessions, active or saved. |
| |
| 178Level 2 Revision 116 28 February 2011 |
| 179 |
| |
| 29 |
| TCG Published |
| |
| 180Copyright © TCG |
| 181 |
| 182 |
| |
| 7536.3 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_ForceClear |
| |
| 754Start of informative comment: |
| 755The TPM_ForceClear command performs the Clear operation under physical access. This |
| 756command is available until the execution of the TPM_DisableForceClear, at which time any |
| 757further invocation of this command returns TPM_CLEAR_DISABLED. |
| 758TPM_ForceClear can succeed even if no owner is installed. In that case, it does whatever |
| 759TPM_OwnerClear actions that it can. |
| 760End of informative comment. |
| 761Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ForceClear |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 762Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ForceClear |
| |
| 763Actions |
| 7641. The TPM SHALL check for the assertion of physical presence, if not present return |
| 765 |
| TPM_BAD_PRESENCE |
| 7662. If TPM_STCLEAR_FLAGS -> disableForceClear is TRUE return TPM_CLEAR_DISABLED |
| 7673. The TPM SHALL execute the actions of TPM_OwnerClear (except for the TPM Owner |
| 768 |
| authentication check) |
| |
| 183 |
| 184 |
| |
| 30 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 185TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 186Specification Version 1.2 |
| |
| 7696.4 |
| |
| TPM_DisableOwnerClear |
| |
| 770Start of informative comment: |
| 771The TPM_DisableOwnerClear command disables the ability to execute the TPM_OwnerClear |
| 772command permanently. Once invoked the only method of clearing the TPM will require |
| 773physical access to the TPM. |
| 774After the execution of TPM_ForceClear, ownerClear is re-enabled and must be explicitly |
| 775disabled again by the new TPM Owner. |
| 776End of informative comment. |
| 777Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DisableOwnerClear |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 5 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 6 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 7 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner authentication. |
| HMAC key: ownerAuth. |
| |
| 778Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DisableOwnerClear |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth. |
| |
| 20 |
| |
| 779Actions |
| 7801. The TPM verifies that the authHandle properly authorizes the owner. |
| 7812. The TPM sets the TPM_PERMANENT_FLAGS -> disableOwnerClear flag to TRUE. |
| |
| 187Level 2 Revision 116 28 February 2011 |
| 188 |
| |
| 31 |
| TCG Published |
| |
| 189Copyright © TCG |
| 190 |
| 191 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 7823. When this flag is TRUE the only mechanism that can clear the TPM is the |
| 783 |
| TPM_ForceClear command. The TPM_ForceClear command requires physical access to |
| 784 |
| the TPM to execute. |
| |
| 192 |
| 193 |
| |
| 32 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 194TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 195Specification Version 1.2 |
| |
| 7856.5 |
| |
| TPM_DisableForceClear |
| |
| 786Start of informative comment: |
| 787The TPM_DisableForceClear command disables the execution of the TPM_ForceClear |
| 788command until the next startup cycle. Once this command is executed, the TPM_ForceClear |
| 789is disabled until another startup cycle is run. |
| 790End of informative comment. |
| 791Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DisableForceClear |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 792Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DisableForceClear |
| |
| 793Actions |
| 7941. The TPM sets the TPM_STCLEAR_FLAGS.disableForceClear flag in the TPM that disables |
| 795 |
| the execution of the TPM_ForceClear command. |
| |
| 196Level 2 Revision 116 28 February 2011 |
| 197 |
| |
| 33 |
| TCG Published |
| |
| 198Copyright © TCG |
| 199 |
| 200 |
| |
| 7966.6 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TSC_PhysicalPresence |
| |
| 797Start of informative comment: |
| 798Some TPM operations require the indication of a human’s physical presence at the platform. |
| 799The presence of the human either provides another indication of platform ownership or a |
| 800mechanism to ensure that the execution of the command is not the result of a remote |
| 801software process. |
| 802This command allows a process on the platform to indicate the assertion of physical |
| 803presence. As this command is executable by software there must be protections against the |
| 804improper invocation of this command. |
| 805The physicalPresenceHWEnable and physicalPresenceCMDEnable indicate the ability for |
| 806either SW or HW to indicate physical presence. These flags can be reset until the |
| 807physicalPresenceLifetimeLock is set. The platform manufacturer should set these flags to |
| 808indicate the capabilities of the platform the TPM is bound to. |
| 809The command provides two sets of functionality. The first is to enable, permanently, either |
| 810the HW or the SW ability to assert physical presence. The second is to allow SW, if enabled, |
| 811to assert physical presence. |
| 812End of informative comment. |
| 813Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TSC_ORD_PhysicalPresence. |
| |
| 4 |
| |
| 2 |
| |
| 2S |
| |
| 2 |
| |
| TPM_PHYSICAL_PRESENCE |
| |
| physicalPresence |
| |
| The state to set the TPM’s Physical Presence flags. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 814Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TSC_ORD_PhysicalPresence. |
| |
| 815Actions |
| 8161. For documentation ease, the bits break into two categories. The first is the lifetime |
| 817 |
| settings and the second is the assertion settings. |
| 818 |
| 819 |
| 820 |
| 821 |
| 201 |
| 202 |
| |
| a. Define A1 to be the lifetime settings: TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK, |
| TPM_PHYSICAL_PRESENCE_HW_ENABLE, TPM_PHYSICAL_PRESENCE_CMD_ENABLE, |
| TPM_PHYSICAL_PRESENCE_HW_DISABLE, |
| and |
| TPM_PHYSICAL_PRESENCE_CMD_DISABLE |
| 34 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 203TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 204Specification Version 1.2 |
| |
| 822 |
| 823 |
| |
| b. Define A2 to be the assertion settings: TPM_PHYSICAL_PRESENCE_LOCK, |
| TPM_PHYSICAL_PRESENCE_PRESENT, and TPM_PHYSICAL_PRESENCE_NOTPRESENT |
| |
| 824Lifetime lock settings |
| 8252. If any A1 setting is present |
| 826 |
| 827 |
| |
| a. If TPM_PERMANENT_FLAGS -> physicalPresenceLifetimeLock is TRUE, return |
| TPM_BAD_PARAMETER |
| |
| 828 |
| |
| b. If any A2 setting is present return TPM_BAD_PARAMETER |
| |
| 829 |
| 830 |
| 831 |
| |
| c. If both physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_ENABLE and |
| physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_DISABLE are TRUE, return |
| TPM_BAD_PARAMETER. |
| |
| 832 |
| 833 |
| 834 |
| |
| d. If both physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_ENABLE and |
| physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_DISABLE are TRUE, return |
| TPM_BAD_PARAMETER. |
| |
| 835 |
| 836 |
| |
| e. If physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_ENABLE is TRUE Set |
| TPM_PERMANENT_FLAGS -> physicalPresenceHWEnable to TRUE |
| |
| 837 |
| 838 |
| |
| f. If physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_DISABLE is TRUE Set |
| TPM_PERMANENT_FLAGS -> physicalPresenceHWEnable to FALSE |
| |
| 839 |
| 840 |
| |
| g. If physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_ENABLE is TRUE, Set |
| TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable to TRUE. |
| |
| 841 |
| 842 |
| |
| h. If physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_DISABLE is TRUE, Set |
| TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable to FALSE. |
| |
| 843 |
| |
| i. |
| |
| 844 |
| 845 |
| |
| If physicalPresence -> TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK is TRUE |
| i. |
| |
| j. |
| |
| Set TPM_PERMANENT_FLAGS -> physicalPresenceLifetimeLock to TRUE |
| |
| Return TPM_SUCCESS |
| |
| 846SW physical presence assertion |
| 8473. If any A2 setting is present |
| 848 |
| |
| a. If any A1 setting is present return TPM_BAD_PARAMETER |
| |
| 849 |
| 850 |
| |
| i. This check here just for consistency, the prior checks would have already |
| ensured that this was ok |
| |
| 851 |
| 852 |
| |
| b. If TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable is FALSE, return |
| TPM_BAD_PARAMETER |
| |
| 853 |
| 854 |
| |
| c. If both physicalPresence -> TPM_PHYSICAL_PRESENCE_LOCK and physicalPresence |
| -> TPM_PHYSICAL_PRESENCE_PRESENT are TRUE, return TPM_BAD_PARAMETER |
| |
| 855 |
| 856 |
| 857 |
| |
| d. If |
| both |
| physicalPresence |
| -> |
| TPM_PHYSICAL_PRESENCE_PRESENT |
| and |
| physicalPresence -> TPM_PHYSICAL_PRESENCE_NOTPRESENT are TRUE, return |
| TPM_BAD_PARAMETER |
| |
| 858 |
| 859 |
| |
| e. If |
| TPM_STCLEAR_FLAGS |
| TPM_BAD_PARAMETER |
| |
| 205Level 2 Revision 116 28 February 2011 |
| 206 |
| |
| -> |
| |
| physicalPresenceLock |
| |
| 35 |
| TCG Published |
| |
| is |
| |
| TRUE, |
| |
| return |
| |
| 207Copyright © TCG |
| 208 |
| 209 |
| |
| 860 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| f. If physicalPresence -> TPM_PHYSICAL_PRESENCE_LOCK is TRUE |
| |
| 861 |
| |
| i. |
| |
| 862 |
| |
| ii. Set TPM_STCLEAR_FLAGS -> physicalPresenceLock to TRUE |
| |
| 863 |
| |
| iii. Return TPM_SUCCESS |
| |
| 864 |
| |
| g. If physicalPresence -> TPM_PHYSICAL_PRESENCE_PRESENT is TRUE |
| |
| 865 |
| 866 |
| |
| i. |
| |
| Set TPM_STCLEAR_FLAGS -> physicalPresence to TRUE |
| |
| h. If physicalPresence -> TPM_PHYSICAL_PRESENCE_NOTPRESENT is TRUE |
| |
| 867 |
| 868 |
| |
| Set TPM_STCLEAR_FLAGS -> physicalPresence to FALSE |
| |
| i. |
| i. |
| |
| Set TPM_STCLEAR_FLAGS -> physicalPresence to FALSE |
| |
| Return TPM_SUCCESS |
| |
| 8694. Else // There were no A1 or A2 parameters set |
| 870 |
| |
| 210 |
| 211 |
| |
| a. Return TPM_BAD_PARAMETER |
| |
| 36 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 212TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 213Specification Version 1.2 |
| |
| 8716.7 |
| |
| TSC_ResetEstablishmentBit |
| |
| 872Start of informative comment: |
| 873The PC TPM Interface Specification (TIS) specifies setting tpmEstablished to TRUE upon |
| 874execution of the HASH_START sequence. The setting implies the creation of a Trusted |
| 875Operating System on the platform. Platforms will use the value of tpmEstablished to |
| 876determine if operations necessary to maintain the security perimeter are necessary. |
| 877The tpmEstablished bit provides a non-volatile, secure reporting that a HASH_START was |
| 878previously run on the platform. When a platform makes use of the tpmEstablished bit, the |
| 879platform can reset tpmEstablished as the operation is no longer necessary. |
| 880For example, a platform could use tpmEstablished to ensure that, if HASH_START had ever |
| 881been, executed the platform could use the value to invoke special processing. Once the |
| 882processing is complete the platform will wish to reset tpmEstablished to avoid invoking the |
| 883special process again. |
| 884The TPM_PERMANENT_FLAGS -> tpmEstablished bit described in the TPM specifications |
| 885uses positive logic. The TPM_ACCESS register uses negative logic, so that TRUE is reflected |
| 886as a 0. |
| 887End of informative comment. |
| 888Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TSC_ORD_ResetEstablishmentBit |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 889Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TSC_ORD_ResetEstablishmentBit |
| |
| 890Actions |
| 8911. Validate the assertion of locality 3 or locality 4 |
| 8922. Set TPM_PERMANENT_FLAGS -> tpmEstablished to FALSE |
| 8933. Return TPM_SUCCESS |
| |
| 214Level 2 Revision 116 28 February 2011 |
| 215 |
| |
| 37 |
| TCG Published |
| |
| 216Copyright © TCG |
| 217 |
| 218 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 8947. The Capability Commands |
| 895Start of informative comment: |
| 896The TPM has numerous capabilities that a remote entity may wish to know about. These |
| 897items include support of algorithms, key sizes, protocols and vendor-specific additions. The |
| 898TPM_GetCapability command allows the TPM to report back to the requestor what type of |
| 899TPM it is dealing with. |
| 900The request for information requires the requestor to specify which piece of information that |
| 901is required. The request does not allow the “merging” of multiple requests and returns only |
| 902a single piece of information. |
| 903In failure mode, the TPM returns a limited set of information that includes the TPM |
| 904manufacturer and version. |
| 905In version 1.2 with the deletion of TPM_GetCapabilitySigned the way to obtain a signed |
| 906listing of the capabilities is to create a transport session, perform TPM_GetCapability |
| 907commands to list the information and then close the transport session using |
| 908TPM_ReleaseTransportSigned. |
| 909End of informative comment. |
| 9101. The standard information provided in TPM_GetCapability MUST NOT provide unique |
| 911 |
| information |
| 912 |
| 913 |
| 914 |
| |
| 219 |
| 220 |
| |
| a. The TPM has no control of information placed into areas on the TPM like the NV store |
| that is reported by the TPM. Configuration information for these areas could conceivably |
| be unique |
| |
| 38 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 221TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 222Specification Version 1.2 |
| |
| 9157.1 |
| |
| TPM_GetCapability |
| |
| 916Start of informative comment: |
| 917This command returns current information regarding the TPM. |
| 918The limitation on what can be returned in failure mode restricts the information a |
| 919manufacturer may return when capArea indicates TPM_CAP_MFR. |
| 920End of informative comment. |
| 921Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetCapability |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_CAPABILITY_AREA |
| |
| capArea |
| |
| Partition of capabilities to be interrogated |
| |
| 5 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| subCapSize |
| |
| Size of subCap parameter |
| |
| 6 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[] |
| |
| subCap |
| |
| Further definition of information |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 922Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetCapability |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| respSize |
| |
| The length of the returned capability response |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| resp |
| |
| The capability response |
| |
| 923 |
| |
| 223Level 2 Revision 116 28 February 2011 |
| 224 |
| |
| 39 |
| TCG Published |
| |
| 225Copyright © TCG |
| 226 |
| 227 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 924Actions |
| 9251. The TPM validates the capArea and subCap indicators. If the information is available, |
| 926 |
| the TPM creates the response field and fills in the actual information. |
| 9272. The structure document contains the list of caparea and subCap values |
| 9283. If the TPM is in failure mode or limited operation mode, the TPM MUST return |
| 929 |
| |
| a. TPM_CAP_VERSION |
| |
| 930 |
| |
| b. TPM_CAP_VERSION_VAL |
| |
| 931 |
| |
| c. TPM_CAP_MFR |
| |
| 932 |
| |
| d. TPM_CAP_PROPERTY -> TPM_CAP_PROP_MANUFACTURER |
| |
| 933 |
| |
| e. TPM_CAP_PROPERTY -> TPM_CAP_PROP_DURATION |
| |
| 934 |
| |
| f. TPM_CAP_PROPERTY -> TPM_CAP_PROP_TIS_TIMEOUT |
| |
| 935 |
| |
| g. The TPM MAY return any other capability. |
| |
| 228 |
| 229 |
| |
| 40 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 230TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 231Specification Version 1.2 |
| |
| 9367.2 |
| |
| TPM_SetCapability |
| |
| 937Start of informative comment: |
| 938This command sets values in the TPM. |
| 939A setValue that is inconsistent with the capArea and subCap is considered a bad |
| 940parameter. |
| 941End of informative comment. |
| 942Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| ordinal: TPM_ORD_SetCapability |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_CAPABILITY_AREA |
| |
| capArea |
| |
| Partition of capabilities to be set |
| |
| 5 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| subCapSize |
| |
| Size of subCap parameter |
| |
| 6 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[] |
| |
| subCap |
| |
| Further definition of information |
| |
| 7 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| setValueSize |
| |
| The size of the value to set |
| |
| 8 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[] |
| |
| setValue |
| |
| The value to set |
| |
| 9 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 10 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 11 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 12 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| Authorization. HMAC key: owner.usageAuth. |
| |
| 232Level 2 Revision 116 28 February 2011 |
| 233 |
| |
| 41 |
| TCG Published |
| |
| 234Copyright © TCG |
| 235 |
| 236 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 943Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| ordinal: TPM_ORD_SetCapability |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization HMAC key:owner.usageAuth. |
| |
| 20 |
| |
| 944Actions |
| 9451. If tag = TPM_TAG_RQU_AUTH1_COMMAND, validate the command and parameters |
| 946 |
| using ownerAuth, return TPM_AUTHFAIL on error |
| 9472. The TPM validates the capArea and subCap indicators, including the ability to set value |
| 948 |
| based on any set restrictions |
| 9493. If the capArea and subCap indicators conform with one of the entries in the structure |
| 950 |
| TPM_CAPABILITY_AREA (Values for TPM_SetCapability) |
| 951 |
| |
| a. The TPM sets the relevant flag/data to the value of setValue parameter. |
| |
| 9524. Else |
| 953 |
| |
| 237 |
| 238 |
| |
| a. Return the error code TPM_BAD_PARAMETER. |
| |
| 42 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 239TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 240Specification Version 1.2 |
| |
| 9547.3 |
| |
| TPM_GetCapabilityOwner |
| |
| 955Start of informative comment: |
| 956TPM_GetCapabilityOwner enables the TPM Owner to retrieve all the non-volatile flags and |
| 957the volatile flags in a single operation. |
| 958The flags summarize many operational aspects of the TPM. The information represented by |
| 959some flags is private to the TPM Owner. So, for simplicity, proof of ownership of the TPM |
| 960must be presented to retrieve the set of flags. When necessary, the flags that are not private |
| 961to the Owner can be deduced by Users via other (more specific) means. |
| 962The normal TPM authentication mechanisms are sufficient to prove the integrity of the |
| 963response. No additional integrity check is required. |
| 964End of informative comment. |
| 965Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| # |
| |
| Type |
| |
| SZ |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetCapabilityOwner |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization handle used for Owner authorization. |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 5 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 6 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization handle |
| |
| 7 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization digest for inputs and owner authorization. HMAC key: |
| OwnerAuth. |
| |
| 966 |
| 967Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| # |
| |
| Type |
| |
| SZ |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. See section 4.3. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal: TPM_ORD_GetCapabilityOwner |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| TPM_VERSION |
| |
| version |
| |
| A properly filled out version structure. |
| |
| 5 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| non_volatile_flags |
| |
| The current state of the non-volatile flags. |
| |
| 6 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| volatile_flags |
| |
| The current state of the volatile flags. |
| |
| 7 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization digest for the returned parameters. HMAC key: OwnerAuth. |
| |
| 8 |
| |
| 1 |
| |
| 9 |
| |
| 20 |
| |
| 241Level 2 Revision 116 28 February 2011 |
| 242 |
| |
| 43 |
| TCG Published |
| |
| 243Copyright © TCG |
| 244 |
| 245 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 968 |
| 969Description |
| 970For 31>=N>=0 |
| 9711. |
| 972 |
| 973 |
| 974 |
| |
| Bit-N of the TPM_PERMANENT_FLAGS structure is the Nth bit after the opening bracket |
| in the definition of TPM_PERMANENT_FLAGS in the version of the specification |
| indicated by the parameter “version”. The bit immediately after the opening bracket is |
| the 0th bit. |
| |
| 9752. Bit-N of the TPM_STCLEAR_FLAGS structure is the Nth bit after the opening bracket in |
| 976 |
| the definition of TPM_STCLEAR_FLAGS in the version of the specification indicated by |
| 977 |
| the parameter “version”. The bit immediately after the opening bracket is the 0 th bit. |
| 9783. Bit-N of non_volatile_flags corresponds to the Nth bit in TPM_PERMANENT_FLAGS, and |
| 979 |
| the lsb of non_volatile_flags corresponds to bit0 of TPM_PERMANENT_FLAGS |
| 9804. Bit-N of volatile_flags corresponds to the Nth bit in TPM_STCLEAR_FLAGS, and the lsb |
| 981 |
| of volatile_flags corresponds to bit0 of TPM_STCLEAR_FLAGS |
| 982Actions |
| 9831. The TPM validates that the TPM Owner authorizes the command. |
| 9842. The TPM creates the parameter non_volatile_flags by setting each bit to the same state |
| 985 |
| as the corresponding bit in TPM_PERMANENT_FLAGS. Bits in non_volatile_flags for |
| 986 |
| which there is no corresponding bit in TPM_PERMANENT_FLAGS are set to zero. |
| 9873. The TPM creates the parameter volatile_flags by setting each bit to the same state as the |
| 988 |
| corresponding bit in TPM_STCLEAR_FLAGS. Bits in volatile_flags for which there is no |
| 989 |
| corresponding bit in TPM_STCLEAR_FLAGS are set to zero. |
| 9904. The TPM generates the parameter “version”. |
| 9915. The TPM returns non_volatile_flags, volatile_flags and version to the caller. |
| |
| 246 |
| 247 |
| |
| 44 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 248TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 249Specification Version 1.2 |
| |
| 9928. |
| |
| Auditing |
| |
| 9938.1 |
| |
| Audit Generation |
| |
| 994Start of informative comment: |
| 995The TPM generates an audit event in response to the TPM successfully executing a |
| 996command that has the audit flag set to TRUE for that command ordinal. |
| 997The TPM maintains an extended value for all audited operations. |
| 998End of informative comment. |
| 999Description |
| 10001. The TPM extends the audit digest whenever the ordinalAuditStatus is TRUE for the |
| 1001 |
| ordinal about to be executed. |
| 10022. The TPM extends the audit digest only when a command is successfully executed. |
| 1003 |
| 1004 |
| |
| a. If the ordinal is unknown, unimplemented, or cannot be determined, no auditing is |
| performed. |
| |
| 10053. Corner cases |
| 1006 |
| 1007 |
| 1008 |
| |
| a. TPM_SaveState: Only the input parameters are audited, and the audit occurs before |
| the state is saved. If an error occurs while or after the state is saved, the audit still |
| occurs. |
| |
| 1009 |
| 1010 |
| 1011 |
| |
| b. TPM_SetOrdinalAuditStatus: In the case where the ordinalToAudit is TPM_ORD_SetOrdinalAuditStatus, audit is based on the initial state, not the final |
| state. |
| |
| 1012Actions |
| 1013The TPM will execute the ordinal and perform auditing in the following manner: |
| 10141. Execute command |
| 1015 |
| |
| a. Execution implies the performance of the listed actions for the ordinal. |
| |
| 10162. If the command will return TPM_SUCCESS |
| 1017 |
| 1018 |
| 1019 |
| |
| a. If TPM_STANY_DATA -> auditDigest is all zeros |
| i. Increment TPM_PERMANENT_DATA -> auditMonotonicCounter by 1 |
| b. Create A1 a TPM_AUDIT_EVENT_IN structure |
| |
| 1020 |
| 1021 |
| |
| i. Set A1 -> inputParms to the digest of the input parameters from the |
| command |
| |
| 1022 |
| 1023 |
| |
| 1. Digest value according to the HMAC digest rules of the "above the |
| line" parameters (i.e. the first HMAC digest calculation). |
| |
| 1024 |
| 1025 |
| |
| ii. Set |
| A1 |
| -> |
| auditCount |
| auditMonotonicCounter |
| |
| 250Level 2 Revision 116 28 February 2011 |
| 251 |
| |
| 45 |
| TCG Published |
| |
| to |
| |
| TPM_PERMANENT_DATA |
| |
| -> |
| |
| 252Copyright © TCG |
| 253 |
| 254 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1026 |
| 1027 |
| |
| c. Set TPM_STANY_DATA |
| auditDigest || A1) |
| |
| 1028 |
| |
| d. Create A2 a TPM_AUDIT_EVENT_OUT structure |
| |
| -> |
| |
| auditDigest |
| |
| to |
| |
| SHA-1 |
| |
| (TPM_STANY_DATA |
| |
| -> |
| |
| 1029 |
| 1030 |
| |
| i. Set A2 -> outputParms to the digest of the output parameters from the |
| command |
| |
| 1031 |
| 1032 |
| |
| 1. Digest value according to the HMAC digest rules of the "above the |
| line" parameters (i.e. the first HMAC digest calculation). |
| |
| 1033 |
| 1034 |
| |
| ii. Set |
| A2 |
| -> |
| auditCount |
| auditMonotonicCounter |
| |
| 1035 |
| 1036 |
| |
| e. Set TPM_STANY_DATA |
| auditDigest || A2) |
| |
| -> |
| |
| auditDigest |
| |
| to |
| |
| TPM_PERMANENT_DATA |
| |
| to |
| |
| SHA-1 |
| |
| (TPM_STANY_DATA |
| |
| 1037 |
| |
| 255 |
| 256 |
| |
| 46 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| -> |
| -> |
| |
| 257TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 258Specification Version 1.2 |
| |
| 10388.2 |
| |
| Effect of audit failing |
| |
| 1039Start of informative comment: |
| 1040The TPM audit process could have an internal error when attempting to audit a command. |
| 1041To indicate the audit failure, the TPM will return TPM_AUDITFAIL_SUCCESSFUL. This new |
| 1042functionality changes the 1.1 TPM functionality when this condition occurs. |
| 1043Since no audit occurs if the command fails, The TPM_AUDITFAIL_UNSUCCESSFUL return |
| 1044code is no longer used. |
| 1045End of informative comment. |
| 10461. When, in performing the audit process, the TPM has an internal failure (unable to write, |
| 1047 |
| SHA-1 failure etc.) the TPM MUST set the internal TPM state such that the TPM returns |
| 1048 |
| the TPM_FAILEDSELFTEST error on subsequent attempts to execute a command. |
| 10492. The return code for the command uses the following rules |
| 1050 |
| |
| a. Command result success, audit success -> return TPM_SUCCESS |
| |
| 1051 |
| |
| b. Command result failure, no audit -> return command result failure |
| |
| 1052 |
| |
| c. Command result success, audit failure -> return TPM_AUDITFAIL_SUCCESSFUL |
| |
| 10533. |
| 1054 |
| 1055 |
| 1056 |
| |
| If the TPM is permanently nonrecoverable after an audit failure, then the TPM MUST |
| always |
| return |
| TPM_FAILEDSELFTEST |
| for |
| every |
| command |
| other |
| than |
| TPM_GetTestResult. This state must persist regardless of power cycling, the execution |
| of TPM_Init or any other actions. |
| |
| 259Level 2 Revision 116 28 February 2011 |
| 260 |
| |
| 47 |
| TCG Published |
| |
| 261Copyright © TCG |
| 262 |
| 263 |
| |
| 10578.3 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_GetAuditDigest |
| |
| 1058Start of informative comment: |
| 1059This returns the current audit digest. The external audit log has the responsibility to track |
| 1060the parameters that constitute the audit digest. |
| 1061This value may be unique to an individual TPM. The value however will be changing at a |
| 1062rate set by the TPM Owner. Those attempting to use this value may find it changing without |
| 1063their knowledge. This value represents a very poor source of tracking uniqueness. |
| 1064End of informative comment. |
| 1065Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetAuditDigest |
| |
| 4 |
| |
| 4 |
| |
| UINT32 |
| |
| startOrdinal |
| |
| The starting ordinal for the list of audited ordinals |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1066Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| Tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 5 |
| |
| 10 |
| |
| TPM_COUNTER_VALUE |
| |
| counterValue |
| |
| The current value of the audit monotonic counter |
| |
| 4 |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| auditDigest |
| |
| Log of all audited events |
| |
| 5 |
| |
| 1 |
| |
| BOOL |
| |
| more |
| |
| TRUE if the output does not contain a full list of audited ordinals |
| |
| 5 |
| |
| 4 |
| |
| UINT32 |
| |
| ordSize |
| |
| Size of the ordinal list in bytes |
| |
| 6 |
| |
| <> |
| |
| BYTE[] |
| |
| ordList |
| |
| List of ordinals that are audited. |
| |
| 1067Description |
| 10681. This command is never audited. |
| 1069Actions |
| 10701. The TPM sets auditDigest to TPM_STANY_DATA -> auditDigest |
| 10712. The TPM sets counterValue to TPM_PERMANENT_DATA -> auditMonotonicCounter |
| 10723. The TPM creates an ordered list of audited ordinals. The list starts at startOrdinal listing |
| 1073 |
| each ordinal that is audited. |
| 1074 |
| 1075 |
| 264 |
| 265 |
| |
| a. If startOrdinal is 0 then the first ordinal that could be audited would be TPM_OIAP |
| (ordinal 0x0000000A) |
| |
| 48 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 266TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 267Specification Version 1.2 |
| |
| 1076 |
| |
| b. The next ordinal would be TPM_OSAP (ordinal 0x0000000B) |
| |
| 10774. If the ordered list does not fit in the output buffer the TPM sets more to TRUE |
| 10785. Return TPM_STANY_DATA -> auditDigest as auditDigest |
| |
| 268Level 2 Revision 116 28 February 2011 |
| 269 |
| |
| 49 |
| TCG Published |
| |
| 270Copyright © TCG |
| 271 |
| 272 |
| |
| 10798.4 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_GetAuditDigestSigned |
| |
| 1080Start of informative comment: |
| 1081The signing of the audit log returns the entire digest value and the list of currently audited |
| 1082commands. |
| 1083The inclusion of the list of audited commands as an atomic operation is to tie the current |
| 1084digest value with the list of commands that are being audited. |
| 1085Note to future architects |
| 1086When auditing functionality is active in a TPM, it may seem logical to remove this ordinal |
| 1087from the active set of ordinals as the signing functionality of this command could be |
| 1088handled in a signed transport session. While true, this command has a secondary affect |
| 1089also, resetting the audit log digest. As the reset requires TPM Owner authentication, there |
| 1090must be some way in this command to reflect the TPM Owner wishes. By requiring that a |
| 1091TPM Identity key be the only key that can sign and reset, the TPM Owner’s authentication is |
| 1092implicit in the execution of the command (TPM Identity Keys are created and controlled by |
| 1093the TPM Owner only). Hence, while one might want to remove an ordinal this is not one that |
| 1094can be removed if auditing is functional. |
| 1095End of informative comment. |
| 1096Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetAuditDigestSigned |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| The handle of a loaded key that can perform digital signatures. |
| |
| 5 |
| |
| 1 |
| |
| 2S |
| |
| 1 |
| |
| BOOL |
| |
| closeAudit |
| |
| Indication if audit session should be closed |
| |
| 6 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| A nonce to prevent replay attacks |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for key authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 10 |
| |
| 273 |
| 274 |
| |
| 20 |
| |
| 9 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| keyAuth |
| |
| Authorization. HMAC key: key.usageAuth. |
| |
| 50 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 275TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 276Specification Version 1.2 |
| |
| 1097Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetAuditDigestSigned |
| |
| 4 |
| |
| 10 |
| |
| 3S |
| |
| 10 |
| |
| TPM_COUNTER_VALUE |
| |
| counterValue |
| |
| The value of the audit monotonic counter |
| |
| 5 |
| |
| 20 |
| |
| 4S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| auditDigest |
| |
| Log of all audited events |
| |
| 6 |
| |
| 20 |
| |
| 5S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| ordinalDigest |
| |
| Digest of all audited ordinals |
| |
| 7 |
| |
| 4 |
| |
| 6S |
| |
| 4 |
| |
| UINT32 |
| |
| sigSize |
| |
| The size of the sig parameter |
| |
| 8 |
| |
| <> |
| |
| 7S |
| |
| <> |
| |
| BYTE[] |
| |
| sig |
| |
| The signature of the area |
| |
| 9 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization HMAC key: key.usageAuth. |
| |
| 10 |
| |
| 1 |
| |
| 11 |
| |
| 20 |
| |
| 1098Actions |
| 10991. Validate the AuthData and parameters using keyAuth, return TPM_AUTHFAIL on error |
| 11002. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY or |
| 1101 |
| TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE |
| 11023. The TPM validates that the key pointed to by keyHandle has a signature scheme of |
| 1103 |
| TPM_SS_RSASSAPKCS1v15_SHA1 |
| or |
| TPM_SS_RSASSAPKCS1v15_INFO, |
| return |
| 1104 |
| TPM_INVALID_KEYUSAGE on error |
| 11054. Create D1 a TPM_SIGN_INFO structure and set the structure defaults |
| 1106 |
| |
| a. Set D1 -> fixed to “ADIG” |
| |
| 1107 |
| |
| b. Set D1 -> replay to antiReplay |
| |
| 1108 |
| 1109 |
| |
| c. Create D3 a list of all audited ordinals as defined in the TPM_GetAuditDigest |
| UINT32[] ordList outgoing parameter |
| |
| 1110 |
| |
| d. Create D4 the SHA-1 of D3 |
| |
| 1111 |
| |
| e. Set auditDigest to TPM_STANY_DATA -> auditDigest |
| |
| 1112 |
| |
| f. Set counterValue to TPM_PERMANENT_DATA -> auditMonotonicCounter |
| |
| 1113 |
| |
| g. Create D2 the concatenation of auditDigest || counterValue || D4 |
| |
| 1114 |
| |
| h. Set D1 -> data to D2 |
| |
| 1115 |
| 1116 |
| |
| i. Create a digital signature of the SHA-1 of D1 by using the signature scheme for |
| keyHandle |
| |
| 1117 |
| |
| j. |
| |
| Set ordinalDigest to D4 |
| |
| 11185. If closeAudit == TRUE |
| 277Level 2 Revision 116 28 February 2011 |
| 278 |
| |
| 51 |
| TCG Published |
| |
| 279Copyright © TCG |
| 280 |
| 281 |
| |
| 1119 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| a. If keyHandle->keyUsage is TPM_KEY_IDENTITY |
| |
| 1120 |
| |
| i. |
| |
| 1121 |
| |
| b. Else |
| |
| 1122 |
| |
| i. |
| |
| 282 |
| 283 |
| |
| TPM_STANY_DATA -> auditDigest MUST be set to all zeros. |
| Return TPM_INVALID_KEYUSAGE |
| |
| 52 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 284TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 285Specification Version 1.2 |
| |
| 11238.5 |
| |
| TPM_SetOrdinalAuditStatus |
| |
| 1124Start of informative comment: |
| 1125Set the audit flag for a given ordinal. Requires the authentication of the TPM Owner. |
| 1126End of informative comment. |
| 1127Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SetOrdinalAuditStatus |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinalToAudit |
| |
| The ordinal whose audit flag is to be set |
| |
| 5 |
| |
| 1 |
| |
| 3S |
| |
| 1 |
| |
| BOOL |
| |
| auditState |
| |
| Value for audit flag |
| |
| 6 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 7 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 8 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 9 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| HMAC key: ownerAuth. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 1128Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SetOrdinalAuditStatus |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth. |
| |
| 20 |
| |
| 1129Actions |
| 11301. Validate the AuthData to execute the command and the parameters |
| 11312. Validate that the ordinal points to a valid TPM ordinal, return TPM_BADINDEX on error |
| 1132 |
| |
| a. Valid TPM ordinal means an ordinal that the TPM implementation supports |
| |
| 11333. Set the non-volatile flag associated with ordinalToAudit to the value in auditState |
| |
| 286Level 2 Revision 116 28 February 2011 |
| 287 |
| |
| 53 |
| TCG Published |
| |
| 288Copyright © TCG |
| 289 |
| 290 |
| |
| 11349. |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Administrative Functions - Management |
| |
| 11359.1 |
| |
| TPM_FieldUpgrade |
| |
| 1136Start of informative comment: |
| 1137The TPM needs a mechanism to allow for updating the protected capabilities once a TPM is |
| 1138in the field. Given the varied nature of TPM implementations there will be numerous |
| 1139methods of performing an upgrade of the protected capabilities. This command, when |
| 1140implemented, provides a manufacturer specific method of performing the upgrade. |
| 1141The manufacturer can determine, within the listed requirements, how to implement this |
| 1142command. The command may be more than one command and actually a series of |
| 1143commands. |
| 1144The IDL definition is to create an ordinal for the command. However, the remaining |
| 1145parameters are manufacturer specific. |
| 1146The policy to determine when it is necessary to perform the actions of TPM_RevokeTrust is |
| 1147outside the TPM spec and determined by other TCG workgroups. |
| 1148TPM_FieldUpgrade is gated by either owner authorization or deferred assertion of Physical |
| 1149Presence |
| (via |
| the |
| TPM_STCLEAR_DATA |
| -> |
| deferredPhysicalPresence |
| -> |
| 1150unownedFieldUpgrade flag). This gating is acknowledgement that the entity that sets the |
| 1151security policy for a platform must approve field upgrade for that platform. This gating can |
| 1152block a global attack on TPMs when the TPME’s privilege information (private key) has been |
| 1153compromised. For blocking to be effective in an unowned TPM, the TPM’s ownership flag |
| 1154must be FALSE. (This prevents software from taking ownership and executing |
| 1155TPM_FieldUpgrade with owner authorization.) |
| 1156If an owner is present, field upgrade MUST be owner authorized, as the actions indicate. |
| 1157This prevents an attacker from using physical presence to upgrade a TPM without detection |
| 1158by the owner. |
| 1159The advantages of deferred assertion of Physical Presence are that it: |
| 1160 |
| |
| • |
| |
| permits a TPM to be upgraded if taking ownership is undesirable or impractical. |
| |
| 1161 |
| 1162 |
| |
| • |
| |
| permits a TPM to be upgraded in the OS environment (where Physical Presence |
| typically cannot be asserted), when the TPM has no owner. |
| |
| 1163If it is acceptable to take ownership of a TPM temporarily, an alternative to deferred |
| 1164assertion of Physical Presence is the process: (1) take ownership; (2) perform an owner |
| 1165authorized field upgrade; (3) clear the owner from the TPM. |
| 1166There is no requirement for patch confidentiality. Confidentiality may be implemented |
| 1167using a manufacturer specific mechanism, and may use a global secret such as a |
| 1168symmetric encryption key. |
| 1169The TPM may set the volatile deactivated flag to TRUE if a reboot is required after the field |
| 1170upgrade. There is no requirement to do so. |
| 1171The TPM must check owner authorization before changing the TPM state or beginning the |
| 1172upgrade. This prevents a non-owner from mounting a denial-of-service attack. It is |
| 1173understood that a TPM may not be able to stage the entire upgrade patch inside the TPM |
| 291 |
| 292 |
| |
| 54 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 293TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 294Specification Version 1.2 |
| |
| 1174before checking owner authorization. That TPM may be forced to move the patch outside |
| 1175the owner authorization HMAC. |
| 1176Ideally, if the upgrade fails (e.g., due to an authentication failure) the TPM firmware should |
| 1177remain unchanged. It is understood that a TPM may not be able to stage the entire upgrade |
| 1178patch inside the TPM for authentication before beginning the upgrade. On a failure, that |
| 1179TPM may be forced to roll the firmware back to a ROMed version. It may go into an upgrade |
| 1180failure state, where it requires a successful field upgrade before continuing. |
| 1181If a field upgrade adds or deletes features, the security implications must be analyzed. The |
| 1182associated state must be set to prevent attacks. See, for example, allowMaintenance in Part |
| 11832. In addition, if a field upgrade adds maintenance commands, it must atomically install |
| 1184the manufacturer’s maintenance public key. |
| 1185End of informative comment. |
| 1186IDL Definition |
| 1187TPM_RESULT TPM_FieldUpgrade( |
| 1188 |
| [in, out] TPM_AUTH* ownerAuth, |
| 1189 |
| …); |
| 1190Type |
| 1191This is an optional command and a TPM is not required to implement this command in any |
| 1192form. |
| 1193Parameters |
| Type |
| |
| Name |
| |
| Description |
| |
| TPM_AUTH |
| |
| ownerAuth |
| |
| Authentication from TPM owner to execute command |
| |
| … |
| |
| Remaining parameters are manufacturer specific |
| |
| 1194Description |
| 1195The patch integrity and authenticity verification mechanisms in the TPM MUST not require |
| 1196the TPM to hold a global secret. The definition of global secret is a secret value shared by |
| 1197more than one TPM. |
| 1198The TPME is not allowed to pre-store or use unique identifiers in the TPM for the purpose of |
| 1199field upgrade. The TPM MUST NOT use the endorsement key for identification or encryption |
| 1200in the upgrade process. The upgrade process MAY use a TPM Identity to deliver upgrade |
| 1201information to specific TPM’s. |
| 1202The upgrade process SHOULD only change protected capabilities. The upgrade process |
| 1203SHOULD NOT change shielded locations. |
| 1204The upgrade process MUST NOT change the disabled or deactivated state from TRUE to |
| 1205FALSE. |
| 1206The upgrade process SHOULD only access data in shielded locations where this data is |
| 1207necessary to validate the TPM Owner, validate the TPME and manipulate the blob. |
| |
| 295Level 2 Revision 116 28 February 2011 |
| 296 |
| |
| 55 |
| TCG Published |
| |
| 297Copyright © TCG |
| 298 |
| 299 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1208The execution of a TPM_FieldUpgrade command in a TPM MUST leave the TPM in a state |
| 1209that conforms to a version of TCG's TPM specification and conforms to any extant TCG1210defined credentials (certificates) that attest to that upgraded TPM. |
| 1211The security target used to valuate this TPM MUST include this command in the TOE. |
| 1212If the owner authorization fails, the state of the TPM (volatile, nonvolatile, and firmware) |
| 1213MUST remain unchanged. The only exception shall be the dictionary attack mitigation |
| 1214state, which should process the authentication failure. |
| 1215Actions |
| 1216The TPM SHALL perform the following when executing the command: |
| 12171. If TPM Owner is installed |
| 1218 |
| 1219 |
| |
| a. Validate the command and parameters using TPM owner authentication, return |
| TPM_AUTHFAIL on error |
| |
| 12202. Else |
| 1221 |
| 1222 |
| |
| a. If TPM_STCLEAR_DATA -> deferredPhysicalPresence -> unownedFieldUpgrade is |
| FALSE return TPM_BAD_PRESENCE. |
| |
| 12233. Validate that the upgrade information was sent by the TPME. The validation mechanism |
| 1224 |
| MUST use a strength of function that is at least the same strength of function as a |
| 1225 |
| digital signature performed using a 2048 bit RSA key. |
| 12264. Validate that the upgrade target is the appropriate TPM model and version. |
| 12275. Process the upgrade information and update the protected capabilities |
| 12286. Set the TPM_PERMANENT_DATA -> revMajor and TPM_PERMANENT_DATA -> revMinor |
| 1229 |
| to the values indicated in the upgrade. The selection of the value is a manufacturer |
| 1230 |
| option. |
| 1231 |
| 1232 |
| |
| a. The TPM MAY validate that the upgrade major and minor revision are monotonically |
| increasing. |
| |
| 1233 |
| 1234 |
| |
| b. The TPM MAY allow upgrade with a major and minor revision that is less than |
| currently installed in the TPM. |
| |
| 12357. The TPM MAY set the TPM_STCLEAR_FLAGS.deactivated to TRUE |
| |
| 300 |
| 301 |
| |
| 56 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 302TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 303Specification Version 1.2 |
| |
| 12369.2 |
| |
| TPM_SetRedirection |
| |
| 1237Start of informative comment: |
| 1238The redirection command attaches a key to a redirection receiver. |
| 1239When making the connection to a GPIO channel the authorization restrictions are set at |
| 1240connection time and not for each invocation that uses the channel. |
| 1241End of informative comment. |
| 1242Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SetRedirection |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| The keyHandle identifier of a loaded key that can implement redirection. |
| |
| 5 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| redirCmd |
| |
| The command to execute |
| |
| 6 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| inputDataSize |
| |
| The size of the input data |
| |
| 7 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE |
| |
| inputData |
| |
| Manufacturer parameter |
| |
| 8 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle authorization |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 9 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 10 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 11 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| HMAC key ownerAuth |
| |
| 1243Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| # |
| |
| Type |
| |
| SZ |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| 20 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SetRedirection |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| key.usageAuth |
| |
| 1244 |
| 1245Action |
| 12461. If tag == TPM_TAG_RQU_AUTH1_COMMAND |
| 304Level 2 Revision 116 28 February 2011 |
| 305 |
| |
| 57 |
| TCG Published |
| |
| 306Copyright © TCG |
| 307 |
| 308 |
| |
| 1247 |
| 1248 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| a. Validate the command and parameters using TPM Owner authentication, on error |
| return TPM_AUTHFAIL |
| |
| 12492. if redirCmd == TPM_REDIR_GPIO |
| 1250 |
| 1251 |
| |
| a. Validate that keyHandle points to a loaded key, return TPM_INVALID_KEYHANDLE |
| on error |
| |
| 1252 |
| |
| b. Validate the key attributes specify redirection, return TPM_BAD_TYPE on error |
| |
| 1253 |
| |
| c. Validate that inputDataSize is 4, return TPM_BAD_PARAM_SIZE on error |
| |
| 1254 |
| 1255 |
| |
| d. Validate |
| that |
| inputData |
| TPM_BAD_PARAMETER on error |
| |
| 1256 |
| |
| e. Map C1 to the TPM_GPIO_CONFIG_CHANNEL structure indicated by inputData |
| |
| 1257 |
| |
| f. If C1 -> attr specifies TPM_GPIO_ATTR_OWNER |
| |
| 1258 |
| 1259 |
| |
| i. |
| |
| to |
| |
| a |
| |
| valid |
| |
| GPIO |
| |
| channel, |
| |
| return |
| |
| If tag != TPM_TAG_RQU_AUTH1_COMMAND return TPM_AUTHFAIL |
| |
| g. If C1 -> attr specifies TPM_GPIO_ATTR_PP |
| |
| 1260 |
| 1261 |
| 1262 |
| |
| points |
| |
| i. If TPM_STCLEAR_FLAGS |
| TPM_BAD_PRESENCE |
| |
| -> |
| |
| physicalPresence |
| |
| == |
| |
| FALSE, |
| |
| then |
| |
| return |
| |
| h. Return TPM_SUCCESS |
| |
| 12633. The TPM MAY support other redirection types. These types may be specified by TCG or |
| 1264 |
| provided by the manufacturer. |
| |
| 309 |
| 310 |
| |
| 58 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 311TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 312Specification Version 1.2 |
| |
| 12659.3 |
| |
| TPM_ResetLockValue |
| |
| 1266Start of informative comment: |
| 1267Command that resets the TPM dictionary attack mitigation values |
| 1268This allows the TPM owner to cancel the effect of a number of successive authorization |
| 1269failures. Dictionary attack mitigation is vendor specific, and the actions here are one |
| 1270possible implementation. The TPM may treat an authorization failure outside the mitigation |
| 1271time as a normal failure and not disable the command. |
| 1272If this command itself has an authorization failure, it is blocked for the remainder of the |
| 1273lock out period. This prevents a dictionary attack on the owner authorization using this |
| 1274command. |
| 1275It is understood that this command allows the TPM owner to perform a dictionary attack on |
| 1276other authorization values by alternating a trial and this command. Similarly, delegating |
| 1277this command allows the owner’s delegate to perform a dictionary attack. |
| 1278End of informative comment. |
| 1279Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ResetLockValue |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for TPM Owner authorization |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 5 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 6 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 7 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| HMAC key TPM Owner auth |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 1280Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| 20 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ResetLockValue |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| HMAC key: TPM Owner auth |
| |
| 313Level 2 Revision 116 28 February 2011 |
| 314 |
| |
| 59 |
| TCG Published |
| |
| 315Copyright © TCG |
| 316 |
| 317 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1281Action |
| 12821. If TPM_STCLEAR_DATA -> disableResetLock is TRUE return TPM_AUTHFAIL |
| 1283 |
| 1284 |
| |
| a. The internal dictionary attack mechanism will set TPM_STCLEAR_DATA -> |
| disableResetLock to FALSE when the timeout period expires |
| |
| 12852. If the command and parameters validation using ownerAuth fails |
| 1286 |
| |
| a. Set TPM_STCLEAR_DATA -> disableResetLock to TRUE |
| |
| 1287 |
| |
| b. Restart the TPM dictionary attack lock out period |
| |
| 1288 |
| |
| c. Return TPM_AUTHFAIL |
| |
| 12893. Reset the internal TPM dictionary attack mitigation mechanism |
| 1290 |
| 1291 |
| |
| 318 |
| 319 |
| |
| a. The mechanism is vendor specific and can include time outs, reboots, and other |
| mitigation strategies |
| |
| 60 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 320TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 321Specification Version 1.2 |
| |
| 129210. |
| 129310.1 |
| |
| Storage functions |
| TPM_Seal |
| |
| 1294Start of informative comment: |
| 1295The SEAL operation allows software to explicitly state the future “trusted” configuration that |
| 1296the platform must be in for the secret to be revealed. The SEAL operation also implicitly |
| 1297includes the relevant platform configuration (PCR-values) when the SEAL operation was |
| 1298performed. The SEAL operation uses the tpmProof value to BIND the blob to an individual |
| 1299TPM. |
| 1300If the UNSEAL operation succeeds, proof of the platform configuration that was in effect |
| 1301when the SEAL operation was performed is returned to the caller, as well as the secret data. |
| 1302This proof may, or may not, be of interest. If the SEALed secret is used to authenticate the |
| 1303platform to a third party, a caller is normally unconcerned about the state of the platform |
| 1304when the secret was SEALed, and the proof may be of no interest. On the other hand, if the |
| 1305SEALed secret is used to authenticate a third party to the platform, a caller is normally |
| 1306concerned about the state of the platform when the secret was SEALed. Then the proof is of |
| 1307interest. |
| 1308For example, if SEAL is used to store a secret key for a future configuration (probably to |
| 1309prove that the platform is a particular platform that is in a particular configuration), the |
| 1310only requirement is that that key can be used only when the platform is in that future |
| 1311configuration. Then there is no interest in the platform configuration when the secret key |
| 1312was SEALed. An example of this case is when SEAL is used to store a network |
| 1313authentication key. |
| 1314On the other hand, suppose an OS contains an encrypted database of users allowed to log |
| 1315on to the platform. The OS uses a SEALED blob to store the encryption key for the user1316database. However, the nature of SEAL is that any SW stack can SEAL a blob for any other |
| 1317software stack. Hence, the OS can be attacked by a second OS replacing both the SEALED1318blob encryption key, and the user database itself, allowing untrusted parties access to the |
| 1319services of the OS. To thwart such attacks, SEALED blobs include the past SW |
| 1320configuration. Hence, if the OS is concerned about such attacks, it may check to see |
| 1321whether the past configuration is one that is known to be trusted. |
| 1322TPM_Seal requires the encryption of one parameter (“Secret”). For the sake of uniformity |
| 1323with other commands that require the encryption of more than one parameter, the string |
| 1324used for XOR encryption is generated by concatenating a nonce (created during the OSAP |
| 1325session) with the session shared secret and then hashing the result. |
| 1326The sealed data blob does not have a protected identifier. On a platform that does not |
| 1327prevent unauthorized access to data, a data blob can be exchanged by a lower layer without |
| 1328detection. The upper layer software must take additional measures to protect the relation |
| 1329between its identifier of the data blob and the blob itself. |
| 1330End of informative comment. |
| |
| 322Level 2 Revision 116 28 February 2011 |
| 323 |
| |
| 61 |
| TCG Published |
| |
| 324Copyright © TCG |
| 325 |
| 326 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1331Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Seal. |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| Handle of a loaded key that can perform seal operations. |
| |
| 5 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| encAuth |
| |
| The encrypted AuthData for the sealed data. |
| |
| 6 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| pcrInfoSize |
| |
| The size of the pcrInfo parameter. If 0 there are no PCR registers in use |
| |
| 7 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| TPM_PCR_INFO |
| |
| pcrInfo |
| |
| The PCR selection information. The caller MAY use TPM_PCR_INFO_LONG. |
| |
| 8 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| inDataSize |
| |
| The size of the inData parameter |
| |
| 9 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[ ] |
| |
| inData |
| |
| The data to be sealed to the platform and any specified PCRs |
| |
| 10 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle authorization. |
| Must be an OSAP session for this command. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 11 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 12 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Ignored |
| |
| 13 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| pubAuth |
| |
| The authorization session digest for inputs and keyHandle. HMAC key: |
| key.usageAuth. |
| |
| 1332Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Seal. |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_STORED_DATA |
| |
| sealedData |
| |
| Encrypted, integrity-protected data object that is the result of the TPM_Seal operation. |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, fixed value of FALSE |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| key.usageAuth. |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 1333Description |
| 1334TPM_Seal is used to encrypt private objects that can only be decrypted using TPM_Unseal. |
| 1335Actions |
| 13361. Validate the authorization to use the key pointed to by keyHandle |
| 13372. If the inDataSize is 0 the TPM returns TPM_BAD_PARAMETER |
| 327 |
| 328 |
| |
| 62 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 329TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 330Specification Version 1.2 |
| |
| 13383. If the keyUsage field of the key indicated by keyHandle does not have the value TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE. |
| 13404. If the keyHandle points to a migratable key then the TPM MUST return the error code TPM_INVALID_KEY_USAGE. |
| 13425. Determine the version of pcrInfo |
| 1343 |
| |
| a. If pcrInfoSize is 0 |
| |
| 1344 |
| |
| i. |
| |
| 1345 |
| |
| b. Else |
| |
| 1346 |
| |
| i. |
| |
| 1347 |
| |
| ii. If X1 -> tag is TPM_TAG_PCR_INFO_LONG |
| |
| 1348 |
| |
| set V1 to 1 |
| Point X1 as TPM_PCR_INFO_LONG structure to pcrInfo |
| (1) |
| |
| 1349 |
| |
| Set V1 to 2 |
| |
| iii. Else |
| |
| 1350 |
| |
| (1) |
| |
| Set V1 to 1 |
| |
| 13516. If V1 is 1 then |
| 1352 |
| |
| a. Create S1 a TPM_STORED_DATA structure |
| |
| 13537. else |
| 1354 |
| |
| a. Create S1 a TPM_STORED_DATA12 structure |
| |
| 1355 |
| |
| b. Set S1 -> et to 0 |
| |
| 13568. Set S1 -> encDataSize to 0 |
| 13579. Set S1 -> encData to all zeros |
| 135810.Set S1 -> sealInfoSize to pcrInfoSize |
| 135911.If pcrInfoSize is not 0 then |
| 1360 |
| |
| a. if V1 is 1 then |
| |
| 1361 |
| 1362 |
| |
| i. Validate pcrInfo as a valid TPM_PCR_INFO structure, return TPM_BADINDEX |
| on error |
| |
| 1363 |
| |
| ii. Set S1 -> sealInfo -> pcrSelection to pcrInfo -> pcrSelection |
| |
| 1364 |
| |
| iii. Create h1 the composite hash of the PCR selected by pcrInfo -> pcrSelection |
| |
| 1365 |
| |
| iv. Set S1 -> sealInfo -> digestAtCreation to h1 |
| |
| 1366 |
| |
| v. Set S1 -> sealInfo -> digestAtRelease to pcrInfo -> digestAtRelease |
| |
| 1367 |
| |
| b. else |
| |
| 1368 |
| 1369 |
| |
| i. Validate pcrInfo as TPM_BADINDEX on error |
| |
| 1370 |
| |
| ii. Set S1 -> sealInfo -> creationPCRSelection to pcrInfo -> creationPCRSelection |
| |
| 1371 |
| |
| iii. Set S1 -> sealInfo -> releasePCRSelection to pcrInfo -> releasePCRSelection |
| |
| 1372 |
| |
| iv. Set S1 -> sealInfo -> digestAtRelease to pcrInfo -> digestAtRelease |
| |
| 331Level 2 Revision 116 28 February 2011 |
| 332 |
| |
| a |
| |
| valid |
| |
| TPM_PCR_INFO_LONG |
| |
| 63 |
| TCG Published |
| |
| structure, |
| |
| return |
| |
| 333Copyright © TCG |
| 334 |
| 335 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1373 |
| |
| v. Set S1 -> sealInfo -> localityAtRelease to pcrInfo -> localityAtRelease |
| |
| 1374 |
| 1375 |
| |
| vi. Create h2 the composite hash of the TPM_STCLEAR_DATA -> PCR selected by |
| pcrInfo -> creationPCRSelection |
| |
| 1376 |
| |
| vii. Set S1 -> sealInfo -> digestAtCreation to h2 |
| |
| 1377 |
| 1378 |
| |
| viii. |
| Set S1 -> sealInfo -> localityAtCreation to TPM_STANY_FLAGS -> |
| localityModifier |
| |
| 137912.Create a1 by decrypting encAuth according to the ADIP indicated by authHandle. |
| 138013.The TPM provides NO validation of a1. Well-known values (like all zeros) are valid and |
| 1381 |
| possible. |
| 138214.Create S2 a TPM_SEALED_DATA structure |
| 1383 |
| |
| a. Set S2 -> payload to TPM_PT_SEAL |
| |
| 1384 |
| |
| b. Set S2 -> tpmProof to TPM_PERMANENT_DATA -> tpmProof |
| |
| 1385 |
| |
| c. Create h3 the SHA-1 of S1 |
| |
| 1386 |
| |
| d. Set S2 -> storedDigest to h3 |
| |
| 1387 |
| |
| e. Set S2 -> authData to a1 |
| |
| 1388 |
| |
| f. Set S2 -> dataSize to inDataSize |
| |
| 1389 |
| |
| g. Set S2 -> data to inData |
| |
| 139015.Validate that the size of S2 can be encrypted by the key pointed to by keyHandle, return |
| 1391 |
| TPM_BAD_DATASIZE on error |
| 139216.Create s3 the encryption of S2 using the key pointed to by keyHandle |
| 139317.Set continueAuthSession to FALSE |
| 139418.Set S1 -> encDataSize to the size of s3 |
| 139519.Set S1 -> encData to s3 |
| 139620.Return S1 as sealedData |
| |
| 336 |
| 337 |
| |
| 64 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 338TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 339Specification Version 1.2 |
| |
| 139710.2 |
| |
| TPM_Unseal |
| |
| 1398Start of informative comment: |
| 1399The TPM_Unseal operation will reveal TPM_Seal’ed data only if it was encrypted on this |
| 1400platform and the current configuration (as defined by the named PCR contents) is the one |
| 1401named as qualified to decrypt it. Internally, TPM_Unseal accepts a data blob generated by a |
| 1402TPM_Seal operation. TPM_Unseal decrypts the structure internally, checks the integrity of |
| 1403the resulting data, and checks that the PCR named has the value named during TPM_Seal. |
| 1404Additionally, the caller must supply appropriate AuthData for blob and for the key that was |
| 1405used to seal that data. |
| 1406If the integrity, platform configuration and authorization checks succeed, the sealed data is |
| 1407returned to the caller; otherwise, an error is generated. |
| 1408End of informative comment. |
| 1409Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Unseal. |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| parentHandle |
| |
| Handle of a loaded key that can unseal the data. |
| |
| 5 |
| |
| <> |
| |
| TPM_STORED_DATA |
| |
| inData |
| |
| The encrypted data generated by TPM_Seal. |
| |
| 6 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for parentHandle. |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 7 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 8 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 9 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| parentAuth |
| |
| The authorization session digest for inputs and parentHandle. HMAC |
| key: parentKey.usageAuth. |
| |
| 10 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| dataAuthHandle |
| |
| The authorization session handle used to authorize inData. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| 2S |
| |
| SZ |
| |
| 4 |
| |
| <> |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| dataLastNonceEven |
| |
| Even nonce previously generated by TPM |
| |
| 11 |
| |
| 20 |
| |
| 3H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| datanonceOdd |
| |
| Nonce generated by system associated with entityAuthHandle |
| |
| 12 |
| |
| 1 |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueDataSession |
| |
| Continue usage flag for dataAuthHandle. |
| |
| 13 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| dataAuth |
| |
| The authorization session digest for the encrypted entity. HMAC key: |
| entity.usageAuth. |
| |
| 340Level 2 Revision 116 28 February 2011 |
| 341 |
| |
| 65 |
| TCG Published |
| |
| 342Copyright © TCG |
| 343 |
| 344 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1410Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Unseal. |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| secretSize |
| |
| The used size of the output area for secret |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| secret |
| |
| Decrypted data that had been sealed |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC |
| key: parentKey.usageAuth. |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 9 |
| |
| 20 |
| |
| 1 |
| |
| 11 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| dataNonceEven |
| |
| Even nonce newly generated by TPM. |
| |
| 3H2 |
| 10 |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| datanonceOdd |
| |
| Nonce generated by system associated with dataAuthHandle |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueDataSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| dataAuth |
| |
| The authorization session digest used for the dataAuth session. HMAC |
| key: entity.usageAuth. |
| |
| 20 |
| |
| 1411Actions |
| 14121. The TPM MUST validate that parentAuth authorizes the use of the key in parentHandle, |
| 1413 |
| on error return TPM_AUTHFAIL |
| 14142. If the keyUsage field of the key indicated by parentHandle does not have the value |
| 1415 |
| TPM_KEY_STORAGE, the TPM MUST return the error code TPM_INVALID_KEYUSAGE. |
| 14163. The TPM MUST check that the TPM_KEY_FLAGS -> Migratable flag has the value FALSE |
| 1417 |
| in the key indicated by parentHandle. If not, the TPM MUST return the error code |
| 1418 |
| TPM_INVALID_KEYUSAGE |
| 14194. Determine the version of inData |
| 1420 |
| |
| a. If inData -> tag = TPM_TAG_STORED_DATA12 |
| |
| 1421 |
| |
| i. |
| |
| 1422 |
| |
| ii. Map S2 a TPM_STORED_DATA12 structure to inData |
| |
| 1423 |
| |
| Set V1 to 2 |
| |
| b. Else If inData -> ver = 1.1 |
| |
| 1424 |
| |
| i. |
| |
| 1425 |
| |
| ii. Map S2 a TPM_STORED_DATA structure to inData |
| |
| 1426 |
| |
| c. Else |
| |
| 1427 |
| |
| i. |
| |
| Set V1 to 1 |
| |
| Return TPM_BAD_VERSION |
| |
| 14285. Create d1 by decrypting S2 -> encData using the key pointed to by parentHandle |
| 14296. Validate d1 |
| 345 |
| 346 |
| |
| 66 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 347TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 348Specification Version 1.2 |
| |
| 1430 |
| |
| a. d1 MUST be a TPM_SEALED_DATA structure |
| |
| 1431 |
| |
| b. d1 -> tpmProof MUST match TPM_PERMANENT_DATA -> tpmProof |
| |
| 1432 |
| |
| c. Set S2 -> encDataSize to 0 |
| |
| 1433 |
| |
| d. Set S2 -> encData to all zeros |
| |
| 1434 |
| |
| e. Create h1 the SHA-1 of S2 |
| |
| 1435 |
| |
| f. d1 -> storedDigest MUST match h1 |
| |
| 1436 |
| |
| g. d1 -> payload MUST be TPM_PT_SEAL |
| |
| 1437 |
| |
| h. Any failure MUST return TPM_NOTSEALED_BLOB |
| |
| 14387. If S2 -> sealInfoSize is not 0 then |
| 1439 |
| |
| a. If V1 is 1 then |
| |
| 1440 |
| |
| i. |
| |
| 1441 |
| 1442 |
| |
| ii. Create h2 the composite hash of the PCR selected by S2 -> pcrInfo -> |
| pcrSelection |
| |
| 1443 |
| |
| Validate that S2 -> pcrInfo is a valid TPM_PCR_INFO structure |
| |
| b. If V1 is 2 then |
| |
| 1444 |
| |
| i. |
| |
| 1445 |
| 1446 |
| |
| ii. Create h2 the composite hash of the TPM_STCLEAR_DATA -> PCR selected by |
| S2 -> pcrInfo -> releasePCRSelection |
| |
| 1447 |
| 1448 |
| |
| iii. Check that S2 -> pcrInfo -> localityAtRelease for TPM_STANY_DATA -> |
| localityModifier is TRUE |
| |
| 1449 |
| 1450 |
| |
| (1) |
| For example if TPM_STANY_DATA -> localityModifier was 2 then S2 -> |
| pcrInfo -> localityAtRelease -> TPM_LOC_TWO would have to be TRUE |
| |
| 1451 |
| 1452 |
| |
| Validate that S2 -> pcrInfo is a valid TPM_PCR_INFO_LONG structure |
| |
| c. Compare h2 with |
| TPM_WRONGPCRVAL |
| |
| S2 |
| |
| -> |
| |
| pcrInfo |
| |
| -> |
| |
| digestAtRelease, |
| |
| on |
| |
| mismatch |
| |
| return |
| |
| 14538. The TPM MUST validate authorization to use d1 by checking that the HMAC calculation |
| 1454 |
| using d1 -> authData as the shared secret matches the dataAuth. Return |
| 1455 |
| TPM_AUTHFAIL on mismatch. |
| 14569. If V1 is 2 and S2 -> et specifies encryption (i.e. is not all zeros) then |
| 1457 |
| |
| a. If tag is not TPM_TAG_RQU_AUTH2_COMMAND, return TPM_AUTHFAIL |
| |
| 1458 |
| 1459 |
| |
| b. Verify that the authHandle session type is TPM_PID_OSAP or TPM_PID_DSAP, return |
| TPM_BAD_MODE on error. |
| |
| 1460 |
| |
| c. If the MSB of S2 -> et is TPM_ET_XOR |
| |
| 1461 |
| 1462 |
| 1463 |
| |
| i. Use MGF1 to create string X1 of length sealedDataSize. The inputs to MGF1 |
| are; authLastnonceEven, nonceOdd, “XOR”, and authHandle -> sharedSecret. The |
| four concatenated values form the Z value that is the seed for MFG1. |
| |
| 1464 |
| |
| ii. Create o1 by XOR of d1 -> data and X1 |
| |
| 1465 |
| |
| d. Else |
| |
| 349Level 2 Revision 116 28 February 2011 |
| 350 |
| |
| 67 |
| TCG Published |
| |
| 351Copyright © TCG |
| 352 |
| 353 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1466 |
| 1467 |
| |
| i. Create o1 by encrypting d1 -> data using the algorithm indicated by inData -> |
| et |
| |
| 1468 |
| |
| ii. Key is from authHandle -> sharedSecret |
| |
| 1469 |
| |
| iii. IV is SHA-1 of (authLastNonceEven || nonceOdd) |
| |
| 1470 |
| |
| e. Set continueAuthSession to FALSE |
| |
| 147110.else |
| 1472 |
| |
| a. Set o1 to d1 -> data |
| |
| 147311.Set the return secret as o1 |
| 147412.Return TPM_SUCCESS |
| |
| 354 |
| 355 |
| |
| 68 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 356TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 357Specification Version 1.2 |
| |
| 147510.3 |
| |
| TPM_UnBind |
| |
| 1476Start of informative comment: |
| 1477TPM_UnBind takes the data blob that is the result of a Tspi_Data_Bind command and |
| 1478decrypts it for export to the User. The caller must authorize the use of the key that will |
| 1479decrypt the incoming blob. |
| 1480TPM_UnBind operates on a block-by-block basis, and has no notion of any relation between |
| 1481one block and another. |
| 1482End of informative comment. |
| 1483Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_UnBind. |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| The keyHandle identifier of a loaded key that can perform UnBind |
| operations. |
| |
| 5 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| inDataSize |
| |
| The size of the input blob |
| |
| 6 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| BYTE[ ] |
| |
| inData |
| |
| Encrypted blob to be decrypted |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The handle used for keyHandle authorization |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| privAuth |
| |
| The authorization session digest that authorizes the inputs and use of |
| keyHandle. HMAC key: key.usageAuth. |
| |
| 358Level 2 Revision 116 28 February 2011 |
| 359 |
| |
| 69 |
| TCG Published |
| |
| 360Copyright © TCG |
| 361 |
| 362 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1484Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_UnBind |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| outDataSize |
| |
| The length of the returned decrypted data |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| outData |
| |
| The resulting decrypted data. |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| key.usageAuth. |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 1485Description |
| 1486TPM_UnBind SHALL operate on a single block only. |
| 1487Actions |
| 1488The TPM SHALL perform the following: |
| 14891. If the inDataSize is 0 the TPM returns TPM_BAD_PARAMETER |
| 14902. Validate the AuthData to use the key pointed to by keyHandle |
| 14913. If the keyUsage field of the key referenced by keyHandle does not have the value |
| 1492 |
| TPM_KEY_BIND or TPM_KEY_LEGACY, the TPM must return the error code |
| 1493 |
| TPM_INVALID_KEYUSAGE |
| 14944. Decrypt the inData using the key pointed to by keyHandle |
| 14955. if (keyHandle -> encScheme does not equal TPM_ES_RSAESOAEP_SHA1_MGF1) and |
| 1496 |
| (keyHandle -> keyUsage equals TPM_KEY_LEGACY), |
| 1497 |
| 1498 |
| |
| a. The payload does not have TPM specific markers to validate, so no consistency check |
| can be performed. |
| |
| 1499 |
| 1500 |
| |
| b. Set the output parameter outData to the value of the decrypted value of inData. |
| (Padding associated with the encryption wrapping of inData SHALL NOT be returned.) |
| |
| 1501 |
| 1502 |
| |
| c. Set the output parameter outDataSize to the size of outData, as deduced from the |
| decryption process. |
| |
| 15036. else |
| 1504 |
| 1505 |
| |
| a. Interpret the decrypted data under the assumption that it is a TPM_BOUND_DATA |
| structure, and validate that the payload type is TPM_PT_BIND |
| |
| 1506 |
| 1507 |
| 1508 |
| |
| b. Set the output parameter outData to the value of TPM_BOUND_DATA -> |
| payloadData. (Other parameters of TPM_BOUND_DATA SHALL NOT be returned. |
| Padding associated with the encryption wrapping of inData SHALL NOT be returned.) |
| |
| 363 |
| 364 |
| |
| 70 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 365TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 366Specification Version 1.2 |
| |
| 1509 |
| 1510 |
| |
| c. Set the output parameter outDataSize to the size of outData, as deduced from the |
| decryption process and the interpretation of TPM_BOUND_DATA. |
| |
| 15117. Return the output parameters. |
| |
| 367Level 2 Revision 116 28 February 2011 |
| 368 |
| |
| 71 |
| TCG Published |
| |
| 369Copyright © TCG |
| 370 |
| 371 |
| |
| 151210.4 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_CreateWrapKey |
| |
| 1513Start of informative comment: |
| 1514The TPM_CreateWrapKey command both generates and creates a secure storage bundle for |
| 1515asymmetric keys. |
| 1516The newly created key can be locked to a specific PCR value by specifying a set of PCR |
| 1517registers. |
| 1518The key blob does not have a protected identifier. On a platform that does not prevent |
| 1519unauthorized access to data, a key blob can be exchanged by a lower layer without |
| 1520detection. The upper layer software must take additional measures to protect the relation |
| 1521between its identifier of the key blob and the blob itself. |
| 1522End of informative comment. |
| 1523Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CreateWrapKey |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| parentHandle |
| |
| Handle of a loaded key that can perform key wrapping. |
| |
| 5 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| dataUsageAuth |
| |
| Encrypted usage AuthData for the key. |
| |
| 6 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| dataMigrationAuth |
| |
| Encrypted migration AuthData for the key. |
| |
| 7 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| TPM_KEY |
| |
| keyInfo |
| |
| Information about key to be created, pubkey.keyLength and |
| keyInfo.encData elements are 0. MAY be TPM_KEY12 |
| |
| 8 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| parent key authorization. Must be an OSAP session. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 9 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 10 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Ignored |
| |
| 11 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| pubAuth |
| |
| Authorization HMAC key: parentKey.usageAuth. |
| |
| 1524Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CreateWrapKey |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_KEY |
| |
| wrappedKey |
| |
| The TPM_KEY structure which includes the public and encrypted private |
| key. MAY be TPM_KEY12 |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, fixed at FALSE |
| |
| 6 |
| |
| 372 |
| 373 |
| |
| 1 |
| |
| 72 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 374TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 375Specification Version 1.2 |
| |
| 7 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| 376Level 2 Revision 116 28 February 2011 |
| 377 |
| |
| resAuth |
| |
| 73 |
| TCG Published |
| |
| Authorization HMAC key: parentKey.usageAuth. |
| |
| 378Copyright © TCG |
| 379 |
| 380 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1525 Actions |
| 1526The TPM SHALL do the following: |
| 15271. Validate the AuthData to use the key pointed to by parentHandle. Return |
| 1528 |
| TPM_AUTHFAIL on any error. |
| 15292. Validate the session type for parentHandle is OSAP. |
| 15303. If the TPM is not designed to create a key of the type requested in keyInfo, return the |
| 1531 |
| error code TPM_BAD_KEY_PROPERTY |
| 15324. Verify that parentHandle->keyUsage equals TPM_KEY_STORAGE |
| 15335. If parentHandle -> keyFlags -> migratable is TRUE and keyInfo -> keyFlags -> migratable |
| 1534 |
| is FALSE then return TPM_INVALID_KEYUSAGE |
| 15356. Validate key parameters |
| 1536 |
| 1537 |
| |
| a. keyInfo |
| -> |
| keyUsage |
| MUST |
| NOT |
| be |
| TPM_KEY_IDENTITY |
| TPM_KEY_AUTHCHANGE. If it is, return TPM_INVALID_KEYUSAGE |
| |
| 1538 |
| 1539 |
| |
| b. If |
| keyInfo |
| -> |
| keyFlags |
| TPM_INVALID_KEYUSAGE |
| |
| -> |
| |
| migrateAuthority |
| |
| is |
| |
| TRUE |
| |
| then |
| |
| or |
| return |
| |
| 15407. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then |
| 1541 |
| |
| a. If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS |
| |
| 1542 |
| |
| b. If keyInfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS |
| |
| 1543 |
| |
| c. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS |
| |
| 15448. If keyInfo -> keyUsage equals TPM_KEY_STORAGE or TPM_KEY_MIGRATE |
| 1545 |
| |
| i. |
| |
| 1546 |
| |
| ii. encScheme MUST be TPM_ES_RSAESOAEP_SHA1_MGF1 |
| |
| 1547 |
| |
| iii. sigScheme MUST be TPM_SS_NONE |
| |
| 1548 |
| |
| iv. key size MUST be 2048 |
| |
| 1549 |
| |
| v. exponentSize MUST be 0 |
| |
| algorithmID MUST be TPM_ALG_RSA |
| |
| 15509. Determine the version of key |
| 1551 |
| |
| a. If keyInfo -> ver is 1.1 |
| |
| 1552 |
| |
| i. |
| |
| 1553 |
| |
| ii. Map wrappedKey to a TPM_KEY structure |
| |
| 1554 |
| |
| iii. Validate all remaining TPM_KEY structures |
| |
| 1555 |
| |
| Set V1 to 1 |
| |
| b. Else if keyInfo -> tag is TPM_TAG_KEY12 |
| |
| 1556 |
| |
| i. |
| |
| 1557 |
| |
| ii. Map wrappedKey to a TPM_KEY12 structure |
| |
| 1558 |
| |
| iii. Validate all remaining TPM_KEY12 structures |
| |
| 381 |
| 382 |
| |
| Set V1 to 2 |
| |
| 74 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 383TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 384Specification Version 1.2 |
| |
| 155910.Create DU1 by decrypting dataUsageAuth according to the ADIP indicated by |
| 1560 |
| authHandle |
| 156111.Create DM1 by decrypting dataMigrationAuth according to the ADIP indicated by |
| 1562 |
| authHandle |
| 156312.Set continueAuthSession to FALSE |
| 156413.Generate asymmetric key according to algorithm information in keyInfo |
| 156514.Fill in the wrappedKey structure with information from the newly generated key. |
| 1566 |
| |
| a. Set wrappedKey -> encData -> usageAuth to DU1 |
| |
| 1567 |
| 1568 |
| |
| b. If the KeyFlags -> migratable bit is set to 1, the wrappedKey -> encData -> |
| migrationAuth SHALL contain the decrypted value from dataMigrationAuth. |
| |
| 1569 |
| 1570 |
| |
| c. If the KeyFlags -> migratable bit is set to 0, the wrappedKey -> encData -> |
| migrationAuth SHALL be set to the value tpmProof |
| |
| 157115.If keyInfo->PCRInfoSize is non-zero |
| 1572 |
| 1573 |
| 1574 |
| |
| a. If V1 is 1 |
| i. Set wrappedKey -> pcrInfo to a TPM_PCR_INFO structure using the |
| pcrSelection to indicate the PCR’s in use |
| |
| 1575 |
| |
| b. Else |
| |
| 1576 |
| |
| i. |
| |
| 1577 |
| |
| c. Set wrappedKey -> pcrInfo to keyInfo -> pcrInfo |
| |
| Set wrappedKey -> pcrInfo to a TPM_PCR_INFO_LONG structure |
| |
| 1578 |
| 1579 |
| |
| d. Set wrappedKey -> digestAtCreation to the TPM_COMPOSITE_HASH indicated by |
| creationPCRSelection |
| |
| 1580 |
| |
| e. If V1 is 2 set wrappedKey -> localityAtCreation to TPM_STANY_DATA -> locality |
| |
| 158116.Encrypt the private portions of the wrappedKey structure using the key in parentHandle |
| 158217.Return the newly generated key in the wrappedKey parameter |
| |
| 385Level 2 Revision 116 28 February 2011 |
| 386 |
| |
| 75 |
| TCG Published |
| |
| 387Copyright © TCG |
| 388 |
| 389 |
| |
| 158310.5 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_LoadKey2 |
| |
| 1584Start of informative comment: |
| 1585Before the TPM can use a key to either wrap, unwrap, unbind, seal, unseal, sign or perform |
| 1586any other action, it needs to be present in the TPM. The TPM_LoadKey2 function loads the |
| 1587key into the TPM for further use. |
| 1588The TPM assigns the key handle. The TPM always locates a loaded key by use of the handle. |
| 1589The assumption is that the handle may change due to key management operations. It is the |
| 1590responsibility of upper level software to maintain the mapping between handle and any |
| 1591label used by external software. |
| 1592To permit this mapping between handle and upper software labels (called key handle |
| 1593virtualization), the key handle returned by TPM_LoadKey2 must not be included in the |
| 1594response HMAC. This may cause problems if several keys are authorized using the same |
| 1595authorization data. Care should be taken to assign different authorization data to each key. |
| 1596This command has the responsibility of enforcing restrictions on the use of keys. For |
| 1597example, when attempting to load a STORAGE key it will be checked for the restrictions on |
| 1598a storage key (2048 size etc.). |
| 1599The load command must maintain a record of whether any previous key in the key |
| 1600hierarchy was bound to a PCR using parentPCRStatus. |
| 1601The flag parentPCRStatus enables the possibility of checking that a platform passed |
| 1602through some particular state or states before finishing in the current state. A grandparent |
| 1603key could be linked to state-1, a parent key could linked to state-2, and a child key could be |
| 1604linked to state-3, for example. The use of the child key then indicates that the platform |
| 1605passed through states 1 and 2 and is currently in state 3, in this example. TPM_Startup |
| 1606with stType == TPM_ST_CLEAR indicates that the platform has been reset, so the platform |
| 1607has not passed through the previous states. Hence keys with parentPCRStatus==TRUE |
| 1608must be unloaded if TPM_Startup is issued with stType == TPM_ST_CLEAR. |
| 1609If a TPM_KEY structure has been decrypted AND the integrity test using "pubDataDigest" |
| 1610has passed AND the key is non-migratory, the key must have been created by the TPM. So |
| 1611there is every reason to believe that the key poses no security threat to the TPM. While there |
| 1612is no known attack from a rogue migratory key, there is a desire to verify that a loaded |
| 1613migratory key is a real key, arising from a general sense of unease about execution of |
| 1614arbitrary data as a key. Ideally a consistency check would consist of an encrypt/decrypt |
| 1615cycle, but this may be expensive. For RSA keys, it is therefore suggested that the |
| 1616consistency test consists of dividing the supposed RSA product by the supposed RSA prime, |
| 1617and checking that there is no remainder. |
| 1618End of informative comment. |
| |
| 390 |
| 391 |
| |
| 76 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 392TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 393Specification Version 1.2 |
| |
| 1619Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadKey2. |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| parentHandle |
| |
| TPM handle of parent key. |
| |
| 5 |
| |
| <> |
| |
| TPM_KEY |
| |
| inKey |
| |
| Incoming key structure, both encrypted private and clear public portions. |
| MAY be TPM_KEY12 |
| |
| 6 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for parentHandle authorization. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 2S |
| |
| 4 |
| |
| <> |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 7 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 8 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 9 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| parentAuth |
| |
| The authorization session digest for inputs and parentHandle. HMAC key: |
| parentKey.usageAuth. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 1620Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 20 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadKey2 |
| |
| TPM_KEY_HANDLE |
| |
| inkeyHandle |
| |
| Internal TPM handle where decrypted key was loaded. |
| |
| 4 |
| |
| 5 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| 6 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| parentKey.usageAuth. |
| |
| 20 |
| |
| 1621Actions |
| 1622The TPM SHALL perform the following steps: |
| 16231. Validate the command and the parameters using parentAuth and parentHandle -> |
| 1624 |
| usageAuth |
| 16252. If |
| parentHandle |
| -> |
| 1626 |
| TPM_INVALID_KEYUSAGE |
| |
| keyUsage |
| |
| is |
| |
| NOT |
| |
| TPM_KEY_STORAGE |
| |
| return |
| |
| 16273. If the TPM is not designed to operate on a key of the type specified by inKey, return the |
| 1628 |
| error code TPM_BAD_KEY_PROPERTY |
| 16294. The TPM MUST handle both TPM_KEY and TPM_KEY12 structures |
| 16305. Decrypt the inKey -> privkey to obtain TPM_STORE_ASYMKEY structure using the key |
| 1631 |
| in parentHandle |
| 394Level 2 Revision 116 28 February 2011 |
| 395 |
| |
| 77 |
| TCG Published |
| |
| 396Copyright © TCG |
| 397 |
| 398 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 16326. Validate the integrity of inKey and decrypted TPM_STORE_ASYMKEY |
| 1633 |
| 1634 |
| |
| a. Reproduce inKey -> TPM_STORE_ASYMKEY -> pubDataDigest using the fields of |
| inKey, and check that the reproduced value is the same as pubDataDigest |
| |
| 16357. Validate the consistency of the key and it’s key usage. |
| 1636 |
| 1637 |
| 1638 |
| 1639 |
| 1640 |
| 1641 |
| |
| a. If inKey -> keyFlags -> migratable is TRUE, the TPM SHALL verify consistency of the |
| public and private components of the asymmetric key pair. If inKey -> keyFlags -> |
| migratable is FALSE, the TPM MAY verify consistency of the public and private |
| components of the asymmetric key pair. The consistency of an RSA key pair MAY be |
| verified by dividing the supposed (P*Q) product by a supposed prime and checking that |
| there is no remainder. |
| |
| 1642 |
| 1643 |
| |
| b. If inKey -> keyUsage is TPM_KEY_IDENTITY, verify that inKey->keyFlags->migratable |
| is FALSE. If it is not, return TPM_INVALID_KEYUSAGE |
| |
| 1644 |
| |
| c. If inKey -> keyUsage is TPM_KEY_AUTHCHANGE, return TPM_INVALID_KEYUSAGE |
| |
| 1645 |
| 1646 |
| |
| d. If inKey -> keyFlags -> migratable equals 0 then verify that TPM_STORE_ASYMKEY |
| -> migrationAuth equals TPM_PERMANENT_DATA -> tpmProof |
| |
| 1647 |
| |
| e. Validate the mix of encryption and signature schemes |
| |
| 1648 |
| |
| f. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then |
| |
| 1649 |
| |
| i. |
| |
| 1650 |
| 1651 |
| |
| ii. If keyInfo |
| TPM_NOTFIPS |
| |
| 1652 |
| |
| iii. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS |
| |
| 1653 |
| |
| If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS |
| -> |
| |
| authDataUsage |
| |
| specifies |
| |
| TPM_AUTH_NEVER |
| |
| return |
| |
| g. If inKey -> keyUsage is TPM_KEY_STORAGE or TPM_KEY_MIGRATE |
| |
| 1654 |
| |
| i. |
| |
| 1655 |
| |
| ii. Key size MUST be 2048 |
| |
| 1656 |
| |
| iii. exponentSize MUST be 0 |
| |
| 1657 |
| |
| iv. sigScheme MUST be TPM_SS_NONE |
| |
| 1658 |
| |
| algorithmID MUST be TPM_ALG_RSA |
| |
| h. If inKey -> keyUsage is TPM_KEY_IDENTITY |
| |
| 1659 |
| |
| i. |
| |
| 1660 |
| |
| ii. Key size MUST be 2048 |
| |
| 1661 |
| |
| iii. exponentSize MUST be 0 |
| |
| 1662 |
| |
| iv. encScheme MUST be TPM_ES_NONE |
| |
| 1663 |
| |
| i. |
| |
| 1664 |
| 1665 |
| 1666 |
| |
| If the decrypted inKey -> pcrInfo is NULL, |
| i. The TPM MUST set the internal indicator to indicate that the key is not using |
| any PCR registers. |
| |
| j. |
| |
| 1667 |
| 1668 |
| |
| 399 |
| 400 |
| |
| algorithmID MUST be TPM_ALG_RSA |
| |
| Else |
| i. The TPM MUST store pcrInfo in a manner that allows the TPM to calculate a |
| composite hash whenever the key will be in use |
| |
| 78 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 401TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 402Specification Version 1.2 |
| |
| 1669 |
| 1670 |
| |
| ii. The TPM MUST handle both version 1.1 TPM_PCR_INFO and 1.2 |
| TPM_PCR_INFO_LONG structures according to the type of TPM_KEY structure |
| |
| 1671 |
| 1672 |
| 1673 |
| |
| (1) |
| The TPM MUST validate the TPM_PCR_INFO or TPM_PCR_INFO_LONG |
| structures for legal values. |
| However, the digestAtRelease and |
| localityAtRelease are not validated for authorization until use time. |
| |
| 16748. Perform any processing necessary to make TPM_STORE_ASYMKEY key available for |
| 1675 |
| operations |
| 16769. Load key and key information into internal memory of the TPM. If insufficient memory |
| 1677 |
| exists return error TPM_NOSPACE. |
| 167810.Assign inKeyHandle according to internal TPM rules. |
| 167911.Set InKeyHandle -> parentPCRStatus to parentHandle -> parentPCRStatus. |
| 168012.If parentHandle indicates that it is using PCR registers, then set inKeyHandle -> |
| 1681 |
| parentPCRStatus to TRUE. |
| |
| 403Level 2 Revision 116 28 February 2011 |
| 404 |
| |
| 79 |
| TCG Published |
| |
| 405Copyright © TCG |
| 406 |
| 407 |
| |
| 10.6 |
| |
| 1682 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_GetPubKey |
| |
| 1683Start of informative comment: |
| 1684The owner of a key may wish to obtain the public key value from a loaded key. This |
| 1685information may have privacy concerns so the command must have authorization from the |
| 1686key owner. |
| 1687End of informative comment. |
| 1688Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetPubKey. |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| TPM handle of key. |
| |
| 5 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle authorization. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 7 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 8 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| keyAuth |
| |
| Authorization HMAC key: key.usageAuth. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 6 |
| |
| 1689Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetPubKey. |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PUBKEY |
| |
| pubKey |
| |
| Public portion of key in keyHandle. |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization. HMAC key: key.usageAuth. |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 1690Actions |
| 1691The TPM SHALL perform the following steps: |
| 16921. If tag = TPM_TAG_RQU_AUTH1_COMMAND then |
| 1693 |
| 1694 |
| |
| a. Validate the command parameters using keyHandle -> usageAuth, on error return |
| TPM_AUTHFAIL |
| |
| 16952. Else |
| 408 |
| 409 |
| |
| 80 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 410TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 411Specification Version 1.2 |
| |
| 1696 |
| 1697 |
| |
| a. Verify that keyHandle -> authDataUsage is TPM_NO_READ_PUBKEY_AUTH |
| TPM_AUTH_NEVER, on error return TPM_AUTHFAIL |
| |
| or |
| |
| 16983. If keyHandle == TPM_KH_SRK then |
| 1699 |
| 1700 |
| |
| a. If |
| TPM_PERMANENT_FLAGS |
| TPM_INVALID_KEYHANDLE |
| |
| -> |
| |
| readSRKPub |
| |
| is |
| |
| FALSE |
| |
| then |
| |
| return |
| |
| 17014. If keyHandle -> pcrInfoSize is not 0 |
| 1702 |
| |
| a. If keyHandle -> keyFlags has pcrIgnoredOnRead set to FALSE |
| |
| 1703 |
| 1704 |
| |
| i. Create a digestAtRelease according to the specified PCR registers and compare |
| to keyHandle -> digestAtRelease and if a mismatch return TPM_WRONGPCRVAL |
| |
| 1705 |
| |
| ii. If specified validate any locality requests |
| |
| 17065. Create a TPM_PUBKEY structure and return |
| |
| 412Level 2 Revision 116 28 February 2011 |
| 413 |
| |
| 81 |
| TCG Published |
| |
| 414Copyright © TCG |
| 415 |
| 416 |
| |
| 170710.7 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_Sealx |
| |
| 1708Start of informative comment: |
| 1709The TPM_Sealx command works exactly like the TPM_Seal command with the additional |
| 1710requirement of encryption for the inData parameter. This command also places in the |
| 1711sealed blob the information that the TPM_Unseal also requires encryption. |
| 1712TPM_Sealx requires the use of 1.2 data structures. The actions are the same as TPM_Seal |
| 1713without the checks for 1.1 data structure usage. |
| 1714The method of incrementing the symmetric key counter value is different from that used by |
| 1715some standard crypto libraries (e.g. openSSL, Java JCE) that increment the entire counter |
| 1716value. TPM users should be aware of this to avoid errors when the counter wraps. |
| 1717End of informative comment. |
| 1718Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Sealx |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| Handle of a loaded key that can perform seal operations. |
| |
| 5 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| encAuth |
| |
| The encrypted AuthData for the sealed data. |
| |
| 6 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| pcrInfoSize |
| |
| The size of the pcrInfo parameter. If 0 there are no PCR registers in use |
| |
| 7 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| TPM_PCR_INFO |
| |
| pcrInfo |
| |
| MUST use TPM_PCR_INFO_LONG. |
| |
| 8 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| inDataSize |
| |
| The size of the inData parameter |
| |
| 9 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[ ] |
| |
| inData |
| |
| The data to be sealed to the platform and any specified PCRs |
| |
| 10 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle authorization. |
| Must be an OSAP session for this command. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 11 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 12 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Ignored |
| |
| 13 |
| |
| 417 |
| 418 |
| |
| 20 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| pubAuth |
| |
| The authorization session digest for inputs and keyHandle. HMAC key: key.usageAuth. |
| |
| 82 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 419TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 420Specification Version 1.2 |
| |
| 1719Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Sealx |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| 4 |
| |
| TPM_STORED_DATA |
| |
| sealedData |
| |
| Encrypted, integrity-protected data object that is the result of the TPM_Sealx operation. |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, fixed value of FALSE |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| key.usageAuth. |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 1720Actions |
| 17211. Validate the authorization to use the key pointed to by keyHandle |
| 17222. If the inDataSize is 0 the TPM returns TPM_BAD_PARAMETER |
| 17233. If the keyUsage field of the key indicated by keyHandle does not have the value |
| 1724 |
| TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE. |
| 17254. If the keyHandle points to a migratable key then the TPM MUST return the error code |
| 1726 |
| TPM_INVALID_KEY_USAGE. |
| 17275. Create S1 a TPM_STORED_DATA12 structure |
| 17286. Set S1 -> encDataSize to 0 |
| 17297. Set S1 -> encData to all zeros |
| 17308. Set S1 -> sealInfoSize to pcrInfoSize |
| 17319. If pcrInfoSize is not 0 then |
| 1732 |
| 1733 |
| |
| a. Validate pcrInfo as a valid TPM_PCR_INFO_LONG structure, return TPM_BADINDEX |
| on error |
| |
| 1734 |
| |
| b. Set S1 -> sealInfo -> creationPCRSelection to pcrInfo -> creationPCRSelection |
| |
| 1735 |
| |
| c. Set S1 -> sealInfo -> releasePCRSelection to pcrInfo -> releasePCRSelection |
| |
| 1736 |
| |
| d. Set S1 -> sealInfo -> digestAtRelease to pcrInfo -> digestAtRelease |
| |
| 1737 |
| |
| e. Set S1 -> sealInfo -> localityAtRelease to pcrInfo -> localityAtRelease |
| |
| 1738 |
| 1739 |
| |
| f. Create h2 the composite hash of the TPM_STCLEAR_DATA -> PCR selected by |
| pcrInfo -> creationPCRSelection |
| |
| 1740 |
| |
| g. Set S1 -> sealInfo -> digestAtCreation to h2 |
| |
| 1741 |
| |
| h. Set S1 -> sealInfo -> localityAtCreation to TPM_STANY_DATA -> localityModifier |
| |
| 174210.Create S2 a TPM_SEALED_DATA structure |
| 421Level 2 Revision 116 28 February 2011 |
| 422 |
| |
| 83 |
| TCG Published |
| |
| 423Copyright © TCG |
| 424 |
| 425 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 174311.Create a1 by decrypting encAuth according to the ADIP indicated by authHandle. |
| 1744 |
| |
| a. If authHandle indicates XOR encryption for the AuthData secrets |
| |
| 1745 |
| |
| i. |
| |
| 1746 |
| 1747 |
| |
| (1) TPM_ET_KEY is added because TPM_Unseal uses zero as a special value |
| indicating no encryption. |
| |
| 1748 |
| |
| b. Else |
| |
| 1749 |
| |
| i. |
| |
| Set S1 -> et to TPM_ET_XOR || TPM_ET_KEY |
| |
| Set S1 -> et to the algorithm indicated by authHandle |
| |
| 175012.The TPM provides NO validation of a1. Well-known values (like all zeros) are valid and |
| 1751 |
| possible. |
| 175213.If authHandle indicates XOR encryption |
| 1753 |
| 1754 |
| 1755 |
| |
| a. Use MGF1 to create string X2 of length inDataSize. The inputs to MGF1 are; |
| authLastNonceEven, nonceOdd, “XOR”, and authHandle -> sharedSecret. The four |
| concatenated values form the Z value that is the seed for MFG1. |
| |
| 1756 |
| |
| b. Create o1 by XOR of inData and X2 |
| |
| 175714.Else |
| 1758 |
| |
| a. Create o1 by decrypting inData using the algorithm indicated by authHandle |
| |
| 1759 |
| |
| b. Key is from authHandle -> sharedSecret |
| |
| 1760 |
| |
| c. CTR is SHA-1 of (authLastNonceEven || nonceOdd) |
| |
| 176115.Create S2 a TPM_SEALED_DATA structure |
| 1762 |
| |
| a. Set S2 -> payload to TPM_PT_SEAL |
| |
| 1763 |
| |
| b. Set S2 -> tpmProof to TPM_PERMANENT_DATA -> tpmProof |
| |
| 1764 |
| |
| c. Create h3 the SHA-1 of S1 |
| |
| 1765 |
| |
| d. Set S2 -> storedDigest to h3 |
| |
| 1766 |
| |
| e. Set S2 -> authData to a1 |
| |
| 1767 |
| |
| f. Set S2 -> dataSize to inDataSize |
| |
| 1768 |
| |
| g. Set S2 -> data to o1 |
| |
| 176916.Validate that the size of S2 can be encrypted by the key pointed to by keyHandle, return |
| 1770 |
| TPM_BAD_DATASIZE on error |
| 177117.Create s3 the encryption of S2 using the key pointed to by keyHandle |
| 177218.Set continueAuthSession to FALSE |
| 177319.Set S1 -> encDataSize to the size of s3 |
| 177420.Set S1 -> encData to s3 |
| 177521.Return S1 as sealedData |
| |
| 426 |
| 427 |
| |
| 84 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 428TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 429Specification Version 1.2 |
| |
| 177611. |
| Migration |
| 1777Start of informative comment: |
| 1778The migration of a key from one TPM to another is a vital aspect to many use models of the |
| 1779TPM. The migration commands are the commands that allow this operation to occur. |
| 1780There are two types of migratable keys, the version 1.1 migratable keys and the version 1.2 |
| 1781certifiable migratable keys. |
| 1782End of informative comment. |
| 178311.1 |
| |
| TPM_CreateMigrationBlob |
| |
| 1784Start of informative comment: |
| 1785The TPM_CreateMigrationBlob command implements the first step in the process of moving |
| 1786a migratable key to a new parent or platform. Execution of this command requires |
| 1787knowledge of the migrationAuth field of the key to be migrated. |
| 1788Migrate mode is generally used to migrate keys from one TPM to another for backup, |
| 1789upgrade or to clone a key on another platform. To do this, the TPM needs to create a data |
| 1790blob that another TPM can deal with. This is done by loading in a backup public key that |
| 1791will be used by the TPM to create a new data blob for a migratable key. |
| 1792The TPM Owner does the selection and authorization of migration public keys at any time |
| 1793prior |
| to |
| the |
| execution |
| of |
| TPM_CreateMigrationBlob |
| by |
| performing |
| the |
| 1794TPM_AuthorizeMigrationKey command. |
| 1795IReWrap mode is used directly to move the key to a new parent (on either this platform or |
| 1796another). The TPM simply re-encrypts the key using a new parent, and outputs a normal |
| 1797encrypted element that can be subsequently used by a TPM_LoadKey command. |
| 1798TPM_CreateMigrationBlob implicitly cannot be used to migrate a non-migratory key. No |
| 1799explicit check is required. Only the TPM knows tpmProof. Therefore, it is impossible for the |
| 1800caller to submit an AuthData value equal to tpmProof and migrate a non-migratory key. |
| 1801End of informative comment. |
| |
| 430Level 2 Revision 116 28 February 2011 |
| 431 |
| |
| 85 |
| TCG Published |
| |
| 432Copyright © TCG |
| 433 |
| 434 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1802Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CreateMigrationBlob |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| parentHandle |
| |
| Handle of the parent key that can decrypt encData. |
| |
| 5 |
| |
| 2 |
| |
| 2S |
| |
| 2 |
| |
| TPM_MIGRATE_SCHEME |
| |
| migrationType |
| |
| The migration type, either MIGRATE or REWRAP |
| |
| 6 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_MIGRATIONKEYAUTH |
| |
| migrationKeyAuth |
| |
| Migration public key and its authorization session digest. |
| |
| 7 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| encDataSize |
| |
| The size of the encData parameter |
| |
| 8 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| BYTE[ ] |
| |
| encData |
| |
| The encrypted entity that is to be modified. |
| |
| 9 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| parentAuthHandle |
| |
| The authorization session handle used for the parent key. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with parentAuthHandle |
| |
| 11 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag for parent session |
| |
| 12 |
| |
| 20 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| parentAuth |
| |
| Authorization HMAC key: parentKey.usageAuth. |
| |
| 13 |
| |
| 4 |
| |
| 10 |
| |
| TPM_AUTHHANDLE |
| |
| entityAuthHandle |
| |
| The authorization session handle used for the encrypted entity. |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| entitylastNonceEven |
| |
| Even nonce previously generated by TPM |
| |
| 14 |
| |
| 20 |
| |
| 3H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| entitynonceOdd |
| |
| Nonce generated by system associated with entityAuthHandle |
| |
| 15 |
| |
| 1 |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueEntitySession |
| |
| Continue use flag for entity session |
| |
| 16 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| entityAuth |
| |
| Authorization HMAC key: entity.migrationAuth. |
| |
| 1803 |
| |
| 435 |
| 436 |
| |
| 86 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 437TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 438Specification Version 1.2 |
| |
| 1804Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CreateMigrationBlob |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| randomSize |
| |
| The used size of the output area for random |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| random |
| |
| String used for xor encryption |
| |
| 6 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| outDataSize |
| |
| The used size of the output area for outData |
| |
| 7 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[ ] |
| |
| outData |
| |
| The modified, encrypted entity. |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 4H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with parentAuthHandle |
| |
| 5H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag for parent key session |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization. HMAC key: parentKey.usageAuth. |
| |
| 3H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| entityNonceEven |
| |
| Even nonce newly generated by TPM to cover entity |
| |
| 4H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| entitynonceOdd |
| |
| Nonce generated by system associated with entityAuthHandle |
| |
| 5 H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueEntitySession |
| |
| Continue use flag for entity session |
| |
| TPM_AUTHDATA |
| |
| entityAuth |
| |
| Authorization HMAC key: entity.migrationAuth. |
| |
| 9 |
| |
| 1 |
| |
| 10 |
| |
| 20 |
| |
| 11 |
| |
| 20 |
| |
| 12 |
| |
| 1 |
| |
| 13 |
| |
| 20 |
| |
| 1805Description |
| 1806The TPM does not check the PCR values when migrating values locked to a PCR. |
| 1807The second authorization session (using entityAuth) MUST be OIAP because OSAP does not |
| 1808have a suitable entityType |
| 1809Actions |
| 18101. Validate that parentAuth authorizes the use of the key pointed to by parentHandle. |
| 18112. Validate that parentHandle -> keyUsage is TPM_KEY_STORAGE, if not return |
| 1812 |
| TPM_INVALID_KEYUSAGE |
| 18133. Create d1 a TPM_STORE_ASYMKEY structure by decrypting encData using the key |
| 1814 |
| pointed to by parentHandle. |
| 1815 |
| |
| a. Verify that d1 -> payload is TPM_PT_ASYM. |
| |
| 18164. Validate that entityAuth authorizes the migration of d1. The validation MUST use d1 -> |
| 1817 |
| migrationAuth as the secret. |
| 18185. Validate that migrationKeyAuth -> digest is the SHA-1 hash of (migrationKeyAuth -> |
| 1819 |
| migrationKey || migrationKeyAuth -> migrationScheme || TPM_PERMANENT_DATA -> |
| 1820 |
| tpmProof). |
| 18216. If migrationType == TPM_MS_MIGRATE the TPM SHALL perform the following actions: |
| 1822 |
| |
| a. Build two byte arrays, K1 and K2: |
| |
| 439Level 2 Revision 116 28 February 2011 |
| 440 |
| |
| 87 |
| TCG Published |
| |
| 441Copyright © TCG |
| 442 |
| 443 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1823 |
| 1824 |
| |
| i. K1 = d1.privKey[0..19] (d1.privKey.keyLength + 16 bytes of d1.privKey.key), |
| sizeof(K1) = 20 |
| |
| 1825 |
| |
| ii. K2 = d1.privKey[20..131] (position 16-127 of d1 . privKey.key), sizeof(K2) = 112 |
| |
| 1826 |
| |
| b. Build M1 a TPM_MIGRATE_ASYMKEY structure |
| |
| 1827 |
| |
| i. |
| |
| 1828 |
| |
| ii. TPM_MIGRATE_ASYMKEY.usageAuth = d1.usageAuth |
| |
| 1829 |
| |
| iii. TPM_MIGRATE_ASYMKEY.pubDataDigest = d1. pubDataDigest |
| |
| 1830 |
| |
| iv. TPM_MIGRATE_ASYMKEY.partPrivKeyLen = 112 – 127. |
| |
| 1831 |
| |
| v. TPM_MIGRATE_ASYMKEY.partPrivKey = K2 |
| |
| 1832 |
| 1833 |
| |
| TPM_MIGRATE_ASYMKEY.payload = TPM_PT_MIGRATE |
| |
| c. Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the |
| OAEP encoding of m using OAEP parameters of |
| |
| 1834 |
| |
| i. |
| |
| 1835 |
| |
| ii. pHash = d1->migrationAuth |
| |
| 1836 |
| |
| iii. seed = s1 = K1 |
| |
| m = M1 the TPM_MIGRATE_ASYMKEY structure |
| |
| 1837 |
| 1838 |
| |
| d. Create r1 a random value from the TPM RNG. The size of r1 MUST be the size of o1. |
| Return r1 in the Random parameter. |
| |
| 1839 |
| |
| e. Create x1 by XOR of o1 with r1 |
| |
| 1840 |
| |
| f. Copy r1 into the output field “random”. |
| |
| 1841 |
| |
| g. Encrypt x1 with the migration public key included in migrationKeyAuth. |
| |
| 18427. If migrationType == TPM_MS_REWRAP the TPM SHALL perform the following actions: |
| 1843 |
| 1844 |
| |
| a. Rewrap the key using the public key in migrationKeyAuth, keeping the existing |
| contents of that key. |
| |
| 1845 |
| |
| b. Set randomSize to 0 in the output parameter array |
| |
| 18468. Else |
| 1847 |
| |
| 444 |
| 445 |
| |
| a. Return TPM_BAD_PARAMETER |
| |
| 88 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 446TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 447Specification Version 1.2 |
| |
| 184811.2 |
| |
| TPM_ConvertMigrationBlob |
| |
| 1849Start of informative comment: |
| 1850This command takes a migration blob and creates a normal wrapped blob. The migrated |
| 1851blob must be loaded into the TPM using the normal TPM_LoadKey function. |
| 1852Note that the command migrates private keys, only. The migration of the associated public |
| 1853keys is not specified by TPM because they are not security sensitive. Migration of the |
| 1854associated public keys may be specified in a platform specific specification. A TPM_KEY |
| 1855structure must be recreated before the migrated key can be used by the target TPM in a |
| 1856TPM_LoadKey command. |
| 1857End of informative comment. |
| 1858Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ConvertMigrationBlob. |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| parentHandle |
| |
| Handle of a loaded key that can decrypt keys. |
| |
| 5 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| inDataSize |
| |
| Size of inData |
| |
| 6 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| BYTE [ ] |
| |
| inData |
| |
| The XOR’d and encrypted key |
| |
| 7 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| randomSize |
| |
| Size of random |
| |
| 8 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| BYTE [ ] |
| |
| random |
| |
| Random value used to hide key data. |
| |
| 9 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 10 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 11 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 12 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| parentAuth |
| |
| The authorization session digest that authorizes the inputs and the |
| migration of the key in parentHandle. HMAC key: parentKey.usageAuth |
| |
| 1859 |
| |
| 448Level 2 Revision 116 28 February 2011 |
| 449 |
| |
| 89 |
| TCG Published |
| |
| 450Copyright © TCG |
| 451 |
| 452 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1860Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ConvertMigrationBlob |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| outDataSize |
| |
| The used size of the output area for outData |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| outData |
| |
| The encrypted private key that can be loaded with TPM_LoadKey |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| parentKey.usageAuth |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 1861Action |
| 1862The TPM SHALL perform the following: |
| 18631. Validate the AuthData to use the key in parentHandle |
| 18642. If the keyUsage field of the key referenced by parentHandle does not have the value |
| 1865 |
| TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE |
| 18663. Create d1 by decrypting the inData area using the key in parentHandle |
| 18674. Create o1 by XOR d1 and random parameter |
| 18685. Create m1 a TPM_MIGRATE_ASYMKEY structure, seed and pHash by OAEP decoding o1 |
| 18696. Create k1 by combining seed and the TPM_MIGRATE_ASYMKEY -> partPrivKey field |
| 18707. Create d2 a TPM_STORE_ASYMKEY structure |
| 1871 |
| |
| a. |
| |
| 1872 |
| |
| b. Set d2 -> payload = TPM_PT_ASYM |
| |
| 1873 |
| |
| c. Set d2 -> usageAuth to m1 -> usageAuth |
| |
| 1874 |
| |
| d. Set d2 -> migrationAuth to pHash |
| |
| 1875 |
| |
| e. Set d2 -> pubDataDigest to m1 -> pubDataDigest |
| |
| 1876 |
| |
| f. Set d2 -> privKey field to k1 |
| |
| Verify that m1 -> payload == TPM_PT_MIGRATE |
| |
| 18778. Create outData using the key in parentHandle to perform the encryption |
| |
| 453 |
| 454 |
| |
| 90 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 455TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 456Specification Version 1.2 |
| |
| 187811.3 |
| |
| TPM_AuthorizeMigrationKey |
| |
| 1879Start of informative comment: |
| 1880This command creates an authorization blob, to allow the TPM owner to specify which |
| 1881migration facility they will use and allow users to migrate information without further |
| 1882involvement with the TPM owner. |
| 1883It is the responsibility of the TPM Owner to determine whether migrationKey is appropriate |
| 1884for migration. The TPM checks just the cryptographic strength of migrationKey. |
| 1885End of informative comment. |
| 1886Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_AuthorizeMigrationKey |
| |
| 4 |
| |
| 2 |
| |
| 2S |
| |
| 2 |
| |
| TPM_MIGRATE_SCHEME |
| |
| migrationScheme |
| |
| Type of migration operation that is to be permitted for this key. |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PUBKEY |
| |
| migrationKey |
| |
| The public key to be authorized. |
| |
| 5 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 6 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 7 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 8 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner authorization. |
| HMAC key: ownerAuth. |
| |
| 1887Outgoing Operands and Sizes |
| PARAM |
| # |
| |
| SZ |
| |
| 1 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| TPM_TAG |
| |
| 2 |
| |
| 2 |
| |
| HMAC |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_AuthorizeMigrationKey |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_MIGRATIONKEYAUTH |
| |
| outData |
| |
| Returned public key and authorization session digest. |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC |
| key: ownerAuth. |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 1888 |
| 1889Action |
| 1890The TPM SHALL perform the following: |
| 457Level 2 Revision 116 28 February 2011 |
| 458 |
| |
| 91 |
| TCG Published |
| |
| 459Copyright © TCG |
| 460 |
| 461 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 18911. Check that the cryptographic strength of migrationKey is at least that of a 2048 bit RSA |
| 1892 |
| key. If migrationKey is an RSA key, this means that migrationKey MUST be 2048 bits or |
| 1893 |
| greater and MUST use the default exponent. |
| 18942. Validate the AuthData to use the TPM by the TPM Owner |
| 18953. Create a f1 a TPM_MIGRATIONKEYAUTH structure |
| 18964. Verify |
| that |
| migrationKey-> |
| 1897 |
| TPM_ES_RSAESOAEP_SHA1_MGF1, |
| 1898 |
| TPM_INAPPROPRIATE_ENC if it is not |
| |
| algorithmParms |
| and |
| return |
| |
| -> |
| the |
| |
| encScheme |
| error |
| |
| is |
| code |
| |
| 18995. Set f1 -> migrationKey to the input migrationKey |
| 19006. Set f1 -> migrationScheme to the input migrationScheme |
| 19017. Create |
| v1 |
| by |
| concatenating |
| 1902 |
| TPM_PERMANENT_DATA -> tpmProof) |
| |
| (migrationKey |
| |
| || |
| |
| migrationScheme |
| |
| 19038. Create h1 by performing a SHA-1 hash of v1 |
| 19049. Set f1 -> digest to h1 |
| 190510.Return f1 as outData |
| |
| 462 |
| 463 |
| |
| 92 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| || |
| |
| 464TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 465Specification Version 1.2 |
| |
| 190611.4 |
| |
| TPM_MigrateKey |
| |
| 1907Start of informative comment: |
| 1908The TPM_MigrateKey command performs the function of a migration authority. |
| 1909The command is relatively simple; it just decrypts the input packet (coming from |
| 1910TPM_CreateMigrationBlob or TPM_CMK_CreateBlob) and then re-encrypts it with the input |
| 1911public key. The output of this command would then be sent to TPM_ConvertMigrationBlob |
| 1912or TPM_CMK_ConvertMigration on the target TPM. |
| 1913TPM_MigrateKey does not make ANY assumptions about the contents of the encrypted blob. |
| 1914Since it does not have the XOR string, it cannot actually determine much about the key |
| 1915that is being migrated. |
| 1916This command exists to permit the TPM to be a migration authority. If used in this way, it is |
| 1917expected that the physical security of the system containing the TPM and the AuthData |
| 1918value for the MA key would be tightly controlled. |
| 1919To prevent the execution of this command using any other key as a parent key, this |
| 1920command works only if keyUsage for maKeyHandle is TPM_KEY_MIGRATE. |
| 1921End of informative comment. |
| 1922Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_MigrateKey |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| maKeyHandle |
| |
| Handle of the key to be used to migrate the key. |
| |
| 5 |
| |
| <> |
| |
| 2S |
| |
| <> |
| |
| TPM_PUBKEY |
| |
| pubKey |
| |
| Public key to which the blob is to be migrated |
| |
| 6 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| inDataSize |
| |
| The size of inData |
| |
| 7 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| inData |
| |
| The input blob |
| |
| 8 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| maAuthHandle |
| |
| The authorization session handle used for maKeyHandle. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 9 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with certAuthHandle |
| |
| 10 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 11 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| keyAuth |
| |
| The authorization session digest for the inputs and key to be signed. |
| HMAC key: maKeyHandle.usageAuth. |
| |
| 466Level 2 Revision 116 28 February 2011 |
| 467 |
| |
| 93 |
| TCG Published |
| |
| 468Copyright © TCG |
| 469 |
| 470 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1923Outgoing Operands and Sizes |
| Param |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| Sz |
| |
| 1 |
| |
| # |
| |
| Sz |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_MigrateKey |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| outDataSize |
| |
| The used size of the output area for outData |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| outData |
| |
| The re-encrypted blob |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with certAuthHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag for cert key session |
| |
| TPM_AUTHDATA |
| |
| keyAuth |
| |
| The authorization session digest for the target key. HMAC key: |
| maKeyHandle.usageAuth |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 1924Actions |
| 19251. Validate that keyAuth authorizes the use of the key pointed to by maKeyHandle |
| 19262. The TPM validates that the key pointed to by maKeyHandle has a key usage value of |
| 1927 |
| TPM_KEY_MIGRATE, |
| and |
| that |
| the |
| allowed |
| encryption |
| scheme |
| is |
| 1928 |
| TPM_ES_RSAESOAEP_SHA1_MGF1. |
| 19293. The TPM validates that pubKey is of a size supported by the TPM and that its size is |
| 1930 |
| consistent with the input blob and maKeyHandle. |
| 19314. The TPM decrypts inData and re-encrypts it using pubKey. |
| |
| 471 |
| 472 |
| |
| 94 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 473TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 474Specification Version 1.2 |
| |
| 193211.5 |
| |
| TPM_CMK_SetRestrictions |
| |
| 1933Start of informative comment: |
| 1934This command is used by the Owner to dictate the usage of a certified-migration key with |
| 1935delegated authorization (authorization other than actual owner authorization). |
| 1936This command is provided for privacy reasons and must not itself be delegated, because a |
| 1937certified-migration-key may involve a contractual relationship between the Owner and an |
| 1938external entity. |
| 1939Since restrictions are validated at DSAP session use, there is no need to invalidate DSAP |
| 1940sessions when the restriction value changes. |
| 1941End of informative comment. |
| 1942Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes incl. paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal: TPM_ORD_CMK_SetRestrictions |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_CMK_DELEGATE |
| |
| restriction |
| |
| The bit mask of how to set the restrictions on CMK keys |
| |
| 5 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle TPM Owner authentication |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 6 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 7 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 8 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest. HMAC key:ownerAuth |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 1943Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes |
| |
| 3 |
| |
| 4 |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal: TPM_ORD_CMK_SetRestrictions |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization HMAC key: ownerAuth. |
| |
| 20 |
| |
| 1944Description |
| 1945TPM_PERMANENT_DATA -> restrictDelegate is used as follows |
| 19461. If the session type is TPM_PID_DSAP and TPM_KEY -> keyFlags -> migrateAuthority is |
| 1947 |
| TRUE |
| 475Level 2 Revision 116 28 February 2011 |
| 476 |
| |
| 95 |
| TCG Published |
| |
| 477Copyright © TCG |
| 478 |
| 479 |
| |
| 1948 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| a. If |
| |
| 1949TPM_KEY_USAGE |
| is |
| TPM_KEY_SIGNING |
| 1950TPM_CMK_DELEGATE_SIGNING is TRUE, or |
| |
| and |
| |
| restrictDelegate |
| |
| -> |
| |
| 1951TPM_KEY_USAGE |
| is |
| TPM_KEY_STORAGE |
| 1952TPM_CMK_DELEGATE_STORAGE is TRUE, or |
| |
| and |
| |
| restrictDelegate |
| |
| -> |
| |
| 1953TPM_KEY_USAGE is TPM_KEY_BIND and restrictDelegate -> TPM_CMK_DELEGATE_BIND |
| 1954is TRUE, or |
| 1955TPM_KEY_USAGE |
| is |
| TPM_KEY_LEGACY |
| 1956TPM_CMK_DELEGATE_LEGACY is TRUE, or |
| |
| and |
| |
| restrictDelegate |
| |
| -> |
| |
| 1957TPM_KEY_USAGE |
| is |
| TPM_KEY_MIGRATE |
| 1958TPM_CMK_DELEGATE_MIGRATE is TRUE |
| |
| and |
| |
| restrictDelegate |
| |
| -> |
| |
| 1959then the key can be used. |
| 1960 |
| |
| b. Else return TPM_INVALID_KEYUSAGE. |
| |
| 1961Actions |
| 19621. Validate the ordinal and parameters using TPM Owner authentication, return |
| 1963 |
| TPM_AUTHFAIL on error |
| 19642. Set TPM_PERMANENT_DATA -> TPM_CMK_DELEGATE -> restrictDelegate = restriction |
| 19653. Return TPM_SUCCESS |
| |
| 480 |
| 481 |
| |
| 96 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 482TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 483Specification Version 1.2 |
| |
| 196611.6 |
| |
| TPM_CMK_ApproveMA |
| |
| 1967Start of informative comment: |
| 1968This command creates an authorization ticket, to allow the TPM owner to specify which |
| 1969Migration Authorities they approve and allow users to create certified-migration-keys |
| 1970without further involvement with the TPM owner. |
| 1971It is the responsibility of the TPM Owner to determine whether a particular Migration |
| 1972Authority is suitable to control migration |
| 1973End of informative comment. |
| 1974Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CMK_ApproveMA |
| |
| 4 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| migrationAuthorityDigest |
| |
| A digest of a TPM_MSA_COMPOSITE structure (itself one or more |
| digests of public keys belonging to migration authorities) |
| |
| 5 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 6 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 7 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 8 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| Authorization HMAC, key: ownerAuth. |
| |
| 1975Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CMK_ApproveMA |
| |
| 4 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_HMAC |
| |
| outData |
| |
| HMAC of migrationAuthorityDigest |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization HMAC, key: ownerAuth. |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 1976Action |
| 1977The TPM SHALL perform the following: |
| 19781. Validate the AuthData to use the TPM by the TPM Owner |
| 19792. Create M2 a TPM_CMK_MA_APPROVAL structure |
| 484Level 2 Revision 116 28 February 2011 |
| 485 |
| |
| 97 |
| TCG Published |
| |
| 486Copyright © TCG |
| 487 |
| 488 |
| |
| 1980 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| a. Set M2 ->migrationAuthorityDigest to migrationAuthorityDigest |
| |
| 19813. Set outData = HMAC(M2) using tpmProof as the secret |
| 19824. Return TPM_SUCCESS |
| |
| 489 |
| 490 |
| |
| 98 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 491TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 492Specification Version 1.2 |
| |
| 198311.7 |
| |
| TPM_CMK_CreateKey |
| |
| 1984Start of informative comment: |
| 1985The TPM_CMK_CreateKey command both generates and creates a secure storage bundle for |
| 1986asymmetric keys whose migration is controlled by a migration authority. |
| 1987TPM_CMK_CreateKey is very similar to TPM_CreateWrapKey, but: (1) the resultant key must |
| 1988be a migratable key and can be migrated only by TPM_CMK_CreateBlob; (2) the command is |
| 1989Owner authorized via a ticket. |
| 1990TPM_CMK_CreateKey creates an otherwise normal migratable key except that (1) |
| 1991migrationAuth is an HMAC of the migration authority and the new key’s public key, signed |
| 1992by tpmProof (instead of being tpmProof); (2) the migrationAuthority bit is set TRUE; (3) the |
| 1993payload type is TPM_PT_MIGRATE_RESTRICTED. |
| 1994The migration-selection/migration authority is specified by passing in a public key (actually |
| 1995the digests of one or more public keys, so more than one migration authority can be |
| 1996specified). |
| 1997End of informative comment. |
| 1998Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CMK_CreateKey |
| |
| TPM_KEY_HANDLE |
| |
| parentHandle |
| |
| Handle of a loaded key that can perform key wrapping. |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| dataUsageAuth |
| |
| Encrypted usage AuthData for the key. |
| |
| 3S |
| |
| <> |
| |
| TPM_KEY12 |
| |
| keyInfo |
| |
| Information about key to be created, pubkey.keyLength and |
| keyInfo.encData elements are 0. MUST be TPM_KEY12 |
| |
| 20 |
| |
| 4S |
| |
| 20 |
| |
| TPM_HMAC |
| |
| migrationAuthorityApproval |
| |
| A ticket, created by the TPM Owner using TPM_CMK_ApproveMA, |
| approving a TPM_MSA_COMPOSITE structure |
| |
| 8 |
| |
| 20 |
| |
| 5S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| migrationAuthorityDigest |
| |
| The digest of a TPM_MSA_COMPOSITE structure |
| |
| 9 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for parent key authorization. |
| Must be an OSAP session. |
| |
| # |
| |
| SZ |
| |
| # |
| |
| 1 |
| 2 |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| 5 |
| |
| 20 |
| |
| 2S |
| |
| 6 |
| |
| <> |
| |
| 7 |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 10 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 11 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Ignored |
| |
| 12 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| pubAuth |
| |
| The authorization session digest that authorizes the use of the public |
| key in parentHandle. HMAC key: parentKey.usageAuth. |
| |
| 493Level 2 Revision 116 28 February 2011 |
| 494 |
| |
| 99 |
| TCG Published |
| |
| 495Copyright © TCG |
| 496 |
| 497 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 1999Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CMK_CreateKey |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_KEY12 |
| |
| wrappedKey |
| |
| The TPM_KEY structure which includes the public and encrypted private |
| key. MUST be TPM_KEY12 |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, fixed at FALSE |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| parentKey.usageAuth. |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 2000Actions |
| 2001The TPM SHALL do the following: |
| 20021. Validate the AuthData to use the key pointed to by parentHandle. Return |
| 2003 |
| TPM_AUTHFAIL on any error |
| 20042. Validate the session type for parentHandle is OSAP |
| 20053. If the TPM is not designed to create a key of the type requested in keyInfo, return the |
| 2006 |
| error code TPM_BAD_KEY_PROPERTY |
| 20074. Verify that parentHandle->keyUsage equals TPM_KEY_STORAGE |
| 20085. Verify that parentHandle-> keyFlags-> migratable == FALSE |
| 20096. If keyInfo -> keyFlags -> migratable is FALSE, return TPM_INVALID_KEYUSAGE |
| 20107. If keyInfo -> keyFlags -> migrateAuthority is FALSE , return TPM_INVALID_KEYUSAGE |
| 20118. Verify that the migration authority is authorized |
| 2012 |
| |
| a. Create M1 a TPM_CMK_MA_APPROVAL structure |
| |
| 2013 |
| 2014 |
| 2015 |
| |
| i. |
| |
| Set M1 ->migrationAuthorityDigest to migrationAuthorityDigest |
| |
| b. Verify that migrationAuthorityApproval == HMAC(M1) using tpmProof as the secret |
| and return error TPM_MA_AUTHORITY on mismatch |
| |
| 20169. Validate key parameters |
| 2017 |
| 2018 |
| |
| a. keyInfo |
| -> |
| keyUsage |
| MUST |
| NOT |
| be |
| TPM_KEY_IDENTITY |
| TPM_KEY_AUTHCHANGE. If it is, return TPM_INVALID_KEYUSAGE |
| |
| 201910.If TPM_PERMANENT_FLAGS -> FIPS is TRUE then |
| 2020 |
| |
| a. If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS |
| |
| 2021 |
| |
| b. If keyInfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS |
| |
| 2022 |
| |
| c. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS |
| |
| 498 |
| 499 |
| |
| 100 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| or |
| |
| 500TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 501Specification Version 1.2 |
| |
| 202311.If keyInfo -> keyUsage equals TPM_KEY_STORAGE or TPM_KEY_MIGRATE |
| 2024 |
| |
| a. algorithmID MUST be TPM_ALG_RSA |
| |
| 2025 |
| |
| b. encScheme MUST be TPM_ES_RSAESOAEP_SHA1_MGF1 |
| |
| 2026 |
| |
| c. sigScheme MUST be TPM_SS_NONE |
| |
| 2027 |
| |
| d. key size MUST be 2048 |
| |
| 2028 |
| |
| e. exponentSize MUST be 0 |
| |
| 202912.If keyInfo -> tag is NOT TPM_TAG_KEY12 return error TPM_INVALID_STRUCTURE |
| 203013.Map wrappedKey to a TPM_KEY12 structure |
| 203114.Create DU1 by decrypting dataUsageAuth according to the ADIP indicated by |
| 2032 |
| authHandle. |
| 203315.Set continueAuthSession to FALSE |
| 203416.Generate asymmetric key according to algorithm information in keyInfo |
| 203517.Fill in the wrappedKey structure with information from the newly generated key. |
| 2036 |
| |
| a. Set wrappedKey -> encData -> usageAuth to DU1 |
| |
| 2037 |
| |
| b. Set wrappedKey -> encData -> payload to TPM_PT_MIGRATE_RESTRICTED |
| |
| 2038 |
| 2039 |
| |
| c. Create thisPubKey, a TPM_PUBKEY structure containing wrappedKey’s public key |
| and algorithm parameters |
| |
| 2040 |
| |
| d. Create M2 a TPM_CMK_MIGAUTH structure |
| |
| 2041 |
| |
| i. |
| |
| 2042 |
| |
| ii. Set M2 -> pubKeyDigest to SHA-1 (thisPubKey) |
| |
| 2043 |
| 2044 |
| |
| Set M2 -> msaDigest to migrationAuthorityDigest |
| |
| e. Set wrappedKey -> encData -> migrationAuth equal to HMAC(M2), using tpmProof as |
| the shared secret |
| |
| 204518.If keyInfo->PCRInfoSize is non-zero |
| 2046 |
| |
| a. Set wrappedKey -> pcrInfo to a TPM_PCR_INFO_LONG structure |
| |
| 2047 |
| |
| b. Set wrappedKey -> pcrInfo to keyInfo -> pcrInfo |
| |
| 2048 |
| 2049 |
| |
| c. Set wrappedKey -> digestAtCreation to the TPM_COMPOSITE_HASH indicated by |
| creationPCRSelection |
| |
| 2050 |
| |
| d. Set wrappedKey -> localityAtCreation to TPM_STANY_FLAGS -> localityModifier |
| |
| 205119.Encrypt the private portions of the wrappedKey structure using the key in parentHandle |
| 205220.Return the newly generated key in the wrappedKey parameter |
| |
| 502Level 2 Revision 116 28 February 2011 |
| 503 |
| |
| 101 |
| TCG Published |
| |
| 504Copyright © TCG |
| 505 |
| 506 |
| |
| 205311.8 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_CMK_CreateTicket |
| |
| 2054Start of informative comment: |
| 2055The TPM_CMK_CreateTicket command uses a public key to verify the signature over a |
| 2056digest. |
| 2057TPM_CMK_CreateTicket returns a ticket that can be used to prove to the same TPM that |
| 2058signature verification with a particular public key was successful. |
| 2059End of informative comment. |
| 2060Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CMK_CreateTicket |
| |
| <> |
| |
| TPM_PUBKEY |
| |
| verificationKey |
| |
| The public key to be used to check signatureValue |
| |
| 3S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| signedData |
| |
| The data to be verified |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| signatureValueSize |
| |
| The size of the signatureValue |
| |
| 7 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| BYTE[] |
| |
| signatureValue |
| |
| The signatureValue to be verified |
| |
| 8 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| 2 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| 4 |
| |
| <> |
| |
| 2S |
| |
| 5 |
| |
| 20 |
| |
| 6 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 9 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 10 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Ignored |
| |
| 11 |
| |
| 507 |
| 508 |
| |
| 20 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| pubAuth |
| |
| The authorization session digest for inputs and owner. HMAC key: |
| ownerAuth. |
| |
| 102 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 509TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 510Specification Version 1.2 |
| |
| 2061Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CMK_CreateTicket |
| |
| 4 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_HMAC |
| |
| sigTicket |
| |
| Ticket that proves digest created on this TPM |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization. HMAC key:. ownerAuth. |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 2062Actions |
| 2063The TPM SHALL do the following: |
| 20641. Validate the TPM Owner authentication to use the command |
| 20652. Validate that the key type and algorithm are correct |
| 2066 |
| |
| a. Validate that verificationKey -> algorithmParms -> algorithmID == TPM_ALG_RSA |
| |
| 2067 |
| |
| b. Validate that verificationKey -> algorithmParms ->encScheme == TPM_ES_NONE |
| |
| 2068 |
| 2069 |
| |
| c. Validate |
| that |
| verificationKey |
| ->algorithmParms |
| ->sigScheme |
| TPM_SS_RSASSAPKCS1v15_SHA1 or TPM_SS_RSASSAPKCS1v15_INFO |
| |
| is |
| |
| 20703. Use verificationKey to verify that signatureValue is a valid signature on signedData, and |
| 2071 |
| return error TPM_BAD_SIGNATURE on mismatch |
| 20724. Create M2 a TPM_CMK_SIGTICKET |
| 2073 |
| |
| a. Set M2 -> verKeyDigest to the SHA-1 (verificationKey) |
| |
| 2074 |
| |
| b. Set M2 -> signedData to signedData |
| |
| 20755. Set sigTicket = HMAC(M2) signed by using tpmProof as the secret |
| 20766. Return TPM_SUCCESS |
| |
| 511Level 2 Revision 116 28 February 2011 |
| 512 |
| |
| 103 |
| TCG Published |
| |
| 513Copyright © TCG |
| 514 |
| 515 |
| |
| 207711.9 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_CMK_CreateBlob |
| |
| 2078Start of informative comment: |
| 2079TPM_CMK_CreateBlob command is very similar to TPM_CreateMigrationBlob, except that it: |
| 2080(1) uses an extra ticket (restrictedKeyAuth) instead of a migrationAuth authorization |
| 2081session; |
| (2) |
| uses |
| the |
| migration |
| options |
| TPM_MS_RESTRICT_MIGRATE |
| or |
| 2082TPM_MS_RESTRICT_APPROVE; (3) produces a wrapped key blob whose migrationAuth is |
| 2083independent of tpmProof. |
| 2084If the destination (parent) public key is the MA, migration is implicitly permitted. Further |
| 2085checks are required if the MA is not the destination (parent) public key, and merely selects |
| 2086a migration destination: (1) sigTicket must prove that restrictTicket was signed by the MA; |
| 2087(2) restrictTicket must vouch that the target public key is approved for migration to the |
| 2088destination (parent) public key. (Obviously, this more complex method may also be used by |
| 2089an MA to approve migration to that MA.) In both cases, the MA must be one of the MAs |
| 2090implicitly listed in the migrationAuth of the target key-to-be-migrated. |
| 2091When the migrationType is TPM_MS_RESTRICT_MIGRATE, restrictTicket and sigTicket are |
| 2092unused. The TPM may test that the corresponding sizes are zero, so the caller should set |
| 2093them to zero for interoperability. |
| 2094End of informative comment. |
| |
| 516 |
| 517 |
| |
| 104 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 518TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 519Specification Version 1.2 |
| |
| 2095Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CMK_CreateBlob |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| parentHandle |
| |
| Handle of the parent key that can decrypt encData. |
| |
| 5 |
| |
| 2 |
| |
| 2S |
| |
| 2 |
| |
| TPM_MIGRATE_SCHEME |
| |
| migrationType |
| |
| The migration type, either TPM_MS_RESTRICT_MIGRATE or TPM_MS_RESTRICT_APPROVE. |
| |
| 6 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_MIGRATIONKEYAUTH |
| |
| migrationKeyAuth |
| |
| Migration public key and its authorization session digest. |
| |
| 7 |
| |
| 20 |
| |
| 4S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| pubSourceKeyDigest |
| |
| The digest of the TPM_PUBKEY of the entity to be migrated |
| |
| 8 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| msaListSize |
| |
| The size of the msaList parameter, which is a variable length |
| TPM_MSA_COMPOSITE structure |
| |
| 9 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| TPM_MSA_COMPOSITE |
| |
| msaList |
| |
| One or more digests of public keys belonging to migration authorities |
| |
| 10 |
| |
| 4 |
| |
| 7S |
| |
| 4 |
| |
| UINT32 |
| |
| restrictTicketSize |
| |
| The size of the restrictTicket parameter |
| |
| 11 |
| |
| <> |
| |
| 8S |
| |
| <> |
| |
| BYTE[] |
| |
| restrictTicket |
| |
| If migrationType is TPM_MS_RESTRICT_APPROVE, a TPM_CMK_AUTH structure, containing the digests of the public keys |
| belonging to the Migration Authority, the destination parent key and the key-to-be-migrated. |
| |
| 12 |
| |
| 4 |
| |
| 9S |
| |
| 4 |
| |
| UINT32 |
| |
| sigTicketSize |
| |
| The size of the sigTicket parameter |
| |
| 13 |
| |
| <> |
| |
| 10S |
| |
| <> |
| |
| BYTE[] |
| |
| sigTicket |
| |
| If migrationType is TPM_MS_RESTRICT_APPROVE, a TPM_HMAC |
| structure, generated by the TPM, signaling a valid signature over |
| restrictTicket |
| |
| 14 |
| |
| 4 |
| |
| 11S |
| |
| 4 |
| |
| UINT32 |
| |
| encDataSize |
| |
| The size of the encData parameter |
| |
| 15 |
| |
| <> |
| |
| 12S |
| |
| <> |
| |
| BYTE[] |
| |
| encData |
| |
| The encrypted entity that is to be modified. |
| |
| 16 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| parentAuthHandle |
| |
| The authorization session handle used for the parent key. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 17 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with parentAuthHandle |
| |
| 18 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag for parent session |
| |
| 19 |
| |
| 20 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| parentAuth |
| |
| HMAC key: parentKey.usageAuth. |
| |
| 520Level 2 Revision 116 28 February 2011 |
| 521 |
| |
| 105 |
| TCG Published |
| |
| 522Copyright © TCG |
| 523 |
| 524 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 2096Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CMK_CreateBlob |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| randomSize |
| |
| The used size of the output area for random |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| random |
| |
| String used for xor encryption |
| |
| 6 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| outDataSize |
| |
| The used size of the output area for outData |
| |
| 7 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[ ] |
| |
| outData |
| |
| The modified, encrypted entity. |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 4H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with parentAuthHandle |
| |
| 5H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag for parent key session |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| HMAC key: parentKey.usageAuth. |
| |
| 9 |
| |
| 1 |
| |
| 10 |
| |
| 20 |
| |
| 2097Description |
| 2098The TPM does not check the PCR values when migrating values locked to a PCR. |
| 2099Actions |
| 21001. Validate that parentAuth authorizes the use of the key pointed to by parentHandle. |
| 21012. The TPM MAY verify that migrationType == migrationKeyAuth -> migrationScheme and |
| 2102 |
| return TPM_BAD_MODE on error. |
| 2103 |
| |
| a. The TPM MAY ignore migrationType. |
| |
| 21043. Verify that parentHandle-> keyFlags-> migratable == FALSE |
| 21054. Create d1 by decrypting encData using the key pointed to by parentHandle. |
| 21065. Verify that the digest within migrationKeyAuth is legal for this TPM and public key |
| 21076. Verify |
| that |
| d1 |
| -> |
| payload |
| 2108 |
| TPM_PT_MIGRATE_EXTERNAL |
| |
| == |
| |
| TPM_PT_MIGRATE_RESTRICTED |
| |
| or |
| |
| 21097. Verify that the migration authorities in msaList are authorized to migrate this key |
| 2110 |
| |
| a. Create M2 a TPM_CMK_MIGAUTH structure |
| |
| 2111 |
| |
| i. |
| |
| 2112 |
| |
| ii. Set M2 -> pubKeyDigest to pubSourceKeyDigest |
| |
| 2113 |
| 2114 |
| |
| Set M2 -> msaDigest to SHA-1[msaList] |
| |
| b. Verify that d1 -> migrationAuth == HMAC(M2) using tpmProof as the secret and |
| return error TPM_MA_AUTHORITY on mismatch |
| |
| 21158. If migrationKeyAuth -> migrationScheme == TPM_MS_RESTRICT_MIGRATE |
| 2116 |
| |
| 525 |
| 526 |
| |
| a. Verify that intended migration destination is an MA: |
| |
| 106 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 527TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 528Specification Version 1.2 |
| |
| 2117 |
| 2118 |
| 2119 |
| |
| i. For one of n=1 to n=(msaList -> MSAlist), verify that SHA-1[migrationKeyAuth |
| -> migrationKey] == msaList -> migAuthDigest[n] |
| b. Validate that the MA key is the correct type |
| |
| 2120 |
| 2121 |
| |
| i. Validate that migrationKeyAuth -> migrationKey -> algorithmParms -> |
| algorithmID == TPM_ALG_RSA |
| |
| 2122 |
| 2123 |
| |
| ii. Validate that migrationKeyAuth -> migrationKey -> algorithmParms -> |
| encScheme is an encryption scheme supported by the TPM |
| |
| 2124 |
| 2125 |
| |
| iii. Validate that migrationKeyAuth |
| sigScheme is TPM_SS_NONE |
| |
| 2126 |
| |
| c. The TPM MAY validate that restrictTicketSize is zero. |
| |
| 2127 |
| |
| d. The TPM MAY validate that sigTicketSize is zero. |
| |
| -> |
| |
| migrationKey |
| |
| ->algorithmParms |
| |
| -> |
| |
| 21289. else If migrationKeyAuth -> migrationScheme == TPM_MS_RESTRICT_APPROVE |
| 2129 |
| 2130 |
| 2131 |
| 2132 |
| |
| a. Verify that the intended migration destination has been approved by the MSA: |
| i. Verify that for one of the n=1 to n=(msaList -> MSAlist) values of msaList -> |
| migAuthDigest[n], sigTicket == HMAC (V1) using tpmProof as the secret where V1 |
| is a TPM_CMK_SIGTICKET structure such that: |
| |
| 2133 |
| |
| (1) |
| |
| V1 -> verKeyDigest = msaList -> migAuthDigest[n] |
| |
| 2134 |
| |
| (2) |
| |
| V1 -> signedData = SHA-1[restrictTicket] |
| |
| 2135 |
| 2136 |
| |
| ii. If [restrictTicket -> destinationKeyDigest] != SHA-1[migrationKeyAuth -> |
| migrationKey], return error TPM_MA_DESTINATION |
| |
| 2137 |
| 2138 |
| |
| iii. If [restrictTicket -> sourceKeyDigest] != pubSourceKeyDigest, return error |
| TPM_MA_SOURCE |
| |
| 213910.Else return with error TPM_BAD_PARAMETER. |
| 214011.Build two bytes array, K1 and K2, using d1: |
| 2141 |
| 2142 |
| 2143 |
| |
| a. K1 |
| = |
| TPM_STORE_ASYMKEY.privKey[0..19] |
| (TPM_STORE_ASYMKEY.privKey.keyLength |
| + |
| 16 |
| bytes |
| of |
| TPM_STORE_ASYMKEY.privKey.key), sizeof(K1) = 20 |
| |
| 2144 |
| 2145 |
| |
| b. K2 |
| = |
| TPM_STORE_ASYMKEY.privKey[20..131] |
| TPM_STORE_ASYMKEY . privKey.key), sizeof(K2) = 112 |
| |
| (position |
| |
| 16-127 |
| |
| of |
| |
| 214612.Build M1 a TPM_MIGRATE_ASYMKEY structure |
| 2147 |
| |
| a. TPM_MIGRATE_ASYMKEY.payload = TPM_PT_CMK_MIGRATE |
| |
| 2148 |
| |
| b. TPM_MIGRATE_ASYMKEY.usageAuth = TPM_STORE_ASYMKEY.usageAuth |
| |
| 2149 |
| |
| c. TPM_MIGRATE_ASYMKEY.pubDataDigest = TPM_STORE_ASYMKEY. pubDataDigest |
| |
| 2150 |
| |
| d. TPM_MIGRATE_ASYMKEY.partPrivKeyLen = 112 – 127. |
| |
| 2151 |
| |
| e. TPM_MIGRATE_ASYMKEY.partPrivKey = K2 |
| |
| 215213.Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the OAEP |
| 2153 |
| encoding of m using OAEP parameters m, pHash, and seed |
| 2154 |
| |
| a. m is the previously created M1 |
| |
| 529Level 2 Revision 116 28 February 2011 |
| 530 |
| |
| 107 |
| TCG Published |
| |
| 531Copyright © TCG |
| 532 |
| 533 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 2155 |
| |
| b. pHash = SHA-1( SHA-1[msaList] || pubSourceKeyDigest) |
| |
| 2156 |
| |
| c. seed = s1 = the previously created K1 |
| |
| 215714.Create r1 a random value from the TPM RNG. The size of r1 MUST be the size of o1. |
| 2158 |
| Return r1 in the random parameter |
| 215915.Create x1 by XOR of o1 with r1 |
| 216016.Copy r1 into the output field “random” |
| 216117.Encrypt x1 with the migrationKeyAuth-> migrationKey |
| |
| 534 |
| 535 |
| |
| 108 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 536TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 537Specification Version 1.2 |
| |
| 216211.10 |
| |
| TPM_CMK_ConvertMigration |
| |
| 2163Start of informative comment: |
| 2164TPM_CMK_ConvertMigration completes the migration of certified migration blobs. |
| 2165This command takes a certified migration blob and creates a normal wrapped blob with |
| 2166payload type TPM_PT_MIGRATE_EXTERNAL. The migrated blob must be loaded into the |
| 2167TPM using the normal TPM_LoadKey function. |
| 2168Note that the command migrates private keys, only. The migration of the associated public |
| 2169keys is not specified by TPM because they are not security sensitive. Migration of the |
| 2170associated public keys may be specified in a platform specific specification. A TPM_KEY |
| 2171structure must be recreated before the migrated key can be used by the target TPM in a |
| 2172TPM_LoadKey command. |
| 2173TPM_CMK_ConvertMigration checks that one of the MAs implicitly listed in the |
| 2174migrationAuth of the target key has approved migration of the target key to the destination |
| 2175(parent) key, and that the settings (flags etc.) in the target key are those of a CMK. |
| 2176End of informative comment. |
| 2177Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CMK_ConvertMigration |
| |
| TPM_KEY_HANDLE |
| |
| parentHandle |
| |
| Handle of a loaded key that can decrypt keys. |
| |
| 60 |
| |
| TPM_CMK_AUTH |
| |
| restrictTicket |
| |
| The digests of public keys belonging to the Migration Authority, the |
| destination parent key and the key-to-be-migrated. |
| |
| 3S |
| |
| 20 |
| |
| TPM_HMAC |
| |
| sigTicket |
| |
| A signature ticket, generated by the TPM, signaling a valid signature |
| over restrictTicket |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| TPM_KEY12 |
| |
| migratedKey |
| |
| The public key of the key-to-be-migrated. The private portion MUST be |
| TPM_MIGRATE_ASYMKEY properly XOR’d |
| |
| 8 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| msaListSize |
| |
| The size of the msaList parameter, which is a variable length |
| TPM_MSA_COMPOSITE structure |
| |
| 9 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| TPM_MSA_COMPOSITE |
| |
| msaList |
| |
| One or more digests of public keys belonging to migration authorities |
| |
| 10 |
| |
| 4 |
| |
| 7S |
| |
| 4 |
| |
| UINT32 |
| |
| randomSize |
| |
| Size of random |
| |
| 11 |
| |
| <> |
| |
| 8S |
| |
| <> |
| |
| BYTE [ ] |
| |
| random |
| |
| Random value used to hide key data. |
| |
| 12 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle. |
| |
| # |
| |
| SZ |
| |
| # |
| |
| 1 |
| 2 |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| 5 |
| |
| 60 |
| |
| 2S |
| |
| 6 |
| |
| 20 |
| |
| 7 |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 13 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 14 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 15 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| parentAuth |
| |
| Authorization HMAC: parentKey.usageAuth |
| |
| 538Level 2 Revision 116 28 February 2011 |
| 539 |
| |
| 109 |
| TCG Published |
| |
| 540Copyright © TCG |
| 541 |
| 542 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 2178Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CMK_ConvertMigration |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| outDataSize |
| |
| The used size of the output area for outData |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| outData |
| |
| The encrypted private key that can be loaded with TPM_LoadKey |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization HMAC key .usageAuth |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 2179Action |
| 21801. Validate the AuthData to use the key in parentHandle |
| 21812. If the keyUsage field of the key referenced by parentHandle does not have the value |
| 2182 |
| TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE |
| 21833. Create d1 by decrypting the migratedKey -> encData area using the key in parentHandle |
| 21844. Create o1 by XOR d1 and random parameter |
| 21855. Create m1 a TPM_MIGRATE_ASYMKEY, seed and pHash by OAEP decoding o1 |
| 21866. Create migratedPubKey a TPM_PUBKEY structure corresponding to migratedKey |
| 2187 |
| |
| a. Verify that pHash == SHA-1( SHA-1[msaList] || SHA-1(migratedPubKey ) |
| |
| 21887. Create k1 by combining seed and the TPM_MIGRATE_ASYMKEY -> partPrivKey field |
| 21898. Create d2 a TPM_STORE_ASYMKEY structure. |
| 2190 |
| |
| a. Set the TPM_STORE_ASYMKEY -> privKey field to k1 |
| |
| 2191 |
| |
| b. Set d2 -> usageAuth to m1 -> usageAuth |
| |
| 2192 |
| |
| c. Set d2 -> pubDataDigest to m1 -> pubDataDigest |
| |
| 21939. Verify that parentHandle-> keyFlags -> migratable == FALSE |
| 219410.Verify that m1 -> payload == TPM_PT_CMK_MIGRATE then set d2-> payload = |
| 2195 |
| TPM_PT_MIGRATE_EXTERNAL |
| 219611.Verify that for one of the n=1 to n=(msaList -> MSAlist) values of msaList -> |
| 2197 |
| migAuthDigest[n] sigTicket == HMAC (V1) using tpmProof as the secret where V1 is a |
| 2198 |
| TPM_CMK_SIGTICKET structure such that: |
| 2199 |
| |
| a. V1 -> verKeyDigest = msaList -> migAuthDigest[n] |
| |
| 2200 |
| |
| b. V1 -> signedData = SHA-1[restrictTicket] |
| |
| 220112.Create parentPubKey, a TPM_PUBKEY structure corresponding to parentHandle |
| 543 |
| 544 |
| |
| 110 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 545TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 546Specification Version 1.2 |
| |
| 220213.If [restrictTicket -> destinationKeyDigest] != SHA-1(parentPubKey), return error |
| 2203 |
| TPM_MA_DESTINATION |
| 220414.Verify that migratedKey is corresponding to d2 |
| 220515.If migratedKey -> keyFlags |
| 2206 |
| TPM_INVALID_KEYUSAGE |
| |
| -> |
| |
| migratable |
| |
| 220716.If migratedKey -> keyFlags |
| 2208 |
| TPM_INVALID_KEYUSAGE |
| |
| -> |
| |
| migrateAuthority |
| |
| 220917.If [restrictTicket -> |
| 2210 |
| TPM_MA_SOURCE |
| |
| sourceKeyDigest] |
| |
| != |
| |
| is |
| |
| FALSE, |
| is |
| |
| and |
| |
| return |
| |
| error |
| |
| FALSE, |
| |
| return |
| |
| error |
| |
| return |
| |
| error |
| |
| SHA-1(migratedPubKey), |
| |
| 221118.Create M2 a TPM_CMK_MIGAUTH structure |
| 2212 |
| |
| a. Set M2 -> msaDigest to SHA-1[msaList] |
| |
| 2213 |
| |
| b. Set M2 -> pubKeyDigest to SHA-1[migratedPubKey] |
| |
| 221419.Set d2 -> migrationAuth = HMAC(M2) using tpmProof as the secret |
| 221520.Create outData using the key in parentHandle to perform the encryption |
| |
| 547Level 2 Revision 116 28 February 2011 |
| 548 |
| |
| 111 |
| TCG Published |
| |
| 549Copyright © TCG |
| 550 |
| 551 |
| |
| 221612. |
| Maintenance |
| 2217Start of informative comment: |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Functions (optional) |
| |
| 2218When a maintenance archive is created with generateRandom FALSE, the maintenance blob |
| 2219is XOR encrypted with the owner authorization before encryption with the maintenance |
| 2220public key. This prevents the manufacturer from obtaining plaintext data. The receiving |
| 2221TPM must have the same owner authorization as the sending TPM in order to XOR decrypt |
| 2222the archive. |
| 2223When generateRandom is TRUE, the maintenance blob is XOR encrypted with random data, |
| 2224which is also returned. This permits someone trusted by the Owner to load the |
| 2225maintenance archive into the replacement platform in the absence of the Owner and |
| 2226manufacturer, without the Owner having to reveal information about his auth value. The |
| 2227receiving and sending TPM's may have different owner authorizations. The random data is |
| 2228transferred from the sending TPM owner to the receiving TPM owner out of band, so the |
| 2229maintenance blob remains hidden from the manufacturer. |
| 2230This is a typical maintenance sequence: |
| 22311. Manufacturer: |
| 2232• |
| |
| generates maintenance key pair |
| |
| 2233• |
| |
| gives public key to TPM1 owner |
| |
| 22342. TPM1: TPM_LoadManuMaintPub |
| 2235• |
| |
| load maintenance public key |
| |
| 22363. TPM1: TPM_CreateMaintenanceArchive |
| 2237• |
| |
| XOR encrypt with owner auth or random |
| |
| 2238• |
| |
| encrypt the maintenance archive with maintenance public key |
| |
| 22394. TPM2: |
| 2240• |
| |
| Take ownership |
| |
| 2241• |
| |
| Create and activate an AIK |
| |
| 2242• |
| |
| Certify the SRK with the AIK, proving that the SRK came from a legitimate TPM |
| |
| 22434. Manufacturer: |
| 2244• |
| |
| decrypt maintenance archive with maintenance private key |
| |
| 2245• |
| |
| (still XOR encrypted with owner auth or random) |
| |
| 2246• |
| |
| validate the TPM2 SRK certification |
| |
| 2247• |
| |
| encrypt the maintenance archive with TPM2 SRK public key |
| |
| 22485. TPM2: TPM_LoadMaintenanceArchive |
| 2249• |
| |
| decrypt the maintenance archive with SRK private key |
| |
| 2250• |
| |
| XOR decrypt with owner auth or random |
| |
| 2251End of informative comment. |
| 552 |
| 553 |
| |
| 112 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 554TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 555Specification Version 1.2 |
| |
| 2252 |
| |
| 556Level 2 Revision 116 28 February 2011 |
| 557 |
| |
| 113 |
| TCG Published |
| |
| 558Copyright © TCG |
| 559 |
| 560 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 2253 |
| 225412.1 |
| |
| TPM_CreateMaintenanceArchive |
| |
| 2255Start of informative comment: |
| 2256This command creates the maintenance archive. It can only be executed by the owner, and |
| 2257may be shut off with the TPM_KillMaintenanceFeature command. |
| 2258End of informative comment. |
| 2259Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Cmd ordinal: TPM_ORD_CreateMaintenanceArchive |
| |
| 4 |
| |
| 1 |
| |
| 2S |
| |
| 1 |
| |
| BOOL |
| |
| generateRandom |
| |
| Use RNG or Owner auth to generate ‘random’. |
| |
| 5 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 7 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 8 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| HMAC key: ownerAuth. |
| |
| 6 |
| |
| 2260Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| # |
| |
| Type |
| |
| SZ |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Cmd ordinal: TPM_ORD_CreateMaintenanceArchive |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| randomSize |
| |
| Size of the returned random data. Will be 0 if generateRandom is FALSE. |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE [ ] |
| |
| random |
| |
| Random data to XOR with result. |
| |
| 6 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| archiveSize |
| |
| Size of the encrypted archive |
| |
| 7 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE [ ] |
| |
| archive |
| |
| Encrypted key archive. |
| |
| 8 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth. |
| |
| 9 |
| |
| 1 |
| |
| 10 |
| |
| 20 |
| |
| 2261Actions |
| 2262Upon authorization being confirmed this command does the following: |
| 561 |
| 562 |
| |
| 114 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 563TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 564Specification Version 1.2 |
| |
| 22631. Validates that the TPM_PERMANENT_FLAGS -> allowMaintenance is TRUE. If it is |
| 2264 |
| FALSE, the TPM SHALL return TPM_DISABLED_CMD and exit this capability. |
| 22652. Validates the TPM Owner AuthData. |
| 22663. If the value of TPM_PERMANENT_DATA -> manuMaintPub is zero, the TPM MUST |
| 2267 |
| return the error code TPM_KEYNOTFOUND |
| 22684. Build a1 a TPM_KEY structure using the SRK. The encData field is not a normal |
| 2269 |
| TPM_STORE_ASYMKEY structure but rather a TPM_MIGRATE_ASYMKEY structure built |
| 2270 |
| using the following actions. |
| 22715. Build a TPM_STORE_PRIVKEY structure from the SRK. This privKey element should be |
| 2272 |
| 132 bytes long for a 2K RSA key. |
| 22736. Create k1 and k2 by splitting the privKey element created in step 4 into 2 parts. k1 is |
| 2274 |
| the first 20 bytes of privKey, k2 contains the remainder of privKey. |
| 22757. Build m1 by creating and filling in a TPM_MIGRATE_ASYMKEY structure |
| 2276 |
| |
| a. m1 -> usageAuth is set to TPM_PERMANENT_DATA -> tpmProof |
| |
| 2277 |
| |
| b. m1 -> pubDataDigest is set to the digest value of the SRK fields from step 4 |
| |
| 2278 |
| |
| c. m1 -> payload is set to TPM_PT_MAINT |
| |
| 2279 |
| |
| d. m1 -> partPrivKey is set to k2 |
| |
| 22808. Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the OAEP |
| 2281 |
| encoding of m using OAEP parameters of |
| 2282 |
| |
| a. m = TPM_MIGRATE_ASYMKEY structure (step 7) |
| |
| 2283 |
| |
| b. pHash = TPM_PERMANENT_DATA -> ownerAuth |
| |
| 2284 |
| |
| c. seed = s1 = k1 (step 6) |
| |
| 22859. If generateRandom = TRUE |
| 2286 |
| 2287 |
| |
| a. Create r1 by obtaining values from the TPM RNG. The size of r1 MUST be the same |
| size as o1. Set random parameter to r1 |
| |
| 228810.If generateRandom = FALSE |
| 2289 |
| 2290 |
| |
| a. Create r1 by applying MGF1 to the TPM Owner AuthData. The size of r1 MUST be the |
| same size as o1. Set randomSize to 0. |
| |
| 229111.Create x1 by XOR of o1 with r1 |
| 229212.Encrypt x1 with the manuMaintPub key using the TPM_ES_RSAESOAEP_SHA1_MGF1 |
| 2293 |
| encryption scheme. |
| 229413.Set a1 -> encData to the encryption of x1 |
| 229514.Set TPM_PERMANENT_FLAGS -> maintenanceDone to TRUE |
| 229615.Return a1 in the archive parameter |
| |
| 565Level 2 Revision 116 28 February 2011 |
| 566 |
| |
| 115 |
| TCG Published |
| |
| 567Copyright © TCG |
| 568 |
| 569 |
| |
| 229712.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_LoadMaintenanceArchive |
| |
| 2298Start of informative comment: |
| 2299This command loads in a Maintenance archive that has been massaged by the |
| 2300manufacturer to load into another TPM. |
| 2301If the maintenance archive was created using the owner authorization for XOR encryption, |
| 2302the current owner authorization must be used for decryption. The owner authorization does |
| 2303not change. |
| 2304If the maintenance archive was created using random data for the XOR encryption, the |
| 2305vendor specific arguments must include the random data. The owner authorization may |
| 2306change. |
| 2307End of informative comment. |
| 2308Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadMaintenanceArchive |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| archiveSize |
| |
| Sice of the encrypted archive |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| BYTE[] |
| |
| archive |
| |
| Encrypted key archive |
| |
| … |
| |
| … |
| |
| Vendor specific arguments |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| - |
| |
| # |
| |
| SZ |
| |
| 4 |
| |
| - |
| |
| 20 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| - |
| |
| 1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| -- |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner authentication. |
| HMAC key: ownerAuth. |
| |
| 2309 |
| |
| 570 |
| 571 |
| |
| 116 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 572TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 573Specification Version 1.2 |
| |
| 2310Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadMaintenanceArchive |
| |
| .. |
| |
| .. |
| |
| Vendor specific arguments |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth, the original value and not the new auth value |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| - |
| |
| # |
| |
| SZ |
| |
| 20 |
| |
| - |
| |
| 1 |
| |
| - |
| |
| 20 |
| |
| 2311Description |
| 2312The maintenance mechanisms in the TPM MUST not require the TPM to hold a global |
| 2313secret. The definition of global secret is a secret value shared by more than one TPM. |
| 2314The TPME is not allowed to pre-store or use unique identifiers in the TPM for the purpose of |
| 2315maintenance. The TPM MUST NOT use the endorsement key for identification or encryption |
| 2316in the maintenance process. The maintenance process MAY use a TPM Identity to deliver |
| 2317maintenance information to specific TPM’s. |
| 2318The maintenance process can only change the SRK, tpmProof and TPM Owner AuthData |
| 2319fields. |
| 2320The maintenance process can only access data in shielded locations where this data is |
| 2321necessary to validate the TPM Owner, validate the TPME and manipulate the blob |
| 2322The TPM MUST be conformant to the TPM specification, protection profiles and security |
| 2323targets after maintenance. The maintenance MAY NOT decrease the security values from |
| 2324the original security target. |
| 2325The security target used to evaluate this TPM MUST include this command in the TOE. |
| 2326Actions |
| 2327The TPM SHALL perform the following when executing the command |
| 23281. Validate the TPM Owner’s AuthData |
| 23292. Validate that the maintenance information was sent by the TPME. The validation |
| 2330 |
| mechanism MUST use a strength of function that is at least the same strength of |
| 2331 |
| function as a digital signature performed using a 2048 bit RSA key. |
| 23323. The packet MUST contain m2 as defined in section 12.1. |
| 23334. Ensure that only the target TPM can interpret the maintenance packet. The protection |
| 2334 |
| mechanism MUST use a strength of function that is at least the same strength of |
| 2335 |
| function as a digital signature performed using a 2048 bit RSA key. |
| |
| 574Level 2 Revision 116 28 February 2011 |
| 575 |
| |
| 117 |
| TCG Published |
| |
| 576Copyright © TCG |
| 577 |
| 578 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 23365. Execute the actions of TPM_OwnerClear. |
| 23376. Process the maintenance information |
| 2338 |
| |
| a. Update the SRK |
| |
| 2339 |
| |
| i. |
| |
| Set the SRK usageAuth to be the same as the source TPM owner's AuthData |
| |
| 2340 |
| |
| b. Update TPM_PERMANENT_DATA -> tpmProof |
| |
| 2341 |
| |
| c. Update TPM_PERMANENT_DATA -> ownerAuth |
| |
| 23427. Set TPM_PERMANENT_FLAGS -> maintenanceDone to TRUE |
| 2343 |
| |
| 579 |
| 580 |
| |
| 118 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 581TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 582Specification Version 1.2 |
| |
| 234412.3 |
| |
| TPM_KillMaintenanceFeature |
| |
| 2345Start of informative comment: |
| 2346The TPM_KillMaintencanceFeature is a permanent action that prevents ANYONE from |
| 2347creating a maintenance archive. This action, once taken, is permanent until a new TPM |
| 2348Owner is set. |
| 2349This action is to allow those customers who do not want the maintenance feature to not |
| 2350allow the use of the maintenance feature. |
| 2351At the discretion of the Owner, it should be possible to kill the maintenance feature in such |
| 2352a way that the only way to recover maintainability of the platform would be to wipe out the |
| 2353root keys. This feature is mandatory in any TPM that implements the maintenance feature. |
| 2354End of informative comment. |
| 2355Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_KillMaintenanceFeature |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 5 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 6 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 7 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| HMAC key: ownerAuth. |
| |
| 2356Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_KillMaintenanceFeature |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| HMAC key: ownerAuth. |
| |
| 20 |
| |
| 2357Actions |
| 23581. Validate the TPM Owner AuthData |
| 23592. Set the TPM_PERMANENT_FLAGS.allowMaintenance flag to FALSE. |
| 583Level 2 Revision 116 28 February 2011 |
| 584 |
| |
| 119 |
| TCG Published |
| |
| 585Copyright © TCG |
| 586 |
| 587 |
| |
| 236012.4 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_LoadManuMaintPub |
| |
| 2361Start of informative comment: |
| 2362The TPM_LoadManuMaintPub command loads the manufacturer’s public key for use in the |
| 2363maintenance process. The command installs manuMaintPub in PERMANENT data storage |
| 2364inside a TPM. Maintenance enables duplication of non-migratory data in protected storage. |
| 2365There is therefore a security hole if a platform is shipped before the maintenance public key |
| 2366has been installed in a TPM. |
| 2367The command is expected to be used before installation of a TPM Owner or any key in TPM |
| 2368protected storage. It therefore does not use authorization. |
| 2369End of informative comment. |
| 2370Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadManuMaintPub |
| |
| 4 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| AntiReplay and validation nonce |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PUBKEY |
| |
| pubKey |
| |
| The public key of the manufacturer to be in use for maintenance |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2371Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 20 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadManuMaintPub |
| |
| 3S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| checksum |
| |
| Digest of pubKey and antiReplay |
| |
| 2372Description |
| 2373The pubKey MUST specify an algorithm whose strength is not less than the RSA algorithm |
| 2374with 2048bit keys. |
| 2375pubKey SHOULD unambiguously identify the entity that will perform the maintenance |
| 2376process with the TPM Owner. |
| 2377TPM_PERMANENT_DATA -> manuMaintPub SHALL exist in a TPM-shielded location, only. |
| 2378If an entity (Platform Entity) does not support the maintenance process but issues a |
| 2379platform credential for a platform containing a TPM that supports the maintenance process, |
| 2380the value of TPM_PERMANENT_DATA -> manuMaintPub MUST be set to zero before the |
| 2381platform leaves the entity’s control. That is, this ordinal can only be run once, and used to |
| 2382either load the key or load a NULL key. |
| 588 |
| 589 |
| |
| 120 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 590TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 591Specification Version 1.2 |
| |
| 2383Actions |
| 2384The first valid TPM_LoadManuMaintPub command received by a TPM SHALL |
| 23851. Store the parameter pubKey as TPM_PERMANENT_DATA -> manuMaintPub. |
| 23862. Set checksum to SHA-1 of (pubKey || antiReplay) |
| 23873. Export the checksum |
| 23884. Subsequent |
| calls |
| 2389 |
| TPM_DISABLED_CMD. |
| |
| to |
| |
| 592Level 2 Revision 116 28 February 2011 |
| 593 |
| |
| TPM_LoadManuMaintPub |
| |
| 121 |
| TCG Published |
| |
| SHALL |
| |
| return |
| |
| code |
| |
| 594Copyright © TCG |
| 595 |
| 596 |
| |
| 239012.5 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_ReadManuMaintPub |
| |
| 2391Start of informative comment: |
| 2392The TPM_ReadManuMaintPub command is used to check whether the manufacturer’s |
| 2393public maintenance key in a TPM has the expected value. This may be useful during the |
| 2394manufacture process. The command returns a digest of the installed key, rather than the |
| 2395key itself. This hinders discovery of the maintenance key, which may (or may not) be useful |
| 2396for manufacturer privacy. |
| 2397The command is expected to be used before installation of a TPM Owner or any key in TPM |
| 2398protected storage. It therefore does not use authorization. |
| 2399End of Informative Comments |
| 2400Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReadManuMaintPub |
| |
| 4 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| AntiReplay and validation nonce |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2401Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 20 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReadManuMaintPub |
| |
| 3S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| checksum |
| |
| Digest of pubKey and antiReplay |
| |
| 2402Description |
| 2403This command returns the hash of the antiReplay nonce and the previously loaded |
| 2404manufacturer’s maintenance public key. |
| 2405Actions |
| 2406The TPM_ReadManuMaintPub command SHALL |
| 24071. Create “checksum” by concatenating data to form (TPM_PERMANENT_DATA -> |
| 2408 |
| manuMaintPub ||antiReplay) and passing the concatenated data through SHA-1. |
| 24092. Export the checksum |
| |
| 597 |
| 598 |
| |
| 122 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 599TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 600Specification Version 1.2 |
| |
| 241013. |
| |
| Cryptographic Functions |
| |
| 241113.1 |
| |
| TPM_SHA1Start |
| |
| 2412Start of informative comment: |
| 2413This capability starts the process of calculating a SHA-1 digest. |
| 2414The exposure of the SHA-1 processing is a convenience to platforms in a mode that do not |
| 2415have sufficient memory to perform SHA-1 themselves. As such, the use of SHA-1 is |
| 2416restrictive on the TPM. |
| 2417The TPM may not allow any other types of processing during the execution of a SHA-1 |
| 2418session. There is only one SHA-1 session active on a TPM. The exclusivity of a SHA-1 |
| 2419context is due to the relatively large volatile buffer it requires in order to hold the |
| 2420intermediate results between the SHA-1 context commands. This buffer can be in |
| 2421contradiction to other command needs. |
| 2422After the execution of TPM_SHA1Start, and prior to TPM_SHA1Complete or |
| 2423TPM_SHA1CompleteExtend, the receipt of any command other than TPM_SHA1Update will |
| 2424cause the invalidation of the SHA-1 session. |
| 2425End of informative comment. |
| 2426Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SHA1Start |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2427Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SHA1Start |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| maxNumBytes |
| |
| Maximum number of bytes that can be sent to TPM_SHA1Update. Must be a |
| multiple of 64 bytes. |
| |
| 2428Description |
| 24291. This capability prepares the TPM for a subsequent TPM_SHA1Update, |
| 2430 |
| TPM_SHA1Complete or TPM_SHA1CompleteExtend command. The capability SHALL |
| 2431 |
| open a thread that calculates a SHA-1 digest. |
| |
| 601Level 2 Revision 116 28 February 2011 |
| 602 |
| |
| 123 |
| TCG Published |
| |
| 603Copyright © TCG |
| 604 |
| 605 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 24322. After receipt of TPM_SHA1Start, and prior to the receipt of TPM_SHA1Complete or |
| 2433 |
| TPM_SHA1CompleteExtend, receipt of any command other than TPM_SHA1Update |
| 2434 |
| invalidates the SHA-1 session. |
| 2435 |
| 2436 |
| |
| a. If the command received is TPM_ExecuteTransport, the SHA-1 session invalidation is |
| based on the wrapped command, not the TPM_ExecuteTransport ordinal. |
| |
| 2437 |
| 2438 |
| |
| b. A SHA-1 thread (start, update, complete) MUST take place either completely outside |
| a transport session or completely within a single transport session. |
| |
| 606 |
| 607 |
| |
| 124 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 608TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 609Specification Version 1.2 |
| |
| 243913.2 |
| |
| TPM_SHA1Update |
| |
| 2440Start of informative comment: |
| 2441This capability inputs complete blocks of data into a pending SHA-1 digest. At the end of |
| 2442the process, the digest remains pending. |
| 2443End of informative comment. |
| 2444Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SHA1Update |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| numBytes |
| |
| The number of bytes in hashData. Must be a multiple of 64 bytes. |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| BYTE [ ] |
| |
| hashData |
| |
| Bytes to be hashed |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2445Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SHA1Update |
| |
| 2446Description |
| 2447This command SHALL incorporate complete blocks of data into the digest of an existing |
| 2448SHA-1 thread. Only integral numbers of complete blocks (64 bytes each) can be processed. |
| 2449Actions |
| 24501. If there is no existing SHA-1 thread, return TPM_SHA_THREAD |
| 24512. If numBytes is not a multiple of 64 |
| 2452 |
| |
| a. Return TPM_SHA_ERROR |
| |
| 2453 |
| |
| b. The TPM MAY terminate the SHA-1 thread |
| |
| 24543. If numBytes is greater than maxNumBytes returned by TPM_SHA1Start |
| 2455 |
| |
| a. Return TPM_SHA_ERROR |
| |
| 2456 |
| |
| b. The TPM MAY terminate the SHA-1 thread |
| |
| 24574. Incorporate hashData into the digest of the existing SHA-1 thread. |
| 2458 |
| |
| 610Level 2 Revision 116 28 February 2011 |
| 611 |
| |
| 125 |
| TCG Published |
| |
| 612Copyright © TCG |
| 613 |
| 614 |
| |
| 245913.3 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_SHA1Complete |
| |
| 2460Start of informative comment: |
| 2461This capability terminates a pending SHA-1 calculation. |
| 2462End of informative comment. |
| 2463Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SHA1Complete |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| hashDataSize |
| |
| Number of bytes in hashData, MUST be 64 or less |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| BYTE [ ] |
| |
| hashData |
| |
| Final bytes to be hashed |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2464Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 20 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SHA1Complete |
| |
| 3S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| hashValue |
| |
| The output of the SHA-1 hash. |
| |
| 2465Description |
| 2466This command SHALL incorporate a partial or complete block of data into the digest of an |
| 2467existing SHA-1 thread, and terminate that thread. hashDataSize MAY have values in the |
| 2468range of 0 through 64, inclusive. |
| 2469If the SHA-1 thread has received no bytes the TPM SHALL calculate the SHA-1 of the empty |
| 2470buffer. |
| |
| 615 |
| 616 |
| |
| 126 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 617TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 618Specification Version 1.2 |
| |
| 247113.4 |
| |
| TPM_SHA1CompleteExtend |
| |
| 2472Start of informative comment: |
| 2473This capability terminates a pending SHA-1 calculation and EXTENDS the result into a |
| 2474Platform Configuration Register using a SHA-1 hash process. |
| 2475This command is designed to complete a hash sequence and extend a PCR in memory-less |
| 2476environments. |
| 2477End of informative comment. |
| 2478Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SHA1CompleteExtend |
| |
| 4 |
| |
| TPM_PCRINDEX |
| |
| pcrNum |
| |
| Index of the PCR to be modified |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| hashDataSize |
| |
| Number of bytes in hashData, MUST be 64 or less |
| |
| 4S |
| |
| <> |
| |
| BYTE [ ] |
| |
| hashData |
| |
| Final bytes to be hashed |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| 2 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 5 |
| |
| 4 |
| |
| 6 |
| |
| <> |
| |
| 2479Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SHA1CompleteExtend |
| |
| 4 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| hashValue |
| |
| The output of the SHA-1 hash. |
| |
| 5 |
| |
| 20 |
| |
| 4S |
| |
| 20 |
| |
| TPM_PCRVALUE |
| |
| outDigest |
| |
| The PCR value after execution of the command. |
| |
| 2480Description |
| 2481This command SHALL incorporate a partial or complete block of data into the digest of an |
| 2482existing SHA-1 thread, EXTEND the resultant digest into a PCR, and terminate the SHA-1 |
| 2483session. hashDataSize MAY have values in the range of 0 through 64, inclusive. |
| 2484The SHA-1 session MUST terminate even if the command returns an error, e.g. |
| 2485TPM_BAD_LOCALITY. |
| 2486Actions |
| 24875. Validate that pcrNum represents a legal PCR number. On error, return TPM_BADINDEX. |
| 24886. Map V1 to TPM_STANY_DATA |
| 24897. Map L1 to V1 -> localityModifier |
| 619Level 2 Revision 116 28 February 2011 |
| 620 |
| |
| 127 |
| TCG Published |
| |
| 621Copyright © TCG |
| 622 |
| 623 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 24908. If the current locality, held in L1, is not selected in TPM_PERMANENT_DATA -> pcrAttrib |
| 2491 |
| [pcrNum]. pcrExtendLocal, return TPM_BAD_LOCALITY |
| 24929. Create H1 the TPM_DIGEST of the SHA-1 session ensuring that hashData, if any, is |
| 2493 |
| added to the SHA-1 session |
| 249410.Perform the actions of TPM_Extend using H1 as the data and pcrNum as the PCR to |
| 2495 |
| extend |
| |
| 624 |
| 625 |
| |
| 128 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 626TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 627Specification Version 1.2 |
| |
| 249613.5 |
| |
| TPM_Sign |
| |
| 2497Start of informative comment: |
| 2498The Sign command signs data and returns the resulting digital signature. |
| 2499The TPM does not allow TPM_Sign with a TPM_KEY_IDENTITY (AIK) because TPM_Sign can |
| 2500sign arbitrary data and could be used to fake a quote. (This could have been relaxed to |
| 2501allow TPM_Sign with an AIK if the signature scheme is _INFO For an _INFO key, the |
| 2502metadata prevents TPM_Sign from faking a quote.) |
| 2503End of informative comment. |
| 2504Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Sign. |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| The keyHandle identifier of a loaded key that can perform digital |
| signatures. |
| |
| 5 |
| |
| 4 |
| |
| 2s |
| |
| 4 |
| |
| UINT32 |
| |
| areaToSignSize |
| |
| The size of the areaToSign parameter |
| |
| 6 |
| |
| <> |
| |
| 3s |
| |
| <> |
| |
| BYTE[] |
| |
| areaToSign |
| |
| The value to sign |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle authorization |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| privAuth |
| |
| The authorization session digest that authorizes the use of keyHandle. |
| HMAC key: key.usageAuth |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2505Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Sign. |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| sigSize |
| |
| The length of the returned digital signature |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| sig |
| |
| The resulting digital signature. |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| key.usageAuth |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 628Level 2 Revision 116 28 February 2011 |
| 629 |
| |
| 129 |
| TCG Published |
| |
| 630Copyright © TCG |
| 631 |
| 632 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 2506Description |
| 2507The TPM MUST support all values of areaToSignSize that are legal for the defined signature |
| 2508scheme and key size. The maximum value of areaToSignSize is determined by the defined |
| 2509signature scheme and key size. |
| 2510In the case of PKCS1v15_SHA1 the areaToSignSize MUST be TPM_DIGEST (the hash size of |
| 2511a SHA-1 operation - see 8.5.1 TPM_SS_RSASSAPKCS1v15_SHA1). In the case of |
| 2512PKCS1v15_DER the maximum size of areaToSign is k-11 octets, where k is limited by the |
| 2513key size (see TPM_SS_RSASSAPKCS1v15_DER). |
| 2514Actions |
| 25151. The TPM validates the AuthData to use the key pointed to by keyHandle. |
| 25162. If the areaToSignSize is 0 the TPM returns TPM_BAD_PARAMETER. |
| 25173. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING or TPM_KEY_LEGACY, if not |
| 2518 |
| return the error code TPM_INVALID_KEYUSAGE |
| 25194. The TPM verifies that the signature scheme and key size can properly sign the |
| 2520 |
| areaToSign parameter. |
| 25215. If signature scheme is TPM_SS_RSASSAPKCS1v15_SHA1 then |
| 2522 |
| |
| a. Validate that areaToSignSize is 20 return TPM_BAD_PARAMETER on error |
| |
| 2523 |
| |
| b. Set S1 to areaToSign |
| |
| 25246. Else if signature scheme is TPM_SS_RSASSAPKCS1v15_DER then |
| 2525 |
| 2526 |
| |
| a. Validate that areaToSignSize is at least 11 bytes less than the key size, return |
| TPM_BAD_PARAMETER on error |
| |
| 2527 |
| |
| b. Set S1 to areaToSign |
| |
| 25287. else if signature scheme is TPM_SS_RSASSAPKCS1v15_INFO then |
| 2529 |
| |
| a. Create S2 a TPM_SIGN_INFO structure |
| |
| 2530 |
| |
| b. Set S2 -> fixed to “SIGN” |
| |
| 2531 |
| |
| c. Set S2 -> replay to nonceOdd |
| |
| 2532 |
| 2533 |
| |
| i. If nonceOdd is not present due to an unauthorized command return |
| TPM_BAD_PARAMETER |
| |
| 2534 |
| |
| d. Set S2 -> dataLen to areaToSignSize |
| |
| 2535 |
| |
| e. Set S2 -> data to areaToSign |
| |
| 2536 |
| |
| f. Set S1 to the SHA-1(S2) |
| |
| 25378. Else return TPM_INVALID_KEYUSAGE |
| 25389. The TPM computes the signature, sig, using the key referenced by keyHandle using S1 |
| 2539 |
| as the value to sign |
| 254010.Return the computed signature in Sig |
| |
| 633 |
| 634 |
| |
| 130 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 635TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 636Specification Version 1.2 |
| |
| 254113.6 |
| |
| TPM_GetRandom |
| |
| 2542Start of informative comment: |
| 2543TPM_GetRandom returns the next bytesRequested bytes from the random number |
| 2544generator to the caller. |
| 2545It is recommended that a TPM implement the RNG in a manner that would allow it to return |
| 2546RNG bytes such that the frequency of bytesRequested being more than the number of bytes |
| 2547available is an infrequent occurrence. |
| 2548End of informative comment. |
| 2549Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetRandom. |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| bytesRequested |
| |
| Number of bytes to return |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2550Outgoing Operands and Sizes |
| PARAM |
| # |
| |
| SZ |
| |
| 1 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| TPM_TAG |
| |
| 2 |
| |
| 2 |
| |
| HMAC |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetRandom. |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| randomBytesSize |
| |
| The number of bytes returned |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| randomBytes |
| |
| The returned bytes |
| |
| 2551Actions |
| 25521. The TPM determines if amount bytesRequested is available from the TPM. |
| 25532. Set randomBytesSize to the number of bytes available from the RNG. This number MAY |
| 2554 |
| be less than bytesRequested. |
| 25553. Set randomBytes to the next randomBytesSize bytes from the RNG |
| |
| 637Level 2 Revision 116 28 February 2011 |
| 638 |
| |
| 131 |
| TCG Published |
| |
| 639Copyright © TCG |
| 640 |
| 641 |
| |
| 255613.7 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_StirRandom |
| |
| 2557Start of informative comment: |
| 2558TPM_StirRandom adds entropy to the RNG state. |
| 2559End of informative comment. |
| 2560Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_StirRandom |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| dataSize |
| |
| Number of bytes of input |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| BYTE[ ] |
| |
| inData |
| |
| Data to add entropy to RNG state |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2561Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_StirRandom |
| |
| 2562Actions |
| 25631. If dataSize is not less than 256 bytes, the TPM MAY return TPM_BAD_PARAMETER. |
| 25642. The TPM updates the state of the current RNG using the appropriate mixing function. |
| |
| 642 |
| 643 |
| |
| 132 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 644TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 645Specification Version 1.2 |
| |
| 256513.8 |
| |
| TPM_CertifyKey |
| |
| 2566Start of informative comment: |
| 2567The TPM_CertifyKey operation allows one key to certify the public portion of another key. |
| 2568A TPM identity key may be used to certify non-migratable keys but is not permitted to |
| 2569certify migratory keys or certified migration keys. As such, it allows the TPM to make the |
| 2570statement “this key is held in a TPM-shielded location, and it will never be revealed.” For |
| 2571this statement to have veracity, the Challenger must trust the policies used by the entity |
| 2572that issued the identity and the maintenance policy of the TPM manufacturer. |
| 2573Signing and legacy keys may be used to certify both migratable and non-migratable keys. |
| 2574Then the usefulness of a certificate depends on the trust in the certifying key by the |
| 2575recipient of the certificate. |
| 2576The key to be certified must be loaded before TPM_CertifyKey is called. |
| 2577The determination to use the TPM_CERTIFY_INFO or TPM_CERTIFY_INFO2 on the output is |
| 2578based on which PCRs and what localities the certified key is restricted to. A key to be |
| 2579certified that does not have locality restrictions and which uses no PCRs greater than PCR |
| 2580#15 will cause this command to return and sign a TPM_CERTIFY_INFO structure, which |
| 2581provides compatibility with V1.1 TPMs. |
| 2582When this command is run to certify all other keys (those that use PCR #16 or higher, as |
| 2583well as those limited by locality in any way), it will return and sign a TPM_CERTIFY_INFO2 |
| 2584structure. |
| 2585TPM_CertifyKey does not support the case where (a) the certifying key requires a usage |
| 2586authorization to be provided but (b) the key-to-be-certified does not. In such cases, |
| 2587TPM_CertifyKey2 must be used. TPM_CertifyKey cannot be used to certify CMKs. |
| 2588If a command tag (in the parameter array) specifies only one authorisation session, then the |
| 2589TPM convention is that the first session listed is ignored (authDataUsage must be |
| 2590TPM_AUTH_NEVER for this key) and the incoming session data is used for the second auth |
| 2591session in the list. In TPM_CertifyKey, the first session is the certifying key and the second |
| 2592session is the key-to-be-certified. In TPM_CertifyKey2, the first session is the key-to-be2593certified and the second session is the certifying key. |
| 2594The key handles of both the certifying key and the key to be certified are not included in the |
| 2595HMAC protecting the command. This permits key handle virtualization (swapping of keys |
| 2596in and out of the TPM that results in different key handles while at the same time |
| 2597maintaining key identifiers of upper layer software). In environments where the interface to |
| 2598the TPM is accessible by other parties, the key handles not being protected allows an |
| 2599attacker to change the handle of the key to be certified. This can be avoided by processing |
| 2600this command within a transport session and making sure that antiReplay indeed contains |
| 2601a nonce. |
| 2602End of informative comment. |
| |
| 646Level 2 Revision 116 28 February 2011 |
| 647 |
| |
| 133 |
| TCG Published |
| |
| 648Copyright © TCG |
| 649 |
| 650 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 2603Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CertifyKey |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| certHandle |
| |
| Handle of the key to be used to certify the key. |
| |
| 5 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| Handle of the key to be certified. |
| |
| 6 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| 160 bits of externally supplied data (typically a nonce provided to |
| prevent replay-attacks) |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| certAuthHandle |
| |
| The authorization session handle used for certHandle. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| 2S |
| |
| SZ |
| |
| 4 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with certAuthHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| certAuth |
| |
| The authorization session digest for inputs and certHandle. HMAC key: |
| certKey.auth. |
| |
| 11 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| keyAuthHandle |
| |
| The authorization session handle used for the key to be signed. |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| keylastNonceEven |
| |
| Even nonce previously generated by TPM |
| |
| 12 |
| |
| 3H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| keynonceOdd |
| |
| Nonce generated by system associated with keyAuthHandle |
| |
| 13 |
| |
| 1 |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueKeySession |
| |
| The continue use flag for the authorization session handle |
| |
| 14 |
| |
| 651 |
| 652 |
| |
| 20 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| keyAuth |
| |
| The authorization session digest for the inputs and key to be signed. |
| HMAC key: key.usageAuth. |
| |
| 134 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 653TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 654Specification Version 1.2 |
| |
| 2604Outgoing Operands and Sizes |
| Param |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| Sz |
| |
| 1 |
| |
| # |
| |
| Sz |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CertifyKey |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_CERTIFY_INFO |
| |
| certifyInfo |
| |
| TPM_CERTIFY_INFO or TPM_CERTIFY_INFO2 structure that |
| provides information relative to keyhandle |
| |
| 5 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| outDataSize |
| |
| The used size of the output area for outData |
| |
| 6 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| BYTE[ ] |
| |
| outData |
| |
| The signature of certifyInfo |
| |
| 7 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with certAuthHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag for cert key session |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters and |
| parentHandle. HMAC key: certKey -> auth. |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| keyNonceEven |
| |
| Even nonce newly generated by TPM |
| |
| 3H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| keynonceOdd |
| |
| Nonce generated by system associated with keyAuthHandle |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueKeySession |
| |
| Continue use flag for target key session |
| |
| TPM_AUTHDATA |
| |
| keyAuth |
| |
| The authorization session digest for the target key. HMAC key: |
| key.auth. |
| |
| 8 |
| |
| 1 |
| |
| 9 |
| |
| 20 |
| |
| 10 |
| |
| 20 |
| |
| 11 |
| |
| 1 |
| |
| 12 |
| |
| 20 |
| |
| 2605Actions |
| 26061. The TPM validates that the key pointed to by certHandle has a signature scheme of |
| 2607 |
| TPM_SS_RSASSAPKCS1v15_SHA1 or TPM_SS_RSASSAPKCS1v15_INFO |
| 26082. Verify command and key AuthData values: |
| 2609 |
| |
| a. If tag is TPM_TAG_RQU_AUTH2_COMMAND |
| |
| 2610 |
| 2611 |
| |
| i. The TPM verifies the AuthData in certAuthHandle provides authorization to |
| use the key pointed to by certHandle, return TPM_AUTHFAIL on error |
| |
| 2612 |
| 2613 |
| |
| ii. The TPM verifies the AuthData in keyAuthHandle provides authorization to |
| use the key pointed to by keyHandle, return TPM_AUTH2FAIL on error |
| |
| 2614 |
| |
| b. else if tag is TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2615 |
| 2616 |
| |
| i. Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by |
| certHandle, return TPM_AUTHFAIL on error. |
| |
| 2617 |
| 2618 |
| |
| ii. The TPM verifies the AuthData in keyAuthHandle provides authorization to |
| use the key pointed to by keyHandle, return TPM_AUTHFAIL on error |
| |
| 2619 |
| 2620 |
| 2621 |
| |
| c. else if tag is TPM_TAG_RQU_COMMAND |
| i. Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by |
| certHandle, return TPM_AUTHFAIL on error. |
| |
| 655Level 2 Revision 116 28 February 2011 |
| 656 |
| |
| 135 |
| TCG Published |
| |
| 657Copyright © TCG |
| 658 |
| 659 |
| |
| 2622 |
| 2623 |
| 2624 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| ii. Verify |
| that |
| authDataUsage |
| is |
| TPM_AUTH_NEVER |
| or |
| TPM_NO_READ_PUBKEY_AUTH for the key referenced by keyHandle, return |
| TPM_AUTHFAIL on error. |
| |
| 26253. If keyHandle -> payload is not TPM_PT_ASYM, return TPM_INVALID_KEYUSAGE. |
| 26264. If the key pointed to by certHandle is an identity key (certHandle -> keyUsage is |
| 2627 |
| TPM_KEY_IDENTITY) |
| 2628 |
| |
| a. If keyHandle -> keyFlags -> migratable is TRUE return TPM_MIGRATEFAIL |
| |
| 26295. Validate that certHandle -> keyUsage is TPM_KEY_SIGN, TPM_KEY_IDENTITY or |
| 2630 |
| TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE |
| 26316. Validate that keyHandle -> keyUsage is TPM_KEY_SIGN, TPM_KEY_STORAGE, |
| 2632 |
| TPM_KEY_IDENTITY, |
| TPM_KEY_BIND |
| or |
| TPM_KEY_LEGACY, |
| if |
| not |
| return |
| 2633 |
| TPM_INVALID_KEYUSAGE |
| 26347. If keyHandle -> digestAtRelease requires the use of PCRs 16 or higher to calculate or if |
| 2635 |
| keyHandle -> localityAtRelease is not 0x1F |
| 2636 |
| |
| a. Set V1 to 1.2 |
| |
| 26378. Else |
| 2638 |
| |
| a. Set V1 to 1.1 |
| |
| 26399. If keyHandle -> pcrInfoSize is not 0 |
| 2640 |
| |
| a. If keyHandle -> keyFlags has pcrIgnoredOnRead set to FALSE |
| |
| 2641 |
| 2642 |
| 2643 |
| |
| i. Create a digestAtRelease according to the specified TPM_STCLEAR_DATA -> |
| PCR registers and compare to keyHandle -> digestAtRelease and if a mismatch |
| return TPM_WRONGPCRVAL |
| |
| 2644 |
| |
| ii. If specified validate any locality requests on error TPM_BAD_LOCALITY |
| |
| 2645 |
| |
| b. If V1 is 1.1 |
| |
| 2646 |
| |
| i. |
| |
| 2647 |
| |
| ii. Fill in C1 with the information from the key pointed to by keyHandle |
| |
| 2648 |
| |
| iii. The TPM MUST set c1 -> pcrInfoSize to 44. |
| |
| 2649 |
| 2650 |
| |
| iv. The TPM MUST set c1 -> pcrInfo to a TPM_PCR_INFO structure properly filled |
| out using the information from keyHandle. |
| |
| 2651 |
| |
| v. The TPM MUST set c1 -> digestAtCreation to 20 bytes of 0x00. |
| |
| Create C1 a TPM_CERTIFY_INFO structure |
| |
| 2652 |
| |
| c. Else |
| |
| 2653 |
| |
| i. |
| |
| 2654 |
| |
| ii. Fill in C1 with the information from the key pointed to by keyHandle |
| |
| 2655 |
| 2656 |
| |
| iii. Set C1 -> pcrInfoSize to the size of an appropriate TPM_PCR_INFO_SHORT |
| structure. |
| |
| 2657 |
| 2658 |
| |
| iv. Set C1 -> pcrInfo to a properly filled out TPM_PCR_INFO_SHORT structure, |
| using the information from keyHandle. |
| |
| 2659 |
| |
| v. Set C1 -> migrationAuthoritySize to 0 |
| |
| 660 |
| 661 |
| |
| Create C1 a TPM_CERTIFY_INFO2 structure |
| |
| 136 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 662TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 663Specification Version 1.2 |
| |
| 266010.Else |
| 2661 |
| |
| a. Create C1 a TPM_CERTIFY_INFO structure |
| |
| 2662 |
| |
| b. Fill in C1 with the information from the key pointed to by keyHandle |
| |
| 2663 |
| |
| c. The TPM MUST set c1 -> pcrInfoSize to 0 |
| |
| 266411.Create TPM_DIGEST H1 which is the SHA-1 hash of keyHandle -> pubKey -> key. Note |
| 2665 |
| that <key> is the actual public modulus, and does not include any structure formatting. |
| 266612.Set C1 -> pubKeyDigest to H1 |
| 266713.The TPM copies the antiReplay parameter to c1 -> data. |
| 266814.The TPM sets certifyInfo to C1. |
| 266915.The TPM creates m1, a message digest formed by taking the SHA-1 of c1. |
| 2670 |
| 2671 |
| |
| a. The TPM then computes a signature using certHandle -> sigScheme. The resulting |
| signed blob is returned in outData. |
| |
| 664Level 2 Revision 116 28 February 2011 |
| 665 |
| |
| 137 |
| TCG Published |
| |
| 666Copyright © TCG |
| 667 |
| 668 |
| |
| 267213.9 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_CertifyKey2 |
| |
| 2673Start of informative comment: |
| 2674This command is based on TPM_CertifyKey, but includes the ability to certify a Certifiable |
| 2675Migration Key (CMK), which requires extra input parameters. |
| 2676TPM_CertifyKey2 always produces a TPM_CERTIFY_INFO2 structure. |
| 2677TPM_CertifyKey2 does not support the case where (a) the key-to-be-certified requires a |
| 2678usage authorization to be provided but (b) the certifying key does not. |
| 2679If a command tag (in the parameter array) specifies only one authorisation session, then the |
| 2680TPM convention is that the first session listed is ignored (authDataUsage must be |
| 2681TPM_NO_READ_PUBKEY_AUTH or TPM_AUTH_NEVER for this key) and the incoming |
| 2682session data is used for the second auth session in the list. In TPM_CertifyKey2, the first |
| 2683session is the key to be certified and the second session is the certifying key. |
| 2684The key handles of both the certifying key and the key to be certified are not included in the |
| 2685HMAC protecting the command. This permits key handle virtualization (swapping of keys |
| 2686in and out of the TPM that results in different key handles while at the same time |
| 2687maintaining key identifiers of upper layer software). In environments where the interface to |
| 2688the TPM is accessible by other parties, the key handles not being protected allows an |
| 2689attacker to change the handle of the key to be certified. This can be avoided by processing |
| 2690this command within a transport session and making sure that antiReplay indeed contains |
| 2691a nonce. |
| 2692End of informative comment. |
| 2693Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CertifyKey2 |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| Handle of the key to be certified. |
| |
| 5 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| certHandle |
| |
| Handle of the key to be used to certify the key. |
| |
| 6 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| migrationPubDigest |
| |
| The digest of a TPM_MSA_COMPOSITE structure, containing at least |
| one public key of a Migration Authority |
| |
| 7 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| 160 bits of externally supplied data (typically a nonce provided to |
| prevent replay-attacks) |
| |
| 8 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| keyAuthHandle |
| |
| The authorization session handle used for the key to be signed. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| keylastNonceEven |
| |
| Even nonce previously generated by TPM |
| |
| 9 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| keynonceOdd |
| |
| Nonce generated by system associated with keyAuthHandle |
| |
| 10 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueKeySession |
| |
| The continue use flag for the authorization session handle |
| |
| 11 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| keyAuth |
| |
| The authorization session digest for the inputs and key to be signed. |
| HMAC key: key.usageAuth. |
| |
| 12 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| certAuthHandle |
| |
| The authorization session handle used for certHandle. |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 2H2 |
| |
| 669 |
| 670 |
| |
| 20 |
| |
| 138 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 671TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 672Specification Version 1.2 |
| 13 |
| |
| 20 |
| |
| 3H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with certAuthHandle |
| |
| 14 |
| |
| 1 |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 15 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| certAuth |
| |
| Authorization HMAC key: certKey.auth. |
| |
| 673Level 2 Revision 116 28 February 2011 |
| 674 |
| |
| 139 |
| TCG Published |
| |
| 675Copyright © TCG |
| 676 |
| 677 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 2694Outgoing Operands and Sizes |
| Param |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| Sz |
| |
| 1 |
| |
| # |
| |
| Sz |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CertifyKey2 |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_CERTIFY_INFO2 |
| |
| certifyInfo |
| |
| TPM_CERTIFY_INFO2 relative to keyHandle |
| |
| 5 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| outDataSize |
| |
| The used size of the output area for outData |
| |
| 6 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| BYTE[ ] |
| |
| outData |
| |
| The signed public key. |
| |
| 7 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| keyNonceEven |
| |
| Even nonce newly generated by TPM |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| keyNonceOdd |
| |
| Nonce generated by system associated with certAuthHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| keyContinueAuthSession |
| |
| Continue use flag for cert key session |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| keyResAuth |
| |
| Authorization HMAC key: keyHandle -> auth. |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| certNonceEven |
| |
| Even nonce newly generated by TPM |
| |
| 3H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| AuthLastNonceOdd |
| |
| Nonce generated by system associated with certAuthHandle |
| |
| 1 |
| |
| BOOL |
| |
| CertContinueAuthSession |
| |
| Continue use flag for cert key session |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| certResAuth |
| |
| Authorization HMAC key: certHandle -> auth. |
| |
| 8 |
| |
| 1 |
| |
| 9 |
| |
| 20 |
| |
| 10 |
| |
| 20 |
| |
| 11 |
| |
| 1 |
| |
| 12 |
| |
| 20 |
| |
| 4H2 |
| |
| 2695Actions |
| 26961. The TPM validates that the key pointed to by certHandle has a signature scheme of |
| 2697 |
| TPM_SS_RSASSAPKCS1v15_SHA1 or TPM_SS_RSASSAPKCS1v15_INFO |
| 26982. Verify command and key AuthData values: |
| 2699 |
| |
| a. If tag is TPM_TAG_RQU_AUTH2_COMMAND |
| |
| 2700 |
| 2701 |
| |
| i. The TPM verifies the AuthData in keyAuthHandle provides authorization to |
| use the key pointed to by keyHandle, return TPM_AUTHFAIL on error |
| |
| 2702 |
| 2703 |
| |
| ii. The TPM verifies the AuthData in certAuthHandle provides authorization to |
| use the key pointed to by certHandle, return TPM_AUTH2FAIL on error |
| |
| 2704 |
| |
| b. else if tag is TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2705 |
| 2706 |
| 2707 |
| |
| i. Verify |
| that |
| authDataUsage |
| is |
| TPM_AUTH_NEVER |
| or |
| TPM_NO_READ_PUBKEY_AUTH for the key referenced by keyHandle, return |
| TPM_AUTHFAIL on error |
| |
| 2708 |
| 2709 |
| |
| ii. The TPM verifies the AuthData in certAuthHandle provides authorization to |
| use the key pointed to by certHandle, return TPM_AUTH2FAIL on error |
| |
| 2710 |
| |
| c. else if tag is TPM_TAG_RQU_COMMAND |
| |
| 2711 |
| 2712 |
| 2713 |
| |
| 678 |
| 679 |
| |
| i. Verify |
| that |
| authDataUsage |
| is |
| TPM_AUTH_NEVER |
| or |
| TPM_NO_READ_PUBKEY_AUTH for the key referenced by keyHandle, return |
| TPM_AUTHFAIL on error |
| |
| 140 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 680TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 681Specification Version 1.2 |
| |
| 2714 |
| 2715 |
| |
| ii. Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by |
| certHandle, return TPM_AUTHFAIL on error. |
| |
| 27163. If the key pointed to by certHandle is an identity key (certHandle -> keyUsage is |
| 2717 |
| TPM_KEY_IDENTITY) |
| 2718 |
| 2719 |
| 2720 |
| 2721 |
| |
| a. If keyHandle -> keyFlags -> migratable is TRUE and [keyHandle -> keyFlags-> |
| migrateAuthority is FALSE or (keyHandle -> payload != TPM_PT_MIGRATE_RESTRICTED |
| and |
| keyHandle |
| -> |
| payload |
| != |
| TPM_PT_MIGRATE_EXTERNAL)] |
| return |
| TPM_MIGRATEFAIL |
| |
| 27224. Validate that certHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY or |
| 2723 |
| TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE |
| 27245. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_STORAGE, |
| 2725 |
| TPM_KEY_IDENTITY, |
| TPM_KEY_BIND |
| or |
| TPM_KEY_LEGACY, |
| if |
| not |
| return |
| 2726 |
| TPM_INVALID_KEYUSAGE |
| 27276. The TPM SHALL create a c1 a TPM_CERTIFY_INFO2 structure from the key pointed to |
| 2728 |
| by keyHandle |
| 27297. Create TPM_DIGEST H1 which is the SHA-1 hash of keyHandle -> pubKey -> key. Note |
| 2730 |
| that <key> is the actual public modulus, and does not include any structure formatting. |
| 27318. Set C1 -> pubKeyDigest to H1 |
| 27329. Copy the antiReplay parameter to c1 -> data |
| 273310.Copy other keyHandle parameters into C1 |
| 273411.If |
| keyHandle |
| -> |
| payload |
| 2735 |
| TPM_PT_MIGRATE_EXTERNAL |
| |
| == |
| |
| TPM_PT_MIGRATE_RESTRICTED |
| |
| or |
| |
| 2736 |
| 2737 |
| |
| a. create thisPubKey, a TPM_PUBKEY structure containing the public key, algorithm |
| and parameters corresponding to keyHandle |
| |
| 2738 |
| |
| b. Verify that the migration authorization is valid for this key |
| |
| 2739 |
| |
| i. |
| |
| 2740 |
| |
| ii. Set M2 -> msaDigest to migrationPubDigest |
| |
| 2741 |
| |
| iii. Set M2 -> pubkeyDigest to SHA-1[thisPubKey] |
| |
| 2742 |
| 2743 |
| |
| iv. Verify that [keyHandle -> migrationAuth] == HMAC(M2) signed by using |
| tpmProof as the secret and return error TPM_MA_SOURCE on mismatch |
| |
| Create M2 a TPM_CMK_MIGAUTH structure |
| |
| 2744 |
| |
| c. Set C1 -> migrationAuthority = SHA-1(migrationPubDigest || keyHandle -> payload) |
| |
| 2745 |
| |
| d. if keyHandle -> payload == TPM_PT_MIGRATE_RESTRICTED |
| |
| 2746 |
| 2747 |
| |
| i. |
| |
| Set C1 -> payloadType = TPM_PT_MIGRATE_RESTRICTED |
| |
| e. if keyHandle -> payload == TPM_PT_MIGRATE_EXTERNAL |
| |
| 2748 |
| |
| i. |
| |
| Set C1 -> payloadType = TPM_PT_MIGRATE_EXTERNAL |
| |
| 274912.Else |
| 2750 |
| |
| a. set C1 -> migrationAuthority = NULL |
| |
| 2751 |
| |
| b. set C1 -> migrationAuthoritySize =0 |
| |
| 682Level 2 Revision 116 28 February 2011 |
| 683 |
| |
| 141 |
| TCG Published |
| |
| 684Copyright © TCG |
| 685 |
| 686 |
| |
| 2752 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| c. Set C1 -> payloadType = TPM_PT_ASYM |
| |
| 275313.If keyHandle -> pcrInfoSize is not 0 |
| 2754 |
| 2755 |
| |
| a. The TPM MUST set c1 -> pcrInfoSize to match the pcrInfoSize from the keyHandle |
| key. |
| |
| 2756 |
| |
| b. The TPM MUST set c1 -> pcrInfo to match the pcrInfo from the keyHandle key |
| |
| 2757 |
| |
| c. If keyHandle -> keyFlags has pcrIgnoredOnRead set to FALSE |
| |
| 2758 |
| 2759 |
| 2760 |
| |
| i. Create a digestAtRelease according to the specified TPM_STCLEAR_DATA -> |
| PCR registers and compare to keyHandle -> digestAtRelease and if a mismatch |
| return TPM_WRONGPCRVAL |
| |
| 2761 |
| |
| ii. If specified validate any locality requests on error TPM_BAD_LOCALITY |
| |
| 276214.Else |
| 2763 |
| |
| a. The TPM MUST set c1 -> pcrInfoSize to 0 |
| |
| 276415.The TPM creates m1, a message digest formed by taking the SHA-1 of c1 |
| 2765 |
| 2766 |
| |
| 687 |
| 688 |
| |
| a. The TPM then computes a signature using certHandle -> sigScheme. The resulting |
| signed blob is returned in outData |
| |
| 142 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 689TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 690Specification Version 1.2 |
| |
| 276714. |
| Endorsement |
| 2768Start of informative comment: |
| |
| Key Handling |
| |
| 2769There are two create EK commands. The first matches the 1.1 functionality. The second |
| 2770provides the mechanism to enable revokeEK. |
| 2771The TPM and platform manufacturer decide on the inclusion or exclusion of the ability to |
| 2772execute revokeEK. |
| 2773The restriction to have the TPM generate the EK does not remove the manufacturing option |
| 2774to “squirt” the EK. During manufacturing, the TPM does not enforce all protections or |
| 2775requirements; hence, the restriction on only TPM generation of the EK is also not in force. |
| 2776End of informative comment. |
| 27771. A TPM SHALL NOT install an EK unless generated on the TPM by execution of |
| 2778 |
| TPM_CreateEndorsementKeyPair or TPM_CreateRevocableEK |
| |
| 691Level 2 Revision 116 28 February 2011 |
| 692 |
| |
| 143 |
| TCG Published |
| |
| 693Copyright © TCG |
| 694 |
| 695 |
| |
| 277914.1 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_CreateEndorsementKeyPair |
| |
| 2780Start of informative comment: |
| 2781This command creates the TPM endorsement key. It returns a failure code if an |
| 2782endorsement key already exists. |
| 2783End of informative comment. |
| 2784Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| # |
| |
| SZ |
| |
| 1 |
| 2 |
| |
| # |
| |
| SZ |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CreateEndorsementKeyPair |
| |
| 4 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| Arbitrary data |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_KEY_PARMS |
| |
| keyInfo |
| |
| Information about key to be created, this includes all algorithm parameters |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2785Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CreateEndorsementKeyPair |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PUBKEY |
| |
| pubEndorsementKey |
| |
| The public endorsement key |
| |
| 5 |
| |
| 20 |
| |
| 4S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| checksum |
| |
| Hash of pubEndorsementKey and antiReplay |
| |
| 2786Actions |
| 27871. If an EK already exists, return TPM_DISABLED_CMD |
| 27882. Validate the keyInfo parameters for the key description |
| 2789 |
| 2790 |
| |
| a. If the algorithm type is RSA the key length MUST be a minimum of 2048. For |
| interoperability the key length SHOULD be 2048 |
| |
| 2791 |
| 2792 |
| |
| b. If the algorithm type is other than RSA the strength provided by the key MUST be |
| comparable to RSA 2048 |
| |
| 2793 |
| |
| c. The other parameters of keyInfo (encScheme, sigScheme, etc.) are ignored. |
| |
| 27943. Create a key pair called the “endorsement key pair” using a TPM-protected capability. |
| 2795 |
| The type and size of key are that indicated by keyInfo. |
| Set encScheme to |
| 2796 |
| TPM_ES_RSAESOAEP_SHA1_MGF1. |
| 27974. Create checksum by performing SHA-1 on the concatenation of (PUBEK || antiReplay) |
| 27985. Store the PRIVEK |
| 27996. Create TPM_PERMANENT_DATA -> tpmDAASeed from the TPM RNG |
| 696 |
| 697 |
| |
| 144 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 698TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 699Specification Version 1.2 |
| |
| 28007. Create TPM_PERMANENT_DATA -> daaProof from the TPM RNG |
| 28018. Create TPM_PERMANENT_DATA -> daaBlobKey from the TPM RNG |
| 28029. Set TPM_PERMANENT_FLAGS -> CEKPUsed to TRUE |
| 280310.Set TPM_PERMANENT_FLAGS -> enableRevokeEK to FALSE |
| |
| 700Level 2 Revision 116 28 February 2011 |
| 701 |
| |
| 145 |
| TCG Published |
| |
| 702Copyright © TCG |
| 703 |
| 704 |
| |
| 280414.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_CreateRevocableEK |
| |
| 2805Start of informative comment: |
| 2806This command creates the TPM endorsement key. It returns a failure code if an |
| 2807endorsement key already exists. The TPM vendor may have a separate mechanism to create |
| 2808the EK and “squirt” the value into the TPM. |
| 2809The input parameters specify whether the EK is capable of being reset, whether the |
| 2810AuthData value to reset the EK will be generated by the TPM, and the new AuthData value |
| 2811itself if it is not to be generated by the TPM. The output parameter is the new AuthData |
| 2812value that must be used when resetting the EK (if it is capable of being reset). |
| 2813The command TPM_RevokeTrust must be used to reset an EK (if it is capable of being |
| 2814reset). |
| 2815Owner authorisation is unsuitable for authorizing resetting of an EK: someone with |
| 2816Physical Presence can remove a genuine Owner, install a new Owner, and revoke the EK. |
| 2817The genuine Owner can reinstall, but the platform will have lost its original attestation and |
| 2818may not be trusted by challengers. Therefore if a password is to be used to revoke an EK, it |
| 2819must be a separate password, given to the genuine Owner. |
| 2820In v1.2 an OEM has extra choices when creating EKs. |
| 2821a) An OEM could manufacture all of its TPMs with enableRevokeEK==TRUE. |
| 2822If the OEM has tracked the EKreset passwords for these TPMs, the OEM can give the |
| 2823passwords to customers. The customers can use the passwords as supplied, change the |
| 2824passwords, or clear the EKs and create new EKs with new passwords. |
| 2825If EKreset passwords are random values, the OEM can discard those values and not give |
| 2826them to customers. There is then a low probability (statistically zero) chance of a local DOS |
| 2827attack to reset the EK by guessing the password. The chance of a remote DOS attack is zero |
| 2828because Physical Presence must also be asserted to use TPM_RevokeTrust. |
| 2829b) An OEM could manufacture some of its TPMs with enableRevokeEK==FALSE. Then the |
| 2830EK can never be revoked, and the chance of even a local DOS attack on the EK is |
| 2831eliminated. |
| 2832End of informative comment. |
| 2833This is an optional command |
| |
| 705 |
| 706 |
| |
| 146 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 707TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 708Specification Version 1.2 |
| |
| 2834Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CreateRevocableEK |
| |
| 4 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| Arbitrary data |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_KEY_PARMS |
| |
| keyInfo |
| |
| Information about key to be created, this includes all algorithm parameters |
| |
| 6 |
| |
| 1 |
| |
| 4S |
| |
| 1 |
| |
| BOOL |
| |
| generateReset |
| |
| If TRUE use TPM RNG to generate EKreset. If FALSE use the passed |
| value inputEKreset |
| |
| 7 |
| |
| 20 |
| |
| 5S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| inputEKreset |
| |
| The authorization value to be used with TPM_RevokeTrust if |
| generateReset==FALSE, else the parameter is present but ignored |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2835Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| # |
| |
| Type |
| |
| SZ |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CreateRevocableEK |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PUBKEY |
| |
| pubEndorsementKey |
| |
| The public endorsement key |
| |
| 5 |
| |
| 20 |
| |
| 4S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| checksum |
| |
| Hash of pubEndorsementKey and antiReplay |
| |
| 6 |
| |
| 20 |
| |
| 5S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| outputEKreset |
| |
| The AuthData value to use TPM_RevokeTrust |
| |
| 2836Actions |
| 28371. If an EK already exists, return TPM_DISABLED_CMD |
| 28382. Perform the actions of TPM_CreateEndorsementKeyPair, if any errors return with error |
| 28393. Set TPM_PERMANENT_FLAGS -> enableRevokeEK to TRUE |
| 2840 |
| |
| a. If generateReset is TRUE then |
| |
| 2841 |
| |
| i. |
| |
| 2842 |
| |
| b. Else |
| |
| 2843 |
| |
| i. |
| |
| Set TPM_PERMANENT_DATA -> EKreset to the next value from the TPM RNG |
| Set TPM_PERMANENT_DATA -> EKreset to inputEKreset |
| |
| 28444. Return PUBEK, checksum and Ekreset |
| 28455. |
| 2846 |
| 2847 |
| 2848 |
| |
| The outputEKreset AuthData is sent in the clear. There is no uniqueness on the TPM |
| available to actually perform encryption or use an encrypted channel. The assumption is |
| that this operation is occurring in a controlled environment and sending the value in the |
| clear is acceptable. |
| |
| 709Level 2 Revision 116 28 February 2011 |
| 710 |
| |
| 147 |
| TCG Published |
| |
| 711Copyright © TCG |
| 712 |
| 713 |
| |
| 284914.3 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_RevokeTrust |
| |
| 2850Start of informative comment: |
| 2851This command clears the EK and sets the TPM back to a pure default state. The generation |
| 2852of the AuthData value occurs during the generation of the EK. It is the responsibility of the |
| 2853EK generator to properly protect and disseminate the RevokeTrust AuthData. |
| 2854End of informative comment. |
| 2855This is an optional command |
| 2856Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| 2 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| 4 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| Name |
| |
| Description |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| UINT32 |
| |
| SZ |
| |
| Type |
| |
| # |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_RevokeTrust |
| |
| TPM_NONCE |
| |
| EKReset |
| |
| The value that will be matched to EK Reset |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2857Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_RevokeTrust |
| |
| 2858Actions |
| 28591. The TPM MUST validate that TPM_PERMANENT_FLAGS -> enableRevokeEK is TRUE, |
| 2860 |
| return TPM_PERMANENTEK on error |
| 28612. The TPM MUST validate that the EKReset matches TPM_PERMANENT_DATA -> EKReset |
| 2862 |
| return TPM_AUTHFAIL on error. |
| 28633. Ensure that physical presence is being asserted |
| 28644. Perform the actions of TPM_OwnerClear (excepting the command authentication) |
| 2865 |
| 2866 |
| |
| a. NV items with the pubInfo -> nvIndex D value set MUST be deleted. This changes the |
| TPM_OwnerClear handling of the same NV areas |
| |
| 2867 |
| |
| b. Set TPM_PERMANENT_FLAGS -> nvLocked to FALSE |
| |
| 28685. Invalidate TPM_PERMANENT_DATA -> tpmDAASeed |
| 28696. Invalidate TPM_PERMANENT_DATA -> daaProof |
| 28707. Invalidate TPM_PERMANENT_DATA -> daaBlobKey |
| 28718. Invalidate the EK and any internal state associated with the EK |
| 714 |
| 715 |
| |
| 148 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 716TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 717Specification Version 1.2 |
| |
| 287214.4 |
| |
| TPM_ReadPubek |
| |
| 2873Start of informative comment: |
| 2874Return the endorsement key public portion. This value should have controls placed upon |
| 2875access, as it is a privacy sensitive value. |
| 2876The readPubek flag is set to FALSE by TPM_TakeOwnership and set to TRUE by |
| 2877TPM_OwnerClear, thus mirroring if a TPM Owner is present. |
| 2878End of informative comment. |
| 2879Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| 2 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| 4 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| Name |
| |
| Description |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| UINT32 |
| |
| SZ |
| |
| Type |
| |
| # |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReadPubek |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| Arbitrary data |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2880Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReadPubek |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PUBKEY |
| |
| pubEndorsementKey |
| |
| The public endorsement key |
| |
| 5 |
| |
| 20 |
| |
| 4S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| checksum |
| |
| Hash of pubEndorsementKey and antiReplay |
| |
| 2881Description |
| 2882This command returns the PUBEK. |
| 2883Actions |
| 2884The TPM_ReadPubek command SHALL |
| 28851. If TPM_PERMANENT_FLAGS -> readPubek is FALSE return TPM_DISABLED_CMD |
| 28862. If no EK is present the TPM MUST return TPM_NO_ENDORSEMENT |
| 28873. Create checksum by performing SHA-1 on the concatenation of (pubEndorsementKey || |
| 2888 |
| antiReplay). |
| 28894. Export the PUBEK and checksum. |
| |
| 718Level 2 Revision 116 28 February 2011 |
| 719 |
| |
| 149 |
| TCG Published |
| |
| 720Copyright © TCG |
| 721 |
| 722 |
| |
| 289014.5 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_OwnerReadInternalPub |
| |
| 2891Start of informative comment: |
| 2892A TPM Owner authorized command that returns the public portion of the EK or SRK. |
| 2893The keyHandle parameter is included in the incoming session authorization to prevent |
| 2894alteration of the value, causing a different key to be read. Unlike most key handles, which |
| 2895can be mapped by higher layer software, this key handle has only two fixed values. |
| 2896End of informative comment. |
| 2897Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| 2 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| 5 |
| |
| 4 |
| |
| Description |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OwnerReadInternalPub |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| Handle for either PUBEK or SRK |
| |
| TPM_AUTHHANDLE |
| |
| # |
| |
| Name |
| |
| |
| # |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 6 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 7 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 8 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner authentication. |
| HMAC key: ownerAuth. |
| |
| 2898Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OwnerReadInternalPub |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PUBKEY |
| |
| publicPortion |
| |
| The public portion of the requested key |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth. |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 2899Actions |
| 29001. Validate the parameters and TPM Owner AuthData for this command |
| 29012. If keyHandle is TPM_KH_EK |
| 2902 |
| 723 |
| 724 |
| |
| a. Set publicPortion to PUBEK |
| 150 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 725TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 726Specification Version 1.2 |
| |
| 29033. Else If keyHandle is TPM_KH_SRK |
| 2904 |
| |
| a. Set publicPortion to the TPM_PUBKEY of the SRK |
| |
| 29054. Else return TPM_BAD_PARAMETER |
| 29065. Export the public key of the referenced key |
| |
| 727Level 2 Revision 116 28 February 2011 |
| 728 |
| |
| 151 |
| TCG Published |
| |
| 729Copyright © TCG |
| 730 |
| 731 |
| |
| 290715. |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Identity Creation and Activation |
| |
| 290815.1 |
| |
| TPM_MakeIdentity |
| |
| 2909Start of informative comment: |
| 2910Generate a new Attestation Identity Key (AIK). |
| 2911labelPrivCADigest identifies the privacy CA that the owner expects to be the target CA for |
| 2912the AIK. The selection is not enforced by the TPM. It is advisory only. It is included |
| 2913because the TSS cannot be trusted to send the AIK to the correct privacy CA. The privacy |
| 2914CA can use this parameter to validate that it is the target privacy CA and label intended by |
| 2915the TPM owner at the time the key was created. The label can be used to indicate an |
| 2916application purpose. |
| 2917End of informative comment. |
| 2918Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes incl. paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_MakeIdentity. |
| |
| 4 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| identityAuth |
| |
| Encrypted usage AuthData for the new identity |
| |
| 5 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_CHOSENID_HASH |
| |
| labelPrivCADigest |
| |
| The digest of the identity label and privacy CA chosen for the AIK |
| |
| 6 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| TPM_KEY |
| |
| idKeyParams |
| |
| Structure containing all parameters of new identity key. |
| pubKey.keyLength & idKeyParams.encData are both 0 MAY be TPM_KEY12 |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| srkAuthHandle |
| |
| The authorization session handle used for SRK authorization. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| srkLastNonceEven |
| |
| Even nonce previously generated by TPM |
| |
| 8 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| srknonceOdd |
| |
| Nonce generated by system associated with srkAuthHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueSrkSession |
| |
| Ignored |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| srkAuth |
| |
| The authorization session digest for the inputs and the SRK. HMAC |
| key: srk.usageAuth. |
| |
| 11 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| Session type MUST be OSAP. |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 12 |
| |
| 20 |
| |
| 3H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 13 |
| |
| 1 |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Ignored |
| |
| 14 |
| |
| 732 |
| 733 |
| |
| 20 |
| |
| 20 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner. HMAC key: |
| ownerAuth. |
| |
| 152 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 734TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 735Specification Version 1.2 |
| |
| 2919Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal:TPM_ORD_MakeIdentity. |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_KEY |
| |
| idKey |
| |
| The newly created identity key. MAY be TPM_KEY12 |
| |
| 5 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| identityBindingSize |
| |
| The used size of the output area for identityBinding |
| |
| 6 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| BYTE[ ] |
| |
| identityBinding |
| |
| Signature of TPM_IDENTITY_CONTENTS using idKey.private. |
| |
| 7 |
| |
| 20 |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| srkNonceEven |
| |
| Even nonce newly generated by TPM. |
| |
| 3H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| srknonceOdd |
| |
| Nonce generated by system associated with srkAuthHandle |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueSrkSession |
| |
| Continue use flag. Fixed value of FALSE |
| |
| TPM_AUTHDATA |
| |
| srkAuth |
| |
| The authorization session digest used for the outputs and srkAuth |
| session. HMAC key: srk.usageAuth. |
| |
| 8 |
| |
| 1 |
| |
| 9 |
| |
| 20 |
| |
| 10 |
| |
| 20 |
| |
| 1 |
| |
| 12 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| 11 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag. Fixed value of FALSE |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth. |
| |
| 20 |
| |
| 2920Description |
| 2921The public key of the new TPM identity SHALL be identityPubKey. The private key of the |
| 2922new TPM identity SHALL be tpm_signature_key. |
| 2923Properties of the new identity |
| Type |
| |
| Name |
| |
| Description |
| |
| TPM_PUBKEY |
| |
| identityPubKey |
| |
| This SHALL be the public key of a previously unused asymmetric key pair. |
| |
| TPM_STORE_ASYMKEY |
| |
| tpm_signature_key |
| |
| This SHALL be the private key that forms a pair with identityPubKey and SHALL be |
| extant only in a TPM-shielded location. |
| |
| 2924 |
| |
| 2925This capability also generates a TPM_KEY containing the tpm_signature_key. |
| 2926If identityPubKey is stored on a platform it SHALL exist only in storage to which access is |
| 2927controlled and is available to authorized entities. |
| 2928The signing of TPM_ID_CONTENTS is not an authorized use of the key. |
| 2929TPM_PCR_INFO_xxx “…AtRelease” values are not validated. |
| |
| The |
| |
| 2930Actions |
| 2931A Trusted Platform Module that receives a valid TPM_MakeIdentity command SHALL do the |
| 2932following: |
| 29331. Validate the idKeyParams parameters for the key description |
| 736Level 2 Revision 116 28 February 2011 |
| 737 |
| |
| 153 |
| TCG Published |
| |
| 738Copyright © TCG |
| 739 |
| 740 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 2934 |
| 2935 |
| |
| a. If the algorithm type is RSA, the key length MUST be a minimum of 2048 and MUST |
| use the default exponent. For interoperability the key length SHOULD be 2048. |
| |
| 2936 |
| 2937 |
| |
| b. If the algorithm type is other than RSA the strength provided by the key MUST be |
| comparable to RSA 2048 |
| |
| 2938 |
| 2939 |
| |
| c. If the TPM is not designed to create a key of the requested type, return the error code |
| TPM_BAD_KEY_PROPERTY |
| |
| 2940 |
| |
| d. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then |
| |
| 2941 |
| |
| i. |
| |
| If authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS |
| |
| 29422. Use authHandle to verify that the Owner authorized all TPM_MakeIdentity input |
| 2943 |
| parameters. |
| 29443. Use srkAuthHandle to verify that the SRK owner authorized all TPM_MakeIdentity input |
| 2945 |
| parameters. |
| 29464. Verify that idKeyParams -> keyUsage is TPM_KEY_IDENTITY. If it is not, return |
| 2947 |
| TPM_INVALID_KEYUSAGE |
| 29485. Verify that idKeyParams -> keyFlags -> migratable is FALSE. If it is not, return |
| 2949 |
| TPM_INVALID_KEYUSAGE |
| 29506. Create a1 by decrypting identityAuth according to the ADIP indicated by authHandle. |
| 29517. Set continueAuthSession and continueSRKSession to FALSE. |
| 29528. Determine the structure version |
| 2953 |
| |
| a. If idKeyParams -> tag is TPM_TAG_KEY12 |
| |
| 2954 |
| |
| i. |
| |
| 2955 |
| 2956 |
| |
| ii. Create idKey a TPM_KEY12 structure using idKeyParams as the default values |
| for the structure |
| |
| 2957 |
| |
| Set V1 to 2 |
| |
| b. If idKeyParams -> ver is 1.1 |
| |
| 2958 |
| |
| i. |
| |
| 2959 |
| 2960 |
| |
| ii. Create idKey a TPM_KEY structure using idKeyParams as the default values |
| for the structure |
| |
| Set V1 to 1 |
| |
| 29619. Set the digestAtCreation values for pcrInfo |
| 2962 |
| |
| a. For TPM_PCR_INFO_LONG include the locality of the current command |
| |
| 296310.Create an asymmetric key pair (identityPubKey and tpm_signature_key) using a TPM2964 |
| protected capability, in accordance with the algorithm specified in idKeyParams |
| 296511.Ensure that the AuthData information in A1 is properly stored in the idKey as |
| 2966 |
| usageAuth. |
| 296712.Attach identityPubKey and tpm_signature_key to idKey |
| 296813.Set idKey -> migrationAuth to TPM_PERMANENT_DATA-> tpmProof |
| 296914.Ensure that all TPM_PAYLOAD_TYPE structures identify this key as TPM_PT_ASYM |
| 297015.Encrypt the private portion of idKey using the SRK as the parent key |
| |
| 741 |
| 742 |
| |
| 154 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 743TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 744Specification Version 1.2 |
| |
| 297116.Create |
| a |
| TPM_IDENTITY_CONTENTS |
| structure |
| 2972 |
| labelPrivCADigest and the information from idKey |
| |
| named |
| |
| idContents |
| |
| using |
| |
| 297317.Sign idContents using tpm_signature_key and TPM_SS_RSASSAPKCS1v15_SHA1. Store |
| 2974 |
| the result in identityBinding. |
| |
| 745Level 2 Revision 116 28 February 2011 |
| 746 |
| |
| 155 |
| TCG Published |
| |
| 747Copyright © TCG |
| 748 |
| 749 |
| |
| 297515.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_ActivateIdentity |
| |
| 2976Start of informative comment: |
| 2977The purpose of TPM_ActivateIdentity is to twofold. The first purpose is to obtain assurance |
| 2978that the credential in the TPM_SYM_CA_ATTESTATION is for this TPM. The second purpose |
| 2979is to obtain the session key used to encrypt the TPM_IDENTITY_CREDENTIAL. |
| 2980This is an extension to the 1.1 functionality of TPM_ActivateIdentity. The blob sent to from |
| 2981the CA can be in the 1.1 format or the 1.2 format. The TPM determines the type from the |
| 2982size or version information in the blob. |
| 2983TPM_ActivateIdentity checks that the symmetric session key corresponds to a TPM-identity |
| 2984before releasing that session key. |
| 2985Only the Owner of the TPM has the privilege of activating a TPM identity. The Owner is |
| 2986required to authorize the TPM_ActivateIdentity command. The owner may authorize the |
| 2987command using either the TPM_OIAP or TPM_OSAP authorization protocols. |
| 2988The creator of the ActivateIdentity package can specify if any PCR values are to be checked |
| 2989before releasing the session key. |
| 2990End of informative comment. |
| 2991Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes incl. paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ActivateIdentity |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| idKeyHandle |
| |
| Identity key to be activated |
| |
| 5 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| blobSize |
| |
| Size of encrypted blob from CA |
| |
| 6 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| BYTE [ ] |
| |
| blob |
| |
| The encrypted ASYM_CA_CONTENTS or TPM_EK_BLOB |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| idKeyAuthHandle |
| |
| The authorization session handle used for ID key authorization. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| idKeyLastNonceEven |
| |
| Even nonce previously generated by TPM |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| idKeynonceOdd |
| |
| Nonce generated by system associated with idKeyAuthHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueIdKeySession |
| |
| Continue usage flag for idKeyAuthHandle. |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| idKeyAuth |
| |
| The authorization session digest for the inputs and ID key. HMAC key: |
| idKey.usageAuth. |
| |
| 11 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 12 |
| |
| 3H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 13 |
| |
| 1 |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 14 |
| |
| 750 |
| 751 |
| |
| 20 |
| |
| 20 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner. HMAC key: |
| ownerAuth. |
| |
| 156 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 752TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 753Specification Version 1.2 |
| |
| 2992Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal:TPM_ORD_ActivateIdentity |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_SYMMETRIC_KEY |
| |
| symmetricKey |
| |
| The decrypted symmetric key. |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| idKeyNonceEven |
| |
| Even nonce newly generated by TPM. |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| idKeynonceOdd |
| |
| Nonce generated by system associated with idKeyAuthHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueIdKeySession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| idKeyAuth |
| |
| The authorization session digest used for the returned parameters and |
| idKeyAuth session. HMAC key: idKey.usageAuth. |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 8 |
| |
| 20 |
| |
| 1 |
| |
| 10 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H2 |
| 9 |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC |
| key: ownerAuth. |
| |
| 20 |
| |
| 2993Description |
| 29941. The command TPM_ActivateIdentity activates a TPM identity created using the command |
| 2995 |
| TPM_MakeIdentity. |
| 29962. The command assumes the availability of the private key associated with the identity. |
| 2997 |
| The command will verify the association between the keys during the process. |
| 29983. The command will decrypt the input blob and extract the session key and verify the |
| 2999 |
| connection between the public and private keys. The input blob can be in 1.1 or 1.2 |
| 3000 |
| format. |
| 3001Actions |
| 3002A Trusted Platform Module that receives a valid TPM_ActivateIdentity command SHALL do |
| 3003the following: |
| 30041. Using the authHandle field, validate the owner’s AuthData to execute the command and |
| 3005 |
| all of the incoming parameters. |
| 30062. Using the idKeyAuthHandle, validate the AuthData to execute command and all of the |
| 3007 |
| incoming parameters |
| 30083. Validate that the idKey is the public key of a valid TPM identity by checking that |
| 3009 |
| idKeyHandle -> keyUsage is TPM_KEY_IDENTITY. Return TPM_BAD_PARAMETER on |
| 3010 |
| mismatch |
| 30114. Create H1 the digest of a TPM_PUBKEY derived from idKey |
| 30125. Decrypt blob creating B1 using PRIVEK as the decryption key |
| 30136. Determine the type and version of B1 |
| 754Level 2 Revision 116 28 February 2011 |
| 755 |
| |
| 157 |
| TCG Published |
| |
| 756Copyright © TCG |
| 757 |
| 758 |
| |
| 3014 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| a. If B1 -> tag is TPM_TAG_EK_BLOB then |
| |
| 3015 |
| |
| i. |
| |
| 3016 |
| |
| b. Else |
| |
| 3017 |
| 3018 |
| 3019 |
| |
| B1 is a TPM_EK_BLOB |
| |
| i. B1 is a TPM_ASYM_CA_CONTENTS. As there is no tag for this structure it is |
| possible for the TPM to make a mistake here but other sections of the structure |
| undergo validation |
| |
| 30207. If B1 is a version 1.1 TPM_ASYM_CA_CONTENTS then |
| 3021 |
| |
| a. Compare H1 to B1 -> idDigest on mismatch return TPM_BAD_PARAMETER |
| |
| 3022 |
| |
| b. Set K1 to B1 -> sessionKey |
| |
| 30238. If B1 is a TPM_EK_BLOB then |
| 3024 |
| 3025 |
| |
| a. Validate that B1 -> ekType is TPM_EK_TYPE_ACTIVATE, return TPM_BAD_TYPE if |
| not. |
| |
| 3026 |
| |
| b. Assign A1 as a TPM_EK_BLOB_ACTIVATE structure from B1 -> blob |
| |
| 3027 |
| |
| c. Compare H1 to A1 -> idDigest on mismatch return TPM_BAD_PARAMETER |
| |
| 3028 |
| |
| d. If A1 -> pcrSelection is not NULL |
| |
| 3029 |
| |
| i. |
| |
| 3030 |
| 3031 |
| |
| ii. Compare |
| C1 |
| to |
| A1 |
| -> |
| TPM_WRONGPCRVAL on a mismatch |
| |
| 3032 |
| 3033 |
| |
| e. If A1 -> pcrInfo specifies a locality ensure that the appropriate locality has |
| been asserted, return TPM_BAD_LOCALITY on error |
| |
| 3034 |
| |
| Compute a composite hash C1 using the PCR selection A1 -> pcrSelection |
| pcrInfo->digestAtRelease |
| |
| and |
| |
| return |
| |
| f. Set K1 to A1 -> symmetricKey |
| |
| 30359. Return K1 |
| |
| 759 |
| 760 |
| |
| 158 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 761TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 762Specification Version 1.2 |
| |
| 303616. |
| Integrity Collection |
| 3037Start of informative comment: |
| |
| and Reporting |
| |
| 3038This section deals with what commands have direct access to the PCR |
| 3039End of informative comment. |
| 30401. The TPM SHALL only allow the following commands to alter the value of |
| 3041 |
| TPM_STCLEAR_DATA -> PCR |
| 3042 |
| |
| a. TPM_Extend |
| |
| 3043 |
| |
| b. TPM_SHA1CompleteExtend |
| |
| 3044 |
| |
| c. TPM_Startup |
| |
| 3045 |
| |
| d. TPM_PCR_Reset |
| |
| 763Level 2 Revision 116 28 February 2011 |
| 764 |
| |
| 159 |
| TCG Published |
| |
| 765Copyright © TCG |
| 766 |
| 767 |
| |
| 304616.1 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_Extend |
| |
| 3047Start of informative comment: |
| 3048This adds a new measurement to a PCR |
| 3049End of informative comment. |
| 3050Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Extend. |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_PCRINDEX |
| |
| pcrNum |
| |
| The PCR to be updated. |
| |
| 5 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| inDigest |
| |
| The 160 bit value representing the event to be recorded. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 3051Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 20 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Extend. |
| |
| 3S |
| |
| 20 |
| |
| TPM_PCRVALUE |
| |
| outDigest |
| |
| The PCR value after execution of the command. |
| |
| 3052Description |
| 3053Add a measurement value to a PCR |
| 3054Actions |
| 30551. Validate that pcrNum represents a legal PCR number. On error, return TPM_BADINDEX. |
| 30562. Map L1 to TPM_STANY_FLAGS -> localityModifier |
| 30573. Map P1 to TPM_PERMANENT_DATA -> pcrAttrib [pcrNum]. pcrExtendLocal |
| 30584. If, for the value of L1, the corresponding bit is not set in the bit map P1, return |
| 3059 |
| TPM_BAD_LOCALITY |
| 30605. Create c1 by concatenating (TPM_STCLEAR_DATA -> PCR[pcrNum] || inDigest). This |
| 3061 |
| takes the current PCR value and concatenates the inDigest parameter. |
| 30626. Create h1 by performing a SHA-1 digest of c1. |
| 30637. Store h1 to TPM_STCLEAR_DATA -> PCR[pcrNum] |
| 30648. If TPM_PERMANENT_FLAGS -> disable is TRUE or TPM_STCLEAR_FLAGS -> deactivated |
| 3065 |
| is TRUE |
| |
| 768 |
| 769 |
| |
| 160 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 770TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 771Specification Version 1.2 |
| |
| 3066 |
| |
| a. Set outDigest to 20 bytes of 0x00 |
| |
| 30679. Else |
| 3068 |
| |
| a. Set outDigest to h1 |
| |
| 772Level 2 Revision 116 28 February 2011 |
| 773 |
| |
| 161 |
| TCG Published |
| |
| 774Copyright © TCG |
| 775 |
| 776 |
| |
| 306916.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_PCRRead |
| |
| 3070Start of informative comment: |
| 3071The TPM_PCRRead operation provides non-cryptographic reporting of the contents of a |
| 3072named PCR. |
| 3073End of informative comment. |
| 3074Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_PCRRead. |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_PCRINDEX |
| |
| pcrIndex |
| |
| Index of the PCR to be read |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 3075Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 20 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_PCRRead. |
| |
| 3S |
| |
| 20 |
| |
| TPM_PCRVALUE |
| |
| outDigest |
| |
| The current contents of the named PCR |
| |
| 3076Description |
| 3077The TPM_PCRRead operation returns the current contents of the named register to the |
| 3078caller. |
| 3079Actions |
| 30801. Validate that pcrIndex |
| 3081 |
| TPM_BADINDEX. |
| |
| represents |
| |
| a |
| |
| legal |
| |
| PCR |
| |
| number. |
| |
| On |
| |
| error, |
| |
| return |
| |
| 30822. Set outDigest to TPM_STCLEAR_DATA -> PCR[pcrIndex] |
| 30833. Return TPM_SUCCESS |
| 3084 |
| |
| 777 |
| 778 |
| |
| 162 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 779TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 780Specification Version 1.2 |
| |
| 308516.3 |
| |
| TPM_Quote |
| |
| 3086Start of informative comment: |
| 3087The TPM_Quote operation provides cryptographic reporting of PCR values. A loaded key is |
| 3088required for operation. TPM_Quote uses a key to sign a statement that names the current |
| 3089value of a chosen PCR and externally supplied data (which may be a nonce supplied by a |
| 3090Challenger). |
| 3091The term "ExternalData" is used because an important use of TPM_Quote is to provide a |
| 3092digital signature on arbitrary data, where the signature includes the PCR values of the |
| 3093platform at time of signing. Hence the "ExternalData" is not just for anti-replay purposes, |
| 3094although it is (of course) used for that purpose in an integrity challenge. |
| 3095TPM_Quote should not use a TPM_KEY_SIGNING, because there is no way for the remote |
| 3096party to tell whether TPM_Quote or TPM_Sign created the signature. The exception is a |
| 3097TPM_KEY_SIGNING key with the _INFO signature |
| scheme, |
| because |
| the |
| metadata |
| 3098differentiates TPM_Sign from TPM_Quote. |
| 3099End of informative comment. |
| 3100Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Quote. |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| The keyHandle identifier of a loaded key that can sign the PCR values. |
| |
| 5 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| externalData |
| |
| 160 bits of externally supplied data (typically a nonce provided by a |
| server to prevent replay-attacks) |
| |
| 6 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PCR_SELECTION |
| |
| targetPCR |
| |
| The indices of the PCRs that are to be reported. |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle authorization. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| privAuth |
| |
| The authorization session digest for inputs and keyHandle. HMAC key: |
| key -> usageAuth. |
| |
| 781Level 2 Revision 116 28 February 2011 |
| 782 |
| |
| 163 |
| TCG Published |
| |
| 783Copyright © TCG |
| 784 |
| 785 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 3101Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Quote. |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PCR_COMPOSITE |
| |
| pcrData |
| |
| A structure containing the same indices as targetPCR, plus the |
| corresponding current PCR values. |
| |
| 5 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| sigSize |
| |
| The used size of the output area for the signature |
| |
| 6 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| BYTE[ ] |
| |
| sig |
| |
| The signed data blob. |
| |
| 7 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| Key -> usageAuth. |
| |
| 8 |
| |
| 1 |
| |
| 9 |
| |
| 20 |
| |
| 3102Actions |
| 31031. The TPM MUST validate the AuthData to use the key pointed to by keyHandle. |
| 31042. Validate that keyHandle -> sigScheme is TPM_SS_RSASSAPKCS1v15_SHA1 or |
| 3105 |
| TPM_SS_RSASSAPKCS1v15_INFO, if not return TPM_INAPPROPRIATE_SIG. |
| 31063. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY, or |
| 3107 |
| TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE |
| 31084. Validate targetPCR |
| 3109 |
| |
| a. targetPCR is a valid TPM_PCR_SELECTION structure |
| |
| 3110 |
| |
| b. On errors return TPM_INVALID_PCR_INFO |
| |
| 31115. Create H1 a SHA-1 hash of a TPM_PCR_COMPOSITE using the TPM_STCLEAR_DATA -> |
| 3112 |
| PCR indicated by targetPCR -> pcrSelect |
| 31136. Create Q1 a TPM_QUOTE_INFO structure |
| 3114 |
| |
| a. Set Q1 -> version to 1.1.0.0 |
| |
| 3115 |
| |
| b. Set Q1 -> fixed to “QUOT” |
| |
| 3116 |
| |
| c. Set Q1 -> digestValue to H1 |
| |
| 3117 |
| |
| d. Set Q1 -> externalData to externalData |
| |
| 31187. Sign SHA-1 hash of Q1 using keyHandle as the signature key |
| 31198. Return the signature in sig |
| |
| 786 |
| 787 |
| |
| 164 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 788TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 789Specification Version 1.2 |
| |
| 312016.4 |
| |
| TPM_PCR_Reset |
| |
| 3121Start of informative comment: |
| 3122For PCR with the pcrReset attribute set to TRUE, this command resets the PCR back to the |
| 3123default value, this mimics the actions of TPM_Init. The PCR may have restrictions as to |
| 3124which locality can perform the reset operation. |
| 3125Sending a null pcrSelection results in an error is due to the requirement that the command |
| 3126actually do something. If pcrSelection is null there are no PCR to reset and the command |
| 3127would then do nothing. |
| 3128For PCR that are resettable, the presence of a Trusted Operating System (TOS) can change |
| 3129the behavior of TPM_PCR_Reset. The following pseudo code shows how the behavior |
| 3130changes |
| 3131At TPM_Startup |
| 3132 |
| |
| If TPM_PCR_ATTRIBUTES->pcrReset is FALSE |
| |
| 3133 |
| |
| Set PCR to 0x00…00 |
| |
| 3134 |
| |
| Else |
| |
| 3135 |
| |
| Set PCR to 0xFF…FF |
| |
| 3136At TPM_PCR_Reset |
| 3137 |
| |
| If TPM_PCR_ATTRIBUTES->pcrReset is TRUE |
| |
| 3138 |
| |
| If TOSPresent |
| |
| 3139 |
| |
| Set PCR to 0x00…00 |
| |
| 3140 |
| |
| Else |
| |
| 3141 |
| |
| Set PCR to 0xFF…FF |
| |
| 3142 |
| |
| Else |
| |
| 3143 |
| |
| Return error |
| |
| 3144The above pseudocode is for example only, for the details of a specific platform, the reader |
| 3145must review the platform specific specification. The purpose of the above pseudocode is to |
| 3146show that both pcrReset and the TOSPresent bit control the value in use to when the PCR |
| 3147resets. |
| 3148End of informative comment. |
| 3149Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_PCR_Reset |
| |
| 4 |
| |
| <> |
| |
| 2S |
| |
| <> |
| |
| TPM_PCR_SELECTION |
| |
| pcrSelection |
| |
| The PCR’s to reset |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 790Level 2 Revision 116 28 February 2011 |
| 791 |
| |
| 165 |
| TCG Published |
| |
| 792Copyright © TCG |
| 793 |
| 794 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 3150Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_PCR_Reset |
| |
| 3151Description |
| 3152This command resets PCR values back to the default value. The command MUST validate |
| 3153that all PCR registers that are selected are available to be reset before resetting any PCR. |
| 3154This command MUST either reset all selected PCR registers or none of the PCR registers. |
| 3155Actions |
| 31561. Validate that pcrSelection is valid |
| 3157 |
| |
| a. is a valid TPM_PCR_SELECTION structure |
| |
| 3158 |
| |
| b. pcrSelection -> pcrSelect is non-zero |
| |
| 3159 |
| |
| c. On errors return TPM_INVALID_PCR_INFO |
| |
| 31602. Map L1 to TPM_STANY_FLAGS -> localityModifier |
| 31613. For each PCR selected perform the following |
| 3162 |
| 3163 |
| |
| a. If TPM_PERMANENT_DATA |
| TPM_NOTRESETABLE |
| |
| 3164 |
| 3165 |
| |
| b. If, for the value L1, the corresponding bit is clear in the bit map |
| TPM_PERMANENT_DATA -> pcrAttrib[pcrIndex].pcrResetLocal, return TPM_NOTLOCAL |
| |
| -> |
| |
| pcrAttrib[pcrIndex].pcrReset |
| |
| is |
| |
| FALSE, |
| |
| return |
| |
| 31664. For each PCR selected perform the following |
| 3167 |
| |
| a. The PCR MAY only reset to 0x00…00 or 0xFF…FF |
| |
| 3168 |
| 3169 |
| |
| b. The logic to determine which value to use MUST be described by a platform specific |
| specification |
| |
| 795 |
| 796 |
| |
| 166 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 797TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 798Specification Version 1.2 |
| |
| 317016.5 |
| |
| TPM_Quote2 |
| |
| 3171Start of informative comment: |
| 3172The TPM_Quote2 operation provides cryptographic reporting of PCR values. A loaded key is |
| 3173required for operation. TPM_Quote2 uses a key to sign a statement that names the current |
| 3174value of a chosen PCR and externally supplied data (which may be a nonce supplied by a |
| 3175Challenger). |
| 3176The term "externalData" is used because an important use of TPM_Quote2 is to provide a |
| 3177digital signature on arbitrary data, where the signature includes the PCR values of the |
| 3178platform at time of signing. Hence the "externalData" is not just for anti-replay purposes, |
| 3179although it is (of course) used for that purpose in an integrity challenge. |
| 3180TPM_Quote2 differs from TPM_Quote in that TPM_Quote2 uses TPM_PCR_INFO_SHORT to |
| 3181hold information relative to the PCR registers. TPM_PCR_INFO_SHORT includes locality |
| 3182information to provide the requestor a more complete view of the current platform |
| 3183configuration. |
| 3184End of informative comment. |
| 3185Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Quote2 |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| The keyHandle identifier of a loaded key that can sign the PCR values. |
| |
| 5 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| externalData |
| |
| 160 bits of externally supplied data (typically a nonce provided by a |
| server to prevent replay-attacks) |
| |
| 6 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PCR_SELECTION |
| |
| targetPCR |
| |
| The indices of the PCRs that are to be reported. |
| |
| 7 |
| |
| 1 |
| |
| 4S |
| |
| 1 |
| |
| BOOL |
| |
| addVersion |
| |
| When TRUE add TPM_CAP_VERSION_INFO to the output |
| |
| 8 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle authorization. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 9 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 10 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 11 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| privAuth |
| |
| The authorization session digest for inputs and keyHandle. HMAC key: |
| key -> usageAuth. |
| |
| 799Level 2 Revision 116 28 February 2011 |
| 800 |
| |
| 167 |
| TCG Published |
| |
| 801Copyright © TCG |
| 802 |
| 803 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 3186Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Quote2 |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PCR_INFO_SHORT |
| |
| pcrData |
| |
| The value created and signed for the quote |
| |
| 5 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| versionInfoSize |
| |
| Size of the version info |
| |
| 6 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| TPM_CAP_VERSION_INFO |
| |
| versionInfo |
| |
| The version info |
| |
| 7 |
| |
| 4 |
| |
| 6S |
| |
| 4 |
| |
| UINT32 |
| |
| sigSize |
| |
| The used size of the output area for the signature |
| |
| 8 |
| |
| <> |
| |
| 7S |
| |
| <> |
| |
| BYTE[ ] |
| |
| sig |
| |
| The signed data blob. |
| |
| 9 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| Key -> usageAuth. |
| |
| 10 |
| |
| 1 |
| |
| 11 |
| |
| 20 |
| |
| 3187Actions |
| 31881. The TPM MUST validate the AuthData to use the key pointed to by keyHandle. |
| 31892. Validate that keyHandle -> sigScheme is TPM_SS_RSASSAPKCS1v15_SHA1 or |
| 3190 |
| TPM_SS_RSASSAPKCS1v15_INFO, if not return TPM_INAPPROPRIATE_SIG. |
| 31913. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY, or |
| 3192 |
| TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE |
| 31934. Validate targetPCR is a valid TPM_PCR_SELECTION structure, on errors return |
| 3194 |
| TPM_INVALID_PCR_INFO |
| 31955. Create H1 a SHA-1 hash of a TPM_PCR_COMPOSITE using the TPM_STCLEAR_DATA -> |
| 3196 |
| PCR[] indicated by targetPCR -> pcrSelect |
| 31976. Create S1 a TPM_PCR_INFO_SHORT |
| 3198 |
| |
| a. Set S1->pcrSelection to targetPCR |
| |
| 3199 |
| |
| b. Set S1->localityAtRelease to TPM_STANY_DATA -> localityModifier |
| |
| 3200 |
| |
| c. Set S1->digestAtRelease to H1 |
| |
| 32017. Create Q1 a TPM_QUOTE_INFO2 structure |
| 3202 |
| |
| a. Set Q1 -> fixed to “QUT2” |
| |
| 3203 |
| |
| b. Set Q1 -> infoShort to S1 |
| |
| 3204 |
| |
| c. Set Q1 -> externalData to externalData |
| |
| 32058. If addVersion is TRUE |
| 3206 |
| 804 |
| 805 |
| |
| a. Concatenate to Q1 a TPM_CAP_VERSION_INFO structure |
| 168 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 806TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 807Specification Version 1.2 |
| |
| 3207 |
| |
| b. Set the output parameters for versionInfo |
| |
| 32089. Else |
| 3209 |
| |
| a. Set versionInfoSize to 0 |
| |
| 3210 |
| |
| b. Return no bytes in versionInfo |
| |
| 321110.Sign a SHA-1 hash of Q1 using keyHandle as the signature key |
| 321211.Return the signature in sig |
| |
| 808Level 2 Revision 116 28 February 2011 |
| 809 |
| |
| 169 |
| TCG Published |
| |
| 810Copyright © TCG |
| 811 |
| 812 |
| |
| 321317. |
| 321417.1 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Changing AuthData |
| TPM_ChangeAuth |
| |
| 3215Start of informative comment: |
| 3216The TPM_ChangeAuth command allows the owner of an entity to change the AuthData for |
| 3217the entity. |
| 3218This command cannot invalidate the old entity. Therefore, the authorization change is only |
| 3219effective if the application can guarantee that the old entity can be securely destroyed. If |
| 3220not, two valid entities will exist, one with the old and one with the new authorization secret. |
| 3221If this command is delegated, the delegated party can expand its key use privileges. That |
| 3222party can create a copy of the key with known authorization, and it can then use the key |
| 3223without any ordinal restrictions. |
| 3224TPM_ChangeAuth requires the encryption of one parameter (“NewAuth”). For the sake of |
| 3225uniformity with other commands that require the encryption of more than one parameter, |
| 3226the parameters used for used encryption are generated from the authLastNonceEven |
| 3227(created during the OSAP session), nonceOdd, and the session shared secret. |
| 3228The parameter list to this command must always include two authorization sessions, |
| 3229regardless of the state of authDataUsage for the respective keys. |
| 3230End of informative comment. |
| |
| 813 |
| 814 |
| |
| 170 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 815TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 816Specification Version 1.2 |
| |
| 3231 |
| Incoming Operands and Sizes |
| |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ChangeAuth |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| parentHandle |
| |
| Handle of the parent key to the entity. |
| |
| 5 |
| |
| 2 |
| |
| 2S |
| |
| 2 |
| |
| TPM_PROTOCOL_ID |
| |
| protocolID |
| |
| The protocol in use. |
| |
| 6 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| newAuth |
| |
| The encrypted new AuthData for the entity |
| |
| 7 |
| |
| 2 |
| |
| 4S |
| |
| 2 |
| |
| TPM_ENTITY_TYPE |
| |
| entityType |
| |
| The type of entity to be modified |
| |
| 8 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| encDataSize |
| |
| The size of the encData parameter |
| |
| 9 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[ ] |
| |
| encData |
| |
| The encrypted entity that is to be modified. |
| |
| 10 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| parentAuthHandle |
| |
| The authorization session handle used for the parent key. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 11 |
| |
| 20 |
| |
| 3 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with parentAuthHandle |
| |
| 12 |
| |
| 1 |
| |
| 4 H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Ignored, parentAuthHandle is always terminated. |
| |
| 13 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| parentAuth |
| |
| The authorization session digest for inputs and parentHandle. HMAC |
| key: parentKey.usageAuth. |
| |
| 14 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| entityAuthHandle |
| |
| The authorization session handle used for the encrypted entity. The |
| session type MUST be OIAP |
| |
| 2 H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| entitylastNonceEven |
| |
| Even nonce previously generated by TPM |
| |
| 15 |
| |
| 20 |
| |
| 3 H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| entitynonceOdd |
| |
| Nonce generated by system associated with entityAuthHandle |
| |
| 16 |
| |
| 1 |
| |
| 4 H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueEntitySession |
| |
| Ignored, entityAuthHandle is always terminated. |
| |
| 17 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| entityAuth |
| |
| The authorization session digest for the inputs and encrypted entity. |
| HMAC key: entity.usageAuth. |
| |
| 817Level 2 Revision 116 28 February 2011 |
| 818 |
| |
| 171 |
| TCG Published |
| |
| 819Copyright © TCG |
| 820 |
| 821 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 3232Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. See section 4.3. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ChangeAuth |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| outDataSize |
| |
| The used size of the output area for outData |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| outData |
| |
| The modified, encrypted entity. |
| |
| 6 |
| |
| 20 |
| |
| 2 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with parentAuthHandle |
| |
| 4 H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, fixed value of FALSE |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters and |
| parentHandle. HMAC key: parentKey.usageAuth. |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 9 |
| |
| 20 |
| |
| 1 |
| |
| 11 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| entityNonceEven |
| |
| Even nonce newly generated by TPM to cover entity |
| |
| 3 H2 |
| 10 |
| |
| 2 H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| entitynonceOdd |
| |
| Nonce generated by system associated with entityAuthHandle |
| |
| 4 H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueEntitySession |
| |
| Continue use flag, fixed value of FALSE |
| |
| TPM_AUTHDATA |
| |
| entityAuth |
| |
| The authorization session digest for the returned parameters and entity. |
| HMAC key: entity.usageAuth, the original and not the new auth value |
| |
| 20 |
| |
| 3233Description |
| 32341. The parentAuthHandle session type MUST be TPM_PID_OSAP. |
| 32352. In this capability, the SRK cannot be accessed as entityType TPM_ET_KEY, since the |
| 3236 |
| SRK is not wrapped by a parent key. |
| 3237Actions |
| 32381. Verify that entityType is one of TPM_ET_DATA, TPM_ET_KEY and return the error |
| 3239 |
| TPM_WRONG_ENTITYTYPE if not. |
| 32402. Verify that parentAuthHandle session type is TPM_PID_OSAP return TPM_BAD_MODE |
| 3241 |
| on error |
| 32423. Verify that entityAuthHandle session type is TPM_PID_OIAP return TPM_BAD_MODE on |
| 3243 |
| error |
| 32444. If protocolID is not TPM_PID_ADCP, the TPM MUST return TPM_BAD_PARAMETER. |
| 32455. The encData parameter MUST be the encData field from either the TPM_STORED_DATA |
| 3246 |
| or TPM_KEY structures. |
| 32476. Create decryptAuth by decrypting newAuth according to the ADIP indicated by |
| 3248 |
| parentHandle. |
| 32497. The TPM MUST validate the command using the AuthData in the parentAuth parameter |
| 32508. Validate that parentHandle -> keyUsage is TPM_KEY_STORAGE, if not return |
| 3251 |
| TPM_INVALID_KEYUSAGE |
| 822 |
| 823 |
| |
| 172 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 824TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 825Specification Version 1.2 |
| |
| 32529. After parameter validation, the TPM creates b1 by decrypting encData using the key |
| 3253 |
| pointed to by parentHandle. |
| 325410.The TPM MUST validate that b1 is a |
| 3255 |
| TPM_STORE_ASYMKEY or a TPM_SEALED_DATA |
| |
| valid |
| |
| TPM |
| |
| structure, |
| |
| either |
| |
| a |
| |
| 3256 |
| |
| a. Check the length and payload, return TPM_INVALID_STRUCTURE on any mismatch |
| |
| 3257 |
| 3258 |
| 3259 |
| |
| b. The TPM must validate the command using the authorization data entityAuth |
| parameter. |
| The HMAC key is TPM_STORE_ASYMKEY -> usageAuth or |
| TPM_SEALED_DATA -> authData. |
| |
| 326011.The TPM replaces the AuthData for b1 with decryptAuth created above. |
| 326112.The TPM encrypts b1 using the appropriate mechanism for the type using the |
| 3262 |
| parentKeyHandle to provide the key information. |
| 326313.The TPM MUST enforce the destruction of both the parentAuthHandle and |
| 3264 |
| entityAuthHandle sessions. |
| |
| 826Level 2 Revision 116 28 February 2011 |
| 827 |
| |
| 173 |
| TCG Published |
| |
| 828Copyright © TCG |
| 829 |
| 830 |
| |
| 326517.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_ChangeAuthOwner |
| |
| 3266Start of informative comment: |
| 3267The TPM_ChangeAuthOwner command allows the owner of an entity to change the |
| 3268AuthData for the TPM Owner or the SRK. |
| 3269This command requires authorization from the current TPM Owner to execute. |
| 3270TPM's targeted for an environment (e.g. a server) with long lasting sessions should not |
| 3271invalidate all sessions. |
| 3272End of informative comment. |
| 3273Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ChangeAuthOwner |
| |
| 4 |
| |
| 2 |
| |
| 2S |
| |
| 2 |
| |
| TPM_PROTOCOL_ID |
| |
| protocolID |
| |
| The protocol in use. |
| |
| 5 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| newAuth |
| |
| The encrypted new AuthData for the entity |
| |
| 6 |
| |
| 2 |
| |
| 4S |
| |
| 2 |
| |
| TPM_ENTITY_TYPE |
| |
| entityType |
| |
| The type of entity to be modified |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| ownerAuthHandle |
| |
| The authorization session handle used for the TPM Owner. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with ownerAuthHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag the TPM ignores this value |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and ownerHandle. HMAC key: |
| ownerAuth. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 3274Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 5 |
| 6 |
| |
| 831 |
| 832 |
| |
| 1 |
| 20 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ChangeAuthOwner |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with ownerAuthHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, fixed value of FALSE |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters and |
| ownerHandle. HMAC key: ownerAuth, the original value and not the new |
| auth value |
| |
| 174 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 833TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 834Specification Version 1.2 |
| |
| 3275Actions |
| 32761. The TPM MUST validate the command using the AuthData in the ownerAuth parameter |
| 32772. The ownerAuthHandle session type MUST be TPM_PID_OSAP |
| 32783. If protocolID is not TPM_PID_ADCP, the TPM MUST return TPM_BAD_PARAMETER. |
| 32794. Verify that entityType is either TPM_ET_OWNER or TPM_ET_SRK, and return the error |
| 3280 |
| TPM_WRONG_ENTITYTYPE if not. |
| 32815. Create decryptAuth by decrypting newAuth according to the ADIP indicated by |
| 3282 |
| ownerAuthHandle. |
| 32836. The TPM MUST enforce the destruction of the ownerAuthHandle session upon |
| 3284 |
| completion of this command (successful or unsuccessful). This includes setting |
| 3285 |
| continueAuthSession to FALSE |
| 32867. Set the AuthData for the indicated entity to decryptAuth |
| 32878. The TPM MUST invalidate all owner authorized OSAP and DSAP sessions, active or |
| 3288 |
| saved. |
| 32899. The TPM MAY invalidate all sessions, active or saved |
| |
| 835Level 2 Revision 116 28 February 2011 |
| 836 |
| |
| 175 |
| TCG Published |
| |
| 837Copyright © TCG |
| 838 |
| 839 |
| |
| 329018. |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Authorization Sessions |
| |
| 329118.1 |
| |
| TPM_OIAP |
| |
| 3292Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OIAP. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 3293Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OIAP. |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| Handle that TPM creates that points to the authorization state. |
| |
| 5 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Nonce generated by TPM and associated with session. |
| |
| 3294Actions |
| 32951. The TPM_OIAP command allows the creation of an authorization session handle and the |
| 3296 |
| tracking of the handle by the TPM. The TPM generates the handle and nonce. |
| 32972. The TPM has an internal limit as to the number of handles that may be open at one |
| 3298 |
| time, so the request for a new handle may fail if there is insufficient space available. |
| 32993. Internally the TPM will do the following: |
| 3300 |
| 3301 |
| |
| a. TPM allocates space to save handle, protocol identification, both nonces and any |
| other information the TPM needs to manage the session. |
| |
| 3302 |
| |
| b. TPM generates authHandle and nonceEven, returns these to caller |
| |
| 33034. On each subsequent use of the OIAP session the TPM MUST generate a new nonceEven |
| 3304 |
| value. |
| 33055. When TPM_OIAP is wrapped in an encrypted transport session, no input or output |
| 3306 |
| parameters are encrypted. |
| |
| 840 |
| 841 |
| |
| 176 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 842TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 843Specification Version 1.2 |
| |
| 3307 |
| 330818.1.1 |
| |
| Actions to validate an OIAP session |
| |
| 3309Start of informative comment: |
| 3310This section describes the authorization-related actions of a TPM when it receives a |
| 3311command that has been authorized with the OIAP protocol. |
| 3312Many commands use OIAP authorization. The following description is therefore necessarily |
| 3313abstract. |
| 3314End of informative comment. |
| 3315Actions |
| 3316The TPM MUST perform the following operations: |
| 33171. The TPM MUST verify that the authorization session handle (H, say) referenced in the |
| 3318 |
| command points to a valid session. If it does not, the TPM returns the error code |
| 3319 |
| TPM_INVALID_AUTHHANDLE |
| 33202. The TPM SHALL retrieve the latest version of the caller’s nonce (nonceOdd) and |
| 3321 |
| continueAuthSession flag from the input parameter list, and store it in internal TPM |
| 3322 |
| memory with the authSession ‘H’. |
| 33233. The TPM SHALL retrieve the latest version of the TPM’s nonce stored with the |
| 3324 |
| authorization session H (authLastNonceEven) computed during the previously executed |
| 3325 |
| command. |
| 33264. The TPM MUST retrieve the secret AuthData (SecretE, say) of the target entity. The entity |
| 3327 |
| and its secret must have been previously loaded into the TPM. |
| 3328 |
| |
| a. If the command using the OIAP session requires owner authorization |
| |
| 3329 |
| 3330 |
| |
| i. If TPM_STCLEAR_DATA -> ownerReference is TPM_KH_OWNER, the secret |
| AuthData is TPM_PERMANENT_DATA -> ownerAuth |
| |
| 3331 |
| |
| ii. If TPM_STCLEAR_DATA -> ownerReference is pointing to a delegate row |
| |
| 3332 |
| |
| (1) Set R1 a row index to TPM_STCLEAR_DATA -> ownerReference |
| |
| 3333 |
| 3334 |
| |
| (2) Set D1 a TPM_DELEGATE_TABLE_ROW to TPM_PERMANENT_DATA -> |
| delegateTable -> delRow[R1] |
| |
| 3335 |
| |
| (3) Set the secret AuthData to D1 -> authValue |
| |
| 3336 |
| |
| (4) Validate the TPM_DELEGATE_PUBLIC D1 -> pub |
| |
| 3337 |
| |
| (a) |
| |
| Validate D1 -> pub -> permissions based on the command ordinal |
| |
| 3338 |
| |
| (b) |
| |
| Validate D1 -> pub -> pcrInfo based on the PCR values |
| |
| 33395. The TPM SHALL perform a HMAC calculation using the entity secret data, ordinal, input |
| 3340 |
| command parameters and authorization parameters per Part 1 Object-Independent |
| 3341 |
| Authorization Protocol. |
| 33426. The TPM SHALL compare HM to the AuthData value received in the input parameters. If |
| 3343 |
| they are different, the TPM returns the error code TPM_AUTHFAIL if the authorization |
| 3344 |
| session is the first session of a command, or TPM_AUTH2FAIL if the authorization |
| 844Level 2 Revision 116 28 February 2011 |
| 845 |
| |
| 177 |
| TCG Published |
| |
| 846Copyright © TCG |
| 847 |
| 848 |
| |
| 3345 |
| 3346 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| session is the second session of a command. Otherwise, the TPM executes the command |
| which (for this example) produces an output that requires authentication. |
| |
| 33477. The TPM SHALL generate a nonce (nonceEven). |
| 33488. The TPM creates an HMAC digest to authenticate the return code, return values and |
| 3349 |
| authorization parameters to the same entity secret per Part 1 Object-Independent |
| 3350 |
| Authorization Protocol. |
| 33519. The TPM returns the return code, output parameters, authorization parameters and |
| 3352 |
| authorization session digest. |
| 335310.If the output continueUse flag is FALSE, then the TPM SHALL terminate the session. |
| 3354 |
| Future references to H will return an error. |
| 335511.Each time that access to an entity (e.g., key) is authorized using OIAP, the TPM MUST |
| 3356 |
| validate the TPM_PCR_INFO_xxx “…AtRelease” values if specified for the entity |
| 3357 |
| 3358 |
| 3359 |
| |
| 849 |
| 850 |
| |
| a. The TPM SHOULD validate the values before using the shared secret to validate the |
| command parameters. This prevents a dictionary attack on the shared secret when the |
| values are invalid for the entity. |
| |
| 178 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 851TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 852Specification Version 1.2 |
| |
| 336018.2 |
| |
| TPM_OSAP |
| |
| 3361Start of informative comment: |
| 3362The TPM_OSAP command creates the authorization session handle, the shared secret and |
| 3363generates nonceEven and nonceEvenOSAP. |
| 3364End of informative comment. |
| 3365Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OSAP. |
| |
| 4 |
| |
| 2 |
| |
| TPM_ENTITY_TYPE |
| |
| entityType |
| |
| The type of entity in use |
| |
| 5 |
| |
| 4 |
| |
| UINT32 |
| |
| entityValue |
| |
| The selection value based on entityType, e.g. a keyHandle # |
| |
| 6 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOddOSAP |
| |
| The nonce generated by the caller associated with the shared secret. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 3366Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OSAP. |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| Handle that TPM creates that points to the authorization state. |
| |
| 5 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Nonce generated by TPM and associated with session. |
| |
| 6 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEvenOSAP |
| |
| Nonce generated by TPM and associated with shared secret. |
| |
| 3367Description |
| 33681. The TPM_OSAP command allows the creation of an authorization session handle and the |
| 3369 |
| tracking of the handle by the TPM. The TPM generates the handle, nonceEven and |
| 3370 |
| nonceEvenOSAP. |
| 33712. The TPM has an internal limit on the number of handles that may be open at one time, |
| 3372 |
| so the request for a new handle may fail if there is insufficient space available. |
| 33733. The TPM_OSAP allows the binding of an authorization to a specific entity. This allows |
| 3374 |
| the caller to continue to send in AuthData for each command but not have to request |
| 3375 |
| the information or cache the actual AuthData. |
| 33764. When TPM_OSAP is wrapped in an encrypted transport session, no input or output |
| 3377 |
| parameters are encrypted. |
| 33785. If the owner pointer is pointing to a delegate row, the TPM internally MUST treat the |
| 3379 |
| OSAP session as a DSAP session |
| 853Level 2 Revision 116 28 February 2011 |
| 854 |
| |
| 179 |
| TCG Published |
| |
| 855Copyright © TCG |
| 856 |
| 857 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 33806. TPM_ET_SRK or TPM_ET_KEYHANDLE with a value of TPM_KH_SRK MUST specify the |
| 3381 |
| SRK. |
| 33827. If the entity is tied to PCR values, the PCR’s are not validated during the TPM_OSAP |
| 3383 |
| ordinal session creation. The PCR’s are validated when the OSAP session is used. |
| 3384Actions |
| 33851. The TPM creates S1 a storage area that keeps track of the information associated with |
| 3386 |
| the authorization. |
| 33872. S1 MUST track the following information |
| 3388 |
| |
| a. Protocol identification (i.e. TPM_PID_OSAP) |
| |
| 3389 |
| |
| b. nonceEven |
| |
| 3390 |
| |
| i. |
| |
| Initialized to the next value from the TPM RNG |
| |
| 3391 |
| |
| c. shared secret |
| |
| 3392 |
| |
| d. ADIP encryption scheme from TPM_ENTITY_TYPE entityType |
| |
| 3393 |
| |
| e. Any other internal TPM state the TPM needs to manage the session |
| |
| 33943. The TPM MUST create and MAY track the following information |
| 3395 |
| |
| a. nonceEvenOSAP |
| |
| 3396 |
| 33974. |
| 3398 |
| 3399 |
| 3400 |
| 3401 |
| |
| i. |
| |
| Initialized to the next value from the TPM RNG |
| |
| The TPM calculates the shared secret using an HMAC calculation. The key for the HMAC |
| calculation is the secret AuthData assigned to the key handle identified by entityValue. |
| The input to the HMAC calculation is the concatenation of nonces nonceEvenOSAP and |
| nonceOddOSAP. The output of the HMAC calculation is the shared secret which is saved |
| in the authorization area associated with authHandle |
| |
| 34025. Check if the ADIP encryption scheme specified by entityType is supported, if not return |
| 3403 |
| TPM_INAPPROPRIATE_ENC. |
| 34046. If entityType = TPM_ET_KEYHANDLE |
| 3405 |
| 3406 |
| |
| a. The entity to authorize is a key held in the TPM. entityValue contains the keyHandle |
| that holds the key. |
| |
| 3407 |
| |
| b. If entityValue is TPM_KH_OPERATOR return TPM_BAD_HANDLE |
| |
| 34087. else if entityType = TPM_ET_OWNER |
| 3409 |
| |
| a. This value indicates that the entity is the TPM owner. entityValue is ignored |
| |
| 3410 |
| 3411 |
| |
| b. The HMAC key is the secret pointed to by ownerReference (owner secret or delegated |
| secret) |
| |
| 34128. else if entityType = TPM_ET_SRK |
| 3413 |
| |
| a. The entity to authorize is the SRK. entityValue is ignored. |
| |
| 34149. else if entityType = TPM_ET_COUNTER |
| 3415 |
| |
| a. The entity is a monotonic counter, entityValue contains the counter handle |
| |
| 341610.else if entityType = TPM_ET_NV |
| 858 |
| 859 |
| |
| 180 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 860TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 861Specification Version 1.2 |
| |
| 3417 |
| |
| a. The entity is a NV index, entityValue contains the NV index |
| |
| 341811.else return TPM_BAD_PARAMETER |
| 341912.On each subsequent use of the OSAP session the TPM MUST generate a new nonce |
| 3420 |
| value. |
| 342113.The TPM MUST ensure that OSAP shared secret is only available while the OSAP session |
| 3422 |
| is valid. |
| 342314.The session MUST terminate upon any of the following conditions: |
| 3424 |
| |
| a. The command that uses the session returns an error |
| |
| 3425 |
| |
| b. The resource is evicted from the TPM or otherwise invalidated |
| |
| 3426 |
| 3427 |
| |
| c. The session is used in any command for which the shared secret is used to encrypt |
| an input parameter (TPM_ENCAUTH) |
| |
| 3428 |
| |
| d. The TPM Owner is cleared |
| |
| 3429 |
| 3430 |
| |
| e. TPM_ChangeAuthOwner is executed and this session is attached to the owner |
| authorization |
| |
| 3431 |
| 3432 |
| |
| f. The |
| session |
| TPM_FlushSpecific |
| |
| 3433 |
| 3434 |
| |
| g. All OSAP sessions associated with the delegation table MUST be invalidated when |
| any of the following commands execute: |
| |
| explicitly |
| |
| terminated |
| |
| with |
| |
| continueAuth, |
| |
| 3435 |
| |
| i. |
| |
| 3436 |
| |
| ii. TPM_Delegate_CreateOwnerDelegation with Increment==TRUE |
| |
| 3437 |
| |
| iii. TPM_Delegate_LoadOwnerDelegation |
| |
| TPM_Delegate_Manage |
| |
| 862Level 2 Revision 116 28 February 2011 |
| 863 |
| |
| 181 |
| TCG Published |
| |
| TPM_Reset |
| |
| or |
| |
| 864Copyright © TCG |
| 865 |
| 866 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 3438 |
| 343918.2.1 |
| |
| Actions to validate an OSAP session |
| |
| 3440Start of informative comment: |
| 3441This section describes the authorization-related actions of a TPM when it receives a |
| 3442command that has been authorized with the OSAP protocol. |
| 3443Many commands use OSAP authorization. The following description is therefore necessarily |
| 3444abstract. |
| 3445End of informative comment |
| 3446Actions |
| 34471. On reception of a command with ordinal C1 that uses an authorization session, the TPM |
| 3448 |
| SHALL perform the following actions: |
| 34492. The TPM MUST have been able to retrieve the shared secret (Shared, say) of the target |
| 3450 |
| entity when the authorization session was established with TPM_OSAP. The entity and |
| 3451 |
| its secret must have been previously loaded into the TPM. |
| 34523. The TPM MUST verify that the authorization session handle (H, say) referenced in the |
| 3453 |
| command points to a valid session. If it does not, the TPM returns the error code |
| 3454 |
| TPM_INVALID_AUTHHANDLE. |
| 34554. The TPM MUST calculate the HMAC (HM1, say) of the command parameters according |
| 3456 |
| to Part 1 Object-Specific Authorization Protocol. |
| 34575. |
| 3458 |
| 3459 |
| 3460 |
| 3461 |
| |
| The TPM SHALL compare HM1 to the AuthData value received in the command. If they |
| are different, the TPM returns the error code TPM_AUTHFAIL if the authorization session |
| is the first session of a command, or TPM_AUTH2FAIL if the authorization session is the |
| second session of a command., the TPM executes command C1 which produces an |
| output (O, say) that requires authentication and uses a particular return code (RC, say). |
| |
| 34626. The TPM SHALL generate the latest version of the even nonce (nonceEven). |
| 34637. The TPM MUST calculate the HMAC (HM2) of the return parameters according to section |
| 3464 |
| Part 1 Object-Specific Authorization Protocol. |
| 34658. The TPM returns HM2 in the parameter list. |
| 34669. The TPM SHALL retrieve the continue flag from the received command. If the flag is |
| 3467 |
| FALSE, the TPM SHALL terminate the session and destroy the thread associated with |
| 3468 |
| handle H. |
| 346910.If the shared secret was used to provide confidentiality for data in the received |
| 3470 |
| command, the TPM SHALL terminate the session and destroy the thread associated with |
| 3471 |
| handle H. |
| 347211.Each time that access to an entity (e.g., key) is authorized using OSAP, the TPM MUST |
| 3473 |
| |
| a. ensure that the OSAP shared secret is that derived from the entity using TPM_OSAP |
| |
| 3474 |
| |
| b. validate the TPM_PCR_INFO_xxx “…AtRelease” values if specified for the entity |
| |
| 867 |
| 868 |
| |
| 182 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 869TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 870Specification Version 1.2 |
| |
| 3475 |
| 3476 |
| 3477 |
| |
| i. The TPM SHOULD validate the values before using the shared secret to |
| validate the command parameters. This prevents a dictionary attack on the |
| shared secret when the values are invalid for the entity. |
| |
| 871Level 2 Revision 116 28 February 2011 |
| 872 |
| |
| 183 |
| TCG Published |
| |
| 873Copyright © TCG |
| 874 |
| 875 |
| |
| 347818.3 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_DSAP |
| |
| 3479Start of informative comment: |
| 3480The TPM_DSAP command creates the authorization session handle using a delegated |
| 3481AuthData value passed into the command as an encrypted blob or from the internal |
| 3482delegation table. It can be used to start an authorization session for a user key or the |
| 3483owner. |
| 3484As in TPM_OSAP, it generates a shared secret and generates nonceEven and |
| 3485nonceEvenOSAP. |
| 3486End of informative comment. |
| 3487Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DSAP. |
| |
| 4 |
| |
| 2 |
| |
| TPM_ENTITY_TYPE |
| |
| entityType |
| |
| The type of delegation information to use |
| |
| 5 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| Key for which delegated authority corresponds, or 0 if delegated owner activity. |
| Only relevant if entityValue equals TPM_DELEGATE_KEY_BLOB |
| |
| 6 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOddDSAP |
| |
| The nonce generated by the caller associated with the shared secret. |
| |
| 7 |
| |
| 4 |
| |
| UINT32 |
| |
| entityValueSize |
| |
| The size of entityValue. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 8 |
| |
| <> |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 2S |
| |
| 4 |
| |
| <> |
| |
| BYTE [ ] |
| |
| entityValue |
| |
| Either TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB or index |
| MUST not be empty |
| If entityType is TPM_ET_DEL_ROW then entityValue is a TPM_DELEGATE_INDEX |
| |
| 3488Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| # |
| |
| SZ |
| |
| 1 |
| 2 |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DSAP. |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| Handle that TPM creates that points to the authorization state. |
| |
| 5 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Nonce generated by TPM and associated with session. |
| |
| 6 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEvenDSAP |
| |
| Nonce generated by TPM and associated with shared secret. |
| |
| 3489Description |
| 34901. The TPM_DSAP command allows the creation of an authorization session handle and the |
| 3491 |
| tracking of the handle by the TPM. The TPM generates the handle, nonceEven and |
| 3492 |
| nonceEvenOSAP. |
| |
| 876 |
| 877 |
| |
| 184 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 878TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 879Specification Version 1.2 |
| |
| 34932. The TPM has an internal limit on the number of handles that may be open at one time, |
| 3494 |
| so the request for a new handle may fail if there is insufficient space available. |
| 34953. The TPM_DSAP allows the binding of a delegated authorization to a specific entity. This |
| 3496 |
| allows the caller to continue to send in AuthData for each command but not have to |
| 3497 |
| request the information or cache the actual AuthData. |
| 34984. Each ordinal that uses the DSAP session MUST validate that TPM_PERMANENT_DATA |
| 3499 |
| -> restrictDelegate does not restrict delegation, based on keyHandle -> keyUsage and |
| 3500 |
| keyHandle -> keyFlags, return TPM_INVALID_KEYUSAGE on error. |
| 35015. On each subsequent use of the DSAP session the TPM MUST generate a new nonce |
| 3502 |
| value and check if the ordinal to be executed has delegation to execute. The TPM MUST |
| 3503 |
| ensure that the DSAP shared secret is only available while the DSAP session is valid. |
| 35046. When TPM_DSAP is wrapped in an encrypted transport session |
| 3505 |
| |
| a. For input the only parameter encrypted is entityValue |
| |
| 3506 |
| |
| b. For output no parameters are encrypted |
| |
| 35077. The DSAP session MUST terminate under any of the following conditions |
| 3508 |
| |
| a. The command that uses the session returns an error |
| |
| 3509 |
| |
| b. If attached to a key, when the key is evicted from the TPM or otherwise invalidated |
| |
| 3510 |
| 3511 |
| |
| c. The session is used in any command for which the shared secret is used to encrypt |
| an input parameter (TPM_ENCAUTH) |
| |
| 3512 |
| |
| d. The TPM Owner is cleared |
| |
| 3513 |
| 3514 |
| |
| e. TPM_ChangeAuthOwner is executed and this session is attached to the owner |
| authorization |
| |
| 3515 |
| 3516 |
| |
| f. The |
| session |
| TPM_FlushSpecific |
| |
| 3517 |
| 3518 |
| |
| g. All DSAP sessions MUST be invalidated when any of the following commands |
| execute: |
| |
| explicitly |
| |
| terminated |
| |
| 3519 |
| |
| i. |
| |
| 3520 |
| |
| TPM_Reset |
| |
| or |
| |
| iii. TPM_Delegate_LoadOwnerDelegation |
| |
| 3522 |
| |
| continueAuth, |
| |
| ii. When Increment is TRUE |
| |
| 3521 |
| |
| with |
| |
| iv. TPM_Delegate_Manage |
| |
| TPM_Delegate_CreateOwnerDelegation |
| |
| 3523entityType = TPM_ET_DEL_OWNER_BLOB |
| 3524 |
| |
| The entityValue parameter contains an owner delegation blob structure. |
| |
| 3525entityType = TPM_ET_DEL_ROW |
| 3526 |
| 3527 |
| |
| The entityValue parameter contains a row number in the nv Delegation table which |
| should be used for the AuthData value. |
| |
| 3528entityType = TPM_DEL_KEY_BLOB |
| 3529 |
| |
| The entityValue parameter contains a key delegation blob structure. |
| |
| 880Level 2 Revision 116 28 February 2011 |
| 881 |
| |
| 185 |
| TCG Published |
| |
| 882Copyright © TCG |
| 883 |
| 884 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 3530Actions |
| 35311. If entityType == TPM_ET_DEL_OWNER_BLOB |
| 3532 |
| |
| a. Map entityValue to B1 a TPM_DELEGATE_OWNER_BLOB |
| |
| 3533 |
| 3534 |
| |
| b. Validate |
| that |
| B1 |
| is |
| a |
| valid |
| TPM_WRONG_ENTITYTYPE on error |
| |
| 3535 |
| 3536 |
| |
| c. Locate B1 -> pub -> familyID in the TPM_FAMILY_TABLE and set familyRow to |
| indicate row, return TPM_BADINDEX if not found |
| |
| 3537 |
| |
| d. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow] |
| |
| 3538 |
| |
| e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD |
| |
| 3539 |
| |
| f. Verify that B1->verificationCount equals FR -> verificationCount. |
| |
| 3540 |
| |
| g. Validate the integrity of the blob |
| |
| TPM_DELEGATE_OWNER_BLOB, |
| |
| 3541 |
| |
| i. |
| |
| 3542 |
| |
| ii. Set B1 -> integrityDigest to all zeros |
| |
| 3543 |
| |
| iii. Create H3 the HMAC of B1 using tpmProof as the secret |
| |
| 3544 |
| |
| return |
| |
| iv. Compare H2 to H3 return TPM_AUTHFAIL on mismatch |
| |
| Copy B1 -> integrityDigest to H2 |
| |
| 3545 |
| 3546 |
| |
| h. Create S1 a TPM_DELEGATE_SENSITIVE by decrypting B1 -> sensitiveArea using |
| TPM_DELEGATE_KEY |
| |
| 3547 |
| |
| i. |
| |
| Validate S1 values |
| |
| 3548 |
| |
| i. |
| |
| 3549 |
| |
| ii. Return TPM_BAD_DELEGATE on error |
| |
| 3550 |
| |
| j. |
| |
| S1 -> tag is TPM_TAG_DELEGATE_SENSITIVE |
| |
| Set A1 to S1 -> authValue |
| |
| 35512. Else if entityType == TPM_ET_DEL_ROW |
| 3552 |
| |
| a. Verify that entityValue points to a valid row in the delegation table. |
| |
| 3553 |
| |
| b. Set D1 to the delegation information in the row. |
| |
| 3554 |
| |
| c. Set A1 to D1->authValue. |
| |
| 3555 |
| 3556 |
| |
| d. Locate D1 -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate that |
| row, return TPM_BADINDEX if not found |
| |
| 3557 |
| |
| e. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow] |
| |
| 3558 |
| |
| f. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD |
| |
| 3559 |
| |
| g. Verify that D1->verificationCount equals FR -> verificationCount. |
| |
| 35603. Else if entityType == TPM_ET_DEL_KEY_BLOB |
| 3561 |
| |
| a. Map entityValue to K1 a TPM_DELEGATE_KEY_BLOB |
| |
| 3562 |
| 3563 |
| |
| b. Validate |
| that |
| K1 |
| is |
| a |
| TPM_WRONG_ENTITYTYPE on error |
| |
| 3564 |
| 3565 |
| |
| c. Locate K1 -> pub -> familyID in the TPM_FAMILY_TABLE and set familyRow to |
| indicate that row, return TPM_BADINDEX if not found |
| |
| 885 |
| 886 |
| |
| valid |
| |
| 186 |
| |
| TPM_DELEGATE_KEY_BLOB, |
| |
| return |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 887TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 888Specification Version 1.2 |
| |
| 3566 |
| |
| d. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow] |
| |
| 3567 |
| |
| e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD |
| |
| 3568 |
| |
| f. Verify that K1 -> pub -> verificationCount equals FR -> verificationCount. |
| |
| 3569 |
| |
| g. Validate the integrity of the blob |
| |
| 3570 |
| |
| i. |
| |
| 3571 |
| |
| ii. Set K1 -> integrityDigest to all zeros |
| |
| 3572 |
| |
| iii. Create H3 the HMAC of K1 using tpmProof as the secret |
| |
| 3573 |
| |
| iv. Compare H2 to H3 return TPM_AUTHFAIL on mismatch |
| |
| Copy K1 -> integrityDigest to H2 |
| |
| 3574 |
| 3575 |
| |
| h. Validate that K1 -> pubKeyDigest identifies keyHandle, return TPM_KEYNOTFOUND |
| on error |
| |
| 3576 |
| 3577 |
| |
| i. Create S1 a TPM_DELEGATE_SENSITIVE by decrypting K1 -> sensitiveArea using |
| TPM_DELEGATE_KEY |
| |
| 3578 |
| |
| j. |
| |
| Validate S1 values |
| |
| 3579 |
| |
| i. |
| |
| 3580 |
| |
| ii. Return TPM_BAD_DELEGATE on error |
| |
| 3581 |
| |
| S1 -> tag is TPM_TAG_DELEGATE_SENSITIVE |
| |
| k. Set A1 to S1 -> authValue |
| |
| 35824. Else return TPM_BAD_PARAMETER |
| 35835. Generate a new authorization session handle and reserve space to save protocol |
| 3584 |
| identification, shared secret, pcrInfo, both nonces, ADIP encryption scheme, delegated |
| 3585 |
| permission bits and any other information the TPM needs to manage the session. |
| 35866. Read two new values from the RNG to generate nonceEven and nonceEvenOSAP. |
| 35877. |
| 3588 |
| 3589 |
| 3590 |
| |
| The TPM calculates the shared secret using an HMAC calculation. The key for the HMAC |
| calculation is A1. The input to the HMAC calculation is the concatenation of nonces |
| nonceEvenOSAP and nonceOddOSAP. The output of the HMAC calculation is the shared |
| secret which is saved in the authorization area associated with authHandle. |
| |
| 889Level 2 Revision 116 28 February 2011 |
| 890 |
| |
| 187 |
| TCG Published |
| |
| 891Copyright © TCG |
| 892 |
| 893 |
| |
| 359118.4 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_SetOwnerPointer |
| |
| 3592Start of informative comment: |
| 3593This command will set a reference to which secret the TPM will use when executing an |
| 3594owner secret related OIAP or OSAP session. |
| 3595This command should only be used to provide an owner delegation function for legacy code |
| 3596that does not itself support delegation. Normally, TPM_STCLEAR_DATA->ownerReference |
| 3597points to TPM_KH_OWNER, indicating that OIAP and OSAP sessions should use the owner |
| 3598authorization. This command allows ownerReference to point to an index in the delegation |
| 3599table, indicating that OIAP and OSAP sessions should use the delegation authorization. |
| 3600In use, a TSS supporting delegation would create and load the owner delegation and set the |
| 3601owner pointer to that delegation. From then on, a legacy TSS application would use its OIAP |
| 3602and OSAP sessions with the delegated owner authorization. |
| 3603Since this command is not authorized, the ownerReference is open to DoS attacks. |
| 3604Applications can attempt to recover from a failing owner authorization by resetting |
| 3605ownerReference to an appropriate value. |
| 3606This command intentionally does not clear OSAP sessions. A TPM 1.1 application gets the |
| 3607benefit of owner delegation, while the original owner can use a pre-existing OSAP session |
| 3608with the actual owner authorization. |
| 3609End of informative comment. |
| 3610Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal: TPM_ORD_SetOwnerPointer |
| |
| 4 |
| |
| 2 |
| |
| 2S |
| |
| 2 |
| |
| TPM_ENTITY_TYPE |
| |
| entityType |
| |
| The type of entity in use |
| |
| 5 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| entityValue |
| |
| The selection value based on entityType |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 3611Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal: TPM_ORD_SetOwnerPointer |
| |
| 3612Actions |
| 36131. Map TPM_STCLEAR_DATA to V1 |
| 36142. If entityType = TPM_ET_DEL_ROW |
| 894 |
| 895 |
| |
| 188 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 896TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 897Specification Version 1.2 |
| |
| 3615 |
| 3616 |
| |
| a. This value indicates that the entity is a delegate row. entityValue is a delegate index |
| in the delegation table. |
| |
| 3617 |
| 3618 |
| |
| b. Validate that entityValue points to a legal row within the delegate table stored within |
| the TPM. If not return TPM_BADINDEX |
| |
| 3619 |
| |
| i. |
| |
| Set D1 to the delegation information in the row. |
| |
| 3620 |
| 3621 |
| |
| c. Locate D1 -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate that |
| row, return TPM_BADINDEX if not found. |
| |
| 3622 |
| |
| d. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow] |
| |
| 3623 |
| |
| e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD |
| |
| 3624 |
| |
| f. Verify that B1->verificationCount equals FR -> verificationCount. |
| |
| 3625 |
| |
| g. The TPM sets V1-> ownerReference to entityValue |
| |
| 3626 |
| |
| h. Return TPM_SUCCESS |
| |
| 36273. else if entityType = TPM_ET_OWNER |
| 3628 |
| |
| a. This value indicates that the entity is the TPM owner. entityValue is ignored. |
| |
| 3629 |
| |
| b. The TPM sets V1-> ownerReference to TPM_KH_OWNER |
| |
| 3630 |
| |
| c. Return TPM_SUCCESS |
| |
| 36314. Return TPM_BAD_PARAMETER |
| |
| 898Level 2 Revision 116 28 February 2011 |
| 899 |
| |
| 189 |
| TCG Published |
| |
| 900Copyright © TCG |
| 901 |
| 902 |
| |
| 363219. |
| 363319.1 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Delegation Commands |
| TPM_Delegate_Manage |
| |
| 3634Start of informative comment: |
| 3635TPM_Delegate_Manage is the fundamental process for managing the Family tables, |
| 3636including |
| enabling/disabling |
| Delegation |
| for |
| a |
| selected |
| Family. |
| Normally |
| 3637TPM_Delegate_Manage must be executed at least once (to create Family tables for a |
| 3638particular family) before any other type of Delegation command in that family can succeed. |
| 3639TPM_Delegate_Manage is authorized by the TPM Owner if an Owner is installed, because |
| 3640changing a table is a privileged Owner operation. If no Owner is installed, |
| 3641TPM_Delegate_Manage requires no privilege to execute. This does not disenfranchise an |
| 3642Owner, since there is no Owner, and simplifies loading of tables during platform |
| 3643manufacture or on first-boot. Burn-out of TPM non-volatile storage by inappropriate use is |
| 3644mitigated by the TPM’s normal limits on NV-writes in the absence of an Owner. Tables can |
| 3645be locked after loading, to prevent subsequent tampering, and only unlocked by the Owner, |
| 3646his delegate, or the act of removing the Owner (even if there is no Owner). |
| 3647TPM_Delegate_Manage command is customized by opCode: |
| 3648(1) TPM_FAMILY_ENABLE enables/disables use of a family and all the rows of the delegate |
| 3649table belonging to that family, |
| 3650(2) TPM_FAMILY_ADMIN can be used to prevent further management of the Tables until an |
| 3651Owner is installed, or until the Owner is removed from the TPM. (Note that the Physical |
| 3652Presence command TPM_ForceClear always enables further management, even if |
| 3653TPM_ForceClear is used when no Owner is installed.) |
| 3654 (3) TPM_FAMILY_CREATE creates a new family. Sessions are invalidated even in this case |
| 3655because the lastFamilyID could wrap. |
| 3656(4) TPM_FAMILY_INVALIDATE invalidates an existing family. The TPM_SELFTEST_FAILED |
| 3657error code is returned because the familyRow has already been validated earlier. Failure |
| 3658here indicates a malfunction of the TPM. |
| 3659The rationale for Action 19.1 is that invalidating the family ID prevents the use of |
| 3660associated delegate rows, whether or not those delegate rows are themselves invalidated. |
| 3661Omitting the delegate row invalidation avoids an NV write. |
| 3662End of informative comment. |
| |
| 903 |
| 904 |
| |
| 190 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 905TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 906Specification Version 1.2 |
| |
| 3663Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Delegate_Manage |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_FAMILY_ID |
| |
| familyID |
| |
| The familyID that is to be managed |
| |
| 5 |
| |
| 4 |
| |
| 3s |
| |
| 4 |
| |
| TPM_FAMILY_OPERATION |
| |
| opCode |
| |
| Operation to be performed by this command. |
| |
| 6 |
| |
| 4 |
| |
| 4s |
| |
| 4 |
| |
| UINT32 |
| |
| opDataSize |
| |
| Size in bytes of opData |
| |
| 7 |
| |
| <> |
| |
| 5s |
| |
| <> |
| |
| BYTE [ ] |
| |
| opData |
| |
| Data necessary to implement opCode |
| |
| 8 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 9 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 10 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 11 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| HMAC key: ownerAuth. |
| |
| 3664Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Delegate_Manage |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| retDataSize |
| |
| Size in bytes of retData |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE [ ] |
| |
| retData |
| |
| Returned data |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| HMAC key: ownerAuth. |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 3665Action |
| 36661. If opCode != TPM_FAMILY_CREATE |
| 3667 |
| 3668 |
| |
| a. Locate familyID in the TPM_FAMILY_TABLE and set familyRow to indicate row, |
| return TPM_BADINDEX if not found |
| |
| 3669 |
| 3670 |
| |
| b. Set FR, a TPM_FAMILY_TABLE_ENTRY, to TPM_FAMILY_TABLE. famTableRow |
| [familyRow] |
| |
| 36712. If tag = TPM_TAG_RQU_AUTH1_COMMAND |
| 3672 |
| 3673 |
| |
| a. Validate the command and parameters using ownerAuth, return TPM_AUTHFAIL on |
| error |
| |
| 907Level 2 Revision 116 28 February 2011 |
| 908 |
| |
| 191 |
| TCG Published |
| |
| 909Copyright © TCG |
| 910 |
| 911 |
| |
| 3674 |
| 3675 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| b. If the command is delegated (authHandle session type is TPM_PID_DSAP or through |
| ownerReference delegation) |
| |
| 3676 |
| |
| i. |
| |
| 3677 |
| |
| If opCode = TPM_FAMILY_CREATE |
| (1) |
| |
| 3678 |
| |
| The TPM MUST ignore familyID |
| |
| ii. Else |
| |
| 3679 |
| 3680 |
| |
| (1) |
| Verify that the familyID associated with authHandle matches the |
| familyID parameter, return TPM_DELEGATE_FAMILY on error |
| |
| 36813. Else |
| 3682 |
| |
| a. If TPM_PERMANENT_DATA -> ownerAuth is valid, return TPM_AUTHFAIL |
| |
| 3683 |
| 3684 |
| |
| b. If |
| opCode |
| != |
| TPM_FAMILY_CREATE |
| and |
| FR |
| -> |
| TPM_DELEGATE_ADMIN_LOCK is TRUE, return TPM_DELEGATE_LOCK |
| |
| 3685 |
| |
| c. Validate max NV writes without an owner |
| |
| flags |
| |
| 3686 |
| |
| i. |
| |
| 3687 |
| |
| ii. Increment NV1 by 1 |
| |
| 3688 |
| |
| iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES |
| |
| 3689 |
| |
| -> |
| |
| iv. Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV1 |
| |
| Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite |
| |
| 36904. The TPM invalidates sessions |
| 3691 |
| |
| a. MUST invalidate all DSAP sessions |
| |
| 3692 |
| |
| b. MUST invalidate all OSAP sessions associated with the delegation table |
| |
| 3693 |
| |
| c. MUST set TPM_STCLEAR_DATA -> ownerReference to TPM_KH_OWNER |
| |
| 3694 |
| |
| d. MAY invalidate any other session |
| |
| 36955. If opCode == TPM_FAMILY_CREATE |
| 3696 |
| 3697 |
| |
| a. Validate that sufficient space exists within the TPM to store an additional family and |
| map F2 to the newly allocated space. |
| |
| 3698 |
| |
| b. Validate that opData is a TPM_FAMILY_LABEL |
| |
| 3699 |
| 3700 |
| |
| i. |
| |
| If opDataSize != sizeof(TPM_FAMILY_LABEL) return TPM_BAD_PARAM_SIZE |
| |
| c. Map F2 to a TPM_FAMILY_TABLE_ENTRY |
| |
| 3701 |
| |
| i. |
| |
| 3702 |
| |
| ii. Set F2 -> familyLabel to opData |
| |
| Set F2 -> tag to TPM_TAG_FAMILY_TABLE_ENTRY |
| |
| 3703 |
| |
| d. Increment TPM_PERMANENT_DATA -> lastFamilyID by 1 |
| |
| 3704 |
| |
| e. Set F2 -> familyID = TPM_PERMANENT_DATA -> lastFamilyID |
| |
| 3705 |
| |
| f. Set F2 -> verificationCount = 1 |
| |
| 3706 |
| |
| g. Set F2 -> flags -> TPM_FAMFLAG_ENABLED to FALSE |
| |
| 3707 |
| |
| h. Set F2 -> flags -> TPM_DELEGATE_ADMIN_LOCK to FALSE |
| |
| 3708 |
| |
| i. |
| |
| 912 |
| 913 |
| |
| Set retDataSize = 4 |
| |
| 192 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 914TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 915Specification Version 1.2 |
| |
| 3709 |
| |
| j. |
| |
| 3710 |
| |
| k. Return TPM_SUCCESS |
| |
| Set retData = F2 -> familyID |
| |
| 37116. If authHandle is of type DSAP then continueAuthSession MUST set to FALSE |
| 37127. If opCode == TPM_FAMILY_ADMIN |
| 3713 |
| |
| a. Validate that opDataSize == 1, and that opData is a Boolean value. |
| |
| 3714 |
| |
| b. Set (FR -> flags -> TPM_DELEGATE_ADMIN_LOCK) = opData |
| |
| 3715 |
| |
| c. Set retDataSize = 0 |
| |
| 3716 |
| |
| d. Return TPM_SUCCESS |
| |
| 37178. else If opCode == TPM_FAMILY_ENABLE |
| 3718 |
| |
| a. Validate that opDataSize == 1, and that opData is a Boolean value. |
| |
| 3719 |
| |
| b. Set FR -> flags-> TPM_FAMFLAG_ENABLED = opData |
| |
| 3720 |
| |
| c. Set retDataSize = 0 |
| |
| 3721 |
| |
| d. Return TPM_SUCCESS |
| |
| 37229. else If opCode == TPM_FAMILY_INVALIDATE |
| 3723 |
| |
| a. Invalidate all data associated with familyRow |
| |
| 3724 |
| |
| i. |
| |
| 3725 |
| |
| ii. return TPM_SELFTEST_FAILED on failure |
| |
| 3726 |
| |
| b. The TPM MAY invalidate delegate rows that contain the same familyID. |
| |
| All data is all information pointed to by FR |
| |
| 3727 |
| |
| c. Set retDataSize = 0 |
| |
| 3728 |
| |
| d. Return TPM_SUCCESS |
| |
| 372910.Else return TPM_BAD_PARAMETER |
| |
| 916Level 2 Revision 116 28 February 2011 |
| 917 |
| |
| 193 |
| TCG Published |
| |
| 918Copyright © TCG |
| 919 |
| 920 |
| |
| 373019.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_Delegate_CreateKeyDelegation |
| |
| 3731Start of informative comment: |
| 3732This command delegates privilege to use a key by creating a blob that can be used by |
| 3733TPM_DSAP. |
| 3734There is no check for appropriateness of the key’s key usage against the key permission |
| 3735settings. If the key usage is incorrect, this command succeeds, but the delegated command |
| 3736will fail. |
| 3737These blobs CANNOT be used as input data for TPM_LoadOwnerDelegation because the |
| 3738internal TPM delegate table can store owner delegations only. |
| 3739(TPM_Delegate_CreateOwnerDelegation must be used to delegate Owner privilege.) |
| 3740The publicInfo -> familyID can specify a disabled family row. The family row is checked |
| 3741when the key delegation is used in a DSAP session, not when it is created. |
| 3742End of informative comment. |
| 3743Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Delegate_CreateKeyDelegation. |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| The keyHandle identifier of a loaded key. |
| |
| <> |
| |
| TPM_DELEGATE_PUBLIC |
| |
| publicInfo |
| |
| The public information necessary to fill in the blob |
| |
| 3S |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| delAuth |
| |
| The encrypted new AuthData for the blob. The encryption key is the |
| shared secret from the authorization session protocol. |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle authorization |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| # |
| |
| SZ |
| |
| # |
| |
| 1 |
| 2 |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| 5 |
| |
| <> |
| |
| 2S |
| |
| 6 |
| |
| 20 |
| |
| 7 |
| |
| 4 |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Ignored |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| privAuth |
| |
| The authorization session digest that authorizes the use of keyHandle. |
| HMAC key: key.usageAuth |
| |
| 3744 |
| |
| 921 |
| 922 |
| |
| 194 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 923TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 924Specification Version 1.2 |
| |
| 3745Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Delegate_CreateKeyDelegation |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| blobSize |
| |
| The length of the returned blob |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| TPM_DELEGATE_KEY_BLOB |
| |
| blob |
| |
| The partially encrypted delegation information. |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag. Fixed value of FALSE |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| key.usageAuth |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 3746Description |
| 37471. The use restrictions that may be present on the key pointed to by keyHandle are not |
| 3748 |
| enforced for this command. Stated another way, TPM_CreateKeyDelegation is not a use |
| 3749 |
| of the key. |
| 3750Action |
| 37511. Verify AuthData for the command and parameters using privAuth |
| 37522. Locate publicInfo -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate |
| 3753 |
| row, return TPM_BADINDEX if not found |
| 37543. If the key authentication is in fact a delegation, then the TPM SHALL validate the |
| 3755 |
| command and parameters using Delegation authorisation, then |
| 3756 |
| 3757 |
| |
| a. Validate that authHandle -> familyID equals publicInfo -> familyID return |
| TPM_DELEGATE_FAMILY on error |
| |
| 3758 |
| 3759 |
| |
| b. If TPM_FAMILY_TABLE.famTableRow[ authHandle -> familyID] -> |
| TPM_FAMFLAG_ENABLED is FALSE, return error TPM_DISABLED_CMD. |
| |
| 3760 |
| 3761 |
| |
| c. Verify that the delegation bits in publicInfo do not grant more permissions then |
| currently delegated. Otherwise return error TPM_AUTHFAIL |
| |
| flags |
| |
| -> |
| |
| 37624. Check that publicInfo -> delegateType is TPM_DEL_KEY_BITS |
| 37635. Verify that authHandle indicates |
| 3764 |
| TPM_INVALID_AUTHHANDLE on error |
| |
| an |
| |
| OSAP |
| |
| or |
| |
| DSAP |
| |
| session |
| |
| return |
| |
| 37656. Create a1 by decrypting delAuth according to the ADIP indicated by authHandle. |
| 37667. Create h1 the SHA-1 of TPM_STORE_PUBKEY structure of the key pointed to by |
| 3767 |
| keyHandle |
| 37688. Create M1 a TPM_DELEGATE_SENSITIVE structure |
| 3769 |
| |
| a. Set M1 -> tag to TPM_TAG_DELEGATE_SENSITIVE |
| |
| 925Level 2 Revision 116 28 February 2011 |
| 926 |
| |
| 195 |
| TCG Published |
| |
| 927Copyright © TCG |
| 928 |
| 929 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 3770 |
| |
| b. Set M1 -> authValue to a1 |
| |
| 3771 |
| 3772 |
| |
| c. The TPM MAY add additional information of a sensitive nature relative to the |
| delegation |
| |
| 37739. Create M2 the encryption of M1 using TPM_DELEGATE_KEY |
| 377410.Create P1 a TPM_DELEGATE_KEY_BLOB |
| 3775 |
| |
| a. Set P1 -> tag to TPM_TAG_DELG_KEY_BLOB |
| |
| 3776 |
| |
| b. Set P1 -> pubKeyDigest to H1 |
| |
| 3777 |
| |
| c. Set P1 -> pub to PublicInfo |
| |
| 3778 |
| |
| d. Set P1 -> pub -> verificationCount to familyRow -> verificationCount |
| |
| 3779 |
| |
| e. Set P1 -> integrityDigest to all zeros |
| |
| 3780 |
| 3781 |
| 3782 |
| |
| f. The TPM sets additionalArea and additionalAreaSize appropriate for this TPM. The |
| information MAY include symmetric IV, symmetric mode of encryption and other data |
| that allows the TPM to process the blob in the future. |
| |
| 3783 |
| |
| g. Set P1 -> sensitiveSize to the size of M2 |
| |
| 3784 |
| |
| h. Set P1 -> sensitiveArea to M2 |
| |
| 378511.Calculate H2 the HMAC of P1 using tpmProof as the secret |
| 378612.Set P1 -> integrityDigest to H2 |
| 378713.Ignore continueAuthSession on input set continueAuthSession to FALSE on output |
| 378814.Return P1 as blob |
| |
| 930 |
| 931 |
| |
| 196 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 932TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 933Specification Version 1.2 |
| |
| 378919.3 |
| |
| TPM_Delegate_CreateOwnerDelegation |
| |
| 3790Start of informative comment: |
| 3791TPM_Delegate_CreateOwnerDelegation delegates the Owner’s privilege to use a set of |
| 3792command ordinals, by creating a blob. Such blobs can be used as input data for TPM_DSAP |
| 3793or TPM_Delegate_LoadOwnerDelegation. |
| 3794TPM_Delegate_CreateOwnerDelegation includes the ability to void all existing delegations |
| 3795(by incrementing the verification count) before creating the new delegation. This ensures |
| 3796that the new delegation will be the only delegation that can operate at Owner privilege in |
| 3797this family. This new delegation could be used to enable a security monitor (a local separate |
| 3798entity, or remote separate entity, or local host entity) to reinitialize a family and perhaps |
| 3799perform external verification of delegation settings. Normally the ordinals for a delegated |
| 3800security monitor would include TPM_Delegate_CreateOwnerDelegation (this command) in |
| 3801order |
| to |
| permit |
| the |
| monitor |
| to |
| create |
| further |
| delegations, |
| and |
| 3802TPM_Delegate_UpdateVerification to reactivate some previously voided delegations. |
| 3803If the verification count is incremented and the new delegation does not delegate any |
| 3804privileges (to any ordinals) at all, or uses an authorisation value that is then discarded, this |
| 3805family’s delegations are all void and delegation must be managed using actual Owner |
| 3806authorisation. |
| 3807(TPM_Delegate_CreateKeyDelegation must be used to delegate privilege to use a key.) |
| 3808End of informative comment. |
| 3809Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Delegate_CreateOwnerDelegation. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 1 |
| |
| 2S |
| |
| 1 |
| |
| BOOL |
| |
| increment |
| |
| Flag dictates whether verificationCount will be incremented |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_DELEGATE_PUBLIC |
| |
| publicInfo |
| |
| The public parameters for the blob |
| |
| 6 |
| |
| 20 |
| |
| 4S |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| delAuth |
| |
| The encrypted new AuthData for the blob. The encryption key is the |
| shared secret from the OSAP protocol. |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle TPM Owner authentication |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Ignored |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest. HMAC key:ownerAuth |
| |
| 8 |
| |
| 934Level 2 Revision 116 28 February 2011 |
| 935 |
| |
| 197 |
| TCG Published |
| |
| 936Copyright © TCG |
| 937 |
| 938 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 3810Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Delegate_CreateOwnerDelegation. |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| blobSize |
| |
| The length of the returned blob |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| TPM_DELEGATE_OWNER_BLOB |
| |
| blob |
| |
| The partially encrypted delegation information. |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag. Fixed value of FALSE |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 3811Action |
| 38121. The TPM SHALL authenticate the command using TPM Owner authentication. Return |
| 3813 |
| TPM_AUTHFAIL on failure. |
| 38142. Locate publicInfo -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate |
| 3815 |
| the row return TPM_BADINDEX if not found |
| 3816 |
| |
| a. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow] |
| |
| 38173. If the TPM Owner authentication is in fact a delegation |
| 3818 |
| 3819 |
| |
| a. Validate that authHandle -> familyID equals publicInfo -> familyID return |
| TPM_DELEGATE_FAMILY on error |
| |
| 3820 |
| 3821 |
| |
| b. If FR -> flags |
| TPM_DISABLED_CMD. |
| |
| 3822 |
| 3823 |
| |
| c. Verify that the delegation bits in publicInfo do not grant more permissions then |
| currently delegated. Otherwise, return error TPM_AUTHFAIL. |
| |
| -> |
| |
| TPM_FAMFLAG_ENABLED |
| |
| is |
| |
| FALSE, |
| |
| return |
| |
| error |
| |
| 38244. Check that publicInfo -> delegateType is TPM_DEL_OWNER_BITS |
| 38255. Verify that authHandle indicates |
| 3826 |
| TPM_INVALID_AUTHHANDLE on error |
| |
| an |
| |
| OSAP |
| |
| or |
| |
| DSAP |
| |
| session |
| |
| return |
| |
| 38276. If increment == TRUE |
| 3828 |
| |
| a. Increment FR -> verificationCount |
| |
| 3829 |
| |
| b. Set TPM_STCLEAR_DATA-> ownerReference to TPM_KH_OWNER |
| |
| 3830 |
| |
| c. The TPM invalidates sessions |
| |
| 3831 |
| |
| i. |
| |
| 3832 |
| |
| ii. MUST invalidate all OSAP sessions associated with the delegation table |
| |
| 3833 |
| |
| iii. MAY invalidate any other session |
| |
| 939 |
| 940 |
| |
| MUST invalidate all DSAP sessions |
| |
| 198 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 941TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 942Specification Version 1.2 |
| |
| 38347. Create a1 by decrypting delAuth according to the ADIP indicated by authHandle. |
| 38358. Create M1 a TPM_DELEGATE_SENSITIVE structure |
| 3836 |
| |
| a. Set M1 -> tag to TPM_TAG_DELEGATE_SENSITIVE |
| |
| 3837 |
| |
| b. Set M1 -> authValue to a1 |
| |
| 3838 |
| |
| c. Set other M1 fields as determined by the TPM vendor |
| |
| 38399. Create M2 the encryption of M1 using TPM_DELEGATE_KEY |
| 384010.Create B1 a TPM_DELEGATE_OWNER_BLOB |
| 3841 |
| |
| a. Set B1 -> tag to TPM_TAG_DELG_OWNER_BLOB |
| |
| 3842 |
| |
| b. Set B1 -> pub to publicInfo |
| |
| 3843 |
| |
| c. Set B1 -> sensitiveSize to the size of M2 |
| |
| 3844 |
| |
| d. Set B1 -> sensitiveArea to M2 |
| |
| 3845 |
| |
| e. Set B1 -> integrityDigest to all zeros |
| |
| 3846 |
| |
| f. Set B1 -> pub -> verificationCount to FR -> verificationCount |
| |
| 384711.The TPM sets additionalArea and additionalAreaSize appropriate for this TPM. The |
| 3848 |
| information MAY include symmetric IV, symmetric mode of encryption and other data |
| 3849 |
| that allows the TPM to process the blob in the future. |
| 385012.Create H1 the HMAC of B1 using tpmProof as the secret |
| 385113.Set B1 -> integrityDigest to H1 |
| 385214.Ignore continueAuthSession on input set continueAuthSession to FALSE on output |
| 385315.Return B1 as blob |
| |
| 943Level 2 Revision 116 28 February 2011 |
| 944 |
| |
| 199 |
| TCG Published |
| |
| 945Copyright © TCG |
| 946 |
| 947 |
| |
| 385419.4 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_Delegate_LoadOwnerDelegation |
| |
| 3855Start of informative comment: |
| 3856This command loads a delegate table row blob into a non-volatile delegate table row. |
| 3857TPM_Delegate_LoadOwnerDelegation can be used during manufacturing or on first boot |
| 3858(when no Owner is installed), or after an Owner is installed. If an Owner is installed, |
| 3859TPM_Delegate_LoadOwnerDelegation requires Owner authorisation, and sensitive |
| 3860information must be encrypted. |
| 3861Burn-out of TPM non-volatile storage by inappropriate use is mitigated by the TPM’s normal |
| 3862limits on NV-writes in the absence of an Owner. Tables can be locked after loading using |
| 3863TPM_Delegate_Manage, to prevent subsequent tampering. |
| 3864A management system outside the TPM is expected to manage the delegate table rows |
| 3865stored on the TPM, and can overwrite any previously stored data. There is no way to |
| 3866explicitly delete a delegation entry. A new entry can overwrite an invalid entry. |
| 3867This command cannot be used to load key delegation blobs into the TPM |
| 3868End of informative comment. |
| 3869Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes incl. paramSize and tag |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal: TPM_ORD_Delegate_LoadOwnerDelegation |
| |
| 4 |
| |
| TPM_DELEGATE_INDEX |
| |
| index |
| |
| The index of the delegate row to be written |
| |
| 5 |
| |
| 4 |
| |
| UINT32 |
| |
| blobSize |
| |
| The size of the delegate blob |
| |
| 6 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| TPM_DELEGATE_OWNER_BLOB |
| |
| blob |
| |
| Delegation information, including encrypted portions as appropriate |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle TPM Owner authentication |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest. HMAC key:ownerAuth |
| |
| 952Level 2 Revision 116 28 February 2011 |
| 953 |
| |
| 201 |
| TCG Published |
| |
| 954Copyright © TCG |
| 955 |
| 956 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 3870Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Delegate_LoadOwnerDelegation |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 5 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization HMAC key: ownerAuth. |
| |
| 20 |
| |
| 3871Actions |
| 38721. Map blob to D1 a TPM_DELEGATE_OWNER_BLOB. |
| 3873 |
| |
| a. Validate that D1 -> tag == TPM_TAG_DELEGATE_OWNER_BLOB |
| |
| 38742. Locate D1 -> pub -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate |
| 3875 |
| row, return TPM_BADINDEX if not found |
| 38763. Set FR to TPM_FAMILY_TABLE -> famTableRow[familyRow] |
| 38774. If TPM Owner is installed |
| 3878 |
| 3879 |
| |
| a. Validate the command and parameters using TPM Owner authentication, return |
| TPM_AUTHFAIL on error |
| |
| 3880 |
| 3881 |
| 3882 |
| |
| b. If the command is delegated (authHandle session type is TPM_PID_DSAP or through |
| ownerReference delegation), verify that D1 -> pub -> familyID matches authHandle -> |
| familyID, on error return TPM_DELEGATE_FAMILY |
| |
| 38835. Else |
| 3884 |
| |
| a. If tag is not TPM_TAG_RQU_COMMAND, return TPM_AUTHFAIL |
| |
| 3885 |
| 3886 |
| |
| b. If |
| FR |
| -> |
| flags |
| TPM_DELEGATE_LOCK |
| |
| 3887 |
| |
| c. Validate max NV writes without an owner |
| |
| -> |
| |
| TPM_DELEGATE_ADMIN_LOCK |
| |
| is |
| |
| TRUE |
| |
| 3888 |
| |
| i. |
| |
| 3889 |
| |
| ii. Increment NV1 by 1 |
| |
| 3890 |
| |
| iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES |
| |
| 3891 |
| |
| return |
| |
| iv. Set PD -> noOwnerNVWrite to NV1 |
| |
| Set NV1 to PD -> noOwnerNVWrite |
| |
| 38926. If FR -> flags -> TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD |
| 38937. If TPM Owner is installed, validate the integrity of the blob |
| 3894 |
| |
| a. Copy D1 -> integrityDigest to H2 |
| |
| 3895 |
| |
| b. Set D1 -> integrityDigest to all zeros |
| |
| 957 |
| 958 |
| |
| 202 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 959TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 960Specification Version 1.2 |
| |
| 3896 |
| |
| c. Create H3 the HMAC of D1 using tpmProof as the secret |
| |
| 3897 |
| |
| d. Compare H2 to H3, return TPM_AUTHFAIL on mismatch |
| |
| 38988. If TPM Owner is installed, create S1 a TPM_DELEGATE_SENSITIVE area by decrypting |
| 3899 |
| D1 -> sensitiveArea using TPM_DELEGATE_KEY. Otherwise set S1 = D1 -> sensitiveArea |
| 39009. Validate S1 |
| 3901 |
| 3902 |
| |
| a. Validate |
| that |
| S1 |
| -> |
| tag |
| == |
| TPM_INVALID_STRUCTURE on error |
| |
| TPM_TAG_DELEGATE_SENSITIVE, |
| |
| return |
| |
| 390310.Validate that index is a valid value for delegateTable, return TPM_BADINDEX on error |
| 390411.The TPM invalidates sessions |
| 3905 |
| |
| a. MUST invalidate all DSAP sessions |
| |
| 3906 |
| |
| b. MUST invalidate all OSAP sessions associated with the delegation table |
| |
| 3907 |
| |
| c. MAY invalidate any other session |
| |
| 390812.Copy data to the delegate table row |
| 3909 |
| 3910 |
| |
| a. Copy the TPM_DELEGATE_PUBLIC from D1 -> pub to TPM_DELEGATE_TABLE -> |
| delRow[index] -> pub. |
| |
| 3911 |
| 3912 |
| |
| b. Copy the TPM_SECRET from S1 -> authValue to TPM_DELEGATE_TABLE -> |
| delRow[index] -> authValue. |
| |
| 3913 |
| |
| c. Set TPM_STCLEAR_DATA-> ownerReference to TPM_KH_OWNER |
| |
| 3914 |
| |
| d. If authHandle is of type DSAP then continueAuthSession MUST set to FALSE |
| |
| 391513.Return TPM_SUCCESS |
| |
| 961Level 2 Revision 116 28 February 2011 |
| 962 |
| |
| 203 |
| TCG Published |
| |
| 963Copyright © TCG |
| 964 |
| 965 |
| |
| 391619.5 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_Delegate_ReadTable |
| |
| 3917Start of informative comment: |
| 3918This command reads from the TPM the public contents of the family and delegate tables |
| 3919that are stored on the TPM. Such data is required during external verification of tables. |
| 3920There are no restrictions on the execution of this command; anyone can read this |
| 3921information regardless of the state of the PCRs, regardless of whether they know any |
| 3922specific AuthData value and regardless of whether or not the enable and admin bits are set |
| 3923one way or the other. |
| 3924End of informative comment. |
| 3925Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Delegate_ReadTable |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 3926Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Delegate_ReadTable |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| familyTableSize |
| |
| Size in bytes of familyTable |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE [ ] |
| |
| familyTable |
| |
| Array of TPM_FAMILY_TABLE_ENTRY elements |
| |
| 6 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| delegateTableSize |
| |
| Size in bytes of delegateTable |
| |
| 7 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[] |
| |
| delegateTable |
| |
| Array of TPM_DELEGATE_INDEX and TPM_DELEGATE_PUBLIC |
| elements |
| |
| 3927Actions |
| 39281. Set familyTableSize to the number |
| 3929 |
| sizeof(TPM_FAMILY_TABLE_ELEMENT). |
| |
| of |
| |
| valid |
| |
| families |
| |
| on |
| |
| the |
| |
| TPM |
| |
| times |
| |
| 39302. Copy the valid entries in the internal family table to the output array familyTable |
| 39313. Set delegateTableSize to the number of valid delegate table entries on the TPM times |
| 3932 |
| (sizeof(TPM_DELEGATE_PUBLIC) + 4). |
| 39334. For each valid entry |
| 3934 |
| |
| a. Write the TPM_DELEGATE_INDEX to delegateTable |
| |
| 3935 |
| |
| b. Copy the TPM_DELEGATE_PUBLIC to delegateTable |
| |
| 966 |
| 967 |
| |
| 204 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 968TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 969Specification Version 1.2 |
| |
| 39365. Return TPM_SUCCESS |
| |
| 970Level 2 Revision 116 28 February 2011 |
| 971 |
| |
| 205 |
| TCG Published |
| |
| 972Copyright © TCG |
| 973 |
| 974 |
| |
| 393719.6 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_Delegate_UpdateVerification |
| |
| 3938Start of informative comment: |
| 3939TPM_UpdateVerification sets the verificationCount in an entity (a blob or a delegation row) |
| 3940to the current family value, in order that the delegations represented by that entity will |
| 3941continue to be accepted by the TPM. |
| 3942End of informative comment. |
| 3943Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Delegate_UpdateVerification |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| inputSize |
| |
| The size of inputData |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| BYTE |
| |
| inputData |
| |
| TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB |
| or TPM_DELEGATE_INDEX |
| |
| 6 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 8 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 9 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| Authorization HMAC key: ownerAuth. |
| |
| 7 |
| |
| 975 |
| 976 |
| |
| 206 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 977TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 978Specification Version 1.2 |
| |
| 3944Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Delegate_UpdateVerification |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| outputSize |
| |
| The size of the output |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE |
| |
| outputData |
| |
| TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth. |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 3945Actions |
| 39461. Verify the TPM Owner, directly or indirectly through delegation, authorizes the command |
| 3947 |
| and parameters, on error return TPM_AUTHFAIL |
| 39482. Determine |
| the |
| type |
| of |
| inputData |
| (TPM_DELEGATE_TABLE_ROW |
| or |
| 3949 |
| TPM_DELEGATE_OWNER_BLOB or TPM_DELEGATE_KEY_BLOB) and map D1 to that |
| 3950 |
| structure |
| 3951 |
| 3952 |
| |
| a. Mapping to TPM_DELEGATE_TABLE_ROW requires taking inputData as a tableIndex |
| and locating the appropriate row in the table |
| |
| 39533. If D1 is a TPM_DELEGATE_OWNER_BLOB or TPM_DELEGATE_KEY_BLOB, validate the |
| 3954 |
| integrity of D1 |
| 3955 |
| |
| a. Copy D1 -> integrityDigest to H2 |
| |
| 3956 |
| |
| b. Set D1 -> integrityDigest to all zeros |
| |
| 3957 |
| |
| c. Create H3 the HMAC of D1 using tpmProof as the secret |
| |
| 3958 |
| |
| d. Compare H2 to H3 return TPM_AUTHFAIL on mismatch |
| |
| 39594. Locate (D1 -> pub -> familyID) in the TPM_FAMILY_TABLE and set familyRow to indicate |
| 3960 |
| row, return TPM_BADINDEX if not found |
| 39615. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow] |
| 39626. If delegated, verify that family of the delegated Owner-auth is the same as D1: |
| 3963 |
| (authHandle -> familyID) == (D1 -> pub -> familyID); otherwise return error |
| 3964 |
| TPM_DELEGATE_FAMILY |
| 39657. If delegated, verify that the family of the delegated Owner-auth is enabled: if (authHandle |
| 3966 |
| -> familyID -> flags TPM_FAMFLAG_ENABLED) is FALSE, return TPM_DISABLED_CMD |
| 39678. Set D1 -> verificationCount to FR -> verificationCount |
| |
| 979Level 2 Revision 116 28 February 2011 |
| 980 |
| |
| 207 |
| TCG Published |
| |
| 981Copyright © TCG |
| 982 |
| 983 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 39689. If D1 is a TPM_DELEGATE_OWNER_BLOB or TPM_DELEGATE_KEY_BLOB set the |
| 3969 |
| integrity of D1 |
| 3970 |
| |
| a. Set D1 -> integrityDigest to all zeros |
| |
| 3971 |
| |
| b. Create H1 the HMAC of D1 using tpmProof as the secret |
| |
| 3972 |
| |
| c. Set D1 -> integrityDigest to H1 |
| |
| 397310.If D1 is a blob recreate the blob and return it |
| |
| 984 |
| 985 |
| |
| 208 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 986TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 987Specification Version 1.2 |
| |
| 397419.7 |
| |
| TPM_Delegate_VerifyDelegation |
| |
| 3975Start of informative comment: |
| 3976TPM_VerifyDelegation interprets a delegate blob and returns success or failure, depending |
| 3977on whether the blob is currently valid. The delegate blob is NOT loaded into the TPM. |
| 3978End of informative comment. |
| 3979Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal, TPM_ORD_Delegate_VerifyDelegation |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| delegationSize |
| |
| The length of the delegated information blob |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| BYTE[ ] |
| |
| delegation |
| |
| TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 3980Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal, TPM_Delegate_VerifyDelegation |
| |
| 3981Actions |
| 39821. Determine |
| the |
| type |
| of |
| blob, |
| If |
| 3983 |
| TPM_TAG_DELGATE_OWNER_BLOB then |
| 3984 |
| |
| delegation |
| |
| -> |
| |
| tag |
| |
| is |
| |
| equal |
| |
| to |
| |
| a. Map D1 a TPM_DELEGATE_OWNER_BLOB to delegation |
| |
| 39852. Else if delegation -> tag = TPM_TAG_DELG_KEY_BLOB |
| 3986 |
| |
| a. Map D1 a TPM_DELEGATE_KEY_BLOB to delegation |
| |
| 39873. Else return TPM_BAD_PARAMETER |
| 39884. Locate D1 -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate row, |
| 3989 |
| return TPM_BADINDEX if not found |
| 39905. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow] |
| 39916. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD |
| 39927. Validate that D1 -> pub -> verificationCount matches FR -> verificationCount, on |
| 3993 |
| mismatch return TPM_FAMILYCOUNT |
| 39948. Validate the integrity of D1 |
| 3995 |
| |
| a. Copy D1 -> integrityDigest to H2 |
| |
| 988Level 2 Revision 116 28 February 2011 |
| 989 |
| |
| 209 |
| TCG Published |
| |
| 990Copyright © TCG |
| 991 |
| 992 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 3996 |
| |
| b. Set D1 -> integrityDigest to all zeros |
| |
| 3997 |
| |
| c. Create H3 the HMAC of D1 using tpmProof as the secret |
| |
| 3998 |
| |
| d. Compare H2 to H3 return TPM_AUTHFAIL on mismatch |
| |
| 39999. Create S1 a TPM_DELEGATE_SENSITIVE area by decrypting D1 -> sensitiveArea using |
| 4000 |
| TPM_DELEGATE_KEY |
| 400110.Validate S1 values |
| 4002 |
| |
| a. S1 -> tag is TPM_TAG_DELEGATE_SENSITIVE |
| |
| 4003 |
| |
| b. Return TPM_BAD_PARAMETER on error |
| |
| 400411.Return TPM_SUCCESS |
| |
| 993 |
| 994 |
| |
| 210 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 995TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 996Specification Version 1.2 |
| |
| 400520. |
| Non-volatile |
| 4006Start of informative comment: |
| |
| Storage |
| |
| 4007This section handles the allocation and use of the TPM non-volatile storage. |
| 4008End of informative comment. |
| 4009If nvIndex refers to the DIR, the TPM ignores actions containing access control checks that |
| 4010have no meaning for the DIR. The TPM only checks the owner authorization. |
| |
| 997Level 2 Revision 116 28 February 2011 |
| 998 |
| |
| 211 |
| TCG Published |
| |
| 999Copyright © TCG |
| 1000 |
| 1001 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 4011 |
| 401220.1 |
| |
| TPM_NV_DefineSpace |
| |
| 4013Start of informative comment: |
| 4014This establishes the space necessary for the indicated index. The definition will include the |
| 4015access requirements for writing and reading the area. |
| 4016 |
| 4017 |
| |
| Previously defined space at the index and new size is non-zero (and space is available, |
| etc.) –> redefine the index |
| |
| 4018 |
| 4019 |
| |
| No previous space at the index and new size is non-zero (and space is available, |
| etc.)-> define the index |
| |
| 4020 |
| |
| Previously defined space at the index and new size is 0 -> delete the index |
| |
| 4021 |
| |
| No previous space at the index and new size is 0 -> error |
| |
| 4022The space definition size does not include the area needed to manage the space. |
| 4023Setting TPM_PERMANENT_FLAGS -> nvLocked TRUE when it is already TRUE is not an |
| 4024error. |
| 4025End of informative comment. |
| 4026Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal, TPM_ORD_NV_DefineSpace |
| |
| 4 |
| |
| <> |
| |
| 2S |
| |
| <> |
| |
| TPM_NV_DATA_PUBLIC |
| |
| pubInfo |
| |
| The public parameters of the NV area |
| |
| 5 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| encAuth |
| |
| The encrypted AuthData, only valid if the attributes require subsequent |
| authorization |
| |
| 6 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for ownerAuth |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 7 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 8 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 9 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest HMAC key: ownerAuth |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 4027Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1002 |
| 1003 |
| |
| 20 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| ordinal, TPM_ORD_NV_DefineSpace |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 212 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1004TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1005Specification Version 1.2 |
| 3H1 |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, fixed to FALSE |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest HMAC key: ownerAuth |
| |
| 20 |
| |
| 4028Description |
| 4029For the case where pubInfo -> dataSize is 0, pubInfo -> pcrInfoRead and pubInfo -> |
| 4030pcrInfoWrite are not used. However, since the general principle is to validate parameters |
| 4031before changing state, the TPM SHOULD parse pubInfo completely before invalidating the |
| 4032data area. |
| 4033Actions |
| 40341. If pubInfo -> nvIndex == TPM_NV_INDEX_LOCK and tag = TPM_TAG_RQU_COMMAND |
| 4035 |
| |
| a. If pubInfo -> dataSize is not 0, the command MAY return TPM_BADINDEX. |
| |
| 4036 |
| |
| b. Set TPM_PERMANENT_FLAGS -> nvLocked to TRUE |
| |
| 4037 |
| |
| c. Return TPM_SUCCESS |
| |
| 40382. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks except |
| 4039 |
| for the Max NV writes are ignored |
| 4040 |
| 4041 |
| 4042 |
| 4043 |
| |
| a. Ignored checks include physical presence, owner authorization, 'D' bit check, |
| bGlobalLock, no authorization with a TPM owner present, bWriteSTClear, the check that |
| pubInfo -> dataSize is 0 in Action 5.c. (the no-authorization case) , disabled and |
| deactivated. |
| |
| 4044 |
| 4045 |
| 4046 |
| |
| i. The check that pubInfo -> dataSize is 0 is still enforced in Action 6.f. |
| (returning after deleting a previously defined storage area) and Action 9.f. (not |
| allowing a space of size 0 to be defined). |
| |
| 4047 |
| |
| ii. If ownerAuth is present, the TPM MAY check the authorization HMAC. |
| |
| 4048 |
| |
| b. The check for pubInfo -> nvIndex == TPM_NV_INDEX0 in Action 3. is not ignored. |
| |
| 40493. If pubInfo -> nvIndex has the D bit (bit 28) set to a 1 or pubInfo -> nvIndex == |
| 4050 |
| TPM_NV_INDEX0 then |
| 4051 |
| |
| a. Return TPM_BADINDEX |
| |
| 4052 |
| 4053 |
| |
| b. The D bit specifies an index value that is set in manufacturing and can never be |
| deleted or added to the TPM |
| |
| 4054 |
| |
| c. Index value TPM_NV_INDEX0 is reserved and cannot be defined |
| |
| 40554. If tag = TPM_TAG_RQU_AUTH1_COMMAND then |
| 4056 |
| 4057 |
| |
| a. The TPM MUST validate the command and parameters using the TPM Owner |
| authentication and ownerAuth, on error return TPM_AUTHFAIL |
| |
| 4058 |
| |
| b. authHandle session type MUST be OSAP |
| |
| 4059 |
| |
| c. Create A1 by decrypting encAuth according to the ADIP indicated by authHandle. |
| |
| 40605. else |
| 4061 |
| |
| a. Validate the assertion of physical presence. Return TPM_BAD_PRESENCE on error. |
| |
| 1006Level 2 Revision 116 28 February 2011 |
| 1007 |
| |
| 213 |
| TCG Published |
| |
| 1008Copyright © TCG |
| 1009 |
| 1010 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 4062 |
| |
| b. If TPM Owner is present then return TPM_OWNER_SET. |
| |
| 4063 |
| 4064 |
| |
| c. If pubInfo -> dataSize is 0 then return TPM_BAD_DATASIZE. Setting the size to 0 |
| represents an attempt to delete the value without TPM Owner authentication. |
| |
| 4065 |
| |
| d. Validate max NV writes without an owner |
| |
| 4066 |
| |
| i. |
| |
| 4067 |
| |
| ii. Increment NV1 by 1 |
| |
| 4068 |
| |
| iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES |
| |
| 4069 |
| |
| iv. Set NV1_INCREMENTED to TRUE |
| |
| 4070 |
| 4071 |
| |
| Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite |
| |
| e. Set A1 to encAuth. There is no nonce or authorization to create the encryption string, |
| hence the AuthData value is passed in the clear |
| |
| 40726. If pubInfo -> nvIndex points to a valid previously defined storage area then |
| 4073 |
| |
| a. Map D1 a TPM_NV_DATA_SENSITIVE to the storage area |
| |
| 4074 |
| |
| b. If D1 -> attributes specifies TPM_NV_PER_GLOBALLOCK then |
| |
| 4075 |
| 4076 |
| 4077 |
| |
| i. If TPM_STCLEAR_FLAGS |
| TPM_AREA_LOCKED |
| |
| -> |
| |
| bGlobalLock |
| |
| is |
| |
| TRUE |
| |
| then |
| |
| return |
| |
| c. If D1 -> attributes specifies TPM_NV_PER_WRITE_STCLEAR |
| |
| 4078 |
| |
| i. |
| |
| If D1 -> pubInfo -> bWriteSTClear is TRUE then return TPM_AREA_LOCKED |
| |
| 4079 |
| 4080 |
| |
| d. Invalidate the data area currently pointed to by D1 and ensure that if the area is |
| reallocated no residual information is left |
| |
| 4081 |
| |
| e. If NV1_INCREMENTED is TRUE |
| |
| 4082 |
| 4083 |
| |
| i. |
| |
| Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV1 |
| |
| f. The TPM invalidates authorization sessions |
| |
| 4084 |
| |
| i. |
| |
| 4085 |
| |
| ii. MAY invalidate any other authorization session |
| |
| 4086 |
| |
| g. If pubInfo -> dataSize is 0 then return TPM_SUCCESS |
| |
| MUST invalidate all authorization sessions associated with D1 |
| |
| 40877. Parse pubInfo -> pcrInfoRead |
| 4088 |
| |
| a. Validate pcrInfoRead structure on error return TPM_INVALID_STRUCTURE |
| |
| 4089 |
| |
| i. |
| |
| Validation includes proper PCR selections and locality selections |
| |
| 40908. Parse pubInfo -> pcrInfoWrite |
| 4091 |
| |
| a. Validate pcrInfoWrite structure on error return TPM_INVALID_STRUCTURE |
| |
| 4092 |
| 4093 |
| |
| i. |
| |
| Validation includes proper PCR selections and locality selections |
| |
| b. If pcrInfoWrite -> localityAtRelease disallows some localities |
| |
| 4094 |
| |
| i. |
| |
| 4095 |
| |
| c. Else |
| |
| 4096 |
| |
| i. |
| |
| 1011 |
| 1012 |
| |
| Set writeLocalities to TRUE |
| Set writeLocalities to FALSE |
| |
| 214 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1013TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1014Specification Version 1.2 |
| |
| 40979. Validate that the attributes are consistent |
| 4098 |
| 4099 |
| |
| a. The TPM SHALL ignore the bReadSTClear, bWriteSTClear and bWriteDefine |
| attributes during the execution of this command |
| |
| 4100 |
| 4101 |
| |
| b. If TPM_NV_PER_OWNERWRITE is TRUE and TPM_NV_PER_AUTHWRITE is TRUE |
| return TPM_AUTH_CONFLICT |
| |
| 4102 |
| 4103 |
| |
| c. If TPM_NV_PER_OWNERREAD is TRUE and TPM_NV_PER_AUTHREAD is TRUE |
| return TPM_AUTH_CONFLICT |
| |
| 4104 |
| 4105 |
| 4106 |
| |
| d. If |
| TPM_NV_PER_OWNERWRITE |
| and |
| TPM_NV_PER_AUTHWRITE |
| and |
| TPM_NV_PER_WRITEDEFINE and TPM_NV_PER_PPWRITE and writeLocalities are all |
| FALSE |
| |
| 4107 |
| 4108 |
| |
| i. |
| |
| Return TPM_PER_NOWRITE |
| |
| e. Validate pubInfo -> nvIndex |
| |
| 4109 |
| 4110 |
| 4111 |
| 4112 |
| 4113 |
| |
| i. Make sure that the index is applicable for this TPM. Return TPM_BADINDEX |
| on error. A valid index is platform and context sensitive. That is, attempting to |
| validate an index may be successful in one configuration and invalid in another |
| configuration. The individual index values MUST indicate if there are any |
| restrictions on the use of the index. |
| |
| 4114 |
| |
| ii. TPM_NV_INDEX_DIR is always an invalid defined index. |
| |
| 4115 |
| |
| f. If dataSize is 0 return TPM_BAD_PARAM_SIZE |
| |
| 411610.Create D1 a TPM_NV_DATA_SENSITIVE structure |
| 4117 |
| |
| a. Set D1 -> pubInfo to pubInfo |
| |
| 4118 |
| |
| b. Set D1 -> authValue to A1 |
| |
| 4119 |
| |
| c. Set D1 -> pubInfo -> bReadSTClear to FALSE |
| |
| 4120 |
| |
| d. Set D1 -> pubInfo -> bWriteSTClear to FALSE |
| |
| 4121 |
| |
| e. Set D1 -> pubInfo -> bWriteDefine to FALSE |
| |
| 412211.Validate that sufficient NV is available to store D1 and pubInfo -> dataSize bytes of data |
| 4123 |
| |
| a. Return TPM_NOSPACE if pubInfo -> dataSize is not available in the TPM |
| |
| 412412.If pubInfo -> nvIndex is not TPM_NV_INDEX_TRIAL |
| 4125 |
| |
| a. Reserve NV space for pubInfo -> dataSize |
| |
| 4126 |
| |
| b. Set all bytes in the newly defined area to 0xFF |
| |
| 4127 |
| |
| c. If NV1_INCREMENTED is TRUE |
| |
| 4128 |
| |
| i. |
| |
| Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV1 |
| |
| 412913.Ignore continueAuthSession on input and set to FALSE on output |
| 413014.Return TPM_SUCCESS |
| |
| 1015Level 2 Revision 116 28 February 2011 |
| 1016 |
| |
| 215 |
| TCG Published |
| |
| 1017Copyright © TCG |
| 1018 |
| 1019 |
| |
| 413120.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_NV_WriteValue |
| |
| 4132Start of informative comment: |
| 4133This command writes the value to a defined area. The write can be TPM Owner authorized |
| 4134or unauthorized and protected by other attributes and will work when no TPM Owner is |
| 4135present. |
| 4136The action setting bGlobalLock to TRUE is intentionally before the action checking the |
| 4137owner authorization. This allows code (e.g., a BIOS) to lock NVRAM without knowing the |
| 4138owner authorization. |
| 4139The DIR (TPM_NV_INDEX_DIR) has the attributes TPM_NV_PER_OWNERWRITE and |
| 4140TPM_NV_WRITEALL. |
| 4141Certain platform manufacturers or software might require specific error handling in Action |
| 414220.2. |
| 4143Owner authorization is not required when nvLocked is FALSE. If the host does send owner |
| 4144authorization, Action 20.2 indicates that it should be correct, since some TPM |
| 4145implementations may validate it. |
| 4146End of informative comment. |
| 4147Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal, TPM_ORD_NV_WriteValue |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_NV_INDEX |
| |
| nvIndex |
| |
| The index of the area to set |
| |
| 5 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| offset |
| |
| The offset into the NV Area |
| |
| 6 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| dataSize |
| |
| The size of the data parameter |
| |
| 7 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| BYTE[] |
| |
| data |
| |
| The data to set the area to |
| |
| 8 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for TPM Owner |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 9 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authNonceOdd |
| |
| Nonce generated by caller |
| |
| 10 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 11 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest HMAC key: ownerAuth |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 4148Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 1020 |
| 1021 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| ordinal, TPM_ORD_NV_WriteValue |
| |
| 216 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1022TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1023Specification Version 1.2 |
| 4 |
| |
| 20 |
| |
| 1 |
| |
| 6 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| 5 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authNonceOdd |
| |
| Nonce generated by caller |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest HMAC key: ownerAuth |
| |
| 20 |
| |
| 4149Description |
| 4150For TPM_NV_INDEX_DIR, the ordinal MUST NOT set an error code for the “if dataSize = 0” |
| 4151action. However, the flags set in this case are not applicable to the DIR. |
| 4152Actions |
| 41531. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks except |
| 4154 |
| for the max NV writes are ignored |
| 4155 |
| 4156 |
| 4157 |
| |
| a. Ignored |
| checks |
| include |
| physical |
| presence, |
| owner |
| authorization, |
| TPM_NV_PER_OWNERWRITE, PCR, bWriteDefine, bGlobalLock, bWriteSTClear, locality, |
| disabled and deactivated. |
| |
| 4158 |
| |
| b. TPM_NV_PER_AUTHWRITE is not ignored. |
| |
| 4159 |
| |
| c. If ownerAuth is present, the TPM MAY check the authorization HMAC. |
| |
| 41602. Locate and set D1 to the TPM_NV_DATA_AREA that corresponds to nvIndex, return |
| 4161 |
| TPM_BADINDEX on error |
| 4162 |
| |
| a. If nvIndex = TPM_NV_INDEX_DIR, set D1 to TPM_PERMANENT_DATA -> authDir[0] |
| |
| 41633. If TPM_PERMANENT_FLAGS -> nvLocked is TRUE |
| 4164 |
| |
| a. If D1 -> permission -> TPM_NV_PER_OWNERWRITE is TRUE |
| |
| 4165 |
| |
| i. |
| |
| 4166 |
| |
| ii. If TPM_STCLEAR_FLAGS -> deactivated is TRUE, return TPM_DEACTIVATED |
| |
| 4167 |
| |
| If TPM_PERMANENT_FLAGS -> disable is TRUE, return TPM_DISABLED |
| |
| b. If D1 -> permission -> TPM_NV_PER_OWNERWRITE is FALSE |
| |
| 4168 |
| 4169 |
| |
| i. If TPM_PERMANENT_FLAGS -> disable is TRUE, the TPM MAY return |
| TPM_DISABLED |
| |
| 4170 |
| 4171 |
| |
| ii. If TPM_STCLEAR_FLAGS -> deactivated is TRUE, the TPM MAY return |
| TPM_DEACTIVATED |
| |
| 41724. If tag = TPM_TAG_RQU_AUTH1_COMMAND then |
| 4173 |
| 4174 |
| |
| a. If D1 -> permission |
| TPM_AUTH_CONFLICT |
| |
| 4175 |
| 4176 |
| 4177 |
| |
| i. |
| |
| -> |
| |
| TPM_NV_PER_OWNERWRITE |
| |
| is |
| |
| FALSE |
| |
| return |
| |
| This check is ignored if nvIndex is TPM_NV_INDEX0. |
| |
| b. Validate command and parameters using ownerAuth HMAC with TPM Owner |
| authentication as the secret, return TPM_AUTHFAIL on error |
| |
| 41785. Else |
| 4179 |
| 4180 |
| 4181 |
| |
| a. If D1 -> permission |
| TPM_AUTH_CONFLICT |
| i. |
| |
| -> |
| |
| TPM_NV_PER_OWNERWRITE |
| |
| This check is ignored if nvIndex is TPM_NV_INDEX0. |
| |
| 1024Level 2 Revision 116 28 February 2011 |
| 1025 |
| |
| 217 |
| TCG Published |
| |
| is |
| |
| TRUE |
| |
| return |
| |
| 1026Copyright © TCG |
| 1027 |
| 1028 |
| |
| 4182 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| b. If no TPM Owner validate max NV writes without an owner |
| |
| 4183 |
| |
| i. |
| |
| 4184 |
| |
| ii. Increment NV1 by 1 |
| |
| 4185 |
| |
| iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES |
| |
| 4186 |
| |
| iv. Set NV1_INCREMENTED to TRUE |
| |
| Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite |
| |
| 41876. If nvIndex is TPM_NV_INDEX0 then |
| 4188 |
| |
| a. If dataSize is not 0, the TPM MAY return TPM_BADINDEX. |
| |
| 4189 |
| |
| b. Set TPM_STCLEAR_FLAGS -> bGlobalLock to TRUE |
| |
| 4190 |
| |
| c. Return TPM_SUCCESS |
| |
| 41917. If |
| D1 |
| -> |
| permission |
| 4192 |
| TPM_AUTH_CONFLICT |
| |
| -> |
| |
| TPM_NV_PER_AUTHWRITE |
| |
| is |
| |
| TRUE |
| |
| return |
| |
| 41938. Check that D1 -> pcrInfoWrite -> localityAtRelease for TPM_STANY_DATA -> |
| 4194 |
| localityModifier is TRUE |
| 4195 |
| 4196 |
| |
| a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo -> |
| localityAtRelease -> TPM_LOC_TWO would have to be TRUE |
| |
| 4197 |
| |
| b. On error return TPM_BAD_LOCALITY |
| |
| 41989. If D1 -> attributes specifies TPM_NV_PER_PPWRITE then validate physical presence is |
| 4199 |
| asserted if not return TPM_BAD_PRESENCE |
| 420010.If D1 -> attributes specifies TPM_NV_PER_WRITEDEFINE |
| 4201 |
| |
| a. If D1 -> bWriteDefine is TRUE return TPM_AREA_LOCKED |
| |
| 420211.If D1 -> attributes specifies TPM_NV_PER_GLOBALLOCK |
| 4203 |
| |
| a. If TPM_STCLEAR_FLAGS -> bGlobalLock is TRUE return TPM_AREA_LOCKED |
| |
| 420412.If D1 -> attributes specifies TPM_NV_PER_WRITE_STCLEAR |
| 4205 |
| |
| a. If D1 ->bWriteSTClear is TRUE return TPM_AREA_LOCKED |
| |
| 420613.If D1 -> pcrInfoWrite -> pcrSelection specifies a selection of TPM_STCLEAR_DATA -> |
| 4207 |
| PCR[] |
| 4208 |
| 4209 |
| |
| a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 -> |
| pcrInfoWrite |
| |
| 4210 |
| 4211 |
| |
| b. Compare P1 to D1 -> pcrInfoWrite -> digestAtRelease return TPM_WRONGPCRVAL |
| on mismatch |
| |
| 421214.If dataSize = 0 then |
| 4213 |
| |
| a. Set D1 -> bWriteSTClear to TRUE |
| |
| 4214 |
| |
| b. Set D1 -> bWriteDefine to TRUE |
| |
| 421515.Else |
| 4216 |
| |
| a. Set S1 to offset + dataSize |
| |
| 4217 |
| |
| b. If S1 > D1 -> dataSize return TPM_NOSPACE |
| |
| 1029 |
| 1030 |
| |
| 218 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1031TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1032Specification Version 1.2 |
| |
| 4218 |
| 4219 |
| |
| c. If D1 -> attributes specifies TPM_NV_PER_WRITEALL |
| i. |
| |
| If dataSize != D1 -> dataSize return TPM_NOT_FULLWRITE |
| |
| 4220 |
| |
| d. Write the new value into the NV storage area |
| |
| 4221 |
| |
| e. If NV1_INCREMENTED is TRUE |
| |
| 4222 |
| |
| i. |
| |
| Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV1 |
| |
| 422316.Set D1 -> bReadSTClear to FALSE |
| 422417.Return TPM_SUCCESS |
| |
| 1033Level 2 Revision 116 28 February 2011 |
| 1034 |
| |
| 219 |
| TCG Published |
| |
| 1035Copyright © TCG |
| 1036 |
| 1037 |
| |
| 422520.3 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_NV_WriteValueAuth |
| |
| 4226Start of informative comment: |
| 4227This command writes to a previously defined area. The area must require authorization to |
| 4228write. Use this command when authorization other than the owner authorization is to be |
| 4229used. Otherwise, use TPM_NV_WriteValue. |
| 4230The Part 2 ordinal table indicates that TPM_NV_WriteValueAuth requires an owner present. |
| 4231This is normative, although it was a mistake. |
| 4232End of informative comment. |
| 4233Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| Tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal, TPM_ORD_NV_WriteValueAuth |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_NV_INDEX |
| |
| nvIndex |
| |
| The index of the area to set |
| |
| 5 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| offset |
| |
| The offset into the chunk |
| |
| 6 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| dataSize |
| |
| The size of the data area |
| |
| 7 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| BYTE |
| |
| data |
| |
| The data to set the area to |
| |
| 8 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for NV element authorization |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 10 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 11 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| authValue |
| |
| HMAC key: NV element auth value |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 9 |
| |
| 4234Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| ordinal, TPM_ORD_NV_WriteValueAuth |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| NonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| authValue |
| |
| HMAC key: NV element auth value |
| |
| 20 |
| |
| 4235Actions |
| 42361. Locate and set D1 to the TPM_NV_DATA_AREA that corresponds to nvIndex, return |
| 4237 |
| TPM_BADINDEX on error |
| 1038 |
| 1039 |
| |
| 220 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1040TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1041Specification Version 1.2 |
| |
| 42382. If D1 -> attributes does not specify TPM_NV_PER_AUTHWRITE then return |
| 4239 |
| TPM_AUTH_CONFLICT |
| 42403. Validate authValue using D1 -> authValue, return TPM_AUTHFAIL on error |
| 42414. Check that D1 -> pcrInfoWrite -> localityAtRelease for TPM_STANY_DATA -> |
| 4242 |
| localityModifier is TRUE |
| 4243 |
| 4244 |
| |
| a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo -> |
| localityAtRelease -> TPM_LOC_TWO would have to be TRUE |
| |
| 4245 |
| |
| b. On error return TPM_BAD_LOCALITY |
| |
| 42465. If D1 -> attributes specifies TPM_NV_PER_PPWRITE then validate physical presence is |
| 4247 |
| asserted if not return TPM_BAD_PRESENCE |
| 42486. If D1 -> pcrInfoWrite -> pcrSelection specifies a selection of PCR |
| 4249 |
| 4250 |
| |
| a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 -> |
| pcrInfoWrite |
| |
| 4251 |
| |
| b. Compare P1 to digestAtRelease return TPM_WRONGPCRVAL on mismatch |
| |
| 42527. If D1 -> attributes specifies TPM_NV_PER_WRITEDEFINE |
| 4253 |
| |
| a. If D1 -> bWriteDefine is TRUE return TPM_AREA_LOCKED |
| |
| 42548. If D1 -> attributes specifies TPM_NV_PER_GLOBALLOCK |
| 4255 |
| |
| a. If TPM_STCLEAR_FLAGS -> bGlobalLock is TRUE return TPM_AREA_LOCKED |
| |
| 42569. If D1 -> attributes specifies TPM_NV_PER_WRITE_STCLEAR |
| 4257 |
| |
| a. If D1 -> bWriteSTClear is TRUE return TPM_AREA_LOCKED |
| |
| 425810.If dataSize = 0 then |
| 4259 |
| |
| a. Set D1 -> bWriteSTClear to TRUE |
| |
| 4260 |
| |
| b. Set D1 -> bWriteDefine to TRUE |
| |
| 426111.Else |
| 4262 |
| |
| a. Set S1 to offset + dataSize |
| |
| 4263 |
| |
| b. If S1 > D1 -> dataSize return TPM_NOSPACE |
| |
| 4264 |
| |
| c. If D1 -> attributes specifies TPM_NV_PER_WRITEALL |
| |
| 4265 |
| 4266 |
| |
| i. |
| |
| If dataSize != D1 -> dataSize return TPM_NOT_FULLWRITE |
| |
| d. Write the new value into the NV storage area |
| |
| 426712.Set D1 -> bReadSTClear to FALSE |
| 426813.Return TPM_SUCCESS |
| |
| 1042Level 2 Revision 116 28 February 2011 |
| 1043 |
| |
| 221 |
| TCG Published |
| |
| 1044Copyright © TCG |
| 1045 |
| 1046 |
| |
| 426920.4 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_NV_ReadValue |
| |
| 4270Start of informative comment: |
| 4271Read a value from the NV store. This command uses optional owner authentication. |
| 4272Action 1 indicates that if the NV area is not locked then reading of the NV area continues |
| 4273without ANY authorization. This is intentional, and allows a platform manufacturer to set |
| 4274the NV areas, read them back, and then lock them all without having to install a TPM |
| 4275owner. |
| 4276Certain platform manufacturers or software might require specific error handling in Action |
| 427720.4. |
| 4278Owner authorization is not required when nvLocked is FALSE. If the host does send owner |
| 4279authorization, Action 20.4 indicates that it should be correct, since some TPM |
| 4280implementations may validate it. |
| 4281End of informative comment. |
| 4282Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal, TPM_ORD_NV_ReadValue |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_NV_INDEX |
| |
| nvIndex |
| |
| The index of the area to set |
| |
| 5 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| offset |
| |
| The offset into the area |
| |
| 6 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| dataSize |
| |
| The size of the data area |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for TPM Owner authorization |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authNonceOdd |
| |
| Nonce generated by caller |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| HMAC key: ownerAuth |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 4283Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 1S |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_NV_ReadValue |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| dataSize |
| |
| The size of the data area |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[] |
| |
| data |
| |
| The data to set the area to |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| HMAC key: ownerAuth |
| |
| 20 |
| |
| 4284Actions |
| 42851. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks are |
| 4286 |
| ignored. |
| 4287 |
| 4288 |
| |
| a. Ignored checks include physical presence, owner authorization, PCR, bReadSTClear, |
| locality, TPM_NV_PER_OWNERREAD, disabled and deactivated. |
| |
| 4289 |
| |
| b. TPM_NV_PER_AUTHREAD is not ignored. |
| |
| 4290 |
| |
| c. If ownerAuth is present, the TPM MAY check the authorization HMAC. |
| |
| 42912. Set D1 a TPM_NV_DATA_AREA structure to the area pointed to by nvIndex, if not found |
| 4292 |
| return TPM_BADINDEX |
| 4293 |
| |
| a. If nvIndex = TPM_NV_INDEX_DIR, set D1 to TPM_PERMANENT_DATA -> authDir[0] |
| |
| 42943. If TPM_PERMANENT_FLAGS -> nvLocked is TRUE |
| 4295 |
| |
| a. If D1 -> permission -> TPM_NV_PER_OWNERREAD is TRUE |
| |
| 4296 |
| |
| i. |
| |
| 4297 |
| |
| ii. If TPM_STCLEAR_FLAGS -> deactivated is TRUE, return TPM_DEACTIVATED |
| |
| 4298 |
| |
| If TPM_PERMANENT_FLAGS -> disable is TRUE, return TPM_DISABLED |
| |
| b. If D1 -> permission -> TPM_NV_PER_OWNERREAD is FALSE |
| |
| 4299 |
| 4300 |
| |
| i. If TPM_PERMANENT_FLAGS -> disable is TRUE, the TPM MAY return |
| TPM_DISABLED |
| |
| 4301 |
| 4302 |
| |
| ii. If TPM_STCLEAR_FLAGS -> deactivated is TRUE, the TPM MAY return |
| TPM_DEACTIVATED |
| |
| 43034. If tag = TPM_TAG_RQU_AUTH1_COMMAND then |
| 4304 |
| |
| a. If D1 -> TPM_NV_PER_OWNERREAD is FALSE return TPM_AUTH_CONFLICT |
| |
| 4305 |
| 4306 |
| |
| b. Validate command and parameters using TPM Owners authentication on error return |
| TPM_AUTHFAIL |
| |
| 43075. Else |
| 4308 |
| |
| a. If D1 -> TPM_NV_PER_AUTHREAD is TRUE return TPM_AUTH_CONFLICT |
| |
| 4309 |
| |
| b. If D1 -> TPM_NV_PER_OWNERREAD is TRUE return TPM_AUTH_CONFLICT |
| |
| 43106. Check that D1 -> pcrInfoRead -> localityAtRelease for TPM_STANY_DATA -> |
| 4311 |
| localityModifier is TRUE |
| 4312 |
| 4313 |
| |
| a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo -> |
| localityAtRelease -> TPM_LOC_TWO would have to be TRUE |
| |
| 4314 |
| |
| b. On error return TPM_BAD_LOCALITY |
| |
| 43157. If D1 -> attributes specifies TPM_NV_PER_PPREAD then validate physical presence is |
| 4316 |
| asserted if not return TPM_BAD_PRESENCE |
| 43178. If D1 -> TPM_NV_PER_READ_STCLEAR then |
| 1051Level 2 Revision 116 28 February 2011 |
| 1052 |
| |
| 223 |
| TCG Published |
| |
| 1053Copyright © TCG |
| 1054 |
| 1055 |
| |
| 4318 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| a. If D1 -> bReadSTClear is TRUE return TPM_DISABLED_CMD |
| |
| 43199. If D1 -> pcrInfoRead -> pcrSelection specifies a selection of PCR |
| 4320 |
| 4321 |
| |
| a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 -> |
| pcrInfoRead |
| |
| 4322 |
| 4323 |
| |
| b. Compare P1 to D1 -> pcrInfoRead -> digestAtRelease return TPM_WRONGPCRVAL on |
| mismatch |
| |
| 432410.If dataSize is 0 then |
| 4325 |
| |
| a. Set D1 -> bReadSTClear to TRUE |
| |
| 4326 |
| |
| b. Set data to NULL (output parameter dataSize to 0) |
| |
| 432711.Else |
| 4328 |
| |
| a. Set S1 to offset + dataSize |
| |
| 4329 |
| |
| b. If S1 > D1 -> dataSize return TPM_NOSPACE |
| |
| 4330 |
| |
| c. Set data to area pointed to by offset |
| |
| 4331 |
| |
| i. |
| |
| This includes partial reads of TPM_NV_INDEX_DIR. |
| |
| 433212.Return TPM_SUCCESS |
| |
| 1056 |
| 1057 |
| |
| 224 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1058TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1059Specification Version 1.2 |
| |
| 433320.5 |
| |
| TPM_NV_ReadValueAuth |
| |
| 4334Start of informative comment: |
| 4335This command requires that the read be authorized by a value set with the blob. |
| 4336The Part 2 ordinal table indicates that TPM_NV_ReadValueAuth requires an owner present. |
| 4337This is normative, although it was a mistake. |
| 4338End of informative comment. |
| 4339Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal, TPM_ORD_NV_ReadValueAuth |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_NV_INDEX |
| |
| nvIndex |
| |
| The index of the area to set |
| |
| 5 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UNIT32 |
| |
| offset |
| |
| The offset from the data area |
| |
| 6 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| dataSize |
| |
| The size of the data area |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| authThe auth handle for the NV element authorization |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authNonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| authContinueSession |
| |
| The continue use flag for the authorization session handle |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| authHmac |
| |
| HMAC key: nv element authorization |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 4340Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| ordinal, TPM_ORD_NV_ReadValueAuth |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| dataSize |
| |
| The size of the data area |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[] |
| |
| data |
| |
| The data |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authNonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| authContinueSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| 8 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| authHmacOut |
| |
| HMAC key: nv element authorization |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 4341Actions |
| 43421. Locate and set D1 to the TPM_NV_DATA_AREA that corresponds to nvIndex, on error |
| 4343 |
| return TPM_BADINDEX |
| 1060Level 2 Revision 116 28 February 2011 |
| 1061 |
| |
| 225 |
| TCG Published |
| |
| 1062Copyright © TCG |
| 1063 |
| 1064 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 43442. If D1 -> TPM_NV_PER_AUTHREAD is FALSE return TPM_AUTH_CONFLICT |
| 43453. Validate authHmac using D1 -> authValue on error return TPM_AUTHFAIL |
| 43464. If D1 -> attributes specifies TPM_NV_PER_PPREAD then validate physical presence is |
| 4347 |
| asserted if not return TPM_BAD_PRESENCE |
| 43485. Check that D1 -> pcrInfoRead -> localityAtRelease for TPM_STANY_DATA -> |
| 4349 |
| localityModifier is TRUE |
| 4350 |
| 4351 |
| |
| a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo -> |
| localityAtRelease -> TPM_LOC_TWO would have to be TRUE |
| |
| 4352 |
| |
| b. On error return TPM_BAD_LOCALITY |
| |
| 43536. If D1 -> pcrInfoRead -> pcrSelection specifies a selection of PCR |
| 4354 |
| 4355 |
| |
| a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 -> |
| pcrInfoRead |
| |
| 4356 |
| 4357 |
| |
| b. Compare P1 to D1 -> pcrInfoRead -> digestAtRelease return TPM_WRONGPCRVAL on |
| mismatch |
| |
| 43587. If D1 specifies TPM_NV_PER_READ_STCLEAR then |
| 4359 |
| |
| a. If D1 -> bReadSTClear is TRUE return TPM_DISABLED_CMD |
| |
| 43608. If dataSize is 0 then |
| 4361 |
| |
| a. Set D1 -> bReadSTClear to TRUE |
| |
| 4362 |
| |
| b. Set data to all zeros |
| |
| 43639. Else |
| 4364 |
| |
| a. Set S1 to offset + dataSize |
| |
| 4365 |
| |
| b. If S1 > D1 -> dataSize return TPM_NOSPACE |
| |
| 4366 |
| |
| c. Set data to area pointed to by offset |
| |
| 436710.Return TPM_SUCCESS |
| |
| 1065 |
| 1066 |
| |
| 226 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1067TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1068Specification Version 1.2 |
| |
| 436821. |
| Session Management |
| 4369Start of informative comment: |
| 4370Three TPM_RT_CONTEXT session resources located in TPM_STANY_DATA work together to |
| 4371control session save and load: contextNonceSession, contextCount, and contextList[]. |
| 4372All three MUST initialized at TPM_Startup(ST_CLEAR) and TPM_Startup(ST_DEACTIVATED) |
| 4373and MAY be initialized at TPM_Startup(ST_STATE). Initializing invalidates all saved |
| 4374sessions. They MAY be restored by TPM_Startup(ST_STATE). This case would allow saved |
| 4375sessions to be loaded. |
| The actual ST_STATE operation is reported by the |
| 4376TPM_RT_CONTEXT startup effect. |
| 4377TPM_SaveContext creates a contextBlob containing an encrypted contextNonceSession. The |
| 4378nonce is checked by TPM_LoadContext. So initializing contextNonceSession invalidates all |
| 4379saved contexts. The nonce is large and protected, making a replay infeasible. |
| 4380The contextBlob also contains a public but protected contextCount. The count increments |
| 4381for each saved contextBlob. The TPM also saves contextCount in contextList[]. The TPM |
| 4382validates contextBlob against the contextList[] during TPM_LoadContext. Since the |
| 4383contextList[] is finite, it limits the number of valid saved sessions. Since the contextCount |
| 4384cannot be allowed to wrap, it limits the total number of saved sessions. |
| 4385After a contextBlob is loaded, its contextCount entry is removed from contextList[]. This |
| 4386releases space in the context list for future entries. It also invalidates the contextBlob. So a |
| 4387saved contextBlob can be loaded only once. |
| 4388TPM_FlushSpecific can also specify a contextCount to be removed from the contextList[], |
| 4389allowing invalidation of an individual contextBlob. This is different from TPM_FlushSpecific |
| 4390specifying a session handle, which invalidates a loaded session, not a saved contextBlob. |
| 4391End of informative comment. |
| 4392 |
| 439321.1 |
| |
| TPM_KeyControlOwner |
| |
| 4394Start of informative comment: |
| 4395This command controls some attributes of keys that are stored within the TPM key cache. |
| 4396OwnerEvict: If this bit is set to true, this key remains in the TPM non-volatile storage |
| 4397through all TPM_Startup events. The only way to evict this key is for the TPM Owner to |
| 4398execute this command again, setting the owner control bit to false and then executing |
| 4399TPM_FlushSpecific. |
| 4400The key handle does not reference an authorized entity and is not validated. |
| 4401The check for two remaining key slots ensures that users can load the two keys required to |
| 4402execute many commands. Since only the owner can flush owner evict keys, non-owner |
| 4403commands could be blocked if this test was not performed. |
| 4404End of informative comment. |
| 4405Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| 1069Level 2 Revision 116 28 February 2011 |
| 1070 |
| |
| Name |
| |
| 227 |
| TCG Published |
| |
| Description |
| |
| 1071Copyright © TCG |
| 1072 |
| 1073 |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| 2 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| 5 |
| |
| <> |
| |
| 2S |
| |
| 6 |
| |
| 4 |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 4 |
| |
| 9 |
| |
| # |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| SZ |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes incl. paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_KeyControlOwner |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| The handle of a loaded key. |
| |
| <> |
| |
| TPM_PUBKEY |
| |
| pubKey |
| |
| The public key associated with the loaded key |
| |
| 3S |
| |
| 4 |
| |
| TPM_KEY_CONTROL |
| |
| bitName |
| |
| The name of the bit to be modified |
| |
| 4S |
| |
| 1 |
| |
| BOOL |
| |
| bitValue |
| |
| The value to set the bit to |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 10 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 11 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 12 |
| |
| 20 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| HMAC authorization: key ownerAuth |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 4406Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal:TPM_ORD_KeyControlOwner |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM. |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| HMAC authorization: key ownerAuth |
| |
| 20 |
| |
| 4407Description |
| 44081. Set an internal bit within the key cache that controls some attribute of a loaded key. |
| 4409Actions |
| 44101. Validate the AuthData using the owner authentication value, on error return |
| 4411 |
| TPM_AUTHFAIL |
| 44122. Validate that keyHandle refers to a loaded key, return TPM_INVALID_KEYHANDLE on |
| 4413 |
| error. |
| 44143. Validate that pubKey matches the key held by the TPM pointed to by keyHandle, return |
| 4415 |
| TPM_BAD_PARAMETER on mismatch |
| 4416 |
| 4417 |
| |
| a. This check is added so that virtualization of the keyHandle does not result in attacks, |
| as the keyHandle is not associated with an authorization value |
| |
| 44184. Validate that bitName is valid, return TPM_BAD_MODE on error. |
| 44195. If bitName == TPM_KEY_CONTROL_OWNER_EVICT |
| 1074 |
| 1075 |
| |
| 228 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1076TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1077Specification Version 1.2 |
| |
| 4420 |
| |
| a. If bitValue == TRUE |
| |
| 4421 |
| 4422 |
| 4423 |
| |
| i. Verify that after this operation at least two key slots will be present within the |
| TPM that can store any type of key both of which do NOT have the OwnerEvict bit |
| set, on error return TPM_NOSPACE |
| |
| 4424 |
| 4425 |
| |
| ii. Verify that for this key handle, parentPCRStatus is FALSE and isVolatile is |
| FALSE. Return TPM_BAD_PARAMETER on error. |
| |
| 4426 |
| |
| iii. Set ownerEvict within the internal key storage structure to TRUE. |
| |
| 4427 |
| 4428 |
| |
| b. Else if bitValue == FALSE |
| i. |
| |
| Set ownerEvict within the internal key storage structure to FALSE. |
| |
| 44296. Return TPM_SUCCESS |
| |
| 1078Level 2 Revision 116 28 February 2011 |
| 1079 |
| |
| 229 |
| TCG Published |
| |
| 1080Copyright © TCG |
| 1081 |
| 1082 |
| |
| 443021.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_SaveContext |
| |
| 4431Start of informative comment: |
| 4432TPM_SaveContext saves a loaded resource outside the TPM. After successful execution of |
| 4433the command, the TPM automatically releases the internal memory for sessions but leaves |
| 4434keys in place. |
| 4435There is no assumption that a saved context blob is stored in a safe, protected area. Since |
| 4436the context blob can be loaded at any time, do not rely on TPM_SaveContext to restrict |
| 4437access to an entity such as a key. If use of the entity should be restricted, means such as |
| 4438authorization secrets or PCR’s should be used. |
| 4439In general, TPM_SaveContext can save a transport session. However, it cannot save an |
| 4440exclusive transport session, because any ordinal other than TPM_ExecuteTransport |
| 4441terminates the exclusive transport session. This action prevents the exclusive transport |
| 4442session from being saved and reloaded while intervening commands are hidden from the |
| 4443transport log. |
| 4444End of informative comment. |
| 4445Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SaveContext |
| |
| 4 |
| |
| 4 |
| |
| TPM_HANDLE |
| |
| handle |
| |
| Handle of the resource being saved. |
| |
| 5 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_RESOURCE_TYPE |
| |
| resourceType |
| |
| The type of resource that is being saved |
| |
| 6 |
| |
| 16 |
| |
| 3S |
| |
| 16 |
| |
| BYTE[16] |
| |
| label |
| |
| Label for identification purposes |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 4446Outgoing Parameters and Sizes |
| PARAM |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| 2 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| HMAC |
| # |
| |
| SZ |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SaveContext |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| contextSize |
| |
| The actual size of the outgoing context blob |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| TPM_CONTEXT_BLOB |
| |
| contextBlob |
| |
| The context blob |
| |
| 4447Description |
| 44481. The caller of the function uses the label field to add additional sequencing, anti-replay or |
| 4449 |
| other items to the blob. The information does not need to be confidential but needs to be |
| 4450 |
| part of the blob integrity. |
| |
| 1083 |
| 1084 |
| |
| 230 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1085TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1086Specification Version 1.2 |
| |
| 4451Actions |
| 44521. Map V1 to TPM_STANY_DATA |
| 44532. Validate that handle points to |
| 4454 |
| TPM_INVALID_RESOURCE on error |
| |
| resource |
| |
| that |
| |
| matches |
| |
| resourceType, |
| |
| return |
| |
| 44553. Validate that resourceType is a resource from the following list if not return |
| 4456 |
| TPM_INVALID_RESOURCE |
| 4457 |
| |
| a. TPM_RT_KEY |
| |
| 4458 |
| |
| b. TPM_RT_AUTH |
| |
| 4459 |
| |
| c. TPM_RT_TRANS |
| |
| 4460 |
| |
| d. TPM_RT_DAA_TPM |
| |
| 44614. Locate the correct nonce |
| 4462 |
| 4463 |
| |
| a. If resourceType is TPM_RT_KEY |
| i. |
| |
| 4464 |
| 4465 |
| |
| If TPM_STCLEAR_DATA -> contextNonceKey is all zeros |
| (1) |
| Set TPM_STCLEAR_DATA -> contextNonceKey to the next value from |
| the TPM RNG |
| |
| 4466 |
| |
| ii. Map N1 to TPM_STCLEAR_DATA -> contextNonceKey |
| |
| 4467 |
| 4468 |
| |
| iii. If the key has TPM_KEY_CONTROL_OWNER_EVICT |
| TPM_OWNER_CONTROL |
| |
| 4469 |
| |
| i. |
| |
| then |
| |
| return |
| |
| b. Else |
| |
| 4470 |
| |
| set |
| |
| 4471 |
| 4472 |
| |
| If V1 -> contextNonceSession is all zeros |
| (1) |
| |
| Set V1 -> contextNonceSession to the next value from the TPM RNG |
| |
| ii. Map N1 to V1 -> contextNonceSession |
| |
| 44735. Set K1 to TPM_PERMANENT_DATA -> contextKey |
| 44746. Create R1 by putting the sensitive part of the resource pointed to by handle into a |
| 4475 |
| structure. The structure is a TPM manufacturer option. The TPM MUST ensure that ALL |
| 4476 |
| sensitive information of the resource is included in R1. |
| 44777. Create C1 a TPM_CONTEXT_SENSITIVE structure |
| 4478 |
| 4479 |
| 4480 |
| |
| a. C1 forms the inner encrypted wrapper for the blob. All saved context blobs MUST |
| include a TPM_CONTEXT_SENSITIVE structure and the TPM_CONTEXT_SENSITIVE |
| structure MUST be encrypted. |
| |
| 4481 |
| |
| b. Set C1 -> contextNonce to N1 |
| |
| 4482 |
| |
| c. Set C1 -> internalData to R1 |
| |
| 44838. Create B1 a TPM_CONTEXT_BLOB |
| 4484 |
| |
| a. Set B1 -> tag to TPM_TAG_CONTEXTBLOB |
| |
| 4485 |
| |
| b. Set B1 -> resourceType to resourceType |
| |
| 4486 |
| |
| c. Set B1 -> handle to handle |
| |
| 4487 |
| |
| d. Set B1 -> integrityDigest to all zeros |
| |
| 1087Level 2 Revision 116 28 February 2011 |
| 1088 |
| |
| 231 |
| TCG Published |
| |
| 1089Copyright © TCG |
| 1090 |
| 1091 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 4488 |
| |
| e. Set B1 -> label to label |
| |
| 4489 |
| 4490 |
| 4491 |
| |
| f. Set B1 -> additionalData to information determined by the TPM manufacturer. This |
| data will help the TPM to reload and reset context. This area MUST NOT hold any data |
| that is sensitive (symmetric IV are fine, prime factors of an RSA key are not). |
| |
| 4492 |
| 4493 |
| |
| i. For OSAP sessions and for DSAP sessions attached to keys, the hash of the |
| entity MUST be included in additionalData |
| |
| 4494 |
| |
| g. Set B1 -> additionalSize to the size of additionalData |
| |
| 4495 |
| |
| h. Set B1 -> sensitiveSize to the size of C1 |
| |
| 4496 |
| |
| i. |
| |
| Set B1 -> sensitiveData to C1 |
| |
| 44979. If resourceType is TPM_RT_KEY |
| 4498 |
| |
| a. Set B1 -> contextCount to 0 |
| |
| 449910.Else |
| 4500 |
| |
| a. If V1 -> contextCount > 232-2 then |
| |
| 4501 |
| |
| i. |
| |
| 4502 |
| |
| b. Else |
| |
| 4503 |
| |
| i. |
| |
| Return with TPM_TOOMANYCONTEXTS |
| Validate that the TPM can still manage the new count value |
| |
| 4504 |
| 4505 |
| |
| (1) |
| If the distance between the oldest saved context and the contextCount |
| is too large return TPM_CONTEXT_GAP |
| |
| 4506 |
| 4507 |
| |
| ii. Find contextIndex such that V1 -> contextList[contextIndex] equals 0. If not |
| found exit with TPM_NOCONTEXTSPACE |
| |
| 4508 |
| |
| iii. Increment V1 -> contextCount by 1 |
| |
| 4509 |
| |
| iv. Set V1-> contextList[contextIndex] to V1 -> contextCount |
| |
| 4510 |
| |
| v. Set B1 -> contextCount to V1 -> contextCount |
| |
| 4511 |
| 4512 |
| |
| c. The TPM MUST invalidate all information regarding the resource except for |
| information needed for reloading |
| |
| 451311.Calculate B1 -> integrityDigest the HMAC of B1 using TPM_PERMANENT_DATA -> |
| 4514 |
| tpmProof as the secret |
| 451512.Create E1 by encrypting C1 using K1 as the key |
| 4516 |
| |
| a. Set B1 -> sensitiveSize to the size of E1 |
| |
| 4517 |
| |
| b. Set B1 -> sensitiveData to E1 |
| |
| 451813.Set contextSize to the size of B1 |
| 451914.Return B1 in contextBlob |
| |
| 1092 |
| 1093 |
| |
| 232 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1094TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1095Specification Version 1.2 |
| |
| 452021.3 |
| |
| TPM_LoadContext |
| |
| 4521Start of informative comment: |
| 4522TPM_LoadContext loads into the TPM a previously saved context. The command returns a |
| 4523handle. |
| 4524End of informative comment. |
| 4525Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadContext |
| |
| 4 |
| |
| 4 |
| |
| TPM_HANDLE |
| |
| entityHandle |
| |
| The handle the TPM MUST use to locate the entity tied to the OSAP/DSAP |
| session |
| |
| 5 |
| |
| 1 |
| |
| 2S |
| |
| 1 |
| |
| BOOL |
| |
| keepHandle |
| |
| Indication if the handle MUST be preserved |
| |
| 6 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| contextSize |
| |
| The size of the following context blob. |
| |
| 7 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| TPM_CONTEXT_BLOB |
| |
| contextBlob |
| |
| The context blob |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 4526Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadContext |
| |
| TPM_HANDLE |
| |
| handle |
| |
| The handle assigned to the resource after it has been successfully loaded. |
| |
| 4527Actions |
| 45281. Map contextBlob to B1, a TPM_CONTEXT_BLOB structure |
| 45292. Map V1 to TPM_STANY_DATA |
| 45303. Create M1 by decrypting B1 -> sensitiveData using TPM_PERMANENT_DATA -> |
| 4531 |
| contextKey |
| 45324. Create C1 and R1 by splitting M1 into a TPM_CONTEXT_SENSITIVE structure and |
| 4533 |
| internal resource data |
| 45345. Check contextNonce |
| 4535 |
| 4536 |
| 4537 |
| |
| a. If B1 -> resourceType is NOT TPM_RT_KEY |
| i. If C1 -> contextNonce does not equal V1 -> contextNonceSession return |
| TPM_BADCONTEXT |
| |
| 1096Level 2 Revision 116 28 February 2011 |
| 1097 |
| |
| 233 |
| TCG Published |
| |
| 1098Copyright © TCG |
| 1099 |
| 1100 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 4538 |
| 4539 |
| 4540 |
| |
| ii. Validate that the resource pointed to by the context is loaded (i.e. for OSAP the |
| key referenced is loaded and DSAP connected to the key) return |
| TPM_RESOURCEMISSING |
| |
| 4541 |
| 4542 |
| |
| (1) |
| For OSAP sessions and for DSAP sessions attached to keys, the TPM |
| MUST validate that the hash of the entity matches the entity held by the TPM |
| |
| 4543 |
| 4544 |
| 4545 |
| |
| (2) |
| For OSAP and DSAP sessions referring to a key, verify that entityHandle |
| identifies the key linked to this OSAP/DSAP session, if not return |
| TPM_BAD_HANDLE. |
| |
| 4546 |
| |
| b. Else |
| |
| 4547 |
| 4548 |
| |
| i. If C1 -> internalData -> parentPCRStatus is FALSE and C1 -> internalData -> |
| isVolatile is FALSE |
| |
| 4549 |
| |
| (1) |
| |
| 4550 |
| |
| Ignore C1 -> contextNonce |
| |
| ii. else |
| |
| 4551 |
| 4552 |
| |
| (1) |
| If C1 -> contextNonce does not equal TPM_STCLEAR_DATA -> |
| contextNonceKey return TPM_BADCONTEXT |
| |
| 45536. Validate the structure |
| 4554 |
| |
| a. Set H1 to B1 -> integrityDigest |
| |
| 4555 |
| |
| b. Set B1 -> integrityDigest to all zeros |
| |
| 4556 |
| |
| c. Copy M1 to B1 -> sensitiveData |
| |
| 4557 |
| 4558 |
| |
| d. Create H2 the HMAC of B1 using TPM_PERMANENT_DATA -> tpmProof as the HMAC |
| key |
| |
| 4559 |
| |
| e. If H2 does not equal H1 return TPM_BADCONTEXT |
| |
| 45607. If keepHandle is TRUE |
| 4561 |
| |
| a. Set handle to B1 -> handle |
| |
| 4562 |
| |
| b. If the TPM is unable to restore the handle the TPM MUST return TPM_BAD_HANDLE |
| |
| 45638. Else |
| 4564 |
| 4565 |
| |
| a. The TPM SHOULD attempt to restore the handle but if not possible it MAY set the |
| handle to any valid for B1 -> resourceType |
| |
| 45669. If B1 -> resourceType is NOT TPM_RT_KEY |
| 4567 |
| 4568 |
| |
| a. Find contextIndex such that V1 -> contextList[contextIndex] equals B1 -> |
| TPM_CONTEXT_BLOB -> contextCount |
| |
| 4569 |
| |
| b. If not found then return TPM_BADCONTEXT |
| |
| 4570 |
| |
| c. Set V1 -> contextList[contextIndex] to 0 |
| |
| 457110.Process B1 to return the resource back into TPM use |
| |
| 1101 |
| 1102 |
| |
| 234 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1103TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1104Specification Version 1.2 |
| |
| 457222. |
| Eviction |
| 4573Start of informative comment: |
| 4574The TPM has numerous resources held inside of the TPM that may need eviction. The need |
| 4575for eviction occurs when the number or resources in use by the TPM exceed the available |
| 4576space. For resources that are hard to reload (i.e. keys tied to PCR values) the outside entity |
| 4577should first perform a context save before evicting items. |
| 4578In version 1.1 there were separate commands to evict separate resource types. This new |
| 4579command set uses the resource types defined for context saving and creates a generic |
| 4580command that will evict all resource types. |
| 4581End of informative comment. |
| 4582The TPM MUST NOT flush the EK or SRK using this command. |
| 4583Version 1.2 deprecates the following commands: |
| 4584● TPM_Terminate_Handle |
| 4585● TPM_EvictKey |
| 4586● TPM_Reset |
| |
| 1105Level 2 Revision 116 28 February 2011 |
| 1106 |
| |
| 235 |
| TCG Published |
| |
| 1107Copyright © TCG |
| 1108 |
| 1109 |
| |
| 458722.1 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_FlushSpecific |
| |
| 4588Start of informative comment: |
| 4589TPM_FlushSpecific flushes from the TPM a specific handle. |
| 4590End of informative comment. |
| 4591Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_FlushSpecific |
| |
| 4 |
| |
| 4 |
| |
| TPM_HANDLE |
| |
| handle |
| |
| The handle of the item to flush |
| |
| 5 |
| |
| 4 |
| |
| TPM_RESOURCE_TYPE |
| |
| resourceType |
| |
| The type of resource that is being flushed |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| 2S |
| |
| SZ |
| |
| 4 |
| |
| 4 |
| |
| 4592Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| # |
| |
| SZ |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_FlushSpecific |
| |
| 4593Description |
| 4594TPM_FlushSpecific releases the resources associated with the given handle. |
| 4595Actions |
| 45961. If resourceType is TPM_RT_CONTEXT |
| 4597 |
| 4598 |
| 4599 |
| |
| a. The handle for a context is not a handle but the "context count" value. The TPM uses |
| the "context count" value to locate the proper contextList entry and sets R1 to the |
| contextList entry |
| |
| 46002. Else if resourceType is TPM_RT_KEY |
| 4601 |
| |
| a. Set R1 to the key pointed to by handle |
| |
| 4602 |
| |
| b. If R1 -> ownerEvict is TRUE return TPM_KEY_OWNER_CONTROL |
| |
| 46033. Else if resourceType is TPM_RT_AUTH |
| 4604 |
| |
| a. Set R1 to the authorization session pointed to by handle |
| |
| 46054. Else if resourceType is TPM_RT_TRANS |
| 4606 |
| |
| a. Set R1 to the transport session pointed to by handle |
| |
| 46075. Else if resourceType is TPM_RT_DAA_TPM |
| 1110 |
| 1111 |
| |
| 236 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1112TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1113Specification Version 1.2 |
| |
| 4608 |
| |
| a. Set R1 to the DAA session pointed to by handle |
| |
| 46096. Else return TPM_INVALID_RESOURCE |
| 46107. Validate that R1 determined by resourceType and handle points to a valid allocated |
| 4611 |
| resource. Return TPM_BAD_PARAMETER on error. |
| 46128. Invalidate R1 and all internal resources allocated to R1 |
| 4613 |
| |
| a. Resources include authorization sessions |
| |
| 1114Level 2 Revision 116 28 February 2011 |
| 1115 |
| |
| 237 |
| TCG Published |
| |
| 1116Copyright © TCG |
| 1117 |
| 1118 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 461423. |
| Timing Ticks |
| 4615Start of informative comment: |
| 4616The TPM timing ticks are always available for use. The association of timing ticks to actual |
| 4617time is a protocol that occurs outside of the TPM. See the design document for details. |
| 4618The setting of the clock type variable is a one time operation that allows the TPM to be |
| 4619configured to the type of platform that is installed on. |
| 4620The ability for the TPM to continue to increment the timer ticks across power cycles of the |
| 4621platform is a TPM and platform manufacturer decision. |
| 4622End of informative comment. |
| 462323.1 |
| |
| TPM_GetTicks |
| |
| 4624Start of informative comment: |
| 4625This command returns the current tick count of the TPM. |
| 4626End of informative comment. |
| 4627Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal: TPM_ORD_GetTicks |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 4628Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 32 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal: TPM_ORD_GetTicks |
| |
| 3S |
| |
| 32 |
| |
| TPM_CURRENT_TICKS |
| |
| currentTime |
| |
| The current time held in the TPM |
| |
| 4629Description |
| 4630This command returns the current time held in the TPM. It is the responsibility of the |
| 4631external system to maintain any relation between this time and a UTC value or local real |
| 4632time value. |
| 4633Actions |
| 46341. Set T1 to the internal TPM_CURRENT_TICKS structure |
| 46352. Return T1 as currentTime. |
| 1119 |
| 1120 |
| |
| 238 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1121TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1122Specification Version 1.2 |
| |
| 463623.2 |
| |
| TPM_TickStampBlob |
| |
| 4637Start of informative comment: |
| 4638This command applies a time stamp to the passed blob. The TPM makes no representation |
| 4639regarding the blob merely that the blob was present at the TPM at the time indicated. |
| 4640End of informative comment. |
| 4641Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal, fixed value of TPM_ORD_TickStampBlob |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| The keyHandle identifier of a loaded key that can perform digital |
| signatures. |
| |
| 5 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| Anti replay value added to signature |
| |
| 6 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_DIGEST |
| |
| digestToStamp |
| |
| The digest to perform the tick stamp on |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle authorization |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| privAuth |
| |
| The authorization session digest that authorizes the use of keyHandle. |
| HMAC key: key.usageAuth |
| |
| 1123Level 2 Revision 116 28 February 2011 |
| 1124 |
| |
| 239 |
| TCG Published |
| |
| 1125Copyright © TCG |
| 1126 |
| 1127 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 4642Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Ordinal, fixed value of TPM_ORD_TickStampBlob |
| |
| 4 |
| |
| 32 |
| |
| 3S |
| |
| 32 |
| |
| TPM_CURRENT_TICKS |
| |
| currentTicks |
| |
| The current time according to the TPM |
| |
| 5 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| sigSize |
| |
| The length of the returned digital signature |
| |
| 6 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| BYTE[ ] |
| |
| sig |
| |
| The resulting digital signature. |
| |
| 7 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| key.usageAuth |
| |
| 8 |
| |
| 1 |
| |
| 9 |
| |
| 20 |
| |
| 4643Description |
| 4644The function performs a digital signature on the hash of digestToStamp and the current tick |
| 4645count. |
| 4646It is the responsibility of the external system to maintain any relation between tick count |
| 4647and a UTC value or local real time value. |
| 4648Actions |
| 46491. The TPM validates the AuthData to use the key pointed to by keyHandle. |
| 46502. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY or |
| 4651 |
| TPM_KEY_LEGACY, if not return the error code TPM_INVALID_KEYUSAGE. |
| 46523. Validate that keyHandle -> sigScheme is TPM_SS_RSASSAPKCS1v15_SHA1 or |
| 4653 |
| TPM_SS_RSASSAPKCS1v15_INFO, if not return TPM_INAPPROPRIATE_SIG. |
| 46544. If TPM_STCLEAR_DATA -> currentTicks is not properly initialized |
| 4655 |
| |
| a. Initialize the TPM_STCLEAR_DATA -> currentTicks |
| |
| 46565. Create T1, a TPM_CURRENT_TICKS structure. |
| 46576. Create H1 a TPM_SIGN_INFO structure and set the structure defaults |
| 4658 |
| |
| a. Set H1 -> fixed to “TSTP” |
| |
| 4659 |
| |
| b. Set H1 -> replay to antiReplay |
| |
| 4660 |
| |
| c. Create H2 the concatenation of digestToStamp || T1 |
| |
| 4661 |
| |
| d. Set H1 -> dataLen to the length of H2 |
| |
| 4662 |
| |
| e. Set H1 -> data to H2 |
| |
| 1128 |
| 1129 |
| |
| 240 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1130TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1131Specification Version 1.2 |
| |
| 46637. The TPM computes the signature, sig, using the key referenced by keyHandle, using |
| 4664 |
| SHA-1 of H1 as the information to be signed |
| 46658. The TPM returns T1 as currentTicks parameter |
| |
| 1132Level 2 Revision 116 28 February 2011 |
| 1133 |
| |
| 241 |
| TCG Published |
| |
| 1134Copyright © TCG |
| 1135 |
| 1136 |
| |
| 466624. |
| 4667 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Transport Sessions |
| |
| 4668See Part 1 for rationale and security issues. |
| 466924.1 |
| |
| TPM_EstablishTransport |
| |
| 4670Start of informative comment: |
| 4671This establishes the transport session. Depending on the attributes specified for the session |
| 4672this may establish shared secrets, encryption keys, and session logs. The session will be in |
| 4673use for by the TPM_ExecuteTransport command. |
| 4674The only restriction on what can happen inside of a transport session is that there is no |
| 4675“nesting” of sessions. It is permissible to perform operations that delete internal state and |
| 4676make the TPM inoperable. |
| 4677End of informative comment. |
| 4678Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_EstablishTransport |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| encHandle |
| |
| The handle to the key that encrypted the blob |
| |
| 5 |
| |
| <> |
| |
| 2S |
| |
| <> |
| |
| TPM_TRANSPORT_PUBLIC |
| |
| transPublic |
| |
| The public information describing the transport session |
| |
| 6 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| secretSize |
| |
| The size of the secret Area |
| |
| 7 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[] |
| |
| secret |
| |
| The encrypted secret area |
| |
| 8 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle authorization |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 9 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 10 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 11 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| keyAuth |
| |
| Authorization. HMAC key: encKey.usageAuth |
| |
| 4679 |
| |
| 1137 |
| 1138 |
| |
| 242 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1139TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1140Specification Version 1.2 |
| |
| 4680Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_EstablishTransport |
| |
| TPM_TRANSHANDLE |
| |
| transHandle |
| |
| The handle for the transport session |
| |
| 4 |
| |
| 4 |
| |
| 5 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| TPM_MODIFIER_INDICATOR |
| |
| locality |
| |
| The locality that called this command |
| |
| 6 |
| |
| 32 |
| |
| 4S |
| |
| 32 |
| |
| TPM_CURRENT_TICKS |
| |
| currentTicks |
| |
| The current tick count |
| |
| 7 |
| |
| 20 |
| |
| 5S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| transNonceEven |
| |
| The even nonce in use for subsequent execute transport |
| |
| 8 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization. HMAC key: key.usageAuth |
| |
| 9 |
| |
| 1 |
| |
| 10 |
| |
| 20 |
| |
| 4681Description |
| 4682This command establishes the transport sessions shared secret. The encryption of the |
| 4683shared secret uses the public key of the key loaded in encKey. |
| 4684Actions |
| 46851. If encHandle is TPM_KH_TRANSPORT then |
| 4686 |
| |
| a. If tag is NOT TPM_TAG_RQU_COMMAND return TPM_BADTAG |
| |
| 4687 |
| 4688 |
| |
| b. If transPublic -> transAttributes specifies TPM_TRANSPORT_ENCRYPT return |
| TPM_BAD_SCHEME |
| |
| 4689 |
| |
| c. If secretSize is not 20 return TPM_BAD_PARAM_SIZE |
| |
| 4690 |
| |
| d. Set A1 to secret |
| |
| 46912. Else |
| 4692 |
| 4693 |
| |
| a. encHandle -> keyUsage MUST be TPM_KEY_STORAGE or TPM_KEY_LEGACY return |
| TPM_INVALID_KEYUSAGE on error |
| |
| 4694 |
| 4695 |
| |
| b. If encHandle -> authDataUsage does not equal TPM_AUTH_NEVER and tag is NOT |
| TPM_TAG_RQU_AUTH1_COMMAND return TPM_AUTHFAIL |
| |
| 4696 |
| 4697 |
| |
| c. Using encHandle -> usageAuth validate the AuthData to use the key and the |
| parameters to the command |
| |
| 4698 |
| 4699 |
| |
| d. Create K1 a TPM_TRANSPORT_AUTH structure by decrypting secret using the key |
| pointed to by encHandle |
| |
| 4700 |
| |
| e. Validate K1 for tag |
| |
| 4701 |
| |
| f. Set A1 to K1 -> authData |
| |
| 1141Level 2 Revision 116 28 February 2011 |
| 1142 |
| |
| 243 |
| TCG Published |
| |
| 1143Copyright © TCG |
| 1144 |
| 1145 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 47023. If transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT |
| 4703 |
| 4704 |
| |
| a. If TPM_PERMANENT_FLAGS -> FIPS is true and transPublic -> algId is equal to |
| TPM_ALG_MGF1 return TPM_INAPPROPRIATE_ENC |
| |
| 4705 |
| 4706 |
| |
| b. Check |
| if |
| the |
| transPublic |
| TPM_BAD_KEY_PROPERTY |
| |
| 4707 |
| 4708 |
| |
| c. If transPublic -> algid is TPM_ALG_AESXXX, check that transPublic -> encScheme is |
| supported, if not return TPM_INAPPROPRIATE_ENC |
| |
| 4709 |
| |
| d. Perform any initializations necessary for the algorithm |
| |
| -> |
| |
| algId |
| |
| is |
| |
| supported, |
| |
| if |
| |
| not |
| |
| return |
| |
| 47104. Generate transNonceEven from the TPM RNG |
| 47115. Create T1 a TPM_TRANSPORT_INTERNAL structure |
| 4712 |
| 4713 |
| |
| a. Ensure that the TPM has sufficient internal space to allocate the transport session, |
| return TPM_RESOURCES on error |
| |
| 4714 |
| |
| b. Assign a T1 -> transHandle value. This value is assigned by the TPM |
| |
| 4715 |
| |
| c. Set T1 -> transDigest to all zeros |
| |
| 4716 |
| |
| d. Set T1 -> transPublic to transPublic |
| |
| 4717 |
| |
| e. Set T1-> transNonceEven to transNonceEven |
| |
| 4718 |
| |
| f. Set T1 -> authData to A1 |
| |
| 47196. If TPM_STANY_DATA -> currentTicks is not properly initialized |
| 4720 |
| |
| a. Initialize the TPM_STANY_DATA -> currentTicks |
| |
| 47217. Set currentTicks to TPM_STANY_DATA -> currentTicks |
| 47228. If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_LOG set then |
| 4723 |
| |
| a. Create L1 a TPM_TRANSPORT_LOG_IN structure |
| |
| 4724 |
| |
| i. |
| |
| 4725 |
| |
| ii. Set L1 -> pubKeyHash to all zeros |
| |
| 4726 |
| |
| iii. Set T1 -> transDigest to SHA-1 (T1 -> transDigest || L1) |
| |
| 4727 |
| |
| Set L1 -> parameters to SHA-1 (ordinal || transPublic || secretSize || secret) |
| |
| b. Create L2 a TPM_TRANSPORT_LOG_OUT structure |
| |
| 4728 |
| 4729 |
| |
| i. Set L2 -> parameters to SHA-1 (returnCode || ordinal || locality || |
| currentTicks || transNonceEven) |
| |
| 4730 |
| |
| ii. Set L2 -> locality to the locality of this command |
| |
| 4731 |
| 4732 |
| |
| iii. Set L2 -> currentTicks to currentTicks, this MUST be the same value that is |
| returned in the currentTicks parameter |
| |
| 4733 |
| |
| iv. Set T1 -> transDigest to SHA-1 (T1 -> transDigest || L2) |
| |
| 47349. If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_EXCLUSIVE then set |
| 4735 |
| TPM_STANY_FLAGS -> transportExclusive to TRUE |
| 4736 |
| 4737 |
| 4738 |
| 1146 |
| 1147 |
| |
| a. Execution |
| of |
| any |
| command |
| other |
| than |
| TPM_ExecuteTransport |
| or |
| TPM_ReleaseTransportSigned targeting this transport session will cause the abnormal |
| invalidation of this transport session transHandle |
| 244 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1148TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1149Specification Version 1.2 |
| |
| 4739 |
| 4740 |
| |
| b. The TPM gives no indication, other than invalidation of transHandle, that the session |
| is terminated |
| |
| 474110.Return T1 -> transHandle as transHandle |
| |
| 1150Level 2 Revision 116 28 February 2011 |
| 1151 |
| |
| 245 |
| TCG Published |
| |
| 1152Copyright © TCG |
| 1153 |
| 1154 |
| |
| 474224.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_ExecuteTransport |
| |
| 4743Start of informative comment: |
| 4744Delivers a wrapped TPM command to the TPM where the TPM unwraps the command and |
| 4745then executes the command. |
| 4746TPM_ExecuteTransport uses the same rolling nonce paradigm as other authorized TPM |
| 4747commands. The even nonces start in TPM_EstablishTransport and change on each |
| 4748invocation of TPM_ExecuteTransport. |
| 4749The only restriction on what can happen inside of a transport session is that there is no |
| 4750“nesting” of sessions. It is permissible to perform operations that delete internal state and |
| 4751make the TPM inoperable. |
| 4752Because, in general, key handles are not logged, a digest of the corresponding public key is |
| 4753logged. In cases where the key handle is logged (e.g. TPM_OwnerReadInternalPub), the |
| 4754public key is also logged. |
| 4755The wrapped command is audited twice – once according to the actions of |
| 4756TPM_ExecuteTransport and once within the wrapped command itself according to the |
| 4757special rules for auditing a command wrapped in an encrypted transport session. |
| 4758The method of incrementing the symmetric key counter value is different from that used by |
| 4759some standard crypto libraries (e.g. openSSL, Java JCE) that increment the entire counter |
| 4760value. TPM users should be aware of this to avoid errors when the counter wraps. |
| 4761End of informative comment. |
| 4762Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ExecuteTransport |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| wrappedCmdSize |
| |
| Size of the wrapped command |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| BYTE[] |
| |
| wrappedCmd |
| |
| The wrapped command |
| |
| 6 |
| |
| 4 |
| |
| TPM_TRANSHANDLE |
| |
| transHandle |
| |
| The transport session handle |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| transLastNonceEven |
| |
| Even nonce previously generated by TPM |
| |
| 7 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| transNonceOdd |
| |
| Nonce generated by caller |
| |
| 8 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueTransSession |
| |
| The continue use flag for the authorization session handle |
| |
| 9 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| transAuth |
| |
| HMAC for transHandle key: transHandle -> authData |
| |
| 4763 |
| |
| 1155 |
| 1156 |
| |
| 246 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1157TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1158Specification Version 1.2 |
| |
| 4764Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the ExecuteTransport command. This does not reflect |
| the status of wrapped command. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ExecuteTransport |
| |
| 4 |
| |
| 8 |
| |
| 3S |
| |
| 8 |
| |
| UINT64 |
| |
| currentTicks |
| |
| The current ticks when the command was executed |
| |
| 5 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| TPM_MODIFIER_INDICATOR |
| |
| locality |
| |
| The locality that called this command |
| |
| 6 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| wrappedRspSize |
| |
| Size of the wrapped response |
| |
| 7 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[] |
| |
| wrappedRsp |
| |
| The wrapped response |
| |
| 8 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| transNonceEven |
| |
| Even nonce newly generated by TPM |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| transNonceOdd |
| |
| Nonce generated by caller |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueTransSession |
| |
| The continue use flag for the session |
| |
| TPM_AUTHDATA |
| |
| transAuth |
| |
| HMAC for transHandle key: transHandle -> authData |
| |
| 9 |
| |
| 1 |
| |
| 10 |
| |
| 20 |
| |
| 4765Description |
| 47661. This command executes a TPM command using the transport session. |
| 47672. |
| 4768 |
| 4769 |
| 4770 |
| |
| Prior to execution of the wrapped command (action 11 below) failure of the transport |
| session MUST have no effect on the resources referenced by the wrapped command. The |
| exception is when the TPM goes into failure mode and return FAILED_SELFTEST for all |
| subsequent commands. |
| |
| 47713. |
| 4772 |
| 4773 |
| 4774 |
| 4775 |
| 4776 |
| |
| After execution of the wrapped command, failure of the transport session MAY NOT |
| affect wrapped command resources. That is, the TPM is not required to clean up the |
| effects of the wrapped command. Sessions and keys MAY remain loaded. It is |
| understood that the transport session will be returning an error code and not reporting |
| any session nonces. Therefore, wrapped sessions are no longer useful to the caller. It is |
| the responsibility of the caller to clean up the result of the wrapped command. |
| |
| 47774. Execution of the wrapped command (action 11) SHOULD have no effect on the transport |
| 4778 |
| session. |
| 4779 |
| 4780 |
| |
| a. The wrapped command SHALL use no resources of the transport session, this |
| includes authorization sessions |
| |
| 4781 |
| 4782 |
| |
| b. If the wrapped command execution returns an error (action 11 below) then the |
| sessions for TPM_ExecuteTransport still operate properly. |
| |
| 4783 |
| 4784 |
| |
| c. The exception to this is when the wrapped command causes the TPM to go into |
| failure mode and return TPM_FAILSELFTEST for all subsequent commands |
| |
| 47855. Field layout |
| 4786 |
| |
| a. Notation |
| |
| 4787i. et indicates the outer TPM_ExecuteTransport command and response |
| 1159Level 2 Revision 116 28 February 2011 |
| 1160 |
| |
| 247 |
| TCG Published |
| |
| 1161Copyright © TCG |
| 1162 |
| 1163 |
| |
| 4788ii. w indicates the inner |
| 4789 |
| TPM_ExecuteTransport. |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| command |
| |
| and |
| |
| response |
| |
| that |
| |
| is |
| |
| wrapped |
| |
| by |
| |
| the |
| |
| 4790iii. (o) indicates optional parameters that may or may not be present in the wrapped |
| 4791 |
| command. |
| 4792 |
| |
| b. Command representation |
| |
| 4793 |
| |
| c. ****************************************************************************** |
| |
| 4794 |
| |
| d. TAGet | LENet | ORDet | wrappedCmdSize | wrappedCmd | AUTHet |
| |
| 4795 |
| |
| e. ****************************************************************************** |
| |
| 4796 |
| |
| f. wrappedCmd looks like the following |
| |
| 4797 |
| |
| g. **************************************************************************************** |
| |
| 4798 |
| |
| h. TAGw | LENw | ORDw | HANDLESw(o) | DATAw | AUTH1w (o) | AUTH2w (o) |
| |
| 4799 |
| |
| i. |
| |
| 4800 |
| |
| j. |
| |
| | LEN1 | |
| |
| 4801 |
| |
| k. |
| |
| | E1 |
| |
| | (encrypted) |
| |
| 4802 |
| |
| l. |
| |
| | C1 |
| |
| | (decrypted) |
| |
| 4803 |
| |
| m. Response representation |
| |
| 4804 |
| |
| n. ******************************************************************************* |
| |
| 4805 |
| |
| o. TAGet | LENet | RCet | … | wrappedRspSize | wrappedRsp | AUTHet |
| |
| 4806 |
| |
| p. ******************************************************************************* |
| |
| 4807 |
| |
| q. wrappedRsp looks like the following |
| |
| 4808 |
| |
| r. ************************************************************************************* |
| |
| 4809 |
| |
| s. TAGw | LENw | RCw | HANDLESw(o) | DATAw | AUTH1w (o) | AUTH2w (o) |
| |
| 4810 |
| |
| t. ************************************************************************************* |
| |
| 4811 |
| |
| u. |
| |
| 4812 |
| |
| v. | -------------------------- C2 -------------------------------------------------- | |
| |
| 4813 |
| |
| w. |
| |
| | S2 |
| |
| | (decrypted) |
| |
| 4814 |
| |
| x. |
| |
| | E2 |
| |
| | (encrypted) |
| |
| 4815 |
| |
| y. The only command and response parameter that is possibly encrypted is DATAw. |
| |
| **************************************************************************************** |
| |
| | LEN2 | |
| |
| 48166. Additional DATAw comments |
| 4817 |
| |
| a. For TPM_FlushSpecific and TPM_SaveContext |
| |
| 4818 |
| |
| i. |
| |
| 4819 |
| 4820 |
| |
| (1) It is understood that encrypting the resourceType prevents a determination of |
| the handle type. |
| |
| 4821 |
| |
| ii. If the resourceType is TPM_RT_KEY, then the public key MUST be logged. |
| |
| 4822 |
| 1164 |
| 1165 |
| |
| The DATAw part of these commands does not include the handle. |
| |
| b. For TPM_DAA_Join and TPM_DAA_Sign |
| 248 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1166TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1167Specification Version 1.2 |
| |
| 4823 |
| 4824 |
| 4825 |
| |
| i. The DATAw part of these commands does not include the input handle. The |
| output handle from stage 0 is included in DATAW. |
| c. For TPM_LoadKey2 |
| |
| 4826 |
| 4827 |
| 4828 |
| |
| i. The outgoing handle is not part of the outgoing DATAw and is not encrypted or |
| logged by the outgoing transport. |
| d. For TPM_LoadKey |
| |
| 4829 |
| 4830 |
| 4831 |
| |
| i. The outgoing handle is part of the outgoing DATAw and is encrypted and |
| logged. |
| e. For TPM_LoadContext |
| |
| 4832 |
| 4833 |
| |
| i. The outgoing handle is not part of the outgoing DATAw and is not encrypted or |
| logged by the outgoing transport. |
| |
| 4834 |
| 4835 |
| |
| (1) It is understood that encrypting the contextBlob prevents a determination of |
| the handle type. |
| |
| 4836 |
| 4837 |
| |
| f. For TPM_OIAP and TPM_OSAP, |
| or logged. |
| |
| 4838 |
| 4839 |
| 4840 |
| 4841 |
| |
| i. For TPM_OSAP, the public key MUST NOT be logged. During a logged |
| transport session, when a wrapped command uses the key, the public key |
| referenced by the key handle will be logged in the transport. Thus, the audit trail |
| is established for any key usage at that time. |
| |
| 4842 |
| |
| g. For TPM_DSAP |
| |
| 4843 |
| |
| i. |
| |
| 4844 |
| |
| ii. For output no parameters are encrypted or logged. |
| |
| no input or output parameters are encrypted |
| |
| For input, only entityValue is encrypted and logged. |
| |
| 48457. |
| 4846 |
| 4847 |
| 4848 |
| 4849 |
| 4850 |
| |
| TPM_ExecuteTransport returns an implementation defined result when the wrapped |
| command would cause termination of the transport session. Implementation defined |
| possibilities include but are not limited to: the wrapped command may execute, |
| completely, partially, or not at all, the transport session may or may not be terminated, |
| continueTransSession may not be processed or returned correctly, and an error may or |
| may not be returned. The wrapped commands include: |
| |
| 4851 |
| |
| a. TPM_FlushSpecific, TPM_SaveContext targeting the transport session |
| |
| 4852 |
| |
| b. TPM_OwnerClear, TPM_ForceClear, TPM_RevokeTrust |
| |
| 4853Actions |
| 48541. Using transHandle locate the TPM_TRANSPORT_INTERNAL structure T1 |
| 48552. Parse wrappedCmd |
| 4856 |
| |
| a. Set TAGw, LENw, and ORDw to the parameters from wrappedCmd |
| |
| 4857 |
| |
| b. Set E1 to DATAw |
| |
| 4858 |
| 4859 |
| 4860 |
| |
| i. This pointer is ordinal dependent and requires the execute transport |
| command to parse wrappedCmd |
| c. Set LEN1 to the length of DATAw |
| |
| 1168Level 2 Revision 116 28 February 2011 |
| 1169 |
| |
| 249 |
| TCG Published |
| |
| 1170Copyright © TCG |
| 1171 |
| 1172 |
| |
| 4861 |
| |
| i. |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| DATAw always ends at the start of AUTH1w if AUTH1w is present |
| |
| 48623. If LEN1 is less than 0, or if ORDw is unknown, unimplemented, or cannot be determined |
| 4863 |
| |
| a. Return TPM_BAD_PARAMETER |
| |
| 48644. If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT set then |
| 4865 |
| |
| a. If T1 -> transPublic -> algId is TPM_ALG_MGF1 |
| |
| 4866 |
| 4867 |
| 4868 |
| |
| i. Using the MGF1 function, create string G1 of length LEN1. The inputs to the |
| MGF1 are transLastNonceEven, transNonceOdd, “in”, and T1 -> authData. These |
| four values concatenated together form the Z value that is the seed for the MGF1. |
| |
| 4869 |
| |
| ii. Create C1 by performing an XOR of G1 and wrappedCmd starting at E1. |
| |
| 4870 |
| |
| b. If the encryption algorithm requires an IV or CTR, calculate the IV or CTR value |
| |
| 4871 |
| 4872 |
| 4873 |
| 4874 |
| 4875 |
| 4876 |
| |
| i. Using the MGF1 function, create string IV1 or CTR1 with a length set by the |
| block size of the encryption algorithm. The inputs to the MGF1 are |
| transLastNonceEven, transNonceOdd, and “in”. These three values concatenated |
| together form the Z value that is the seed for the MGF1. Note that any |
| terminating characters within the string “in” are ignored, so a total of 42 bytes are |
| hashed. |
| |
| 4877 |
| |
| ii. The symmetric key is taken from the first bytes of T1 -> authData. |
| |
| 4878 |
| |
| iii. Decrypt DATAw and replace the DATAw area of E1 creating C1 |
| |
| 4879 |
| |
| c. TPM_OSAP, TPM_OIAP have no parameters encrypted |
| |
| 4880 |
| |
| d. TPM_DSAP has special rules for parameter encryption |
| |
| 48815. Else |
| 4882 |
| |
| a. Set C1 to the DATAw area E1 of wrappedCmd |
| |
| 48836. Create H1 the SHA-1 of (ORDw || C1). |
| 4884 |
| |
| a. C1 MUST point at the decrypted DATAw area of E1 |
| |
| 4885 |
| 4886 |
| |
| b. The TPM MAY use this calculation for both execute transport authorization, |
| authorization of the wrapped command and transport log creation |
| |
| 48877. Validate the incoming transport session authorization |
| 4888 |
| |
| a. Set inParamDigest to SHA-1 (ORDet || wrappedCmdSize || H1) |
| |
| 4889 |
| 4890 |
| |
| b. Calculate the HMAC of (inParamDigest || transLastNonceEven || transNonceOdd || |
| continueTransSession) using T1 -> authData as the HMAC key |
| |
| 4891 |
| |
| c. Validate transAuth, on errors return TPM_AUTHFAIL |
| |
| 48928. If TPM_ExecuteTransport requires auditing |
| 4893 |
| 4894 |
| |
| a. Create TPM_AUDIT_EVENT_IN using H1 as the input parameter digest and update |
| auditDigest |
| |
| 4895 |
| |
| b. On any error return TPM_AUDITFAIL_UNSUCCESSFUL |
| |
| 48969. If ORDw is from the list of following commands return TPM_NO_WRAP_TRANSPORT |
| 4897 |
| 1173 |
| 1174 |
| |
| a. TPM_EstablishTransport |
| 250 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1175TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1176Specification Version 1.2 |
| |
| 4898 |
| |
| b. TPM_ExecuteTransport |
| |
| 4899 |
| |
| c. TPM_ReleaseTransportSigned |
| |
| 490010.If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_LOG set then |
| 4901 |
| |
| a. Create L2 a TPM_TRANSPORT_LOG_IN structure |
| |
| 4902 |
| |
| b. Set L2 -> parameters to H1 |
| |
| 4903 |
| |
| c. If ORDw is a command with no key handles |
| |
| 4904 |
| 4905 |
| |
| i. |
| |
| Set L2 -> pubKeyHash to all zeros |
| |
| d. If ORDw is a command with one key handle |
| |
| 4906 |
| 4907 |
| |
| i. Create K2 the hash of the TPM_STORE_PUBKEY structure of the key pointed |
| to by the key handle. |
| |
| 4908 |
| |
| ii. Set L2 -> pubKeyHash to SHA-1 (K2) |
| |
| 4909 |
| |
| e. If ORDw is a command with two key handles |
| |
| 4910 |
| 4911 |
| |
| i. Create K2 the hash of the TPM_STORE_PUBKEY structure of the key pointed |
| to by the first key handle. |
| |
| 4912 |
| 4913 |
| |
| ii. Create K3 the hash of the TPM_STORE_PUBKEY structure of the key pointed |
| to by the second key handle. |
| |
| 4914 |
| |
| iii. Set L2 -> pubKeyHash to SHA-1 (K2 || K3) |
| |
| 4915 |
| |
| f. Set T1 -> transDigest to the SHA-1 (T1 -> transDigest || L2) |
| |
| 4916 |
| 4917 |
| |
| g. If ORDw is a command with key handles, and the key is not loaded, return |
| TPM_INVALID_KEYHANDLE. |
| |
| 491811.Send the wrapped command to the normal TPM command parser, the output is C2 and |
| 4919 |
| the return code is RCw |
| 4920 |
| 4921 |
| |
| a. If ORDw is a command that is audited then the TPM MUST perform the input and |
| output audit of the command as part of this action. |
| |
| 4922 |
| 4923 |
| |
| b. The TPM MAY use H1 as the data value in the authorization and audit calculations |
| during the execution of C1 |
| |
| 492412.Set CT1 to TPM_STANY_DATA -> currentTicks -> currentTicks and return CT1 in the |
| 4925 |
| currentTicks output parameter |
| 492613.Calculate S2 the pointer to the DATAw area of C2 |
| 4927 |
| |
| a. Calculate LEN2 the length of S2 according to the same rules that calculated LEN1 |
| |
| 492814.Create H2 the SHA-1 of (RCw || ORDw || S2) |
| 4929 |
| 4930 |
| |
| a. The TPM MAY use this calculation for execute transport authorization and transport |
| log out creation |
| |
| 493115.Calculate the outgoing transport session authorization |
| 4932 |
| |
| a. Create the new transNonceEven for the output of the command |
| |
| 4933 |
| 4934 |
| |
| b. Set outParamDigest to SHA-1 (RCet || ORDet || TPM_STANY_DATA -> currentTicks |
| -> currentTicks || locality || wrappedRspSize || H2) |
| |
| 1177Level 2 Revision 116 28 February 2011 |
| 1178 |
| |
| 251 |
| TCG Published |
| |
| 1179Copyright © TCG |
| 1180 |
| 1181 |
| |
| 4935 |
| 4936 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| c. Calculate transAuth, the HMAC of (outParamDigest || transNonceEven || |
| transNonceOdd || continueTransSession) using T1 -> authData as the HMAC key |
| |
| 493716.If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_LOG set then |
| 4938 |
| |
| a. Create L3 a TPM_TRANSPORT_LOG_OUT structure |
| |
| 4939 |
| |
| b. Set L3 -> parameters to H2 |
| |
| 4940 |
| |
| c. Set L3 -> currentTicks to TPM_STANY_DATA -> currentTicks |
| |
| 4941 |
| |
| d. Set L3 -> locality to TPM_STANY_DATA -> localityModifier |
| |
| 4942 |
| |
| e. Set T1 -> transDigest to the SHA-1 (T1 -> transDigest || L3) |
| |
| 494317.If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT set then |
| 4944 |
| |
| a. If T1 -> transPublic -> algId is TPM_ALG_MGF1 |
| |
| 4945 |
| 4946 |
| 4947 |
| |
| i. Using the MGF1 function, create string G2 of length LEN2. The inputs to the |
| MGF1 are transNonceEven, transNonceOdd, “out”, and T1 -> authData. These |
| four values concatenated together form the Z value that is the seed for the MGF1. |
| |
| 4948 |
| |
| ii. Create E2 by performing an XOR of G2 and C2 starting at S2. |
| |
| 4949 |
| |
| b. Else |
| |
| 4950 |
| 4951 |
| 4952 |
| |
| i. Create IV2 or CTR2 using the same algorithm as IV1 or CTR1 with the input |
| values transNonceEven, transNonceOdd, and “out”. Note that any terminating |
| characters within the string “out” are ignored, so a total of 43 bytes are hashed. |
| |
| 4953 |
| |
| ii. The symmetric key is taken from the first bytes of T1 -> authData |
| |
| 4954 |
| |
| iii. Create E2 by encrypting C2 starting at S2 |
| |
| 495518.Else |
| 4956 |
| |
| a. Set E2 to the DATAw area S2 of wrappedRsp |
| |
| 495719.If continueTransSession is FALSE |
| 4958 |
| |
| a. Invalidate all session data related to transHandle |
| |
| 495920.If TPM_ExecuteTranport requires auditing |
| 4960 |
| 4961 |
| |
| a. Create TPM_AUDIT_EVENT_OUT using H2 for the parameters and update the |
| auditDigest |
| |
| 4962 |
| 4963 |
| |
| b. On |
| any |
| errors |
| return |
| TPM_AUDITFAIL_SUCCESSFUL |
| TPM_AUDITFAIL_UNSUCCESSFUL depending on RCw |
| |
| 496421.Return C2 but with S2 replaced by E2 in the wrappedRsp parameter |
| |
| 1182 |
| 1183 |
| |
| 252 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| or |
| |
| 1184TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1185Specification Version 1.2 |
| |
| 496524.3 |
| |
| TPM_ReleaseTransportSigned |
| |
| 4966Start of informative comment: |
| 4967This command completes the transport session. If logging for this session is turned on, then |
| 4968this command returns a digital signature of the hash of all operations performed during the |
| 4969session. |
| 4970This command serves no purpose if logging is turned off, and results in an error if |
| 4971attempted. |
| 4972This command uses two authorization sessions, the key that will sign the log and the |
| 4973authorization from the session. Having the session authorization proves that the requestor |
| 4974that is signing the log is the owner of the session. If this restriction is not put in then an |
| 4975attacker can close the log and sign using their own key. |
| 4976The hash of the session log includes the information associated with the input phase of |
| 4977execution of the TPM_ReleaseTransportSigned command. It cannot include the output |
| 4978phase information. |
| 4979End of informative comment. |
| 4980Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH2_COMMAND |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReleaseTransportSigned |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| Handle of a loaded key that will perform the signing |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| Value provided by caller for anti-replay protection |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session to use key |
| |
| # |
| |
| SZ |
| |
| 1 |
| 2 |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| 5 |
| |
| 20 |
| |
| 6 |
| |
| # |
| |
| 4 |
| |
| 1S |
| |
| 2S |
| |
| SZ |
| |
| 4 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 7 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authNonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 8 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 9 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| keyAuth |
| |
| The authorization session digest that authorizes the use of key. HMAC |
| key: key -> usageAuth |
| |
| 10 |
| |
| 4 |
| |
| TPM_TRANSHANDLE |
| |
| transHandle |
| |
| The transport session handle |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| transLastNonceEven |
| |
| Even nonce in use by execute Transport |
| |
| 11 |
| |
| 20 |
| |
| 3H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| transNonceOdd |
| |
| Nonce supplied by caller for transport session |
| |
| 12 |
| |
| 1 |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueTransSession |
| |
| The continue use flag for the authorization session handle |
| |
| 13 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| transAuth |
| |
| HMAC for transport session key: transHandle -> authData |
| |
| 1186Level 2 Revision 116 28 February 2011 |
| 1187 |
| |
| 253 |
| TCG Published |
| |
| 1188Copyright © TCG |
| 1189 |
| 1190 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 4981Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH2_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReleaseTransportSigned |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| TPM_MODIFIER_INDICATOR |
| |
| locality |
| |
| The locality that called this command |
| |
| 5 |
| |
| 32 |
| |
| 4S |
| |
| 32 |
| |
| TPM_CURRENT_TICKS |
| |
| currentTicks |
| |
| The current ticks when the command executed |
| |
| 6 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| signSize |
| |
| The size of the signature area |
| |
| 7 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[] |
| |
| signature |
| |
| The signature of the digest |
| |
| 8 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authNonceEven |
| |
| Even nonce newly generated by TPM |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authNonceOdd |
| |
| Nonce generated by caller |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the session |
| |
| TPM_AUTHDATA |
| |
| keyAuth |
| |
| HMAC: key -> usageAuth |
| |
| 9 |
| |
| 1 |
| |
| 10 |
| |
| 20 |
| |
| 11 |
| |
| 20 |
| |
| 1 |
| |
| 13 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| transNonceEven |
| |
| Even nonce newly generated by TPM |
| |
| 3H2 |
| 12 |
| |
| 2H2 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| transNonceOdd |
| |
| Nonce generated by caller |
| |
| 4H2 |
| |
| 1 |
| |
| BOOL |
| |
| continueTransSession |
| |
| The continue use flag for the session |
| |
| TPM_AUTHDATA |
| |
| transAuth |
| |
| HMAC: transHandle -> authData |
| |
| 20 |
| |
| 4982Description |
| 4983This command releases a transport session and signs the transport log |
| 4984Actions |
| 49851. Using transHandle locate the TPM_TRANSPORT_INTERNAL structure T1 |
| 49862. Validate that keyHandle -> sigScheme is TPM_SS_RSASSAPKCS1v15_SHA1 or |
| 4987 |
| TPM_SS_RSASSAPKCS1v15_INFO, if not return TPM_INAPPROPRIATE_SIG. |
| 49883. Validate that keyHandle |
| 4989 |
| TPM_INVALID_KEYUSAGE |
| |
| -> |
| |
| keyUsage |
| |
| is |
| |
| TPM_KEY_SIGNING, |
| |
| if |
| |
| not |
| |
| return |
| |
| 49904. Using key -> authData validate the command and parameters, on error return |
| 4991 |
| TPM_AUTHFAIL |
| 49925. Using transHandle -> authData validate the command and parameters, on error return |
| 4993 |
| TPM_AUTH2FAIL |
| 49946. If T1 -> transAttributes has TPM_TRANSPORT_LOG set then |
| 4995 |
| |
| a. Create A1 a TPM_TRANSPORT_LOG_OUT structure |
| |
| 4996 |
| |
| b. Set A1 –> parameters to the SHA-1 (ordinal || antiReplay) |
| |
| 4997 |
| |
| c. Set A1 -> currentTicks to TPM_STANY_DATA -> currentTicks |
| |
| 4998 |
| |
| d. Set A1 -> locality to the locality modifier for this command |
| |
| 1191 |
| 1192 |
| |
| 254 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1193TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1194Specification Version 1.2 |
| |
| 4999 |
| |
| e. Set T1 -> transDigest to SHA-1 (T1 -> transDigest || A1) |
| |
| 50007. Else |
| 5001 |
| |
| a. Return TPM_BAD_MODE |
| |
| 50028. Create H1 a TPM_SIGN_INFO structure and set the structure defaults |
| 5003 |
| |
| a. Set H1 -> fixed to “TRAN” |
| |
| 5004 |
| |
| b. Set H1 -> replay to antiReplay |
| |
| 5005 |
| |
| c. Set H1 -> data to T1 -> transDigest |
| |
| 5006 |
| |
| d. Sign SHA-1 hash of H1 using the key pointed to by keyHandle |
| |
| 50079. Invalidate all session data related to T1 |
| 500810.Set continueTransSession to FALSE |
| 500911.Return TPM_SUCCESS |
| |
| 1195Level 2 Revision 116 28 February 2011 |
| 1196 |
| |
| 255 |
| TCG Published |
| |
| 1197Copyright © TCG |
| 1198 |
| 1199 |
| |
| 501025. |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Monotonic Counter |
| |
| 501125.1 |
| |
| TPM_CreateCounter |
| |
| 5012Start of informative comment: |
| 5013This command creates the counter but does not select the counter. Counter creation |
| 5014assigns an AuthData value to the counter and sets the counters original start value. The |
| 5015original start value is the current internal base value plus one. Setting the new counter to |
| 5016the internal base avoids attacks on the system that are attempting to use old counter |
| 5017values. |
| 5018End of informative comment. |
| 5019Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes incl. paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CreateCounter |
| |
| 4 |
| |
| 20 |
| |
| 2S |
| |
| 20 |
| |
| TPM_ENCAUTH |
| |
| encAuth |
| |
| The encrypted auth data for the new counter |
| |
| 5 |
| |
| 4 |
| |
| 3s |
| |
| 4 |
| |
| BYTE |
| |
| label |
| |
| Label to associate with counter |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Ignored |
| |
| 10 |
| |
| 20 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| Authorization ownerAuth. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 5020Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CreateCounter |
| |
| 4 |
| |
| 4 |
| |
| 3s |
| |
| 4 |
| |
| TPM_COUNT_ID |
| |
| countID |
| |
| The handle for the counter |
| |
| 5 |
| |
| 10 |
| |
| 4S |
| |
| 10 |
| |
| TPM_COUNTER_VALUE |
| |
| counterValue |
| |
| The starting counter value |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Fixed value of FALSE |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization. HMAC key: ownerAuth. |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 5021Description |
| 1200 |
| 1201 |
| |
| 256 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1202TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1203Specification Version 1.2 |
| |
| 5022This command creates a new monotonic counter. The TPM MUST support a minimum of 4 |
| 5023concurrent counters. |
| 5024Actions |
| 5025The TPM SHALL do the following: |
| 50261. Using the authHandle field, validate the owner’s AuthData to execute the command and |
| 5027 |
| all of the incoming parameters. The authorization session MUST be OSAP or DSAP |
| 50282. Ignore continueAuthSession on input and set continueAuthSession to FALSE on output |
| 50293. Create a1 by decrypting encAuth according to the ADIP indicated by authHandle. |
| 50304. Validate that there is sufficient internal space in the TPM to create a new counter. If |
| 5031 |
| there is insufficient space, the command returns an error. |
| 5032 |
| 5033 |
| |
| a. The TPM MUST provide storage for a1, TPM_COUNTER_VALUE, countID, and any |
| other internal data the TPM needs to associate with the counter |
| |
| 50345. Increment the max counter value |
| 50356. Set the counter to the max counter value |
| 50367. Set the counter label to label |
| 50378. Create a countID |
| |
| 1204Level 2 Revision 116 28 February 2011 |
| 1205 |
| |
| 257 |
| TCG Published |
| |
| 1206Copyright © TCG |
| 1207 |
| 1208 |
| |
| 503825.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_IncrementCounter |
| |
| 5039Start of informative comment: |
| 5040This authorized command increments the indicated counter by one. Once a counter has |
| 5041been incremented then all subsequent increments must be for the same handle until a |
| 5042successful TPM_Startup(ST_CLEAR) is executed. |
| 5043The order for checking validation of the command parameters when no counter is active, |
| 5044keeps an attacker from creating a denial-of-service attack. |
| 5045End of informative comment. |
| 5046Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_IncrementCounter |
| |
| 4 |
| |
| 4 |
| |
| 2s |
| |
| 4 |
| |
| TPM_COUNT_ID |
| |
| countID |
| |
| The handle of a valid counter |
| |
| 5 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for counter authorization |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 6 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 7 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 8 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| counterAuth |
| |
| The authorization session digest that authorizes the use of countID. |
| HMAC key: countID -> authData |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 5047Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_IncrementCounter |
| |
| 5 |
| |
| 10 |
| |
| 3S |
| |
| 10 |
| |
| TPM_COUNTER_VALUE |
| |
| count |
| |
| The counter value |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| countID -> authData |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 5048Description |
| 5049This function increments the counter by 1. |
| 5050The TPM MAY implement increment throttling to avoid burn problems |
| 1209 |
| 1210 |
| |
| 258 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1211TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1212Specification Version 1.2 |
| |
| 5051Actions |
| 50521. If TPM_STCLEAR_DATA -> countID is 0 |
| 5053 |
| |
| a. Validate that countID is a valid counter, return TPM_BAD_COUNTER on mismatch |
| |
| 5054 |
| |
| b. Validate the command parameters using counterAuth |
| |
| 5055 |
| |
| c. Set TPM_STCLEAR_DATA -> countID to countID |
| |
| 50562. else |
| 5057 |
| 5058 |
| 5059 |
| |
| a. If TPM_STCLEAR_DATA -> countID does not equal countID |
| i. |
| |
| Return TPM_BAD_COUNTER |
| |
| b. Validate the command parameters using counterAuth |
| |
| 50603. Increments the counter by 1 |
| 50614. Return new count value in count |
| |
| 1213Level 2 Revision 116 28 February 2011 |
| 1214 |
| |
| 259 |
| TCG Published |
| |
| 1215Copyright © TCG |
| 1216 |
| 1217 |
| |
| 506225.3 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_ReadCounter |
| |
| 5063Start of informative comment: |
| 5064Reading the counter provides the caller with the current number in the sequence. |
| 5065End of informative comment. |
| 5066Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes incl. paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReadCounter |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_COUNT_ID |
| |
| countID |
| |
| ID value of the counter |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 5067Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 10 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReadCounter |
| |
| 3S |
| |
| 10 |
| |
| TPM_COUNTER_VALUE |
| |
| count |
| |
| The counter value |
| |
| 5068Description |
| 5069This returns the current value for the counter indicated. The counter MAY be any valid |
| 5070counter. |
| 5071Actions |
| 50721. Validate that countID points to a valid counter. Return TPM_BAD_COUNTER on error. |
| 50732. Return count |
| |
| 1218 |
| 1219 |
| |
| 260 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1220TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1221Specification Version 1.2 |
| |
| 507425.4 |
| |
| TPM_ReleaseCounter |
| |
| 5075Start of informative comment: |
| 5076This command releases a counter such that no reads or increments of the indicated counter |
| 5077will succeed. |
| 5078End of informative comment. |
| 5079Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReleaseCounter |
| |
| 4 |
| |
| 4 |
| |
| 2s |
| |
| 4 |
| |
| TPM_COUNT_ID |
| |
| countID |
| |
| ID value of the counter |
| |
| 5 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for countID authorization |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 6 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce associated with countID |
| |
| 7 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 8 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| counterAuth |
| |
| The authorization session digest that authorizes the use of countID. |
| HMAC key: countID -> authData |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 5080Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReleaseCounter |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| countID -> authData |
| |
| 20 |
| |
| 5081Actions |
| 5082The TPM uses countID to locate a valid counter. |
| 50831. Authenticate the command and the parameters using the AuthData pointed to by |
| 5084 |
| countID. Return TPM_AUTHFAIL on error |
| 50852. The TPM invalidates all internal information regarding the counter. This includes |
| 5086 |
| releasing countID such that any subsequent attempts to use countID will fail. |
| 50873. The TPM invalidates sessions |
| 1222Level 2 Revision 116 28 February 2011 |
| 1223 |
| |
| 261 |
| TCG Published |
| |
| 1224Copyright © TCG |
| 1225 |
| 1226 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5088 |
| |
| a. MUST invalidate all OSAP sessions associated with the counter |
| |
| 5089 |
| |
| b. MAY invalidate any other session |
| |
| 50904. If TPM_STCLEAR_DATA -> countID equals countID, |
| 5091 |
| |
| 1227 |
| 1228 |
| |
| a. Set TPM_STCLEAR_DATA -> countID to an illegal value (not the zero value) |
| |
| 262 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1229TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1230Specification Version 1.2 |
| |
| 509225.5 |
| |
| TPM_ReleaseCounterOwner |
| |
| 5093Start of informative comment: |
| 5094This command releases a counter such that no reads or increments of the indicated counter |
| 5095will succeed. |
| 5096End of informative comment. |
| 5097Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReleaseCounterOwner |
| |
| 4 |
| |
| 4 |
| |
| 2s |
| |
| 4 |
| |
| TPM_COUNT_ID |
| |
| countID |
| |
| ID value of the counter |
| |
| 5 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 6 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 7 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 8 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest that authorizes the inputs. HMAC key: |
| ownerAuth |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 5098Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ReleaseCounterOwner |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth |
| |
| 20 |
| |
| 5099Description |
| 5100This invalidates all information regarding a counter. |
| 5101Actions |
| 51021. Validate that ownerAuth properly authorizes the command and parameters |
| 51032. The TPM uses countID to locate a valid counter. Return TPM_BAD_COUNTER if not |
| 5104 |
| found. |
| 1231Level 2 Revision 116 28 February 2011 |
| 1232 |
| |
| 263 |
| TCG Published |
| |
| 1233Copyright © TCG |
| 1234 |
| 1235 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 51053. The TPM invalidates all internal information regarding the counter. This includes |
| 5106 |
| releasing countID such that any subsequent attempts to use countID will fail. |
| 51074. The TPM invalidates sessions |
| 5108 |
| |
| a. MUST invalidate all OSAP sessions associated with the counter |
| |
| 5109 |
| |
| b. MAY invalidate any other session |
| |
| 51105. If TPM_STCLEAR_DATA -> countID equals countID, |
| 5111 |
| |
| 1236 |
| 1237 |
| |
| a. Set TPM_STCLEAR_DATA -> countID to an illegal value (not the zero value) |
| |
| 264 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1238TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1239Specification Version 1.2 |
| |
| 511226. |
| |
| DAA commands |
| |
| 511326.1 |
| |
| TPM_DAA_Join |
| |
| 5114Start of informative comment: |
| 5115TPM_DAA_Join is the process that establishes the DAA parameters in the TPM for a specific |
| 5116DAA issuing authority. |
| 5117outputSize and outputData are always included in the outParamDigest. This includes stage |
| 51180, where the outputData contains the DAA session handle. |
| 5119 End of informative comment. |
| 5120Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes incl. paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DAA_Join. |
| |
| 4 |
| |
| 4 |
| |
| TPM_HANDLE |
| |
| handle |
| |
| Session handle |
| |
| 5 |
| |
| 1 |
| |
| 2S |
| |
| 1 |
| |
| BYTE |
| |
| stage |
| |
| Processing stage of join |
| |
| 6 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| inputSize0 |
| |
| Size of inputData0 for this stage of JOIN |
| |
| 7 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[] |
| |
| inputData0 |
| |
| Data to be used by this capability |
| |
| 8 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| inputSize1 |
| |
| Size of inputData1 for this stage of JOIN |
| |
| 9 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[] |
| |
| inputData1 |
| |
| Data to be used by this capability |
| |
| 10 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 11 |
| |
| 20 |
| |
| 3 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 12 |
| |
| 1 |
| |
| 4 H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| 13 |
| |
| 20 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner. HMAC key: |
| ownerAuth. |
| |
| 1240Level 2 Revision 116 28 February 2011 |
| 1241 |
| |
| 265 |
| TCG Published |
| |
| 1242Copyright © TCG |
| 1243 |
| 1244 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5121Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes incl. paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DAA_Join. |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| outputSize |
| |
| Size of outputData |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[] |
| |
| outputData |
| |
| Data produced by this capability |
| |
| 6 |
| |
| 20 |
| |
| 2 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4 H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization HMAC key: ownerAuth. |
| |
| 7 |
| 8 |
| |
| 1245 |
| 1246 |
| |
| 1 |
| 20 |
| |
| 266 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1247TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1248Specification Version 1.2 |
| |
| 5122Description |
| 5123This table summaries the input, output and saved data that is associated with each stage of |
| 5124processing. |
| Stage |
| 0 |
| |
| Input Data0 |
| |
| Input Data1 |
| |
| Operation |
| |
| Output Data |
| |
| Scratchpad |
| |
| DAA_count |
| |
| NULL |
| |
| initialise |
| |
| Session Handle |
| |
| NULL |
| |
| (used as # repetitions of stage 1) |
| 1 |
| |
| n0 |
| |
| signatureValue |
| |
| rekeying |
| |
| NULL |
| |
| n0 |
| |
| 2 |
| |
| DAA_issuerSettings |
| |
| signatureValue |
| |
| issuer settings |
| |
| NULL |
| |
| NULL |
| |
| 3 |
| |
| DAA_count |
| |
| NULL |
| |
| DAA_join_uo, |
| |
| NULL |
| |
| NULL |
| |
| DAA_join_u1 |
| 4 |
| |
| DAA_generic_R0 |
| |
| DAA_generic_n |
| |
| P1=R0^f0 mod n |
| |
| NULL |
| |
| P1 |
| |
| 5 |
| |
| DAA_generic_R1 |
| |
| DAA_generic_n |
| |
| P2 = P1*(R1^f1) mod n |
| |
| NULL |
| |
| P2 |
| |
| 6 |
| |
| DAA_generic_S0 |
| |
| DAA_generic_n |
| |
| P3 = P2*(S0^u0) mod n |
| |
| NULL |
| |
| P3 |
| |
| 7 |
| |
| DAA_generic_S1 |
| |
| DAA_generic_n |
| |
| U = P3*(S1^u1) mod n |
| |
| U |
| |
| NULL |
| |
| 8 |
| |
| NE |
| |
| NULL |
| |
| U2 |
| |
| U2 |
| |
| NULL |
| |
| 9 |
| |
| DAA_generic_R0 |
| |
| DAA_generic_n |
| |
| P1=R0^r0 mod n |
| |
| NULL |
| |
| P1 |
| |
| 10 |
| |
| DAA_generic_R1 |
| |
| DAA_generic_n |
| |
| P2 = P1*(R1^r1) mod n |
| |
| NULL |
| |
| P2 |
| |
| 11 |
| |
| DAA_generic_S0 |
| |
| DAA_generic_n |
| |
| P3 = P2*(S0^r2) mod n |
| |
| NULL |
| |
| P3 |
| |
| 12 |
| |
| DAA_generic_S1 |
| |
| DAA_generic_n |
| |
| P4 = P3*(S1^r3) mod n |
| |
| P4 |
| |
| NULL |
| |
| 13 |
| |
| DAA_generic_gamma |
| |
| w |
| |
| w1 = w^q mod gamma |
| |
| NULL |
| |
| w |
| |
| 14 |
| |
| DAA_generic_gamma |
| |
| NULL |
| |
| E = w^f mod gamma |
| |
| E |
| |
| w |
| |
| 15 |
| |
| DAA_generic_gamma |
| |
| NULL |
| |
| r = r0 + (2^power0)*r1 mod q, |
| |
| E1 |
| |
| NULL |
| |
| E1 = w^r mod gamma |
| 16 |
| |
| c1 |
| |
| NULL |
| |
| c = hash(c1 || NT) |
| |
| nt |
| |
| NULL |
| |
| 17 |
| |
| NULL |
| |
| NULL |
| |
| s0 = r0 + c*f0 |
| |
| s0 |
| |
| NULL |
| |
| 18 |
| |
| NULL |
| |
| NULL |
| |
| s1 = r1 + c*f1 |
| |
| s1 |
| |
| NULL |
| |
| 19 |
| |
| NULL |
| |
| NULL |
| |
| s2 = r2 + c*u0 |
| |
| s2 |
| |
| NULL |
| |
| c |
| |
| s12 |
| |
| mod 2^power1 |
| 20 |
| |
| NULL |
| |
| NULL |
| |
| s12 = r2 + c*u0 |
| >> power1 |
| |
| 21 |
| |
| NULL |
| |
| NULL |
| |
| s3 = r3 + c*u1 + s12 |
| |
| s3 |
| |
| NULL |
| |
| 22 |
| |
| u2 |
| |
| NULL |
| |
| v0 = u2 + u0 mod 2^power1 |
| |
| enc(v0) |
| |
| v10 |
| |
| v10 = u2 + u0 >> power1 |
| 23 |
| |
| u3 |
| |
| NULL |
| |
| V1 = u3 + u1 + v10 |
| |
| enc(v1) |
| |
| NULL |
| |
| 24 |
| |
| NULL |
| |
| NULL |
| |
| enc(DAA_tpmSpecific) |
| |
| enc(DAA_tpmSpecific) |
| |
| NULL |
| |
| 5125 |
| |
| 1249Level 2 Revision 116 28 February 2011 |
| 1250 |
| |
| 267 |
| TCG Published |
| |
| 1251Copyright © TCG |
| 1252 |
| 1253 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5126Actions |
| 5127A Trusted Platform Module that receives a valid TPM_DAA_Join command SHALL: |
| 51281. Use ownerAuth to verify that the Owner authorized all TPM_DAA_Join input parameters. |
| 51292. Any error return results in the TPM invalidating all resources associated with the join |
| 51303. Constant values of 0 or 1 are 1 byte integers, stages affected are |
| 5131 |
| |
| a. 4(j), 5(j), 14(f), 17(e) |
| |
| 51324. Representation of the strings “r0” to “r4” are 2-byte ASCII encodings, stages affected are |
| 5133 |
| |
| a. 9(i), 10(h), 11(h), 12(h), 15(f),15(g), 17(d), 18(d), 19(d), 20(d), 21(d) |
| |
| 5134Start of informative comment: |
| 51355. Variable DAA_Count |
| 5136 |
| 5137 |
| 5138 |
| |
| a. In stage 0, DAA_Count denotes the length of the RSA key chain, which certifies the |
| main DAA public key and which will be loaded in stage 1. It also denotes the number of |
| times stage 1 is executed. |
| |
| 5139 |
| 5140 |
| 5141 |
| |
| b. In stage 3 the variable DAA_count denotes the actual DAA counter. It allows a DAA |
| issuer to keep track of the number of times it has issued 'different' DAA credentials to |
| the same platform. (The counter does not need to be equal to the actual number.) |
| |
| 5142End of informative comment. |
| 5143Stages |
| 51440. If stage==0 |
| 5145 |
| |
| c. Determine that sufficient resources are available to perform a TPM_DAA_Join. |
| |
| 5146 |
| 5147 |
| 5148 |
| |
| i. The TPM MUST support sufficient resources to perform one (1) |
| TPM_DAA_Join/ |
| TPM_DAA_Sign. |
| The |
| TPM |
| MAY |
| support |
| additional |
| TPM_DAA_Join/ TPM_DAA_Sign sessions. |
| |
| 5149 |
| 5150 |
| |
| ii. The TPM may share internal resources between the DAA operations and other |
| variable resource requirements: |
| |
| 5151 |
| 5152 |
| 5153 |
| |
| iii. |
| If there are insufficient resources within the stored key pool (and one or |
| more keys need to be removed to permit the DAA operation to execute) return |
| TPM_NOSPACE |
| |
| 5154 |
| 5155 |
| 5156 |
| |
| iv. |
| If there are insufficient resources within the stored session pool (and |
| one or more authorization or transport sessions need to be removed to permit |
| the DAA operation to execute), return TPM_RESOURCES. |
| |
| 5157 |
| |
| d. Set all fields in DAA_issuerSettings = NULL |
| |
| 5158 |
| |
| e. set all fields in DAA_tpmSpecific = NULL |
| |
| 5159 |
| |
| f. set all fields in DAA_session = NULL |
| |
| 5160 |
| |
| g. Set all fields in DAA_joinSession = NULL |
| |
| 5161 |
| 5162 |
| |
| h. Verify that sizeOf(inputData0) == sizeOf(DAA_tpmSpecific -> DAA_count) and return |
| error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 1254 |
| 1255 |
| |
| 268 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1256TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1257Specification Version 1.2 |
| |
| 5163 |
| |
| i. |
| |
| Verify that inputData0 > 0, and return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5164 |
| |
| j. |
| |
| Set DAA_tpmSpecific -> DAA_count = inputData0 |
| |
| 5165 |
| 5166 |
| |
| k. set |
| DAA_session |
| DAA_joinSession) |
| |
| 5167 |
| |
| l. |
| |
| 5168 |
| |
| m. Assign session handle for TPM_DAA_Join |
| |
| 5169 |
| |
| n. set outputData = new session handle |
| |
| 5170 |
| 5171 |
| |
| -> |
| |
| DAA_digestContext |
| |
| = |
| |
| SHA-1(DAA_tpmSpecific |
| |
| || |
| |
| set DAA_session -> DAA_stage = 1 |
| |
| i. |
| |
| The handle in outputData is included the output HMAC. |
| |
| o. return TPM_SUCCESS |
| |
| 51726. If stage==1 |
| 5173 |
| 5174 |
| |
| a. Verify that DAA_session ->DAA_stage==1. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5175 |
| 5176 |
| |
| b. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5177 |
| 5178 |
| |
| c. Verify that sizeOf(inputData0) == DAA_SIZE_issuerModulus and return error |
| TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5179 |
| |
| d. If DAA_session -> DAA_scratch == NULL: |
| |
| 5180 |
| |
| i. |
| |
| 5181 |
| |
| ii. set DAA_joinSession -> DAA_digest_n0 = SHA-1(DAA_session -> DAA_scratch) |
| |
| 5182 |
| 5183 |
| |
| iii. set DAA_tpmSpecific -> DAA_rekey = SHA-1(tpmDAASeed || DAA_joinSession |
| -> DAA_digest_n0) |
| |
| 5184 |
| |
| Set DAA_session -> DAA_scratch = inputData0 |
| |
| e. Else (If DAA_session -> DAA_scratch != NULL): |
| |
| 5185 |
| |
| i. |
| |
| 5186 |
| 5187 |
| |
| ii. Verify that sizeOf(inputData1) == DAA_SIZE_issuerModulus and return error |
| TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5188 |
| |
| iii. Set signatureValue = inputData1 |
| |
| 5189 |
| 5190 |
| 5191 |
| 5192 |
| |
| iv. Use the RSA key == [DAA_session -> DAA_scratch] to verify that |
| signatureValue |
| is |
| a |
| signature |
| on |
| signedData |
| using |
| TPM_SS_RSASSAPKCS1v15_SHA1 (RSA PKCS1.5 with SHA-1), and return error |
| TPM_DAA_ISSUER_VALIDITY on mismatch |
| |
| 5193 |
| |
| v. Set DAA_session -> DAA_scratch = signedData |
| |
| Set signedData = inputData0 |
| |
| 5194 |
| |
| f. Decrement DAA_tpmSpecific -> DAA_count by 1 (unity) |
| |
| 5195 |
| |
| g. If DAA_tpmSpecific -> DAA_count == 0: |
| |
| 5196 |
| |
| i. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5197 |
| 5198 |
| |
| h. set |
| DAA_session |
| DAA_joinSession) |
| |
| 5199 |
| |
| i. |
| |
| -> |
| |
| DAA_digestContext |
| |
| set outputData = NULL |
| |
| 1258Level 2 Revision 116 28 February 2011 |
| 1259 |
| |
| 269 |
| TCG Published |
| |
| = |
| |
| SHA-1(DAA_tpmSpecific |
| |
| || |
| |
| 1260Copyright © TCG |
| 1261 |
| 1262 |
| |
| 5200 |
| |
| j. |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| return TPM_SUCCESS |
| |
| 52017. If stage==2 |
| 5202 |
| 5203 |
| |
| a. Verify that DAA_session ->DAA_stage==2. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5204 |
| 5205 |
| |
| b. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5206 |
| 5207 |
| |
| c. Verify that sizeOf(inputData0) == sizeOf(TPM_DAA_ISSUER) and return error |
| TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5208 |
| 5209 |
| |
| d. Set DAA_issuerSettings = inputData0. Verify that all fields in DAA_issuerSettings are |
| present and return error TPM_DAA_INPUT_DATA0 if not. |
| |
| 5210 |
| 5211 |
| |
| e. Verify that sizeOf(inputData1) == DAA_SIZE_issuerModulus and return error |
| TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5212 |
| |
| f. Set signatureValue = inputData1 |
| |
| 5213 |
| |
| g. Set signedData = (DAA_joinSession -> DAA_digest_n0 ||DAA_issuerSettings) |
| |
| 5214 |
| 5215 |
| 5216 |
| |
| h. Use the RSA key [DAA_session -> DAA_scratch] to verify that signatureValue is a |
| signature on signedData using TPM_SS_RSASSAPKCS1v15_SHA1 (RSA PKCS1.5 with |
| SHA-1),, and return error TPM_DAA_ISSUER_VALIDITY on mismatch |
| |
| 5217 |
| |
| i. |
| |
| 5218 |
| 5219 |
| |
| j. set |
| DAA_session |
| DAA_joinSession) |
| |
| 5220 |
| |
| k. Set DAA_session -> DAA_scratch = NULL |
| |
| 5221 |
| |
| l. |
| |
| 5222 |
| |
| m. return TPM_SUCCESS |
| |
| Set DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) |
| -> |
| |
| DAA_digestContext |
| |
| = |
| |
| SHA-1(DAA_tpmSpecific |
| |
| || |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 52238. If stage==3 |
| 5224 |
| 5225 |
| |
| a. Verify that DAA_session ->DAA_stage==3. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5226 |
| 5227 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5228 |
| 5229 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5230 |
| 5231 |
| |
| d. Verify that sizeOf(inputData0) == sizeOf(DAA_tpmSpecific -> DAA_count) and return |
| error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5232 |
| |
| e. Set DAA_tpmSpecific -> DAA_count = inputData0 |
| |
| 5233 |
| |
| f. Obtain random data from the RNG and store it as DAA_joinSession -> DAA_join_u0 |
| |
| 5234 |
| |
| g. Obtain random data from the RNG and store it as DAA_joinSession -> DAA_join_u1 |
| |
| 5235 |
| |
| h. set outputData = NULL |
| |
| 5236 |
| |
| i. |
| |
| 1263 |
| 1264 |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 270 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1265TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1266Specification Version 1.2 |
| |
| 5237 |
| 5238 |
| |
| j. set |
| DAA_session |
| DAA_joinSession) |
| |
| 5239 |
| |
| k. return TPM_SUCCESS |
| |
| -> |
| |
| DAA_digestContext |
| |
| = |
| |
| SHA-1(DAA_tpmSpecific |
| |
| || |
| |
| 52409. If stage==4, |
| 5241 |
| 5242 |
| |
| a. Verify that DAA_session ->DAA_stage==4. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5243 |
| 5244 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5245 |
| 5246 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5247 |
| |
| d. Set DAA_generic_R0 = inputData0 |
| |
| 5248 |
| 5249 |
| |
| e. Verify that SHA-1(DAA_generic_R0) == DAA_issuerSettings -> DAA_digest_R0 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5250 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 5251 |
| 5252 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5253 |
| |
| h. Set X = DAA_generic_R0 |
| |
| 5254 |
| |
| i. |
| |
| 5255 |
| 5256 |
| 5257 |
| |
| j. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || |
| 0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) |
| mod DAA_issuerSettings -> DAA_generic_q |
| |
| 5258 |
| |
| k. Set f0 = f mod 2^DAA_power0 (erase all but the lowest DAA_power0 bits of f) |
| |
| 5259 |
| |
| l. |
| |
| 5260 |
| |
| m. set outputData = NULL |
| |
| 5261 |
| |
| n. increment DAA_session -> DAA_stage by 1 |
| |
| 5262 |
| |
| o. return TPM_SUCCESS |
| |
| Set n = DAA_generic_n |
| |
| Set DAA_session -> DAA_scratch = (X^f0) mod n |
| |
| 526310.If stage==5 |
| 5264 |
| 5265 |
| |
| a. Verify that DAA_session ->DAA_stage==5. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5266 |
| 5267 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5268 |
| 5269 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5270 |
| |
| d. Set DAA_generic_R1 = inputData0 |
| |
| 5271 |
| 5272 |
| |
| e. Verify that SHA-1(DAA_generic_R1) == DAA_issuerSettings -> DAA_digest_R1 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5273 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 1267Level 2 Revision 116 28 February 2011 |
| 1268 |
| |
| 271 |
| TCG Published |
| |
| 1269Copyright © TCG |
| 1270 |
| 1271 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5274 |
| 5275 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5276 |
| |
| h. Set X = DAA_generic_R1 |
| |
| 5277 |
| |
| i. |
| |
| 5278 |
| 5279 |
| 5280 |
| |
| j. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || |
| 0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) |
| mod DAA_issuerSettings -> DAA_generic_q. |
| |
| 5281 |
| 5282 |
| |
| k. Shift f right by DAA_power0 bits (discard the lowest DAA_power0 bits) and label the |
| result f1 |
| |
| 5283 |
| |
| l. |
| |
| 5284 |
| |
| m. Set DAA_session -> DAA_scratch = Z*(X^f1) mod n |
| |
| 5285 |
| |
| n. set outputData = NULL |
| |
| 5286 |
| |
| o. increment DAA_session -> DAA_stage by 1 |
| |
| 5287 |
| |
| p. return TPM_SUCCESS |
| |
| Set n = DAA_generic_n |
| |
| Set Z = DAA_session -> DAA_scratch |
| |
| 528811.If stage==6 |
| 5289 |
| 5290 |
| |
| a. Verify that DAA_session ->DAA_stage==6. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5291 |
| 5292 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5293 |
| 5294 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5295 |
| |
| d. Set DAA_generic_S0 = inputData0 |
| |
| 5296 |
| 5297 |
| |
| e. Verify that SHA-1(DAA_generic_S0) == DAA_issuerSettings -> DAA_digest_S0 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5298 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 5299 |
| 5300 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5301 |
| |
| h. Set X = DAA_generic_S0 |
| |
| 5302 |
| |
| i. |
| |
| Set n = DAA_generic_n |
| |
| 5303 |
| |
| j. |
| |
| Set Z = DAA_session -> DAA_scratch |
| |
| 5304 |
| |
| k. Set Y = DAA_joinSession -> DAA_join_u0 |
| |
| 5305 |
| |
| l. |
| |
| 5306 |
| |
| m. set outputData = NULL |
| |
| 5307 |
| |
| n. increment DAA_session -> DAA_stage by 1 |
| |
| 5308 |
| |
| o. return TPM_SUCCESS |
| |
| Set DAA_session -> DAA_scratch = Z*(X^Y) mod n |
| |
| 530912.If stage==7 |
| |
| 1272 |
| 1273 |
| |
| 272 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1274TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1275Specification Version 1.2 |
| |
| 5310 |
| 5311 |
| |
| a. Verify that DAA_session ->DAA_stage==7. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5312 |
| 5313 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5314 |
| 5315 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5316 |
| |
| d. Set DAA_generic_S1 = inputData0 |
| |
| 5317 |
| 5318 |
| |
| e. Verify that SHA-1(DAA_generic_S1) == DAA_issuerSettings -> DAA_digest_S1 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5319 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 5320 |
| 5321 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5322 |
| |
| h. Set X = DAA_generic_S1 |
| |
| 5323 |
| |
| i. |
| |
| Set n = DAA_generic_n |
| |
| 5324 |
| |
| j. |
| |
| Set Y = DAA_joinSession -> DAA_join_u1 |
| |
| 5325 |
| |
| k. Set Z = DAA_session -> DAA_scratch |
| |
| 5326 |
| |
| l. |
| |
| 5327 |
| 5328 |
| |
| m. Set DAA_session -> DAA_digest to the SHA-1 (DAA_session -> DAA_scratch || |
| DAA_tpmSpecific -> DAA_count || DAA_joinSession -> DAA_digest_n0) |
| |
| 5329 |
| |
| n. set outputData = DAA_session -> DAA_scratch |
| |
| 5330 |
| |
| o. set DAA_session -> DAA_scratch = NULL |
| |
| 5331 |
| |
| p. increment DAA_session -> DAA_stage by 1 |
| |
| 5332 |
| |
| q. return TPM_SUCCESS |
| |
| Set DAA_session -> DAA_scratch = Z*(X^Y) mod n |
| |
| 533313.If stage==8 |
| 5334 |
| 5335 |
| |
| a. Verify that DAA_session ->DAA_stage==8. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5336 |
| 5337 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5338 |
| 5339 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5340 |
| 5341 |
| |
| d. Verify inputSize0 == DAA_SIZE_NE and return error TPM_DAA_INPUT_DATA0 on |
| mismatch |
| |
| 5342 |
| |
| e. Set NE = decrypt(inputData0, privEK) |
| |
| 5343 |
| |
| f. set outputData = SHA-1(DAA_session -> DAA_digest || NE) |
| |
| 5344 |
| |
| g. set DAA_session -> DAA_digest = NULL |
| |
| 5345 |
| |
| h. increment DAA_session -> DAA_stage by 1 |
| |
| 5346 |
| |
| i. |
| |
| return TPM_SUCCESS |
| |
| 1276Level 2 Revision 116 28 February 2011 |
| 1277 |
| |
| 273 |
| TCG Published |
| |
| 1278Copyright © TCG |
| 1279 |
| 1280 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 534714.If stage==9 |
| 5348 |
| 5349 |
| |
| a. Verify that DAA_session ->DAA_stage==9. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5350 |
| 5351 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5352 |
| 5353 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5354 |
| |
| d. Set DAA_generic_R0 = inputData0 |
| |
| 5355 |
| 5356 |
| |
| e. Verify that SHA-1(DAA_generic_R0) == DAA_issuerSettings -> DAA_digest_R0 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5357 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 5358 |
| 5359 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5360 |
| |
| h. Obtain random data from the RNG and store it as DAA_session -> DAA_contextSeed |
| |
| 5361 |
| 5362 |
| |
| i. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them Y. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5363 |
| |
| j. |
| |
| 5364 |
| |
| k. Set n = DAA_generic_n |
| |
| 5365 |
| |
| l. |
| |
| 5366 |
| |
| m. set outputData = NULL |
| |
| 5367 |
| |
| n. increment DAA_session -> DAA_stage by 1 |
| |
| 5368 |
| |
| o. return TPM_SUCCESS |
| |
| “r0” || |
| |
| Set X = DAA_generic_R0 |
| Set DAA_session -> DAA_scratch = (X^Y) mod n |
| |
| 536915.If stage==10 |
| 5370 |
| 5371 |
| |
| a. Verify that DAA_session ->DAA_stage==10. Return TPM_DAA_STAGE and flush |
| handle on mismatch h |
| |
| 5372 |
| 5373 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5374 |
| 5375 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5376 |
| |
| d. Set DAA_generic_R1 = inputData0 |
| |
| 5377 |
| 5378 |
| |
| e. Verify that SHA-1(DAA_generic_R1) == DAA_issuerSettings -> DAA_digest_R1 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5379 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 5380 |
| 5381 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5382 |
| 5383 |
| |
| h. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them Y. “r1” || |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5384 |
| |
| i. |
| |
| 1281 |
| 1282 |
| |
| Set X = DAA_generic_R1 |
| |
| 274 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1283TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1284Specification Version 1.2 |
| |
| 5385 |
| |
| j. |
| |
| 5386 |
| |
| k. Set Z = DAA_session -> DAA_scratch |
| |
| 5387 |
| |
| l. |
| |
| 5388 |
| |
| m. set outputData = NULL |
| |
| 5389 |
| |
| n. increment DAA_session -> DAA_stage by 1 |
| |
| 5390 |
| |
| o. return TPM_SUCCESS |
| |
| Set n = DAA_generic_n |
| Set DAA_session -> DAA_scratch = Z*(X^Y) mod n |
| |
| 539116.If stage==11 |
| 5392 |
| 5393 |
| |
| a. Verify that DAA_session ->DAA_stage==11. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5394 |
| 5395 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5396 |
| 5397 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5398 |
| |
| d. Set DAA_generic_S0 = inputData0 |
| |
| 5399 |
| 5400 |
| |
| e. Verify that SHA-1(DAA_generic_S0) == DAA_issuerSettings -> DAA_digest_S0 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5401 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 5402 |
| 5403 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5404 |
| 5405 |
| |
| h. Obtain DAA_SIZE_r2 bytes using the MGF1 function and label them Y. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5406 |
| |
| i. |
| |
| Set X = DAA_generic_S0 |
| |
| 5407 |
| |
| j. |
| |
| Set n = DAA_generic_n |
| |
| 5408 |
| |
| k. Set Z = DAA_session -> DAA_scratch |
| |
| 5409 |
| |
| l. |
| |
| 5410 |
| |
| m. set outputData = NULL |
| |
| 5411 |
| |
| n. increment DAA_session -> DAA_stage by 1 |
| |
| 5412 |
| |
| o. return TPM_SUCCESS |
| |
| “r2” || |
| |
| Set DAA_session -> DAA_scratch = Z*(X^Y) mod n |
| |
| 541317.If stage==12 |
| 5414 |
| 5415 |
| |
| a. Verify that DAA_session ->DAA_stage==12. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5416 |
| 5417 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings ) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5418 |
| 5419 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5420 |
| |
| d. Set DAA_generic_S1 = inputData0 |
| |
| 1285Level 2 Revision 116 28 February 2011 |
| 1286 |
| |
| 275 |
| TCG Published |
| |
| 1287Copyright © TCG |
| 1288 |
| 1289 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5421 |
| 5422 |
| |
| e. Verify that SHA-1(DAA_generic_S1) == DAA_issuerSettings -> DAA_digest_S1 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5423 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 5424 |
| 5425 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5426 |
| 5427 |
| |
| h. Obtain DAA_SIZE_r3 bytes using the MGF1 function and label them Y. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5428 |
| |
| i. |
| |
| Set X = DAA_generic_S1 |
| |
| 5429 |
| |
| j. |
| |
| Set n = DAA_generic_n |
| |
| 5430 |
| |
| k. Set Z = DAA_session -> DAA_scratch |
| |
| 5431 |
| |
| l. |
| |
| 5432 |
| |
| m. set outputData = DAA_session -> DAA_scratch |
| |
| 5433 |
| |
| n. Set DAA_session -> DAA_scratch = NULL |
| |
| 5434 |
| |
| o. increment DAA_session -> DAA_stage by 1 |
| |
| 5435 |
| |
| p. return TPM_SUCCESS |
| |
| “r3” || |
| |
| Set DAA_session -> DAA_scratch = Z*(X^Y) mod n |
| |
| 543618.If stage==13 |
| 5437 |
| 5438 |
| |
| a. Verify that DAA_session->DAA_stage==13. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5439 |
| 5440 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5441 |
| 5442 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5443 |
| |
| d. Set DAA_generic_gamma = inputData0 |
| |
| 5444 |
| 5445 |
| |
| e. Verify |
| that |
| SHA-1(DAA_generic_gamma) |
| == |
| DAA_issuerSettings |
| DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5446 |
| 5447 |
| |
| f. Verify that inputSize1 == DAA_SIZE_w and return error TPM_DAA_INPUT_DATA1 on |
| mismatch |
| |
| 5448 |
| |
| g. Set w = inputData1 |
| |
| 5449 |
| |
| h. Set w1 = w^( DAA_issuerSettings -> DAA_generic_q) mod (DAA_generic_gamma) |
| |
| 5450 |
| |
| i. |
| |
| If w1 != 1 (unity), return error TPM_DAA_WRONG_W |
| |
| 5451 |
| |
| j. |
| |
| Set DAA_session -> DAA_scratch = w |
| |
| 5452 |
| |
| k. set outputData = NULL |
| |
| 5453 |
| |
| l. |
| |
| 5454 |
| |
| m. return TPM_SUCCESS. |
| |
| -> |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 545519.If stage==14 |
| 5456 |
| 5457 |
| 1290 |
| 1291 |
| |
| a. Verify that DAA_session ->DAA_stage==14. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| 276 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1292TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1293Specification Version 1.2 |
| |
| 5458 |
| 5459 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings ) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5460 |
| 5461 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5462 |
| |
| d. Set DAA_generic_gamma = inputData0 |
| |
| 5463 |
| 5464 |
| |
| e. Verify |
| that |
| SHA-1(DAA_generic_gamma) |
| == |
| DAA_issuerSettings |
| DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5465 |
| 5466 |
| 5467 |
| |
| f. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || |
| 0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) |
| mod DAA_issuerSettings -> DAA_generic_q. |
| |
| 5468 |
| |
| g. Set E = ((DAA_session -> DAA_scratch)^f) mod (DAA_generic_gamma). |
| |
| 5469 |
| |
| h. Set outputData = E |
| |
| 5470 |
| |
| i. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5471 |
| |
| j. |
| |
| return TPM_SUCCESS. |
| |
| -> |
| |
| 547220.If stage==15 |
| 5473 |
| 5474 |
| |
| a. Verify that DAA_session ->DAA_stage==15. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5475 |
| 5476 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5477 |
| 5478 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5479 |
| |
| d. Set DAA_generic_gamma = inputData0 |
| |
| 5480 |
| 5481 |
| |
| e. Verify |
| that |
| SHA-1(DAA_generic_gamma) |
| == |
| DAA_issuerSettings |
| DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5482 |
| 5483 |
| |
| f. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them r0. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| “r0” || |
| |
| 5484 |
| 5485 |
| |
| g. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them r1. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| “r1” || |
| |
| 5486 |
| |
| h. set r = r0 + 2^DAA_power0 * r1 mod (DAA_issuerSettings -> DAA_generic_q). |
| |
| 5487 |
| |
| i. |
| |
| set E1 = ((DAA_session -> DAA_scratch)^r) mod (DAA_generic_gamma). |
| |
| 5488 |
| |
| j. |
| |
| Set DAA_session -> DAA_scratch = NULL |
| |
| 5489 |
| |
| k. Set outputData = E1 |
| |
| 5490 |
| |
| l. |
| |
| 5491 |
| |
| m. return TPM_SUCCESS. |
| |
| -> |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 549221.If stage==16 |
| 5493 |
| 5494 |
| |
| a. Verify that DAA_session ->DAA_stage==16. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 1294Level 2 Revision 116 28 February 2011 |
| 1295 |
| |
| 277 |
| TCG Published |
| |
| 1296Copyright © TCG |
| 1297 |
| 1298 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5495 |
| 5496 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5497 |
| 5498 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5499 |
| 5500 |
| |
| d. Verify |
| that |
| inputSize0 |
| == |
| TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5501 |
| |
| e. Set DAA_session -> DAA_digest = inputData0 |
| |
| 5502 |
| |
| f. Obtain DAA_SIZE_NT bytes from the RNG and label them NT |
| |
| 5503 |
| |
| g. Set DAA_session -> DAA_digest to the SHA-1 ( DAA_session -> DAA_digest || NT ) |
| |
| 5504 |
| |
| h. Set outputData = NT |
| |
| 5505 |
| |
| i. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5506 |
| |
| j. |
| |
| return TPM_SUCCESS. |
| |
| sizeOf(TPM_DIGEST) |
| |
| and |
| |
| return |
| |
| error |
| |
| 550722.If stage==17 |
| 5508 |
| 5509 |
| |
| a. Verify that DAA_session ->DAA_stage==17. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5510 |
| 5511 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5512 |
| 5513 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5514 |
| 5515 |
| |
| d. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them r0. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5516 |
| 5517 |
| 5518 |
| |
| e. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || |
| 0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) |
| mod DAA_issuerSettings -> DAA_generic_q. |
| |
| 5519 |
| |
| f. Set f0 = f mod 2^DAA_power0 (erase all but the lowest DAA_power0 bits of f) |
| |
| 5520 |
| 5521 |
| |
| g. Set s0 = r0 + (DAA_session -> DAA_digest) * f0 in Z. Compute over the integers. The |
| computation is not reduced with a modulus. |
| |
| 5522 |
| |
| h. set outputData = s0 |
| |
| 5523 |
| |
| i. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5524 |
| |
| j. |
| |
| return TPM_SUCCESS |
| |
| “r0” || |
| |
| 552523.If stage==18 |
| 5526 |
| 5527 |
| |
| a. Verify that DAA_session ->DAA_stage==18. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5528 |
| 5529 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5530 |
| 5531 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 1299 |
| 1300 |
| |
| 278 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1301TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1302Specification Version 1.2 |
| |
| 5532 |
| 5533 |
| |
| d. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them r1. “r1” || |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5534 |
| 5535 |
| 5536 |
| |
| e. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || |
| 0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) |
| mod DAA_issuerSettings -> DAA_generic_q. |
| |
| 5537 |
| 5538 |
| |
| f. Shift f right by DAA_power0 bits (discard the lowest DAA_power0 bits) and label the |
| result f1 |
| |
| 5539 |
| 5540 |
| |
| g. Set s1 = r1 + (DAA_session -> DAA_digest)* f1 in Z. Compute over the integers. The |
| computation is not reduced with a modulus. |
| |
| 5541 |
| |
| h. set outputData = s1 |
| |
| 5542 |
| |
| i. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5543 |
| |
| j. |
| |
| return TPM_SUCCESS |
| |
| 554424.If stage==19 |
| 5545 |
| 5546 |
| |
| a. Verify that DAA_session ->DAA_stage==19. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5547 |
| 5548 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5549 |
| 5550 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5551 |
| 5552 |
| |
| d. Obtain DAA_SIZE_r2 bytes using the MGF1 function and label them r2. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5553 |
| 5554 |
| |
| e. Set s2 = r2 + (DAA_session -> DAA_digest)*( DAA_joinSession -> DAA_join_u0) mod |
| 2^DAA_power1 (Erase all but the lowest DAA_power1 bits of s2) |
| |
| 5555 |
| |
| f. set outputData = s2 |
| |
| 5556 |
| |
| g. increment DAA_session -> DAA_stage by 1 |
| |
| 5557 |
| |
| h. return TPM_SUCCESS |
| |
| “r2” || |
| |
| 555825.If stage==20 |
| 5559 |
| 5560 |
| |
| a. Verify that DAA_session ->DAA_stage==20. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5561 |
| 5562 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5563 |
| 5564 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5565 |
| 5566 |
| |
| d. Obtain DAA_SIZE_r2 bytes using the MGF1 function and label them r2. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5567 |
| |
| e. Set s12 = r2 + (DAA_session -> DAA_digest)*( DAA_joinSession -> DAA_join_u0) |
| |
| 5568 |
| |
| f. Shift s12 right by DAA_power1 bit (discard the lowest DAA_power1 bits). |
| |
| 5569 |
| |
| g. Set DAA_session -> DAA_scratch = s12 |
| |
| 1303Level 2 Revision 116 28 February 2011 |
| 1304 |
| |
| 279 |
| TCG Published |
| |
| “r2” || |
| |
| 1305Copyright © TCG |
| 1306 |
| 1307 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5570 |
| |
| h. Set outputData = DAA_session -> DAA_digest |
| |
| 5571 |
| |
| i. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5572 |
| |
| j. |
| |
| return TPM_SUCCESS |
| |
| 557326.If stage==21 |
| 5574 |
| 5575 |
| |
| a. Verify that DAA_session ->DAA_stage==21. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5576 |
| 5577 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5578 |
| 5579 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5580 |
| 5581 |
| |
| d. Obtain DAA_SIZE_r3 bytes using the MGF1 function and label them r3. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5582 |
| 5583 |
| |
| e. Set s3 = r3 + (DAA_session -> DAA_digest)*( DAA_joinSession -> DAA_join_u1) + |
| (DAA_session -> DAA_scratch). |
| |
| 5584 |
| |
| f. Set DAA_session -> DAA_scratch = NULL |
| |
| 5585 |
| |
| g. set outputData = s3 |
| |
| 5586 |
| |
| h. increment DAA_session -> DAA_stage by 1 |
| |
| 5587 |
| |
| i. |
| |
| “r3” || |
| |
| return TPM_SUCCESS |
| |
| 558827.If stage==22 |
| 5589 |
| 5590 |
| |
| a. Verify that DAA_session ->DAA_stage==22. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5591 |
| 5592 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5593 |
| 5594 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5595 |
| 5596 |
| |
| d. Verify inputSize0 == DAA_SIZE_v0 and return error TPM_DAA_INPUT_DATA0 on |
| mismatch |
| |
| 5597 |
| |
| e. Set u2 = inputData0 |
| |
| 5598 |
| 5599 |
| |
| f. Set v0 = u2 + (DAA_joinSession -> DAA_join_u0) mod 2^DAA_power1 (Erase all but |
| the lowest DAA_power1 bits of v0). |
| |
| 5600 |
| |
| g. Set DAA_tpmSpecific -> DAA_digest_v0 = SHA-1(v0) |
| |
| 5601 |
| 5602 |
| |
| h. Set v10 = u2 + (DAA_joinSession -> DAA_join_u0) in Z. Compute over the integers. |
| The computation is not reduced with a modulus. |
| |
| 5603 |
| |
| i. |
| |
| Shift v10 right by DAA_power1 bits (erase the lowest DAA_power1 bits). |
| |
| 5604 |
| |
| j. |
| |
| Set DAA_session ->DAA_scratch = v10 |
| |
| 5605 |
| |
| k. Set outputData |
| |
| 5606 |
| 5607 |
| 1308 |
| 1309 |
| |
| i. Fill in TPM_DAA_BLOB with a type of TPM_RT_DAA_V0 and encrypt the v0 |
| parameters using TPM_PERMANENT_DATA -> daaBlobKey |
| 280 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1310TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1311Specification Version 1.2 |
| |
| 5608 |
| |
| ii. set outputData to the encrypted TPM_DAA_BLOB |
| |
| 5609 |
| |
| l. |
| |
| 5610 |
| 5611 |
| |
| m. set |
| DAA_session |
| DAA_joinSession) |
| |
| 5612 |
| |
| n. return TPM_SUCCESS |
| |
| increment DAA_session -> DAA_stage by 1 |
| -> |
| |
| DAA_digestContext |
| |
| = |
| |
| SHA-1(DAA_tpmSpecific |
| |
| || |
| |
| 561328.If stage==23 |
| 5614 |
| 5615 |
| |
| a. Verify that DAA_session ->DAA_stage==23. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5616 |
| 5617 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5618 |
| 5619 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5620 |
| 5621 |
| |
| d. Verify inputSize0 == DAA_SIZE_v1 and return error TPM_DAA_INPUT_DATA0 on |
| mismatch |
| |
| 5622 |
| |
| e. Set u3 = inputData0 |
| |
| 5623 |
| |
| f. Set v1 = u3 + DAA_joinSession -> DAA_join_u1 + DAA_session ->DAA_scratch |
| |
| 5624 |
| |
| g. Set DAA_tpmSpecific -> DAA_digest_v1 = SHA-1(v1) |
| |
| 5625 |
| |
| h. Set outputData |
| |
| 5626 |
| 5627 |
| |
| i. Fill in TPM_DAA_BLOB with a type of TPM_RT_DAA_V1 and encrypt the v1 |
| parameters using TPM_PERMANENT_DATA -> daaBlobKey |
| |
| 5628 |
| |
| ii. set outputData to the encrypted TPM_DAA_BLOB |
| |
| 5629 |
| |
| i. |
| |
| Set DAA_session ->DAA_scratch = NULL |
| |
| 5630 |
| |
| j. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5631 |
| 5632 |
| |
| k. set |
| DAA_session |
| DAA_joinSession) |
| |
| 5633 |
| |
| l. |
| |
| -> |
| |
| DAA_digestContext |
| |
| = |
| |
| SHA-1(DAA_tpmSpecific |
| |
| || |
| |
| return TPM_SUCCESS |
| |
| 563429.If stage==24 |
| 5635 |
| 5636 |
| |
| a. Verify that DAA_session ->DAA_stage==24. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5637 |
| 5638 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5639 |
| 5640 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific || |
| DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5641 |
| 5642 |
| |
| d. set outputData |
| daaBlobKey |
| |
| 5643 |
| 5644 |
| |
| e. Terminate the DAA session and all resources associated with the DAA join session |
| handle. |
| |
| 5645 |
| |
| f. return TPM_SUCCESS |
| |
| = |
| |
| enc(DAA_tpmSpecific) |
| |
| 1312Level 2 Revision 116 28 February 2011 |
| 1313 |
| |
| 281 |
| TCG Published |
| |
| using |
| |
| TPM_PERMANENT_DATA |
| |
| -> |
| |
| 1314Copyright © TCG |
| 1315 |
| 1316 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 564630.If stage > 24, return error: TPM_DAA_STAGE |
| |
| 1317 |
| 1318 |
| |
| 282 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1319TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1320Specification Version 1.2 |
| |
| 564726.2 |
| |
| TPM_DAA_Sign |
| |
| 5648Start of informative comment: |
| 5649outputSize and outputData are always included in the outParamDigest. This includes stage |
| 56500, where the outputData contains the DAA session handle. |
| 5651 End of informative comment. |
| 5652TPM protected capability; user must provide authorizations from the TPM Owner. |
| 5653Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| Tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes incl. paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| Ordinal |
| |
| Command ordinal: TPM_ORD_DAA_Sign |
| |
| 4 |
| |
| 4 |
| |
| TPM_HANDLE |
| |
| handle |
| |
| Handle to the sign session |
| |
| 5 |
| |
| 1 |
| |
| 2S |
| |
| 1 |
| |
| BYTE |
| |
| stage |
| |
| Stage of the sign process |
| |
| 6 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| inputSize0 |
| |
| Size of inputData0 for this stage of DAA_Sign |
| |
| 7 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[] |
| |
| inputData0 |
| |
| Data to be used by this capability |
| |
| 8 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| inputSize1 |
| |
| Size of inputData1 for this stage of DAA_Sign |
| |
| 9 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[] |
| |
| inputData1 |
| |
| Data to be used by this capability |
| |
| 10 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 11 |
| |
| 20 |
| |
| 3 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 12 |
| |
| 1 |
| |
| 4 H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| 13 |
| |
| 20 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner. HMAC key: |
| ownerAuth. |
| |
| 5654Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes incl. paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal:TPM_ORD_DAA_Sign |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| outputSize |
| |
| Size of outputData |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[] |
| |
| outputData |
| |
| Data produced by this capability |
| |
| 6 |
| |
| 20 |
| |
| 2 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3 H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4 H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth. |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 1321Level 2 Revision 116 28 February 2011 |
| 1322 |
| |
| 283 |
| TCG Published |
| |
| 1323Copyright © TCG |
| 1324 |
| 1325 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5655Description |
| 5656This table summaries the input, output and saved data that is associated with each stage of |
| 5657processing. |
| Stage |
| |
| Input Data0 |
| |
| Input Data1 |
| |
| Operation |
| |
| Output Data |
| |
| Scratchpad |
| |
| 0 |
| |
| DAA_issuerSettings |
| |
| NULL |
| |
| initialise |
| |
| handle |
| |
| NULL |
| |
| 1 |
| |
| enc(DAA_tpmSpecific) |
| |
| NULL |
| |
| initialise |
| |
| NULL |
| |
| NULL |
| |
| 2 |
| |
| DAA_generic_R0 |
| |
| DAA_generic_n |
| |
| P1=R0^r0 mod n |
| |
| NULL |
| |
| P1 |
| |
| 3 |
| |
| DAA_generic_R1 |
| |
| DAA_generic_n |
| |
| P2 = P1*(R1^r1) mod n |
| |
| NULL |
| |
| P2 |
| |
| 4 |
| |
| DAA_generic_S0 |
| |
| DAA_generic_n |
| |
| P3 = P2*(S0^r2) mod n |
| |
| NULL |
| |
| P3 |
| |
| 5 |
| |
| DAA_generic_S1 |
| |
| DAA_generic_n |
| |
| T = P3*(S1^r4) mod n |
| |
| T |
| |
| NULL |
| |
| 6 |
| |
| DAA_generic_gamma |
| |
| w |
| |
| w1 = w^q mod gamma |
| |
| NULL |
| |
| w |
| |
| 7 |
| |
| DAA_generic_gamma |
| |
| NULL |
| |
| E = w^f mod gamma |
| |
| E |
| |
| w |
| |
| 8 |
| |
| DAA_generic_gamma |
| |
| NULL |
| |
| r = r0 + (2^power0)*r1 |
| mod q, |
| |
| E1 |
| |
| NULL |
| |
| E1 = w^r mod gamma |
| 9 |
| |
| c1 |
| |
| NULL |
| |
| c = hash(c1 || NT) |
| |
| NT |
| |
| NULL |
| |
| 10 |
| |
| b (selector) |
| |
| m or handle to AIK |
| |
| c = hash(c || 1 || m) |
| |
| c |
| |
| NULL |
| |
| or |
| c = hash(c || 0 || AIKmodulus) |
| 11 |
| |
| NULL |
| |
| NULL |
| |
| s0 = r0 + c*f0 |
| |
| s0 |
| |
| NULL |
| |
| 12 |
| |
| NULL |
| |
| NULL |
| |
| s1 = r1 + c*f1 |
| |
| s1 |
| |
| NULL |
| |
| 13 |
| |
| enc(v0) |
| |
| NULL |
| |
| s2 = r2 + c*v0 |
| |
| s2 |
| |
| NULL |
| |
| NULL |
| |
| s12 |
| |
| s3 |
| |
| NULL |
| |
| mod 2^power1 |
| 14 |
| |
| enc(v0) |
| |
| NULL |
| |
| s12 = r2 + c*v0 |
| >> power1 |
| |
| 15 |
| |
| enc(v1) |
| |
| NULL |
| |
| s3 = r4 + c*v1 + s12 |
| |
| 5658 |
| 5659When a TPM receives an Owner authorized command to input enc(DAA_tpmSpecific) or |
| 5660enc(v0) or enc(v1), the TPM MUST verify that the TPM created the data and that neither the |
| 5661data nor the TPM's daaProof has been changed since the data was created. Loading one of |
| 5662these wrapped blobs does not require authorization, since correct blobs were created by the |
| 5663TPM under Owner authorization, and unwrapped blobs cannot be used without Owner |
| 5664authorisation. The TPM MUST NOT restrict the number of times that the contents of |
| 5665enc(DAA_tpmSpecific) or enc(v0) or enc(v1) can be used by the same combination of TPM |
| 5666and daaProof that created them. |
| 5667Actions |
| 5668A Trusted Platform Module that receives a valid TPM_DAA_Sign command SHALL: |
| 56691. Use ownerAuth to verify that the Owner authorized all TPM_DAA_Sign input parameters. |
| 56702. Any error results in the TPM invalidating all resources associated with the command |
| 56713. Constant values of 0 or 1 are 1 byte integers, stages affected are |
| 5672 |
| 1326 |
| 1327 |
| |
| a. 7(f), 11(e), 12(e) |
| 284 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1328TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1329Specification Version 1.2 |
| |
| 56734. Representation of the strings “r0” to “r4” are 2-byte ASCII encodings, stages affected are |
| 5674 |
| |
| a. 2(h), 3(h), 4(h), 5(h), 12(d), 13(f), 14(f), 15(f) |
| |
| 5675Stages |
| 56760. If stage==0 |
| 5677 |
| |
| b. Determine that sufficient resources are available to perform a TPM_DAA_Sign. |
| |
| 5678 |
| 5679 |
| 5680 |
| |
| i. The TPM MUST support sufficient resources to perform one (1) |
| TPM_DAA_Join/ TPM_DAA_Sign. The TPM MAY support addition TPM_DAA_Join/ |
| TPM_DAA_Sign sessions. |
| |
| 5681 |
| 5682 |
| |
| ii. The TPM may share internal resources between the DAA operations and other |
| variable resource requirements: |
| |
| 5683 |
| 5684 |
| 5685 |
| |
| iii. If there are insufficient resources within the stored key pool (and one or more |
| keys need to be removed to permit the DAA operation to execute) return |
| TPM_NOSPACE |
| |
| 5686 |
| 5687 |
| 5688 |
| |
| iv. If there are insufficient resources within the stored session pool (and one or |
| more authorization or transport sessions need to be removed to permit the DAA |
| operation to execute), return TPM_RESOURCES. |
| |
| 5689 |
| |
| c. Set DAA_issuerSettings = inputData0 |
| |
| 5690 |
| 5691 |
| |
| d. Verify that all fields in DAA_issuerSettings |
| TPM_DAA_INPUT_DATA0 if not. |
| |
| 5692 |
| |
| e. set all fields in DAA_session = NULL |
| |
| 5693 |
| |
| f. Assign new handle for session |
| |
| 5694 |
| |
| g. Set outputData to new handle |
| |
| 5695 |
| |
| i. |
| |
| are |
| |
| present |
| |
| and |
| |
| return |
| |
| error |
| |
| The handle in outputData is included the output HMAC. |
| |
| 5696 |
| |
| h. set DAA_session -> DAA_stage = 1 |
| |
| 5697 |
| |
| i. |
| |
| return TPM_SUCCESS |
| |
| 56985. If stage==1 |
| 5699 |
| 5700 |
| |
| a. Verify that DAA_session ->DAA_stage==1. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5701 |
| 5702 |
| |
| b. Set DAA_tpmSpecific = unwrap(inputData0) using TPM_PERMANENT_DATA -> |
| daaBlobKey |
| |
| 5703 |
| 5704 |
| |
| c. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5705 |
| |
| d. set DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific) |
| |
| 5706 |
| |
| e. set outputData = NULL |
| |
| 5707 |
| |
| f. set DAA_session -> DAA_stage =2 |
| |
| 5708 |
| |
| g. return TPM_SUCCESS |
| |
| 57096. If stage==2 |
| 1330Level 2 Revision 116 28 February 2011 |
| 1331 |
| |
| 285 |
| TCG Published |
| |
| 1332Copyright © TCG |
| 1333 |
| 1334 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5710 |
| 5711 |
| |
| a. Verify that DAA_session ->DAA_stage==2. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5712 |
| 5713 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5714 |
| 5715 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5716 |
| |
| d. Set DAA_generic_R0 = inputData0 |
| |
| 5717 |
| 5718 |
| |
| e. Verify that SHA-1(DAA_generic_R0) == DAA_issuerSettings -> DAA_digest_R0 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5719 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 5720 |
| 5721 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5722 |
| |
| h. Obtain random data from the RNG and store it as DAA_session -> DAA_contextSeed |
| |
| 5723 |
| 5724 |
| |
| i. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them Y. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5725 |
| |
| j. |
| |
| 5726 |
| |
| k. Set n = DAA_generic_n |
| |
| 5727 |
| |
| l. |
| |
| 5728 |
| |
| m. set outputData = NULL |
| |
| 5729 |
| |
| n. increment DAA_session -> DAA_stage by 1 |
| |
| 5730 |
| |
| o. return TPM_SUCCESS |
| |
| “r0” || |
| |
| Set X = DAA_generic_R0 |
| Set DAA_session -> DAA_scratch = (X^Y) mod n |
| |
| 57317. If stage==3 |
| 5732 |
| 5733 |
| |
| a. Verify that DAA_session ->DAA_stage==3. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5734 |
| 5735 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5736 |
| 5737 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5738 |
| |
| d. Set DAA_generic_R1 = inputData0 |
| |
| 5739 |
| 5740 |
| |
| e. Verify that SHA-1(DAA_generic_R1) == DAA_issuerSettings -> DAA_digest_R1 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5741 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 5742 |
| 5743 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5744 |
| 5745 |
| |
| h. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them Y. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5746 |
| |
| i. |
| |
| Set X = DAA_generic_R1 |
| |
| 5747 |
| |
| j. |
| |
| Set n = DAA_generic_n |
| |
| 1335 |
| 1336 |
| |
| 286 |
| |
| “r1” || |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1337TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1338Specification Version 1.2 |
| |
| 5748 |
| |
| k. Set Z = DAA_session -> DAA_scratch |
| |
| 5749 |
| |
| l. |
| |
| 5750 |
| |
| m. set outputData = NULL |
| |
| 5751 |
| |
| n. increment DAA_session -> DAA_stage by 1 |
| |
| 5752 |
| |
| o. return TPM_SUCCESS |
| |
| Set DAA_session -> DAA_scratch = Z*(X^Y) mod n |
| |
| 57538. If stage==4 |
| 5754 |
| 5755 |
| |
| a. Verify that DAA_session ->DAA_stage==4. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5756 |
| 5757 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5758 |
| 5759 |
| |
| c. Verify that DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific) |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5760 |
| |
| d. Set DAA_generic_S0 = inputData0 |
| |
| 5761 |
| 5762 |
| |
| e. Verify that SHA-1(DAA_generic_S0) == DAA_issuerSettings -> DAA_digest_S0 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5763 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 5764 |
| 5765 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5766 |
| 5767 |
| |
| h. Obtain DAA_SIZE_r2 bytes using the MGF1 function and label them Y. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5768 |
| |
| i. |
| |
| Set X = DAA_generic_S0 |
| |
| 5769 |
| |
| j. |
| |
| Set n = DAA_generic_n |
| |
| 5770 |
| |
| k. Set Z = DAA_session -> DAA_scratch |
| |
| 5771 |
| |
| l. |
| |
| 5772 |
| |
| m. set outputData = NULL |
| |
| 5773 |
| |
| n. increment DAA_session -> DAA_stage by 1 |
| |
| 5774 |
| |
| o. return TPM_SUCCESS |
| |
| and |
| |
| “r2” || |
| |
| Set DAA_session -> DAA_scratch = Z*(X^Y) mod n |
| |
| 57759. If stage==5 |
| 5776 |
| 5777 |
| |
| a. Verify that DAA_session ->DAA_stage==5. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5778 |
| 5779 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5780 |
| 5781 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5782 |
| |
| d. Set DAA_generic_S1 = inputData0 |
| |
| 5783 |
| 5784 |
| |
| e. Verify that SHA-1(DAA_generic_S1) == DAA_issuerSettings -> DAA_digest_S1 and |
| return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 1339Level 2 Revision 116 28 February 2011 |
| 1340 |
| |
| 287 |
| TCG Published |
| |
| 1341Copyright © TCG |
| 1342 |
| 1343 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5785 |
| |
| f. Set DAA_generic_n = inputData1 |
| |
| 5786 |
| 5787 |
| |
| g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5788 |
| 5789 |
| |
| h. Obtain DAA_SIZE_r4 bytes using the MGF1 function and label them Y. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5790 |
| |
| i. |
| |
| Set X = DAA_generic_S1 |
| |
| 5791 |
| |
| j. |
| |
| Set n = DAA_generic_n |
| |
| 5792 |
| |
| k. Set Z = DAA_session -> DAA_scratch |
| |
| 5793 |
| |
| l. |
| |
| 5794 |
| |
| m. set outputData = DAA_session -> DAA_scratch |
| |
| 5795 |
| |
| n. set DAA_session -> DAA_scratch = NULL |
| |
| 5796 |
| |
| o. increment DAA_session -> DAA_stage by 1 |
| |
| 5797 |
| |
| p. return TPM_SUCCESS |
| |
| “r4” || |
| |
| Set DAA_session -> DAA_scratch = Z*(X^Y) mod n |
| |
| 579810.If stage==6 |
| 5799 |
| 5800 |
| |
| a. Verify that DAA_session ->DAA_stage==6. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5801 |
| 5802 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5803 |
| 5804 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5805 |
| |
| d. Set DAA_generic_gammma = inputData0 |
| |
| 5806 |
| 5807 |
| |
| e. Verify |
| that |
| SHA-1(DAA_generic_gamma) |
| == |
| DAA_issuerSettings |
| DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5808 |
| 5809 |
| |
| f. Verify that inputSize1 == DAA_SIZE_w and return error TPM_DAA_INPUT_DATA1 on |
| mismatch |
| |
| 5810 |
| |
| g. Set w = inputData1 |
| |
| 5811 |
| |
| h. Set w1 = w^( DAA_issuerSettings -> DAA_generic_q) mod (DAA_generic_gamma) |
| |
| 5812 |
| |
| i. |
| |
| If w1 != 1 (unity), return error TPM_DAA_WRONG_W |
| |
| 5813 |
| |
| j. |
| |
| Set DAA_session -> DAA_scratch = w |
| |
| 5814 |
| |
| k. set outputData = NULL |
| |
| 5815 |
| |
| l. |
| |
| 5816 |
| |
| m. return TPM_SUCCESS. |
| |
| -> |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 581711.If stage==7 |
| 5818 |
| 5819 |
| |
| a. Verify that DAA_session ->DAA_stage==7. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5820 |
| 5821 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 1344 |
| 1345 |
| |
| 288 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1346TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1347Specification Version 1.2 |
| |
| 5822 |
| 5823 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5824 |
| |
| d. Set DAA_generic_gamma = inputData0 |
| |
| 5825 |
| 5826 |
| |
| e. Verify |
| that |
| SHA-1(DAA_generic_gamma) |
| == |
| DAA_issuerSettings |
| DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5827 |
| 5828 |
| 5829 |
| |
| f. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || |
| 0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) |
| mod DAA_issuerSettings -> DAA_generic_q. |
| |
| 5830 |
| |
| g. Set E = ((DAA_session -> DAA_scratch)^f) mod (DAA_generic_gamma). |
| |
| 5831 |
| |
| h. Set outputData = E |
| |
| 5832 |
| |
| i. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5833 |
| |
| j. |
| |
| return TPM_SUCCESS. |
| |
| -> |
| |
| 583412.If stage==8 |
| 5835 |
| 5836 |
| |
| a. Verify that DAA_session ->DAA_stage==8. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5837 |
| 5838 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5839 |
| 5840 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5841 |
| |
| d. Set DAA_generic_gamma = inputData0 |
| |
| 5842 |
| 5843 |
| |
| e. Verify |
| that |
| SHA-1(DAA_generic_gamma) |
| == |
| DAA_issuerSettings |
| DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5844 |
| 5845 |
| |
| f. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them r0. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| “r0” || |
| |
| 5846 |
| 5847 |
| |
| g. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them r1. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| “r1” || |
| |
| 5848 |
| |
| h. set r = r0 + 2^DAA_power0 * r1 mod (DAA_issuerSettings -> DAA_generic_q). |
| |
| 5849 |
| |
| i. |
| |
| Set E1 = ((DAA_session -> DAA_scratch)^r) mod (DAA_generic_gamma) |
| |
| 5850 |
| |
| j. |
| |
| Set DAA_session -> DAA_scratch = NULL |
| |
| 5851 |
| |
| k. Set outputData = E1 |
| |
| 5852 |
| |
| l. |
| |
| 5853 |
| |
| m. return TPM_SUCCESS. |
| |
| -> |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 585413.If stage==9 |
| 5855 |
| 5856 |
| |
| a. Verify that DAA_session ->DAA_stage==9. Return TPM_DAA_STAGE and flush handle |
| on mismatch |
| |
| 5857 |
| 5858 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 1348Level 2 Revision 116 28 February 2011 |
| 1349 |
| |
| 289 |
| TCG Published |
| |
| 1350Copyright © TCG |
| 1351 |
| 1352 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5859 |
| 5860 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5861 |
| 5862 |
| |
| d. Verify |
| that |
| inputSize0 |
| == |
| TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5863 |
| |
| e. Set DAA_session -> DAA_digest = inputData0 |
| |
| 5864 |
| |
| f. Obtain DAA_SIZE_NT bytes from the RNG and label them NT |
| |
| 5865 |
| |
| g. Set DAA_session -> DAA_digest to the SHA-1 ( DAA_session -> DAA_digest || NT ) |
| |
| 5866 |
| |
| h. Set outputData = NT |
| |
| 5867 |
| |
| i. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5868 |
| |
| j. |
| |
| return TPM_SUCCESS. |
| |
| sizeOf(TPM_DIGEST) |
| |
| and |
| |
| return |
| |
| error |
| |
| 586914.If stage==10 |
| 5870 |
| 5871 |
| |
| a. Verify that DAA_session ->DAA_stage==10. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5872 |
| 5873 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5874 |
| 5875 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5876 |
| 5877 |
| |
| d. Verify that inputSize0 == sizeOf(BYTE), and return error TPM_DAA_INPUT_DATA0 on |
| mismatch |
| |
| 5878 |
| 5879 |
| |
| e. Set selector = inputData0, verify that selector == 0 or 1, and return error |
| TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5880 |
| 5881 |
| |
| f. If selector == 1, verify that inputSize1 == sizeOf(TPM_DIGEST), and return error |
| TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5882 |
| 5883 |
| |
| g. Set DAA_session -> DAA_digest to SHA-1 (DAA_session -> DAA_digest || 1 || |
| inputData1) |
| |
| 5884 |
| 5885 |
| |
| h. If selector == 0, verify that inputData1 is a handle to a TPM identity key (AIK), and |
| return error TPM_DAA_INPUT_DATA1 on mismatch |
| |
| 5886 |
| 5887 |
| |
| i. Set DAA_session -> DAA_digest to SHA-1 (DAA_session -> DAA_digest || 0 || n2) |
| where n2 is the modulus of the AIK |
| |
| 5888 |
| |
| j. |
| |
| 5889 |
| |
| k. increment DAA_session -> DAA_stage by 1 |
| |
| 5890 |
| |
| l. |
| |
| Set outputData = DAA_session -> DAA_digest |
| return TPM_SUCCESS. |
| |
| 589115.If stage==11 |
| 5892 |
| 5893 |
| |
| a. Verify that DAA_session ->DAA_stage==11. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5894 |
| 5895 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 1353 |
| 1354 |
| |
| 290 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1355TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1356Specification Version 1.2 |
| |
| 5896 |
| 5897 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5898 |
| 5899 |
| |
| d. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them r0. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5900 |
| 5901 |
| 5902 |
| |
| e. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || |
| 0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) |
| mod DAA_issuerSettings -> DAA_generic_q. |
| |
| 5903 |
| |
| f. Set f0 = f mod 2^DAA_power0 (erase all but the lowest DAA_power0 bits of f) |
| |
| 5904 |
| |
| g. Set s0 = r0 + (DAA_session -> DAA_digest)*(f0) |
| |
| 5905 |
| |
| h. set outputData = s0 |
| |
| 5906 |
| |
| i. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5907 |
| |
| j. |
| |
| return TPM_SUCCESS |
| |
| “r0” || |
| |
| 590816.If stage==12 |
| 5909 |
| 5910 |
| |
| a. Verify that DAA_session ->DAA_stage==12. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5911 |
| 5912 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5913 |
| 5914 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5915 |
| 5916 |
| |
| d. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them r1. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5917 |
| 5918 |
| 5919 |
| |
| e. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || |
| 0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) |
| mod DAA_issuerSettings -> DAA_generic_q. |
| |
| 5920 |
| 5921 |
| |
| f. Shift f right by DAA_power0 bits (discard the lowest DAA_power0 bits) and label the |
| result f1 |
| |
| 5922 |
| |
| g. Set s1 = r1 + (DAA_session -> DAA_digest)*(f1) |
| |
| 5923 |
| |
| h. set outputData = s1 |
| |
| 5924 |
| |
| i. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5925 |
| |
| j. |
| |
| return TPM_SUCCESS |
| |
| “r1” || |
| |
| 592617.If stage==13 |
| 5927 |
| 5928 |
| |
| a. Verify that DAA_session ->DAA_stage==13. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5929 |
| 5930 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5931 |
| 5932 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5933 |
| 5934 |
| |
| d. Set DAA_private_v0= |
| daaBlobKey |
| |
| unwrap(inputData0) |
| |
| 1357Level 2 Revision 116 28 February 2011 |
| 1358 |
| |
| 291 |
| TCG Published |
| |
| using |
| |
| TPM_PERMANENT_DATA |
| |
| -> |
| |
| 1359Copyright © TCG |
| 1360 |
| 1361 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 5935 |
| 5936 |
| |
| e. Verify that SHA-1(DAA_private_v0) == DAA_tpmSpecific -> DAA_digest_v0 and return |
| error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5937 |
| 5938 |
| |
| f. Obtain DAA_SIZE_r2 bytes from the MGF1 function and label them r2. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5939 |
| 5940 |
| |
| g. Set s2 = r2 + (DAA_session -> DAA_digest)*( DAA_private_v0) mod 2^DAA_power1 |
| (erase all but the lowest DAA_power1 bits of s2) |
| |
| 5941 |
| |
| h. set outputData = s2 |
| |
| 5942 |
| |
| i. |
| |
| increment DAA_session -> DAA_stage by 1 |
| |
| 5943 |
| |
| j. |
| |
| return TPM_SUCCESS |
| |
| “r2” || |
| |
| 594418.If stage==14 |
| 5945 |
| 5946 |
| |
| a. Verify that DAA_session ->DAA_stage==14. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5947 |
| 5948 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5949 |
| 5950 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5951 |
| 5952 |
| |
| d. Set DAA_private_v0= |
| daaBlobKey |
| |
| 5953 |
| 5954 |
| |
| e. Verify that SHA-1(DAA_private_v0) == DAA_tpmSpecific -> DAA_digest_v0 and return |
| error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5955 |
| 5956 |
| |
| f. Obtain DAA_SIZE_r2 bytes using the MGF1 function and label them r2. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5957 |
| |
| g. Set s12 = r2 + (DAA_session -> DAA_digest)*(DAA_private_v0). |
| |
| 5958 |
| |
| h. Shift s12 right by DAA_power1 bits (erase the lowest DAA_power1 bits). |
| |
| 5959 |
| |
| i. |
| |
| Set DAA_session -> DAA_scratch = s12 |
| |
| 5960 |
| |
| j. |
| |
| set outputData = NULL |
| |
| 5961 |
| |
| k. increment DAA_session -> DAA_stage by 1 |
| |
| 5962 |
| |
| l. |
| |
| unwrap(inputData0) |
| |
| using |
| |
| TPM_PERMANENT_DATA |
| |
| -> |
| |
| “r2” || |
| |
| return TPM_SUCCESS |
| |
| 596319.If stage==15 |
| 5964 |
| 5965 |
| |
| a. Verify that DAA_session ->DAA_stage==15. Return TPM_DAA_STAGE and flush |
| handle on mismatch |
| |
| 5966 |
| 5967 |
| |
| b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and |
| return error TPM_DAA_ISSUER_SETTINGS on mismatch |
| |
| 5968 |
| 5969 |
| |
| c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and |
| return error TPM_DAA_TPM_SETTINGS on mismatch |
| |
| 5970 |
| 5971 |
| |
| d. Set DAA_private_v1 = unwrap(inputData0) using |
| daaBlobKey |
| |
| 1362 |
| 1363 |
| |
| 292 |
| |
| TPM_PERMANENT_DATA |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| -> |
| |
| 1364TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1365Specification Version 1.2 |
| |
| 5972 |
| 5973 |
| |
| e. Verify that SHA-1(DAA_private_v1) == DAA_tpmSpecific -> DAA_digest_v1 and return |
| error TPM_DAA_INPUT_DATA0 on mismatch |
| |
| 5974 |
| 5975 |
| |
| f. Obtain DAA_SIZE_r4 bytes using the MGF1 function and label them r4. |
| DAA_session -> DAA_contextSeed is the Z seed. |
| |
| 5976 |
| 5977 |
| |
| g. Set s3 = r4 + (DAA_session -> DAA_digest)*(DAA_private_v1) + (DAA_session -> |
| DAA_scratch). |
| |
| 5978 |
| |
| h. Set DAA_session -> DAA_scratch = NULL |
| |
| 5979 |
| |
| i. |
| |
| 5980 |
| 5981 |
| |
| j. Terminate the DAA session and all resources associated with the DAA sign session |
| handle. |
| |
| 5982 |
| |
| k. return TPM_SUCCESS |
| |
| “r4” || |
| |
| set outputData = s3 |
| |
| 598320.If stage > 15, return error: TPM_DAA_STAGE |
| |
| 1366Level 2 Revision 116 28 February 2011 |
| 1367 |
| |
| 293 |
| TCG Published |
| |
| 1368Copyright © TCG |
| 1369 |
| 1370 |
| |
| 598427. |
| Deprecated |
| 5985Start of informative comment: |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| commands |
| |
| 5986This section covers the commands that were in version 1.1 but now have new functionality |
| 5987in other functions. The deprecated commands are still available in 1.2 but all new software |
| 5988should use the new functionality. |
| 5989There is no requirement that the deprecated commands work with new structures. |
| 5990End of informative comment. |
| 59911. Commands deprecated in version 1.2 MUST work with version 1.1 structures |
| 59922. Commands deprecated in version 1.2 MAY work with version 1.2 structures |
| |
| 1371 |
| 1372 |
| |
| 294 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1373TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1374Specification Version 1.2 |
| |
| 599327.1 |
| |
| Key commands |
| |
| 5994Start of informative comment: |
| 5995The key commands are deprecated as the new way to handle keys is to use the standard |
| 5996context commands. So TPM_EvictKey is now handled by TPM_FlushSpecific, |
| 5997TPM_Terminate_Handle by TPM_FlushSpecific. |
| 5998End of informative comment. |
| 599927.1.1 |
| |
| TPM_EvictKey |
| |
| 6000Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_EvictKey |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| evictHandle |
| |
| The handle of the key to be evicted. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 6001Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_EvictKey |
| |
| 6002Actions |
| 6003The TPM will invalidate the key stored in the specified handle and return the space to the |
| 6004available internal pool for subsequent query by TPM_GetCapability and usage by |
| 6005TPM_LoadKey. If the specified key handle does not correspond to a valid key, an error will |
| 6006be returned. |
| 6007New 1.2 functionality |
| 6008The command must check the status of the ownerEvict flag for the key and if the flag is |
| 6009TRUE return TPM_KEY_CONTROL_OWNER |
| |
| 1375Level 2 Revision 116 28 February 2011 |
| 1376 |
| |
| 295 |
| TCG Published |
| |
| 1377Copyright © TCG |
| 1378 |
| 1379 |
| |
| 601027.1.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_Terminate_Handle |
| |
| 6011Start of informative comment: |
| 6012This allows the TPM manager to clear out information in a session handle. |
| 6013The TPM may maintain the authorization session even though a key attached to it has been |
| 6014unloaded or the authorization session itself has been unloaded in some way. When a |
| 6015command is executed that requires this session, it is the responsibility of the external |
| 6016software to load both the entity and the authorization session information prior to |
| 6017command execution. |
| 6018End of informative comment. |
| 6019Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Terminate_Handle. |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| handle |
| |
| The handle to terminate |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 6020Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Terminate_Handle. |
| |
| 6021Description |
| 6022The TPM SHALL terminate the session and destroy all data associated with the session |
| 6023indicated. |
| 6024Actions |
| 6025A TPM SHALL unilaterally perform the actions of TPM_Terminate_Handle upon detection of |
| 6026the following events: |
| 60271. Completion of a received command whose authorization “continueUse” flag is FALSE. |
| 60282. Completion of a received command when a shared secret derived from the authorization |
| 6029 |
| session was exclusive-or’ed with data (to provide confidentiality for that data). This |
| 6030 |
| occurs during execution of a TPM_ChangeAuth command, for example. |
| 60313. When the associated entity is destroyed (in the case of TPM Owner or SRK, for example) |
| 60324. Upon execution of TPM_Init |
| |
| 1380 |
| 1381 |
| |
| 296 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1382TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1383Specification Version 1.2 |
| |
| 60335. When the command returns an error. This is due to the fact that when returning an |
| 6034 |
| error the TPM does not send back nonceEven. There is no way to maintain the rolling |
| 6035 |
| nonces, hence the TPM MUST terminate the authorization session. |
| 60366. Failure of an authorization check belonging to that authorization session. |
| |
| 1384Level 2 Revision 116 28 February 2011 |
| 1385 |
| |
| 297 |
| TCG Published |
| |
| 1386Copyright © TCG |
| 1387 |
| 1388 |
| |
| 603727.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Context management |
| |
| 6038Start of informative comment: |
| 6039The 1.1 context commands were written for specific resource types. The 1.2 commands are |
| 6040generic for all resource types. So the Savexxx commands are replaced by TPM_SaveContext |
| 6041and the LoadXXX commands by TPM_LoadContext. |
| 6042End of informative comment. |
| 604327.2.1 |
| |
| TPM_SaveKeyContext |
| |
| 6044Start of informative comment: |
| 6045TPM_SaveKeyContext saves a loaded key outside the TPM. After creation of the key context |
| 6046blob the TPM automatically releases the internal memory used by that key. The format of |
| 6047the key context blob is specific to a TPM. |
| 6048End of informative comment. |
| 6049Incoming Operands and Sizes |
| PARAM |
| # |
| |
| SZ |
| |
| 1 |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| Description |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SaveKeyContext |
| |
| TPM_KEY_HANDLE |
| |
| SZ |
| |
| Name |
| |
| 4 |
| |
| 3 |
| |
| # |
| |
| Type |
| |
| 2 |
| |
| 2 |
| |
| HMAC |
| |
| keyHandle |
| |
| The key which will be kept outside the TPM |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 6050Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SaveKeyContext |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| keyContextSize |
| |
| The actual size of the outgoing key context blob. If the command fails the value |
| will be 0 |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[] |
| |
| keyContextBlob |
| |
| The key context blob. |
| |
| 6051Description |
| 60521. This command allows saving a loaded key outside the TPM. After creation of the |
| 6053 |
| keyContextBlob, the TPM automatically releases the internal memory used by that key. |
| 6054 |
| The format of the key context blob is specific to a TPM. |
| 60552. |
| 6056 |
| 6057 |
| 6058 |
| 1389 |
| 1390 |
| |
| A TPM protected capability belonging to the TPM that created a key context blob MUST |
| be the only entity that can interpret the contents of that blob. If a cryptographic |
| technique is used for this purpose, the level of security provided by that technique |
| SHALL be at least as secure as a 2048 bit RSA algorithm. Any secrets (such as keys) |
| 298 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1391TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1392Specification Version 1.2 |
| |
| 6059 |
| 6060 |
| 6061 |
| |
| used in such a cryptographic technique MUST be generated using the TPM’s random |
| number generator. Any symmetric key MUST be used within the power-on session |
| during which it was created, only. |
| |
| 60623. A key context blob SHALL enable verification of the integrity of the contents of the blob |
| 6063 |
| by a TPM protected capability. |
| 60644. A key context blob SHALL enable verification of the session validity of the contents of the |
| 6065 |
| blob by a TPM protected capability. The method SHALL ensure that all key context blobs |
| 6066 |
| are rendered invalid if power to the TPM is interrupted. |
| |
| 1393Level 2 Revision 116 28 February 2011 |
| 1394 |
| |
| 299 |
| TCG Published |
| |
| 1395Copyright © TCG |
| 1396 |
| 1397 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 6067 |
| 606827.2.2 |
| |
| TPM_LoadKeyContext |
| |
| 6069Start of informative comment: |
| 6070TPM_LoadKeyContext loads a key context blob into the TPM previously retrieved by a |
| 6071TPM_SaveKeyContext call. After successful completion the handle returned by this |
| 6072command can be used to access the key. |
| 6073End of informative comment. |
| 6074Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadKeyContext |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| UINT32 |
| |
| keyContextSize |
| |
| The size of the following key context blob. |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| BYTE[] |
| |
| keyContextBlob |
| |
| The key context blob. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 6075Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadKeyContext |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| The handle assigned to the key after it has been successfully loaded. |
| |
| 4 |
| |
| 6076Description |
| 60771. This command allows loading a key context blob into the TPM previously retrieved by a |
| 6078 |
| TPM_SaveKeyContext call. After successful completion the handle returned by this |
| 6079 |
| command can be used to access the key. |
| 60802. The contents of a key context blob SHALL be discarded unless the contents have passed |
| 6081 |
| an integrity test. This test SHALL (statistically) prove that the contents of the blob are |
| 6082 |
| the same as when the blob was created. |
| 60833. The contents of a key context blob SHALL be discarded unless the contents have passed |
| 6084 |
| a session validity test. This test SHALL (statistically) prove that the blob was created by |
| 6085 |
| this TPM during this power-on session. |
| |
| 1398 |
| 1399 |
| |
| 300 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1400TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1401Specification Version 1.2 |
| |
| 6086 |
| 608727.2.3 |
| |
| TPM_SaveAuthContext |
| |
| 6088Start of informative comment: |
| 6089TPM_SaveAuthContext saves a loaded authorization session outside the TPM. After creation |
| 6090of the authorization context blob, the TPM automatically releases the internal memory used |
| 6091by that session. The format of the authorization context blob is specific to a TPM. |
| 6092End of informative comment. |
| 6093Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SaveAuthContext |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| Authorization session which will be kept outside the TPM |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 6094Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_SaveAuthContext |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| authContextSize |
| |
| The actual size of the outgoing authorization context blob. If the command fails |
| the value will be 0. |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| 4 |
| |
| BYTE[] |
| |
| authContextBlob |
| |
| The authorization context blob. |
| |
| 6095Description |
| 6096This command allows saving a loaded authorization session outside the TPM. After creation |
| 6097of the authContextBlob, the TPM automatically releases the internal memory used by that |
| 6098session. The format of the authorization context blob is specific to a TPM. |
| 6099A TPM protected capability belonging to the TPM that created an authorization context blob |
| 6100MUST be the only entity that can interpret the contents of that blob. If a cryptographic |
| 6101technique is used for this purpose, the level of security provided by that technique SHALL |
| 6102be at least as secure as a 2048 bit RSA algorithm. Any secrets (such as keys) used in such a |
| 6103cryptographic technique MUST be generated using the TPM’s random number generator. |
| 6104Any symmetric key MUST be used within the power-on session during which it was created, |
| 6105only. |
| 6106An authorization context blob SHALL enable verification of the integrity of the contents of |
| 6107the blob by a TPM protected capability. |
| |
| 1402Level 2 Revision 116 28 February 2011 |
| 1403 |
| |
| 301 |
| TCG Published |
| |
| 1404Copyright © TCG |
| 1405 |
| 1406 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 6108An authorization context blob SHALL enable verification of the session validity of the |
| 6109contents of the blob by a TPM protected capability. The method SHALL ensure that all |
| 6110authorization context blobs are rendered invalid if power to the TPM is interrupted. |
| 611127.2.4 |
| |
| TPM_LoadAuthContext |
| |
| 6112Start of informative comment: |
| 6113TPM_LoadAuthContext loads an authorization context blob into the TPM previously |
| 6114retrieved by a TPM_SaveAuthContext call. After successful completion, the handle returned |
| 6115by this command can be used to access the authorization session. |
| 6116End of informative comment. |
| 6117Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Name |
| |
| Description |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| UINT32 |
| |
| # |
| |
| Type |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadAuthContext |
| |
| 4 |
| |
| UINT32 |
| |
| authContextSize |
| |
| The size of the following authorization context blob. |
| |
| <> |
| |
| BYTE[] |
| |
| authContextBlob |
| |
| The authorization context blob. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| 2 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 5 |
| |
| <> |
| |
| 3S |
| |
| 6118Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadAuthContext |
| |
| TPM_KEY_HANDLE |
| |
| authHandle |
| |
| The handle assigned to the authorization session after it has been successfully |
| loaded. |
| |
| 4 |
| |
| 6119Description |
| 6120This command allows loading an authorization context blob into the TPM previously |
| 6121retrieved by a TPM_SaveAuthContext call. After successful completion, the handle returned |
| 6122by this command can be used to access the authorization session. |
| 6123The contents of an authorization context blob SHALL be discarded unless the contents have |
| 6124passed an integrity test. This test SHALL (statistically) prove that the contents of the blob |
| 6125are the same as when the blob was created. |
| 6126The contents of an authorization context blob SHALL be discarded unless the contents have |
| 6127passed a session validity test. This test SHALL (statistically) prove that the blob was created |
| 6128by this TPM during this power-on session. |
| 6129For an OSAP authorization context blob referring to a key, verify that the key linked to this |
| 6130session is resident in the TPM. |
| 1407 |
| 1408 |
| |
| 302 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1409TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1410Specification Version 1.2 |
| |
| 6131 |
| |
| 1411Level 2 Revision 116 28 February 2011 |
| 1412 |
| |
| 303 |
| TCG Published |
| |
| 1413Copyright © TCG |
| 1414 |
| 1415 |
| |
| 613227.3 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| DIR commands |
| |
| 6133Start of informative comment: |
| 6134The DIR commands are replaced by the NV storage commands. |
| 6135The DIR [0] in 1.1 is now TPM_PERMANENT_DATA -> authDIR[0] and is always available for |
| 6136the TPM to use. It is accessed by DIR commands using dirIndex 0 and by NV commands |
| 6137using nvIndex TPM_NV_INDEX_DIR. |
| 6138If the TPM vendor supports additional DIR registers, the TPM vendor may return errors or |
| 6139provide vendor specific mappings for those DIR registers to NV storage locations. |
| 6140End of informative comment. |
| 61411. A dirIndex value of 0 MUST corresponds to an NV storage nvIndex value |
| 6142 |
| TPM_NV_INDEX_DIR. |
| 61432. The TPM vendor MAY return errors or MAY provide vendor specific mappings for DIR |
| 6144 |
| dirIndex values greater than 0 to NV storage locations. |
| |
| 1416 |
| 1417 |
| |
| 304 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1418TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1419Specification Version 1.2 |
| |
| 614527.3.1 |
| |
| TPM_DirWriteAuth |
| |
| 6146Start of informative comment: |
| 6147The TPM_DirWriteAuth operation provides write access to the Data Integrity Registers. DIRs |
| 6148are non-volatile memory registers held in a TPM-shielded location. Owner authentication is |
| 6149required to authorize this action. |
| 6150Access is also provided through the NV commands with nvIndex TPM_NV_INDEX_DIR. |
| 6151Owner authorization is not required when nvLocked is FALSE. |
| 6152Version 1.2 requires only one DIR. If the DIR named does not exist, the TPM_DirWriteAuth |
| 6153operation returns TPM_BADINDEX. |
| 6154End of informative comment. |
| 6155Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DirWriteAuth. |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| TPM_DIRINDEX |
| |
| dirIndex |
| |
| Index of the DIR |
| |
| 5 |
| |
| 20 |
| |
| 3S |
| |
| 20 |
| |
| TPM_DIRVALUE |
| |
| newContents |
| |
| New value to be stored in named DIR |
| |
| 6 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for command. |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 7 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 8 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 9 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs. HMAC key: ownerAuth. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 6156Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DirWriteAuth |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth. |
| |
| 20 |
| |
| 6157Actions |
| |
| 1420Level 2 Revision 116 28 February 2011 |
| 1421 |
| |
| 305 |
| TCG Published |
| |
| 1422Copyright © TCG |
| 1423 |
| 1424 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 61581. Validate that authHandle contains a TPM Owner AuthData to execute the |
| 6159 |
| TPM_DirWriteAuth command |
| 61602. Validate that dirIndex points to a valid DIR on this TPM |
| 61613. Write newContents into the DIR pointed to by dirIndex |
| |
| 1425 |
| 1426 |
| |
| 306 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1427TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1428Specification Version 1.2 |
| |
| 6162 |
| 616327.3.2 |
| |
| TPM_DirRead |
| |
| 6164Start of informative comment: |
| 6165The TPM_DirRead operation provides read access to the DIRs. No authentication is required |
| 6166to perform this action because typically no cryptographically useful AuthData is available |
| 6167early in boot. TSS implementers may choose to provide other means of authorizing this |
| 6168action. Version 1.2 requires only one DIR. If the DIR named does not exist, the |
| 6169TPM_DirRead operation returns TPM_BADINDEX. |
| 6170End of informative comment. |
| 6171Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| 2 |
| |
| 4 |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| 4 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| Name |
| |
| Description |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| UINT32 |
| |
| SZ |
| |
| Type |
| |
| # |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DirRead. |
| |
| TPM_DIRINDEX |
| |
| dirIndex |
| |
| Index of the DIR to be read |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 6172Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 20 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DirRead. |
| |
| 3S |
| |
| 20 |
| |
| TPM_DIRVALUE |
| |
| dirContents |
| |
| The current contents of the named DIR |
| |
| 6173Actions |
| 61741. Validate that dirIndex points to a valid DIR on this TPM |
| 61752. Return the contents of the DIR in dirContents |
| |
| 1429Level 2 Revision 116 28 February 2011 |
| 1430 |
| |
| 307 |
| TCG Published |
| |
| 1431Copyright © TCG |
| 1432 |
| 1433 |
| |
| 617627.4 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| Change Auth |
| |
| 6177Start of informative comment: |
| 6178The change auth commands can be duplicated by creating a transport session with |
| 6179confidentiality and issuing the changeAuth command. |
| 6180End of informative comment. |
| |
| 1434 |
| 1435 |
| |
| 308 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1436TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1437Specification Version 1.2 |
| |
| 6181 |
| 618227.4.1 |
| |
| TPM_ChangeAuthAsymStart |
| |
| 6183Start of informative comment: |
| 6184The TPM_ChangeAuthAsymStart starts the process of changing AuthData for an entity. It |
| 6185sets up an OIAP session that must be retained for use by its twin |
| 6186TPM_ChangeAuthAsymFinish command. |
| 6187TPM_ChangeAuthAsymStart creates a temporary asymmetric public key “tempkey” to |
| 6188provide confidentiality for new AuthData to be sent to the TPM. TPM_ChangeAuthAsymStart |
| 6189certifies that tempkey was generated by a genuine TPM, by generating a certifyInfo |
| 6190structure that is signed by a TPM identity. The owner of that TPM identity must cooperate |
| 6191to produce this command, because TPM_ChangeAuthAsymStart requires authorization to |
| 6192use that identity. |
| 6193It is envisaged that tempkey and certifyInfo are given to the owner of the entity whose |
| 6194authorization |
| is |
| to |
| be |
| changed. |
| That |
| owner |
| uses |
| certifyInfo |
| and |
| a |
| 6195TPM_IDENTITY_CREDENTIAL to verify that tempkey was generated by a genuine TPM. This |
| 6196is done by verifying the TPM_IDENTITY_CREDENTIAL using the public key of a CA, |
| 6197verifying the signature on the certifyInfo structure with the public key of the identity in |
| 6198TPM_IDENTITY_CREDENTIAL, and verifying tempkey by comparing its digest with the value |
| 6199inside certifyInfo. The owner uses tempkey to encrypt the desired new AuthData and inserts |
| 6200that encrypted data in a TPM_ChangeAuthAsymFinish command, in the knowledge that |
| 6201only a TPM with a specific identity can interpret the new AuthData. |
| 6202End of informative comment. |
| 6203Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ChangeAuthAsymStart. |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| idHandle |
| |
| The keyHandle identifier of a loaded identity ID key |
| |
| 5 |
| |
| 20 |
| |
| 2s |
| |
| 20 |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| The nonce to be inserted into the certifyInfo structure |
| |
| 6 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_KEY_PARMS |
| |
| tempKey |
| |
| Structure contains all parameters of ephemeral key. |
| |
| 7 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for idHandle authorization. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 8 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 9 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 10 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| idAuth |
| |
| Authorization. HMAC key: idKey.usageAuth. |
| |
| 1438Level 2 Revision 116 28 February 2011 |
| 1439 |
| |
| 309 |
| TCG Published |
| |
| 1440Copyright © TCG |
| 1441 |
| 1442 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 6204Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ChangeAuthAsymStart |
| |
| 7 |
| |
| 95 |
| |
| 3S |
| |
| 95 |
| |
| TPM_CERTIFY_INFO |
| |
| certifyInfo |
| |
| The certifyInfo structure that is to be signed. |
| |
| 8 |
| |
| 4 |
| |
| 4S |
| |
| 4 |
| |
| UINT32 |
| |
| sigSize |
| |
| The used size of the output area for the signature |
| |
| 9 |
| |
| <> |
| |
| 5S |
| |
| <> |
| |
| BYTE[ ] |
| |
| sig |
| |
| The signature of the certifyInfo parameter. |
| |
| 10 |
| |
| 4 |
| |
| 6s |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| ephHandle |
| |
| The keyHandle identifier to be used by ChangeAuthAsymFinish for the |
| ephemeral key |
| |
| 11 |
| |
| <> |
| |
| 7S |
| |
| <> |
| |
| TPM_KEY |
| |
| tempKey |
| |
| Structure containing all parameters and public part of ephemeral key. TPM_KEY.encSize is set to 0. |
| |
| 12 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| Authorization. HMAC key: idKey.usageAuth. |
| |
| 13 |
| |
| 1 |
| |
| 14 |
| |
| 20 |
| |
| 6205Actions |
| 62061. The TPM SHALL verify the AuthData to use the TPM identity key held in idHandle. The |
| 6207 |
| TPM MUST verify that the key is a TPM identity key. |
| 62082. The TPM SHALL validate the algorithm parameters for the key to create from the |
| 6209 |
| tempKey parameter. |
| 62103. Recommended key type is RSA |
| 62114. Minimum RSA key size MUST is 512 bits, recommended RSA key size is 1024 |
| 62125. For other key types the minimum key size strength MUST be comparable to RSA 512 |
| 62136. If the TPM is not designed to create a key of the requested type, return the error code |
| 6214 |
| TPM_BAD_KEY_PROPERTY |
| 62157. The TPM SHALL create a new key (k1) in accordance with the algorithm parameter. The |
| 6216 |
| newly created key is pointed to by ephHandle. |
| 62178. The TPM SHALL fill in all fields in tempKey using k1 for the information. The TPM_KEY |
| 6218 |
| -> encSize MUST be 0. |
| 62199. The TPM SHALL fill in certifyInfo using k1 for the information. The certifyInfo -> data |
| 6220 |
| field is supplied by the antiReplay. |
| 622110.The TPM then signs the certifyInfo parameter using the key pointed to by idHandle. The |
| 6222 |
| resulting signed blob is returned in sig parameter |
| |
| 1443 |
| 1444 |
| |
| 310 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1445TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1446Specification Version 1.2 |
| |
| 6223Field Descriptions for certifyInfo parameter |
| Type |
| |
| Name |
| |
| Description |
| |
| TPM_VERSION |
| |
| Version |
| |
| TPM version structure; Part 2 TPM_VERSION |
| |
| keyFlags |
| |
| Redirection |
| |
| This SHALL be set to FALSE |
| |
| Migratable |
| |
| This SHALL be set to FALSE |
| |
| Volatile |
| |
| This SHALL be set to TRUE |
| |
| TPM_AUTH_DATA_USAGE |
| |
| authDataUsage |
| |
| This SHALL be set to TPM_AUTH_NEVER |
| |
| TPM_KEY_USAGE |
| |
| KeyUsage |
| |
| This SHALL be set to TPM_KEY_AUTHCHANGE |
| |
| UINT32 |
| |
| PCRInfoSize |
| |
| This SHALL be set to 0 |
| |
| TPM_DIGEST |
| |
| pubDigest |
| |
| This SHALL be the hash of the public key being certified. |
| |
| TPM_NONCE |
| |
| Data |
| |
| This SHALL be set to antiReplay |
| |
| TPM_KEY_PARMS |
| |
| info |
| |
| This specifies the type of key and its parameters. |
| |
| BOOL |
| |
| parentPCRStatus |
| |
| This SHALL be set to FALSE. |
| |
| 1447Level 2 Revision 116 28 February 2011 |
| 1448 |
| |
| 311 |
| TCG Published |
| |
| 1449Copyright © TCG |
| 1450 |
| 1451 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 6224 |
| 622527.4.2 |
| |
| TPM_ChangeAuthAsymFinish |
| |
| 6226Start of informative comment: |
| 6227The TPM_ChangeAuthAsymFinish command allows the owner of an entity to change the |
| 6228AuthData for the entity. |
| 6229The command requires the cooperation of the owner of the parent of the entity, since |
| 6230AuthData must be provided to use that parent entity. The command requires knowledge of |
| 6231the existing AuthData information and passes the new AuthData information. The |
| 6232newAuthLink parameter proves knowledge of existing AuthData information and new |
| 6233AuthData information. The new AuthData information “encNewAuth” is encrypted using the |
| 6234“tempKey” variable obtained via TPM_ChangeAuthAsymStart. |
| 6235A parent therefore retains control over a change in the AuthData of a child, but is prevented |
| 6236from knowing the new AuthData for that child. |
| 6237The changeProof parameter provides a proof that the new AuthData value was properly |
| 6238inserted into the entity. The inclusion of a nonce from the TPM provides an entropy source |
| 6239in the case where the AuthData value may be in itself be a low entropy value (hash of a |
| 6240password etc). |
| 6241 End of informative comment. |
| 6242Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ChangeAuthAsymFinish |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| parentHandle |
| |
| The keyHandle of the parent key for the input data |
| |
| 5 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| ephHandle |
| |
| The keyHandle identifier for the ephemeral key |
| |
| 6 |
| |
| 2 |
| |
| 3S |
| |
| 2 |
| |
| TPM_ENTITY_TYPE |
| |
| entityType |
| |
| The type of entity to be modified |
| |
| 7 |
| |
| 20 |
| |
| 4s |
| |
| 20 |
| |
| TPM_HMAC |
| |
| newAuthLink |
| |
| HMAC calculation that links the old and new AuthData values together |
| |
| 8 |
| |
| 4 |
| |
| 5S |
| |
| 4 |
| |
| UINT32 |
| |
| newAuthSize |
| |
| Size of encNewAuth |
| |
| 9 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| BYTE[ ] |
| |
| encNewAuth |
| |
| New AuthData encrypted with ephemeral key. |
| |
| 10 |
| |
| 4 |
| |
| 7S |
| |
| 4 |
| |
| UINT32 |
| |
| encDataSize |
| |
| The size of the inData parameter |
| |
| 11 |
| |
| <> |
| |
| 8S |
| |
| <> |
| |
| BYTE[ ] |
| |
| encData |
| |
| The encrypted entity that is to be modified. |
| |
| 12 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| Authorization for parent key. |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 13 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 14 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 15 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| privAuth |
| |
| The authorization session digest for inputs and parentHandle. HMAC key: |
| parentKey.usageAuth. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| 1S |
| |
| SZ |
| |
| 4 |
| |
| 6243 |
| 1452 |
| 1453 |
| |
| 312 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1454TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1455Specification Version 1.2 |
| |
| 6244Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_ChangeAuthAsymFinish |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| outDataSize |
| |
| The used size of the output area for outData |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| outData |
| |
| The modified, encrypted entity. |
| |
| 6 |
| |
| 20 |
| |
| 5s |
| |
| 20 |
| |
| TPM_NONCE |
| |
| saltNonce |
| |
| A nonce value from the TPM RNG to add entropy to the changeProof |
| value |
| |
| 7 |
| |
| <> |
| |
| 6S |
| |
| <> |
| |
| TPM_DIGEST |
| |
| changeProof |
| |
| Proof that AuthData has changed. |
| |
| 8 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| parentKey.usageAuth. |
| |
| 9 |
| |
| 1 |
| |
| 10 |
| |
| 20 |
| |
| 6245Description |
| 6246If the parentHandle points to the SRK then the HMAC key MUST be built using the TPM |
| 6247Owner authentication. |
| 6248Actions |
| 62491. The TPM SHALL validate that the authHandle parameter authorizes use of the key in |
| 6250 |
| parentHandle. |
| 62512. The encData field MUST be the encData field from TPM_STORED_DATA or TPM_KEY. |
| 62523. The TPM SHALL create e1 by decrypting the entity held in the encData parameter. |
| 62534. The TPM SHALL create a1 by decrypting encNewAuth using the ephHandle -> |
| 6254 |
| TPM_KEY_AUTHCHANGE |
| private |
| key. |
| a1 |
| is |
| a |
| structure |
| of |
| type |
| 6255 |
| TPM_CHANGEAUTH_VALIDATE. |
| 62565. |
| 6257 |
| 6258 |
| 6259 |
| |
| The TPM SHALL create b1 by performing the following HMAC calculation: b1 = HMAC |
| (a1 -> newAuthSecret). The secret for this calculation is encData -> currentAuth. This |
| means that b1 is a value built from the current AuthData value (encData -> |
| currentAuth) and the new AuthData value (a1 -> newAuthSecret). |
| |
| 62606. The TPM SHALL compare b1 with newAuthLink. The TPM SHALL indicate a failure if the |
| 6261 |
| values do not match. |
| 62627. The TPM SHALL replace e1 -> authData with a1 -> newAuthSecret |
| 62638. The TPM SHALL encrypt e1 using the appropriate functions for the entity type. The key |
| 6264 |
| to encrypt with is parentHandle. |
| 62659. The TPM SHALL create saltNonce by taking the next 20 bytes from the TPM RNG. |
| |
| 1456Level 2 Revision 116 28 February 2011 |
| 1457 |
| |
| 313 |
| TCG Published |
| |
| 1458Copyright © TCG |
| 1459 |
| 1460 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 626610.The TPM SHALL create changeProof a HMAC of (saltNonce concatenated with a1 -> n1) |
| 6267 |
| using a1 -> newAuthSecret as the HMAC secret. |
| 626811.The TPM MUST destroy the TPM_KEY_AUTHCHANGE key associated with the |
| 6269 |
| authorization session. |
| |
| 1461 |
| 1462 |
| |
| 314 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1463TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1464Specification Version 1.2 |
| |
| 627027.5 |
| |
| TPM_Reset |
| |
| 6271Start of informative comment: |
| 6272TPM_Reset releases all resources associated with existing authorization sessions. This is |
| 6273useful if a TSS driver has lost track of the state in the TPM. |
| 6274End of informative comment. |
| 6275Deprecated Command in 1.2 |
| 6276Incoming Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Reset. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 6277Outgoing Parameters and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_Reset. |
| |
| 6278Description |
| 6279This is a deprecated command in V1.2. This command in 1.1 only referenced authorization |
| 6280sessions and is not upgraded to affect any other TPM entity in 1.2 |
| 6281Actions |
| 62821. The TPM invalidates all resources allocated to authorization sessions as per version 1.1 |
| 6283 |
| extant in the TPM |
| 6284 |
| |
| a. This includes structures created by TPM_SaveAuthContext and TPM_SaveKeyContext |
| |
| 6285 |
| |
| b. The TPM MUST invalidate OSAP sessions |
| |
| 6286 |
| |
| c. The TPM MAY invalidate DSAP sessions |
| |
| 6287 |
| |
| d. The TPM MUST NOT invalidate structures created by TPM_SaveContext |
| |
| 62882. The TPM does not reset any PCR or DIR values. |
| 62893. The TPM does not reset any flags in the TPM_STCLEAR_FLAGS structure. |
| 62904. The TPM does not reset or invalidate any keys |
| |
| 1465Level 2 Revision 116 28 February 2011 |
| 1466 |
| |
| 315 |
| TCG Published |
| |
| 1467Copyright © TCG |
| 1468 |
| 1469 |
| |
| 629127.6 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_OwnerReadPubek |
| |
| 6292Start of informative comment: |
| 6293Return the endorsement key public portion. This is authorized by the TPM Owner. |
| 6294End of informative comment. |
| 6295Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OwnerReadPubek |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 5 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 6 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 7 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner authentication. |
| HMAC key: ownerAuth. |
| |
| 6296Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_OwnerReadPubek |
| |
| 4 |
| |
| <> |
| |
| 3S |
| |
| <> |
| |
| TPM_PUBKEY |
| |
| pubEndorsementKey |
| |
| The public endorsement key |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth. |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 6297Description |
| 6298This command returns the PUBEK. |
| 6299Actions |
| 6300The TPM_OwnerReadPubek command SHALL |
| 63011. Validate the TPM Owner AuthData to execute this command |
| 63022. Export the PUBEK |
| |
| 1470 |
| 1471 |
| |
| 316 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1472TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1473Specification Version 1.2 |
| |
| 630327.7 |
| |
| TPM_DisablePubekRead |
| |
| 6304Start of informative comment: |
| 6305The TPM Owner may wish to prevent any entity from reading the PUBEK. This command |
| 6306sets the non-volatile flag so that the TPM_ReadPubek command always returns |
| 6307TPM_DISABLED_CMD. |
| 6308This command has in essence been deprecated as TPM_TakeOwnership now sets the value |
| 6309to false. The command remains at this time for backward compatibility. |
| 6310End of informative comment. |
| 6311Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DisablePubekRead |
| |
| 4 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for owner authentication. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 4 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 5 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 6 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 7 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| ownerAuth |
| |
| The authorization session digest for inputs and owner authorization. |
| HMAC key: ownerAuth. |
| |
| 6312Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 5 |
| |
| 1 |
| |
| 6 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_DisablePubekRead |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| 4 |
| |
| 2S |
| 4 |
| |
| 1S |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| ownerAuth. |
| |
| 20 |
| |
| 6313Actions |
| 63141. This capability sets the TPM_PERMANENT_FLAGS -> readPubek flag to FALSE. |
| |
| 1474Level 2 Revision 116 28 February 2011 |
| 1475 |
| |
| 317 |
| TCG Published |
| |
| 1476Copyright © TCG |
| 1477 |
| 1478 |
| |
| 631527.8 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_LoadKey |
| |
| 6316Start of informative comment: |
| 6317Version 1.2 deprecates TPM_LoadKey due to the HMAC of the new key handle on return. |
| 6318The wrapping makes use of the handle difficult in an environment where the TSS, or other |
| 6319management entity, is changing the TPM handle to a virtual handle. |
| 6320Software using TPM_LoadKey on a 1.2 TPM can have a collision with the returned handle as |
| 6321the 1.2 TPM uses random values in the lower three bytes of the handle. All new software |
| 6322must use LoadKey2 to allow management software the ability to manage the key handle. |
| 6323Before the TPM can use a key to either wrap, unwrap, bind, unbind, seal, unseal, sign or |
| 6324perform any other action, it needs to be present in the TPM. The TPM_LoadKey function |
| 6325loads the key into the TPM for further use. |
| 6326The TPM assigns the key handle. The TPM always locates a loaded key by use of the handle. |
| 6327The assumption is that the handle may change due to key management operations. It is the |
| 6328responsibility of upper level software to maintain the mapping between handle and any |
| 6329label used by external software. |
| 6330This command has the responsibility of enforcing restrictions on the use of keys. For |
| 6331example, when attempting to load a STORAGE key it will be checked for the restrictions on |
| 6332a storage key (2048 size etc.). |
| 6333The load command must maintain a record of whether any previous key in the key |
| 6334hierarchy was bound to a PCR using parentPCRStatus. |
| 6335The flag parentPCRStatus enables the possibility of checking that a platform passed |
| 6336through some particular state or states before finishing in the current state. A grandparent |
| 6337key could be linked to state-1, a parent key could linked to state-2, and a child key could be |
| 6338linked to state-3, for example. The use of the child key then indicates that the platform |
| 6339passed through states 1 and 2 and is currently in state 3, in this example. TPM_Startup |
| 6340with stType == TPM_ST_CLEAR indicates that the platform has been reset, so the platform |
| 6341has not passed through the previous states. Hence keys with parentPCRStatus==TRUE |
| 6342must be unloaded if TPM_Startup is issued with stType == TPM_ST_CLEAR. |
| 6343If a TPM_KEY structure has been decrypted AND the integrity test using "pubDataDigest" |
| 6344has passed AND the key is non-migratory, the key must have been created by the TPM. So |
| 6345there is every reason to believe that the key poses no security threat to the TPM. While there |
| 6346is no known attack from a rogue migratory key, there is a desire to verify that a loaded |
| 6347migratory key is a real key, arising from a general sense of unease about execution of |
| 6348arbitrary data as a key. Ideally a consistency check would consist of an encrypt/decrypt |
| 6349cycle, but this may be expensive. For RSA keys, it is therefore suggested that the |
| 6350consistency test consists of dividing the supposed RSA product by the supposed RSA prime, |
| 6351and checking that there is no remainder. |
| 6352End of informative comment. |
| |
| 1479 |
| 1480 |
| |
| 318 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1481TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1482Specification Version 1.2 |
| |
| 6353Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadKey. |
| |
| 4 |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| parentHandle |
| |
| TPM handle of parent key. |
| |
| 5 |
| |
| <> |
| |
| TPM_KEY |
| |
| inKey |
| |
| Incoming key structure, both encrypted private and clear public portions. |
| MAY be TPM_KEY12 |
| |
| 6 |
| |
| 4 |
| |
| TPM_AUTHHANDLE |
| |
| authHandle |
| |
| The authorization session handle used for parentHandle authorization. |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 1S |
| |
| 2S |
| |
| 4 |
| |
| <> |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 7 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 8 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 9 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| parentAuth |
| |
| The authorization session digest for inputs and parentHandle. HMAC key: |
| parentKey.usageAuth. |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 6354Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_LoadKey |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| TPM_KEY_HANDLE |
| |
| inkeyHandle |
| |
| Internal TPM handle where decrypted key was loaded. |
| |
| 5 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| parentKey.usageAuth. |
| |
| 6 |
| |
| 1 |
| |
| 7 |
| |
| 20 |
| |
| 6355Actions |
| 6356The TPM SHALL perform the following steps: |
| 63571. Validate the command and the parameters using parentAuth and parentHandle -> |
| 6358 |
| usageAuth |
| 63592. If |
| parentHandle |
| -> |
| 6360 |
| TPM_INVALID_KEYUSAGE |
| |
| keyUsage |
| |
| is |
| |
| NOT |
| |
| TPM_KEY_STORAGE |
| |
| return |
| |
| 63613. If the TPM is not designed to operate on a key of the type specified by inKey, return the |
| 6362 |
| error code TPM_BAD_KEY_PROPERTY |
| 63634. The TPM MUST handle both TPM_KEY and TPM_KEY12 structures |
| 63645. Decrypt the inKey -> privkey to obtain TPM_STORE_ASYMKEY structure using the key |
| 6365 |
| in parentHandle |
| 1483Level 2 Revision 116 28 February 2011 |
| 1484 |
| |
| 319 |
| TCG Published |
| |
| 1485Copyright © TCG |
| 1486 |
| 1487 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 63666. Validate the integrity of inKey and decrypted TPM_STORE_ASYMKEY |
| 6367 |
| 6368 |
| |
| a. Reproduce inKey -> TPM_STORE_ASYMKEY -> pubDataDigest using the fields of |
| inKey, and check that the reproduced value is the same as pubDataDigest |
| |
| 63697. Validate the consistency of the key and it’s key usage. |
| 6370 |
| 6371 |
| 6372 |
| 6373 |
| 6374 |
| 6375 |
| |
| a. If inKey -> keyFlags -> migratable is TRUE, the TPM SHALL verify consistency of the |
| public and private components of the asymmetric key pair. If inKey -> keyFlags -> |
| migratable is FALSE, the TPM MAY verify consistency of the public and private |
| components of the asymmetric key pair. The consistency of an RSA key pair MAY be |
| verified by dividing the supposed (P*Q) product by a supposed prime and checking that |
| there is no remainder. |
| |
| 6376 |
| 6377 |
| |
| b. If inKey -> keyUsage is TPM_KEY_IDENTITY, verify that inKey->keyFlags->migratable |
| is FALSE. If it is not, return TPM_INVALID_KEYUSAGE |
| |
| 6378 |
| |
| c. If inKey -> keyUsage is TPM_KEY_AUTHCHANGE, return TPM_INVALID_KEYUSAGE |
| |
| 6379 |
| 6380 |
| |
| d. If inKey -> keyFlags -> migratable equals 0 then verify that TPM_STORE_ASYMKEY |
| -> migrationAuth equals TPM_PERMANENT_DATA -> tpmProof |
| |
| 6381 |
| |
| e. Validate the mix of encryption and signature schemes |
| |
| 6382 |
| |
| f. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then |
| |
| 6383 |
| |
| i. |
| |
| 6384 |
| 6385 |
| |
| ii. If keyInfo |
| TPM_NOTFIPS |
| |
| 6386 |
| |
| iii. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS |
| |
| 6387 |
| |
| If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS |
| -> |
| |
| authDataUsage |
| |
| specifies |
| |
| TPM_AUTH_NEVER |
| |
| return |
| |
| g. If inKey -> keyUsage is TPM_KEY_STORAGE or TPM_KEY_MIGRATE |
| |
| 6388 |
| |
| i. |
| |
| 6389 |
| |
| ii. Key size MUST be 2048 |
| |
| 6390 |
| |
| iii. exponentSize MUST be 0 |
| |
| 6391 |
| |
| iv. sigScheme MUST be TPM_SS_NONE |
| |
| 6392 |
| |
| algorithmID MUST be TPM_ALG_RSA |
| |
| h. If inKey -> keyUsage is TPM_KEY_IDENTITY |
| |
| 6393 |
| |
| i. |
| |
| 6394 |
| |
| ii. Key size MUST be 2048 |
| |
| 6395 |
| |
| iii. exponentSize MUST be 0 |
| |
| 6396 |
| |
| iv. encScheme MUST be TPM_ES_NONE |
| |
| 6397 |
| |
| i. |
| |
| 6398 |
| 6399 |
| 6400 |
| |
| If the decrypted inKey -> pcrInfo is NULL, |
| i. The TPM MUST set the internal indicator to indicate that the key is not using |
| any PCR registers. |
| |
| j. |
| |
| 6401 |
| 6402 |
| |
| 1488 |
| 1489 |
| |
| algorithmID MUST be TPM_ALG_RSA |
| |
| Else |
| i. The TPM MUST store pcrInfo in a manner that allows the TPM to calculate a |
| composite hash whenever the key will be in use |
| |
| 320 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1490TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1491Specification Version 1.2 |
| |
| 6403 |
| 6404 |
| |
| ii. The TPM MUST handle both version 1.1 TPM_PCR_INFO and 1.2 |
| TPM_PCR_INFO_LONG structures according to the type of TPM_KEY structure |
| |
| 6405 |
| 6406 |
| 6407 |
| |
| (1) The TPM MUST validate the TPM_PCR_INFO or TPM_PCR_INFO_LONG |
| structures for legal values. |
| However, the digestAtRelease and |
| localityAtRelease are not validated for authorization until use time. |
| |
| 64088. Perform any processing necessary to make TPM_STORE_ASYMKEY key available for |
| 6409 |
| operations |
| 64109. Load key and key information into internal memory of the TPM. If insufficient memory |
| 6411 |
| exists, return error TPM_NOSPACE. |
| 641210.Assign inKeyHandle according to internal TPM rules. |
| 641311.Set InKeyHandle -> parentPCRStatus to parentHandle -> parentPCRStatus. |
| 641412.If parentHandle indicates it is using PCR registers, then set inKeyHandle -> |
| 6415 |
| parentPCRStatus to TRUE. |
| |
| 1492Level 2 Revision 116 28 February 2011 |
| 1493 |
| |
| 321 |
| TCG Published |
| |
| 1494Copyright © TCG |
| 1495 |
| 1496 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 641628. |
| Deleted Commands |
| 6417Start of informative comment: |
| 6418These commands are no longer active commands. Their removal is due to security concerns |
| 6419with their use. |
| 6420End of informative comment. |
| 64211. The TPM MUST return TPM_BAD_ORDINAL for any deleted command |
| |
| 1497 |
| 1498 |
| |
| 322 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1499TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1500Specification Version 1.2 |
| |
| 323 |
| TCG Published |
| |
| 1503Copyright © TCG |
| 1504 |
| 1505 |
| |
| 643628.2 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| TPM_GetOrdinalAuditStatus |
| |
| 6437Start of informative comment: |
| 6438Get the status of the audit flag for the given ordinal. |
| 6439End of informative comment. |
| 6440Incoming Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_GetOrdinalAuditStatus |
| |
| 4 |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinalToQuery |
| |
| The ordinal whose audit flag is to be queried |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| # |
| |
| SZ |
| |
| 6441Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 4 |
| |
| 1 |
| |
| BOOL |
| |
| State |
| |
| Value of audit flag for ordinalToQuery |
| |
| 6442Actions |
| 64431. The TPM returns the Boolean value for the given ordinal. The value is TRUE if the |
| 6444 |
| command is being audited. |
| |
| 1506 |
| 1507 |
| |
| 324 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1508TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1509Specification Version 1.2 |
| |
| 644528.3 |
| |
| TPM_CertifySelfTest |
| |
| 6446Start of informative comment: |
| 6447TPM_CertifySelfTest causes the TPM to perform a full self-test and return an authenticated |
| 6448value if the test passes. |
| 6449If a caller itself requires proof, it is sufficient to use any signing key for which only the TPM |
| 6450and the caller have AuthData. |
| 6451If a caller requires proof for a third party, the signing key must be one whose signature is |
| 6452trusted by the third party. A TPM-identity key may be suitable. |
| 6453End of informative comment. |
| 6454Incoming Operands and Sizes |
| PARAM |
| # |
| |
| SZ |
| |
| 1 |
| |
| 4 |
| |
| 4 |
| 5 |
| |
| 20 |
| |
| 6 |
| |
| 4 |
| |
| 2S |
| |
| 4 |
| |
| 20 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RQU_AUTH1_COMMAND |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of input bytes including paramSize and tag |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CertifySelfTest |
| |
| TPM_KEY_HANDLE |
| |
| keyHandle |
| |
| The keyHandle identifier of a loaded key that can perform digital |
| signatures. |
| |
| TPM_NONCE |
| |
| antiReplay |
| |
| Anti Replay nonce to prevent replay of messages |
| |
| TPM_AUTHHANDLE |
| |
| 4 |
| |
| 1S |
| |
| |
| SZ |
| |
| Name |
| |
| |
| 3 |
| |
| # |
| |
| Type |
| |
| 2 |
| |
| 2 |
| |
| HMAC |
| |
| authHandle |
| |
| The authorization session handle used for keyHandle authorization |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| authLastNonceEven |
| |
| Even nonce previously generated by TPM to cover inputs |
| |
| 7 |
| |
| 20 |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 8 |
| |
| 1 |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| The continue use flag for the authorization session handle |
| |
| 9 |
| |
| 20 |
| |
| TPM_AUTHDATA |
| |
| privAuth |
| |
| The authorization session digest that authorizes the inputs and use of |
| keyHandle. HMAC key: key.usageAuth |
| |
| Type |
| |
| Name |
| |
| Description |
| |
| 6455Outgoing Operands and Sizes |
| PARAM |
| |
| HMAC |
| |
| # |
| |
| SZ |
| |
| # |
| |
| SZ |
| |
| 1 |
| |
| 2 |
| |
| TPM_TAG |
| |
| tag |
| |
| TPM_TAG_RSP_AUTH1_COMMAND |
| |
| 2 |
| |
| 4 |
| |
| UINT32 |
| |
| paramSize |
| |
| Total number of output bytes including paramSize and tag |
| |
| 3 |
| |
| 4 |
| |
| 1S |
| |
| 4 |
| |
| TPM_RESULT |
| |
| returnCode |
| |
| The return code of the operation. |
| |
| 2S |
| |
| 4 |
| |
| TPM_COMMAND_CODE |
| |
| ordinal |
| |
| Command ordinal: TPM_ORD_CertifySelfTest |
| |
| 4 |
| |
| 4 |
| |
| 3S |
| |
| 4 |
| |
| UINT32 |
| |
| sigSize |
| |
| The length of the returned digital signature |
| |
| 5 |
| |
| <> |
| |
| 4S |
| |
| <> |
| |
| BYTE[ ] |
| |
| sig |
| |
| The resulting digital signature. |
| |
| 6 |
| |
| 20 |
| |
| 2H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceEven |
| |
| Even nonce newly generated by TPM to cover outputs |
| |
| 3H1 |
| |
| 20 |
| |
| TPM_NONCE |
| |
| nonceOdd |
| |
| Nonce generated by system associated with authHandle |
| |
| 4H1 |
| |
| 1 |
| |
| BOOL |
| |
| continueAuthSession |
| |
| Continue use flag, TRUE if handle is still active |
| |
| TPM_AUTHDATA |
| |
| resAuth |
| |
| The authorization session digest for the returned parameters. HMAC key: |
| key.usageAuth |
| |
| 7 |
| |
| 1 |
| |
| 8 |
| |
| 20 |
| |
| 1510Level 2 Revision 116 28 February 2011 |
| 1511 |
| |
| 325 |
| TCG Published |
| |
| 1512Copyright © TCG |
| 1513 |
| 1514 |
| |
| TPM Main Part 3 Commands |
| Specification Version 1.2 |
| |
| 6456Description |
| 6457The key in keyHandle MUST have a KEYUSAGE value of type TPM_KEY_SIGNING or |
| 6458TPM_KEY_LEGACY or TPM_KEY_IDENTITY. |
| 6459Information returned by TPM_CertifySelfTest MUST NOT aid identification of an individual |
| 6460TPM. |
| 6461Actions |
| 64621. The TPM SHALL perform TPM_SelfTestFull. If the test fails the TPM returns the |
| 6463 |
| appropriate error code. |
| 64642. After successful completion of the self-test the TPM then validates the authorization to |
| 6465 |
| use the key pointed to by keyHandle |
| 6466 |
| 6467 |
| 6468 |
| |
| a. If the key pointed to by keyHandle has a signature scheme that is not |
| TPM_SS_RSASSAPKCS1v15_SHA1, the TPM may either return TPM_BAD_SCHEME or |
| may return TPM_SUCCESS and a vendor specific signature. |
| |
| 64693. Create t1 the NOT null terminated string of "Test Passed", i.e. 11 bytes. |
| 64704. The TPM creates m2 the message to sign by concatenating t1 || AntiReplay || ordinal. |
| 64715. The TPM signs the SHA-1 of m2 using the key identified by keyHandle, and returns the |
| 6472 |
| signature as sig. |
| 6473 |
| |
| 1515 |
| 1516 |
| |
| 326 |
| |
| Level 2 Revision 116 28 February 2011 |
| TCG Published |
| |
| 1517TPM Main Part 3 Commands |
| |
| TCG © Copyright |
| |
| 1518Specification Version 1.2 |
| |