Google Git
Sign in
chromium / chromiumos / platform / trunks / refs/heads/stabilize-5500.100.B / . / tpm_commands_specification.txt
blob: c1db24c4832d1d8904db41cb76abef71833b68f7 [file] [log] [blame]
TPM_Init
286Start of informative comment:
287TPM_Init is a physical method of initializing a TPM. There is no TPM_Init ordinal as this is a
288platform message sent on the platform internals to the TPM. On a PC this command arrives
289at the TPM via the LPC bus and informs the TPM that the platform is performing a boot
290process.
291TPM_Init puts the TPM into a state where it waits for the command TPM_Startup (which
292specifies the type of initialization that is required.
293End of informative comment.
294Definition
295TPM_Init();
296
297Operation of the TPM. This is not a command that any software can execute. It is inherent
298in the design of the TPM and the platform that the TPM resides on.
299Parameters
300None
301Description
3021.
303
304
305
The TPM_Init signal indicates to the TPM that platform initialization is taking place. The
TPM SHALL set the TPM into a state such that the only legal command to receive after
the TPM_Init is the TPM_Startup command. The TPM_Startup will further indicate to the
TPM how to handle and initialize the TPM resources.
3062.
307
308
309
310
311
The platform design MUST be that the TPM is not the only component undergoing
initialization. If the TPM_Init signal forces the TPM to perform initialization then the
platform MUST ensure that ALL components of the platform receive an initialization
signal. This is to prevent an attacker from causing the TPM to initialize to a state where
various masquerades are allowable. For instance, on a PC causing the TPM to initialize
and expect measurements in PCR0 but the remainder of the platform does not initialize.
3123. The design of the TPM MUST be such that the ONLY mechanism that signals TPM_Init
313
also signals initialization to the other platform components.
314Actions
3151. The TPM sets TPM_STANY_FLAGS -> postInitialise to TRUE.
75
76
6
Level 2 Revision 116 28 February 2011
TCG Published
77TPM Main Part 3 Commands
TCG © Copyright
78Specification Version 1.2
3163.2
TPM_Startup
317Start of informative comment:
318TPM_Startup is always preceded by TPM_Init, which is the physical indication (a system319wide reset) that TPM initialization is necessary.
320There are many events on a platform that can cause a reset and the response to these
321events can require different operations to occur on the TPM. The mere reset indication does
322not contain sufficient information to inform the TPM as to what type of reset is occurring.
323Additional information known by the platform initialization code needs transmitting to the
324TPM. The TPM_Startup command provides the mechanism to transmit the information.
325The TPM can startup in three different modes:
326A “clear” start where all variables go back to their default or non-volatile set state
327A “save” start where the TPM recovers appropriate information and restores various values
328based on a prior TPM_SaveState. This recovery requires an invocation of TPM_Init to be
329successful.
330A failing "save" start must shut down the TPM. The CRTM cannot leave the TPM in a state
331where an untrusted upper software layer could issue a "clear" and then extend PCR's and
332thus mimic the CRTM.
333A “deactivated” start where the TPM turns itself off and requires another TPM_Init before
334the TPM will execute in a fully operational state.
335End of informative comment.
336Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal TPM_ORD_Startup
4
2
2S
2
TPM_STARTUP_TYPE
startupType
Type of startup that is occurring
Type
Name
Description
#
SZ
1
#
SZ
337Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Startup
338Description
339TPM_Startup MUST be generated by a trusted entity (the RTM or the TPM, for example).
340
1. If the TPM is in failure mode
79Level 2 Revision 116 28 February 2011
80
7
TCG Published
81Copyright © TCG
82
83
TPM Main Part 3 Commands
Specification Version 1.2
341
a. TPM_STANY_FLAGS -> postInitialize is still set to FALSE
342
b. The TPM returns TPM_FAILEDSELFTEST
343Actions
3441. If TPM_STANY_FLAGS -> postInitialise is FALSE,
345
a. Then the TPM MUST return TPM_INVALID_POSTINIT, and exit this capability
3462. If stType = TPM_ST_CLEAR
347
348
a. Ensure that sessions associated with resources TPM_RT_CONTEXT, TPM_RT_AUTH,
TPM_RT_DAA_TPM, and TPM_RT_TRANS are invalidated
349
b. Reset TPM_STCLEAR_DATA -> PCR[] values to each correct default value
350
i.
351
ii. pcrReset is TRUE, set to 0xFF..FF
352
pcrReset is FALSE, set to 0x00..00
c. Set the following TPM_STCLEAR_FLAGS to their default state
353
i.
354
ii. PhysicalPresenceLock
355
iii. disableForceClear
356
PhysicalPresence
d. The TPM MAY initialize auditDigest to all zeros
357
358
i. If not initialized to all zeros, the TPM SHALL ensure that auditDigest contains
a valid value.
359
360
361
ii. If initialization fails, the TPM SHALL set auditDigest to all zeros and SHALL set
the internal TPM state so that the TPM returns TPM_FAILEDSELFTEST to all
subsequent commands.
362
363
e. The TPM SHALL set TPM_STCLEAR_FLAGS -> deactivated to the same state as
TPM_PERMANENT_FLAGS -> deactivated
364
f. The TPM MUST set the TPM_STANY_DATA fields to:
365
i.
366
ii. TPM_STANY_DATA->contextCount is set to 0
367
iii. TPM_STANY_DATA->contextList is set to 0
368
TPM_STANY_DATA->contextNonceSession is set to all zeros
g. The TPM MUST set TPM_STCLEAR_DATA fields to:
369
i.
370
ii. countID to zero
371
iii. ownerReference to TPM_KH_OWNER
372
h. The TPM MUST set the following TPM_STCLEAR_FLAGS to
373
374
i.
i.
375
84
85
Invalidate contextNonceKey
bGlobalLock to FALSE
Determine which keys should remain in the TPM
i.
For each key that has a valid preserved value in the TPM
8
Level 2 Revision 116 28 February 2011
TCG Published
86TPM Main Part 3 Commands
TCG © Copyright
87Specification Version 1.2
376
(1)
if parentPCRStatus is TRUE then call TPM_FlushSpecific(keyHandle)
377
(2)
if isVolatile is TRUE then call TPM_FlushSpecific(keyHandle)
378
ii. Keys under control of the OwnerEvict flag MUST stay resident in the TPM
3793. If stType = TPM_ST_STATE
380
381
a. If the TPM has no state to restore, the TPM MUST set the internal state such that it
returns TPM_FAILEDSELFTEST to all subsequent commands.
382
383
384
b. The TPM MAY determine for each session type (authorization, transport, DAA, …) to
release or maintain the session information. The TPM reports how it manages sessions
in the TPM_GetCapability command.
385
386
387
c. The TPM SHALL take all necessary actions to ensure that all PCRs contain valid
preserved values. If the TPM is unable to successfully complete these actions, it SHALL
enter the TPM failure mode.
388
389
390
i. For resettable PCR the TPM MUST set the value of TPM_STCLEAR_DATA ->
PCR[]to the resettable PCR default value. The TPM MUST NOT restore a resettable
PCR to a preserved value
391
392
393
394
395
396
397
d. The TPM MAY initialize auditDigest to all zeros.
i. Otherwise, the TPM SHALL take all actions necessary to ensure that
auditDigest contains a valid value. If the TPM is unable to successfully complete
these actions, the TPM SHALL initialize auditDigest to all zeros and SHALL set the
internal state such that the TPM returns TPM_FAILEDSELFTEST to all
subsequent commands.
e. The TPM MUST restore the following flags to their preserved states:
398
i.
399
ii. All values in TPM_STCLEAR_DATA
All values in TPM_STCLEAR_FLAGS
400
f. The TPM MUST restore all keys that have a valid preserved value.
401
402
g. The TPM resumes normal operation. If the TPM is unable to resume normal
operation, it SHALL enter the TPM failure mode.
4034. If stType = TPM_ST_DEACTIVATED
404
a. Invalidate sessions
405
406
i. Ensure that all resources associated with saved and active sessions are
invalidated
407
b. Set the TPM_STCLEAR_FLAGS to their default state.
408
c. Set TPM_STCLEAR_FLAGS -> deactivated to TRUE
4095. The TPM MUST ensure that state associated with TPM_SaveState is invalidated
4106. The TPM MUST set TPM_STANY_FLAGS -> postInitialise to FALSE
88Level 2 Revision 116 28 February 2011
89
9
TCG Published
90Copyright © TCG
91
92
4113.3
TPM Main Part 3 Commands
Specification Version 1.2
TPM_SaveState
412Start of informative comment:
413This warns a TPM to save some state information.
414If the relevant shielded storage is non-volatile, this command need have no effect.
415If the relevant shielded storage is volatile and the TPM alone is unable to detect the loss of
416external power in time to move data to non-volatile memory, this command should be
417presented before the TPM enters a low or no power state.
418Resettable PCRs are tied to platform state that does not survive a sleep state. If the PCRs
419did not reset, they would falsely indicate that the platform state was already present when it
420came out of sleep. Since some setup is required first, there would be a gap where PCRs
421indicated the wrong state. Therefore, the PCRs must be recreated.
422Any loaded keys may be preserved. Keys with parentPCRStatus TRUE are not given priority
423because of security concerns. Rather, since the key might be part of a storage tree that
424requires PCR value transitions, it might not be directly loadable after
425TPM_Startup(ST_STATE). For a TPM implementation that does not save all loaded keys, the
426platform should issue a TPM_SaveContext / TPM_LoadContext sequence for those loaded
427keys. contextNonceKey will be restored, guaranteeing that the saved key context can be
428restored.
429End of informative comment.
430Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SaveState.
Type
Name
Description
#
SZ
1
#
SZ
1S
4
431Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SaveState.
432Description
4331. Preserved values MUST be non-volatile.
4342. If data is never stored in a volatile medium, that data MAY be used as preserved data. In
435
such cases, no explicit action may be required to preserve that data.
93
94
10
Level 2 Revision 116 28 February 2011
TCG Published
95TPM Main Part 3 Commands
TCG © Copyright
96Specification Version 1.2
4363. If an explicit action is required to preserve data, it MUST be possible for the TPM to
437
determine whether preserved data is valid.
4384. If a parameter mirrored by any preserved value is altered, all preserved values MUST be
439
declared invalid.
4405. The TPM MAY declare all preserved values invalid in response to any command other
441
than TPM_Init.
442Actions
4431. Store TPM_STCLEAR_DATA -> PCR contents except for
444
a. If the PCR attribute pcrReset is TRUE
445
b. Any platform identified debug PCR
4462. The auditDigest MUST be handled according to the audit requirements as reported by
447
TPM_GetCapability.
448
449
450
a. If the ordinalAuditStatus is TRUE for the TPM_SaveState ordinal and the auditDigest
is being stored in the saved state, the saved auditDigest MUST include the
TPM_SaveState input parameters and MUST NOT include the output parameters.
4513. All values in TPM_STCLEAR_DATA MUST be preserved.
4524. All values in TPM_STCLEAR_FLAGS MUST be preserved.
4535. The contents of any key that is currently loaded SHOULD be preserved if the key's
454
parentPCRStatus indicator is TRUE.
4556. The contents of any key that has TPM_KEY_CONTROL_OWNER_EVICT set MUST be
456
preserved
4577. The contents of any key that is currently loaded MAY be preserved.
4588. The contents of sessions (authorization, transport, DAA, etc.) MAY be preserved as
459
reported by TPM_GetCapability.
97Level 2 Revision 116 28 February 2011
98
11
TCG Published
99Copyright © TCG
100
101
4604.
TPM Main Part 3 Commands
Specification Version 1.2
Admin Testing
4614.1
TPM_SelfTestFull
462Start of informative comment:
463TPM_SelfTestFull tests all of the TPM capabilities.
464Unlike TPM_ContinueSelfTest, which may optionally return immediately and then perform
465the tests, TPM_SelfTestFull always performs the tests and then returns success or failure.
466End of informative comment.
467Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SelfTestFull
Type
Name
Description
#
SZ
1
#
1S
SZ
4
468Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SelfTestFull
469Actions
4701. TPM_SelfTestFull SHALL cause a TPM to perform self-test of each TPM internal function.
471
a. If the self-test succeeds, return TPM_SUCCESS.
472
b. If the self-test fails, return TPM_FAILEDSELFTEST.
4732. Failure of any test results in overall failure, and the TPM goes into failure mode.
4743. If the TPM has not executed the action of TPM_ContinueSelfTest, the TPM
475
a. MAY perform the full self-test.
476
b. MAY return TPM_NEEDS_SELFTEST.
102
103
12
Level 2 Revision 116 28 February 2011
TCG Published
104TPM Main Part 3 Commands
TCG © Copyright
105Specification Version 1.2
4774.2
TPM_ContinueSelfTest
478Start of informative comment:
479TPM_ContinueSelfTest informs the TPM that it should complete the self-test of all TPM
480functions.
481The TPM may return success immediately and then perform the self-test, or it may perform
482the self-test and then return success or failure.
483End of informative comment.
484Incoming Operands and Sizes
PARAM
#
SZ
1
4
SZ
1S
4
Name
Description
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
UINT32
4
3
#
Type
2
2
HMAC
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ContinueSelfTest
Type
Name
Description
485Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ContinueSelfTest
486Description
4871. Prior to executing the actions of TPM_ContinueSelfTest, if the TPM receives a command
488
C1 that uses an untested TPM function, the TPM MUST take one of these actions:
489
a. The TPM MAY return TPM_NEEDS_SELFTEST
490
491
i. This indicates that the TPM has not tested the internal resources required to
execute C1.
492
ii. The TPM does not execute C1.
493
494
iii. The caller MUST issue TPM_ContinueSelfTest before re-issuing the command
C1.
495
496
497
(1) If the TPM permits TPM_SelfTestFull prior to completing the actions of
TPM_ContinueSelfTest, the caller MAY issue TPM_SelfTestFull rather than
TPM_ContinueSelfTest.
498
b. The TPM MAY return TPM_DOING_SELFTEST
499
500
i. This indicates that the TPM is doing the actions of TPM_ContinueSelfTest
implicitly, as if the TPM_ContinueSelfTest command had been issued.
501
ii. The TPM does not execute C1.
106Level 2 Revision 116 28 February 2011
107
13
TCG Published
108Copyright © TCG
109
110
502
503
504
TPM Main Part 3 Commands
Specification Version 1.2
iii. The caller MUST wait for the actions of TPM_ContinueSelfTest to complete
before reissuing the command C1.
c. The TPM MAY return TPM_SUCCESS or an error code associated with C1.
505
506
i. This
indicates
that
the
TPM
has
completed
TPM_ContinueSelfTest and has completed the command C1.
507
ii. The error code MAY be TPM_FAILEDSELFTEST.
the
actions
of
508Actions
5091. If TPM_PERMANENT_FLAGS -> FIPS is TRUE or TPM_PERMANENT_FLAGS -> TPMpost
510
is TRUE
511
a. The TPM MUST run all self-tests
5122. Else
513
a. The TPM MUST complete all self-tests that are outstanding
514
i.
Instead of completing all outstanding self-tests the TPM MAY run all self-tests
5153. The TPM either
516
a. MAY immediately return TPM_SUCCESS
517
518
519
520
111
112
i. When TPM_ContinueSelfTest finishes execution, it MUST NOT respond to the
caller with a return code.
b. MAY
complete
the
TPM_FAILEDSELFTEST.
self-test
and
14
then
return
TPM_SUCCESS
Level 2 Revision 116 28 February 2011
TCG Published
or
113TPM Main Part 3 Commands
TCG © Copyright
114Specification Version 1.2
5214.3
TPM_GetTestResult
522Start of informative comment:
523TPM_GetTestResult provides manufacturer specific information regarding the results of the
524self-test. This command will work when the TPM is in self-test failure mode. The reason for
525allowing this command to operate in the failure mode is to allow TPM manufacturers to
526obtain diagnostic information.
527End of informative comment.
528Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetTestResult
Type
Name
Description
#
SZ
1
#
SZ
1S
4
529Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetTestResult
4
4
3S
4
UINT32
outDataSize
The size of the outData area
5
<>
4S
<>
BYTE[]
outData
The outData this is manufacturer specific
530Description
531This command will work when the TPM is in self test failure mode or limited operation
532mode.
533Actions
5341. The TPM SHALL respond to this command with a manufacturer specific block of
535
information that describes the result of the latest self-test
5362. The information MUST NOT contain any data that uniquely identifies an individual TPM.
115Level 2 Revision 116 28 February 2011
116
15
TCG Published
117Copyright © TCG
118
119
5375.
TPM Main Part 3 Commands
Specification Version 1.2
Admin Opt-in
5385.1
TPM_SetOwnerInstall
539Start of informative comment:
540When enabled but without an owner this command sets the PERMANENT flag that allows or
541disallows the ability to insert an owner.
542End of informative comment.
543Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SetOwnerInstall
4
1
2S
1
BOOL
state
State to which ownership flag is to be set.
Type
Name
Description
#
SZ
1
#
SZ
544Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SetOwnerInstall
545Action
5461. If the TPM has a current owner, this command immediately returns with
547
TPM_SUCCESS.
5482. The TPM validates the assertion of physical presence. The TPM then sets the value of
549
TPM_PERMANENT_FLAGS -> ownership to the value in state.
120
121
16
Level 2 Revision 116 28 February 2011
TCG Published
122TPM Main Part 3 Commands
TCG © Copyright
123Specification Version 1.2
5505.2
TPM_OwnerSetDisable
551Start of informative comment:
552The TPM owner sets the PERMANENT disable flag to TRUE or FALSE.
553End of informative comment.
554Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OwnerSetDisable
4
1
2S
1
BOOL
disableState
Value for disable state
5
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
6
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
7
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
8
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner authentication.
HMAC key: ownerAuth.
555Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
5
1
6
20
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OwnerSetDisable
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth.
556Action
5571. The TPM SHALL authenticate the command as coming from the TPM Owner. If
558
unsuccessful, the TPM SHALL return TPM_AUTHFAIL.
5592. The TPM SHALL set the TPM_PERMANENT_FLAGS -> disable flag to the value in the
560
disableState parameter.
124Level 2 Revision 116 28 February 2011
125
17
TCG Published
126Copyright © TCG
127
128
5615.3
TPM Main Part 3 Commands
Specification Version 1.2
TPM_PhysicalEnable
562Start of informative comment:
563Sets the PERMANENT disable flag to FALSE using physical presence as authorization.
564End of informative comment.
565Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_PhysicalEnable
Type
Name
Description
#
SZ
1
#
1S
SZ
4
566Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_PhysicalEnable
567Action
5681. Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE
5692. The TPM SHALL set the TPM_PERMANENT_FLAGS.disable value to FALSE.
129
130
18
Level 2 Revision 116 28 February 2011
TCG Published
131TPM Main Part 3 Commands
TCG © Copyright
132Specification Version 1.2
5705.4
TPM_PhysicalDisable
571Start of informative comment:
572Sets the PERMANENT disable flag to TRUE using physical presence as authorization
573End of informative comment.
574Incoming Operands and Sizes
PARAM
HMAC
#
SZ
#
1
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_PhysicalDisable
Type
Name
Description
1S
SZ
4
575Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_PhysicalDisable
576Action
5771. Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE
5782. The TPM SHALL set the TPM_PERMANENT_FLAGS.disable value to TRUE.
133Level 2 Revision 116 28 February 2011
134
19
TCG Published
135Copyright © TCG
136
137
5795.5
TPM Main Part 3 Commands
Specification Version 1.2
TPM_PhysicalSetDeactivated
580Start of informative comment:
581Changes the TPM persistant deactivated flag using physical presence as authorization.
582This command is not available when the TPM is disabled.
583End of informative comment.
584Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_PhysicalSetDeactivated
4
1
2S
1
BOOL
state
State to which deactivated flag is to be set.
Type
Name
Description
#
SZ
1
#
SZ
585Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_PhysicalSetDeactivated
586Action
5871. Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE
5882. The TPM SHALL set the TPM_PERMANENT_FLAGS.deactivated flag to the value in the
589
state parameter.
138
139
20
Level 2 Revision 116 28 February 2011
TCG Published
140TPM Main Part 3 Commands
TCG © Copyright
141Specification Version 1.2
5905.6
TPM_SetTempDeactivated
591Start of informative comment:
592This command allows the operator of the platform to deactivate the TPM until the next boot
593of the platform.
594This command requires operator authentication. The operator can provide the
595authentication by either the assertion of physical presence or presenting the operator
596AuthData value.
597End of informative comment.
598Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SetTempDeactivated
4
4
4
TPM_AUTHHANDLE
authHandle
Auth handle for operation validation. Session type MUST be OIAP
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
#
SZ
1
#
SZ
1S
5
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
6
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
7
20
TPM_AUTHDATA
operatorAuth
HMAC key: operatorAuth
599Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
5
1
6
20
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SetTempDeactivated
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
operatorAuth.
600Action
6011. If tag = TPM_TAG_RQU_AUTH1_COMMAND
602
a. If TPM_PERMANENT_FLAGS -> operator is FALSE return TPM_NOOPERATOR
603
604
b. Validate command
TPM_AUTHFAIL
and
142Level 2 Revision 116 28 February 2011
143
parameters
using
21
TCG Published
operatorAuth,
on
error
return
144Copyright © TCG
145
146
TPM Main Part 3 Commands
Specification Version 1.2
6052. Else
606
a. If physical presence is not asserted the TPM MUST return TPM_BAD_PRESENCE
6073. The TPM SHALL set the TPM_STCLEAR_FLAGS.deactivated flag to the value TRUE.
147
148
22
Level 2 Revision 116 28 February 2011
TCG Published
149TPM Main Part 3 Commands
TCG © Copyright
150Specification Version 1.2
6085.7
TPM_SetOperatorAuth
609Start of informative comment:
610This command allows the setting of the operator AuthData value.
611There is no confidentiality applied to the operator authentication as the value is sent under
612the assumption of being local to the platform. If there is a concern regarding the path
613between the TPM and the keyboard then unless the keyboard is using encryption and a
614secure channel an attacker can read the values.
615End of informative comment.
616Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SetOperatorAuth
4
20
2S
20
TPM_SECRET
operatorAuth
The operator AuthData
Type
Name
Description
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
#
SZ
1
#
SZ
617Outgoing Operands and Sizes
PARAM
#
SZ
1
2
2
4
3
4
HMAC
#
SZ
UINT32
paramSize
Total number of output bytes including paramSize and tag
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SetOperatorAuth
618Action
6191. If physical presence is not asserted the TPM MUST return TPM_BAD_PRESENCE
6202. The TPM SHALL set the TPM_PERMANENT_DATA -> operatorAuth
6213. The TPM SHALL set TPM_PERMANENT_FLAGS -> operator to TRUE
151Level 2 Revision 116 28 February 2011
152
23
TCG Published
153Copyright © TCG
154
155
6226.
TPM Main Part 3 Commands
Specification Version 1.2
Admin Ownership
6236.1
TPM_TakeOwnership
624Start of informative comment:
625This command inserts the TPM Ownership value into the TPM.
626End of informative comment.
627Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_TakeOwnership
4
2
2S
2
TPM_PROTOCOL_ID
protocolID
The ownership protocol in use.
5
4
3S
4
UINT32
encOwnerAuthSize
The size of the encOwnerAuth field
6
<>
4S
<>
BYTE[ ]
encOwnerAuth
The owner AuthData encrypted with PUBEK
7
4
5S
4
UINT32
encSrkAuthSize
The size of the encSrkAuth field
8
<>
6S
<>
BYTE[ ]
encSrkAuth
The SRK AuthData encrypted with PUBEK
9
<>
7S
<>
TPM_KEY12
srkParams
Structure containing all parameters of new SRK. pubKey.keyLength &
encSize are both 0. This structure MAY be TPM_KEY12.
10
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for this command
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
11
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
12
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
13
20
TPM_AUTHDATA
ownerAuth
Authorization session digest for input params. HMAC key: the new
ownerAuth value. See actions for validation operations
628
156
157
24
Level 2 Revision 116 28 February 2011
TCG Published
158TPM Main Part 3 Commands
TCG © Copyright
159Specification Version 1.2
629Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_TakeOwnership
4
<>
3S
<>
TPM_KEY
srkPub
Structure containing all parameters of new SRK. srkPub.encData is set to
0. This structure MAY be TPM_KEY12.
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
the new ownerAuth value
6
1
7
20
630Description
631The type of the output srkPub MUST be the same as the type of the input srkParams, either
632both TPM_KEY or both TPM_KEY12.
633Actions
6341. If TPM_PERMANENT_DATA -> ownerAuth is valid return TPM_OWNER_SET
6352. If TPM_PERMANENT_FLAGS -> ownership is FALSE return TPM_INSTALL_DISABLED
6363. If
TPM_PERMANENT_DATA
637
TPM_NO_ENDORSEMENT
->
endorsementKey
is
invalid
return
6384. Verify that authHandle is of type OIAP on error return TPM_AUTHFAIL
6395. If protocolID is not TPM_PID_OWNER, the TPM MAY return TPM_BAD_PARAMETER
6406. Create A1 a TPM_SECRET by decrypting encOwnerAuth using PRIVEK as the key
641
a. This requires that A1 was encrypted using the PUBEK
642
b. Validate that A1 is a length of 20 bytes, on error return TPM_BAD_KEY_PROPERTY
6437. Validate the command and parameters using A1 and ownerAuth, on error return
644
TPM_AUTHFAIL
6458. Validate srkParams
646
647
a. If
srkParams
->
TPM_INVALID_KEYUSAGE
648
b. If srkParams -> migratable is TRUE return TPM_INVALID_KEYUSAGE
649
650
c. If srkParams -> algorithmParms -> algorithmID is NOT TPM_ALG_RSA return
TPM_BAD_KEY_PROPERTY
651
652
d. If
srkParams
->
algorithmParms
->
encScheme
TPM_ES_RSAESOAEP_SHA1_MGF1 return TPM_BAD_KEY_PROPERTY
160Level 2 Revision 116 28 February 2011
161
keyUsage
is
25
TCG Published
not
TPM_KEY_STORAGE
is
return
NOT
162Copyright © TCG
163
164
TPM Main Part 3 Commands
Specification Version 1.2
653
654
e. If srkParams -> algorithmParms -> sigScheme is NOT TPM_SS_NONE return
TPM_BAD_KEY_PROPERTY
655
656
f. srkParams -> algorithmParms -> parms -> keyLength MUST be greater than or equal
to 2048, on error return TPM_BAD_KEY_PROPERTY
657
658
g. If srkParams -> algorithmParms -> parms -> exponentSize is not 0, return
TPM_BAD_KEY_PROPERTY
659
h. If TPM_PERMANENT_FLAGS -> FIPS is TRUE
660
661
i. If srkParams
TPM_NOTFIPS
->
authDataUsage
specifies
TPM_AUTH_NEVER
return
6629. Generate K1 according to the srkParams, on error return TPM_BAD_KEY_PROPERTY
663
a. This includes copying PCRInfo from srkParams to K1
66410.Create A2 a TPM_SECRET by decrypting encSrkAuth using the PRIVEK
665
a. This requires A2 to be encrypted using the PUBEK
666
b. Validate that A2 is a length of 20 bytes, on error return TPM_BAD_KEY_PROPERTY
667
c. Store A2 in K1 -> usageAuth
66811.Store K1 in TPM_PERMANENT_DATA -> srk
66912.Store A1 in TPM_PERMANENT_DATA -> ownerAuth
67013.Create TPM_PERMANENT_DATA -> contextKey according to the rules for the algorithm
671
in use by the TPM to save context blobs
67214.Create TPM_PERMANENT_DATA -> delegateKey according to the rules for the algorithm
673
in use by the TPM to save delegate blobs
67415.Create TPM_PERMANENT_DATA -> tpmProof by using the TPM RNG
67516.Export TPM_PERMANENT_DATA -> srk as srkPub
67617.Set TPM_PERMANENT_FLAGS -> readPubek to FALSE
67718.Calculate resAuth using the newly established TPM_PERMANENT_DATA -> ownerAuth
165
166
26
Level 2 Revision 116 28 February 2011
TCG Published
167TPM Main Part 3 Commands
TCG © Copyright
168Specification Version 1.2
6786.2
TPM_OwnerClear
679Start of informative comment:
680The TPM_OwnerClear command performs the clear operation under Owner authentication.
681This command is available until the Owner executes the TPM_DisableOwnerClear, at which
682time any further invocation of this command returns TPM_CLEAR_DISABLED.
683End of informative comment.
684Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OwnerClear
4
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
5
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
6
1
4H1
1
BOOL
continueAuthSession
Ignored
7
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner authentication.
HMAC key: ownerAuth.
685Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
5
1
6
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OwnerClear
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Fixed value FALSE
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
old ownerAuth.
20
686Actions
6871. Verify that the TPM Owner authorizes the command and all of the input, on error return
688
TPM_AUTHFAIL.
6892. If TPM_PERMANENT_FLAGS
690
TPM_CLEAR_DISABLED.
->
disableOwnerClear
6913. Unload all loaded keys.
692
a. This includes owner evict keys
169Level 2 Revision 116 28 February 2011
170
27
TCG Published
is
TRUE
then
return
171Copyright © TCG
172
173
693
694
TPM Main Part 3 Commands
Specification Version 1.2
b. If TPM_PERMANENT_FLAGS -> FIPS is TRUE, the memory locations containing
secret or private keys MUST be set to all zeros.
6954. The TPM MUST NOT modify the following TPM_PERMANENT_DATA items
696
a. endorsementKey
697
b. revMajor
698
c. revMinor
699
d. manuMaintPub
700
e. auditMonotonicCounter
701
f. monotonicCounter
702
g. pcrAttrib
703
h. rngState
704
i.
EKReset
705
j.
lastFamilyID
706
k. tpmDAASeed
707
l.
708
m. daaProof
709
n. daaBlobKey
authDIR[0]
7105. The TPM MUST invalidate the following TPM_PERMANENT_DATA items and any internal
711
resources associated with these items
712
a. ownerAuth
713
b. srk
714
c. delegateKey
715
d. delegateTable
716
e. contextKey
717
f. tpmProof
718
g. operatorAuth
7196. The TPM MUST reset to manufacturing defaults the following TPM_PERMANENT_DATA
720
items
721
a. noOwnerNVWrite MUST be set to 0
722
b. ordinalAuditStatus
723
c. restrictDelegate
7247. The TPM MUST invalidate or reset all fields of TPM_STANY_DATA
725
a. Nonces SHALL be reset
726
b. Lists (e.g. contextList) SHALL be invalidated
7278. The TPM MUST invalidate or reset all fields of TPM_STCLEAR_DATA except the PCR’s
174
175
28
Level 2 Revision 116 28 February 2011
TCG Published
176TPM Main Part 3 Commands
TCG © Copyright
177Specification Version 1.2
728
a. Nonces SHALL be reset
729
b. Lists (e.g. contextList) SHALL be invalidated
730
c. deferredPhysicalPresence MUST be set to 0
7319. The TPM MUST set the following TPM_PERMANENT_FLAGS to their default values
732
a. disable
733
b. deactivated
734
c. readPubek
735
d. disableOwnerClear
736
e. disableFullDALogicInfo
737
f. allowMaintenance
738
g. readSRKPub
73910.The TPM MUST set the following TPM_PERMANENT_FLAGS
740
a. ownership to TRUE
741
b. operator to FALSE
742
c. maintenanceDone to FALSE
74311.The TPM releases all TPM_PERMANENT_DATA -> monotonicCounter settings
744
745
746
a. This includes invalidating all currently allocated counters. The result will be no
currently allocated counters and the new owner will need to allocate counters. The
actual count value will continue to increase.
74712.The TPM MUST deallocate all defined NV storage areas where
748
a.
TPM_NV_PER_OWNERWRITE is TRUE if nvIndex does not have the “D” bit set
749
b.
TPM_NV_PER_OWNERREAD is TRUE if nvIndex does not have the “D” bit set
750
c. The TPM MUST NOT deallocate any other currently defined NV storage areas.
75113.The TPM MUST invalidate all familyTable entries
75214.The TPM MUST terminate all sessions, active or saved.
178Level 2 Revision 116 28 February 2011
179
29
TCG Published
180Copyright © TCG
181
182
7536.3
TPM Main Part 3 Commands
Specification Version 1.2
TPM_ForceClear
754Start of informative comment:
755The TPM_ForceClear command performs the Clear operation under physical access. This
756command is available until the execution of the TPM_DisableForceClear, at which time any
757further invocation of this command returns TPM_CLEAR_DISABLED.
758TPM_ForceClear can succeed even if no owner is installed. In that case, it does whatever
759TPM_OwnerClear actions that it can.
760End of informative comment.
761Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ForceClear
Type
Name
Description
#
SZ
1
#
1S
SZ
4
762Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ForceClear
763Actions
7641. The TPM SHALL check for the assertion of physical presence, if not present return
765
TPM_BAD_PRESENCE
7662. If TPM_STCLEAR_FLAGS -> disableForceClear is TRUE return TPM_CLEAR_DISABLED
7673. The TPM SHALL execute the actions of TPM_OwnerClear (except for the TPM Owner
768
authentication check)
183
184
30
Level 2 Revision 116 28 February 2011
TCG Published
185TPM Main Part 3 Commands
TCG © Copyright
186Specification Version 1.2
7696.4
TPM_DisableOwnerClear
770Start of informative comment:
771The TPM_DisableOwnerClear command disables the ability to execute the TPM_OwnerClear
772command permanently. Once invoked the only method of clearing the TPM will require
773physical access to the TPM.
774After the execution of TPM_ForceClear, ownerClear is re-enabled and must be explicitly
775disabled again by the new TPM Owner.
776End of informative comment.
777Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DisableOwnerClear
4
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
5
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
6
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
7
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner authentication.
HMAC key: ownerAuth.
778Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
5
1
6
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DisableOwnerClear
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth.
20
779Actions
7801. The TPM verifies that the authHandle properly authorizes the owner.
7812. The TPM sets the TPM_PERMANENT_FLAGS -> disableOwnerClear flag to TRUE.
187Level 2 Revision 116 28 February 2011
188
31
TCG Published
189Copyright © TCG
190
191
TPM Main Part 3 Commands
Specification Version 1.2
7823. When this flag is TRUE the only mechanism that can clear the TPM is the
783
TPM_ForceClear command. The TPM_ForceClear command requires physical access to
784
the TPM to execute.
192
193
32
Level 2 Revision 116 28 February 2011
TCG Published
194TPM Main Part 3 Commands
TCG © Copyright
195Specification Version 1.2
7856.5
TPM_DisableForceClear
786Start of informative comment:
787The TPM_DisableForceClear command disables the execution of the TPM_ForceClear
788command until the next startup cycle. Once this command is executed, the TPM_ForceClear
789is disabled until another startup cycle is run.
790End of informative comment.
791Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DisableForceClear
Type
Name
Description
#
SZ
1
#
1S
SZ
4
792Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DisableForceClear
793Actions
7941. The TPM sets the TPM_STCLEAR_FLAGS.disableForceClear flag in the TPM that disables
795
the execution of the TPM_ForceClear command.
196Level 2 Revision 116 28 February 2011
197
33
TCG Published
198Copyright © TCG
199
200
7966.6
TPM Main Part 3 Commands
Specification Version 1.2
TSC_PhysicalPresence
797Start of informative comment:
798Some TPM operations require the indication of a human’s physical presence at the platform.
799The presence of the human either provides another indication of platform ownership or a
800mechanism to ensure that the execution of the command is not the result of a remote
801software process.
802This command allows a process on the platform to indicate the assertion of physical
803presence. As this command is executable by software there must be protections against the
804improper invocation of this command.
805The physicalPresenceHWEnable and physicalPresenceCMDEnable indicate the ability for
806either SW or HW to indicate physical presence. These flags can be reset until the
807physicalPresenceLifetimeLock is set. The platform manufacturer should set these flags to
808indicate the capabilities of the platform the TPM is bound to.
809The command provides two sets of functionality. The first is to enable, permanently, either
810the HW or the SW ability to assert physical presence. The second is to allow SW, if enabled,
811to assert physical presence.
812End of informative comment.
813Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TSC_ORD_PhysicalPresence.
4
2
2S
2
TPM_PHYSICAL_PRESENCE
physicalPresence
The state to set the TPM’s Physical Presence flags.
#
SZ
1
#
SZ
814Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TSC_ORD_PhysicalPresence.
815Actions
8161. For documentation ease, the bits break into two categories. The first is the lifetime
817
settings and the second is the assertion settings.
818
819
820
821
201
202
a. Define A1 to be the lifetime settings: TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK,
TPM_PHYSICAL_PRESENCE_HW_ENABLE, TPM_PHYSICAL_PRESENCE_CMD_ENABLE,
TPM_PHYSICAL_PRESENCE_HW_DISABLE,
and
TPM_PHYSICAL_PRESENCE_CMD_DISABLE
34
Level 2 Revision 116 28 February 2011
TCG Published
203TPM Main Part 3 Commands
TCG © Copyright
204Specification Version 1.2
822
823
b. Define A2 to be the assertion settings: TPM_PHYSICAL_PRESENCE_LOCK,
TPM_PHYSICAL_PRESENCE_PRESENT, and TPM_PHYSICAL_PRESENCE_NOTPRESENT
824Lifetime lock settings
8252. If any A1 setting is present
826
827
a. If TPM_PERMANENT_FLAGS -> physicalPresenceLifetimeLock is TRUE, return
TPM_BAD_PARAMETER
828
b. If any A2 setting is present return TPM_BAD_PARAMETER
829
830
831
c. If both physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_ENABLE and
physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_DISABLE are TRUE, return
TPM_BAD_PARAMETER.
832
833
834
d. If both physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_ENABLE and
physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_DISABLE are TRUE, return
TPM_BAD_PARAMETER.
835
836
e. If physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_ENABLE is TRUE Set
TPM_PERMANENT_FLAGS -> physicalPresenceHWEnable to TRUE
837
838
f. If physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_DISABLE is TRUE Set
TPM_PERMANENT_FLAGS -> physicalPresenceHWEnable to FALSE
839
840
g. If physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_ENABLE is TRUE, Set
TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable to TRUE.
841
842
h. If physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_DISABLE is TRUE, Set
TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable to FALSE.
843
i.
844
845
If physicalPresence -> TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK is TRUE
i.
j.
Set TPM_PERMANENT_FLAGS -> physicalPresenceLifetimeLock to TRUE
Return TPM_SUCCESS
846SW physical presence assertion
8473. If any A2 setting is present
848
a. If any A1 setting is present return TPM_BAD_PARAMETER
849
850
i. This check here just for consistency, the prior checks would have already
ensured that this was ok
851
852
b. If TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable is FALSE, return
TPM_BAD_PARAMETER
853
854
c. If both physicalPresence -> TPM_PHYSICAL_PRESENCE_LOCK and physicalPresence
-> TPM_PHYSICAL_PRESENCE_PRESENT are TRUE, return TPM_BAD_PARAMETER
855
856
857
d. If
both
physicalPresence
->
TPM_PHYSICAL_PRESENCE_PRESENT
and
physicalPresence -> TPM_PHYSICAL_PRESENCE_NOTPRESENT are TRUE, return
TPM_BAD_PARAMETER
858
859
e. If
TPM_STCLEAR_FLAGS
TPM_BAD_PARAMETER
205Level 2 Revision 116 28 February 2011
206
->
physicalPresenceLock
35
TCG Published
is
TRUE,
return
207Copyright © TCG
208
209
860
TPM Main Part 3 Commands
Specification Version 1.2
f. If physicalPresence -> TPM_PHYSICAL_PRESENCE_LOCK is TRUE
861
i.
862
ii. Set TPM_STCLEAR_FLAGS -> physicalPresenceLock to TRUE
863
iii. Return TPM_SUCCESS
864
g. If physicalPresence -> TPM_PHYSICAL_PRESENCE_PRESENT is TRUE
865
866
i.
Set TPM_STCLEAR_FLAGS -> physicalPresence to TRUE
h. If physicalPresence -> TPM_PHYSICAL_PRESENCE_NOTPRESENT is TRUE
867
868
Set TPM_STCLEAR_FLAGS -> physicalPresence to FALSE
i.
i.
Set TPM_STCLEAR_FLAGS -> physicalPresence to FALSE
Return TPM_SUCCESS
8694. Else // There were no A1 or A2 parameters set
870
210
211
a. Return TPM_BAD_PARAMETER
36
Level 2 Revision 116 28 February 2011
TCG Published
212TPM Main Part 3 Commands
TCG © Copyright
213Specification Version 1.2
8716.7
TSC_ResetEstablishmentBit
872Start of informative comment:
873The PC TPM Interface Specification (TIS) specifies setting tpmEstablished to TRUE upon
874execution of the HASH_START sequence. The setting implies the creation of a Trusted
875Operating System on the platform. Platforms will use the value of tpmEstablished to
876determine if operations necessary to maintain the security perimeter are necessary.
877The tpmEstablished bit provides a non-volatile, secure reporting that a HASH_START was
878previously run on the platform. When a platform makes use of the tpmEstablished bit, the
879platform can reset tpmEstablished as the operation is no longer necessary.
880For example, a platform could use tpmEstablished to ensure that, if HASH_START had ever
881been, executed the platform could use the value to invoke special processing. Once the
882processing is complete the platform will wish to reset tpmEstablished to avoid invoking the
883special process again.
884The TPM_PERMANENT_FLAGS -> tpmEstablished bit described in the TPM specifications
885uses positive logic. The TPM_ACCESS register uses negative logic, so that TRUE is reflected
886as a 0.
887End of informative comment.
888Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TSC_ORD_ResetEstablishmentBit
Type
Name
Description
#
SZ
1
#
1S
SZ
4
889Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TSC_ORD_ResetEstablishmentBit
890Actions
8911. Validate the assertion of locality 3 or locality 4
8922. Set TPM_PERMANENT_FLAGS -> tpmEstablished to FALSE
8933. Return TPM_SUCCESS
214Level 2 Revision 116 28 February 2011
215
37
TCG Published
216Copyright © TCG
217
218
TPM Main Part 3 Commands
Specification Version 1.2
8947. The Capability Commands
895Start of informative comment:
896The TPM has numerous capabilities that a remote entity may wish to know about. These
897items include support of algorithms, key sizes, protocols and vendor-specific additions. The
898TPM_GetCapability command allows the TPM to report back to the requestor what type of
899TPM it is dealing with.
900The request for information requires the requestor to specify which piece of information that
901is required. The request does not allow the “merging” of multiple requests and returns only
902a single piece of information.
903In failure mode, the TPM returns a limited set of information that includes the TPM
904manufacturer and version.
905In version 1.2 with the deletion of TPM_GetCapabilitySigned the way to obtain a signed
906listing of the capabilities is to create a transport session, perform TPM_GetCapability
907commands to list the information and then close the transport session using
908TPM_ReleaseTransportSigned.
909End of informative comment.
9101. The standard information provided in TPM_GetCapability MUST NOT provide unique
911
information
912
913
914
219
220
a. The TPM has no control of information placed into areas on the TPM like the NV store
that is reported by the TPM. Configuration information for these areas could conceivably
be unique
38
Level 2 Revision 116 28 February 2011
TCG Published
221TPM Main Part 3 Commands
TCG © Copyright
222Specification Version 1.2
9157.1
TPM_GetCapability
916Start of informative comment:
917This command returns current information regarding the TPM.
918The limitation on what can be returned in failure mode restricts the information a
919manufacturer may return when capArea indicates TPM_CAP_MFR.
920End of informative comment.
921Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetCapability
4
4
2S
4
TPM_CAPABILITY_AREA
capArea
Partition of capabilities to be interrogated
5
4
3S
4
UINT32
subCapSize
Size of subCap parameter
6
<>
4S
<>
BYTE[]
subCap
Further definition of information
Type
Name
Description
#
SZ
1
#
SZ
922Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetCapability
4
4
3S
4
UINT32
respSize
The length of the returned capability response
5
<>
4S
<>
BYTE[ ]
resp
The capability response
923
223Level 2 Revision 116 28 February 2011
224
39
TCG Published
225Copyright © TCG
226
227
TPM Main Part 3 Commands
Specification Version 1.2
924Actions
9251. The TPM validates the capArea and subCap indicators. If the information is available,
926
the TPM creates the response field and fills in the actual information.
9272. The structure document contains the list of caparea and subCap values
9283. If the TPM is in failure mode or limited operation mode, the TPM MUST return
929
a. TPM_CAP_VERSION
930
b. TPM_CAP_VERSION_VAL
931
c. TPM_CAP_MFR
932
d. TPM_CAP_PROPERTY -> TPM_CAP_PROP_MANUFACTURER
933
e. TPM_CAP_PROPERTY -> TPM_CAP_PROP_DURATION
934
f. TPM_CAP_PROPERTY -> TPM_CAP_PROP_TIS_TIMEOUT
935
g. The TPM MAY return any other capability.
228
229
40
Level 2 Revision 116 28 February 2011
TCG Published
230TPM Main Part 3 Commands
TCG © Copyright
231Specification Version 1.2
9367.2
TPM_SetCapability
937Start of informative comment:
938This command sets values in the TPM.
939A setValue that is inconsistent with the capArea and subCap is considered a bad
940parameter.
941End of informative comment.
942Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
ordinal: TPM_ORD_SetCapability
4
4
2S
4
TPM_CAPABILITY_AREA
capArea
Partition of capabilities to be set
5
4
3S
4
UINT32
subCapSize
Size of subCap parameter
6
<>
4S
<>
BYTE[]
subCap
Further definition of information
7
4
5S
4
UINT32
setValueSize
The size of the value to set
8
<>
6S
<>
BYTE[]
setValue
The value to set
9
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
10
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
11
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
12
20
TPM_AUTHDATA
ownerAuth
Authorization. HMAC key: owner.usageAuth.
232Level 2 Revision 116 28 February 2011
233
41
TCG Published
234Copyright © TCG
235
236
TPM Main Part 3 Commands
Specification Version 1.2
943Outgoing Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
5
1
6
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
ordinal: TPM_ORD_SetCapability
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
Authorization HMAC key:owner.usageAuth.
20
944Actions
9451. If tag = TPM_TAG_RQU_AUTH1_COMMAND, validate the command and parameters
946
using ownerAuth, return TPM_AUTHFAIL on error
9472. The TPM validates the capArea and subCap indicators, including the ability to set value
948
based on any set restrictions
9493. If the capArea and subCap indicators conform with one of the entries in the structure
950
TPM_CAPABILITY_AREA (Values for TPM_SetCapability)
951
a. The TPM sets the relevant flag/data to the value of setValue parameter.
9524. Else
953
237
238
a. Return the error code TPM_BAD_PARAMETER.
42
Level 2 Revision 116 28 February 2011
TCG Published
239TPM Main Part 3 Commands
TCG © Copyright
240Specification Version 1.2
9547.3
TPM_GetCapabilityOwner
955Start of informative comment:
956TPM_GetCapabilityOwner enables the TPM Owner to retrieve all the non-volatile flags and
957the volatile flags in a single operation.
958The flags summarize many operational aspects of the TPM. The information represented by
959some flags is private to the TPM Owner. So, for simplicity, proof of ownership of the TPM
960must be presented to retrieve the set of flags. When necessary, the flags that are not private
961to the Owner can be deduced by Users via other (more specific) means.
962The normal TPM authentication mechanisms are sufficient to prove the integrity of the
963response. No additional integrity check is required.
964End of informative comment.
965Incoming Operands and Sizes
PARAM
HMAC
#
Type
SZ
Name
Description
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetCapabilityOwner
4
4
TPM_AUTHHANDLE
authHandle
The authorization handle used for Owner authorization.
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
5
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
6
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization handle
7
20
TPM_AUTHDATA
ownerAuth
The authorization digest for inputs and owner authorization. HMAC key:
OwnerAuth.
966
967Outgoing Operands and Sizes
PARAM
HMAC
#
Type
SZ
Name
Description
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation. See section 4.3.
2S
4
TPM_COMMAND_CODE
ordinal
Ordinal: TPM_ORD_GetCapabilityOwner
4
4
3S
4
TPM_VERSION
version
A properly filled out version structure.
5
4
4S
4
UINT32
non_volatile_flags
The current state of the non-volatile flags.
6
4
5S
4
UINT32
volatile_flags
The current state of the volatile flags.
7
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization digest for the returned parameters. HMAC key: OwnerAuth.
8
1
9
20
241Level 2 Revision 116 28 February 2011
242
43
TCG Published
243Copyright © TCG
244
245
TPM Main Part 3 Commands
Specification Version 1.2
968
969Description
970For 31>=N>=0
9711.
972
973
974
Bit-N of the TPM_PERMANENT_FLAGS structure is the Nth bit after the opening bracket
in the definition of TPM_PERMANENT_FLAGS in the version of the specification
indicated by the parameter “version”. The bit immediately after the opening bracket is
the 0th bit.
9752. Bit-N of the TPM_STCLEAR_FLAGS structure is the Nth bit after the opening bracket in
976
the definition of TPM_STCLEAR_FLAGS in the version of the specification indicated by
977
the parameter “version”. The bit immediately after the opening bracket is the 0 th bit.
9783. Bit-N of non_volatile_flags corresponds to the Nth bit in TPM_PERMANENT_FLAGS, and
979
the lsb of non_volatile_flags corresponds to bit0 of TPM_PERMANENT_FLAGS
9804. Bit-N of volatile_flags corresponds to the Nth bit in TPM_STCLEAR_FLAGS, and the lsb
981
of volatile_flags corresponds to bit0 of TPM_STCLEAR_FLAGS
982Actions
9831. The TPM validates that the TPM Owner authorizes the command.
9842. The TPM creates the parameter non_volatile_flags by setting each bit to the same state
985
as the corresponding bit in TPM_PERMANENT_FLAGS. Bits in non_volatile_flags for
986
which there is no corresponding bit in TPM_PERMANENT_FLAGS are set to zero.
9873. The TPM creates the parameter volatile_flags by setting each bit to the same state as the
988
corresponding bit in TPM_STCLEAR_FLAGS. Bits in volatile_flags for which there is no
989
corresponding bit in TPM_STCLEAR_FLAGS are set to zero.
9904. The TPM generates the parameter “version”.
9915. The TPM returns non_volatile_flags, volatile_flags and version to the caller.
246
247
44
Level 2 Revision 116 28 February 2011
TCG Published
248TPM Main Part 3 Commands
TCG © Copyright
249Specification Version 1.2
9928.
Auditing
9938.1
Audit Generation
994Start of informative comment:
995The TPM generates an audit event in response to the TPM successfully executing a
996command that has the audit flag set to TRUE for that command ordinal.
997The TPM maintains an extended value for all audited operations.
998End of informative comment.
999Description
10001. The TPM extends the audit digest whenever the ordinalAuditStatus is TRUE for the
1001
ordinal about to be executed.
10022. The TPM extends the audit digest only when a command is successfully executed.
1003
1004
a. If the ordinal is unknown, unimplemented, or cannot be determined, no auditing is
performed.
10053. Corner cases
1006
1007
1008
a. TPM_SaveState: Only the input parameters are audited, and the audit occurs before
the state is saved. If an error occurs while or after the state is saved, the audit still
occurs.
1009
1010
1011
b. TPM_SetOrdinalAuditStatus: In the case where the ordinalToAudit is TPM_ORD_SetOrdinalAuditStatus, audit is based on the initial state, not the final
state.
1012Actions
1013The TPM will execute the ordinal and perform auditing in the following manner:
10141. Execute command
1015
a. Execution implies the performance of the listed actions for the ordinal.
10162. If the command will return TPM_SUCCESS
1017
1018
1019
a. If TPM_STANY_DATA -> auditDigest is all zeros
i. Increment TPM_PERMANENT_DATA -> auditMonotonicCounter by 1
b. Create A1 a TPM_AUDIT_EVENT_IN structure
1020
1021
i. Set A1 -> inputParms to the digest of the input parameters from the
command
1022
1023
1. Digest value according to the HMAC digest rules of the "above the
line" parameters (i.e. the first HMAC digest calculation).
1024
1025
ii. Set
A1
->
auditCount
auditMonotonicCounter
250Level 2 Revision 116 28 February 2011
251
45
TCG Published
to
TPM_PERMANENT_DATA
->
252Copyright © TCG
253
254
TPM Main Part 3 Commands
Specification Version 1.2
1026
1027
c. Set TPM_STANY_DATA
auditDigest || A1)
1028
d. Create A2 a TPM_AUDIT_EVENT_OUT structure
->
auditDigest
to
SHA-1
(TPM_STANY_DATA
->
1029
1030
i. Set A2 -> outputParms to the digest of the output parameters from the
command
1031
1032
1. Digest value according to the HMAC digest rules of the "above the
line" parameters (i.e. the first HMAC digest calculation).
1033
1034
ii. Set
A2
->
auditCount
auditMonotonicCounter
1035
1036
e. Set TPM_STANY_DATA
auditDigest || A2)
->
auditDigest
to
TPM_PERMANENT_DATA
to
SHA-1
(TPM_STANY_DATA
1037
255
256
46
Level 2 Revision 116 28 February 2011
TCG Published
->
->
257TPM Main Part 3 Commands
TCG © Copyright
258Specification Version 1.2
10388.2
Effect of audit failing
1039Start of informative comment:
1040The TPM audit process could have an internal error when attempting to audit a command.
1041To indicate the audit failure, the TPM will return TPM_AUDITFAIL_SUCCESSFUL. This new
1042functionality changes the 1.1 TPM functionality when this condition occurs.
1043Since no audit occurs if the command fails, The TPM_AUDITFAIL_UNSUCCESSFUL return
1044code is no longer used.
1045End of informative comment.
10461. When, in performing the audit process, the TPM has an internal failure (unable to write,
1047
SHA-1 failure etc.) the TPM MUST set the internal TPM state such that the TPM returns
1048
the TPM_FAILEDSELFTEST error on subsequent attempts to execute a command.
10492. The return code for the command uses the following rules
1050
a. Command result success, audit success -> return TPM_SUCCESS
1051
b. Command result failure, no audit -> return command result failure
1052
c. Command result success, audit failure -> return TPM_AUDITFAIL_SUCCESSFUL
10533.
1054
1055
1056
If the TPM is permanently nonrecoverable after an audit failure, then the TPM MUST
always
return
TPM_FAILEDSELFTEST
for
every
command
other
than
TPM_GetTestResult. This state must persist regardless of power cycling, the execution
of TPM_Init or any other actions.
259Level 2 Revision 116 28 February 2011
260
47
TCG Published
261Copyright © TCG
262
263
10578.3
TPM Main Part 3 Commands
Specification Version 1.2
TPM_GetAuditDigest
1058Start of informative comment:
1059This returns the current audit digest. The external audit log has the responsibility to track
1060the parameters that constitute the audit digest.
1061This value may be unique to an individual TPM. The value however will be changing at a
1062rate set by the TPM Owner. Those attempting to use this value may find it changing without
1063their knowledge. This value represents a very poor source of tracking uniqueness.
1064End of informative comment.
1065Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetAuditDigest
4
4
UINT32
startOrdinal
The starting ordinal for the list of audited ordinals
Type
Name
Description
#
SZ
1
#
SZ
1066Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
Tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
TPM_RESULT
returnCode
The return code of the operation.
5
10
TPM_COUNTER_VALUE
counterValue
The current value of the audit monotonic counter
4
20
TPM_DIGEST
auditDigest
Log of all audited events
5
1
BOOL
more
TRUE if the output does not contain a full list of audited ordinals
5
4
UINT32
ordSize
Size of the ordinal list in bytes
6
<>
BYTE[]
ordList
List of ordinals that are audited.
1067Description
10681. This command is never audited.
1069Actions
10701. The TPM sets auditDigest to TPM_STANY_DATA -> auditDigest
10712. The TPM sets counterValue to TPM_PERMANENT_DATA -> auditMonotonicCounter
10723. The TPM creates an ordered list of audited ordinals. The list starts at startOrdinal listing
1073
each ordinal that is audited.
1074
1075
264
265
a. If startOrdinal is 0 then the first ordinal that could be audited would be TPM_OIAP
(ordinal 0x0000000A)
48
Level 2 Revision 116 28 February 2011
TCG Published
266TPM Main Part 3 Commands
TCG © Copyright
267Specification Version 1.2
1076
b. The next ordinal would be TPM_OSAP (ordinal 0x0000000B)
10774. If the ordered list does not fit in the output buffer the TPM sets more to TRUE
10785. Return TPM_STANY_DATA -> auditDigest as auditDigest
268Level 2 Revision 116 28 February 2011
269
49
TCG Published
270Copyright © TCG
271
272
10798.4
TPM Main Part 3 Commands
Specification Version 1.2
TPM_GetAuditDigestSigned
1080Start of informative comment:
1081The signing of the audit log returns the entire digest value and the list of currently audited
1082commands.
1083The inclusion of the list of audited commands as an atomic operation is to tie the current
1084digest value with the list of commands that are being audited.
1085Note to future architects
1086When auditing functionality is active in a TPM, it may seem logical to remove this ordinal
1087from the active set of ordinals as the signing functionality of this command could be
1088handled in a signed transport session. While true, this command has a secondary affect
1089also, resetting the audit log digest. As the reset requires TPM Owner authentication, there
1090must be some way in this command to reflect the TPM Owner wishes. By requiring that a
1091TPM Identity key be the only key that can sign and reset, the TPM Owner’s authentication is
1092implicit in the execution of the command (TPM Identity Keys are created and controlled by
1093the TPM Owner only). Hence, while one might want to remove an ordinal this is not one that
1094can be removed if auditing is functional.
1095End of informative comment.
1096Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetAuditDigestSigned
4
4
TPM_KEY_HANDLE
keyHandle
The handle of a loaded key that can perform digital signatures.
5
1
2S
1
BOOL
closeAudit
Indication if audit session should be closed
6
20
3S
20
TPM_NONCE
antiReplay
A nonce to prevent replay attacks
7
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for key authentication.
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
10
273
274
20
9
20
TPM_AUTHDATA
keyAuth
Authorization. HMAC key: key.usageAuth.
50
Level 2 Revision 116 28 February 2011
TCG Published
275TPM Main Part 3 Commands
TCG © Copyright
276Specification Version 1.2
1097Outgoing Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetAuditDigestSigned
4
10
3S
10
TPM_COUNTER_VALUE
counterValue
The value of the audit monotonic counter
5
20
4S
20
TPM_DIGEST
auditDigest
Log of all audited events
6
20
5S
20
TPM_DIGEST
ordinalDigest
Digest of all audited ordinals
7
4
6S
4
UINT32
sigSize
The size of the sig parameter
8
<>
7S
<>
BYTE[]
sig
The signature of the area
9
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
Authorization HMAC key: key.usageAuth.
10
1
11
20
1098Actions
10991. Validate the AuthData and parameters using keyAuth, return TPM_AUTHFAIL on error
11002. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY or
1101
TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE
11023. The TPM validates that the key pointed to by keyHandle has a signature scheme of
1103
TPM_SS_RSASSAPKCS1v15_SHA1
or
TPM_SS_RSASSAPKCS1v15_INFO,
return
1104
TPM_INVALID_KEYUSAGE on error
11054. Create D1 a TPM_SIGN_INFO structure and set the structure defaults
1106
a. Set D1 -> fixed to “ADIG”
1107
b. Set D1 -> replay to antiReplay
1108
1109
c. Create D3 a list of all audited ordinals as defined in the TPM_GetAuditDigest
UINT32[] ordList outgoing parameter
1110
d. Create D4 the SHA-1 of D3
1111
e. Set auditDigest to TPM_STANY_DATA -> auditDigest
1112
f. Set counterValue to TPM_PERMANENT_DATA -> auditMonotonicCounter
1113
g. Create D2 the concatenation of auditDigest || counterValue || D4
1114
h. Set D1 -> data to D2
1115
1116
i. Create a digital signature of the SHA-1 of D1 by using the signature scheme for
keyHandle
1117
j.
Set ordinalDigest to D4
11185. If closeAudit == TRUE
277Level 2 Revision 116 28 February 2011
278
51
TCG Published
279Copyright © TCG
280
281
1119
TPM Main Part 3 Commands
Specification Version 1.2
a. If keyHandle->keyUsage is TPM_KEY_IDENTITY
1120
i.
1121
b. Else
1122
i.
282
283
TPM_STANY_DATA -> auditDigest MUST be set to all zeros.
Return TPM_INVALID_KEYUSAGE
52
Level 2 Revision 116 28 February 2011
TCG Published
284TPM Main Part 3 Commands
TCG © Copyright
285Specification Version 1.2
11238.5
TPM_SetOrdinalAuditStatus
1124Start of informative comment:
1125Set the audit flag for a given ordinal. Requires the authentication of the TPM Owner.
1126End of informative comment.
1127Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SetOrdinalAuditStatus
4
4
2S
4
TPM_COMMAND_CODE
ordinalToAudit
The ordinal whose audit flag is to be set
5
1
3S
1
BOOL
auditState
Value for audit flag
6
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
7
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
8
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
9
20
TPM_AUTHDATA
ownerAuth
HMAC key: ownerAuth.
Type
Name
Description
1128Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
5
1
6
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SetOrdinalAuditStatus
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth.
20
1129Actions
11301. Validate the AuthData to execute the command and the parameters
11312. Validate that the ordinal points to a valid TPM ordinal, return TPM_BADINDEX on error
1132
a. Valid TPM ordinal means an ordinal that the TPM implementation supports
11333. Set the non-volatile flag associated with ordinalToAudit to the value in auditState
286Level 2 Revision 116 28 February 2011
287
53
TCG Published
288Copyright © TCG
289
290
11349.
TPM Main Part 3 Commands
Specification Version 1.2
Administrative Functions - Management
11359.1
TPM_FieldUpgrade
1136Start of informative comment:
1137The TPM needs a mechanism to allow for updating the protected capabilities once a TPM is
1138in the field. Given the varied nature of TPM implementations there will be numerous
1139methods of performing an upgrade of the protected capabilities. This command, when
1140implemented, provides a manufacturer specific method of performing the upgrade.
1141The manufacturer can determine, within the listed requirements, how to implement this
1142command. The command may be more than one command and actually a series of
1143commands.
1144The IDL definition is to create an ordinal for the command. However, the remaining
1145parameters are manufacturer specific.
1146The policy to determine when it is necessary to perform the actions of TPM_RevokeTrust is
1147outside the TPM spec and determined by other TCG workgroups.
1148TPM_FieldUpgrade is gated by either owner authorization or deferred assertion of Physical
1149Presence
(via
the
TPM_STCLEAR_DATA
->
deferredPhysicalPresence
->
1150unownedFieldUpgrade flag). This gating is acknowledgement that the entity that sets the
1151security policy for a platform must approve field upgrade for that platform. This gating can
1152block a global attack on TPMs when the TPME’s privilege information (private key) has been
1153compromised. For blocking to be effective in an unowned TPM, the TPM’s ownership flag
1154must be FALSE. (This prevents software from taking ownership and executing
1155TPM_FieldUpgrade with owner authorization.)
1156If an owner is present, field upgrade MUST be owner authorized, as the actions indicate.
1157This prevents an attacker from using physical presence to upgrade a TPM without detection
1158by the owner.
1159The advantages of deferred assertion of Physical Presence are that it:
1160
permits a TPM to be upgraded if taking ownership is undesirable or impractical.
1161
1162
permits a TPM to be upgraded in the OS environment (where Physical Presence
typically cannot be asserted), when the TPM has no owner.
1163If it is acceptable to take ownership of a TPM temporarily, an alternative to deferred
1164assertion of Physical Presence is the process: (1) take ownership; (2) perform an owner
1165authorized field upgrade; (3) clear the owner from the TPM.
1166There is no requirement for patch confidentiality. Confidentiality may be implemented
1167using a manufacturer specific mechanism, and may use a global secret such as a
1168symmetric encryption key.
1169The TPM may set the volatile deactivated flag to TRUE if a reboot is required after the field
1170upgrade. There is no requirement to do so.
1171The TPM must check owner authorization before changing the TPM state or beginning the
1172upgrade. This prevents a non-owner from mounting a denial-of-service attack. It is
1173understood that a TPM may not be able to stage the entire upgrade patch inside the TPM
291
292
54
Level 2 Revision 116 28 February 2011
TCG Published
293TPM Main Part 3 Commands
TCG © Copyright
294Specification Version 1.2
1174before checking owner authorization. That TPM may be forced to move the patch outside
1175the owner authorization HMAC.
1176Ideally, if the upgrade fails (e.g., due to an authentication failure) the TPM firmware should
1177remain unchanged. It is understood that a TPM may not be able to stage the entire upgrade
1178patch inside the TPM for authentication before beginning the upgrade. On a failure, that
1179TPM may be forced to roll the firmware back to a ROMed version. It may go into an upgrade
1180failure state, where it requires a successful field upgrade before continuing.
1181If a field upgrade adds or deletes features, the security implications must be analyzed. The
1182associated state must be set to prevent attacks. See, for example, allowMaintenance in Part
11832. In addition, if a field upgrade adds maintenance commands, it must atomically install
1184the manufacturer’s maintenance public key.
1185End of informative comment.
1186IDL Definition
1187TPM_RESULT TPM_FieldUpgrade(
1188
[in, out] TPM_AUTH* ownerAuth,
1189
…);
1190Type
1191This is an optional command and a TPM is not required to implement this command in any
1192form.
1193Parameters
Type
Name
Description
TPM_AUTH
ownerAuth
Authentication from TPM owner to execute command
Remaining parameters are manufacturer specific
1194Description
1195The patch integrity and authenticity verification mechanisms in the TPM MUST not require
1196the TPM to hold a global secret. The definition of global secret is a secret value shared by
1197more than one TPM.
1198The TPME is not allowed to pre-store or use unique identifiers in the TPM for the purpose of
1199field upgrade. The TPM MUST NOT use the endorsement key for identification or encryption
1200in the upgrade process. The upgrade process MAY use a TPM Identity to deliver upgrade
1201information to specific TPM’s.
1202The upgrade process SHOULD only change protected capabilities. The upgrade process
1203SHOULD NOT change shielded locations.
1204The upgrade process MUST NOT change the disabled or deactivated state from TRUE to
1205FALSE.
1206The upgrade process SHOULD only access data in shielded locations where this data is
1207necessary to validate the TPM Owner, validate the TPME and manipulate the blob.
295Level 2 Revision 116 28 February 2011
296
55
TCG Published
297Copyright © TCG
298
299
TPM Main Part 3 Commands
Specification Version 1.2
1208The execution of a TPM_FieldUpgrade command in a TPM MUST leave the TPM in a state
1209that conforms to a version of TCG's TPM specification and conforms to any extant TCG1210defined credentials (certificates) that attest to that upgraded TPM.
1211The security target used to valuate this TPM MUST include this command in the TOE.
1212If the owner authorization fails, the state of the TPM (volatile, nonvolatile, and firmware)
1213MUST remain unchanged. The only exception shall be the dictionary attack mitigation
1214state, which should process the authentication failure.
1215Actions
1216The TPM SHALL perform the following when executing the command:
12171. If TPM Owner is installed
1218
1219
a. Validate the command and parameters using TPM owner authentication, return
TPM_AUTHFAIL on error
12202. Else
1221
1222
a. If TPM_STCLEAR_DATA -> deferredPhysicalPresence -> unownedFieldUpgrade is
FALSE return TPM_BAD_PRESENCE.
12233. Validate that the upgrade information was sent by the TPME. The validation mechanism
1224
MUST use a strength of function that is at least the same strength of function as a
1225
digital signature performed using a 2048 bit RSA key.
12264. Validate that the upgrade target is the appropriate TPM model and version.
12275. Process the upgrade information and update the protected capabilities
12286. Set the TPM_PERMANENT_DATA -> revMajor and TPM_PERMANENT_DATA -> revMinor
1229
to the values indicated in the upgrade. The selection of the value is a manufacturer
1230
option.
1231
1232
a. The TPM MAY validate that the upgrade major and minor revision are monotonically
increasing.
1233
1234
b. The TPM MAY allow upgrade with a major and minor revision that is less than
currently installed in the TPM.
12357. The TPM MAY set the TPM_STCLEAR_FLAGS.deactivated to TRUE
300
301
56
Level 2 Revision 116 28 February 2011
TCG Published
302TPM Main Part 3 Commands
TCG © Copyright
303Specification Version 1.2
12369.2
TPM_SetRedirection
1237Start of informative comment:
1238The redirection command attaches a key to a redirection receiver.
1239When making the connection to a GPIO channel the authorization restrictions are set at
1240connection time and not for each invocation that uses the channel.
1241End of informative comment.
1242Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SetRedirection
4
4
TPM_KEY_HANDLE
keyHandle
The keyHandle identifier of a loaded key that can implement redirection.
5
4
2S
4
TPM_COMMAND_CODE
redirCmd
The command to execute
6
4
3S
4
UINT32
inputDataSize
The size of the input data
7
<>
4S
<>
BYTE
inputData
Manufacturer parameter
8
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle authorization
#
SZ
1
#
SZ
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
9
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
10
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
11
20
TPM_AUTHDATA
ownerAuth
HMAC key ownerAuth
1243Outgoing Operands and Sizes
PARAM
HMAC
#
Type
SZ
Name
Description
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
5
1
6
20
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SetRedirection
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
key.usageAuth
1244
1245Action
12461. If tag == TPM_TAG_RQU_AUTH1_COMMAND
304Level 2 Revision 116 28 February 2011
305
57
TCG Published
306Copyright © TCG
307
308
1247
1248
TPM Main Part 3 Commands
Specification Version 1.2
a. Validate the command and parameters using TPM Owner authentication, on error
return TPM_AUTHFAIL
12492. if redirCmd == TPM_REDIR_GPIO
1250
1251
a. Validate that keyHandle points to a loaded key, return TPM_INVALID_KEYHANDLE
on error
1252
b. Validate the key attributes specify redirection, return TPM_BAD_TYPE on error
1253
c. Validate that inputDataSize is 4, return TPM_BAD_PARAM_SIZE on error
1254
1255
d. Validate
that
inputData
TPM_BAD_PARAMETER on error
1256
e. Map C1 to the TPM_GPIO_CONFIG_CHANNEL structure indicated by inputData
1257
f. If C1 -> attr specifies TPM_GPIO_ATTR_OWNER
1258
1259
i.
to
a
valid
GPIO
channel,
return
If tag != TPM_TAG_RQU_AUTH1_COMMAND return TPM_AUTHFAIL
g. If C1 -> attr specifies TPM_GPIO_ATTR_PP
1260
1261
1262
points
i. If TPM_STCLEAR_FLAGS
TPM_BAD_PRESENCE
->
physicalPresence
==
FALSE,
then
return
h. Return TPM_SUCCESS
12633. The TPM MAY support other redirection types. These types may be specified by TCG or
1264
provided by the manufacturer.
309
310
58
Level 2 Revision 116 28 February 2011
TCG Published
311TPM Main Part 3 Commands
TCG © Copyright
312Specification Version 1.2
12659.3
TPM_ResetLockValue
1266Start of informative comment:
1267Command that resets the TPM dictionary attack mitigation values
1268This allows the TPM owner to cancel the effect of a number of successive authorization
1269failures. Dictionary attack mitigation is vendor specific, and the actions here are one
1270possible implementation. The TPM may treat an authorization failure outside the mitigation
1271time as a normal failure and not disable the command.
1272If this command itself has an authorization failure, it is blocked for the remainder of the
1273lock out period. This prevents a dictionary attack on the owner authorization using this
1274command.
1275It is understood that this command allows the TPM owner to perform a dictionary attack on
1276other authorization values by alternating a trial and this command. Similarly, delegating
1277this command allows the owner’s delegate to perform a dictionary attack.
1278End of informative comment.
1279Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ResetLockValue
4
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for TPM Owner authorization
#
SZ
1
#
SZ
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
5
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
6
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
7
20
TPM_AUTHDATA
ownerAuth
HMAC key TPM Owner auth
Type
Name
Description
1280Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
5
1
6
20
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ResetLockValue
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
HMAC key: TPM Owner auth
313Level 2 Revision 116 28 February 2011
314
59
TCG Published
315Copyright © TCG
316
317
TPM Main Part 3 Commands
Specification Version 1.2
1281Action
12821. If TPM_STCLEAR_DATA -> disableResetLock is TRUE return TPM_AUTHFAIL
1283
1284
a. The internal dictionary attack mechanism will set TPM_STCLEAR_DATA ->
disableResetLock to FALSE when the timeout period expires
12852. If the command and parameters validation using ownerAuth fails
1286
a. Set TPM_STCLEAR_DATA -> disableResetLock to TRUE
1287
b. Restart the TPM dictionary attack lock out period
1288
c. Return TPM_AUTHFAIL
12893. Reset the internal TPM dictionary attack mitigation mechanism
1290
1291
318
319
a. The mechanism is vendor specific and can include time outs, reboots, and other
mitigation strategies
60
Level 2 Revision 116 28 February 2011
TCG Published
320TPM Main Part 3 Commands
TCG © Copyright
321Specification Version 1.2
129210.
129310.1
Storage functions
TPM_Seal
1294Start of informative comment:
1295The SEAL operation allows software to explicitly state the future “trusted” configuration that
1296the platform must be in for the secret to be revealed. The SEAL operation also implicitly
1297includes the relevant platform configuration (PCR-values) when the SEAL operation was
1298performed. The SEAL operation uses the tpmProof value to BIND the blob to an individual
1299TPM.
1300If the UNSEAL operation succeeds, proof of the platform configuration that was in effect
1301when the SEAL operation was performed is returned to the caller, as well as the secret data.
1302This proof may, or may not, be of interest. If the SEALed secret is used to authenticate the
1303platform to a third party, a caller is normally unconcerned about the state of the platform
1304when the secret was SEALed, and the proof may be of no interest. On the other hand, if the
1305SEALed secret is used to authenticate a third party to the platform, a caller is normally
1306concerned about the state of the platform when the secret was SEALed. Then the proof is of
1307interest.
1308For example, if SEAL is used to store a secret key for a future configuration (probably to
1309prove that the platform is a particular platform that is in a particular configuration), the
1310only requirement is that that key can be used only when the platform is in that future
1311configuration. Then there is no interest in the platform configuration when the secret key
1312was SEALed. An example of this case is when SEAL is used to store a network
1313authentication key.
1314On the other hand, suppose an OS contains an encrypted database of users allowed to log
1315on to the platform. The OS uses a SEALED blob to store the encryption key for the user1316database. However, the nature of SEAL is that any SW stack can SEAL a blob for any other
1317software stack. Hence, the OS can be attacked by a second OS replacing both the SEALED1318blob encryption key, and the user database itself, allowing untrusted parties access to the
1319services of the OS. To thwart such attacks, SEALED blobs include the past SW
1320configuration. Hence, if the OS is concerned about such attacks, it may check to see
1321whether the past configuration is one that is known to be trusted.
1322TPM_Seal requires the encryption of one parameter (“Secret”). For the sake of uniformity
1323with other commands that require the encryption of more than one parameter, the string
1324used for XOR encryption is generated by concatenating a nonce (created during the OSAP
1325session) with the session shared secret and then hashing the result.
1326The sealed data blob does not have a protected identifier. On a platform that does not
1327prevent unauthorized access to data, a data blob can be exchanged by a lower layer without
1328detection. The upper layer software must take additional measures to protect the relation
1329between its identifier of the data blob and the blob itself.
1330End of informative comment.
322Level 2 Revision 116 28 February 2011
323
61
TCG Published
324Copyright © TCG
325
326
TPM Main Part 3 Commands
Specification Version 1.2
1331Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Seal.
4
4
TPM_KEY_HANDLE
keyHandle
Handle of a loaded key that can perform seal operations.
5
20
2S
20
TPM_ENCAUTH
encAuth
The encrypted AuthData for the sealed data.
6
4
3S
4
UINT32
pcrInfoSize
The size of the pcrInfo parameter. If 0 there are no PCR registers in use
7
<>
4S
<>
TPM_PCR_INFO
pcrInfo
The PCR selection information. The caller MAY use TPM_PCR_INFO_LONG.
8
4
5S
4
UINT32
inDataSize
The size of the inData parameter
9
<>
6S
<>
BYTE[ ]
inData
The data to be sealed to the platform and any specified PCRs
10
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle authorization.
Must be an OSAP session for this command.
#
SZ
1
#
SZ
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
11
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
12
1
4H1
1
BOOL
continueAuthSession
Ignored
13
20
TPM_AUTHDATA
pubAuth
The authorization session digest for inputs and keyHandle. HMAC key:
key.usageAuth.
1332Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Seal.
4
<>
3S
<>
TPM_STORED_DATA
sealedData
Encrypted, integrity-protected data object that is the result of the TPM_Seal operation.
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, fixed value of FALSE
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
key.usageAuth.
6
1
7
20
1333Description
1334TPM_Seal is used to encrypt private objects that can only be decrypted using TPM_Unseal.
1335Actions
13361. Validate the authorization to use the key pointed to by keyHandle
13372. If the inDataSize is 0 the TPM returns TPM_BAD_PARAMETER
327
328
62
Level 2 Revision 116 28 February 2011
TCG Published
329TPM Main Part 3 Commands
TCG © Copyright
330Specification Version 1.2
13383. If the keyUsage field of the key indicated by keyHandle does not have the value TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE.
13404. If the keyHandle points to a migratable key then the TPM MUST return the error code TPM_INVALID_KEY_USAGE.
13425. Determine the version of pcrInfo
1343
a. If pcrInfoSize is 0
1344
i.
1345
b. Else
1346
i.
1347
ii. If X1 -> tag is TPM_TAG_PCR_INFO_LONG
1348
set V1 to 1
Point X1 as TPM_PCR_INFO_LONG structure to pcrInfo
(1)
1349
Set V1 to 2
iii. Else
1350
(1)
Set V1 to 1
13516. If V1 is 1 then
1352
a. Create S1 a TPM_STORED_DATA structure
13537. else
1354
a. Create S1 a TPM_STORED_DATA12 structure
1355
b. Set S1 -> et to 0
13568. Set S1 -> encDataSize to 0
13579. Set S1 -> encData to all zeros
135810.Set S1 -> sealInfoSize to pcrInfoSize
135911.If pcrInfoSize is not 0 then
1360
a. if V1 is 1 then
1361
1362
i. Validate pcrInfo as a valid TPM_PCR_INFO structure, return TPM_BADINDEX
on error
1363
ii. Set S1 -> sealInfo -> pcrSelection to pcrInfo -> pcrSelection
1364
iii. Create h1 the composite hash of the PCR selected by pcrInfo -> pcrSelection
1365
iv. Set S1 -> sealInfo -> digestAtCreation to h1
1366
v. Set S1 -> sealInfo -> digestAtRelease to pcrInfo -> digestAtRelease
1367
b. else
1368
1369
i. Validate pcrInfo as TPM_BADINDEX on error
1370
ii. Set S1 -> sealInfo -> creationPCRSelection to pcrInfo -> creationPCRSelection
1371
iii. Set S1 -> sealInfo -> releasePCRSelection to pcrInfo -> releasePCRSelection
1372
iv. Set S1 -> sealInfo -> digestAtRelease to pcrInfo -> digestAtRelease
331Level 2 Revision 116 28 February 2011
332
a
valid
TPM_PCR_INFO_LONG
63
TCG Published
structure,
return
333Copyright © TCG
334
335
TPM Main Part 3 Commands
Specification Version 1.2
1373
v. Set S1 -> sealInfo -> localityAtRelease to pcrInfo -> localityAtRelease
1374
1375
vi. Create h2 the composite hash of the TPM_STCLEAR_DATA -> PCR selected by
pcrInfo -> creationPCRSelection
1376
vii. Set S1 -> sealInfo -> digestAtCreation to h2
1377
1378
viii.
Set S1 -> sealInfo -> localityAtCreation to TPM_STANY_FLAGS ->
localityModifier
137912.Create a1 by decrypting encAuth according to the ADIP indicated by authHandle.
138013.The TPM provides NO validation of a1. Well-known values (like all zeros) are valid and
1381
possible.
138214.Create S2 a TPM_SEALED_DATA structure
1383
a. Set S2 -> payload to TPM_PT_SEAL
1384
b. Set S2 -> tpmProof to TPM_PERMANENT_DATA -> tpmProof
1385
c. Create h3 the SHA-1 of S1
1386
d. Set S2 -> storedDigest to h3
1387
e. Set S2 -> authData to a1
1388
f. Set S2 -> dataSize to inDataSize
1389
g. Set S2 -> data to inData
139015.Validate that the size of S2 can be encrypted by the key pointed to by keyHandle, return
1391
TPM_BAD_DATASIZE on error
139216.Create s3 the encryption of S2 using the key pointed to by keyHandle
139317.Set continueAuthSession to FALSE
139418.Set S1 -> encDataSize to the size of s3
139519.Set S1 -> encData to s3
139620.Return S1 as sealedData
336
337
64
Level 2 Revision 116 28 February 2011
TCG Published
338TPM Main Part 3 Commands
TCG © Copyright
339Specification Version 1.2
139710.2
TPM_Unseal
1398Start of informative comment:
1399The TPM_Unseal operation will reveal TPM_Seal’ed data only if it was encrypted on this
1400platform and the current configuration (as defined by the named PCR contents) is the one
1401named as qualified to decrypt it. Internally, TPM_Unseal accepts a data blob generated by a
1402TPM_Seal operation. TPM_Unseal decrypts the structure internally, checks the integrity of
1403the resulting data, and checks that the PCR named has the value named during TPM_Seal.
1404Additionally, the caller must supply appropriate AuthData for blob and for the key that was
1405used to seal that data.
1406If the integrity, platform configuration and authorization checks succeed, the sealed data is
1407returned to the caller; otherwise, an error is generated.
1408End of informative comment.
1409Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Unseal.
4
4
TPM_KEY_HANDLE
parentHandle
Handle of a loaded key that can unseal the data.
5
<>
TPM_STORED_DATA
inData
The encrypted data generated by TPM_Seal.
6
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for parentHandle.
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
7
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
8
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
9
20
TPM_AUTHDATA
parentAuth
The authorization session digest for inputs and parentHandle. HMAC
key: parentKey.usageAuth.
10
4
TPM_AUTHHANDLE
dataAuthHandle
The authorization session handle used to authorize inData.
#
SZ
1
#
1S
2S
SZ
4
<>
2H2
20
TPM_NONCE
dataLastNonceEven
Even nonce previously generated by TPM
11
20
3H2
20
TPM_NONCE
datanonceOdd
Nonce generated by system associated with entityAuthHandle
12
1
4H2
1
BOOL
continueDataSession
Continue usage flag for dataAuthHandle.
13
20
TPM_AUTHDATA
dataAuth
The authorization session digest for the encrypted entity. HMAC key:
entity.usageAuth.
340Level 2 Revision 116 28 February 2011
341
65
TCG Published
342Copyright © TCG
343
344
TPM Main Part 3 Commands
Specification Version 1.2
1410Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Unseal.
4
4
3S
4
UINT32
secretSize
The used size of the output area for secret
5
<>
4S
<>
BYTE[ ]
secret
Decrypted data that had been sealed
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC
key: parentKey.usageAuth.
7
1
8
20
9
20
1
11
20
TPM_NONCE
dataNonceEven
Even nonce newly generated by TPM.
3H2
10
2H2
20
TPM_NONCE
datanonceOdd
Nonce generated by system associated with dataAuthHandle
4H2
1
BOOL
continueDataSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
dataAuth
The authorization session digest used for the dataAuth session. HMAC
key: entity.usageAuth.
20
1411Actions
14121. The TPM MUST validate that parentAuth authorizes the use of the key in parentHandle,
1413
on error return TPM_AUTHFAIL
14142. If the keyUsage field of the key indicated by parentHandle does not have the value
1415
TPM_KEY_STORAGE, the TPM MUST return the error code TPM_INVALID_KEYUSAGE.
14163. The TPM MUST check that the TPM_KEY_FLAGS -> Migratable flag has the value FALSE
1417
in the key indicated by parentHandle. If not, the TPM MUST return the error code
1418
TPM_INVALID_KEYUSAGE
14194. Determine the version of inData
1420
a. If inData -> tag = TPM_TAG_STORED_DATA12
1421
i.
1422
ii. Map S2 a TPM_STORED_DATA12 structure to inData
1423
Set V1 to 2
b. Else If inData -> ver = 1.1
1424
i.
1425
ii. Map S2 a TPM_STORED_DATA structure to inData
1426
c. Else
1427
i.
Set V1 to 1
Return TPM_BAD_VERSION
14285. Create d1 by decrypting S2 -> encData using the key pointed to by parentHandle
14296. Validate d1
345
346
66
Level 2 Revision 116 28 February 2011
TCG Published
347TPM Main Part 3 Commands
TCG © Copyright
348Specification Version 1.2
1430
a. d1 MUST be a TPM_SEALED_DATA structure
1431
b. d1 -> tpmProof MUST match TPM_PERMANENT_DATA -> tpmProof
1432
c. Set S2 -> encDataSize to 0
1433
d. Set S2 -> encData to all zeros
1434
e. Create h1 the SHA-1 of S2
1435
f. d1 -> storedDigest MUST match h1
1436
g. d1 -> payload MUST be TPM_PT_SEAL
1437
h. Any failure MUST return TPM_NOTSEALED_BLOB
14387. If S2 -> sealInfoSize is not 0 then
1439
a. If V1 is 1 then
1440
i.
1441
1442
ii. Create h2 the composite hash of the PCR selected by S2 -> pcrInfo ->
pcrSelection
1443
Validate that S2 -> pcrInfo is a valid TPM_PCR_INFO structure
b. If V1 is 2 then
1444
i.
1445
1446
ii. Create h2 the composite hash of the TPM_STCLEAR_DATA -> PCR selected by
S2 -> pcrInfo -> releasePCRSelection
1447
1448
iii. Check that S2 -> pcrInfo -> localityAtRelease for TPM_STANY_DATA ->
localityModifier is TRUE
1449
1450
(1)
For example if TPM_STANY_DATA -> localityModifier was 2 then S2 ->
pcrInfo -> localityAtRelease -> TPM_LOC_TWO would have to be TRUE
1451
1452
Validate that S2 -> pcrInfo is a valid TPM_PCR_INFO_LONG structure
c. Compare h2 with
TPM_WRONGPCRVAL
S2
->
pcrInfo
->
digestAtRelease,
on
mismatch
return
14538. The TPM MUST validate authorization to use d1 by checking that the HMAC calculation
1454
using d1 -> authData as the shared secret matches the dataAuth. Return
1455
TPM_AUTHFAIL on mismatch.
14569. If V1 is 2 and S2 -> et specifies encryption (i.e. is not all zeros) then
1457
a. If tag is not TPM_TAG_RQU_AUTH2_COMMAND, return TPM_AUTHFAIL
1458
1459
b. Verify that the authHandle session type is TPM_PID_OSAP or TPM_PID_DSAP, return
TPM_BAD_MODE on error.
1460
c. If the MSB of S2 -> et is TPM_ET_XOR
1461
1462
1463
i. Use MGF1 to create string X1 of length sealedDataSize. The inputs to MGF1
are; authLastnonceEven, nonceOdd, “XOR”, and authHandle -> sharedSecret. The
four concatenated values form the Z value that is the seed for MFG1.
1464
ii. Create o1 by XOR of d1 -> data and X1
1465
d. Else
349Level 2 Revision 116 28 February 2011
350
67
TCG Published
351Copyright © TCG
352
353
TPM Main Part 3 Commands
Specification Version 1.2
1466
1467
i. Create o1 by encrypting d1 -> data using the algorithm indicated by inData ->
et
1468
ii. Key is from authHandle -> sharedSecret
1469
iii. IV is SHA-1 of (authLastNonceEven || nonceOdd)
1470
e. Set continueAuthSession to FALSE
147110.else
1472
a. Set o1 to d1 -> data
147311.Set the return secret as o1
147412.Return TPM_SUCCESS
354
355
68
Level 2 Revision 116 28 February 2011
TCG Published
356TPM Main Part 3 Commands
TCG © Copyright
357Specification Version 1.2
147510.3
TPM_UnBind
1476Start of informative comment:
1477TPM_UnBind takes the data blob that is the result of a Tspi_Data_Bind command and
1478decrypts it for export to the User. The caller must authorize the use of the key that will
1479decrypt the incoming blob.
1480TPM_UnBind operates on a block-by-block basis, and has no notion of any relation between
1481one block and another.
1482End of informative comment.
1483Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_UnBind.
4
4
TPM_KEY_HANDLE
keyHandle
The keyHandle identifier of a loaded key that can perform UnBind
operations.
5
4
2S
4
UINT32
inDataSize
The size of the input blob
6
<>
3S
<>
BYTE[ ]
inData
Encrypted blob to be decrypted
7
4
TPM_AUTHHANDLE
authHandle
The handle used for keyHandle authorization
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
9
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
10
20
TPM_AUTHDATA
privAuth
The authorization session digest that authorizes the inputs and use of
keyHandle. HMAC key: key.usageAuth.
358Level 2 Revision 116 28 February 2011
359
69
TCG Published
360Copyright © TCG
361
362
TPM Main Part 3 Commands
Specification Version 1.2
1484Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_UnBind
4
4
3S
4
UINT32
outDataSize
The length of the returned decrypted data
5
<>
4S
<>
BYTE[ ]
outData
The resulting decrypted data.
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
key.usageAuth.
7
1
8
20
1485Description
1486TPM_UnBind SHALL operate on a single block only.
1487Actions
1488The TPM SHALL perform the following:
14891. If the inDataSize is 0 the TPM returns TPM_BAD_PARAMETER
14902. Validate the AuthData to use the key pointed to by keyHandle
14913. If the keyUsage field of the key referenced by keyHandle does not have the value
1492
TPM_KEY_BIND or TPM_KEY_LEGACY, the TPM must return the error code
1493
TPM_INVALID_KEYUSAGE
14944. Decrypt the inData using the key pointed to by keyHandle
14955. if (keyHandle -> encScheme does not equal TPM_ES_RSAESOAEP_SHA1_MGF1) and
1496
(keyHandle -> keyUsage equals TPM_KEY_LEGACY),
1497
1498
a. The payload does not have TPM specific markers to validate, so no consistency check
can be performed.
1499
1500
b. Set the output parameter outData to the value of the decrypted value of inData.
(Padding associated with the encryption wrapping of inData SHALL NOT be returned.)
1501
1502
c. Set the output parameter outDataSize to the size of outData, as deduced from the
decryption process.
15036. else
1504
1505
a. Interpret the decrypted data under the assumption that it is a TPM_BOUND_DATA
structure, and validate that the payload type is TPM_PT_BIND
1506
1507
1508
b. Set the output parameter outData to the value of TPM_BOUND_DATA ->
payloadData. (Other parameters of TPM_BOUND_DATA SHALL NOT be returned.
Padding associated with the encryption wrapping of inData SHALL NOT be returned.)
363
364
70
Level 2 Revision 116 28 February 2011
TCG Published
365TPM Main Part 3 Commands
TCG © Copyright
366Specification Version 1.2
1509
1510
c. Set the output parameter outDataSize to the size of outData, as deduced from the
decryption process and the interpretation of TPM_BOUND_DATA.
15117. Return the output parameters.
367Level 2 Revision 116 28 February 2011
368
71
TCG Published
369Copyright © TCG
370
371
151210.4
TPM Main Part 3 Commands
Specification Version 1.2
TPM_CreateWrapKey
1513Start of informative comment:
1514The TPM_CreateWrapKey command both generates and creates a secure storage bundle for
1515asymmetric keys.
1516The newly created key can be locked to a specific PCR value by specifying a set of PCR
1517registers.
1518The key blob does not have a protected identifier. On a platform that does not prevent
1519unauthorized access to data, a key blob can be exchanged by a lower layer without
1520detection. The upper layer software must take additional measures to protect the relation
1521between its identifier of the key blob and the blob itself.
1522End of informative comment.
1523Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CreateWrapKey
4
4
TPM_KEY_HANDLE
parentHandle
Handle of a loaded key that can perform key wrapping.
5
20
2S
20
TPM_ENCAUTH
dataUsageAuth
Encrypted usage AuthData for the key.
6
20
3S
20
TPM_ENCAUTH
dataMigrationAuth
Encrypted migration AuthData for the key.
7
<>
4S
<>
TPM_KEY
keyInfo
Information about key to be created, pubkey.keyLength and
keyInfo.encData elements are 0. MAY be TPM_KEY12
8
4
TPM_AUTHHANDLE
authHandle
parent key authorization. Must be an OSAP session.
#
SZ
1
#
SZ
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
9
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
10
1
4H1
1
BOOL
continueAuthSession
Ignored
11
20
TPM_AUTHDATA
pubAuth
Authorization HMAC key: parentKey.usageAuth.
1524Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CreateWrapKey
4
<>
3S
<>
TPM_KEY
wrappedKey
The TPM_KEY structure which includes the public and encrypted private
key. MAY be TPM_KEY12
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, fixed at FALSE
6
372
373
1
72
Level 2 Revision 116 28 February 2011
TCG Published
374TPM Main Part 3 Commands
TCG © Copyright
375Specification Version 1.2
7
20
TPM_AUTHDATA
376Level 2 Revision 116 28 February 2011
377
resAuth
73
TCG Published
Authorization HMAC key: parentKey.usageAuth.
378Copyright © TCG
379
380
TPM Main Part 3 Commands
Specification Version 1.2
1525 Actions
1526The TPM SHALL do the following:
15271. Validate the AuthData to use the key pointed to by parentHandle. Return
1528
TPM_AUTHFAIL on any error.
15292. Validate the session type for parentHandle is OSAP.
15303. If the TPM is not designed to create a key of the type requested in keyInfo, return the
1531
error code TPM_BAD_KEY_PROPERTY
15324. Verify that parentHandle->keyUsage equals TPM_KEY_STORAGE
15335. If parentHandle -> keyFlags -> migratable is TRUE and keyInfo -> keyFlags -> migratable
1534
is FALSE then return TPM_INVALID_KEYUSAGE
15356. Validate key parameters
1536
1537
a. keyInfo
->
keyUsage
MUST
NOT
be
TPM_KEY_IDENTITY
TPM_KEY_AUTHCHANGE. If it is, return TPM_INVALID_KEYUSAGE
1538
1539
b. If
keyInfo
->
keyFlags
TPM_INVALID_KEYUSAGE
->
migrateAuthority
is
TRUE
then
or
return
15407. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then
1541
a. If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS
1542
b. If keyInfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS
1543
c. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS
15448. If keyInfo -> keyUsage equals TPM_KEY_STORAGE or TPM_KEY_MIGRATE
1545
i.
1546
ii. encScheme MUST be TPM_ES_RSAESOAEP_SHA1_MGF1
1547
iii. sigScheme MUST be TPM_SS_NONE
1548
iv. key size MUST be 2048
1549
v. exponentSize MUST be 0
algorithmID MUST be TPM_ALG_RSA
15509. Determine the version of key
1551
a. If keyInfo -> ver is 1.1
1552
i.
1553
ii. Map wrappedKey to a TPM_KEY structure
1554
iii. Validate all remaining TPM_KEY structures
1555
Set V1 to 1
b. Else if keyInfo -> tag is TPM_TAG_KEY12
1556
i.
1557
ii. Map wrappedKey to a TPM_KEY12 structure
1558
iii. Validate all remaining TPM_KEY12 structures
381
382
Set V1 to 2
74
Level 2 Revision 116 28 February 2011
TCG Published
383TPM Main Part 3 Commands
TCG © Copyright
384Specification Version 1.2
155910.Create DU1 by decrypting dataUsageAuth according to the ADIP indicated by
1560
authHandle
156111.Create DM1 by decrypting dataMigrationAuth according to the ADIP indicated by
1562
authHandle
156312.Set continueAuthSession to FALSE
156413.Generate asymmetric key according to algorithm information in keyInfo
156514.Fill in the wrappedKey structure with information from the newly generated key.
1566
a. Set wrappedKey -> encData -> usageAuth to DU1
1567
1568
b. If the KeyFlags -> migratable bit is set to 1, the wrappedKey -> encData ->
migrationAuth SHALL contain the decrypted value from dataMigrationAuth.
1569
1570
c. If the KeyFlags -> migratable bit is set to 0, the wrappedKey -> encData ->
migrationAuth SHALL be set to the value tpmProof
157115.If keyInfo->PCRInfoSize is non-zero
1572
1573
1574
a. If V1 is 1
i. Set wrappedKey -> pcrInfo to a TPM_PCR_INFO structure using the
pcrSelection to indicate the PCR’s in use
1575
b. Else
1576
i.
1577
c. Set wrappedKey -> pcrInfo to keyInfo -> pcrInfo
Set wrappedKey -> pcrInfo to a TPM_PCR_INFO_LONG structure
1578
1579
d. Set wrappedKey -> digestAtCreation to the TPM_COMPOSITE_HASH indicated by
creationPCRSelection
1580
e. If V1 is 2 set wrappedKey -> localityAtCreation to TPM_STANY_DATA -> locality
158116.Encrypt the private portions of the wrappedKey structure using the key in parentHandle
158217.Return the newly generated key in the wrappedKey parameter
385Level 2 Revision 116 28 February 2011
386
75
TCG Published
387Copyright © TCG
388
389
158310.5
TPM Main Part 3 Commands
Specification Version 1.2
TPM_LoadKey2
1584Start of informative comment:
1585Before the TPM can use a key to either wrap, unwrap, unbind, seal, unseal, sign or perform
1586any other action, it needs to be present in the TPM. The TPM_LoadKey2 function loads the
1587key into the TPM for further use.
1588The TPM assigns the key handle. The TPM always locates a loaded key by use of the handle.
1589The assumption is that the handle may change due to key management operations. It is the
1590responsibility of upper level software to maintain the mapping between handle and any
1591label used by external software.
1592To permit this mapping between handle and upper software labels (called key handle
1593virtualization), the key handle returned by TPM_LoadKey2 must not be included in the
1594response HMAC. This may cause problems if several keys are authorized using the same
1595authorization data. Care should be taken to assign different authorization data to each key.
1596This command has the responsibility of enforcing restrictions on the use of keys. For
1597example, when attempting to load a STORAGE key it will be checked for the restrictions on
1598a storage key (2048 size etc.).
1599The load command must maintain a record of whether any previous key in the key
1600hierarchy was bound to a PCR using parentPCRStatus.
1601The flag parentPCRStatus enables the possibility of checking that a platform passed
1602through some particular state or states before finishing in the current state. A grandparent
1603key could be linked to state-1, a parent key could linked to state-2, and a child key could be
1604linked to state-3, for example. The use of the child key then indicates that the platform
1605passed through states 1 and 2 and is currently in state 3, in this example. TPM_Startup
1606with stType == TPM_ST_CLEAR indicates that the platform has been reset, so the platform
1607has not passed through the previous states. Hence keys with parentPCRStatus==TRUE
1608must be unloaded if TPM_Startup is issued with stType == TPM_ST_CLEAR.
1609If a TPM_KEY structure has been decrypted AND the integrity test using "pubDataDigest"
1610has passed AND the key is non-migratory, the key must have been created by the TPM. So
1611there is every reason to believe that the key poses no security threat to the TPM. While there
1612is no known attack from a rogue migratory key, there is a desire to verify that a loaded
1613migratory key is a real key, arising from a general sense of unease about execution of
1614arbitrary data as a key. Ideally a consistency check would consist of an encrypt/decrypt
1615cycle, but this may be expensive. For RSA keys, it is therefore suggested that the
1616consistency test consists of dividing the supposed RSA product by the supposed RSA prime,
1617and checking that there is no remainder.
1618End of informative comment.
390
391
76
Level 2 Revision 116 28 February 2011
TCG Published
392TPM Main Part 3 Commands
TCG © Copyright
393Specification Version 1.2
1619Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadKey2.
4
4
TPM_KEY_HANDLE
parentHandle
TPM handle of parent key.
5
<>
TPM_KEY
inKey
Incoming key structure, both encrypted private and clear public portions.
MAY be TPM_KEY12
6
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for parentHandle authorization.
#
SZ
1
#
SZ
1S
2S
4
<>
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
7
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
8
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
9
20
TPM_AUTHDATA
parentAuth
The authorization session digest for inputs and parentHandle. HMAC key:
parentKey.usageAuth.
Type
Name
Description
1620Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
20
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadKey2
TPM_KEY_HANDLE
inkeyHandle
Internal TPM handle where decrypted key was loaded.
4
5
4
2S
4
1S
1
7
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
6
2H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
parentKey.usageAuth.
20
1621Actions
1622The TPM SHALL perform the following steps:
16231. Validate the command and the parameters using parentAuth and parentHandle ->
1624
usageAuth
16252. If
parentHandle
->
1626
TPM_INVALID_KEYUSAGE
keyUsage
is
NOT
TPM_KEY_STORAGE
return
16273. If the TPM is not designed to operate on a key of the type specified by inKey, return the
1628
error code TPM_BAD_KEY_PROPERTY
16294. The TPM MUST handle both TPM_KEY and TPM_KEY12 structures
16305. Decrypt the inKey -> privkey to obtain TPM_STORE_ASYMKEY structure using the key
1631
in parentHandle
394Level 2 Revision 116 28 February 2011
395
77
TCG Published
396Copyright © TCG
397
398
TPM Main Part 3 Commands
Specification Version 1.2
16326. Validate the integrity of inKey and decrypted TPM_STORE_ASYMKEY
1633
1634
a. Reproduce inKey -> TPM_STORE_ASYMKEY -> pubDataDigest using the fields of
inKey, and check that the reproduced value is the same as pubDataDigest
16357. Validate the consistency of the key and it’s key usage.
1636
1637
1638
1639
1640
1641
a. If inKey -> keyFlags -> migratable is TRUE, the TPM SHALL verify consistency of the
public and private components of the asymmetric key pair. If inKey -> keyFlags ->
migratable is FALSE, the TPM MAY verify consistency of the public and private
components of the asymmetric key pair. The consistency of an RSA key pair MAY be
verified by dividing the supposed (P*Q) product by a supposed prime and checking that
there is no remainder.
1642
1643
b. If inKey -> keyUsage is TPM_KEY_IDENTITY, verify that inKey->keyFlags->migratable
is FALSE. If it is not, return TPM_INVALID_KEYUSAGE
1644
c. If inKey -> keyUsage is TPM_KEY_AUTHCHANGE, return TPM_INVALID_KEYUSAGE
1645
1646
d. If inKey -> keyFlags -> migratable equals 0 then verify that TPM_STORE_ASYMKEY
-> migrationAuth equals TPM_PERMANENT_DATA -> tpmProof
1647
e. Validate the mix of encryption and signature schemes
1648
f. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then
1649
i.
1650
1651
ii. If keyInfo
TPM_NOTFIPS
1652
iii. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS
1653
If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS
->
authDataUsage
specifies
TPM_AUTH_NEVER
return
g. If inKey -> keyUsage is TPM_KEY_STORAGE or TPM_KEY_MIGRATE
1654
i.
1655
ii. Key size MUST be 2048
1656
iii. exponentSize MUST be 0
1657
iv. sigScheme MUST be TPM_SS_NONE
1658
algorithmID MUST be TPM_ALG_RSA
h. If inKey -> keyUsage is TPM_KEY_IDENTITY
1659
i.
1660
ii. Key size MUST be 2048
1661
iii. exponentSize MUST be 0
1662
iv. encScheme MUST be TPM_ES_NONE
1663
i.
1664
1665
1666
If the decrypted inKey -> pcrInfo is NULL,
i. The TPM MUST set the internal indicator to indicate that the key is not using
any PCR registers.
j.
1667
1668
399
400
algorithmID MUST be TPM_ALG_RSA
Else
i. The TPM MUST store pcrInfo in a manner that allows the TPM to calculate a
composite hash whenever the key will be in use
78
Level 2 Revision 116 28 February 2011
TCG Published
401TPM Main Part 3 Commands
TCG © Copyright
402Specification Version 1.2
1669
1670
ii. The TPM MUST handle both version 1.1 TPM_PCR_INFO and 1.2
TPM_PCR_INFO_LONG structures according to the type of TPM_KEY structure
1671
1672
1673
(1)
The TPM MUST validate the TPM_PCR_INFO or TPM_PCR_INFO_LONG
structures for legal values.
However, the digestAtRelease and
localityAtRelease are not validated for authorization until use time.
16748. Perform any processing necessary to make TPM_STORE_ASYMKEY key available for
1675
operations
16769. Load key and key information into internal memory of the TPM. If insufficient memory
1677
exists return error TPM_NOSPACE.
167810.Assign inKeyHandle according to internal TPM rules.
167911.Set InKeyHandle -> parentPCRStatus to parentHandle -> parentPCRStatus.
168012.If parentHandle indicates that it is using PCR registers, then set inKeyHandle ->
1681
parentPCRStatus to TRUE.
403Level 2 Revision 116 28 February 2011
404
79
TCG Published
405Copyright © TCG
406
407
10.6
1682
TPM Main Part 3 Commands
Specification Version 1.2
TPM_GetPubKey
1683Start of informative comment:
1684The owner of a key may wish to obtain the public key value from a loaded key. This
1685information may have privacy concerns so the command must have authorization from the
1686key owner.
1687End of informative comment.
1688Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetPubKey.
4
4
TPM_KEY_HANDLE
keyHandle
TPM handle of key.
5
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle authorization.
#
SZ
1
#
SZ
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
7
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
8
20
TPM_AUTHDATA
keyAuth
Authorization HMAC key: key.usageAuth.
Type
Name
Description
6
1689Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetPubKey.
4
<>
3S
<>
TPM_PUBKEY
pubKey
Public portion of key in keyHandle.
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
Authorization. HMAC key: key.usageAuth.
6
1
7
20
1690Actions
1691The TPM SHALL perform the following steps:
16921. If tag = TPM_TAG_RQU_AUTH1_COMMAND then
1693
1694
a. Validate the command parameters using keyHandle -> usageAuth, on error return
TPM_AUTHFAIL
16952. Else
408
409
80
Level 2 Revision 116 28 February 2011
TCG Published
410TPM Main Part 3 Commands
TCG © Copyright
411Specification Version 1.2
1696
1697
a. Verify that keyHandle -> authDataUsage is TPM_NO_READ_PUBKEY_AUTH
TPM_AUTH_NEVER, on error return TPM_AUTHFAIL
or
16983. If keyHandle == TPM_KH_SRK then
1699
1700
a. If
TPM_PERMANENT_FLAGS
TPM_INVALID_KEYHANDLE
->
readSRKPub
is
FALSE
then
return
17014. If keyHandle -> pcrInfoSize is not 0
1702
a. If keyHandle -> keyFlags has pcrIgnoredOnRead set to FALSE
1703
1704
i. Create a digestAtRelease according to the specified PCR registers and compare
to keyHandle -> digestAtRelease and if a mismatch return TPM_WRONGPCRVAL
1705
ii. If specified validate any locality requests
17065. Create a TPM_PUBKEY structure and return
412Level 2 Revision 116 28 February 2011
413
81
TCG Published
414Copyright © TCG
415
416
170710.7
TPM Main Part 3 Commands
Specification Version 1.2
TPM_Sealx
1708Start of informative comment:
1709The TPM_Sealx command works exactly like the TPM_Seal command with the additional
1710requirement of encryption for the inData parameter. This command also places in the
1711sealed blob the information that the TPM_Unseal also requires encryption.
1712TPM_Sealx requires the use of 1.2 data structures. The actions are the same as TPM_Seal
1713without the checks for 1.1 data structure usage.
1714The method of incrementing the symmetric key counter value is different from that used by
1715some standard crypto libraries (e.g. openSSL, Java JCE) that increment the entire counter
1716value. TPM users should be aware of this to avoid errors when the counter wraps.
1717End of informative comment.
1718Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Sealx
4
4
TPM_KEY_HANDLE
keyHandle
Handle of a loaded key that can perform seal operations.
5
20
2S
20
TPM_ENCAUTH
encAuth
The encrypted AuthData for the sealed data.
6
4
3S
4
UINT32
pcrInfoSize
The size of the pcrInfo parameter. If 0 there are no PCR registers in use
7
<>
4S
<>
TPM_PCR_INFO
pcrInfo
MUST use TPM_PCR_INFO_LONG.
8
4
5S
4
UINT32
inDataSize
The size of the inData parameter
9
<>
6S
<>
BYTE[ ]
inData
The data to be sealed to the platform and any specified PCRs
10
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle authorization.
Must be an OSAP session for this command.
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
11
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
12
1
4H1
1
BOOL
continueAuthSession
Ignored
13
417
418
20
20
TPM_AUTHDATA
pubAuth
The authorization session digest for inputs and keyHandle. HMAC key: key.usageAuth.
82
Level 2 Revision 116 28 February 2011
TCG Published
419TPM Main Part 3 Commands
TCG © Copyright
420Specification Version 1.2
1719Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Sealx
4
<>
3S
4
TPM_STORED_DATA
sealedData
Encrypted, integrity-protected data object that is the result of the TPM_Sealx operation.
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, fixed value of FALSE
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
key.usageAuth.
6
1
7
20
1720Actions
17211. Validate the authorization to use the key pointed to by keyHandle
17222. If the inDataSize is 0 the TPM returns TPM_BAD_PARAMETER
17233. If the keyUsage field of the key indicated by keyHandle does not have the value
1724
TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE.
17254. If the keyHandle points to a migratable key then the TPM MUST return the error code
1726
TPM_INVALID_KEY_USAGE.
17275. Create S1 a TPM_STORED_DATA12 structure
17286. Set S1 -> encDataSize to 0
17297. Set S1 -> encData to all zeros
17308. Set S1 -> sealInfoSize to pcrInfoSize
17319. If pcrInfoSize is not 0 then
1732
1733
a. Validate pcrInfo as a valid TPM_PCR_INFO_LONG structure, return TPM_BADINDEX
on error
1734
b. Set S1 -> sealInfo -> creationPCRSelection to pcrInfo -> creationPCRSelection
1735
c. Set S1 -> sealInfo -> releasePCRSelection to pcrInfo -> releasePCRSelection
1736
d. Set S1 -> sealInfo -> digestAtRelease to pcrInfo -> digestAtRelease
1737
e. Set S1 -> sealInfo -> localityAtRelease to pcrInfo -> localityAtRelease
1738
1739
f. Create h2 the composite hash of the TPM_STCLEAR_DATA -> PCR selected by
pcrInfo -> creationPCRSelection
1740
g. Set S1 -> sealInfo -> digestAtCreation to h2
1741
h. Set S1 -> sealInfo -> localityAtCreation to TPM_STANY_DATA -> localityModifier
174210.Create S2 a TPM_SEALED_DATA structure
421Level 2 Revision 116 28 February 2011
422
83
TCG Published
423Copyright © TCG
424
425
TPM Main Part 3 Commands
Specification Version 1.2
174311.Create a1 by decrypting encAuth according to the ADIP indicated by authHandle.
1744
a. If authHandle indicates XOR encryption for the AuthData secrets
1745
i.
1746
1747
(1) TPM_ET_KEY is added because TPM_Unseal uses zero as a special value
indicating no encryption.
1748
b. Else
1749
i.
Set S1 -> et to TPM_ET_XOR || TPM_ET_KEY
Set S1 -> et to the algorithm indicated by authHandle
175012.The TPM provides NO validation of a1. Well-known values (like all zeros) are valid and
1751
possible.
175213.If authHandle indicates XOR encryption
1753
1754
1755
a. Use MGF1 to create string X2 of length inDataSize. The inputs to MGF1 are;
authLastNonceEven, nonceOdd, “XOR”, and authHandle -> sharedSecret. The four
concatenated values form the Z value that is the seed for MFG1.
1756
b. Create o1 by XOR of inData and X2
175714.Else
1758
a. Create o1 by decrypting inData using the algorithm indicated by authHandle
1759
b. Key is from authHandle -> sharedSecret
1760
c. CTR is SHA-1 of (authLastNonceEven || nonceOdd)
176115.Create S2 a TPM_SEALED_DATA structure
1762
a. Set S2 -> payload to TPM_PT_SEAL
1763
b. Set S2 -> tpmProof to TPM_PERMANENT_DATA -> tpmProof
1764
c. Create h3 the SHA-1 of S1
1765
d. Set S2 -> storedDigest to h3
1766
e. Set S2 -> authData to a1
1767
f. Set S2 -> dataSize to inDataSize
1768
g. Set S2 -> data to o1
176916.Validate that the size of S2 can be encrypted by the key pointed to by keyHandle, return
1770
TPM_BAD_DATASIZE on error
177117.Create s3 the encryption of S2 using the key pointed to by keyHandle
177218.Set continueAuthSession to FALSE
177319.Set S1 -> encDataSize to the size of s3
177420.Set S1 -> encData to s3
177521.Return S1 as sealedData
426
427
84
Level 2 Revision 116 28 February 2011
TCG Published
428TPM Main Part 3 Commands
TCG © Copyright
429Specification Version 1.2
177611.
Migration
1777Start of informative comment:
1778The migration of a key from one TPM to another is a vital aspect to many use models of the
1779TPM. The migration commands are the commands that allow this operation to occur.
1780There are two types of migratable keys, the version 1.1 migratable keys and the version 1.2
1781certifiable migratable keys.
1782End of informative comment.
178311.1
TPM_CreateMigrationBlob
1784Start of informative comment:
1785The TPM_CreateMigrationBlob command implements the first step in the process of moving
1786a migratable key to a new parent or platform. Execution of this command requires
1787knowledge of the migrationAuth field of the key to be migrated.
1788Migrate mode is generally used to migrate keys from one TPM to another for backup,
1789upgrade or to clone a key on another platform. To do this, the TPM needs to create a data
1790blob that another TPM can deal with. This is done by loading in a backup public key that
1791will be used by the TPM to create a new data blob for a migratable key.
1792The TPM Owner does the selection and authorization of migration public keys at any time
1793prior
to
the
execution
of
TPM_CreateMigrationBlob
by
performing
the
1794TPM_AuthorizeMigrationKey command.
1795IReWrap mode is used directly to move the key to a new parent (on either this platform or
1796another). The TPM simply re-encrypts the key using a new parent, and outputs a normal
1797encrypted element that can be subsequently used by a TPM_LoadKey command.
1798TPM_CreateMigrationBlob implicitly cannot be used to migrate a non-migratory key. No
1799explicit check is required. Only the TPM knows tpmProof. Therefore, it is impossible for the
1800caller to submit an AuthData value equal to tpmProof and migrate a non-migratory key.
1801End of informative comment.
430Level 2 Revision 116 28 February 2011
431
85
TCG Published
432Copyright © TCG
433
434
TPM Main Part 3 Commands
Specification Version 1.2
1802Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CreateMigrationBlob
4
4
TPM_KEY_HANDLE
parentHandle
Handle of the parent key that can decrypt encData.
5
2
2S
2
TPM_MIGRATE_SCHEME
migrationType
The migration type, either MIGRATE or REWRAP
6
<>
3S
<>
TPM_MIGRATIONKEYAUTH
migrationKeyAuth
Migration public key and its authorization session digest.
7
4
4S
4
UINT32
encDataSize
The size of the encData parameter
8
<>
5S
<>
BYTE[ ]
encData
The encrypted entity that is to be modified.
9
4
TPM_AUTHHANDLE
parentAuthHandle
The authorization session handle used for the parent key.
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with parentAuthHandle
11
1
4H1
1
BOOL
continueAuthSession
Continue use flag for parent session
12
20
20
TPM_AUTHDATA
parentAuth
Authorization HMAC key: parentKey.usageAuth.
13
4
10
TPM_AUTHHANDLE
entityAuthHandle
The authorization session handle used for the encrypted entity.
2H2
20
TPM_NONCE
entitylastNonceEven
Even nonce previously generated by TPM
14
20
3H2
20
TPM_NONCE
entitynonceOdd
Nonce generated by system associated with entityAuthHandle
15
1
4H2
1
BOOL
continueEntitySession
Continue use flag for entity session
16
20
TPM_AUTHDATA
entityAuth
Authorization HMAC key: entity.migrationAuth.
1803
435
436
86
Level 2 Revision 116 28 February 2011
TCG Published
437TPM Main Part 3 Commands
TCG © Copyright
438Specification Version 1.2
1804Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CreateMigrationBlob
4
4
3S
4
UINT32
randomSize
The used size of the output area for random
5
<>
4S
<>
BYTE[ ]
random
String used for xor encryption
6
4
5S
4
UINT32
outDataSize
The used size of the output area for outData
7
<>
6S
<>
BYTE[ ]
outData
The modified, encrypted entity.
8
20
3H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
4H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with parentAuthHandle
5H1
1
BOOL
continueAuthSession
Continue use flag for parent key session
20
TPM_AUTHDATA
resAuth
Authorization. HMAC key: parentKey.usageAuth.
3H2
20
TPM_NONCE
entityNonceEven
Even nonce newly generated by TPM to cover entity
4H2
20
TPM_NONCE
entitynonceOdd
Nonce generated by system associated with entityAuthHandle
5 H2
1
BOOL
continueEntitySession
Continue use flag for entity session
TPM_AUTHDATA
entityAuth
Authorization HMAC key: entity.migrationAuth.
9
1
10
20
11
20
12
1
13
20
1805Description
1806The TPM does not check the PCR values when migrating values locked to a PCR.
1807The second authorization session (using entityAuth) MUST be OIAP because OSAP does not
1808have a suitable entityType
1809Actions
18101. Validate that parentAuth authorizes the use of the key pointed to by parentHandle.
18112. Validate that parentHandle -> keyUsage is TPM_KEY_STORAGE, if not return
1812
TPM_INVALID_KEYUSAGE
18133. Create d1 a TPM_STORE_ASYMKEY structure by decrypting encData using the key
1814
pointed to by parentHandle.
1815
a. Verify that d1 -> payload is TPM_PT_ASYM.
18164. Validate that entityAuth authorizes the migration of d1. The validation MUST use d1 ->
1817
migrationAuth as the secret.
18185. Validate that migrationKeyAuth -> digest is the SHA-1 hash of (migrationKeyAuth ->
1819
migrationKey || migrationKeyAuth -> migrationScheme || TPM_PERMANENT_DATA ->
1820
tpmProof).
18216. If migrationType == TPM_MS_MIGRATE the TPM SHALL perform the following actions:
1822
a. Build two byte arrays, K1 and K2:
439Level 2 Revision 116 28 February 2011
440
87
TCG Published
441Copyright © TCG
442
443
TPM Main Part 3 Commands
Specification Version 1.2
1823
1824
i. K1 = d1.privKey[0..19] (d1.privKey.keyLength + 16 bytes of d1.privKey.key),
sizeof(K1) = 20
1825
ii. K2 = d1.privKey[20..131] (position 16-127 of d1 . privKey.key), sizeof(K2) = 112
1826
b. Build M1 a TPM_MIGRATE_ASYMKEY structure
1827
i.
1828
ii. TPM_MIGRATE_ASYMKEY.usageAuth = d1.usageAuth
1829
iii. TPM_MIGRATE_ASYMKEY.pubDataDigest = d1. pubDataDigest
1830
iv. TPM_MIGRATE_ASYMKEY.partPrivKeyLen = 112 – 127.
1831
v. TPM_MIGRATE_ASYMKEY.partPrivKey = K2
1832
1833
TPM_MIGRATE_ASYMKEY.payload = TPM_PT_MIGRATE
c. Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the
OAEP encoding of m using OAEP parameters of
1834
i.
1835
ii. pHash = d1->migrationAuth
1836
iii. seed = s1 = K1
m = M1 the TPM_MIGRATE_ASYMKEY structure
1837
1838
d. Create r1 a random value from the TPM RNG. The size of r1 MUST be the size of o1.
Return r1 in the Random parameter.
1839
e. Create x1 by XOR of o1 with r1
1840
f. Copy r1 into the output field “random”.
1841
g. Encrypt x1 with the migration public key included in migrationKeyAuth.
18427. If migrationType == TPM_MS_REWRAP the TPM SHALL perform the following actions:
1843
1844
a. Rewrap the key using the public key in migrationKeyAuth, keeping the existing
contents of that key.
1845
b. Set randomSize to 0 in the output parameter array
18468. Else
1847
444
445
a. Return TPM_BAD_PARAMETER
88
Level 2 Revision 116 28 February 2011
TCG Published
446TPM Main Part 3 Commands
TCG © Copyright
447Specification Version 1.2
184811.2
TPM_ConvertMigrationBlob
1849Start of informative comment:
1850This command takes a migration blob and creates a normal wrapped blob. The migrated
1851blob must be loaded into the TPM using the normal TPM_LoadKey function.
1852Note that the command migrates private keys, only. The migration of the associated public
1853keys is not specified by TPM because they are not security sensitive. Migration of the
1854associated public keys may be specified in a platform specific specification. A TPM_KEY
1855structure must be recreated before the migrated key can be used by the target TPM in a
1856TPM_LoadKey command.
1857End of informative comment.
1858Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ConvertMigrationBlob.
4
4
TPM_KEY_HANDLE
parentHandle
Handle of a loaded key that can decrypt keys.
5
4
2S
4
UINT32
inDataSize
Size of inData
6
<>
3S
<>
BYTE [ ]
inData
The XOR’d and encrypted key
7
4
4S
4
UINT32
randomSize
Size of random
8
<>
5S
<>
BYTE [ ]
random
Random value used to hide key data.
9
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle.
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
10
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
11
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
12
20
TPM_AUTHDATA
parentAuth
The authorization session digest that authorizes the inputs and the
migration of the key in parentHandle. HMAC key: parentKey.usageAuth
1859
448Level 2 Revision 116 28 February 2011
449
89
TCG Published
450Copyright © TCG
451
452
TPM Main Part 3 Commands
Specification Version 1.2
1860Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ConvertMigrationBlob
4
4
3S
4
UINT32
outDataSize
The used size of the output area for outData
5
<>
4S
<>
BYTE[ ]
outData
The encrypted private key that can be loaded with TPM_LoadKey
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
parentKey.usageAuth
7
1
8
20
1861Action
1862The TPM SHALL perform the following:
18631. Validate the AuthData to use the key in parentHandle
18642. If the keyUsage field of the key referenced by parentHandle does not have the value
1865
TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE
18663. Create d1 by decrypting the inData area using the key in parentHandle
18674. Create o1 by XOR d1 and random parameter
18685. Create m1 a TPM_MIGRATE_ASYMKEY structure, seed and pHash by OAEP decoding o1
18696. Create k1 by combining seed and the TPM_MIGRATE_ASYMKEY -> partPrivKey field
18707. Create d2 a TPM_STORE_ASYMKEY structure
1871
a.
1872
b. Set d2 -> payload = TPM_PT_ASYM
1873
c. Set d2 -> usageAuth to m1 -> usageAuth
1874
d. Set d2 -> migrationAuth to pHash
1875
e. Set d2 -> pubDataDigest to m1 -> pubDataDigest
1876
f. Set d2 -> privKey field to k1
Verify that m1 -> payload == TPM_PT_MIGRATE
18778. Create outData using the key in parentHandle to perform the encryption
453
454
90
Level 2 Revision 116 28 February 2011
TCG Published
455TPM Main Part 3 Commands
TCG © Copyright
456Specification Version 1.2
187811.3
TPM_AuthorizeMigrationKey
1879Start of informative comment:
1880This command creates an authorization blob, to allow the TPM owner to specify which
1881migration facility they will use and allow users to migrate information without further
1882involvement with the TPM owner.
1883It is the responsibility of the TPM Owner to determine whether migrationKey is appropriate
1884for migration. The TPM checks just the cryptographic strength of migrationKey.
1885End of informative comment.
1886Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_AuthorizeMigrationKey
4
2
2S
2
TPM_MIGRATE_SCHEME
migrationScheme
Type of migration operation that is to be permitted for this key.
4
<>
3S
<>
TPM_PUBKEY
migrationKey
The public key to be authorized.
5
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
6
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
7
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
8
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner authorization.
HMAC key: ownerAuth.
1887Outgoing Operands and Sizes
PARAM
#
SZ
1
4
3
4
#
SZ
Type
Name
Description
TPM_TAG
2
2
HMAC
tag
TPM_TAG_RSP_AUTH1_COMMAND
UINT32
paramSize
Total number of output bytes including paramSize and tag
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_AuthorizeMigrationKey
4
<>
3S
<>
TPM_MIGRATIONKEYAUTH
outData
Returned public key and authorization session digest.
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC
key: ownerAuth.
6
1
7
20
1888
1889Action
1890The TPM SHALL perform the following:
457Level 2 Revision 116 28 February 2011
458
91
TCG Published
459Copyright © TCG
460
461
TPM Main Part 3 Commands
Specification Version 1.2
18911. Check that the cryptographic strength of migrationKey is at least that of a 2048 bit RSA
1892
key. If migrationKey is an RSA key, this means that migrationKey MUST be 2048 bits or
1893
greater and MUST use the default exponent.
18942. Validate the AuthData to use the TPM by the TPM Owner
18953. Create a f1 a TPM_MIGRATIONKEYAUTH structure
18964. Verify
that
migrationKey->
1897
TPM_ES_RSAESOAEP_SHA1_MGF1,
1898
TPM_INAPPROPRIATE_ENC if it is not
algorithmParms
and
return
->
the
encScheme
error
is
code
18995. Set f1 -> migrationKey to the input migrationKey
19006. Set f1 -> migrationScheme to the input migrationScheme
19017. Create
v1
by
concatenating
1902
TPM_PERMANENT_DATA -> tpmProof)
(migrationKey
||
migrationScheme
19038. Create h1 by performing a SHA-1 hash of v1
19049. Set f1 -> digest to h1
190510.Return f1 as outData
462
463
92
Level 2 Revision 116 28 February 2011
TCG Published
||
464TPM Main Part 3 Commands
TCG © Copyright
465Specification Version 1.2
190611.4
TPM_MigrateKey
1907Start of informative comment:
1908The TPM_MigrateKey command performs the function of a migration authority.
1909The command is relatively simple; it just decrypts the input packet (coming from
1910TPM_CreateMigrationBlob or TPM_CMK_CreateBlob) and then re-encrypts it with the input
1911public key. The output of this command would then be sent to TPM_ConvertMigrationBlob
1912or TPM_CMK_ConvertMigration on the target TPM.
1913TPM_MigrateKey does not make ANY assumptions about the contents of the encrypted blob.
1914Since it does not have the XOR string, it cannot actually determine much about the key
1915that is being migrated.
1916This command exists to permit the TPM to be a migration authority. If used in this way, it is
1917expected that the physical security of the system containing the TPM and the AuthData
1918value for the MA key would be tightly controlled.
1919To prevent the execution of this command using any other key as a parent key, this
1920command works only if keyUsage for maKeyHandle is TPM_KEY_MIGRATE.
1921End of informative comment.
1922Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_MigrateKey
4
4
TPM_KEY_HANDLE
maKeyHandle
Handle of the key to be used to migrate the key.
5
<>
2S
<>
TPM_PUBKEY
pubKey
Public key to which the blob is to be migrated
6
4
3S
4
UINT32
inDataSize
The size of inData
7
<>
4S
<>
BYTE[ ]
inData
The input blob
8
4
TPM_AUTHHANDLE
maAuthHandle
The authorization session handle used for maKeyHandle.
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
9
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with certAuthHandle
10
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
11
20
TPM_AUTHDATA
keyAuth
The authorization session digest for the inputs and key to be signed.
HMAC key: maKeyHandle.usageAuth.
466Level 2 Revision 116 28 February 2011
467
93
TCG Published
468Copyright © TCG
469
470
TPM Main Part 3 Commands
Specification Version 1.2
1923Outgoing Operands and Sizes
Param
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
Sz
1
#
Sz
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_MigrateKey
4
4
3S
4
UINT32
outDataSize
The used size of the output area for outData
5
<>
4S
<>
BYTE[ ]
outData
The re-encrypted blob
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with certAuthHandle
4H1
1
BOOL
continueAuthSession
Continue use flag for cert key session
TPM_AUTHDATA
keyAuth
The authorization session digest for the target key. HMAC key:
maKeyHandle.usageAuth
7
1
8
20
1924Actions
19251. Validate that keyAuth authorizes the use of the key pointed to by maKeyHandle
19262. The TPM validates that the key pointed to by maKeyHandle has a key usage value of
1927
TPM_KEY_MIGRATE,
and
that
the
allowed
encryption
scheme
is
1928
TPM_ES_RSAESOAEP_SHA1_MGF1.
19293. The TPM validates that pubKey is of a size supported by the TPM and that its size is
1930
consistent with the input blob and maKeyHandle.
19314. The TPM decrypts inData and re-encrypts it using pubKey.
471
472
94
Level 2 Revision 116 28 February 2011
TCG Published
473TPM Main Part 3 Commands
TCG © Copyright
474Specification Version 1.2
193211.5
TPM_CMK_SetRestrictions
1933Start of informative comment:
1934This command is used by the Owner to dictate the usage of a certified-migration key with
1935delegated authorization (authorization other than actual owner authorization).
1936This command is provided for privacy reasons and must not itself be delegated, because a
1937certified-migration-key may involve a contractual relationship between the Owner and an
1938external entity.
1939Since restrictions are validated at DSAP session use, there is no need to invalidate DSAP
1940sessions when the restriction value changes.
1941End of informative comment.
1942Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes incl. paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Ordinal: TPM_ORD_CMK_SetRestrictions
4
4
2S
4
TPM_CMK_DELEGATE
restriction
The bit mask of how to set the restrictions on CMK keys
5
4
TPM_AUTHHANDLE
authHandle
The authorization session handle TPM Owner authentication
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
6
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
7
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
8
20
TPM_AUTHDATA
ownerAuth
The authorization session digest. HMAC key:ownerAuth
Type
Name
Description
1943Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes
3
4
5
1
6
TPM_RESULT
returnCode
The return code of the operation
4
TPM_COMMAND_CODE
ordinal
Ordinal: TPM_ORD_CMK_SetRestrictions
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
Authorization HMAC key: ownerAuth.
20
1944Description
1945TPM_PERMANENT_DATA -> restrictDelegate is used as follows
19461. If the session type is TPM_PID_DSAP and TPM_KEY -> keyFlags -> migrateAuthority is
1947
TRUE
475Level 2 Revision 116 28 February 2011
476
95
TCG Published
477Copyright © TCG
478
479
1948
TPM Main Part 3 Commands
Specification Version 1.2
a. If
1949TPM_KEY_USAGE
is
TPM_KEY_SIGNING
1950TPM_CMK_DELEGATE_SIGNING is TRUE, or
and
restrictDelegate
->
1951TPM_KEY_USAGE
is
TPM_KEY_STORAGE
1952TPM_CMK_DELEGATE_STORAGE is TRUE, or
and
restrictDelegate
->
1953TPM_KEY_USAGE is TPM_KEY_BIND and restrictDelegate -> TPM_CMK_DELEGATE_BIND
1954is TRUE, or
1955TPM_KEY_USAGE
is
TPM_KEY_LEGACY
1956TPM_CMK_DELEGATE_LEGACY is TRUE, or
and
restrictDelegate
->
1957TPM_KEY_USAGE
is
TPM_KEY_MIGRATE
1958TPM_CMK_DELEGATE_MIGRATE is TRUE
and
restrictDelegate
->
1959then the key can be used.
1960
b. Else return TPM_INVALID_KEYUSAGE.
1961Actions
19621. Validate the ordinal and parameters using TPM Owner authentication, return
1963
TPM_AUTHFAIL on error
19642. Set TPM_PERMANENT_DATA -> TPM_CMK_DELEGATE -> restrictDelegate = restriction
19653. Return TPM_SUCCESS
480
481
96
Level 2 Revision 116 28 February 2011
TCG Published
482TPM Main Part 3 Commands
TCG © Copyright
483Specification Version 1.2
196611.6
TPM_CMK_ApproveMA
1967Start of informative comment:
1968This command creates an authorization ticket, to allow the TPM owner to specify which
1969Migration Authorities they approve and allow users to create certified-migration-keys
1970without further involvement with the TPM owner.
1971It is the responsibility of the TPM Owner to determine whether a particular Migration
1972Authority is suitable to control migration
1973End of informative comment.
1974Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CMK_ApproveMA
4
20
2S
20
TPM_DIGEST
migrationAuthorityDigest
A digest of a TPM_MSA_COMPOSITE structure (itself one or more
digests of public keys belonging to migration authorities)
5
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
6
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
7
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
8
20
TPM_AUTHDATA
ownerAuth
Authorization HMAC, key: ownerAuth.
1975Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CMK_ApproveMA
4
20
3S
20
TPM_HMAC
outData
HMAC of migrationAuthorityDigest
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
Authorization HMAC, key: ownerAuth.
6
1
7
20
1976Action
1977The TPM SHALL perform the following:
19781. Validate the AuthData to use the TPM by the TPM Owner
19792. Create M2 a TPM_CMK_MA_APPROVAL structure
484Level 2 Revision 116 28 February 2011
485
97
TCG Published
486Copyright © TCG
487
488
1980
TPM Main Part 3 Commands
Specification Version 1.2
a. Set M2 ->migrationAuthorityDigest to migrationAuthorityDigest
19813. Set outData = HMAC(M2) using tpmProof as the secret
19824. Return TPM_SUCCESS
489
490
98
Level 2 Revision 116 28 February 2011
TCG Published
491TPM Main Part 3 Commands
TCG © Copyright
492Specification Version 1.2
198311.7
TPM_CMK_CreateKey
1984Start of informative comment:
1985The TPM_CMK_CreateKey command both generates and creates a secure storage bundle for
1986asymmetric keys whose migration is controlled by a migration authority.
1987TPM_CMK_CreateKey is very similar to TPM_CreateWrapKey, but: (1) the resultant key must
1988be a migratable key and can be migrated only by TPM_CMK_CreateBlob; (2) the command is
1989Owner authorized via a ticket.
1990TPM_CMK_CreateKey creates an otherwise normal migratable key except that (1)
1991migrationAuth is an HMAC of the migration authority and the new key’s public key, signed
1992by tpmProof (instead of being tpmProof); (2) the migrationAuthority bit is set TRUE; (3) the
1993payload type is TPM_PT_MIGRATE_RESTRICTED.
1994The migration-selection/migration authority is specified by passing in a public key (actually
1995the digests of one or more public keys, so more than one migration authority can be
1996specified).
1997End of informative comment.
1998Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CMK_CreateKey
TPM_KEY_HANDLE
parentHandle
Handle of a loaded key that can perform key wrapping.
20
TPM_ENCAUTH
dataUsageAuth
Encrypted usage AuthData for the key.
3S
<>
TPM_KEY12
keyInfo
Information about key to be created, pubkey.keyLength and
keyInfo.encData elements are 0. MUST be TPM_KEY12
20
4S
20
TPM_HMAC
migrationAuthorityApproval
A ticket, created by the TPM Owner using TPM_CMK_ApproveMA,
approving a TPM_MSA_COMPOSITE structure
8
20
5S
20
TPM_DIGEST
migrationAuthorityDigest
The digest of a TPM_MSA_COMPOSITE structure
9
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for parent key authorization.
Must be an OSAP session.
#
SZ
#
1
2
3
4
4
4
5
20
2S
6
<>
7
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
10
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
11
1
4H1
1
BOOL
continueAuthSession
Ignored
12
20
TPM_AUTHDATA
pubAuth
The authorization session digest that authorizes the use of the public
key in parentHandle. HMAC key: parentKey.usageAuth.
493Level 2 Revision 116 28 February 2011
494
99
TCG Published
495Copyright © TCG
496
497
TPM Main Part 3 Commands
Specification Version 1.2
1999Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CMK_CreateKey
4
<>
3S
<>
TPM_KEY12
wrappedKey
The TPM_KEY structure which includes the public and encrypted private
key. MUST be TPM_KEY12
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, fixed at FALSE
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
parentKey.usageAuth.
6
1
7
20
2000Actions
2001The TPM SHALL do the following:
20021. Validate the AuthData to use the key pointed to by parentHandle. Return
2003
TPM_AUTHFAIL on any error
20042. Validate the session type for parentHandle is OSAP
20053. If the TPM is not designed to create a key of the type requested in keyInfo, return the
2006
error code TPM_BAD_KEY_PROPERTY
20074. Verify that parentHandle->keyUsage equals TPM_KEY_STORAGE
20085. Verify that parentHandle-> keyFlags-> migratable == FALSE
20096. If keyInfo -> keyFlags -> migratable is FALSE, return TPM_INVALID_KEYUSAGE
20107. If keyInfo -> keyFlags -> migrateAuthority is FALSE , return TPM_INVALID_KEYUSAGE
20118. Verify that the migration authority is authorized
2012
a. Create M1 a TPM_CMK_MA_APPROVAL structure
2013
2014
2015
i.
Set M1 ->migrationAuthorityDigest to migrationAuthorityDigest
b. Verify that migrationAuthorityApproval == HMAC(M1) using tpmProof as the secret
and return error TPM_MA_AUTHORITY on mismatch
20169. Validate key parameters
2017
2018
a. keyInfo
->
keyUsage
MUST
NOT
be
TPM_KEY_IDENTITY
TPM_KEY_AUTHCHANGE. If it is, return TPM_INVALID_KEYUSAGE
201910.If TPM_PERMANENT_FLAGS -> FIPS is TRUE then
2020
a. If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS
2021
b. If keyInfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS
2022
c. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS
498
499
100
Level 2 Revision 116 28 February 2011
TCG Published
or
500TPM Main Part 3 Commands
TCG © Copyright
501Specification Version 1.2
202311.If keyInfo -> keyUsage equals TPM_KEY_STORAGE or TPM_KEY_MIGRATE
2024
a. algorithmID MUST be TPM_ALG_RSA
2025
b. encScheme MUST be TPM_ES_RSAESOAEP_SHA1_MGF1
2026
c. sigScheme MUST be TPM_SS_NONE
2027
d. key size MUST be 2048
2028
e. exponentSize MUST be 0
202912.If keyInfo -> tag is NOT TPM_TAG_KEY12 return error TPM_INVALID_STRUCTURE
203013.Map wrappedKey to a TPM_KEY12 structure
203114.Create DU1 by decrypting dataUsageAuth according to the ADIP indicated by
2032
authHandle.
203315.Set continueAuthSession to FALSE
203416.Generate asymmetric key according to algorithm information in keyInfo
203517.Fill in the wrappedKey structure with information from the newly generated key.
2036
a. Set wrappedKey -> encData -> usageAuth to DU1
2037
b. Set wrappedKey -> encData -> payload to TPM_PT_MIGRATE_RESTRICTED
2038
2039
c. Create thisPubKey, a TPM_PUBKEY structure containing wrappedKey’s public key
and algorithm parameters
2040
d. Create M2 a TPM_CMK_MIGAUTH structure
2041
i.
2042
ii. Set M2 -> pubKeyDigest to SHA-1 (thisPubKey)
2043
2044
Set M2 -> msaDigest to migrationAuthorityDigest
e. Set wrappedKey -> encData -> migrationAuth equal to HMAC(M2), using tpmProof as
the shared secret
204518.If keyInfo->PCRInfoSize is non-zero
2046
a. Set wrappedKey -> pcrInfo to a TPM_PCR_INFO_LONG structure
2047
b. Set wrappedKey -> pcrInfo to keyInfo -> pcrInfo
2048
2049
c. Set wrappedKey -> digestAtCreation to the TPM_COMPOSITE_HASH indicated by
creationPCRSelection
2050
d. Set wrappedKey -> localityAtCreation to TPM_STANY_FLAGS -> localityModifier
205119.Encrypt the private portions of the wrappedKey structure using the key in parentHandle
205220.Return the newly generated key in the wrappedKey parameter
502Level 2 Revision 116 28 February 2011
503
101
TCG Published
504Copyright © TCG
505
506
205311.8
TPM Main Part 3 Commands
Specification Version 1.2
TPM_CMK_CreateTicket
2054Start of informative comment:
2055The TPM_CMK_CreateTicket command uses a public key to verify the signature over a
2056digest.
2057TPM_CMK_CreateTicket returns a ticket that can be used to prove to the same TPM that
2058signature verification with a particular public key was successful.
2059End of informative comment.
2060Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
UINT32
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CMK_CreateTicket
<>
TPM_PUBKEY
verificationKey
The public key to be used to check signatureValue
3S
20
TPM_DIGEST
signedData
The data to be verified
4
4S
4
UINT32
signatureValueSize
The size of the signatureValue
7
<>
5S
<>
BYTE[]
signatureValue
The signatureValue to be verified
8
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
#
SZ
1
2
2
4
3
4
1S
4
4
<>
2S
5
20
6
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
9
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
10
1
4H1
1
BOOL
continueAuthSession
Ignored
11
507
508
20
20
TPM_AUTHDATA
pubAuth
The authorization session digest for inputs and owner. HMAC key:
ownerAuth.
102
Level 2 Revision 116 28 February 2011
TCG Published
509TPM Main Part 3 Commands
TCG © Copyright
510Specification Version 1.2
2061Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CMK_CreateTicket
4
20
3S
20
TPM_HMAC
sigTicket
Ticket that proves digest created on this TPM
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag
TPM_AUTHDATA
resAuth
Authorization. HMAC key:. ownerAuth.
6
1
7
20
2062Actions
2063The TPM SHALL do the following:
20641. Validate the TPM Owner authentication to use the command
20652. Validate that the key type and algorithm are correct
2066
a. Validate that verificationKey -> algorithmParms -> algorithmID == TPM_ALG_RSA
2067
b. Validate that verificationKey -> algorithmParms ->encScheme == TPM_ES_NONE
2068
2069
c. Validate
that
verificationKey
->algorithmParms
->sigScheme
TPM_SS_RSASSAPKCS1v15_SHA1 or TPM_SS_RSASSAPKCS1v15_INFO
is
20703. Use verificationKey to verify that signatureValue is a valid signature on signedData, and
2071
return error TPM_BAD_SIGNATURE on mismatch
20724. Create M2 a TPM_CMK_SIGTICKET
2073
a. Set M2 -> verKeyDigest to the SHA-1 (verificationKey)
2074
b. Set M2 -> signedData to signedData
20755. Set sigTicket = HMAC(M2) signed by using tpmProof as the secret
20766. Return TPM_SUCCESS
511Level 2 Revision 116 28 February 2011
512
103
TCG Published
513Copyright © TCG
514
515
207711.9
TPM Main Part 3 Commands
Specification Version 1.2
TPM_CMK_CreateBlob
2078Start of informative comment:
2079TPM_CMK_CreateBlob command is very similar to TPM_CreateMigrationBlob, except that it:
2080(1) uses an extra ticket (restrictedKeyAuth) instead of a migrationAuth authorization
2081session;
(2)
uses
the
migration
options
TPM_MS_RESTRICT_MIGRATE
or
2082TPM_MS_RESTRICT_APPROVE; (3) produces a wrapped key blob whose migrationAuth is
2083independent of tpmProof.
2084If the destination (parent) public key is the MA, migration is implicitly permitted. Further
2085checks are required if the MA is not the destination (parent) public key, and merely selects
2086a migration destination: (1) sigTicket must prove that restrictTicket was signed by the MA;
2087(2) restrictTicket must vouch that the target public key is approved for migration to the
2088destination (parent) public key. (Obviously, this more complex method may also be used by
2089an MA to approve migration to that MA.) In both cases, the MA must be one of the MAs
2090implicitly listed in the migrationAuth of the target key-to-be-migrated.
2091When the migrationType is TPM_MS_RESTRICT_MIGRATE, restrictTicket and sigTicket are
2092unused. The TPM may test that the corresponding sizes are zero, so the caller should set
2093them to zero for interoperability.
2094End of informative comment.
516
517
104
Level 2 Revision 116 28 February 2011
TCG Published
518TPM Main Part 3 Commands
TCG © Copyright
519Specification Version 1.2
2095Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CMK_CreateBlob
4
4
TPM_KEY_HANDLE
parentHandle
Handle of the parent key that can decrypt encData.
5
2
2S
2
TPM_MIGRATE_SCHEME
migrationType
The migration type, either TPM_MS_RESTRICT_MIGRATE or TPM_MS_RESTRICT_APPROVE.
6
<>
3S
<>
TPM_MIGRATIONKEYAUTH
migrationKeyAuth
Migration public key and its authorization session digest.
7
20
4S
20
TPM_DIGEST
pubSourceKeyDigest
The digest of the TPM_PUBKEY of the entity to be migrated
8
4
5S
4
UINT32
msaListSize
The size of the msaList parameter, which is a variable length
TPM_MSA_COMPOSITE structure
9
<>
6S
<>
TPM_MSA_COMPOSITE
msaList
One or more digests of public keys belonging to migration authorities
10
4
7S
4
UINT32
restrictTicketSize
The size of the restrictTicket parameter
11
<>
8S
<>
BYTE[]
restrictTicket
If migrationType is TPM_MS_RESTRICT_APPROVE, a TPM_CMK_AUTH structure, containing the digests of the public keys
belonging to the Migration Authority, the destination parent key and the key-to-be-migrated.
12
4
9S
4
UINT32
sigTicketSize
The size of the sigTicket parameter
13
<>
10S
<>
BYTE[]
sigTicket
If migrationType is TPM_MS_RESTRICT_APPROVE, a TPM_HMAC
structure, generated by the TPM, signaling a valid signature over
restrictTicket
14
4
11S
4
UINT32
encDataSize
The size of the encData parameter
15
<>
12S
<>
BYTE[]
encData
The encrypted entity that is to be modified.
16
4
TPM_AUTHHANDLE
parentAuthHandle
The authorization session handle used for the parent key.
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
17
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with parentAuthHandle
18
1
4H1
1
BOOL
continueAuthSession
Continue use flag for parent session
19
20
20
TPM_AUTHDATA
parentAuth
HMAC key: parentKey.usageAuth.
520Level 2 Revision 116 28 February 2011
521
105
TCG Published
522Copyright © TCG
523
524
TPM Main Part 3 Commands
Specification Version 1.2
2096Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CMK_CreateBlob
4
4
3S
4
UINT32
randomSize
The used size of the output area for random
5
<>
4S
<>
BYTE[ ]
random
String used for xor encryption
6
4
5S
4
UINT32
outDataSize
The used size of the output area for outData
7
<>
6S
<>
BYTE[ ]
outData
The modified, encrypted entity.
8
20
3H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
4H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with parentAuthHandle
5H1
1
BOOL
continueAuthSession
Continue use flag for parent key session
20
TPM_AUTHDATA
resAuth
HMAC key: parentKey.usageAuth.
9
1
10
20
2097Description
2098The TPM does not check the PCR values when migrating values locked to a PCR.
2099Actions
21001. Validate that parentAuth authorizes the use of the key pointed to by parentHandle.
21012. The TPM MAY verify that migrationType == migrationKeyAuth -> migrationScheme and
2102
return TPM_BAD_MODE on error.
2103
a. The TPM MAY ignore migrationType.
21043. Verify that parentHandle-> keyFlags-> migratable == FALSE
21054. Create d1 by decrypting encData using the key pointed to by parentHandle.
21065. Verify that the digest within migrationKeyAuth is legal for this TPM and public key
21076. Verify
that
d1
->
payload
2108
TPM_PT_MIGRATE_EXTERNAL
==
TPM_PT_MIGRATE_RESTRICTED
or
21097. Verify that the migration authorities in msaList are authorized to migrate this key
2110
a. Create M2 a TPM_CMK_MIGAUTH structure
2111
i.
2112
ii. Set M2 -> pubKeyDigest to pubSourceKeyDigest
2113
2114
Set M2 -> msaDigest to SHA-1[msaList]
b. Verify that d1 -> migrationAuth == HMAC(M2) using tpmProof as the secret and
return error TPM_MA_AUTHORITY on mismatch
21158. If migrationKeyAuth -> migrationScheme == TPM_MS_RESTRICT_MIGRATE
2116
525
526
a. Verify that intended migration destination is an MA:
106
Level 2 Revision 116 28 February 2011
TCG Published
527TPM Main Part 3 Commands
TCG © Copyright
528Specification Version 1.2
2117
2118
2119
i. For one of n=1 to n=(msaList -> MSAlist), verify that SHA-1[migrationKeyAuth
-> migrationKey] == msaList -> migAuthDigest[n]
b. Validate that the MA key is the correct type
2120
2121
i. Validate that migrationKeyAuth -> migrationKey -> algorithmParms ->
algorithmID == TPM_ALG_RSA
2122
2123
ii. Validate that migrationKeyAuth -> migrationKey -> algorithmParms ->
encScheme is an encryption scheme supported by the TPM
2124
2125
iii. Validate that migrationKeyAuth
sigScheme is TPM_SS_NONE
2126
c. The TPM MAY validate that restrictTicketSize is zero.
2127
d. The TPM MAY validate that sigTicketSize is zero.
->
migrationKey
->algorithmParms
->
21289. else If migrationKeyAuth -> migrationScheme == TPM_MS_RESTRICT_APPROVE
2129
2130
2131
2132
a. Verify that the intended migration destination has been approved by the MSA:
i. Verify that for one of the n=1 to n=(msaList -> MSAlist) values of msaList ->
migAuthDigest[n], sigTicket == HMAC (V1) using tpmProof as the secret where V1
is a TPM_CMK_SIGTICKET structure such that:
2133
(1)
V1 -> verKeyDigest = msaList -> migAuthDigest[n]
2134
(2)
V1 -> signedData = SHA-1[restrictTicket]
2135
2136
ii. If [restrictTicket -> destinationKeyDigest] != SHA-1[migrationKeyAuth ->
migrationKey], return error TPM_MA_DESTINATION
2137
2138
iii. If [restrictTicket -> sourceKeyDigest] != pubSourceKeyDigest, return error
TPM_MA_SOURCE
213910.Else return with error TPM_BAD_PARAMETER.
214011.Build two bytes array, K1 and K2, using d1:
2141
2142
2143
a. K1
=
TPM_STORE_ASYMKEY.privKey[0..19]
(TPM_STORE_ASYMKEY.privKey.keyLength
+
16
bytes
of
TPM_STORE_ASYMKEY.privKey.key), sizeof(K1) = 20
2144
2145
b. K2
=
TPM_STORE_ASYMKEY.privKey[20..131]
TPM_STORE_ASYMKEY . privKey.key), sizeof(K2) = 112
(position
16-127
of
214612.Build M1 a TPM_MIGRATE_ASYMKEY structure
2147
a. TPM_MIGRATE_ASYMKEY.payload = TPM_PT_CMK_MIGRATE
2148
b. TPM_MIGRATE_ASYMKEY.usageAuth = TPM_STORE_ASYMKEY.usageAuth
2149
c. TPM_MIGRATE_ASYMKEY.pubDataDigest = TPM_STORE_ASYMKEY. pubDataDigest
2150
d. TPM_MIGRATE_ASYMKEY.partPrivKeyLen = 112 – 127.
2151
e. TPM_MIGRATE_ASYMKEY.partPrivKey = K2
215213.Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the OAEP
2153
encoding of m using OAEP parameters m, pHash, and seed
2154
a. m is the previously created M1
529Level 2 Revision 116 28 February 2011
530
107
TCG Published
531Copyright © TCG
532
533
TPM Main Part 3 Commands
Specification Version 1.2
2155
b. pHash = SHA-1( SHA-1[msaList] || pubSourceKeyDigest)
2156
c. seed = s1 = the previously created K1
215714.Create r1 a random value from the TPM RNG. The size of r1 MUST be the size of o1.
2158
Return r1 in the random parameter
215915.Create x1 by XOR of o1 with r1
216016.Copy r1 into the output field “random”
216117.Encrypt x1 with the migrationKeyAuth-> migrationKey
534
535
108
Level 2 Revision 116 28 February 2011
TCG Published
536TPM Main Part 3 Commands
TCG © Copyright
537Specification Version 1.2
216211.10
TPM_CMK_ConvertMigration
2163Start of informative comment:
2164TPM_CMK_ConvertMigration completes the migration of certified migration blobs.
2165This command takes a certified migration blob and creates a normal wrapped blob with
2166payload type TPM_PT_MIGRATE_EXTERNAL. The migrated blob must be loaded into the
2167TPM using the normal TPM_LoadKey function.
2168Note that the command migrates private keys, only. The migration of the associated public
2169keys is not specified by TPM because they are not security sensitive. Migration of the
2170associated public keys may be specified in a platform specific specification. A TPM_KEY
2171structure must be recreated before the migrated key can be used by the target TPM in a
2172TPM_LoadKey command.
2173TPM_CMK_ConvertMigration checks that one of the MAs implicitly listed in the
2174migrationAuth of the target key has approved migration of the target key to the destination
2175(parent) key, and that the settings (flags etc.) in the target key are those of a CMK.
2176End of informative comment.
2177Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CMK_ConvertMigration
TPM_KEY_HANDLE
parentHandle
Handle of a loaded key that can decrypt keys.
60
TPM_CMK_AUTH
restrictTicket
The digests of public keys belonging to the Migration Authority, the
destination parent key and the key-to-be-migrated.
3S
20
TPM_HMAC
sigTicket
A signature ticket, generated by the TPM, signaling a valid signature
over restrictTicket
<>
4S
<>
TPM_KEY12
migratedKey
The public key of the key-to-be-migrated. The private portion MUST be
TPM_MIGRATE_ASYMKEY properly XOR’d
8
4
5S
4
UINT32
msaListSize
The size of the msaList parameter, which is a variable length
TPM_MSA_COMPOSITE structure
9
<>
6S
<>
TPM_MSA_COMPOSITE
msaList
One or more digests of public keys belonging to migration authorities
10
4
7S
4
UINT32
randomSize
Size of random
11
<>
8S
<>
BYTE [ ]
random
Random value used to hide key data.
12
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle.
#
SZ
#
1
2
3
4
4
4
5
60
2S
6
20
7
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
13
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
14
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
15
20
TPM_AUTHDATA
parentAuth
Authorization HMAC: parentKey.usageAuth
538Level 2 Revision 116 28 February 2011
539
109
TCG Published
540Copyright © TCG
541
542
TPM Main Part 3 Commands
Specification Version 1.2
2178Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CMK_ConvertMigration
4
4
3S
4
UINT32
outDataSize
The used size of the output area for outData
5
<>
4S
<>
BYTE[ ]
outData
The encrypted private key that can be loaded with TPM_LoadKey
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
Authorization HMAC key .usageAuth
7
1
8
20
2179Action
21801. Validate the AuthData to use the key in parentHandle
21812. If the keyUsage field of the key referenced by parentHandle does not have the value
2182
TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE
21833. Create d1 by decrypting the migratedKey -> encData area using the key in parentHandle
21844. Create o1 by XOR d1 and random parameter
21855. Create m1 a TPM_MIGRATE_ASYMKEY, seed and pHash by OAEP decoding o1
21866. Create migratedPubKey a TPM_PUBKEY structure corresponding to migratedKey
2187
a. Verify that pHash == SHA-1( SHA-1[msaList] || SHA-1(migratedPubKey )
21887. Create k1 by combining seed and the TPM_MIGRATE_ASYMKEY -> partPrivKey field
21898. Create d2 a TPM_STORE_ASYMKEY structure.
2190
a. Set the TPM_STORE_ASYMKEY -> privKey field to k1
2191
b. Set d2 -> usageAuth to m1 -> usageAuth
2192
c. Set d2 -> pubDataDigest to m1 -> pubDataDigest
21939. Verify that parentHandle-> keyFlags -> migratable == FALSE
219410.Verify that m1 -> payload == TPM_PT_CMK_MIGRATE then set d2-> payload =
2195
TPM_PT_MIGRATE_EXTERNAL
219611.Verify that for one of the n=1 to n=(msaList -> MSAlist) values of msaList ->
2197
migAuthDigest[n] sigTicket == HMAC (V1) using tpmProof as the secret where V1 is a
2198
TPM_CMK_SIGTICKET structure such that:
2199
a. V1 -> verKeyDigest = msaList -> migAuthDigest[n]
2200
b. V1 -> signedData = SHA-1[restrictTicket]
220112.Create parentPubKey, a TPM_PUBKEY structure corresponding to parentHandle
543
544
110
Level 2 Revision 116 28 February 2011
TCG Published
545TPM Main Part 3 Commands
TCG © Copyright
546Specification Version 1.2
220213.If [restrictTicket -> destinationKeyDigest] != SHA-1(parentPubKey), return error
2203
TPM_MA_DESTINATION
220414.Verify that migratedKey is corresponding to d2
220515.If migratedKey -> keyFlags
2206
TPM_INVALID_KEYUSAGE
->
migratable
220716.If migratedKey -> keyFlags
2208
TPM_INVALID_KEYUSAGE
->
migrateAuthority
220917.If [restrictTicket ->
2210
TPM_MA_SOURCE
sourceKeyDigest]
!=
is
FALSE,
is
and
return
error
FALSE,
return
error
return
error
SHA-1(migratedPubKey),
221118.Create M2 a TPM_CMK_MIGAUTH structure
2212
a. Set M2 -> msaDigest to SHA-1[msaList]
2213
b. Set M2 -> pubKeyDigest to SHA-1[migratedPubKey]
221419.Set d2 -> migrationAuth = HMAC(M2) using tpmProof as the secret
221520.Create outData using the key in parentHandle to perform the encryption
547Level 2 Revision 116 28 February 2011
548
111
TCG Published
549Copyright © TCG
550
551
221612.
Maintenance
2217Start of informative comment:
TPM Main Part 3 Commands
Specification Version 1.2
Functions (optional)
2218When a maintenance archive is created with generateRandom FALSE, the maintenance blob
2219is XOR encrypted with the owner authorization before encryption with the maintenance
2220public key. This prevents the manufacturer from obtaining plaintext data. The receiving
2221TPM must have the same owner authorization as the sending TPM in order to XOR decrypt
2222the archive.
2223When generateRandom is TRUE, the maintenance blob is XOR encrypted with random data,
2224which is also returned. This permits someone trusted by the Owner to load the
2225maintenance archive into the replacement platform in the absence of the Owner and
2226manufacturer, without the Owner having to reveal information about his auth value. The
2227receiving and sending TPM's may have different owner authorizations. The random data is
2228transferred from the sending TPM owner to the receiving TPM owner out of band, so the
2229maintenance blob remains hidden from the manufacturer.
2230This is a typical maintenance sequence:
22311. Manufacturer:
2232•
generates maintenance key pair
2233•
gives public key to TPM1 owner
22342. TPM1: TPM_LoadManuMaintPub
2235•
load maintenance public key
22363. TPM1: TPM_CreateMaintenanceArchive
2237•
XOR encrypt with owner auth or random
2238•
encrypt the maintenance archive with maintenance public key
22394. TPM2:
2240•
Take ownership
2241•
Create and activate an AIK
2242•
Certify the SRK with the AIK, proving that the SRK came from a legitimate TPM
22434. Manufacturer:
2244•
decrypt maintenance archive with maintenance private key
2245•
(still XOR encrypted with owner auth or random)
2246•
validate the TPM2 SRK certification
2247•
encrypt the maintenance archive with TPM2 SRK public key
22485. TPM2: TPM_LoadMaintenanceArchive
2249•
decrypt the maintenance archive with SRK private key
2250•
XOR decrypt with owner auth or random
2251End of informative comment.
552
553
112
Level 2 Revision 116 28 February 2011
TCG Published
554TPM Main Part 3 Commands
TCG © Copyright
555Specification Version 1.2
2252
556Level 2 Revision 116 28 February 2011
557
113
TCG Published
558Copyright © TCG
559
560
TPM Main Part 3 Commands
Specification Version 1.2
2253
225412.1
TPM_CreateMaintenanceArchive
2255Start of informative comment:
2256This command creates the maintenance archive. It can only be executed by the owner, and
2257may be shut off with the TPM_KillMaintenanceFeature command.
2258End of informative comment.
2259Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Cmd ordinal: TPM_ORD_CreateMaintenanceArchive
4
1
2S
1
BOOL
generateRandom
Use RNG or Owner auth to generate ‘random’.
5
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
7
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
8
20
TPM_AUTHDATA
ownerAuth
HMAC key: ownerAuth.
6
2260Outgoing Operands and Sizes
PARAM
HMAC
#
Type
SZ
Name
Description
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Cmd ordinal: TPM_ORD_CreateMaintenanceArchive
4
4
3S
4
UINT32
randomSize
Size of the returned random data. Will be 0 if generateRandom is FALSE.
5
<>
4S
<>
BYTE [ ]
random
Random data to XOR with result.
6
4
5S
4
UINT32
archiveSize
Size of the encrypted archive
7
<>
6S
<>
BYTE [ ]
archive
Encrypted key archive.
8
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth.
9
1
10
20
2261Actions
2262Upon authorization being confirmed this command does the following:
561
562
114
Level 2 Revision 116 28 February 2011
TCG Published
563TPM Main Part 3 Commands
TCG © Copyright
564Specification Version 1.2
22631. Validates that the TPM_PERMANENT_FLAGS -> allowMaintenance is TRUE. If it is
2264
FALSE, the TPM SHALL return TPM_DISABLED_CMD and exit this capability.
22652. Validates the TPM Owner AuthData.
22663. If the value of TPM_PERMANENT_DATA -> manuMaintPub is zero, the TPM MUST
2267
return the error code TPM_KEYNOTFOUND
22684. Build a1 a TPM_KEY structure using the SRK. The encData field is not a normal
2269
TPM_STORE_ASYMKEY structure but rather a TPM_MIGRATE_ASYMKEY structure built
2270
using the following actions.
22715. Build a TPM_STORE_PRIVKEY structure from the SRK. This privKey element should be
2272
132 bytes long for a 2K RSA key.
22736. Create k1 and k2 by splitting the privKey element created in step 4 into 2 parts. k1 is
2274
the first 20 bytes of privKey, k2 contains the remainder of privKey.
22757. Build m1 by creating and filling in a TPM_MIGRATE_ASYMKEY structure
2276
a. m1 -> usageAuth is set to TPM_PERMANENT_DATA -> tpmProof
2277
b. m1 -> pubDataDigest is set to the digest value of the SRK fields from step 4
2278
c. m1 -> payload is set to TPM_PT_MAINT
2279
d. m1 -> partPrivKey is set to k2
22808. Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the OAEP
2281
encoding of m using OAEP parameters of
2282
a. m = TPM_MIGRATE_ASYMKEY structure (step 7)
2283
b. pHash = TPM_PERMANENT_DATA -> ownerAuth
2284
c. seed = s1 = k1 (step 6)
22859. If generateRandom = TRUE
2286
2287
a. Create r1 by obtaining values from the TPM RNG. The size of r1 MUST be the same
size as o1. Set random parameter to r1
228810.If generateRandom = FALSE
2289
2290
a. Create r1 by applying MGF1 to the TPM Owner AuthData. The size of r1 MUST be the
same size as o1. Set randomSize to 0.
229111.Create x1 by XOR of o1 with r1
229212.Encrypt x1 with the manuMaintPub key using the TPM_ES_RSAESOAEP_SHA1_MGF1
2293
encryption scheme.
229413.Set a1 -> encData to the encryption of x1
229514.Set TPM_PERMANENT_FLAGS -> maintenanceDone to TRUE
229615.Return a1 in the archive parameter
565Level 2 Revision 116 28 February 2011
566
115
TCG Published
567Copyright © TCG
568
569
229712.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_LoadMaintenanceArchive
2298Start of informative comment:
2299This command loads in a Maintenance archive that has been massaged by the
2300manufacturer to load into another TPM.
2301If the maintenance archive was created using the owner authorization for XOR encryption,
2302the current owner authorization must be used for decryption. The owner authorization does
2303not change.
2304If the maintenance archive was created using random data for the XOR encryption, the
2305vendor specific arguments must include the random data. The owner authorization may
2306change.
2307End of informative comment.
2308Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadMaintenanceArchive
4
4
2S
4
UINT32
archiveSize
Sice of the encrypted archive
5
<>
3S
<>
BYTE[]
archive
Encrypted key archive
Vendor specific arguments
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
#
SZ
1
-
#
SZ
4
-
20
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
-
1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
--
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner authentication.
HMAC key: ownerAuth.
2309
570
571
116
Level 2 Revision 116 28 February 2011
TCG Published
572TPM Main Part 3 Commands
TCG © Copyright
573Specification Version 1.2
2310Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
4
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadMaintenanceArchive
..
..
Vendor specific arguments
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth, the original value and not the new auth value
#
SZ
1
-
#
SZ
20
-
1
-
20
2311Description
2312The maintenance mechanisms in the TPM MUST not require the TPM to hold a global
2313secret. The definition of global secret is a secret value shared by more than one TPM.
2314The TPME is not allowed to pre-store or use unique identifiers in the TPM for the purpose of
2315maintenance. The TPM MUST NOT use the endorsement key for identification or encryption
2316in the maintenance process. The maintenance process MAY use a TPM Identity to deliver
2317maintenance information to specific TPM’s.
2318The maintenance process can only change the SRK, tpmProof and TPM Owner AuthData
2319fields.
2320The maintenance process can only access data in shielded locations where this data is
2321necessary to validate the TPM Owner, validate the TPME and manipulate the blob
2322The TPM MUST be conformant to the TPM specification, protection profiles and security
2323targets after maintenance. The maintenance MAY NOT decrease the security values from
2324the original security target.
2325The security target used to evaluate this TPM MUST include this command in the TOE.
2326Actions
2327The TPM SHALL perform the following when executing the command
23281. Validate the TPM Owner’s AuthData
23292. Validate that the maintenance information was sent by the TPME. The validation
2330
mechanism MUST use a strength of function that is at least the same strength of
2331
function as a digital signature performed using a 2048 bit RSA key.
23323. The packet MUST contain m2 as defined in section 12.1.
23334. Ensure that only the target TPM can interpret the maintenance packet. The protection
2334
mechanism MUST use a strength of function that is at least the same strength of
2335
function as a digital signature performed using a 2048 bit RSA key.
574Level 2 Revision 116 28 February 2011
575
117
TCG Published
576Copyright © TCG
577
578
TPM Main Part 3 Commands
Specification Version 1.2
23365. Execute the actions of TPM_OwnerClear.
23376. Process the maintenance information
2338
a. Update the SRK
2339
i.
Set the SRK usageAuth to be the same as the source TPM owner's AuthData
2340
b. Update TPM_PERMANENT_DATA -> tpmProof
2341
c. Update TPM_PERMANENT_DATA -> ownerAuth
23427. Set TPM_PERMANENT_FLAGS -> maintenanceDone to TRUE
2343
579
580
118
Level 2 Revision 116 28 February 2011
TCG Published
581TPM Main Part 3 Commands
TCG © Copyright
582Specification Version 1.2
234412.3
TPM_KillMaintenanceFeature
2345Start of informative comment:
2346The TPM_KillMaintencanceFeature is a permanent action that prevents ANYONE from
2347creating a maintenance archive. This action, once taken, is permanent until a new TPM
2348Owner is set.
2349This action is to allow those customers who do not want the maintenance feature to not
2350allow the use of the maintenance feature.
2351At the discretion of the Owner, it should be possible to kill the maintenance feature in such
2352a way that the only way to recover maintainability of the platform would be to wipe out the
2353root keys. This feature is mandatory in any TPM that implements the maintenance feature.
2354End of informative comment.
2355Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_KillMaintenanceFeature
4
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
5
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
6
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
7
20
TPM_AUTHDATA
ownerAuth
HMAC key: ownerAuth.
2356Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
5
1
6
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_KillMaintenanceFeature
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
HMAC key: ownerAuth.
20
2357Actions
23581. Validate the TPM Owner AuthData
23592. Set the TPM_PERMANENT_FLAGS.allowMaintenance flag to FALSE.
583Level 2 Revision 116 28 February 2011
584
119
TCG Published
585Copyright © TCG
586
587
236012.4
TPM Main Part 3 Commands
Specification Version 1.2
TPM_LoadManuMaintPub
2361Start of informative comment:
2362The TPM_LoadManuMaintPub command loads the manufacturer’s public key for use in the
2363maintenance process. The command installs manuMaintPub in PERMANENT data storage
2364inside a TPM. Maintenance enables duplication of non-migratory data in protected storage.
2365There is therefore a security hole if a platform is shipped before the maintenance public key
2366has been installed in a TPM.
2367The command is expected to be used before installation of a TPM Owner or any key in TPM
2368protected storage. It therefore does not use authorization.
2369End of informative comment.
2370Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadManuMaintPub
4
20
2S
20
TPM_NONCE
antiReplay
AntiReplay and validation nonce
5
<>
3S
<>
TPM_PUBKEY
pubKey
The public key of the manufacturer to be in use for maintenance
#
SZ
1
#
SZ
2371Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
20
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadManuMaintPub
3S
20
TPM_DIGEST
checksum
Digest of pubKey and antiReplay
2372Description
2373The pubKey MUST specify an algorithm whose strength is not less than the RSA algorithm
2374with 2048bit keys.
2375pubKey SHOULD unambiguously identify the entity that will perform the maintenance
2376process with the TPM Owner.
2377TPM_PERMANENT_DATA -> manuMaintPub SHALL exist in a TPM-shielded location, only.
2378If an entity (Platform Entity) does not support the maintenance process but issues a
2379platform credential for a platform containing a TPM that supports the maintenance process,
2380the value of TPM_PERMANENT_DATA -> manuMaintPub MUST be set to zero before the
2381platform leaves the entity’s control. That is, this ordinal can only be run once, and used to
2382either load the key or load a NULL key.
588
589
120
Level 2 Revision 116 28 February 2011
TCG Published
590TPM Main Part 3 Commands
TCG © Copyright
591Specification Version 1.2
2383Actions
2384The first valid TPM_LoadManuMaintPub command received by a TPM SHALL
23851. Store the parameter pubKey as TPM_PERMANENT_DATA -> manuMaintPub.
23862. Set checksum to SHA-1 of (pubKey || antiReplay)
23873. Export the checksum
23884. Subsequent
calls
2389
TPM_DISABLED_CMD.
to
592Level 2 Revision 116 28 February 2011
593
TPM_LoadManuMaintPub
121
TCG Published
SHALL
return
code
594Copyright © TCG
595
596
239012.5
TPM Main Part 3 Commands
Specification Version 1.2
TPM_ReadManuMaintPub
2391Start of informative comment:
2392The TPM_ReadManuMaintPub command is used to check whether the manufacturer’s
2393public maintenance key in a TPM has the expected value. This may be useful during the
2394manufacture process. The command returns a digest of the installed key, rather than the
2395key itself. This hinders discovery of the maintenance key, which may (or may not) be useful
2396for manufacturer privacy.
2397The command is expected to be used before installation of a TPM Owner or any key in TPM
2398protected storage. It therefore does not use authorization.
2399End of Informative Comments
2400Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReadManuMaintPub
4
20
2S
20
TPM_NONCE
antiReplay
AntiReplay and validation nonce
#
SZ
1
#
SZ
2401Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
20
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReadManuMaintPub
3S
20
TPM_DIGEST
checksum
Digest of pubKey and antiReplay
2402Description
2403This command returns the hash of the antiReplay nonce and the previously loaded
2404manufacturer’s maintenance public key.
2405Actions
2406The TPM_ReadManuMaintPub command SHALL
24071. Create “checksum” by concatenating data to form (TPM_PERMANENT_DATA ->
2408
manuMaintPub ||antiReplay) and passing the concatenated data through SHA-1.
24092. Export the checksum
597
598
122
Level 2 Revision 116 28 February 2011
TCG Published
599TPM Main Part 3 Commands
TCG © Copyright
600Specification Version 1.2
241013.
Cryptographic Functions
241113.1
TPM_SHA1Start
2412Start of informative comment:
2413This capability starts the process of calculating a SHA-1 digest.
2414The exposure of the SHA-1 processing is a convenience to platforms in a mode that do not
2415have sufficient memory to perform SHA-1 themselves. As such, the use of SHA-1 is
2416restrictive on the TPM.
2417The TPM may not allow any other types of processing during the execution of a SHA-1
2418session. There is only one SHA-1 session active on a TPM. The exclusivity of a SHA-1
2419context is due to the relatively large volatile buffer it requires in order to hold the
2420intermediate results between the SHA-1 context commands. This buffer can be in
2421contradiction to other command needs.
2422After the execution of TPM_SHA1Start, and prior to TPM_SHA1Complete or
2423TPM_SHA1CompleteExtend, the receipt of any command other than TPM_SHA1Update will
2424cause the invalidation of the SHA-1 session.
2425End of informative comment.
2426Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SHA1Start
Type
Name
Description
#
SZ
1
#
SZ
1S
4
2427Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
4
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SHA1Start
3S
4
UINT32
maxNumBytes
Maximum number of bytes that can be sent to TPM_SHA1Update. Must be a
multiple of 64 bytes.
2428Description
24291. This capability prepares the TPM for a subsequent TPM_SHA1Update,
2430
TPM_SHA1Complete or TPM_SHA1CompleteExtend command. The capability SHALL
2431
open a thread that calculates a SHA-1 digest.
601Level 2 Revision 116 28 February 2011
602
123
TCG Published
603Copyright © TCG
604
605
TPM Main Part 3 Commands
Specification Version 1.2
24322. After receipt of TPM_SHA1Start, and prior to the receipt of TPM_SHA1Complete or
2433
TPM_SHA1CompleteExtend, receipt of any command other than TPM_SHA1Update
2434
invalidates the SHA-1 session.
2435
2436
a. If the command received is TPM_ExecuteTransport, the SHA-1 session invalidation is
based on the wrapped command, not the TPM_ExecuteTransport ordinal.
2437
2438
b. A SHA-1 thread (start, update, complete) MUST take place either completely outside
a transport session or completely within a single transport session.
606
607
124
Level 2 Revision 116 28 February 2011
TCG Published
608TPM Main Part 3 Commands
TCG © Copyright
609Specification Version 1.2
243913.2
TPM_SHA1Update
2440Start of informative comment:
2441This capability inputs complete blocks of data into a pending SHA-1 digest. At the end of
2442the process, the digest remains pending.
2443End of informative comment.
2444Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SHA1Update
4
4
2S
4
UINT32
numBytes
The number of bytes in hashData. Must be a multiple of 64 bytes.
5
<>
3S
<>
BYTE [ ]
hashData
Bytes to be hashed
Type
Name
Description
#
SZ
1
#
SZ
2445Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SHA1Update
2446Description
2447This command SHALL incorporate complete blocks of data into the digest of an existing
2448SHA-1 thread. Only integral numbers of complete blocks (64 bytes each) can be processed.
2449Actions
24501. If there is no existing SHA-1 thread, return TPM_SHA_THREAD
24512. If numBytes is not a multiple of 64
2452
a. Return TPM_SHA_ERROR
2453
b. The TPM MAY terminate the SHA-1 thread
24543. If numBytes is greater than maxNumBytes returned by TPM_SHA1Start
2455
a. Return TPM_SHA_ERROR
2456
b. The TPM MAY terminate the SHA-1 thread
24574. Incorporate hashData into the digest of the existing SHA-1 thread.
2458
610Level 2 Revision 116 28 February 2011
611
125
TCG Published
612Copyright © TCG
613
614
245913.3
TPM Main Part 3 Commands
Specification Version 1.2
TPM_SHA1Complete
2460Start of informative comment:
2461This capability terminates a pending SHA-1 calculation.
2462End of informative comment.
2463Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SHA1Complete
4
4
2S
4
UINT32
hashDataSize
Number of bytes in hashData, MUST be 64 or less
5
<>
3S
<>
BYTE [ ]
hashData
Final bytes to be hashed
Type
Name
Description
#
SZ
1
#
SZ
2464Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
20
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SHA1Complete
3S
20
TPM_DIGEST
hashValue
The output of the SHA-1 hash.
2465Description
2466This command SHALL incorporate a partial or complete block of data into the digest of an
2467existing SHA-1 thread, and terminate that thread. hashDataSize MAY have values in the
2468range of 0 through 64, inclusive.
2469If the SHA-1 thread has received no bytes the TPM SHALL calculate the SHA-1 of the empty
2470buffer.
615
616
126
Level 2 Revision 116 28 February 2011
TCG Published
617TPM Main Part 3 Commands
TCG © Copyright
618Specification Version 1.2
247113.4
TPM_SHA1CompleteExtend
2472Start of informative comment:
2473This capability terminates a pending SHA-1 calculation and EXTENDS the result into a
2474Platform Configuration Register using a SHA-1 hash process.
2475This command is designed to complete a hash sequence and extend a PCR in memory-less
2476environments.
2477End of informative comment.
2478Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
UINT32
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SHA1CompleteExtend
4
TPM_PCRINDEX
pcrNum
Index of the PCR to be modified
3S
4
UINT32
hashDataSize
Number of bytes in hashData, MUST be 64 or less
4S
<>
BYTE [ ]
hashData
Final bytes to be hashed
Type
Name
Description
#
SZ
#
SZ
1
2
2
4
3
4
1S
4
4
4
2S
5
4
6
<>
2479Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SHA1CompleteExtend
4
20
3S
20
TPM_DIGEST
hashValue
The output of the SHA-1 hash.
5
20
4S
20
TPM_PCRVALUE
outDigest
The PCR value after execution of the command.
2480Description
2481This command SHALL incorporate a partial or complete block of data into the digest of an
2482existing SHA-1 thread, EXTEND the resultant digest into a PCR, and terminate the SHA-1
2483session. hashDataSize MAY have values in the range of 0 through 64, inclusive.
2484The SHA-1 session MUST terminate even if the command returns an error, e.g.
2485TPM_BAD_LOCALITY.
2486Actions
24875. Validate that pcrNum represents a legal PCR number. On error, return TPM_BADINDEX.
24886. Map V1 to TPM_STANY_DATA
24897. Map L1 to V1 -> localityModifier
619Level 2 Revision 116 28 February 2011
620
127
TCG Published
621Copyright © TCG
622
623
TPM Main Part 3 Commands
Specification Version 1.2
24908. If the current locality, held in L1, is not selected in TPM_PERMANENT_DATA -> pcrAttrib
2491
[pcrNum]. pcrExtendLocal, return TPM_BAD_LOCALITY
24929. Create H1 the TPM_DIGEST of the SHA-1 session ensuring that hashData, if any, is
2493
added to the SHA-1 session
249410.Perform the actions of TPM_Extend using H1 as the data and pcrNum as the PCR to
2495
extend
624
625
128
Level 2 Revision 116 28 February 2011
TCG Published
626TPM Main Part 3 Commands
TCG © Copyright
627Specification Version 1.2
249613.5
TPM_Sign
2497Start of informative comment:
2498The Sign command signs data and returns the resulting digital signature.
2499The TPM does not allow TPM_Sign with a TPM_KEY_IDENTITY (AIK) because TPM_Sign can
2500sign arbitrary data and could be used to fake a quote. (This could have been relaxed to
2501allow TPM_Sign with an AIK if the signature scheme is _INFO For an _INFO key, the
2502metadata prevents TPM_Sign from faking a quote.)
2503End of informative comment.
2504Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Sign.
4
4
TPM_KEY_HANDLE
keyHandle
The keyHandle identifier of a loaded key that can perform digital
signatures.
5
4
2s
4
UINT32
areaToSignSize
The size of the areaToSign parameter
6
<>
3s
<>
BYTE[]
areaToSign
The value to sign
7
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle authorization
#
SZ
1
#
SZ
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
9
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
10
20
TPM_AUTHDATA
privAuth
The authorization session digest that authorizes the use of keyHandle.
HMAC key: key.usageAuth
Type
Name
Description
2505Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Sign.
4
4
3S
4
UINT32
sigSize
The length of the returned digital signature
5
<>
4S
<>
BYTE[ ]
sig
The resulting digital signature.
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
key.usageAuth
7
1
8
20
628Level 2 Revision 116 28 February 2011
629
129
TCG Published
630Copyright © TCG
631
632
TPM Main Part 3 Commands
Specification Version 1.2
2506Description
2507The TPM MUST support all values of areaToSignSize that are legal for the defined signature
2508scheme and key size. The maximum value of areaToSignSize is determined by the defined
2509signature scheme and key size.
2510In the case of PKCS1v15_SHA1 the areaToSignSize MUST be TPM_DIGEST (the hash size of
2511a SHA-1 operation - see 8.5.1 TPM_SS_RSASSAPKCS1v15_SHA1). In the case of
2512PKCS1v15_DER the maximum size of areaToSign is k-11 octets, where k is limited by the
2513key size (see TPM_SS_RSASSAPKCS1v15_DER).
2514Actions
25151. The TPM validates the AuthData to use the key pointed to by keyHandle.
25162. If the areaToSignSize is 0 the TPM returns TPM_BAD_PARAMETER.
25173. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING or TPM_KEY_LEGACY, if not
2518
return the error code TPM_INVALID_KEYUSAGE
25194. The TPM verifies that the signature scheme and key size can properly sign the
2520
areaToSign parameter.
25215. If signature scheme is TPM_SS_RSASSAPKCS1v15_SHA1 then
2522
a. Validate that areaToSignSize is 20 return TPM_BAD_PARAMETER on error
2523
b. Set S1 to areaToSign
25246. Else if signature scheme is TPM_SS_RSASSAPKCS1v15_DER then
2525
2526
a. Validate that areaToSignSize is at least 11 bytes less than the key size, return
TPM_BAD_PARAMETER on error
2527
b. Set S1 to areaToSign
25287. else if signature scheme is TPM_SS_RSASSAPKCS1v15_INFO then
2529
a. Create S2 a TPM_SIGN_INFO structure
2530
b. Set S2 -> fixed to “SIGN”
2531
c. Set S2 -> replay to nonceOdd
2532
2533
i. If nonceOdd is not present due to an unauthorized command return
TPM_BAD_PARAMETER
2534
d. Set S2 -> dataLen to areaToSignSize
2535
e. Set S2 -> data to areaToSign
2536
f. Set S1 to the SHA-1(S2)
25378. Else return TPM_INVALID_KEYUSAGE
25389. The TPM computes the signature, sig, using the key referenced by keyHandle using S1
2539
as the value to sign
254010.Return the computed signature in Sig
633
634
130
Level 2 Revision 116 28 February 2011
TCG Published
635TPM Main Part 3 Commands
TCG © Copyright
636Specification Version 1.2
254113.6
TPM_GetRandom
2542Start of informative comment:
2543TPM_GetRandom returns the next bytesRequested bytes from the random number
2544generator to the caller.
2545It is recommended that a TPM implement the RNG in a manner that would allow it to return
2546RNG bytes such that the frequency of bytesRequested being more than the number of bytes
2547available is an infrequent occurrence.
2548End of informative comment.
2549Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetRandom.
4
4
2S
4
UINT32
bytesRequested
Number of bytes to return
#
SZ
1
#
SZ
2550Outgoing Operands and Sizes
PARAM
#
SZ
1
4
3
4
#
SZ
Type
Name
Description
TPM_TAG
2
2
HMAC
tag
TPM_TAG_RSP_COMMAND
UINT32
paramSize
Total number of output bytes including paramSize and tag
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetRandom.
4
4
3S
4
UINT32
randomBytesSize
The number of bytes returned
5
<>
4S
<>
BYTE[ ]
randomBytes
The returned bytes
2551Actions
25521. The TPM determines if amount bytesRequested is available from the TPM.
25532. Set randomBytesSize to the number of bytes available from the RNG. This number MAY
2554
be less than bytesRequested.
25553. Set randomBytes to the next randomBytesSize bytes from the RNG
637Level 2 Revision 116 28 February 2011
638
131
TCG Published
639Copyright © TCG
640
641
255613.7
TPM Main Part 3 Commands
Specification Version 1.2
TPM_StirRandom
2557Start of informative comment:
2558TPM_StirRandom adds entropy to the RNG state.
2559End of informative comment.
2560Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_StirRandom
4
4
2S
4
UINT32
dataSize
Number of bytes of input
5
<>
3S
<>
BYTE[ ]
inData
Data to add entropy to RNG state
Type
Name
Description
#
SZ
1
#
SZ
2561Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_StirRandom
2562Actions
25631. If dataSize is not less than 256 bytes, the TPM MAY return TPM_BAD_PARAMETER.
25642. The TPM updates the state of the current RNG using the appropriate mixing function.
642
643
132
Level 2 Revision 116 28 February 2011
TCG Published
644TPM Main Part 3 Commands
TCG © Copyright
645Specification Version 1.2
256513.8
TPM_CertifyKey
2566Start of informative comment:
2567The TPM_CertifyKey operation allows one key to certify the public portion of another key.
2568A TPM identity key may be used to certify non-migratable keys but is not permitted to
2569certify migratory keys or certified migration keys. As such, it allows the TPM to make the
2570statement “this key is held in a TPM-shielded location, and it will never be revealed.” For
2571this statement to have veracity, the Challenger must trust the policies used by the entity
2572that issued the identity and the maintenance policy of the TPM manufacturer.
2573Signing and legacy keys may be used to certify both migratable and non-migratable keys.
2574Then the usefulness of a certificate depends on the trust in the certifying key by the
2575recipient of the certificate.
2576The key to be certified must be loaded before TPM_CertifyKey is called.
2577The determination to use the TPM_CERTIFY_INFO or TPM_CERTIFY_INFO2 on the output is
2578based on which PCRs and what localities the certified key is restricted to. A key to be
2579certified that does not have locality restrictions and which uses no PCRs greater than PCR
2580#15 will cause this command to return and sign a TPM_CERTIFY_INFO structure, which
2581provides compatibility with V1.1 TPMs.
2582When this command is run to certify all other keys (those that use PCR #16 or higher, as
2583well as those limited by locality in any way), it will return and sign a TPM_CERTIFY_INFO2
2584structure.
2585TPM_CertifyKey does not support the case where (a) the certifying key requires a usage
2586authorization to be provided but (b) the key-to-be-certified does not. In such cases,
2587TPM_CertifyKey2 must be used. TPM_CertifyKey cannot be used to certify CMKs.
2588If a command tag (in the parameter array) specifies only one authorisation session, then the
2589TPM convention is that the first session listed is ignored (authDataUsage must be
2590TPM_AUTH_NEVER for this key) and the incoming session data is used for the second auth
2591session in the list. In TPM_CertifyKey, the first session is the certifying key and the second
2592session is the key-to-be-certified. In TPM_CertifyKey2, the first session is the key-to-be2593certified and the second session is the certifying key.
2594The key handles of both the certifying key and the key to be certified are not included in the
2595HMAC protecting the command. This permits key handle virtualization (swapping of keys
2596in and out of the TPM that results in different key handles while at the same time
2597maintaining key identifiers of upper layer software). In environments where the interface to
2598the TPM is accessible by other parties, the key handles not being protected allows an
2599attacker to change the handle of the key to be certified. This can be avoided by processing
2600this command within a transport session and making sure that antiReplay indeed contains
2601a nonce.
2602End of informative comment.
646Level 2 Revision 116 28 February 2011
647
133
TCG Published
648Copyright © TCG
649
650
TPM Main Part 3 Commands
Specification Version 1.2
2603Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CertifyKey
4
4
TPM_KEY_HANDLE
certHandle
Handle of the key to be used to certify the key.
5
4
TPM_KEY_HANDLE
keyHandle
Handle of the key to be certified.
6
20
TPM_NONCE
antiReplay
160 bits of externally supplied data (typically a nonce provided to
prevent replay-attacks)
7
4
TPM_AUTHHANDLE
certAuthHandle
The authorization session handle used for certHandle.
#
SZ
1
#
1S
2S
SZ
4
20
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with certAuthHandle
9
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
10
20
TPM_AUTHDATA
certAuth
The authorization session digest for inputs and certHandle. HMAC key:
certKey.auth.
11
4
TPM_AUTHHANDLE
keyAuthHandle
The authorization session handle used for the key to be signed.
2H2
20
TPM_NONCE
keylastNonceEven
Even nonce previously generated by TPM
12
3H2
20
TPM_NONCE
keynonceOdd
Nonce generated by system associated with keyAuthHandle
13
1
4H2
1
BOOL
continueKeySession
The continue use flag for the authorization session handle
14
651
652
20
20
TPM_AUTHDATA
keyAuth
The authorization session digest for the inputs and key to be signed.
HMAC key: key.usageAuth.
134
Level 2 Revision 116 28 February 2011
TCG Published
653TPM Main Part 3 Commands
TCG © Copyright
654Specification Version 1.2
2604Outgoing Operands and Sizes
Param
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
Sz
1
#
Sz
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CertifyKey
4
<>
3S
<>
TPM_CERTIFY_INFO
certifyInfo
TPM_CERTIFY_INFO or TPM_CERTIFY_INFO2 structure that
provides information relative to keyhandle
5
4
4S
4
UINT32
outDataSize
The used size of the output area for outData
6
<>
5S
<>
BYTE[ ]
outData
The signature of certifyInfo
7
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with certAuthHandle
4H1
1
BOOL
continueAuthSession
Continue use flag for cert key session
20
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters and
parentHandle. HMAC key: certKey -> auth.
2H2
20
TPM_NONCE
keyNonceEven
Even nonce newly generated by TPM
3H2
20
TPM_NONCE
keynonceOdd
Nonce generated by system associated with keyAuthHandle
4H2
1
BOOL
continueKeySession
Continue use flag for target key session
TPM_AUTHDATA
keyAuth
The authorization session digest for the target key. HMAC key:
key.auth.
8
1
9
20
10
20
11
1
12
20
2605Actions
26061. The TPM validates that the key pointed to by certHandle has a signature scheme of
2607
TPM_SS_RSASSAPKCS1v15_SHA1 or TPM_SS_RSASSAPKCS1v15_INFO
26082. Verify command and key AuthData values:
2609
a. If tag is TPM_TAG_RQU_AUTH2_COMMAND
2610
2611
i. The TPM verifies the AuthData in certAuthHandle provides authorization to
use the key pointed to by certHandle, return TPM_AUTHFAIL on error
2612
2613
ii. The TPM verifies the AuthData in keyAuthHandle provides authorization to
use the key pointed to by keyHandle, return TPM_AUTH2FAIL on error
2614
b. else if tag is TPM_TAG_RQU_AUTH1_COMMAND
2615
2616
i. Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by
certHandle, return TPM_AUTHFAIL on error.
2617
2618
ii. The TPM verifies the AuthData in keyAuthHandle provides authorization to
use the key pointed to by keyHandle, return TPM_AUTHFAIL on error
2619
2620
2621
c. else if tag is TPM_TAG_RQU_COMMAND
i. Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by
certHandle, return TPM_AUTHFAIL on error.
655Level 2 Revision 116 28 February 2011
656
135
TCG Published
657Copyright © TCG
658
659
2622
2623
2624
TPM Main Part 3 Commands
Specification Version 1.2
ii. Verify
that
authDataUsage
is
TPM_AUTH_NEVER
or
TPM_NO_READ_PUBKEY_AUTH for the key referenced by keyHandle, return
TPM_AUTHFAIL on error.
26253. If keyHandle -> payload is not TPM_PT_ASYM, return TPM_INVALID_KEYUSAGE.
26264. If the key pointed to by certHandle is an identity key (certHandle -> keyUsage is
2627
TPM_KEY_IDENTITY)
2628
a. If keyHandle -> keyFlags -> migratable is TRUE return TPM_MIGRATEFAIL
26295. Validate that certHandle -> keyUsage is TPM_KEY_SIGN, TPM_KEY_IDENTITY or
2630
TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE
26316. Validate that keyHandle -> keyUsage is TPM_KEY_SIGN, TPM_KEY_STORAGE,
2632
TPM_KEY_IDENTITY,
TPM_KEY_BIND
or
TPM_KEY_LEGACY,
if
not
return
2633
TPM_INVALID_KEYUSAGE
26347. If keyHandle -> digestAtRelease requires the use of PCRs 16 or higher to calculate or if
2635
keyHandle -> localityAtRelease is not 0x1F
2636
a. Set V1 to 1.2
26378. Else
2638
a. Set V1 to 1.1
26399. If keyHandle -> pcrInfoSize is not 0
2640
a. If keyHandle -> keyFlags has pcrIgnoredOnRead set to FALSE
2641
2642
2643
i. Create a digestAtRelease according to the specified TPM_STCLEAR_DATA ->
PCR registers and compare to keyHandle -> digestAtRelease and if a mismatch
return TPM_WRONGPCRVAL
2644
ii. If specified validate any locality requests on error TPM_BAD_LOCALITY
2645
b. If V1 is 1.1
2646
i.
2647
ii. Fill in C1 with the information from the key pointed to by keyHandle
2648
iii. The TPM MUST set c1 -> pcrInfoSize to 44.
2649
2650
iv. The TPM MUST set c1 -> pcrInfo to a TPM_PCR_INFO structure properly filled
out using the information from keyHandle.
2651
v. The TPM MUST set c1 -> digestAtCreation to 20 bytes of 0x00.
Create C1 a TPM_CERTIFY_INFO structure
2652
c. Else
2653
i.
2654
ii. Fill in C1 with the information from the key pointed to by keyHandle
2655
2656
iii. Set C1 -> pcrInfoSize to the size of an appropriate TPM_PCR_INFO_SHORT
structure.
2657
2658
iv. Set C1 -> pcrInfo to a properly filled out TPM_PCR_INFO_SHORT structure,
using the information from keyHandle.
2659
v. Set C1 -> migrationAuthoritySize to 0
660
661
Create C1 a TPM_CERTIFY_INFO2 structure
136
Level 2 Revision 116 28 February 2011
TCG Published
662TPM Main Part 3 Commands
TCG © Copyright
663Specification Version 1.2
266010.Else
2661
a. Create C1 a TPM_CERTIFY_INFO structure
2662
b. Fill in C1 with the information from the key pointed to by keyHandle
2663
c. The TPM MUST set c1 -> pcrInfoSize to 0
266411.Create TPM_DIGEST H1 which is the SHA-1 hash of keyHandle -> pubKey -> key. Note
2665
that <key> is the actual public modulus, and does not include any structure formatting.
266612.Set C1 -> pubKeyDigest to H1
266713.The TPM copies the antiReplay parameter to c1 -> data.
266814.The TPM sets certifyInfo to C1.
266915.The TPM creates m1, a message digest formed by taking the SHA-1 of c1.
2670
2671
a. The TPM then computes a signature using certHandle -> sigScheme. The resulting
signed blob is returned in outData.
664Level 2 Revision 116 28 February 2011
665
137
TCG Published
666Copyright © TCG
667
668
267213.9
TPM Main Part 3 Commands
Specification Version 1.2
TPM_CertifyKey2
2673Start of informative comment:
2674This command is based on TPM_CertifyKey, but includes the ability to certify a Certifiable
2675Migration Key (CMK), which requires extra input parameters.
2676TPM_CertifyKey2 always produces a TPM_CERTIFY_INFO2 structure.
2677TPM_CertifyKey2 does not support the case where (a) the key-to-be-certified requires a
2678usage authorization to be provided but (b) the certifying key does not.
2679If a command tag (in the parameter array) specifies only one authorisation session, then the
2680TPM convention is that the first session listed is ignored (authDataUsage must be
2681TPM_NO_READ_PUBKEY_AUTH or TPM_AUTH_NEVER for this key) and the incoming
2682session data is used for the second auth session in the list. In TPM_CertifyKey2, the first
2683session is the key to be certified and the second session is the certifying key.
2684The key handles of both the certifying key and the key to be certified are not included in the
2685HMAC protecting the command. This permits key handle virtualization (swapping of keys
2686in and out of the TPM that results in different key handles while at the same time
2687maintaining key identifiers of upper layer software). In environments where the interface to
2688the TPM is accessible by other parties, the key handles not being protected allows an
2689attacker to change the handle of the key to be certified. This can be avoided by processing
2690this command within a transport session and making sure that antiReplay indeed contains
2691a nonce.
2692End of informative comment.
2693Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CertifyKey2
4
4
TPM_KEY_HANDLE
keyHandle
Handle of the key to be certified.
5
4
TPM_KEY_HANDLE
certHandle
Handle of the key to be used to certify the key.
6
20
2S
20
TPM_DIGEST
migrationPubDigest
The digest of a TPM_MSA_COMPOSITE structure, containing at least
one public key of a Migration Authority
7
20
3S
20
TPM_NONCE
antiReplay
160 bits of externally supplied data (typically a nonce provided to
prevent replay-attacks)
8
4
TPM_AUTHHANDLE
keyAuthHandle
The authorization session handle used for the key to be signed.
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
keylastNonceEven
Even nonce previously generated by TPM
9
20
3H1
20
TPM_NONCE
keynonceOdd
Nonce generated by system associated with keyAuthHandle
10
1
4H1
1
BOOL
continueKeySession
The continue use flag for the authorization session handle
11
20
TPM_AUTHDATA
keyAuth
The authorization session digest for the inputs and key to be signed.
HMAC key: key.usageAuth.
12
4
TPM_AUTHHANDLE
certAuthHandle
The authorization session handle used for certHandle.
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
2H2
669
670
20
138
Level 2 Revision 116 28 February 2011
TCG Published
671TPM Main Part 3 Commands
TCG © Copyright
672Specification Version 1.2
13
20
3H2
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with certAuthHandle
14
1
4H2
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
15
20
TPM_AUTHDATA
certAuth
Authorization HMAC key: certKey.auth.
673Level 2 Revision 116 28 February 2011
674
139
TCG Published
675Copyright © TCG
676
677
TPM Main Part 3 Commands
Specification Version 1.2
2694Outgoing Operands and Sizes
Param
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
Sz
1
#
Sz
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CertifyKey2
4
<>
3S
<>
TPM_CERTIFY_INFO2
certifyInfo
TPM_CERTIFY_INFO2 relative to keyHandle
5
4
4S
4
UINT32
outDataSize
The used size of the output area for outData
6
<>
5S
<>
BYTE[ ]
outData
The signed public key.
7
20
2H1
20
TPM_NONCE
keyNonceEven
Even nonce newly generated by TPM
3H1
20
TPM_NONCE
keyNonceOdd
Nonce generated by system associated with certAuthHandle
4H1
1
BOOL
keyContinueAuthSession
Continue use flag for cert key session
20
TPM_AUTHDATA
keyResAuth
Authorization HMAC key: keyHandle -> auth.
2H2
20
TPM_NONCE
certNonceEven
Even nonce newly generated by TPM
3H2
20
TPM_NONCE
AuthLastNonceOdd
Nonce generated by system associated with certAuthHandle
1
BOOL
CertContinueAuthSession
Continue use flag for cert key session
20
TPM_AUTHDATA
certResAuth
Authorization HMAC key: certHandle -> auth.
8
1
9
20
10
20
11
1
12
20
4H2
2695Actions
26961. The TPM validates that the key pointed to by certHandle has a signature scheme of
2697
TPM_SS_RSASSAPKCS1v15_SHA1 or TPM_SS_RSASSAPKCS1v15_INFO
26982. Verify command and key AuthData values:
2699
a. If tag is TPM_TAG_RQU_AUTH2_COMMAND
2700
2701
i. The TPM verifies the AuthData in keyAuthHandle provides authorization to
use the key pointed to by keyHandle, return TPM_AUTHFAIL on error
2702
2703
ii. The TPM verifies the AuthData in certAuthHandle provides authorization to
use the key pointed to by certHandle, return TPM_AUTH2FAIL on error
2704
b. else if tag is TPM_TAG_RQU_AUTH1_COMMAND
2705
2706
2707
i. Verify
that
authDataUsage
is
TPM_AUTH_NEVER
or
TPM_NO_READ_PUBKEY_AUTH for the key referenced by keyHandle, return
TPM_AUTHFAIL on error
2708
2709
ii. The TPM verifies the AuthData in certAuthHandle provides authorization to
use the key pointed to by certHandle, return TPM_AUTH2FAIL on error
2710
c. else if tag is TPM_TAG_RQU_COMMAND
2711
2712
2713
678
679
i. Verify
that
authDataUsage
is
TPM_AUTH_NEVER
or
TPM_NO_READ_PUBKEY_AUTH for the key referenced by keyHandle, return
TPM_AUTHFAIL on error
140
Level 2 Revision 116 28 February 2011
TCG Published
680TPM Main Part 3 Commands
TCG © Copyright
681Specification Version 1.2
2714
2715
ii. Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by
certHandle, return TPM_AUTHFAIL on error.
27163. If the key pointed to by certHandle is an identity key (certHandle -> keyUsage is
2717
TPM_KEY_IDENTITY)
2718
2719
2720
2721
a. If keyHandle -> keyFlags -> migratable is TRUE and [keyHandle -> keyFlags->
migrateAuthority is FALSE or (keyHandle -> payload != TPM_PT_MIGRATE_RESTRICTED
and
keyHandle
->
payload
!=
TPM_PT_MIGRATE_EXTERNAL)]
return
TPM_MIGRATEFAIL
27224. Validate that certHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY or
2723
TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE
27245. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_STORAGE,
2725
TPM_KEY_IDENTITY,
TPM_KEY_BIND
or
TPM_KEY_LEGACY,
if
not
return
2726
TPM_INVALID_KEYUSAGE
27276. The TPM SHALL create a c1 a TPM_CERTIFY_INFO2 structure from the key pointed to
2728
by keyHandle
27297. Create TPM_DIGEST H1 which is the SHA-1 hash of keyHandle -> pubKey -> key. Note
2730
that <key> is the actual public modulus, and does not include any structure formatting.
27318. Set C1 -> pubKeyDigest to H1
27329. Copy the antiReplay parameter to c1 -> data
273310.Copy other keyHandle parameters into C1
273411.If
keyHandle
->
payload
2735
TPM_PT_MIGRATE_EXTERNAL
==
TPM_PT_MIGRATE_RESTRICTED
or
2736
2737
a. create thisPubKey, a TPM_PUBKEY structure containing the public key, algorithm
and parameters corresponding to keyHandle
2738
b. Verify that the migration authorization is valid for this key
2739
i.
2740
ii. Set M2 -> msaDigest to migrationPubDigest
2741
iii. Set M2 -> pubkeyDigest to SHA-1[thisPubKey]
2742
2743
iv. Verify that [keyHandle -> migrationAuth] == HMAC(M2) signed by using
tpmProof as the secret and return error TPM_MA_SOURCE on mismatch
Create M2 a TPM_CMK_MIGAUTH structure
2744
c. Set C1 -> migrationAuthority = SHA-1(migrationPubDigest || keyHandle -> payload)
2745
d. if keyHandle -> payload == TPM_PT_MIGRATE_RESTRICTED
2746
2747
i.
Set C1 -> payloadType = TPM_PT_MIGRATE_RESTRICTED
e. if keyHandle -> payload == TPM_PT_MIGRATE_EXTERNAL
2748
i.
Set C1 -> payloadType = TPM_PT_MIGRATE_EXTERNAL
274912.Else
2750
a. set C1 -> migrationAuthority = NULL
2751
b. set C1 -> migrationAuthoritySize =0
682Level 2 Revision 116 28 February 2011
683
141
TCG Published
684Copyright © TCG
685
686
2752
TPM Main Part 3 Commands
Specification Version 1.2
c. Set C1 -> payloadType = TPM_PT_ASYM
275313.If keyHandle -> pcrInfoSize is not 0
2754
2755
a. The TPM MUST set c1 -> pcrInfoSize to match the pcrInfoSize from the keyHandle
key.
2756
b. The TPM MUST set c1 -> pcrInfo to match the pcrInfo from the keyHandle key
2757
c. If keyHandle -> keyFlags has pcrIgnoredOnRead set to FALSE
2758
2759
2760
i. Create a digestAtRelease according to the specified TPM_STCLEAR_DATA ->
PCR registers and compare to keyHandle -> digestAtRelease and if a mismatch
return TPM_WRONGPCRVAL
2761
ii. If specified validate any locality requests on error TPM_BAD_LOCALITY
276214.Else
2763
a. The TPM MUST set c1 -> pcrInfoSize to 0
276415.The TPM creates m1, a message digest formed by taking the SHA-1 of c1
2765
2766
687
688
a. The TPM then computes a signature using certHandle -> sigScheme. The resulting
signed blob is returned in outData
142
Level 2 Revision 116 28 February 2011
TCG Published
689TPM Main Part 3 Commands
TCG © Copyright
690Specification Version 1.2
276714.
Endorsement
2768Start of informative comment:
Key Handling
2769There are two create EK commands. The first matches the 1.1 functionality. The second
2770provides the mechanism to enable revokeEK.
2771The TPM and platform manufacturer decide on the inclusion or exclusion of the ability to
2772execute revokeEK.
2773The restriction to have the TPM generate the EK does not remove the manufacturing option
2774to “squirt” the EK. During manufacturing, the TPM does not enforce all protections or
2775requirements; hence, the restriction on only TPM generation of the EK is also not in force.
2776End of informative comment.
27771. A TPM SHALL NOT install an EK unless generated on the TPM by execution of
2778
TPM_CreateEndorsementKeyPair or TPM_CreateRevocableEK
691Level 2 Revision 116 28 February 2011
692
143
TCG Published
693Copyright © TCG
694
695
277914.1
TPM Main Part 3 Commands
Specification Version 1.2
TPM_CreateEndorsementKeyPair
2780Start of informative comment:
2781This command creates the TPM endorsement key. It returns a failure code if an
2782endorsement key already exists.
2783End of informative comment.
2784Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
#
SZ
1
2
#
SZ
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CreateEndorsementKeyPair
4
20
2S
20
TPM_NONCE
antiReplay
Arbitrary data
5
<>
3S
<>
TPM_KEY_PARMS
keyInfo
Information about key to be created, this includes all algorithm parameters
Type
Name
Description
2785Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CreateEndorsementKeyPair
4
<>
3S
<>
TPM_PUBKEY
pubEndorsementKey
The public endorsement key
5
20
4S
20
TPM_DIGEST
checksum
Hash of pubEndorsementKey and antiReplay
2786Actions
27871. If an EK already exists, return TPM_DISABLED_CMD
27882. Validate the keyInfo parameters for the key description
2789
2790
a. If the algorithm type is RSA the key length MUST be a minimum of 2048. For
interoperability the key length SHOULD be 2048
2791
2792
b. If the algorithm type is other than RSA the strength provided by the key MUST be
comparable to RSA 2048
2793
c. The other parameters of keyInfo (encScheme, sigScheme, etc.) are ignored.
27943. Create a key pair called the “endorsement key pair” using a TPM-protected capability.
2795
The type and size of key are that indicated by keyInfo.
Set encScheme to
2796
TPM_ES_RSAESOAEP_SHA1_MGF1.
27974. Create checksum by performing SHA-1 on the concatenation of (PUBEK || antiReplay)
27985. Store the PRIVEK
27996. Create TPM_PERMANENT_DATA -> tpmDAASeed from the TPM RNG
696
697
144
Level 2 Revision 116 28 February 2011
TCG Published
698TPM Main Part 3 Commands
TCG © Copyright
699Specification Version 1.2
28007. Create TPM_PERMANENT_DATA -> daaProof from the TPM RNG
28018. Create TPM_PERMANENT_DATA -> daaBlobKey from the TPM RNG
28029. Set TPM_PERMANENT_FLAGS -> CEKPUsed to TRUE
280310.Set TPM_PERMANENT_FLAGS -> enableRevokeEK to FALSE
700Level 2 Revision 116 28 February 2011
701
145
TCG Published
702Copyright © TCG
703
704
280414.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_CreateRevocableEK
2805Start of informative comment:
2806This command creates the TPM endorsement key. It returns a failure code if an
2807endorsement key already exists. The TPM vendor may have a separate mechanism to create
2808the EK and “squirt” the value into the TPM.
2809The input parameters specify whether the EK is capable of being reset, whether the
2810AuthData value to reset the EK will be generated by the TPM, and the new AuthData value
2811itself if it is not to be generated by the TPM. The output parameter is the new AuthData
2812value that must be used when resetting the EK (if it is capable of being reset).
2813The command TPM_RevokeTrust must be used to reset an EK (if it is capable of being
2814reset).
2815Owner authorisation is unsuitable for authorizing resetting of an EK: someone with
2816Physical Presence can remove a genuine Owner, install a new Owner, and revoke the EK.
2817The genuine Owner can reinstall, but the platform will have lost its original attestation and
2818may not be trusted by challengers. Therefore if a password is to be used to revoke an EK, it
2819must be a separate password, given to the genuine Owner.
2820In v1.2 an OEM has extra choices when creating EKs.
2821a) An OEM could manufacture all of its TPMs with enableRevokeEK==TRUE.
2822If the OEM has tracked the EKreset passwords for these TPMs, the OEM can give the
2823passwords to customers. The customers can use the passwords as supplied, change the
2824passwords, or clear the EKs and create new EKs with new passwords.
2825If EKreset passwords are random values, the OEM can discard those values and not give
2826them to customers. There is then a low probability (statistically zero) chance of a local DOS
2827attack to reset the EK by guessing the password. The chance of a remote DOS attack is zero
2828because Physical Presence must also be asserted to use TPM_RevokeTrust.
2829b) An OEM could manufacture some of its TPMs with enableRevokeEK==FALSE. Then the
2830EK can never be revoked, and the chance of even a local DOS attack on the EK is
2831eliminated.
2832End of informative comment.
2833This is an optional command
705
706
146
Level 2 Revision 116 28 February 2011
TCG Published
707TPM Main Part 3 Commands
TCG © Copyright
708Specification Version 1.2
2834Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CreateRevocableEK
4
20
2S
20
TPM_NONCE
antiReplay
Arbitrary data
5
<>
3S
<>
TPM_KEY_PARMS
keyInfo
Information about key to be created, this includes all algorithm parameters
6
1
4S
1
BOOL
generateReset
If TRUE use TPM RNG to generate EKreset. If FALSE use the passed
value inputEKreset
7
20
5S
20
TPM_NONCE
inputEKreset
The authorization value to be used with TPM_RevokeTrust if
generateReset==FALSE, else the parameter is present but ignored
#
SZ
1
#
SZ
2835Outgoing Operands and Sizes
PARAM
HMAC
#
Type
SZ
Name
Description
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CreateRevocableEK
4
<>
3S
<>
TPM_PUBKEY
pubEndorsementKey
The public endorsement key
5
20
4S
20
TPM_DIGEST
checksum
Hash of pubEndorsementKey and antiReplay
6
20
5S
20
TPM_NONCE
outputEKreset
The AuthData value to use TPM_RevokeTrust
2836Actions
28371. If an EK already exists, return TPM_DISABLED_CMD
28382. Perform the actions of TPM_CreateEndorsementKeyPair, if any errors return with error
28393. Set TPM_PERMANENT_FLAGS -> enableRevokeEK to TRUE
2840
a. If generateReset is TRUE then
2841
i.
2842
b. Else
2843
i.
Set TPM_PERMANENT_DATA -> EKreset to the next value from the TPM RNG
Set TPM_PERMANENT_DATA -> EKreset to inputEKreset
28444. Return PUBEK, checksum and Ekreset
28455.
2846
2847
2848
The outputEKreset AuthData is sent in the clear. There is no uniqueness on the TPM
available to actually perform encryption or use an encrypted channel. The assumption is
that this operation is occurring in a controlled environment and sending the value in the
clear is acceptable.
709Level 2 Revision 116 28 February 2011
710
147
TCG Published
711Copyright © TCG
712
713
284914.3
TPM Main Part 3 Commands
Specification Version 1.2
TPM_RevokeTrust
2850Start of informative comment:
2851This command clears the EK and sets the TPM back to a pure default state. The generation
2852of the AuthData value occurs during the generation of the EK. It is the responsibility of the
2853EK generator to properly protect and disseminate the RevokeTrust AuthData.
2854End of informative comment.
2855This is an optional command
2856Incoming Operands and Sizes
PARAM
HMAC
#
SZ
1
2
2
4
3
4
1S
4
4
20
2S
20
Name
Description
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
UINT32
SZ
Type
#
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_RevokeTrust
TPM_NONCE
EKReset
The value that will be matched to EK Reset
Type
Name
Description
2857Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_RevokeTrust
2858Actions
28591. The TPM MUST validate that TPM_PERMANENT_FLAGS -> enableRevokeEK is TRUE,
2860
return TPM_PERMANENTEK on error
28612. The TPM MUST validate that the EKReset matches TPM_PERMANENT_DATA -> EKReset
2862
return TPM_AUTHFAIL on error.
28633. Ensure that physical presence is being asserted
28644. Perform the actions of TPM_OwnerClear (excepting the command authentication)
2865
2866
a. NV items with the pubInfo -> nvIndex D value set MUST be deleted. This changes the
TPM_OwnerClear handling of the same NV areas
2867
b. Set TPM_PERMANENT_FLAGS -> nvLocked to FALSE
28685. Invalidate TPM_PERMANENT_DATA -> tpmDAASeed
28696. Invalidate TPM_PERMANENT_DATA -> daaProof
28707. Invalidate TPM_PERMANENT_DATA -> daaBlobKey
28718. Invalidate the EK and any internal state associated with the EK
714
715
148
Level 2 Revision 116 28 February 2011
TCG Published
716TPM Main Part 3 Commands
TCG © Copyright
717Specification Version 1.2
287214.4
TPM_ReadPubek
2873Start of informative comment:
2874Return the endorsement key public portion. This value should have controls placed upon
2875access, as it is a privacy sensitive value.
2876The readPubek flag is set to FALSE by TPM_TakeOwnership and set to TRUE by
2877TPM_OwnerClear, thus mirroring if a TPM Owner is present.
2878End of informative comment.
2879Incoming Operands and Sizes
PARAM
HMAC
#
SZ
1
2
2
4
3
4
1S
4
4
20
2S
20
Name
Description
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
UINT32
SZ
Type
#
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReadPubek
TPM_NONCE
antiReplay
Arbitrary data
Type
Name
Description
2880Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReadPubek
4
<>
3S
<>
TPM_PUBKEY
pubEndorsementKey
The public endorsement key
5
20
4S
20
TPM_DIGEST
checksum
Hash of pubEndorsementKey and antiReplay
2881Description
2882This command returns the PUBEK.
2883Actions
2884The TPM_ReadPubek command SHALL
28851. If TPM_PERMANENT_FLAGS -> readPubek is FALSE return TPM_DISABLED_CMD
28862. If no EK is present the TPM MUST return TPM_NO_ENDORSEMENT
28873. Create checksum by performing SHA-1 on the concatenation of (pubEndorsementKey ||
2888
antiReplay).
28894. Export the PUBEK and checksum.
718Level 2 Revision 116 28 February 2011
719
149
TCG Published
720Copyright © TCG
721
722
289014.5
TPM Main Part 3 Commands
Specification Version 1.2
TPM_OwnerReadInternalPub
2891Start of informative comment:
2892A TPM Owner authorized command that returns the public portion of the EK or SRK.
2893The keyHandle parameter is included in the incoming session authorization to prevent
2894alteration of the value, causing a different key to be read. Unlike most key handles, which
2895can be mapped by higher layer software, this key handle has only two fixed values.
2896End of informative comment.
2897Incoming Operands and Sizes
PARAM
HMAC
SZ
1
2
2
4
3
4
1S
4
4
4
2S
4
5
4
Description
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
UINT32
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OwnerReadInternalPub
TPM_KEY_HANDLE
keyHandle
Handle for either PUBEK or SRK
TPM_AUTHHANDLE
#
Name
#
authHandle
The authorization session handle used for owner authentication.
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
6
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
7
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
8
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner authentication.
HMAC key: ownerAuth.
2898Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OwnerReadInternalPub
4
<>
3S
<>
TPM_PUBKEY
publicPortion
The public portion of the requested key
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth.
6
1
7
20
2899Actions
29001. Validate the parameters and TPM Owner AuthData for this command
29012. If keyHandle is TPM_KH_EK
2902
723
724
a. Set publicPortion to PUBEK
150
Level 2 Revision 116 28 February 2011
TCG Published
725TPM Main Part 3 Commands
TCG © Copyright
726Specification Version 1.2
29033. Else If keyHandle is TPM_KH_SRK
2904
a. Set publicPortion to the TPM_PUBKEY of the SRK
29054. Else return TPM_BAD_PARAMETER
29065. Export the public key of the referenced key
727Level 2 Revision 116 28 February 2011
728
151
TCG Published
729Copyright © TCG
730
731
290715.
TPM Main Part 3 Commands
Specification Version 1.2
Identity Creation and Activation
290815.1
TPM_MakeIdentity
2909Start of informative comment:
2910Generate a new Attestation Identity Key (AIK).
2911labelPrivCADigest identifies the privacy CA that the owner expects to be the target CA for
2912the AIK. The selection is not enforced by the TPM. It is advisory only. It is included
2913because the TSS cannot be trusted to send the AIK to the correct privacy CA. The privacy
2914CA can use this parameter to validate that it is the target privacy CA and label intended by
2915the TPM owner at the time the key was created. The label can be used to indicate an
2916application purpose.
2917End of informative comment.
2918Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of input bytes incl. paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_MakeIdentity.
4
20
2S
20
TPM_ENCAUTH
identityAuth
Encrypted usage AuthData for the new identity
5
20
3S
20
TPM_CHOSENID_HASH
labelPrivCADigest
The digest of the identity label and privacy CA chosen for the AIK
6
<>
4S
<>
TPM_KEY
idKeyParams
Structure containing all parameters of new identity key.
pubKey.keyLength & idKeyParams.encData are both 0 MAY be TPM_KEY12
7
4
TPM_AUTHHANDLE
srkAuthHandle
The authorization session handle used for SRK authorization.
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
srkLastNonceEven
Even nonce previously generated by TPM
8
3H1
20
TPM_NONCE
srknonceOdd
Nonce generated by system associated with srkAuthHandle
9
1
4H1
1
BOOL
continueSrkSession
Ignored
10
20
TPM_AUTHDATA
srkAuth
The authorization session digest for the inputs and the SRK. HMAC
key: srk.usageAuth.
11
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
Session type MUST be OSAP.
2H2
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
12
20
3H2
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
13
1
4H2
1
BOOL
continueAuthSession
Ignored
14
732
733
20
20
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner. HMAC key:
ownerAuth.
152
Level 2 Revision 116 28 February 2011
TCG Published
734TPM Main Part 3 Commands
TCG © Copyright
735Specification Version 1.2
2919Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal:TPM_ORD_MakeIdentity.
4
<>
3S
<>
TPM_KEY
idKey
The newly created identity key. MAY be TPM_KEY12
5
4
4S
4
UINT32
identityBindingSize
The used size of the output area for identityBinding
6
<>
5S
<>
BYTE[ ]
identityBinding
Signature of TPM_IDENTITY_CONTENTS using idKey.private.
7
20
2H2
20
TPM_NONCE
srkNonceEven
Even nonce newly generated by TPM.
3H2
20
TPM_NONCE
srknonceOdd
Nonce generated by system associated with srkAuthHandle
4H2
1
BOOL
continueSrkSession
Continue use flag. Fixed value of FALSE
TPM_AUTHDATA
srkAuth
The authorization session digest used for the outputs and srkAuth
session. HMAC key: srk.usageAuth.
8
1
9
20
10
20
1
12
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
11
2H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag. Fixed value of FALSE
20
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth.
20
2920Description
2921The public key of the new TPM identity SHALL be identityPubKey. The private key of the
2922new TPM identity SHALL be tpm_signature_key.
2923Properties of the new identity
Type
Name
Description
TPM_PUBKEY
identityPubKey
This SHALL be the public key of a previously unused asymmetric key pair.
TPM_STORE_ASYMKEY
tpm_signature_key
This SHALL be the private key that forms a pair with identityPubKey and SHALL be
extant only in a TPM-shielded location.
2924
2925This capability also generates a TPM_KEY containing the tpm_signature_key.
2926If identityPubKey is stored on a platform it SHALL exist only in storage to which access is
2927controlled and is available to authorized entities.
2928The signing of TPM_ID_CONTENTS is not an authorized use of the key.
2929TPM_PCR_INFO_xxx “…AtRelease” values are not validated.
The
2930Actions
2931A Trusted Platform Module that receives a valid TPM_MakeIdentity command SHALL do the
2932following:
29331. Validate the idKeyParams parameters for the key description
736Level 2 Revision 116 28 February 2011
737
153
TCG Published
738Copyright © TCG
739
740
TPM Main Part 3 Commands
Specification Version 1.2
2934
2935
a. If the algorithm type is RSA, the key length MUST be a minimum of 2048 and MUST
use the default exponent. For interoperability the key length SHOULD be 2048.
2936
2937
b. If the algorithm type is other than RSA the strength provided by the key MUST be
comparable to RSA 2048
2938
2939
c. If the TPM is not designed to create a key of the requested type, return the error code
TPM_BAD_KEY_PROPERTY
2940
d. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then
2941
i.
If authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS
29422. Use authHandle to verify that the Owner authorized all TPM_MakeIdentity input
2943
parameters.
29443. Use srkAuthHandle to verify that the SRK owner authorized all TPM_MakeIdentity input
2945
parameters.
29464. Verify that idKeyParams -> keyUsage is TPM_KEY_IDENTITY. If it is not, return
2947
TPM_INVALID_KEYUSAGE
29485. Verify that idKeyParams -> keyFlags -> migratable is FALSE. If it is not, return
2949
TPM_INVALID_KEYUSAGE
29506. Create a1 by decrypting identityAuth according to the ADIP indicated by authHandle.
29517. Set continueAuthSession and continueSRKSession to FALSE.
29528. Determine the structure version
2953
a. If idKeyParams -> tag is TPM_TAG_KEY12
2954
i.
2955
2956
ii. Create idKey a TPM_KEY12 structure using idKeyParams as the default values
for the structure
2957
Set V1 to 2
b. If idKeyParams -> ver is 1.1
2958
i.
2959
2960
ii. Create idKey a TPM_KEY structure using idKeyParams as the default values
for the structure
Set V1 to 1
29619. Set the digestAtCreation values for pcrInfo
2962
a. For TPM_PCR_INFO_LONG include the locality of the current command
296310.Create an asymmetric key pair (identityPubKey and tpm_signature_key) using a TPM2964
protected capability, in accordance with the algorithm specified in idKeyParams
296511.Ensure that the AuthData information in A1 is properly stored in the idKey as
2966
usageAuth.
296712.Attach identityPubKey and tpm_signature_key to idKey
296813.Set idKey -> migrationAuth to TPM_PERMANENT_DATA-> tpmProof
296914.Ensure that all TPM_PAYLOAD_TYPE structures identify this key as TPM_PT_ASYM
297015.Encrypt the private portion of idKey using the SRK as the parent key
741
742
154
Level 2 Revision 116 28 February 2011
TCG Published
743TPM Main Part 3 Commands
TCG © Copyright
744Specification Version 1.2
297116.Create
a
TPM_IDENTITY_CONTENTS
structure
2972
labelPrivCADigest and the information from idKey
named
idContents
using
297317.Sign idContents using tpm_signature_key and TPM_SS_RSASSAPKCS1v15_SHA1. Store
2974
the result in identityBinding.
745Level 2 Revision 116 28 February 2011
746
155
TCG Published
747Copyright © TCG
748
749
297515.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_ActivateIdentity
2976Start of informative comment:
2977The purpose of TPM_ActivateIdentity is to twofold. The first purpose is to obtain assurance
2978that the credential in the TPM_SYM_CA_ATTESTATION is for this TPM. The second purpose
2979is to obtain the session key used to encrypt the TPM_IDENTITY_CREDENTIAL.
2980This is an extension to the 1.1 functionality of TPM_ActivateIdentity. The blob sent to from
2981the CA can be in the 1.1 format or the 1.2 format. The TPM determines the type from the
2982size or version information in the blob.
2983TPM_ActivateIdentity checks that the symmetric session key corresponds to a TPM-identity
2984before releasing that session key.
2985Only the Owner of the TPM has the privilege of activating a TPM identity. The Owner is
2986required to authorize the TPM_ActivateIdentity command. The owner may authorize the
2987command using either the TPM_OIAP or TPM_OSAP authorization protocols.
2988The creator of the ActivateIdentity package can specify if any PCR values are to be checked
2989before releasing the session key.
2990End of informative comment.
2991Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of input bytes incl. paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ActivateIdentity
4
4
TPM_KEY_HANDLE
idKeyHandle
Identity key to be activated
5
4
2S
4
UINT32
blobSize
Size of encrypted blob from CA
6
<>
3S
<>
BYTE [ ]
blob
The encrypted ASYM_CA_CONTENTS or TPM_EK_BLOB
7
4
TPM_AUTHHANDLE
idKeyAuthHandle
The authorization session handle used for ID key authorization.
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
idKeyLastNonceEven
Even nonce previously generated by TPM
8
20
3H1
20
TPM_NONCE
idKeynonceOdd
Nonce generated by system associated with idKeyAuthHandle
9
1
4H1
1
BOOL
continueIdKeySession
Continue usage flag for idKeyAuthHandle.
10
20
TPM_AUTHDATA
idKeyAuth
The authorization session digest for the inputs and ID key. HMAC key:
idKey.usageAuth.
11
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
2H2
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
12
3H2
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
13
1
4H2
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
14
750
751
20
20
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner. HMAC key:
ownerAuth.
156
Level 2 Revision 116 28 February 2011
TCG Published
752TPM Main Part 3 Commands
TCG © Copyright
753Specification Version 1.2
2992Outgoing Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal:TPM_ORD_ActivateIdentity
4
<>
3S
<>
TPM_SYMMETRIC_KEY
symmetricKey
The decrypted symmetric key.
5
20
2H1
20
TPM_NONCE
idKeyNonceEven
Even nonce newly generated by TPM.
3H1
20
TPM_NONCE
idKeynonceOdd
Nonce generated by system associated with idKeyAuthHandle
4H1
1
BOOL
continueIdKeySession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
idKeyAuth
The authorization session digest used for the returned parameters and
idKeyAuth session. HMAC key: idKey.usageAuth.
6
1
7
20
8
20
1
10
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H2
9
2H2
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H2
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
20
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC
key: ownerAuth.
20
2993Description
29941. The command TPM_ActivateIdentity activates a TPM identity created using the command
2995
TPM_MakeIdentity.
29962. The command assumes the availability of the private key associated with the identity.
2997
The command will verify the association between the keys during the process.
29983. The command will decrypt the input blob and extract the session key and verify the
2999
connection between the public and private keys. The input blob can be in 1.1 or 1.2
3000
format.
3001Actions
3002A Trusted Platform Module that receives a valid TPM_ActivateIdentity command SHALL do
3003the following:
30041. Using the authHandle field, validate the owner’s AuthData to execute the command and
3005
all of the incoming parameters.
30062. Using the idKeyAuthHandle, validate the AuthData to execute command and all of the
3007
incoming parameters
30083. Validate that the idKey is the public key of a valid TPM identity by checking that
3009
idKeyHandle -> keyUsage is TPM_KEY_IDENTITY. Return TPM_BAD_PARAMETER on
3010
mismatch
30114. Create H1 the digest of a TPM_PUBKEY derived from idKey
30125. Decrypt blob creating B1 using PRIVEK as the decryption key
30136. Determine the type and version of B1
754Level 2 Revision 116 28 February 2011
755
157
TCG Published
756Copyright © TCG
757
758
3014
TPM Main Part 3 Commands
Specification Version 1.2
a. If B1 -> tag is TPM_TAG_EK_BLOB then
3015
i.
3016
b. Else
3017
3018
3019
B1 is a TPM_EK_BLOB
i. B1 is a TPM_ASYM_CA_CONTENTS. As there is no tag for this structure it is
possible for the TPM to make a mistake here but other sections of the structure
undergo validation
30207. If B1 is a version 1.1 TPM_ASYM_CA_CONTENTS then
3021
a. Compare H1 to B1 -> idDigest on mismatch return TPM_BAD_PARAMETER
3022
b. Set K1 to B1 -> sessionKey
30238. If B1 is a TPM_EK_BLOB then
3024
3025
a. Validate that B1 -> ekType is TPM_EK_TYPE_ACTIVATE, return TPM_BAD_TYPE if
not.
3026
b. Assign A1 as a TPM_EK_BLOB_ACTIVATE structure from B1 -> blob
3027
c. Compare H1 to A1 -> idDigest on mismatch return TPM_BAD_PARAMETER
3028
d. If A1 -> pcrSelection is not NULL
3029
i.
3030
3031
ii. Compare
C1
to
A1
->
TPM_WRONGPCRVAL on a mismatch
3032
3033
e. If A1 -> pcrInfo specifies a locality ensure that the appropriate locality has
been asserted, return TPM_BAD_LOCALITY on error
3034
Compute a composite hash C1 using the PCR selection A1 -> pcrSelection
pcrInfo->digestAtRelease
and
return
f. Set K1 to A1 -> symmetricKey
30359. Return K1
759
760
158
Level 2 Revision 116 28 February 2011
TCG Published
761TPM Main Part 3 Commands
TCG © Copyright
762Specification Version 1.2
303616.
Integrity Collection
3037Start of informative comment:
and Reporting
3038This section deals with what commands have direct access to the PCR
3039End of informative comment.
30401. The TPM SHALL only allow the following commands to alter the value of
3041
TPM_STCLEAR_DATA -> PCR
3042
a. TPM_Extend
3043
b. TPM_SHA1CompleteExtend
3044
c. TPM_Startup
3045
d. TPM_PCR_Reset
763Level 2 Revision 116 28 February 2011
764
159
TCG Published
765Copyright © TCG
766
767
304616.1
TPM Main Part 3 Commands
Specification Version 1.2
TPM_Extend
3047Start of informative comment:
3048This adds a new measurement to a PCR
3049End of informative comment.
3050Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Extend.
4
4
2S
4
TPM_PCRINDEX
pcrNum
The PCR to be updated.
5
20
3S
20
TPM_DIGEST
inDigest
The 160 bit value representing the event to be recorded.
Type
Name
Description
#
SZ
1
#
SZ
3051Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
20
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Extend.
3S
20
TPM_PCRVALUE
outDigest
The PCR value after execution of the command.
3052Description
3053Add a measurement value to a PCR
3054Actions
30551. Validate that pcrNum represents a legal PCR number. On error, return TPM_BADINDEX.
30562. Map L1 to TPM_STANY_FLAGS -> localityModifier
30573. Map P1 to TPM_PERMANENT_DATA -> pcrAttrib [pcrNum]. pcrExtendLocal
30584. If, for the value of L1, the corresponding bit is not set in the bit map P1, return
3059
TPM_BAD_LOCALITY
30605. Create c1 by concatenating (TPM_STCLEAR_DATA -> PCR[pcrNum] || inDigest). This
3061
takes the current PCR value and concatenates the inDigest parameter.
30626. Create h1 by performing a SHA-1 digest of c1.
30637. Store h1 to TPM_STCLEAR_DATA -> PCR[pcrNum]
30648. If TPM_PERMANENT_FLAGS -> disable is TRUE or TPM_STCLEAR_FLAGS -> deactivated
3065
is TRUE
768
769
160
Level 2 Revision 116 28 February 2011
TCG Published
770TPM Main Part 3 Commands
TCG © Copyright
771Specification Version 1.2
3066
a. Set outDigest to 20 bytes of 0x00
30679. Else
3068
a. Set outDigest to h1
772Level 2 Revision 116 28 February 2011
773
161
TCG Published
774Copyright © TCG
775
776
306916.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_PCRRead
3070Start of informative comment:
3071The TPM_PCRRead operation provides non-cryptographic reporting of the contents of a
3072named PCR.
3073End of informative comment.
3074Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_PCRRead.
4
4
2S
4
TPM_PCRINDEX
pcrIndex
Index of the PCR to be read
Type
Name
Description
#
SZ
1
#
SZ
3075Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
20
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_PCRRead.
3S
20
TPM_PCRVALUE
outDigest
The current contents of the named PCR
3076Description
3077The TPM_PCRRead operation returns the current contents of the named register to the
3078caller.
3079Actions
30801. Validate that pcrIndex
3081
TPM_BADINDEX.
represents
a
legal
PCR
number.
On
error,
return
30822. Set outDigest to TPM_STCLEAR_DATA -> PCR[pcrIndex]
30833. Return TPM_SUCCESS
3084
777
778
162
Level 2 Revision 116 28 February 2011
TCG Published
779TPM Main Part 3 Commands
TCG © Copyright
780Specification Version 1.2
308516.3
TPM_Quote
3086Start of informative comment:
3087The TPM_Quote operation provides cryptographic reporting of PCR values. A loaded key is
3088required for operation. TPM_Quote uses a key to sign a statement that names the current
3089value of a chosen PCR and externally supplied data (which may be a nonce supplied by a
3090Challenger).
3091The term "ExternalData" is used because an important use of TPM_Quote is to provide a
3092digital signature on arbitrary data, where the signature includes the PCR values of the
3093platform at time of signing. Hence the "ExternalData" is not just for anti-replay purposes,
3094although it is (of course) used for that purpose in an integrity challenge.
3095TPM_Quote should not use a TPM_KEY_SIGNING, because there is no way for the remote
3096party to tell whether TPM_Quote or TPM_Sign created the signature. The exception is a
3097TPM_KEY_SIGNING key with the _INFO signature
scheme,
because
the
metadata
3098differentiates TPM_Sign from TPM_Quote.
3099End of informative comment.
3100Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Quote.
4
4
TPM_KEY_HANDLE
keyHandle
The keyHandle identifier of a loaded key that can sign the PCR values.
5
20
2S
20
TPM_NONCE
externalData
160 bits of externally supplied data (typically a nonce provided by a
server to prevent replay-attacks)
6
<>
3S
<>
TPM_PCR_SELECTION
targetPCR
The indices of the PCRs that are to be reported.
7
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle authorization.
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
9
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
10
20
TPM_AUTHDATA
privAuth
The authorization session digest for inputs and keyHandle. HMAC key:
key -> usageAuth.
781Level 2 Revision 116 28 February 2011
782
163
TCG Published
783Copyright © TCG
784
785
TPM Main Part 3 Commands
Specification Version 1.2
3101Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Quote.
4
<>
3S
<>
TPM_PCR_COMPOSITE
pcrData
A structure containing the same indices as targetPCR, plus the
corresponding current PCR values.
5
4
4S
4
UINT32
sigSize
The used size of the output area for the signature
6
<>
5S
<>
BYTE[ ]
sig
The signed data blob.
7
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
Key -> usageAuth.
8
1
9
20
3102Actions
31031. The TPM MUST validate the AuthData to use the key pointed to by keyHandle.
31042. Validate that keyHandle -> sigScheme is TPM_SS_RSASSAPKCS1v15_SHA1 or
3105
TPM_SS_RSASSAPKCS1v15_INFO, if not return TPM_INAPPROPRIATE_SIG.
31063. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY, or
3107
TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE
31084. Validate targetPCR
3109
a. targetPCR is a valid TPM_PCR_SELECTION structure
3110
b. On errors return TPM_INVALID_PCR_INFO
31115. Create H1 a SHA-1 hash of a TPM_PCR_COMPOSITE using the TPM_STCLEAR_DATA ->
3112
PCR indicated by targetPCR -> pcrSelect
31136. Create Q1 a TPM_QUOTE_INFO structure
3114
a. Set Q1 -> version to 1.1.0.0
3115
b. Set Q1 -> fixed to “QUOT”
3116
c. Set Q1 -> digestValue to H1
3117
d. Set Q1 -> externalData to externalData
31187. Sign SHA-1 hash of Q1 using keyHandle as the signature key
31198. Return the signature in sig
786
787
164
Level 2 Revision 116 28 February 2011
TCG Published
788TPM Main Part 3 Commands
TCG © Copyright
789Specification Version 1.2
312016.4
TPM_PCR_Reset
3121Start of informative comment:
3122For PCR with the pcrReset attribute set to TRUE, this command resets the PCR back to the
3123default value, this mimics the actions of TPM_Init. The PCR may have restrictions as to
3124which locality can perform the reset operation.
3125Sending a null pcrSelection results in an error is due to the requirement that the command
3126actually do something. If pcrSelection is null there are no PCR to reset and the command
3127would then do nothing.
3128For PCR that are resettable, the presence of a Trusted Operating System (TOS) can change
3129the behavior of TPM_PCR_Reset. The following pseudo code shows how the behavior
3130changes
3131At TPM_Startup
3132
If TPM_PCR_ATTRIBUTES->pcrReset is FALSE
3133
Set PCR to 0x00…00
3134
Else
3135
Set PCR to 0xFF…FF
3136At TPM_PCR_Reset
3137
If TPM_PCR_ATTRIBUTES->pcrReset is TRUE
3138
If TOSPresent
3139
Set PCR to 0x00…00
3140
Else
3141
Set PCR to 0xFF…FF
3142
Else
3143
Return error
3144The above pseudocode is for example only, for the details of a specific platform, the reader
3145must review the platform specific specification. The purpose of the above pseudocode is to
3146show that both pcrReset and the TOSPresent bit control the value in use to when the PCR
3147resets.
3148End of informative comment.
3149Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_PCR_Reset
4
<>
2S
<>
TPM_PCR_SELECTION
pcrSelection
The PCR’s to reset
#
SZ
1
#
SZ
790Level 2 Revision 116 28 February 2011
791
165
TCG Published
792Copyright © TCG
793
794
TPM Main Part 3 Commands
Specification Version 1.2
3150Outgoing Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_PCR_Reset
3151Description
3152This command resets PCR values back to the default value. The command MUST validate
3153that all PCR registers that are selected are available to be reset before resetting any PCR.
3154This command MUST either reset all selected PCR registers or none of the PCR registers.
3155Actions
31561. Validate that pcrSelection is valid
3157
a. is a valid TPM_PCR_SELECTION structure
3158
b. pcrSelection -> pcrSelect is non-zero
3159
c. On errors return TPM_INVALID_PCR_INFO
31602. Map L1 to TPM_STANY_FLAGS -> localityModifier
31613. For each PCR selected perform the following
3162
3163
a. If TPM_PERMANENT_DATA
TPM_NOTRESETABLE
3164
3165
b. If, for the value L1, the corresponding bit is clear in the bit map
TPM_PERMANENT_DATA -> pcrAttrib[pcrIndex].pcrResetLocal, return TPM_NOTLOCAL
->
pcrAttrib[pcrIndex].pcrReset
is
FALSE,
return
31664. For each PCR selected perform the following
3167
a. The PCR MAY only reset to 0x00…00 or 0xFF…FF
3168
3169
b. The logic to determine which value to use MUST be described by a platform specific
specification
795
796
166
Level 2 Revision 116 28 February 2011
TCG Published
797TPM Main Part 3 Commands
TCG © Copyright
798Specification Version 1.2
317016.5
TPM_Quote2
3171Start of informative comment:
3172The TPM_Quote2 operation provides cryptographic reporting of PCR values. A loaded key is
3173required for operation. TPM_Quote2 uses a key to sign a statement that names the current
3174value of a chosen PCR and externally supplied data (which may be a nonce supplied by a
3175Challenger).
3176The term "externalData" is used because an important use of TPM_Quote2 is to provide a
3177digital signature on arbitrary data, where the signature includes the PCR values of the
3178platform at time of signing. Hence the "externalData" is not just for anti-replay purposes,
3179although it is (of course) used for that purpose in an integrity challenge.
3180TPM_Quote2 differs from TPM_Quote in that TPM_Quote2 uses TPM_PCR_INFO_SHORT to
3181hold information relative to the PCR registers. TPM_PCR_INFO_SHORT includes locality
3182information to provide the requestor a more complete view of the current platform
3183configuration.
3184End of informative comment.
3185Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Quote2
4
4
TPM_KEY_HANDLE
keyHandle
The keyHandle identifier of a loaded key that can sign the PCR values.
5
20
2S
20
TPM_NONCE
externalData
160 bits of externally supplied data (typically a nonce provided by a
server to prevent replay-attacks)
6
<>
3S
<>
TPM_PCR_SELECTION
targetPCR
The indices of the PCRs that are to be reported.
7
1
4S
1
BOOL
addVersion
When TRUE add TPM_CAP_VERSION_INFO to the output
8
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle authorization.
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
9
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
10
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
11
20
TPM_AUTHDATA
privAuth
The authorization session digest for inputs and keyHandle. HMAC key:
key -> usageAuth.
799Level 2 Revision 116 28 February 2011
800
167
TCG Published
801Copyright © TCG
802
803
TPM Main Part 3 Commands
Specification Version 1.2
3186Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Quote2
4
<>
3S
<>
TPM_PCR_INFO_SHORT
pcrData
The value created and signed for the quote
5
4
4S
4
UINT32
versionInfoSize
Size of the version info
6
<>
5S
<>
TPM_CAP_VERSION_INFO
versionInfo
The version info
7
4
6S
4
UINT32
sigSize
The used size of the output area for the signature
8
<>
7S
<>
BYTE[ ]
sig
The signed data blob.
9
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
Key -> usageAuth.
10
1
11
20
3187Actions
31881. The TPM MUST validate the AuthData to use the key pointed to by keyHandle.
31892. Validate that keyHandle -> sigScheme is TPM_SS_RSASSAPKCS1v15_SHA1 or
3190
TPM_SS_RSASSAPKCS1v15_INFO, if not return TPM_INAPPROPRIATE_SIG.
31913. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY, or
3192
TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE
31934. Validate targetPCR is a valid TPM_PCR_SELECTION structure, on errors return
3194
TPM_INVALID_PCR_INFO
31955. Create H1 a SHA-1 hash of a TPM_PCR_COMPOSITE using the TPM_STCLEAR_DATA ->
3196
PCR[] indicated by targetPCR -> pcrSelect
31976. Create S1 a TPM_PCR_INFO_SHORT
3198
a. Set S1->pcrSelection to targetPCR
3199
b. Set S1->localityAtRelease to TPM_STANY_DATA -> localityModifier
3200
c. Set S1->digestAtRelease to H1
32017. Create Q1 a TPM_QUOTE_INFO2 structure
3202
a. Set Q1 -> fixed to “QUT2”
3203
b. Set Q1 -> infoShort to S1
3204
c. Set Q1 -> externalData to externalData
32058. If addVersion is TRUE
3206
804
805
a. Concatenate to Q1 a TPM_CAP_VERSION_INFO structure
168
Level 2 Revision 116 28 February 2011
TCG Published
806TPM Main Part 3 Commands
TCG © Copyright
807Specification Version 1.2
3207
b. Set the output parameters for versionInfo
32089. Else
3209
a. Set versionInfoSize to 0
3210
b. Return no bytes in versionInfo
321110.Sign a SHA-1 hash of Q1 using keyHandle as the signature key
321211.Return the signature in sig
808Level 2 Revision 116 28 February 2011
809
169
TCG Published
810Copyright © TCG
811
812
321317.
321417.1
TPM Main Part 3 Commands
Specification Version 1.2
Changing AuthData
TPM_ChangeAuth
3215Start of informative comment:
3216The TPM_ChangeAuth command allows the owner of an entity to change the AuthData for
3217the entity.
3218This command cannot invalidate the old entity. Therefore, the authorization change is only
3219effective if the application can guarantee that the old entity can be securely destroyed. If
3220not, two valid entities will exist, one with the old and one with the new authorization secret.
3221If this command is delegated, the delegated party can expand its key use privileges. That
3222party can create a copy of the key with known authorization, and it can then use the key
3223without any ordinal restrictions.
3224TPM_ChangeAuth requires the encryption of one parameter (“NewAuth”). For the sake of
3225uniformity with other commands that require the encryption of more than one parameter,
3226the parameters used for used encryption are generated from the authLastNonceEven
3227(created during the OSAP session), nonceOdd, and the session shared secret.
3228The parameter list to this command must always include two authorization sessions,
3229regardless of the state of authDataUsage for the respective keys.
3230End of informative comment.
813
814
170
Level 2 Revision 116 28 February 2011
TCG Published
815TPM Main Part 3 Commands
TCG © Copyright
816Specification Version 1.2
3231
Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ChangeAuth
4
4
TPM_KEY_HANDLE
parentHandle
Handle of the parent key to the entity.
5
2
2S
2
TPM_PROTOCOL_ID
protocolID
The protocol in use.
6
20
3S
20
TPM_ENCAUTH
newAuth
The encrypted new AuthData for the entity
7
2
4S
2
TPM_ENTITY_TYPE
entityType
The type of entity to be modified
8
4
5S
4
UINT32
encDataSize
The size of the encData parameter
9
<>
6S
<>
BYTE[ ]
encData
The encrypted entity that is to be modified.
10
4
TPM_AUTHHANDLE
parentAuthHandle
The authorization session handle used for the parent key.
#
SZ
1
#
1S
SZ
4
2 H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
11
20
3 H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with parentAuthHandle
12
1
4 H1
1
BOOL
continueAuthSession
Ignored, parentAuthHandle is always terminated.
13
20
TPM_AUTHDATA
parentAuth
The authorization session digest for inputs and parentHandle. HMAC
key: parentKey.usageAuth.
14
4
TPM_AUTHHANDLE
entityAuthHandle
The authorization session handle used for the encrypted entity. The
session type MUST be OIAP
2 H2
20
TPM_NONCE
entitylastNonceEven
Even nonce previously generated by TPM
15
20
3 H2
20
TPM_NONCE
entitynonceOdd
Nonce generated by system associated with entityAuthHandle
16
1
4 H2
1
BOOL
continueEntitySession
Ignored, entityAuthHandle is always terminated.
17
20
TPM_AUTHDATA
entityAuth
The authorization session digest for the inputs and encrypted entity.
HMAC key: entity.usageAuth.
817Level 2 Revision 116 28 February 2011
818
171
TCG Published
819Copyright © TCG
820
821
TPM Main Part 3 Commands
Specification Version 1.2
3232Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation. See section 4.3.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ChangeAuth
4
4
3S
4
UINT32
outDataSize
The used size of the output area for outData
5
<>
4S
<>
BYTE[ ]
outData
The modified, encrypted entity.
6
20
2 H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3 H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with parentAuthHandle
4 H1
1
BOOL
continueAuthSession
Continue use flag, fixed value of FALSE
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters and
parentHandle. HMAC key: parentKey.usageAuth.
7
1
8
20
9
20
1
11
20
TPM_NONCE
entityNonceEven
Even nonce newly generated by TPM to cover entity
3 H2
10
2 H2
20
TPM_NONCE
entitynonceOdd
Nonce generated by system associated with entityAuthHandle
4 H2
1
BOOL
continueEntitySession
Continue use flag, fixed value of FALSE
TPM_AUTHDATA
entityAuth
The authorization session digest for the returned parameters and entity.
HMAC key: entity.usageAuth, the original and not the new auth value
20
3233Description
32341. The parentAuthHandle session type MUST be TPM_PID_OSAP.
32352. In this capability, the SRK cannot be accessed as entityType TPM_ET_KEY, since the
3236
SRK is not wrapped by a parent key.
3237Actions
32381. Verify that entityType is one of TPM_ET_DATA, TPM_ET_KEY and return the error
3239
TPM_WRONG_ENTITYTYPE if not.
32402. Verify that parentAuthHandle session type is TPM_PID_OSAP return TPM_BAD_MODE
3241
on error
32423. Verify that entityAuthHandle session type is TPM_PID_OIAP return TPM_BAD_MODE on
3243
error
32444. If protocolID is not TPM_PID_ADCP, the TPM MUST return TPM_BAD_PARAMETER.
32455. The encData parameter MUST be the encData field from either the TPM_STORED_DATA
3246
or TPM_KEY structures.
32476. Create decryptAuth by decrypting newAuth according to the ADIP indicated by
3248
parentHandle.
32497. The TPM MUST validate the command using the AuthData in the parentAuth parameter
32508. Validate that parentHandle -> keyUsage is TPM_KEY_STORAGE, if not return
3251
TPM_INVALID_KEYUSAGE
822
823
172
Level 2 Revision 116 28 February 2011
TCG Published
824TPM Main Part 3 Commands
TCG © Copyright
825Specification Version 1.2
32529. After parameter validation, the TPM creates b1 by decrypting encData using the key
3253
pointed to by parentHandle.
325410.The TPM MUST validate that b1 is a
3255
TPM_STORE_ASYMKEY or a TPM_SEALED_DATA
valid
TPM
structure,
either
a
3256
a. Check the length and payload, return TPM_INVALID_STRUCTURE on any mismatch
3257
3258
3259
b. The TPM must validate the command using the authorization data entityAuth
parameter.
The HMAC key is TPM_STORE_ASYMKEY -> usageAuth or
TPM_SEALED_DATA -> authData.
326011.The TPM replaces the AuthData for b1 with decryptAuth created above.
326112.The TPM encrypts b1 using the appropriate mechanism for the type using the
3262
parentKeyHandle to provide the key information.
326313.The TPM MUST enforce the destruction of both the parentAuthHandle and
3264
entityAuthHandle sessions.
826Level 2 Revision 116 28 February 2011
827
173
TCG Published
828Copyright © TCG
829
830
326517.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_ChangeAuthOwner
3266Start of informative comment:
3267The TPM_ChangeAuthOwner command allows the owner of an entity to change the
3268AuthData for the TPM Owner or the SRK.
3269This command requires authorization from the current TPM Owner to execute.
3270TPM's targeted for an environment (e.g. a server) with long lasting sessions should not
3271invalidate all sessions.
3272End of informative comment.
3273Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ChangeAuthOwner
4
2
2S
2
TPM_PROTOCOL_ID
protocolID
The protocol in use.
5
20
3S
20
TPM_ENCAUTH
newAuth
The encrypted new AuthData for the entity
6
2
4S
2
TPM_ENTITY_TYPE
entityType
The type of entity to be modified
7
4
TPM_AUTHHANDLE
ownerAuthHandle
The authorization session handle used for the TPM Owner.
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with ownerAuthHandle
9
1
4H1
1
BOOL
continueAuthSession
Continue use flag the TPM ignores this value
10
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and ownerHandle. HMAC key:
ownerAuth.
Type
Name
Description
3274Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
5
6
831
832
1
20
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ChangeAuthOwner
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with ownerAuthHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, fixed value of FALSE
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters and
ownerHandle. HMAC key: ownerAuth, the original value and not the new
auth value
174
Level 2 Revision 116 28 February 2011
TCG Published
833TPM Main Part 3 Commands
TCG © Copyright
834Specification Version 1.2
3275Actions
32761. The TPM MUST validate the command using the AuthData in the ownerAuth parameter
32772. The ownerAuthHandle session type MUST be TPM_PID_OSAP
32783. If protocolID is not TPM_PID_ADCP, the TPM MUST return TPM_BAD_PARAMETER.
32794. Verify that entityType is either TPM_ET_OWNER or TPM_ET_SRK, and return the error
3280
TPM_WRONG_ENTITYTYPE if not.
32815. Create decryptAuth by decrypting newAuth according to the ADIP indicated by
3282
ownerAuthHandle.
32836. The TPM MUST enforce the destruction of the ownerAuthHandle session upon
3284
completion of this command (successful or unsuccessful). This includes setting
3285
continueAuthSession to FALSE
32867. Set the AuthData for the indicated entity to decryptAuth
32878. The TPM MUST invalidate all owner authorized OSAP and DSAP sessions, active or
3288
saved.
32899. The TPM MAY invalidate all sessions, active or saved
835Level 2 Revision 116 28 February 2011
836
175
TCG Published
837Copyright © TCG
838
839
329018.
TPM Main Part 3 Commands
Specification Version 1.2
Authorization Sessions
329118.1
TPM_OIAP
3292Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OIAP.
Type
Name
Description
#
SZ
1
#
1S
SZ
4
3293Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OIAP.
4
4
TPM_AUTHHANDLE
authHandle
Handle that TPM creates that points to the authorization state.
5
20
TPM_NONCE
nonceEven
Nonce generated by TPM and associated with session.
3294Actions
32951. The TPM_OIAP command allows the creation of an authorization session handle and the
3296
tracking of the handle by the TPM. The TPM generates the handle and nonce.
32972. The TPM has an internal limit as to the number of handles that may be open at one
3298
time, so the request for a new handle may fail if there is insufficient space available.
32993. Internally the TPM will do the following:
3300
3301
a. TPM allocates space to save handle, protocol identification, both nonces and any
other information the TPM needs to manage the session.
3302
b. TPM generates authHandle and nonceEven, returns these to caller
33034. On each subsequent use of the OIAP session the TPM MUST generate a new nonceEven
3304
value.
33055. When TPM_OIAP is wrapped in an encrypted transport session, no input or output
3306
parameters are encrypted.
840
841
176
Level 2 Revision 116 28 February 2011
TCG Published
842TPM Main Part 3 Commands
TCG © Copyright
843Specification Version 1.2
3307
330818.1.1
Actions to validate an OIAP session
3309Start of informative comment:
3310This section describes the authorization-related actions of a TPM when it receives a
3311command that has been authorized with the OIAP protocol.
3312Many commands use OIAP authorization. The following description is therefore necessarily
3313abstract.
3314End of informative comment.
3315Actions
3316The TPM MUST perform the following operations:
33171. The TPM MUST verify that the authorization session handle (H, say) referenced in the
3318
command points to a valid session. If it does not, the TPM returns the error code
3319
TPM_INVALID_AUTHHANDLE
33202. The TPM SHALL retrieve the latest version of the caller’s nonce (nonceOdd) and
3321
continueAuthSession flag from the input parameter list, and store it in internal TPM
3322
memory with the authSession ‘H’.
33233. The TPM SHALL retrieve the latest version of the TPM’s nonce stored with the
3324
authorization session H (authLastNonceEven) computed during the previously executed
3325
command.
33264. The TPM MUST retrieve the secret AuthData (SecretE, say) of the target entity. The entity
3327
and its secret must have been previously loaded into the TPM.
3328
a. If the command using the OIAP session requires owner authorization
3329
3330
i. If TPM_STCLEAR_DATA -> ownerReference is TPM_KH_OWNER, the secret
AuthData is TPM_PERMANENT_DATA -> ownerAuth
3331
ii. If TPM_STCLEAR_DATA -> ownerReference is pointing to a delegate row
3332
(1) Set R1 a row index to TPM_STCLEAR_DATA -> ownerReference
3333
3334
(2) Set D1 a TPM_DELEGATE_TABLE_ROW to TPM_PERMANENT_DATA ->
delegateTable -> delRow[R1]
3335
(3) Set the secret AuthData to D1 -> authValue
3336
(4) Validate the TPM_DELEGATE_PUBLIC D1 -> pub
3337
(a)
Validate D1 -> pub -> permissions based on the command ordinal
3338
(b)
Validate D1 -> pub -> pcrInfo based on the PCR values
33395. The TPM SHALL perform a HMAC calculation using the entity secret data, ordinal, input
3340
command parameters and authorization parameters per Part 1 Object-Independent
3341
Authorization Protocol.
33426. The TPM SHALL compare HM to the AuthData value received in the input parameters. If
3343
they are different, the TPM returns the error code TPM_AUTHFAIL if the authorization
3344
session is the first session of a command, or TPM_AUTH2FAIL if the authorization
844Level 2 Revision 116 28 February 2011
845
177
TCG Published
846Copyright © TCG
847
848
3345
3346
TPM Main Part 3 Commands
Specification Version 1.2
session is the second session of a command. Otherwise, the TPM executes the command
which (for this example) produces an output that requires authentication.
33477. The TPM SHALL generate a nonce (nonceEven).
33488. The TPM creates an HMAC digest to authenticate the return code, return values and
3349
authorization parameters to the same entity secret per Part 1 Object-Independent
3350
Authorization Protocol.
33519. The TPM returns the return code, output parameters, authorization parameters and
3352
authorization session digest.
335310.If the output continueUse flag is FALSE, then the TPM SHALL terminate the session.
3354
Future references to H will return an error.
335511.Each time that access to an entity (e.g., key) is authorized using OIAP, the TPM MUST
3356
validate the TPM_PCR_INFO_xxx “…AtRelease” values if specified for the entity
3357
3358
3359
849
850
a. The TPM SHOULD validate the values before using the shared secret to validate the
command parameters. This prevents a dictionary attack on the shared secret when the
values are invalid for the entity.
178
Level 2 Revision 116 28 February 2011
TCG Published
851TPM Main Part 3 Commands
TCG © Copyright
852Specification Version 1.2
336018.2
TPM_OSAP
3361Start of informative comment:
3362The TPM_OSAP command creates the authorization session handle, the shared secret and
3363generates nonceEven and nonceEvenOSAP.
3364End of informative comment.
3365Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OSAP.
4
2
TPM_ENTITY_TYPE
entityType
The type of entity in use
5
4
UINT32
entityValue
The selection value based on entityType, e.g. a keyHandle #
6
20
TPM_NONCE
nonceOddOSAP
The nonce generated by the caller associated with the shared secret.
#
SZ
1
#
SZ
1S
4
3366Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OSAP.
4
4
TPM_AUTHHANDLE
authHandle
Handle that TPM creates that points to the authorization state.
5
20
TPM_NONCE
nonceEven
Nonce generated by TPM and associated with session.
6
20
TPM_NONCE
nonceEvenOSAP
Nonce generated by TPM and associated with shared secret.
3367Description
33681. The TPM_OSAP command allows the creation of an authorization session handle and the
3369
tracking of the handle by the TPM. The TPM generates the handle, nonceEven and
3370
nonceEvenOSAP.
33712. The TPM has an internal limit on the number of handles that may be open at one time,
3372
so the request for a new handle may fail if there is insufficient space available.
33733. The TPM_OSAP allows the binding of an authorization to a specific entity. This allows
3374
the caller to continue to send in AuthData for each command but not have to request
3375
the information or cache the actual AuthData.
33764. When TPM_OSAP is wrapped in an encrypted transport session, no input or output
3377
parameters are encrypted.
33785. If the owner pointer is pointing to a delegate row, the TPM internally MUST treat the
3379
OSAP session as a DSAP session
853Level 2 Revision 116 28 February 2011
854
179
TCG Published
855Copyright © TCG
856
857
TPM Main Part 3 Commands
Specification Version 1.2
33806. TPM_ET_SRK or TPM_ET_KEYHANDLE with a value of TPM_KH_SRK MUST specify the
3381
SRK.
33827. If the entity is tied to PCR values, the PCR’s are not validated during the TPM_OSAP
3383
ordinal session creation. The PCR’s are validated when the OSAP session is used.
3384Actions
33851. The TPM creates S1 a storage area that keeps track of the information associated with
3386
the authorization.
33872. S1 MUST track the following information
3388
a. Protocol identification (i.e. TPM_PID_OSAP)
3389
b. nonceEven
3390
i.
Initialized to the next value from the TPM RNG
3391
c. shared secret
3392
d. ADIP encryption scheme from TPM_ENTITY_TYPE entityType
3393
e. Any other internal TPM state the TPM needs to manage the session
33943. The TPM MUST create and MAY track the following information
3395
a. nonceEvenOSAP
3396
33974.
3398
3399
3400
3401
i.
Initialized to the next value from the TPM RNG
The TPM calculates the shared secret using an HMAC calculation. The key for the HMAC
calculation is the secret AuthData assigned to the key handle identified by entityValue.
The input to the HMAC calculation is the concatenation of nonces nonceEvenOSAP and
nonceOddOSAP. The output of the HMAC calculation is the shared secret which is saved
in the authorization area associated with authHandle
34025. Check if the ADIP encryption scheme specified by entityType is supported, if not return
3403
TPM_INAPPROPRIATE_ENC.
34046. If entityType = TPM_ET_KEYHANDLE
3405
3406
a. The entity to authorize is a key held in the TPM. entityValue contains the keyHandle
that holds the key.
3407
b. If entityValue is TPM_KH_OPERATOR return TPM_BAD_HANDLE
34087. else if entityType = TPM_ET_OWNER
3409
a. This value indicates that the entity is the TPM owner. entityValue is ignored
3410
3411
b. The HMAC key is the secret pointed to by ownerReference (owner secret or delegated
secret)
34128. else if entityType = TPM_ET_SRK
3413
a. The entity to authorize is the SRK. entityValue is ignored.
34149. else if entityType = TPM_ET_COUNTER
3415
a. The entity is a monotonic counter, entityValue contains the counter handle
341610.else if entityType = TPM_ET_NV
858
859
180
Level 2 Revision 116 28 February 2011
TCG Published
860TPM Main Part 3 Commands
TCG © Copyright
861Specification Version 1.2
3417
a. The entity is a NV index, entityValue contains the NV index
341811.else return TPM_BAD_PARAMETER
341912.On each subsequent use of the OSAP session the TPM MUST generate a new nonce
3420
value.
342113.The TPM MUST ensure that OSAP shared secret is only available while the OSAP session
3422
is valid.
342314.The session MUST terminate upon any of the following conditions:
3424
a. The command that uses the session returns an error
3425
b. The resource is evicted from the TPM or otherwise invalidated
3426
3427
c. The session is used in any command for which the shared secret is used to encrypt
an input parameter (TPM_ENCAUTH)
3428
d. The TPM Owner is cleared
3429
3430
e. TPM_ChangeAuthOwner is executed and this session is attached to the owner
authorization
3431
3432
f. The
session
TPM_FlushSpecific
3433
3434
g. All OSAP sessions associated with the delegation table MUST be invalidated when
any of the following commands execute:
explicitly
terminated
with
continueAuth,
3435
i.
3436
ii. TPM_Delegate_CreateOwnerDelegation with Increment==TRUE
3437
iii. TPM_Delegate_LoadOwnerDelegation
TPM_Delegate_Manage
862Level 2 Revision 116 28 February 2011
863
181
TCG Published
TPM_Reset
or
864Copyright © TCG
865
866
TPM Main Part 3 Commands
Specification Version 1.2
3438
343918.2.1
Actions to validate an OSAP session
3440Start of informative comment:
3441This section describes the authorization-related actions of a TPM when it receives a
3442command that has been authorized with the OSAP protocol.
3443Many commands use OSAP authorization. The following description is therefore necessarily
3444abstract.
3445End of informative comment
3446Actions
34471. On reception of a command with ordinal C1 that uses an authorization session, the TPM
3448
SHALL perform the following actions:
34492. The TPM MUST have been able to retrieve the shared secret (Shared, say) of the target
3450
entity when the authorization session was established with TPM_OSAP. The entity and
3451
its secret must have been previously loaded into the TPM.
34523. The TPM MUST verify that the authorization session handle (H, say) referenced in the
3453
command points to a valid session. If it does not, the TPM returns the error code
3454
TPM_INVALID_AUTHHANDLE.
34554. The TPM MUST calculate the HMAC (HM1, say) of the command parameters according
3456
to Part 1 Object-Specific Authorization Protocol.
34575.
3458
3459
3460
3461
The TPM SHALL compare HM1 to the AuthData value received in the command. If they
are different, the TPM returns the error code TPM_AUTHFAIL if the authorization session
is the first session of a command, or TPM_AUTH2FAIL if the authorization session is the
second session of a command., the TPM executes command C1 which produces an
output (O, say) that requires authentication and uses a particular return code (RC, say).
34626. The TPM SHALL generate the latest version of the even nonce (nonceEven).
34637. The TPM MUST calculate the HMAC (HM2) of the return parameters according to section
3464
Part 1 Object-Specific Authorization Protocol.
34658. The TPM returns HM2 in the parameter list.
34669. The TPM SHALL retrieve the continue flag from the received command. If the flag is
3467
FALSE, the TPM SHALL terminate the session and destroy the thread associated with
3468
handle H.
346910.If the shared secret was used to provide confidentiality for data in the received
3470
command, the TPM SHALL terminate the session and destroy the thread associated with
3471
handle H.
347211.Each time that access to an entity (e.g., key) is authorized using OSAP, the TPM MUST
3473
a. ensure that the OSAP shared secret is that derived from the entity using TPM_OSAP
3474
b. validate the TPM_PCR_INFO_xxx “…AtRelease” values if specified for the entity
867
868
182
Level 2 Revision 116 28 February 2011
TCG Published
869TPM Main Part 3 Commands
TCG © Copyright
870Specification Version 1.2
3475
3476
3477
i. The TPM SHOULD validate the values before using the shared secret to
validate the command parameters. This prevents a dictionary attack on the
shared secret when the values are invalid for the entity.
871Level 2 Revision 116 28 February 2011
872
183
TCG Published
873Copyright © TCG
874
875
347818.3
TPM Main Part 3 Commands
Specification Version 1.2
TPM_DSAP
3479Start of informative comment:
3480The TPM_DSAP command creates the authorization session handle using a delegated
3481AuthData value passed into the command as an encrypted blob or from the internal
3482delegation table. It can be used to start an authorization session for a user key or the
3483owner.
3484As in TPM_OSAP, it generates a shared secret and generates nonceEven and
3485nonceEvenOSAP.
3486End of informative comment.
3487Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DSAP.
4
2
TPM_ENTITY_TYPE
entityType
The type of delegation information to use
5
4
TPM_KEY_HANDLE
keyHandle
Key for which delegated authority corresponds, or 0 if delegated owner activity.
Only relevant if entityValue equals TPM_DELEGATE_KEY_BLOB
6
20
TPM_NONCE
nonceOddDSAP
The nonce generated by the caller associated with the shared secret.
7
4
UINT32
entityValueSize
The size of entityValue.
#
SZ
1
8
<>
#
SZ
1S
2S
4
<>
BYTE [ ]
entityValue
Either TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB or index
MUST not be empty
If entityType is TPM_ET_DEL_ROW then entityValue is a TPM_DELEGATE_INDEX
3488Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
#
SZ
1
2
3
4
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DSAP.
4
4
TPM_AUTHHANDLE
authHandle
Handle that TPM creates that points to the authorization state.
5
20
TPM_NONCE
nonceEven
Nonce generated by TPM and associated with session.
6
20
TPM_NONCE
nonceEvenDSAP
Nonce generated by TPM and associated with shared secret.
3489Description
34901. The TPM_DSAP command allows the creation of an authorization session handle and the
3491
tracking of the handle by the TPM. The TPM generates the handle, nonceEven and
3492
nonceEvenOSAP.
876
877
184
Level 2 Revision 116 28 February 2011
TCG Published
878TPM Main Part 3 Commands
TCG © Copyright
879Specification Version 1.2
34932. The TPM has an internal limit on the number of handles that may be open at one time,
3494
so the request for a new handle may fail if there is insufficient space available.
34953. The TPM_DSAP allows the binding of a delegated authorization to a specific entity. This
3496
allows the caller to continue to send in AuthData for each command but not have to
3497
request the information or cache the actual AuthData.
34984. Each ordinal that uses the DSAP session MUST validate that TPM_PERMANENT_DATA
3499
-> restrictDelegate does not restrict delegation, based on keyHandle -> keyUsage and
3500
keyHandle -> keyFlags, return TPM_INVALID_KEYUSAGE on error.
35015. On each subsequent use of the DSAP session the TPM MUST generate a new nonce
3502
value and check if the ordinal to be executed has delegation to execute. The TPM MUST
3503
ensure that the DSAP shared secret is only available while the DSAP session is valid.
35046. When TPM_DSAP is wrapped in an encrypted transport session
3505
a. For input the only parameter encrypted is entityValue
3506
b. For output no parameters are encrypted
35077. The DSAP session MUST terminate under any of the following conditions
3508
a. The command that uses the session returns an error
3509
b. If attached to a key, when the key is evicted from the TPM or otherwise invalidated
3510
3511
c. The session is used in any command for which the shared secret is used to encrypt
an input parameter (TPM_ENCAUTH)
3512
d. The TPM Owner is cleared
3513
3514
e. TPM_ChangeAuthOwner is executed and this session is attached to the owner
authorization
3515
3516
f. The
session
TPM_FlushSpecific
3517
3518
g. All DSAP sessions MUST be invalidated when any of the following commands
execute:
explicitly
terminated
3519
i.
3520
TPM_Reset
or
iii. TPM_Delegate_LoadOwnerDelegation
3522
continueAuth,
ii. When Increment is TRUE
3521
with
iv. TPM_Delegate_Manage
TPM_Delegate_CreateOwnerDelegation
3523entityType = TPM_ET_DEL_OWNER_BLOB
3524
The entityValue parameter contains an owner delegation blob structure.
3525entityType = TPM_ET_DEL_ROW
3526
3527
The entityValue parameter contains a row number in the nv Delegation table which
should be used for the AuthData value.
3528entityType = TPM_DEL_KEY_BLOB
3529
The entityValue parameter contains a key delegation blob structure.
880Level 2 Revision 116 28 February 2011
881
185
TCG Published
882Copyright © TCG
883
884
TPM Main Part 3 Commands
Specification Version 1.2
3530Actions
35311. If entityType == TPM_ET_DEL_OWNER_BLOB
3532
a. Map entityValue to B1 a TPM_DELEGATE_OWNER_BLOB
3533
3534
b. Validate
that
B1
is
a
valid
TPM_WRONG_ENTITYTYPE on error
3535
3536
c. Locate B1 -> pub -> familyID in the TPM_FAMILY_TABLE and set familyRow to
indicate row, return TPM_BADINDEX if not found
3537
d. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]
3538
e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD
3539
f. Verify that B1->verificationCount equals FR -> verificationCount.
3540
g. Validate the integrity of the blob
TPM_DELEGATE_OWNER_BLOB,
3541
i.
3542
ii. Set B1 -> integrityDigest to all zeros
3543
iii. Create H3 the HMAC of B1 using tpmProof as the secret
3544
return
iv. Compare H2 to H3 return TPM_AUTHFAIL on mismatch
Copy B1 -> integrityDigest to H2
3545
3546
h. Create S1 a TPM_DELEGATE_SENSITIVE by decrypting B1 -> sensitiveArea using
TPM_DELEGATE_KEY
3547
i.
Validate S1 values
3548
i.
3549
ii. Return TPM_BAD_DELEGATE on error
3550
j.
S1 -> tag is TPM_TAG_DELEGATE_SENSITIVE
Set A1 to S1 -> authValue
35512. Else if entityType == TPM_ET_DEL_ROW
3552
a. Verify that entityValue points to a valid row in the delegation table.
3553
b. Set D1 to the delegation information in the row.
3554
c. Set A1 to D1->authValue.
3555
3556
d. Locate D1 -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate that
row, return TPM_BADINDEX if not found
3557
e. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]
3558
f. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD
3559
g. Verify that D1->verificationCount equals FR -> verificationCount.
35603. Else if entityType == TPM_ET_DEL_KEY_BLOB
3561
a. Map entityValue to K1 a TPM_DELEGATE_KEY_BLOB
3562
3563
b. Validate
that
K1
is
a
TPM_WRONG_ENTITYTYPE on error
3564
3565
c. Locate K1 -> pub -> familyID in the TPM_FAMILY_TABLE and set familyRow to
indicate that row, return TPM_BADINDEX if not found
885
886
valid
186
TPM_DELEGATE_KEY_BLOB,
return
Level 2 Revision 116 28 February 2011
TCG Published
887TPM Main Part 3 Commands
TCG © Copyright
888Specification Version 1.2
3566
d. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]
3567
e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD
3568
f. Verify that K1 -> pub -> verificationCount equals FR -> verificationCount.
3569
g. Validate the integrity of the blob
3570
i.
3571
ii. Set K1 -> integrityDigest to all zeros
3572
iii. Create H3 the HMAC of K1 using tpmProof as the secret
3573
iv. Compare H2 to H3 return TPM_AUTHFAIL on mismatch
Copy K1 -> integrityDigest to H2
3574
3575
h. Validate that K1 -> pubKeyDigest identifies keyHandle, return TPM_KEYNOTFOUND
on error
3576
3577
i. Create S1 a TPM_DELEGATE_SENSITIVE by decrypting K1 -> sensitiveArea using
TPM_DELEGATE_KEY
3578
j.
Validate S1 values
3579
i.
3580
ii. Return TPM_BAD_DELEGATE on error
3581
S1 -> tag is TPM_TAG_DELEGATE_SENSITIVE
k. Set A1 to S1 -> authValue
35824. Else return TPM_BAD_PARAMETER
35835. Generate a new authorization session handle and reserve space to save protocol
3584
identification, shared secret, pcrInfo, both nonces, ADIP encryption scheme, delegated
3585
permission bits and any other information the TPM needs to manage the session.
35866. Read two new values from the RNG to generate nonceEven and nonceEvenOSAP.
35877.
3588
3589
3590
The TPM calculates the shared secret using an HMAC calculation. The key for the HMAC
calculation is A1. The input to the HMAC calculation is the concatenation of nonces
nonceEvenOSAP and nonceOddOSAP. The output of the HMAC calculation is the shared
secret which is saved in the authorization area associated with authHandle.
889Level 2 Revision 116 28 February 2011
890
187
TCG Published
891Copyright © TCG
892
893
359118.4
TPM Main Part 3 Commands
Specification Version 1.2
TPM_SetOwnerPointer
3592Start of informative comment:
3593This command will set a reference to which secret the TPM will use when executing an
3594owner secret related OIAP or OSAP session.
3595This command should only be used to provide an owner delegation function for legacy code
3596that does not itself support delegation. Normally, TPM_STCLEAR_DATA->ownerReference
3597points to TPM_KH_OWNER, indicating that OIAP and OSAP sessions should use the owner
3598authorization. This command allows ownerReference to point to an index in the delegation
3599table, indicating that OIAP and OSAP sessions should use the delegation authorization.
3600In use, a TSS supporting delegation would create and load the owner delegation and set the
3601owner pointer to that delegation. From then on, a legacy TSS application would use its OIAP
3602and OSAP sessions with the delegated owner authorization.
3603Since this command is not authorized, the ownerReference is open to DoS attacks.
3604Applications can attempt to recover from a failing owner authorization by resetting
3605ownerReference to an appropriate value.
3606This command intentionally does not clear OSAP sessions. A TPM 1.1 application gets the
3607benefit of owner delegation, while the original owner can use a pre-existing OSAP session
3608with the actual owner authorization.
3609End of informative comment.
3610Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Ordinal: TPM_ORD_SetOwnerPointer
4
2
2S
2
TPM_ENTITY_TYPE
entityType
The type of entity in use
5
4
3S
4
UINT32
entityValue
The selection value based on entityType
#
SZ
1
#
SZ
3611Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation
2S
4
TPM_COMMAND_CODE
ordinal
Ordinal: TPM_ORD_SetOwnerPointer
3612Actions
36131. Map TPM_STCLEAR_DATA to V1
36142. If entityType = TPM_ET_DEL_ROW
894
895
188
Level 2 Revision 116 28 February 2011
TCG Published
896TPM Main Part 3 Commands
TCG © Copyright
897Specification Version 1.2
3615
3616
a. This value indicates that the entity is a delegate row. entityValue is a delegate index
in the delegation table.
3617
3618
b. Validate that entityValue points to a legal row within the delegate table stored within
the TPM. If not return TPM_BADINDEX
3619
i.
Set D1 to the delegation information in the row.
3620
3621
c. Locate D1 -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate that
row, return TPM_BADINDEX if not found.
3622
d. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]
3623
e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD
3624
f. Verify that B1->verificationCount equals FR -> verificationCount.
3625
g. The TPM sets V1-> ownerReference to entityValue
3626
h. Return TPM_SUCCESS
36273. else if entityType = TPM_ET_OWNER
3628
a. This value indicates that the entity is the TPM owner. entityValue is ignored.
3629
b. The TPM sets V1-> ownerReference to TPM_KH_OWNER
3630
c. Return TPM_SUCCESS
36314. Return TPM_BAD_PARAMETER
898Level 2 Revision 116 28 February 2011
899
189
TCG Published
900Copyright © TCG
901
902
363219.
363319.1
TPM Main Part 3 Commands
Specification Version 1.2
Delegation Commands
TPM_Delegate_Manage
3634Start of informative comment:
3635TPM_Delegate_Manage is the fundamental process for managing the Family tables,
3636including
enabling/disabling
Delegation
for
a
selected
Family.
Normally
3637TPM_Delegate_Manage must be executed at least once (to create Family tables for a
3638particular family) before any other type of Delegation command in that family can succeed.
3639TPM_Delegate_Manage is authorized by the TPM Owner if an Owner is installed, because
3640changing a table is a privileged Owner operation. If no Owner is installed,
3641TPM_Delegate_Manage requires no privilege to execute. This does not disenfranchise an
3642Owner, since there is no Owner, and simplifies loading of tables during platform
3643manufacture or on first-boot. Burn-out of TPM non-volatile storage by inappropriate use is
3644mitigated by the TPM’s normal limits on NV-writes in the absence of an Owner. Tables can
3645be locked after loading, to prevent subsequent tampering, and only unlocked by the Owner,
3646his delegate, or the act of removing the Owner (even if there is no Owner).
3647TPM_Delegate_Manage command is customized by opCode:
3648(1) TPM_FAMILY_ENABLE enables/disables use of a family and all the rows of the delegate
3649table belonging to that family,
3650(2) TPM_FAMILY_ADMIN can be used to prevent further management of the Tables until an
3651Owner is installed, or until the Owner is removed from the TPM. (Note that the Physical
3652Presence command TPM_ForceClear always enables further management, even if
3653TPM_ForceClear is used when no Owner is installed.)
3654 (3) TPM_FAMILY_CREATE creates a new family. Sessions are invalidated even in this case
3655because the lastFamilyID could wrap.
3656(4) TPM_FAMILY_INVALIDATE invalidates an existing family. The TPM_SELFTEST_FAILED
3657error code is returned because the familyRow has already been validated earlier. Failure
3658here indicates a malfunction of the TPM.
3659The rationale for Action 19.1 is that invalidating the family ID prevents the use of
3660associated delegate rows, whether or not those delegate rows are themselves invalidated.
3661Omitting the delegate row invalidation avoids an NV write.
3662End of informative comment.
903
904
190
Level 2 Revision 116 28 February 2011
TCG Published
905TPM Main Part 3 Commands
TCG © Copyright
906Specification Version 1.2
3663Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Delegate_Manage
4
4
2S
4
TPM_FAMILY_ID
familyID
The familyID that is to be managed
5
4
3s
4
TPM_FAMILY_OPERATION
opCode
Operation to be performed by this command.
6
4
4s
4
UINT32
opDataSize
Size in bytes of opData
7
<>
5s
<>
BYTE [ ]
opData
Data necessary to implement opCode
8
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
#
SZ
1
#
SZ
9
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
10
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
11
20
TPM_AUTHDATA
ownerAuth
HMAC key: ownerAuth.
3664Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Delegate_Manage
4
4
3S
4
UINT32
retDataSize
Size in bytes of retData
5
<>
4S
<>
BYTE [ ]
retData
Returned data
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
HMAC key: ownerAuth.
7
1
8
20
3665Action
36661. If opCode != TPM_FAMILY_CREATE
3667
3668
a. Locate familyID in the TPM_FAMILY_TABLE and set familyRow to indicate row,
return TPM_BADINDEX if not found
3669
3670
b. Set FR, a TPM_FAMILY_TABLE_ENTRY, to TPM_FAMILY_TABLE. famTableRow
[familyRow]
36712. If tag = TPM_TAG_RQU_AUTH1_COMMAND
3672
3673
a. Validate the command and parameters using ownerAuth, return TPM_AUTHFAIL on
error
907Level 2 Revision 116 28 February 2011
908
191
TCG Published
909Copyright © TCG
910
911
3674
3675
TPM Main Part 3 Commands
Specification Version 1.2
b. If the command is delegated (authHandle session type is TPM_PID_DSAP or through
ownerReference delegation)
3676
i.
3677
If opCode = TPM_FAMILY_CREATE
(1)
3678
The TPM MUST ignore familyID
ii. Else
3679
3680
(1)
Verify that the familyID associated with authHandle matches the
familyID parameter, return TPM_DELEGATE_FAMILY on error
36813. Else
3682
a. If TPM_PERMANENT_DATA -> ownerAuth is valid, return TPM_AUTHFAIL
3683
3684
b. If
opCode
!=
TPM_FAMILY_CREATE
and
FR
->
TPM_DELEGATE_ADMIN_LOCK is TRUE, return TPM_DELEGATE_LOCK
3685
c. Validate max NV writes without an owner
flags
3686
i.
3687
ii. Increment NV1 by 1
3688
iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES
3689
->
iv. Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV1
Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite
36904. The TPM invalidates sessions
3691
a. MUST invalidate all DSAP sessions
3692
b. MUST invalidate all OSAP sessions associated with the delegation table
3693
c. MUST set TPM_STCLEAR_DATA -> ownerReference to TPM_KH_OWNER
3694
d. MAY invalidate any other session
36955. If opCode == TPM_FAMILY_CREATE
3696
3697
a. Validate that sufficient space exists within the TPM to store an additional family and
map F2 to the newly allocated space.
3698
b. Validate that opData is a TPM_FAMILY_LABEL
3699
3700
i.
If opDataSize != sizeof(TPM_FAMILY_LABEL) return TPM_BAD_PARAM_SIZE
c. Map F2 to a TPM_FAMILY_TABLE_ENTRY
3701
i.
3702
ii. Set F2 -> familyLabel to opData
Set F2 -> tag to TPM_TAG_FAMILY_TABLE_ENTRY
3703
d. Increment TPM_PERMANENT_DATA -> lastFamilyID by 1
3704
e. Set F2 -> familyID = TPM_PERMANENT_DATA -> lastFamilyID
3705
f. Set F2 -> verificationCount = 1
3706
g. Set F2 -> flags -> TPM_FAMFLAG_ENABLED to FALSE
3707
h. Set F2 -> flags -> TPM_DELEGATE_ADMIN_LOCK to FALSE
3708
i.
912
913
Set retDataSize = 4
192
Level 2 Revision 116 28 February 2011
TCG Published
914TPM Main Part 3 Commands
TCG © Copyright
915Specification Version 1.2
3709
j.
3710
k. Return TPM_SUCCESS
Set retData = F2 -> familyID
37116. If authHandle is of type DSAP then continueAuthSession MUST set to FALSE
37127. If opCode == TPM_FAMILY_ADMIN
3713
a. Validate that opDataSize == 1, and that opData is a Boolean value.
3714
b. Set (FR -> flags -> TPM_DELEGATE_ADMIN_LOCK) = opData
3715
c. Set retDataSize = 0
3716
d. Return TPM_SUCCESS
37178. else If opCode == TPM_FAMILY_ENABLE
3718
a. Validate that opDataSize == 1, and that opData is a Boolean value.
3719
b. Set FR -> flags-> TPM_FAMFLAG_ENABLED = opData
3720
c. Set retDataSize = 0
3721
d. Return TPM_SUCCESS
37229. else If opCode == TPM_FAMILY_INVALIDATE
3723
a. Invalidate all data associated with familyRow
3724
i.
3725
ii. return TPM_SELFTEST_FAILED on failure
3726
b. The TPM MAY invalidate delegate rows that contain the same familyID.
All data is all information pointed to by FR
3727
c. Set retDataSize = 0
3728
d. Return TPM_SUCCESS
372910.Else return TPM_BAD_PARAMETER
916Level 2 Revision 116 28 February 2011
917
193
TCG Published
918Copyright © TCG
919
920
373019.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_Delegate_CreateKeyDelegation
3731Start of informative comment:
3732This command delegates privilege to use a key by creating a blob that can be used by
3733TPM_DSAP.
3734There is no check for appropriateness of the key’s key usage against the key permission
3735settings. If the key usage is incorrect, this command succeeds, but the delegated command
3736will fail.
3737These blobs CANNOT be used as input data for TPM_LoadOwnerDelegation because the
3738internal TPM delegate table can store owner delegations only.
3739(TPM_Delegate_CreateOwnerDelegation must be used to delegate Owner privilege.)
3740The publicInfo -> familyID can specify a disabled family row. The family row is checked
3741when the key delegation is used in a DSAP session, not when it is created.
3742End of informative comment.
3743Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Delegate_CreateKeyDelegation.
TPM_KEY_HANDLE
keyHandle
The keyHandle identifier of a loaded key.
<>
TPM_DELEGATE_PUBLIC
publicInfo
The public information necessary to fill in the blob
3S
20
TPM_ENCAUTH
delAuth
The encrypted new AuthData for the blob. The encryption key is the
shared secret from the authorization session protocol.
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle authorization
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
#
SZ
#
1
2
3
4
4
4
5
<>
2S
6
20
7
4
1S
SZ
4
8
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
9
1
4H1
1
BOOL
continueAuthSession
Ignored
10
20
TPM_AUTHDATA
privAuth
The authorization session digest that authorizes the use of keyHandle.
HMAC key: key.usageAuth
3744
921
922
194
Level 2 Revision 116 28 February 2011
TCG Published
923TPM Main Part 3 Commands
TCG © Copyright
924Specification Version 1.2
3745Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Delegate_CreateKeyDelegation
4
4
3S
4
UINT32
blobSize
The length of the returned blob
5
<>
4S
<>
TPM_DELEGATE_KEY_BLOB
blob
The partially encrypted delegation information.
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag. Fixed value of FALSE
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
key.usageAuth
7
1
8
20
3746Description
37471. The use restrictions that may be present on the key pointed to by keyHandle are not
3748
enforced for this command. Stated another way, TPM_CreateKeyDelegation is not a use
3749
of the key.
3750Action
37511. Verify AuthData for the command and parameters using privAuth
37522. Locate publicInfo -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate
3753
row, return TPM_BADINDEX if not found
37543. If the key authentication is in fact a delegation, then the TPM SHALL validate the
3755
command and parameters using Delegation authorisation, then
3756
3757
a. Validate that authHandle -> familyID equals publicInfo -> familyID return
TPM_DELEGATE_FAMILY on error
3758
3759
b. If TPM_FAMILY_TABLE.famTableRow[ authHandle -> familyID] ->
TPM_FAMFLAG_ENABLED is FALSE, return error TPM_DISABLED_CMD.
3760
3761
c. Verify that the delegation bits in publicInfo do not grant more permissions then
currently delegated. Otherwise return error TPM_AUTHFAIL
flags
->
37624. Check that publicInfo -> delegateType is TPM_DEL_KEY_BITS
37635. Verify that authHandle indicates
3764
TPM_INVALID_AUTHHANDLE on error
an
OSAP
or
DSAP
session
return
37656. Create a1 by decrypting delAuth according to the ADIP indicated by authHandle.
37667. Create h1 the SHA-1 of TPM_STORE_PUBKEY structure of the key pointed to by
3767
keyHandle
37688. Create M1 a TPM_DELEGATE_SENSITIVE structure
3769
a. Set M1 -> tag to TPM_TAG_DELEGATE_SENSITIVE
925Level 2 Revision 116 28 February 2011
926
195
TCG Published
927Copyright © TCG
928
929
TPM Main Part 3 Commands
Specification Version 1.2
3770
b. Set M1 -> authValue to a1
3771
3772
c. The TPM MAY add additional information of a sensitive nature relative to the
delegation
37739. Create M2 the encryption of M1 using TPM_DELEGATE_KEY
377410.Create P1 a TPM_DELEGATE_KEY_BLOB
3775
a. Set P1 -> tag to TPM_TAG_DELG_KEY_BLOB
3776
b. Set P1 -> pubKeyDigest to H1
3777
c. Set P1 -> pub to PublicInfo
3778
d. Set P1 -> pub -> verificationCount to familyRow -> verificationCount
3779
e. Set P1 -> integrityDigest to all zeros
3780
3781
3782
f. The TPM sets additionalArea and additionalAreaSize appropriate for this TPM. The
information MAY include symmetric IV, symmetric mode of encryption and other data
that allows the TPM to process the blob in the future.
3783
g. Set P1 -> sensitiveSize to the size of M2
3784
h. Set P1 -> sensitiveArea to M2
378511.Calculate H2 the HMAC of P1 using tpmProof as the secret
378612.Set P1 -> integrityDigest to H2
378713.Ignore continueAuthSession on input set continueAuthSession to FALSE on output
378814.Return P1 as blob
930
931
196
Level 2 Revision 116 28 February 2011
TCG Published
932TPM Main Part 3 Commands
TCG © Copyright
933Specification Version 1.2
378919.3
TPM_Delegate_CreateOwnerDelegation
3790Start of informative comment:
3791TPM_Delegate_CreateOwnerDelegation delegates the Owner’s privilege to use a set of
3792command ordinals, by creating a blob. Such blobs can be used as input data for TPM_DSAP
3793or TPM_Delegate_LoadOwnerDelegation.
3794TPM_Delegate_CreateOwnerDelegation includes the ability to void all existing delegations
3795(by incrementing the verification count) before creating the new delegation. This ensures
3796that the new delegation will be the only delegation that can operate at Owner privilege in
3797this family. This new delegation could be used to enable a security monitor (a local separate
3798entity, or remote separate entity, or local host entity) to reinitialize a family and perhaps
3799perform external verification of delegation settings. Normally the ordinals for a delegated
3800security monitor would include TPM_Delegate_CreateOwnerDelegation (this command) in
3801order
to
permit
the
monitor
to
create
further
delegations,
and
3802TPM_Delegate_UpdateVerification to reactivate some previously voided delegations.
3803If the verification count is incremented and the new delegation does not delegate any
3804privileges (to any ordinals) at all, or uses an authorisation value that is then discarded, this
3805family’s delegations are all void and delegation must be managed using actual Owner
3806authorisation.
3807(TPM_Delegate_CreateKeyDelegation must be used to delegate privilege to use a key.)
3808End of informative comment.
3809Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Delegate_CreateOwnerDelegation.
#
SZ
1
#
1S
SZ
4
1
2S
1
BOOL
increment
Flag dictates whether verificationCount will be incremented
5
<>
3S
<>
TPM_DELEGATE_PUBLIC
publicInfo
The public parameters for the blob
6
20
4S
20
TPM_ENCAUTH
delAuth
The encrypted new AuthData for the blob. The encryption key is the
shared secret from the OSAP protocol.
7
4
TPM_AUTHHANDLE
authHandle
The authorization session handle TPM Owner authentication
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
9
1
4H1
1
BOOL
continueAuthSession
Ignored
10
20
TPM_AUTHDATA
ownerAuth
The authorization session digest. HMAC key:ownerAuth
8
934Level 2 Revision 116 28 February 2011
935
197
TCG Published
936Copyright © TCG
937
938
TPM Main Part 3 Commands
Specification Version 1.2
3810Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Delegate_CreateOwnerDelegation.
4
4
3S
4
UINT32
blobSize
The length of the returned blob
5
<>
4S
<>
TPM_DELEGATE_OWNER_BLOB
blob
The partially encrypted delegation information.
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag. Fixed value of FALSE
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth
7
1
8
20
3811Action
38121. The TPM SHALL authenticate the command using TPM Owner authentication. Return
3813
TPM_AUTHFAIL on failure.
38142. Locate publicInfo -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate
3815
the row return TPM_BADINDEX if not found
3816
a. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]
38173. If the TPM Owner authentication is in fact a delegation
3818
3819
a. Validate that authHandle -> familyID equals publicInfo -> familyID return
TPM_DELEGATE_FAMILY on error
3820
3821
b. If FR -> flags
TPM_DISABLED_CMD.
3822
3823
c. Verify that the delegation bits in publicInfo do not grant more permissions then
currently delegated. Otherwise, return error TPM_AUTHFAIL.
->
TPM_FAMFLAG_ENABLED
is
FALSE,
return
error
38244. Check that publicInfo -> delegateType is TPM_DEL_OWNER_BITS
38255. Verify that authHandle indicates
3826
TPM_INVALID_AUTHHANDLE on error
an
OSAP
or
DSAP
session
return
38276. If increment == TRUE
3828
a. Increment FR -> verificationCount
3829
b. Set TPM_STCLEAR_DATA-> ownerReference to TPM_KH_OWNER
3830
c. The TPM invalidates sessions
3831
i.
3832
ii. MUST invalidate all OSAP sessions associated with the delegation table
3833
iii. MAY invalidate any other session
939
940
MUST invalidate all DSAP sessions
198
Level 2 Revision 116 28 February 2011
TCG Published
941TPM Main Part 3 Commands
TCG © Copyright
942Specification Version 1.2
38347. Create a1 by decrypting delAuth according to the ADIP indicated by authHandle.
38358. Create M1 a TPM_DELEGATE_SENSITIVE structure
3836
a. Set M1 -> tag to TPM_TAG_DELEGATE_SENSITIVE
3837
b. Set M1 -> authValue to a1
3838
c. Set other M1 fields as determined by the TPM vendor
38399. Create M2 the encryption of M1 using TPM_DELEGATE_KEY
384010.Create B1 a TPM_DELEGATE_OWNER_BLOB
3841
a. Set B1 -> tag to TPM_TAG_DELG_OWNER_BLOB
3842
b. Set B1 -> pub to publicInfo
3843
c. Set B1 -> sensitiveSize to the size of M2
3844
d. Set B1 -> sensitiveArea to M2
3845
e. Set B1 -> integrityDigest to all zeros
3846
f. Set B1 -> pub -> verificationCount to FR -> verificationCount
384711.The TPM sets additionalArea and additionalAreaSize appropriate for this TPM. The
3848
information MAY include symmetric IV, symmetric mode of encryption and other data
3849
that allows the TPM to process the blob in the future.
385012.Create H1 the HMAC of B1 using tpmProof as the secret
385113.Set B1 -> integrityDigest to H1
385214.Ignore continueAuthSession on input set continueAuthSession to FALSE on output
385315.Return B1 as blob
943Level 2 Revision 116 28 February 2011
944
199
TCG Published
945Copyright © TCG
946
947
385419.4
TPM Main Part 3 Commands
Specification Version 1.2
TPM_Delegate_LoadOwnerDelegation
3855Start of informative comment:
3856This command loads a delegate table row blob into a non-volatile delegate table row.
3857TPM_Delegate_LoadOwnerDelegation can be used during manufacturing or on first boot
3858(when no Owner is installed), or after an Owner is installed. If an Owner is installed,
3859TPM_Delegate_LoadOwnerDelegation requires Owner authorisation, and sensitive
3860information must be encrypted.
3861Burn-out of TPM non-volatile storage by inappropriate use is mitigated by the TPM’s normal
3862limits on NV-writes in the absence of an Owner. Tables can be locked after loading using
3863TPM_Delegate_Manage, to prevent subsequent tampering.
3864A management system outside the TPM is expected to manage the delegate table rows
3865stored on the TPM, and can overwrite any previously stored data. There is no way to
3866explicitly delete a delegation entry. A new entry can overwrite an invalid entry.
3867This command cannot be used to load key delegation blobs into the TPM
3868End of informative comment.
3869Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
4
UINT32
paramSize
Total number of input bytes incl. paramSize and tag
4
TPM_COMMAND_CODE
ordinal
Ordinal: TPM_ORD_Delegate_LoadOwnerDelegation
4
TPM_DELEGATE_INDEX
index
The index of the delegate row to be written
5
4
UINT32
blobSize
The size of the delegate blob
6
<>
5S
<>
TPM_DELEGATE_OWNER_BLOB
blob
Delegation information, including encrypted portions as appropriate
7
4
TPM_AUTHHANDLE
authHandle
The authorization session handle TPM Owner authentication
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
9
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
10
20
TPM_AUTHDATA
ownerAuth
The authorization session digest. HMAC key:ownerAuth
952Level 2 Revision 116 28 February 2011
953
201
TCG Published
954Copyright © TCG
955
956
TPM Main Part 3 Commands
Specification Version 1.2
3870Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes
3
4
#
SZ
1
#
SZ
6
1
7
TPM_RESULT
returnCode
The return code of the operation
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Delegate_LoadOwnerDelegation
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
5
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
Authorization HMAC key: ownerAuth.
20
3871Actions
38721. Map blob to D1 a TPM_DELEGATE_OWNER_BLOB.
3873
a. Validate that D1 -> tag == TPM_TAG_DELEGATE_OWNER_BLOB
38742. Locate D1 -> pub -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate
3875
row, return TPM_BADINDEX if not found
38763. Set FR to TPM_FAMILY_TABLE -> famTableRow[familyRow]
38774. If TPM Owner is installed
3878
3879
a. Validate the command and parameters using TPM Owner authentication, return
TPM_AUTHFAIL on error
3880
3881
3882
b. If the command is delegated (authHandle session type is TPM_PID_DSAP or through
ownerReference delegation), verify that D1 -> pub -> familyID matches authHandle ->
familyID, on error return TPM_DELEGATE_FAMILY
38835. Else
3884
a. If tag is not TPM_TAG_RQU_COMMAND, return TPM_AUTHFAIL
3885
3886
b. If
FR
->
flags
TPM_DELEGATE_LOCK
3887
c. Validate max NV writes without an owner
->
TPM_DELEGATE_ADMIN_LOCK
is
TRUE
3888
i.
3889
ii. Increment NV1 by 1
3890
iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES
3891
return
iv. Set PD -> noOwnerNVWrite to NV1
Set NV1 to PD -> noOwnerNVWrite
38926. If FR -> flags -> TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD
38937. If TPM Owner is installed, validate the integrity of the blob
3894
a. Copy D1 -> integrityDigest to H2
3895
b. Set D1 -> integrityDigest to all zeros
957
958
202
Level 2 Revision 116 28 February 2011
TCG Published
959TPM Main Part 3 Commands
TCG © Copyright
960Specification Version 1.2
3896
c. Create H3 the HMAC of D1 using tpmProof as the secret
3897
d. Compare H2 to H3, return TPM_AUTHFAIL on mismatch
38988. If TPM Owner is installed, create S1 a TPM_DELEGATE_SENSITIVE area by decrypting
3899
D1 -> sensitiveArea using TPM_DELEGATE_KEY. Otherwise set S1 = D1 -> sensitiveArea
39009. Validate S1
3901
3902
a. Validate
that
S1
->
tag
==
TPM_INVALID_STRUCTURE on error
TPM_TAG_DELEGATE_SENSITIVE,
return
390310.Validate that index is a valid value for delegateTable, return TPM_BADINDEX on error
390411.The TPM invalidates sessions
3905
a. MUST invalidate all DSAP sessions
3906
b. MUST invalidate all OSAP sessions associated with the delegation table
3907
c. MAY invalidate any other session
390812.Copy data to the delegate table row
3909
3910
a. Copy the TPM_DELEGATE_PUBLIC from D1 -> pub to TPM_DELEGATE_TABLE ->
delRow[index] -> pub.
3911
3912
b. Copy the TPM_SECRET from S1 -> authValue to TPM_DELEGATE_TABLE ->
delRow[index] -> authValue.
3913
c. Set TPM_STCLEAR_DATA-> ownerReference to TPM_KH_OWNER
3914
d. If authHandle is of type DSAP then continueAuthSession MUST set to FALSE
391513.Return TPM_SUCCESS
961Level 2 Revision 116 28 February 2011
962
203
TCG Published
963Copyright © TCG
964
965
391619.5
TPM Main Part 3 Commands
Specification Version 1.2
TPM_Delegate_ReadTable
3917Start of informative comment:
3918This command reads from the TPM the public contents of the family and delegate tables
3919that are stored on the TPM. Such data is required during external verification of tables.
3920There are no restrictions on the execution of this command; anyone can read this
3921information regardless of the state of the PCRs, regardless of whether they know any
3922specific AuthData value and regardless of whether or not the enable and admin bits are set
3923one way or the other.
3924End of informative comment.
3925Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Delegate_ReadTable
#
SZ
1
#
1S
SZ
4
3926Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Delegate_ReadTable
4
4
3S
4
UINT32
familyTableSize
Size in bytes of familyTable
5
<>
4S
<>
BYTE [ ]
familyTable
Array of TPM_FAMILY_TABLE_ENTRY elements
6
4
5S
4
UINT32
delegateTableSize
Size in bytes of delegateTable
7
<>
6S
<>
BYTE[]
delegateTable
Array of TPM_DELEGATE_INDEX and TPM_DELEGATE_PUBLIC
elements
3927Actions
39281. Set familyTableSize to the number
3929
sizeof(TPM_FAMILY_TABLE_ELEMENT).
of
valid
families
on
the
TPM
times
39302. Copy the valid entries in the internal family table to the output array familyTable
39313. Set delegateTableSize to the number of valid delegate table entries on the TPM times
3932
(sizeof(TPM_DELEGATE_PUBLIC) + 4).
39334. For each valid entry
3934
a. Write the TPM_DELEGATE_INDEX to delegateTable
3935
b. Copy the TPM_DELEGATE_PUBLIC to delegateTable
966
967
204
Level 2 Revision 116 28 February 2011
TCG Published
968TPM Main Part 3 Commands
TCG © Copyright
969Specification Version 1.2
39365. Return TPM_SUCCESS
970Level 2 Revision 116 28 February 2011
971
205
TCG Published
972Copyright © TCG
973
974
393719.6
TPM Main Part 3 Commands
Specification Version 1.2
TPM_Delegate_UpdateVerification
3938Start of informative comment:
3939TPM_UpdateVerification sets the verificationCount in an entity (a blob or a delegation row)
3940to the current family value, in order that the delegations represented by that entity will
3941continue to be accepted by the TPM.
3942End of informative comment.
3943Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Delegate_UpdateVerification
4
4
2S
4
UINT32
inputSize
The size of inputData
5
<>
3S
<>
BYTE
inputData
TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB
or TPM_DELEGATE_INDEX
6
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
8
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
9
20
TPM_AUTHDATA
ownerAuth
Authorization HMAC key: ownerAuth.
7
975
976
206
Level 2 Revision 116 28 February 2011
TCG Published
977TPM Main Part 3 Commands
TCG © Copyright
978Specification Version 1.2
3944Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Delegate_UpdateVerification
4
4
3S
4
UINT32
outputSize
The size of the output
5
<>
4S
<>
BYTE
outputData
TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth.
7
1
8
20
3945Actions
39461. Verify the TPM Owner, directly or indirectly through delegation, authorizes the command
3947
and parameters, on error return TPM_AUTHFAIL
39482. Determine
the
type
of
inputData
(TPM_DELEGATE_TABLE_ROW
or
3949
TPM_DELEGATE_OWNER_BLOB or TPM_DELEGATE_KEY_BLOB) and map D1 to that
3950
structure
3951
3952
a. Mapping to TPM_DELEGATE_TABLE_ROW requires taking inputData as a tableIndex
and locating the appropriate row in the table
39533. If D1 is a TPM_DELEGATE_OWNER_BLOB or TPM_DELEGATE_KEY_BLOB, validate the
3954
integrity of D1
3955
a. Copy D1 -> integrityDigest to H2
3956
b. Set D1 -> integrityDigest to all zeros
3957
c. Create H3 the HMAC of D1 using tpmProof as the secret
3958
d. Compare H2 to H3 return TPM_AUTHFAIL on mismatch
39594. Locate (D1 -> pub -> familyID) in the TPM_FAMILY_TABLE and set familyRow to indicate
3960
row, return TPM_BADINDEX if not found
39615. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]
39626. If delegated, verify that family of the delegated Owner-auth is the same as D1:
3963
(authHandle -> familyID) == (D1 -> pub -> familyID); otherwise return error
3964
TPM_DELEGATE_FAMILY
39657. If delegated, verify that the family of the delegated Owner-auth is enabled: if (authHandle
3966
-> familyID -> flags TPM_FAMFLAG_ENABLED) is FALSE, return TPM_DISABLED_CMD
39678. Set D1 -> verificationCount to FR -> verificationCount
979Level 2 Revision 116 28 February 2011
980
207
TCG Published
981Copyright © TCG
982
983
TPM Main Part 3 Commands
Specification Version 1.2
39689. If D1 is a TPM_DELEGATE_OWNER_BLOB or TPM_DELEGATE_KEY_BLOB set the
3969
integrity of D1
3970
a. Set D1 -> integrityDigest to all zeros
3971
b. Create H1 the HMAC of D1 using tpmProof as the secret
3972
c. Set D1 -> integrityDigest to H1
397310.If D1 is a blob recreate the blob and return it
984
985
208
Level 2 Revision 116 28 February 2011
TCG Published
986TPM Main Part 3 Commands
TCG © Copyright
987Specification Version 1.2
397419.7
TPM_Delegate_VerifyDelegation
3975Start of informative comment:
3976TPM_VerifyDelegation interprets a delegate blob and returns success or failure, depending
3977on whether the blob is currently valid. The delegate blob is NOT loaded into the TPM.
3978End of informative comment.
3979Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal, TPM_ORD_Delegate_VerifyDelegation
4
4
2S
4
UINT32
delegationSize
The length of the delegated information blob
5
<>
3S
<>
BYTE[ ]
delegation
TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB
Type
Name
Description
#
SZ
1
#
SZ
3980Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal, TPM_Delegate_VerifyDelegation
3981Actions
39821. Determine
the
type
of
blob,
If
3983
TPM_TAG_DELGATE_OWNER_BLOB then
3984
delegation
->
tag
is
equal
to
a. Map D1 a TPM_DELEGATE_OWNER_BLOB to delegation
39852. Else if delegation -> tag = TPM_TAG_DELG_KEY_BLOB
3986
a. Map D1 a TPM_DELEGATE_KEY_BLOB to delegation
39873. Else return TPM_BAD_PARAMETER
39884. Locate D1 -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate row,
3989
return TPM_BADINDEX if not found
39905. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]
39916. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD
39927. Validate that D1 -> pub -> verificationCount matches FR -> verificationCount, on
3993
mismatch return TPM_FAMILYCOUNT
39948. Validate the integrity of D1
3995
a. Copy D1 -> integrityDigest to H2
988Level 2 Revision 116 28 February 2011
989
209
TCG Published
990Copyright © TCG
991
992
TPM Main Part 3 Commands
Specification Version 1.2
3996
b. Set D1 -> integrityDigest to all zeros
3997
c. Create H3 the HMAC of D1 using tpmProof as the secret
3998
d. Compare H2 to H3 return TPM_AUTHFAIL on mismatch
39999. Create S1 a TPM_DELEGATE_SENSITIVE area by decrypting D1 -> sensitiveArea using
4000
TPM_DELEGATE_KEY
400110.Validate S1 values
4002
a. S1 -> tag is TPM_TAG_DELEGATE_SENSITIVE
4003
b. Return TPM_BAD_PARAMETER on error
400411.Return TPM_SUCCESS
993
994
210
Level 2 Revision 116 28 February 2011
TCG Published
995TPM Main Part 3 Commands
TCG © Copyright
996Specification Version 1.2
400520.
Non-volatile
4006Start of informative comment:
Storage
4007This section handles the allocation and use of the TPM non-volatile storage.
4008End of informative comment.
4009If nvIndex refers to the DIR, the TPM ignores actions containing access control checks that
4010have no meaning for the DIR. The TPM only checks the owner authorization.
997Level 2 Revision 116 28 February 2011
998
211
TCG Published
999Copyright © TCG
1000
1001
TPM Main Part 3 Commands
Specification Version 1.2
4011
401220.1
TPM_NV_DefineSpace
4013Start of informative comment:
4014This establishes the space necessary for the indicated index. The definition will include the
4015access requirements for writing and reading the area.
4016
4017
Previously defined space at the index and new size is non-zero (and space is available,
etc.) –> redefine the index
4018
4019
No previous space at the index and new size is non-zero (and space is available,
etc.)-> define the index
4020
Previously defined space at the index and new size is 0 -> delete the index
4021
No previous space at the index and new size is 0 -> error
4022The space definition size does not include the area needed to manage the space.
4023Setting TPM_PERMANENT_FLAGS -> nvLocked TRUE when it is already TRUE is not an
4024error.
4025End of informative comment.
4026Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Ordinal, TPM_ORD_NV_DefineSpace
4
<>
2S
<>
TPM_NV_DATA_PUBLIC
pubInfo
The public parameters of the NV area
5
20
3S
20
TPM_ENCAUTH
encAuth
The encrypted AuthData, only valid if the attributes require subsequent
authorization
6
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for ownerAuth
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
7
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
8
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
9
20
TPM_AUTHDATA
ownerAuth
The authorization session digest HMAC key: ownerAuth
Type
Name
Description
4027Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1002
1003
20
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
ordinal, TPM_ORD_NV_DefineSpace
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
212
Level 2 Revision 116 28 February 2011
TCG Published
1004TPM Main Part 3 Commands
TCG © Copyright
1005Specification Version 1.2
3H1
5
1
6
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, fixed to FALSE
TPM_AUTHDATA
ownerAuth
The authorization session digest HMAC key: ownerAuth
20
4028Description
4029For the case where pubInfo -> dataSize is 0, pubInfo -> pcrInfoRead and pubInfo ->
4030pcrInfoWrite are not used. However, since the general principle is to validate parameters
4031before changing state, the TPM SHOULD parse pubInfo completely before invalidating the
4032data area.
4033Actions
40341. If pubInfo -> nvIndex == TPM_NV_INDEX_LOCK and tag = TPM_TAG_RQU_COMMAND
4035
a. If pubInfo -> dataSize is not 0, the command MAY return TPM_BADINDEX.
4036
b. Set TPM_PERMANENT_FLAGS -> nvLocked to TRUE
4037
c. Return TPM_SUCCESS
40382. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks except
4039
for the Max NV writes are ignored
4040
4041
4042
4043
a. Ignored checks include physical presence, owner authorization, 'D' bit check,
bGlobalLock, no authorization with a TPM owner present, bWriteSTClear, the check that
pubInfo -> dataSize is 0 in Action 5.c. (the no-authorization case) , disabled and
deactivated.
4044
4045
4046
i. The check that pubInfo -> dataSize is 0 is still enforced in Action 6.f.
(returning after deleting a previously defined storage area) and Action 9.f. (not
allowing a space of size 0 to be defined).
4047
ii. If ownerAuth is present, the TPM MAY check the authorization HMAC.
4048
b. The check for pubInfo -> nvIndex == TPM_NV_INDEX0 in Action 3. is not ignored.
40493. If pubInfo -> nvIndex has the D bit (bit 28) set to a 1 or pubInfo -> nvIndex ==
4050
TPM_NV_INDEX0 then
4051
a. Return TPM_BADINDEX
4052
4053
b. The D bit specifies an index value that is set in manufacturing and can never be
deleted or added to the TPM
4054
c. Index value TPM_NV_INDEX0 is reserved and cannot be defined
40554. If tag = TPM_TAG_RQU_AUTH1_COMMAND then
4056
4057
a. The TPM MUST validate the command and parameters using the TPM Owner
authentication and ownerAuth, on error return TPM_AUTHFAIL
4058
b. authHandle session type MUST be OSAP
4059
c. Create A1 by decrypting encAuth according to the ADIP indicated by authHandle.
40605. else
4061
a. Validate the assertion of physical presence. Return TPM_BAD_PRESENCE on error.
1006Level 2 Revision 116 28 February 2011
1007
213
TCG Published
1008Copyright © TCG
1009
1010
TPM Main Part 3 Commands
Specification Version 1.2
4062
b. If TPM Owner is present then return TPM_OWNER_SET.
4063
4064
c. If pubInfo -> dataSize is 0 then return TPM_BAD_DATASIZE. Setting the size to 0
represents an attempt to delete the value without TPM Owner authentication.
4065
d. Validate max NV writes without an owner
4066
i.
4067
ii. Increment NV1 by 1
4068
iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES
4069
iv. Set NV1_INCREMENTED to TRUE
4070
4071
Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite
e. Set A1 to encAuth. There is no nonce or authorization to create the encryption string,
hence the AuthData value is passed in the clear
40726. If pubInfo -> nvIndex points to a valid previously defined storage area then
4073
a. Map D1 a TPM_NV_DATA_SENSITIVE to the storage area
4074
b. If D1 -> attributes specifies TPM_NV_PER_GLOBALLOCK then
4075
4076
4077
i. If TPM_STCLEAR_FLAGS
TPM_AREA_LOCKED
->
bGlobalLock
is
TRUE
then
return
c. If D1 -> attributes specifies TPM_NV_PER_WRITE_STCLEAR
4078
i.
If D1 -> pubInfo -> bWriteSTClear is TRUE then return TPM_AREA_LOCKED
4079
4080
d. Invalidate the data area currently pointed to by D1 and ensure that if the area is
reallocated no residual information is left
4081
e. If NV1_INCREMENTED is TRUE
4082
4083
i.
Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV1
f. The TPM invalidates authorization sessions
4084
i.
4085
ii. MAY invalidate any other authorization session
4086
g. If pubInfo -> dataSize is 0 then return TPM_SUCCESS
MUST invalidate all authorization sessions associated with D1
40877. Parse pubInfo -> pcrInfoRead
4088
a. Validate pcrInfoRead structure on error return TPM_INVALID_STRUCTURE
4089
i.
Validation includes proper PCR selections and locality selections
40908. Parse pubInfo -> pcrInfoWrite
4091
a. Validate pcrInfoWrite structure on error return TPM_INVALID_STRUCTURE
4092
4093
i.
Validation includes proper PCR selections and locality selections
b. If pcrInfoWrite -> localityAtRelease disallows some localities
4094
i.
4095
c. Else
4096
i.
1011
1012
Set writeLocalities to TRUE
Set writeLocalities to FALSE
214
Level 2 Revision 116 28 February 2011
TCG Published
1013TPM Main Part 3 Commands
TCG © Copyright
1014Specification Version 1.2
40979. Validate that the attributes are consistent
4098
4099
a. The TPM SHALL ignore the bReadSTClear, bWriteSTClear and bWriteDefine
attributes during the execution of this command
4100
4101
b. If TPM_NV_PER_OWNERWRITE is TRUE and TPM_NV_PER_AUTHWRITE is TRUE
return TPM_AUTH_CONFLICT
4102
4103
c. If TPM_NV_PER_OWNERREAD is TRUE and TPM_NV_PER_AUTHREAD is TRUE
return TPM_AUTH_CONFLICT
4104
4105
4106
d. If
TPM_NV_PER_OWNERWRITE
and
TPM_NV_PER_AUTHWRITE
and
TPM_NV_PER_WRITEDEFINE and TPM_NV_PER_PPWRITE and writeLocalities are all
FALSE
4107
4108
i.
Return TPM_PER_NOWRITE
e. Validate pubInfo -> nvIndex
4109
4110
4111
4112
4113
i. Make sure that the index is applicable for this TPM. Return TPM_BADINDEX
on error. A valid index is platform and context sensitive. That is, attempting to
validate an index may be successful in one configuration and invalid in another
configuration. The individual index values MUST indicate if there are any
restrictions on the use of the index.
4114
ii. TPM_NV_INDEX_DIR is always an invalid defined index.
4115
f. If dataSize is 0 return TPM_BAD_PARAM_SIZE
411610.Create D1 a TPM_NV_DATA_SENSITIVE structure
4117
a. Set D1 -> pubInfo to pubInfo
4118
b. Set D1 -> authValue to A1
4119
c. Set D1 -> pubInfo -> bReadSTClear to FALSE
4120
d. Set D1 -> pubInfo -> bWriteSTClear to FALSE
4121
e. Set D1 -> pubInfo -> bWriteDefine to FALSE
412211.Validate that sufficient NV is available to store D1 and pubInfo -> dataSize bytes of data
4123
a. Return TPM_NOSPACE if pubInfo -> dataSize is not available in the TPM
412412.If pubInfo -> nvIndex is not TPM_NV_INDEX_TRIAL
4125
a. Reserve NV space for pubInfo -> dataSize
4126
b. Set all bytes in the newly defined area to 0xFF
4127
c. If NV1_INCREMENTED is TRUE
4128
i.
Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV1
412913.Ignore continueAuthSession on input and set to FALSE on output
413014.Return TPM_SUCCESS
1015Level 2 Revision 116 28 February 2011
1016
215
TCG Published
1017Copyright © TCG
1018
1019
413120.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_NV_WriteValue
4132Start of informative comment:
4133This command writes the value to a defined area. The write can be TPM Owner authorized
4134or unauthorized and protected by other attributes and will work when no TPM Owner is
4135present.
4136The action setting bGlobalLock to TRUE is intentionally before the action checking the
4137owner authorization. This allows code (e.g., a BIOS) to lock NVRAM without knowing the
4138owner authorization.
4139The DIR (TPM_NV_INDEX_DIR) has the attributes TPM_NV_PER_OWNERWRITE and
4140TPM_NV_WRITEALL.
4141Certain platform manufacturers or software might require specific error handling in Action
414220.2.
4143Owner authorization is not required when nvLocked is FALSE. If the host does send owner
4144authorization, Action 20.2 indicates that it should be correct, since some TPM
4145implementations may validate it.
4146End of informative comment.
4147Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Ordinal, TPM_ORD_NV_WriteValue
4
4
2S
4
TPM_NV_INDEX
nvIndex
The index of the area to set
5
4
3S
4
UINT32
offset
The offset into the NV Area
6
4
4S
4
UINT32
dataSize
The size of the data parameter
7
<>
5S
<>
BYTE[]
data
The data to set the area to
8
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for TPM Owner
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
9
20
3H1
20
TPM_NONCE
authNonceOdd
Nonce generated by caller
10
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
11
20
TPM_AUTHDATA
ownerAuth
The authorization session digest HMAC key: ownerAuth
Type
Name
Description
4148Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
4
TPM_RESULT
returnCode
The return code of the operation.
2S
1020
1021
1S
4
TPM_COMMAND_CODE
ordinal
ordinal, TPM_ORD_NV_WriteValue
216
Level 2 Revision 116 28 February 2011
TCG Published
1022TPM Main Part 3 Commands
TCG © Copyright
1023Specification Version 1.2
4
20
1
6
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
5
2H1
20
TPM_NONCE
authNonceOdd
Nonce generated by caller
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
ownerAuth
The authorization session digest HMAC key: ownerAuth
20
4149Description
4150For TPM_NV_INDEX_DIR, the ordinal MUST NOT set an error code for the “if dataSize = 0”
4151action. However, the flags set in this case are not applicable to the DIR.
4152Actions
41531. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks except
4154
for the max NV writes are ignored
4155
4156
4157
a. Ignored
checks
include
physical
presence,
owner
authorization,
TPM_NV_PER_OWNERWRITE, PCR, bWriteDefine, bGlobalLock, bWriteSTClear, locality,
disabled and deactivated.
4158
b. TPM_NV_PER_AUTHWRITE is not ignored.
4159
c. If ownerAuth is present, the TPM MAY check the authorization HMAC.
41602. Locate and set D1 to the TPM_NV_DATA_AREA that corresponds to nvIndex, return
4161
TPM_BADINDEX on error
4162
a. If nvIndex = TPM_NV_INDEX_DIR, set D1 to TPM_PERMANENT_DATA -> authDir[0]
41633. If TPM_PERMANENT_FLAGS -> nvLocked is TRUE
4164
a. If D1 -> permission -> TPM_NV_PER_OWNERWRITE is TRUE
4165
i.
4166
ii. If TPM_STCLEAR_FLAGS -> deactivated is TRUE, return TPM_DEACTIVATED
4167
If TPM_PERMANENT_FLAGS -> disable is TRUE, return TPM_DISABLED
b. If D1 -> permission -> TPM_NV_PER_OWNERWRITE is FALSE
4168
4169
i. If TPM_PERMANENT_FLAGS -> disable is TRUE, the TPM MAY return
TPM_DISABLED
4170
4171
ii. If TPM_STCLEAR_FLAGS -> deactivated is TRUE, the TPM MAY return
TPM_DEACTIVATED
41724. If tag = TPM_TAG_RQU_AUTH1_COMMAND then
4173
4174
a. If D1 -> permission
TPM_AUTH_CONFLICT
4175
4176
4177
i.
->
TPM_NV_PER_OWNERWRITE
is
FALSE
return
This check is ignored if nvIndex is TPM_NV_INDEX0.
b. Validate command and parameters using ownerAuth HMAC with TPM Owner
authentication as the secret, return TPM_AUTHFAIL on error
41785. Else
4179
4180
4181
a. If D1 -> permission
TPM_AUTH_CONFLICT
i.
->
TPM_NV_PER_OWNERWRITE
This check is ignored if nvIndex is TPM_NV_INDEX0.
1024Level 2 Revision 116 28 February 2011
1025
217
TCG Published
is
TRUE
return
1026Copyright © TCG
1027
1028
4182
TPM Main Part 3 Commands
Specification Version 1.2
b. If no TPM Owner validate max NV writes without an owner
4183
i.
4184
ii. Increment NV1 by 1
4185
iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES
4186
iv. Set NV1_INCREMENTED to TRUE
Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite
41876. If nvIndex is TPM_NV_INDEX0 then
4188
a. If dataSize is not 0, the TPM MAY return TPM_BADINDEX.
4189
b. Set TPM_STCLEAR_FLAGS -> bGlobalLock to TRUE
4190
c. Return TPM_SUCCESS
41917. If
D1
->
permission
4192
TPM_AUTH_CONFLICT
->
TPM_NV_PER_AUTHWRITE
is
TRUE
return
41938. Check that D1 -> pcrInfoWrite -> localityAtRelease for TPM_STANY_DATA ->
4194
localityModifier is TRUE
4195
4196
a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo ->
localityAtRelease -> TPM_LOC_TWO would have to be TRUE
4197
b. On error return TPM_BAD_LOCALITY
41989. If D1 -> attributes specifies TPM_NV_PER_PPWRITE then validate physical presence is
4199
asserted if not return TPM_BAD_PRESENCE
420010.If D1 -> attributes specifies TPM_NV_PER_WRITEDEFINE
4201
a. If D1 -> bWriteDefine is TRUE return TPM_AREA_LOCKED
420211.If D1 -> attributes specifies TPM_NV_PER_GLOBALLOCK
4203
a. If TPM_STCLEAR_FLAGS -> bGlobalLock is TRUE return TPM_AREA_LOCKED
420412.If D1 -> attributes specifies TPM_NV_PER_WRITE_STCLEAR
4205
a. If D1 ->bWriteSTClear is TRUE return TPM_AREA_LOCKED
420613.If D1 -> pcrInfoWrite -> pcrSelection specifies a selection of TPM_STCLEAR_DATA ->
4207
PCR[]
4208
4209
a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 ->
pcrInfoWrite
4210
4211
b. Compare P1 to D1 -> pcrInfoWrite -> digestAtRelease return TPM_WRONGPCRVAL
on mismatch
421214.If dataSize = 0 then
4213
a. Set D1 -> bWriteSTClear to TRUE
4214
b. Set D1 -> bWriteDefine to TRUE
421515.Else
4216
a. Set S1 to offset + dataSize
4217
b. If S1 > D1 -> dataSize return TPM_NOSPACE
1029
1030
218
Level 2 Revision 116 28 February 2011
TCG Published
1031TPM Main Part 3 Commands
TCG © Copyright
1032Specification Version 1.2
4218
4219
c. If D1 -> attributes specifies TPM_NV_PER_WRITEALL
i.
If dataSize != D1 -> dataSize return TPM_NOT_FULLWRITE
4220
d. Write the new value into the NV storage area
4221
e. If NV1_INCREMENTED is TRUE
4222
i.
Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV1
422316.Set D1 -> bReadSTClear to FALSE
422417.Return TPM_SUCCESS
1033Level 2 Revision 116 28 February 2011
1034
219
TCG Published
1035Copyright © TCG
1036
1037
422520.3
TPM Main Part 3 Commands
Specification Version 1.2
TPM_NV_WriteValueAuth
4226Start of informative comment:
4227This command writes to a previously defined area. The area must require authorization to
4228write. Use this command when authorization other than the owner authorization is to be
4229used. Otherwise, use TPM_NV_WriteValue.
4230The Part 2 ordinal table indicates that TPM_NV_WriteValueAuth requires an owner present.
4231This is normative, although it was a mistake.
4232End of informative comment.
4233Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
Tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Ordinal, TPM_ORD_NV_WriteValueAuth
4
4
2S
4
TPM_NV_INDEX
nvIndex
The index of the area to set
5
4
3S
4
UINT32
offset
The offset into the chunk
6
4
4S
4
UINT32
dataSize
The size of the data area
7
<>
5S
<>
BYTE
data
The data to set the area to
8
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for NV element authorization
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
10
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
11
20
TPM_AUTHDATA
authValue
HMAC key: NV element auth value
Type
Name
Description
9
4234Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
5
1
6
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
ordinal, TPM_ORD_NV_WriteValueAuth
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
NonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
authValue
HMAC key: NV element auth value
20
4235Actions
42361. Locate and set D1 to the TPM_NV_DATA_AREA that corresponds to nvIndex, return
4237
TPM_BADINDEX on error
1038
1039
220
Level 2 Revision 116 28 February 2011
TCG Published
1040TPM Main Part 3 Commands
TCG © Copyright
1041Specification Version 1.2
42382. If D1 -> attributes does not specify TPM_NV_PER_AUTHWRITE then return
4239
TPM_AUTH_CONFLICT
42403. Validate authValue using D1 -> authValue, return TPM_AUTHFAIL on error
42414. Check that D1 -> pcrInfoWrite -> localityAtRelease for TPM_STANY_DATA ->
4242
localityModifier is TRUE
4243
4244
a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo ->
localityAtRelease -> TPM_LOC_TWO would have to be TRUE
4245
b. On error return TPM_BAD_LOCALITY
42465. If D1 -> attributes specifies TPM_NV_PER_PPWRITE then validate physical presence is
4247
asserted if not return TPM_BAD_PRESENCE
42486. If D1 -> pcrInfoWrite -> pcrSelection specifies a selection of PCR
4249
4250
a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 ->
pcrInfoWrite
4251
b. Compare P1 to digestAtRelease return TPM_WRONGPCRVAL on mismatch
42527. If D1 -> attributes specifies TPM_NV_PER_WRITEDEFINE
4253
a. If D1 -> bWriteDefine is TRUE return TPM_AREA_LOCKED
42548. If D1 -> attributes specifies TPM_NV_PER_GLOBALLOCK
4255
a. If TPM_STCLEAR_FLAGS -> bGlobalLock is TRUE return TPM_AREA_LOCKED
42569. If D1 -> attributes specifies TPM_NV_PER_WRITE_STCLEAR
4257
a. If D1 -> bWriteSTClear is TRUE return TPM_AREA_LOCKED
425810.If dataSize = 0 then
4259
a. Set D1 -> bWriteSTClear to TRUE
4260
b. Set D1 -> bWriteDefine to TRUE
426111.Else
4262
a. Set S1 to offset + dataSize
4263
b. If S1 > D1 -> dataSize return TPM_NOSPACE
4264
c. If D1 -> attributes specifies TPM_NV_PER_WRITEALL
4265
4266
i.
If dataSize != D1 -> dataSize return TPM_NOT_FULLWRITE
d. Write the new value into the NV storage area
426712.Set D1 -> bReadSTClear to FALSE
426813.Return TPM_SUCCESS
1042Level 2 Revision 116 28 February 2011
1043
221
TCG Published
1044Copyright © TCG
1045
1046
426920.4
TPM Main Part 3 Commands
Specification Version 1.2
TPM_NV_ReadValue
4270Start of informative comment:
4271Read a value from the NV store. This command uses optional owner authentication.
4272Action 1 indicates that if the NV area is not locked then reading of the NV area continues
4273without ANY authorization. This is intentional, and allows a platform manufacturer to set
4274the NV areas, read them back, and then lock them all without having to install a TPM
4275owner.
4276Certain platform manufacturers or software might require specific error handling in Action
427720.4.
4278Owner authorization is not required when nvLocked is FALSE. If the host does send owner
4279authorization, Action 20.4 indicates that it should be correct, since some TPM
4280implementations may validate it.
4281End of informative comment.
4282Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Ordinal, TPM_ORD_NV_ReadValue
4
4
2S
4
TPM_NV_INDEX
nvIndex
The index of the area to set
5
4
3S
4
UINT32
offset
The offset into the area
6
4
4S
4
UINT32
dataSize
The size of the data area
7
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for TPM Owner authorization
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
20
3H1
20
TPM_NONCE
authNonceOdd
Nonce generated by caller
9
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
10
20
TPM_AUTHDATA
ownerAuth
HMAC key: ownerAuth
Type
Name
Description
4283Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
TPM_RESULT
returnCode
The return code of the operation.
1S
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_NV_ReadValue
4
3S
4
UINT32
dataSize
The size of the data area
5
<>
4S
<>
BYTE[]
data
The data to set the area to
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
ownerAuth
HMAC key: ownerAuth
20
4284Actions
42851. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks are
4286
ignored.
4287
4288
a. Ignored checks include physical presence, owner authorization, PCR, bReadSTClear,
locality, TPM_NV_PER_OWNERREAD, disabled and deactivated.
4289
b. TPM_NV_PER_AUTHREAD is not ignored.
4290
c. If ownerAuth is present, the TPM MAY check the authorization HMAC.
42912. Set D1 a TPM_NV_DATA_AREA structure to the area pointed to by nvIndex, if not found
4292
return TPM_BADINDEX
4293
a. If nvIndex = TPM_NV_INDEX_DIR, set D1 to TPM_PERMANENT_DATA -> authDir[0]
42943. If TPM_PERMANENT_FLAGS -> nvLocked is TRUE
4295
a. If D1 -> permission -> TPM_NV_PER_OWNERREAD is TRUE
4296
i.
4297
ii. If TPM_STCLEAR_FLAGS -> deactivated is TRUE, return TPM_DEACTIVATED
4298
If TPM_PERMANENT_FLAGS -> disable is TRUE, return TPM_DISABLED
b. If D1 -> permission -> TPM_NV_PER_OWNERREAD is FALSE
4299
4300
i. If TPM_PERMANENT_FLAGS -> disable is TRUE, the TPM MAY return
TPM_DISABLED
4301
4302
ii. If TPM_STCLEAR_FLAGS -> deactivated is TRUE, the TPM MAY return
TPM_DEACTIVATED
43034. If tag = TPM_TAG_RQU_AUTH1_COMMAND then
4304
a. If D1 -> TPM_NV_PER_OWNERREAD is FALSE return TPM_AUTH_CONFLICT
4305
4306
b. Validate command and parameters using TPM Owners authentication on error return
TPM_AUTHFAIL
43075. Else
4308
a. If D1 -> TPM_NV_PER_AUTHREAD is TRUE return TPM_AUTH_CONFLICT
4309
b. If D1 -> TPM_NV_PER_OWNERREAD is TRUE return TPM_AUTH_CONFLICT
43106. Check that D1 -> pcrInfoRead -> localityAtRelease for TPM_STANY_DATA ->
4311
localityModifier is TRUE
4312
4313
a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo ->
localityAtRelease -> TPM_LOC_TWO would have to be TRUE
4314
b. On error return TPM_BAD_LOCALITY
43157. If D1 -> attributes specifies TPM_NV_PER_PPREAD then validate physical presence is
4316
asserted if not return TPM_BAD_PRESENCE
43178. If D1 -> TPM_NV_PER_READ_STCLEAR then
1051Level 2 Revision 116 28 February 2011
1052
223
TCG Published
1053Copyright © TCG
1054
1055
4318
TPM Main Part 3 Commands
Specification Version 1.2
a. If D1 -> bReadSTClear is TRUE return TPM_DISABLED_CMD
43199. If D1 -> pcrInfoRead -> pcrSelection specifies a selection of PCR
4320
4321
a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 ->
pcrInfoRead
4322
4323
b. Compare P1 to D1 -> pcrInfoRead -> digestAtRelease return TPM_WRONGPCRVAL on
mismatch
432410.If dataSize is 0 then
4325
a. Set D1 -> bReadSTClear to TRUE
4326
b. Set data to NULL (output parameter dataSize to 0)
432711.Else
4328
a. Set S1 to offset + dataSize
4329
b. If S1 > D1 -> dataSize return TPM_NOSPACE
4330
c. Set data to area pointed to by offset
4331
i.
This includes partial reads of TPM_NV_INDEX_DIR.
433212.Return TPM_SUCCESS
1056
1057
224
Level 2 Revision 116 28 February 2011
TCG Published
1058TPM Main Part 3 Commands
TCG © Copyright
1059Specification Version 1.2
433320.5
TPM_NV_ReadValueAuth
4334Start of informative comment:
4335This command requires that the read be authorized by a value set with the blob.
4336The Part 2 ordinal table indicates that TPM_NV_ReadValueAuth requires an owner present.
4337This is normative, although it was a mistake.
4338End of informative comment.
4339Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Ordinal, TPM_ORD_NV_ReadValueAuth
4
4
2S
4
TPM_NV_INDEX
nvIndex
The index of the area to set
5
4
3S
4
UNIT32
offset
The offset from the data area
6
4
5S
4
UINT32
dataSize
The size of the data area
7
4
TPM_AUTHHANDLE
authHandle
authThe auth handle for the NV element authorization
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
20
3H1
20
TPM_NONCE
authNonceOdd
Nonce generated by system associated with authHandle
9
1
4H1
1
BOOL
authContinueSession
The continue use flag for the authorization session handle
10
20
TPM_AUTHDATA
authHmac
HMAC key: nv element authorization
Type
Name
Description
4340Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
ordinal, TPM_ORD_NV_ReadValueAuth
4
4
3S
4
UINT32
dataSize
The size of the data area
5
<>
4S
<>
BYTE[]
data
The data
6
20
2H1
20
TPM_NONCE
authNonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
authLastNonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
authContinueSession
Continue use flag, TRUE if handle is still active
8
20
TPM_AUTHDATA
authHmacOut
HMAC key: nv element authorization
7
1
8
20
4341Actions
43421. Locate and set D1 to the TPM_NV_DATA_AREA that corresponds to nvIndex, on error
4343
return TPM_BADINDEX
1060Level 2 Revision 116 28 February 2011
1061
225
TCG Published
1062Copyright © TCG
1063
1064
TPM Main Part 3 Commands
Specification Version 1.2
43442. If D1 -> TPM_NV_PER_AUTHREAD is FALSE return TPM_AUTH_CONFLICT
43453. Validate authHmac using D1 -> authValue on error return TPM_AUTHFAIL
43464. If D1 -> attributes specifies TPM_NV_PER_PPREAD then validate physical presence is
4347
asserted if not return TPM_BAD_PRESENCE
43485. Check that D1 -> pcrInfoRead -> localityAtRelease for TPM_STANY_DATA ->
4349
localityModifier is TRUE
4350
4351
a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo ->
localityAtRelease -> TPM_LOC_TWO would have to be TRUE
4352
b. On error return TPM_BAD_LOCALITY
43536. If D1 -> pcrInfoRead -> pcrSelection specifies a selection of PCR
4354
4355
a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 ->
pcrInfoRead
4356
4357
b. Compare P1 to D1 -> pcrInfoRead -> digestAtRelease return TPM_WRONGPCRVAL on
mismatch
43587. If D1 specifies TPM_NV_PER_READ_STCLEAR then
4359
a. If D1 -> bReadSTClear is TRUE return TPM_DISABLED_CMD
43608. If dataSize is 0 then
4361
a. Set D1 -> bReadSTClear to TRUE
4362
b. Set data to all zeros
43639. Else
4364
a. Set S1 to offset + dataSize
4365
b. If S1 > D1 -> dataSize return TPM_NOSPACE
4366
c. Set data to area pointed to by offset
436710.Return TPM_SUCCESS
1065
1066
226
Level 2 Revision 116 28 February 2011
TCG Published
1067TPM Main Part 3 Commands
TCG © Copyright
1068Specification Version 1.2
436821.
Session Management
4369Start of informative comment:
4370Three TPM_RT_CONTEXT session resources located in TPM_STANY_DATA work together to
4371control session save and load: contextNonceSession, contextCount, and contextList[].
4372All three MUST initialized at TPM_Startup(ST_CLEAR) and TPM_Startup(ST_DEACTIVATED)
4373and MAY be initialized at TPM_Startup(ST_STATE). Initializing invalidates all saved
4374sessions. They MAY be restored by TPM_Startup(ST_STATE). This case would allow saved
4375sessions to be loaded.
The actual ST_STATE operation is reported by the
4376TPM_RT_CONTEXT startup effect.
4377TPM_SaveContext creates a contextBlob containing an encrypted contextNonceSession. The
4378nonce is checked by TPM_LoadContext. So initializing contextNonceSession invalidates all
4379saved contexts. The nonce is large and protected, making a replay infeasible.
4380The contextBlob also contains a public but protected contextCount. The count increments
4381for each saved contextBlob. The TPM also saves contextCount in contextList[]. The TPM
4382validates contextBlob against the contextList[] during TPM_LoadContext. Since the
4383contextList[] is finite, it limits the number of valid saved sessions. Since the contextCount
4384cannot be allowed to wrap, it limits the total number of saved sessions.
4385After a contextBlob is loaded, its contextCount entry is removed from contextList[]. This
4386releases space in the context list for future entries. It also invalidates the contextBlob. So a
4387saved contextBlob can be loaded only once.
4388TPM_FlushSpecific can also specify a contextCount to be removed from the contextList[],
4389allowing invalidation of an individual contextBlob. This is different from TPM_FlushSpecific
4390specifying a session handle, which invalidates a loaded session, not a saved contextBlob.
4391End of informative comment.
4392
439321.1
TPM_KeyControlOwner
4394Start of informative comment:
4395This command controls some attributes of keys that are stored within the TPM key cache.
4396OwnerEvict: If this bit is set to true, this key remains in the TPM non-volatile storage
4397through all TPM_Startup events. The only way to evict this key is for the TPM Owner to
4398execute this command again, setting the owner control bit to false and then executing
4399TPM_FlushSpecific.
4400The key handle does not reference an authorized entity and is not validated.
4401The check for two remaining key slots ensures that users can load the two keys required to
4402execute many commands. Since only the owner can flush owner evict keys, non-owner
4403commands could be blocked if this test was not performed.
4404End of informative comment.
4405Incoming Parameters and Sizes
PARAM
HMAC
Type
1069Level 2 Revision 116 28 February 2011
1070
Name
227
TCG Published
Description
1071Copyright © TCG
1072
1073
#
SZ
1
2
2
4
3
4
4
4
5
<>
2S
6
4
7
1
8
4
9
#
TPM Main Part 3 Commands
Specification Version 1.2
SZ
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
UINT32
paramSize
Total number of input bytes incl. paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_KeyControlOwner
TPM_KEY_HANDLE
keyHandle
The handle of a loaded key.
<>
TPM_PUBKEY
pubKey
The public key associated with the loaded key
3S
4
TPM_KEY_CONTROL
bitName
The name of the bit to be modified
4S
1
BOOL
bitValue
The value to set the bit to
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
10
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
11
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
12
20
20
TPM_AUTHDATA
ownerAuth
HMAC authorization: key ownerAuth
Type
Name
Description
4406Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
5
1
6
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal:TPM_ORD_KeyControlOwner
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM.
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
HMAC authorization: key ownerAuth
20
4407Description
44081. Set an internal bit within the key cache that controls some attribute of a loaded key.
4409Actions
44101. Validate the AuthData using the owner authentication value, on error return
4411
TPM_AUTHFAIL
44122. Validate that keyHandle refers to a loaded key, return TPM_INVALID_KEYHANDLE on
4413
error.
44143. Validate that pubKey matches the key held by the TPM pointed to by keyHandle, return
4415
TPM_BAD_PARAMETER on mismatch
4416
4417
a. This check is added so that virtualization of the keyHandle does not result in attacks,
as the keyHandle is not associated with an authorization value
44184. Validate that bitName is valid, return TPM_BAD_MODE on error.
44195. If bitName == TPM_KEY_CONTROL_OWNER_EVICT
1074
1075
228
Level 2 Revision 116 28 February 2011
TCG Published
1076TPM Main Part 3 Commands
TCG © Copyright
1077Specification Version 1.2
4420
a. If bitValue == TRUE
4421
4422
4423
i. Verify that after this operation at least two key slots will be present within the
TPM that can store any type of key both of which do NOT have the OwnerEvict bit
set, on error return TPM_NOSPACE
4424
4425
ii. Verify that for this key handle, parentPCRStatus is FALSE and isVolatile is
FALSE. Return TPM_BAD_PARAMETER on error.
4426
iii. Set ownerEvict within the internal key storage structure to TRUE.
4427
4428
b. Else if bitValue == FALSE
i.
Set ownerEvict within the internal key storage structure to FALSE.
44296. Return TPM_SUCCESS
1078Level 2 Revision 116 28 February 2011
1079
229
TCG Published
1080Copyright © TCG
1081
1082
443021.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_SaveContext
4431Start of informative comment:
4432TPM_SaveContext saves a loaded resource outside the TPM. After successful execution of
4433the command, the TPM automatically releases the internal memory for sessions but leaves
4434keys in place.
4435There is no assumption that a saved context blob is stored in a safe, protected area. Since
4436the context blob can be loaded at any time, do not rely on TPM_SaveContext to restrict
4437access to an entity such as a key. If use of the entity should be restricted, means such as
4438authorization secrets or PCR’s should be used.
4439In general, TPM_SaveContext can save a transport session. However, it cannot save an
4440exclusive transport session, because any ordinal other than TPM_ExecuteTransport
4441terminates the exclusive transport session. This action prevents the exclusive transport
4442session from being saved and reloaded while intervening commands are hidden from the
4443transport log.
4444End of informative comment.
4445Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SaveContext
4
4
TPM_HANDLE
handle
Handle of the resource being saved.
5
4
2S
4
TPM_RESOURCE_TYPE
resourceType
The type of resource that is being saved
6
16
3S
16
BYTE[16]
label
Label for identification purposes
Type
Name
Description
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
#
SZ
1
#
SZ
1S
4
4446Outgoing Parameters and Sizes
PARAM
#
SZ
1
2
2
4
3
4
HMAC
#
SZ
UINT32
paramSize
Total number of output bytes including paramSize and tag
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SaveContext
4
4
3S
4
UINT32
contextSize
The actual size of the outgoing context blob
5
<>
4S
<>
TPM_CONTEXT_BLOB
contextBlob
The context blob
4447Description
44481. The caller of the function uses the label field to add additional sequencing, anti-replay or
4449
other items to the blob. The information does not need to be confidential but needs to be
4450
part of the blob integrity.
1083
1084
230
Level 2 Revision 116 28 February 2011
TCG Published
1085TPM Main Part 3 Commands
TCG © Copyright
1086Specification Version 1.2
4451Actions
44521. Map V1 to TPM_STANY_DATA
44532. Validate that handle points to
4454
TPM_INVALID_RESOURCE on error
resource
that
matches
resourceType,
return
44553. Validate that resourceType is a resource from the following list if not return
4456
TPM_INVALID_RESOURCE
4457
a. TPM_RT_KEY
4458
b. TPM_RT_AUTH
4459
c. TPM_RT_TRANS
4460
d. TPM_RT_DAA_TPM
44614. Locate the correct nonce
4462
4463
a. If resourceType is TPM_RT_KEY
i.
4464
4465
If TPM_STCLEAR_DATA -> contextNonceKey is all zeros
(1)
Set TPM_STCLEAR_DATA -> contextNonceKey to the next value from
the TPM RNG
4466
ii. Map N1 to TPM_STCLEAR_DATA -> contextNonceKey
4467
4468
iii. If the key has TPM_KEY_CONTROL_OWNER_EVICT
TPM_OWNER_CONTROL
4469
i.
then
return
b. Else
4470
set
4471
4472
If V1 -> contextNonceSession is all zeros
(1)
Set V1 -> contextNonceSession to the next value from the TPM RNG
ii. Map N1 to V1 -> contextNonceSession
44735. Set K1 to TPM_PERMANENT_DATA -> contextKey
44746. Create R1 by putting the sensitive part of the resource pointed to by handle into a
4475
structure. The structure is a TPM manufacturer option. The TPM MUST ensure that ALL
4476
sensitive information of the resource is included in R1.
44777. Create C1 a TPM_CONTEXT_SENSITIVE structure
4478
4479
4480
a. C1 forms the inner encrypted wrapper for the blob. All saved context blobs MUST
include a TPM_CONTEXT_SENSITIVE structure and the TPM_CONTEXT_SENSITIVE
structure MUST be encrypted.
4481
b. Set C1 -> contextNonce to N1
4482
c. Set C1 -> internalData to R1
44838. Create B1 a TPM_CONTEXT_BLOB
4484
a. Set B1 -> tag to TPM_TAG_CONTEXTBLOB
4485
b. Set B1 -> resourceType to resourceType
4486
c. Set B1 -> handle to handle
4487
d. Set B1 -> integrityDigest to all zeros
1087Level 2 Revision 116 28 February 2011
1088
231
TCG Published
1089Copyright © TCG
1090
1091
TPM Main Part 3 Commands
Specification Version 1.2
4488
e. Set B1 -> label to label
4489
4490
4491
f. Set B1 -> additionalData to information determined by the TPM manufacturer. This
data will help the TPM to reload and reset context. This area MUST NOT hold any data
that is sensitive (symmetric IV are fine, prime factors of an RSA key are not).
4492
4493
i. For OSAP sessions and for DSAP sessions attached to keys, the hash of the
entity MUST be included in additionalData
4494
g. Set B1 -> additionalSize to the size of additionalData
4495
h. Set B1 -> sensitiveSize to the size of C1
4496
i.
Set B1 -> sensitiveData to C1
44979. If resourceType is TPM_RT_KEY
4498
a. Set B1 -> contextCount to 0
449910.Else
4500
a. If V1 -> contextCount > 232-2 then
4501
i.
4502
b. Else
4503
i.
Return with TPM_TOOMANYCONTEXTS
Validate that the TPM can still manage the new count value
4504
4505
(1)
If the distance between the oldest saved context and the contextCount
is too large return TPM_CONTEXT_GAP
4506
4507
ii. Find contextIndex such that V1 -> contextList[contextIndex] equals 0. If not
found exit with TPM_NOCONTEXTSPACE
4508
iii. Increment V1 -> contextCount by 1
4509
iv. Set V1-> contextList[contextIndex] to V1 -> contextCount
4510
v. Set B1 -> contextCount to V1 -> contextCount
4511
4512
c. The TPM MUST invalidate all information regarding the resource except for
information needed for reloading
451311.Calculate B1 -> integrityDigest the HMAC of B1 using TPM_PERMANENT_DATA ->
4514
tpmProof as the secret
451512.Create E1 by encrypting C1 using K1 as the key
4516
a. Set B1 -> sensitiveSize to the size of E1
4517
b. Set B1 -> sensitiveData to E1
451813.Set contextSize to the size of B1
451914.Return B1 in contextBlob
1092
1093
232
Level 2 Revision 116 28 February 2011
TCG Published
1094TPM Main Part 3 Commands
TCG © Copyright
1095Specification Version 1.2
452021.3
TPM_LoadContext
4521Start of informative comment:
4522TPM_LoadContext loads into the TPM a previously saved context. The command returns a
4523handle.
4524End of informative comment.
4525Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadContext
4
4
TPM_HANDLE
entityHandle
The handle the TPM MUST use to locate the entity tied to the OSAP/DSAP
session
5
1
2S
1
BOOL
keepHandle
Indication if the handle MUST be preserved
6
4
3S
4
UINT32
contextSize
The size of the following context blob.
7
<>
4S
<>
TPM_CONTEXT_BLOB
contextBlob
The context blob
Type
Name
Description
#
SZ
1
#
1S
SZ
4
4526Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
4
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadContext
TPM_HANDLE
handle
The handle assigned to the resource after it has been successfully loaded.
4527Actions
45281. Map contextBlob to B1, a TPM_CONTEXT_BLOB structure
45292. Map V1 to TPM_STANY_DATA
45303. Create M1 by decrypting B1 -> sensitiveData using TPM_PERMANENT_DATA ->
4531
contextKey
45324. Create C1 and R1 by splitting M1 into a TPM_CONTEXT_SENSITIVE structure and
4533
internal resource data
45345. Check contextNonce
4535
4536
4537
a. If B1 -> resourceType is NOT TPM_RT_KEY
i. If C1 -> contextNonce does not equal V1 -> contextNonceSession return
TPM_BADCONTEXT
1096Level 2 Revision 116 28 February 2011
1097
233
TCG Published
1098Copyright © TCG
1099
1100
TPM Main Part 3 Commands
Specification Version 1.2
4538
4539
4540
ii. Validate that the resource pointed to by the context is loaded (i.e. for OSAP the
key referenced is loaded and DSAP connected to the key) return
TPM_RESOURCEMISSING
4541
4542
(1)
For OSAP sessions and for DSAP sessions attached to keys, the TPM
MUST validate that the hash of the entity matches the entity held by the TPM
4543
4544
4545
(2)
For OSAP and DSAP sessions referring to a key, verify that entityHandle
identifies the key linked to this OSAP/DSAP session, if not return
TPM_BAD_HANDLE.
4546
b. Else
4547
4548
i. If C1 -> internalData -> parentPCRStatus is FALSE and C1 -> internalData ->
isVolatile is FALSE
4549
(1)
4550
Ignore C1 -> contextNonce
ii. else
4551
4552
(1)
If C1 -> contextNonce does not equal TPM_STCLEAR_DATA ->
contextNonceKey return TPM_BADCONTEXT
45536. Validate the structure
4554
a. Set H1 to B1 -> integrityDigest
4555
b. Set B1 -> integrityDigest to all zeros
4556
c. Copy M1 to B1 -> sensitiveData
4557
4558
d. Create H2 the HMAC of B1 using TPM_PERMANENT_DATA -> tpmProof as the HMAC
key
4559
e. If H2 does not equal H1 return TPM_BADCONTEXT
45607. If keepHandle is TRUE
4561
a. Set handle to B1 -> handle
4562
b. If the TPM is unable to restore the handle the TPM MUST return TPM_BAD_HANDLE
45638. Else
4564
4565
a. The TPM SHOULD attempt to restore the handle but if not possible it MAY set the
handle to any valid for B1 -> resourceType
45669. If B1 -> resourceType is NOT TPM_RT_KEY
4567
4568
a. Find contextIndex such that V1 -> contextList[contextIndex] equals B1 ->
TPM_CONTEXT_BLOB -> contextCount
4569
b. If not found then return TPM_BADCONTEXT
4570
c. Set V1 -> contextList[contextIndex] to 0
457110.Process B1 to return the resource back into TPM use
1101
1102
234
Level 2 Revision 116 28 February 2011
TCG Published
1103TPM Main Part 3 Commands
TCG © Copyright
1104Specification Version 1.2
457222.
Eviction
4573Start of informative comment:
4574The TPM has numerous resources held inside of the TPM that may need eviction. The need
4575for eviction occurs when the number or resources in use by the TPM exceed the available
4576space. For resources that are hard to reload (i.e. keys tied to PCR values) the outside entity
4577should first perform a context save before evicting items.
4578In version 1.1 there were separate commands to evict separate resource types. This new
4579command set uses the resource types defined for context saving and creates a generic
4580command that will evict all resource types.
4581End of informative comment.
4582The TPM MUST NOT flush the EK or SRK using this command.
4583Version 1.2 deprecates the following commands:
4584● TPM_Terminate_Handle
4585● TPM_EvictKey
4586● TPM_Reset
1105Level 2 Revision 116 28 February 2011
1106
235
TCG Published
1107Copyright © TCG
1108
1109
458722.1
TPM Main Part 3 Commands
Specification Version 1.2
TPM_FlushSpecific
4588Start of informative comment:
4589TPM_FlushSpecific flushes from the TPM a specific handle.
4590End of informative comment.
4591Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_FlushSpecific
4
4
TPM_HANDLE
handle
The handle of the item to flush
5
4
TPM_RESOURCE_TYPE
resourceType
The type of resource that is being flushed
Type
Name
Description
#
SZ
1
#
1S
2S
SZ
4
4
4592Outgoing Parameters and Sizes
PARAM
HMAC
#
#
SZ
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_FlushSpecific
4593Description
4594TPM_FlushSpecific releases the resources associated with the given handle.
4595Actions
45961. If resourceType is TPM_RT_CONTEXT
4597
4598
4599
a. The handle for a context is not a handle but the "context count" value. The TPM uses
the "context count" value to locate the proper contextList entry and sets R1 to the
contextList entry
46002. Else if resourceType is TPM_RT_KEY
4601
a. Set R1 to the key pointed to by handle
4602
b. If R1 -> ownerEvict is TRUE return TPM_KEY_OWNER_CONTROL
46033. Else if resourceType is TPM_RT_AUTH
4604
a. Set R1 to the authorization session pointed to by handle
46054. Else if resourceType is TPM_RT_TRANS
4606
a. Set R1 to the transport session pointed to by handle
46075. Else if resourceType is TPM_RT_DAA_TPM
1110
1111
236
Level 2 Revision 116 28 February 2011
TCG Published
1112TPM Main Part 3 Commands
TCG © Copyright
1113Specification Version 1.2
4608
a. Set R1 to the DAA session pointed to by handle
46096. Else return TPM_INVALID_RESOURCE
46107. Validate that R1 determined by resourceType and handle points to a valid allocated
4611
resource. Return TPM_BAD_PARAMETER on error.
46128. Invalidate R1 and all internal resources allocated to R1
4613
a. Resources include authorization sessions
1114Level 2 Revision 116 28 February 2011
1115
237
TCG Published
1116Copyright © TCG
1117
1118
TPM Main Part 3 Commands
Specification Version 1.2
461423.
Timing Ticks
4615Start of informative comment:
4616The TPM timing ticks are always available for use. The association of timing ticks to actual
4617time is a protocol that occurs outside of the TPM. See the design document for details.
4618The setting of the clock type variable is a one time operation that allows the TPM to be
4619configured to the type of platform that is installed on.
4620The ability for the TPM to continue to increment the timer ticks across power cycles of the
4621platform is a TPM and platform manufacturer decision.
4622End of informative comment.
462323.1
TPM_GetTicks
4624Start of informative comment:
4625This command returns the current tick count of the TPM.
4626End of informative comment.
4627Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Ordinal: TPM_ORD_GetTicks
Type
Name
Description
#
SZ
1
#
SZ
1S
4
4628Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
32
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Ordinal: TPM_ORD_GetTicks
3S
32
TPM_CURRENT_TICKS
currentTime
The current time held in the TPM
4629Description
4630This command returns the current time held in the TPM. It is the responsibility of the
4631external system to maintain any relation between this time and a UTC value or local real
4632time value.
4633Actions
46341. Set T1 to the internal TPM_CURRENT_TICKS structure
46352. Return T1 as currentTime.
1119
1120
238
Level 2 Revision 116 28 February 2011
TCG Published
1121TPM Main Part 3 Commands
TCG © Copyright
1122Specification Version 1.2
463623.2
TPM_TickStampBlob
4637Start of informative comment:
4638This command applies a time stamp to the passed blob. The TPM makes no representation
4639regarding the blob merely that the blob was present at the TPM at the time indicated.
4640End of informative comment.
4641Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Ordinal, fixed value of TPM_ORD_TickStampBlob
4
4
TPM_KEY_HANDLE
keyHandle
The keyHandle identifier of a loaded key that can perform digital
signatures.
5
20
2S
20
TPM_NONCE
antiReplay
Anti replay value added to signature
6
20
3S
20
TPM_DIGEST
digestToStamp
The digest to perform the tick stamp on
7
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle authorization
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
9
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
10
20
TPM_AUTHDATA
privAuth
The authorization session digest that authorizes the use of keyHandle.
HMAC key: key.usageAuth
1123Level 2 Revision 116 28 February 2011
1124
239
TCG Published
1125Copyright © TCG
1126
1127
TPM Main Part 3 Commands
Specification Version 1.2
4642Outgoing Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Ordinal, fixed value of TPM_ORD_TickStampBlob
4
32
3S
32
TPM_CURRENT_TICKS
currentTicks
The current time according to the TPM
5
4
4S
4
UINT32
sigSize
The length of the returned digital signature
6
<>
5S
<>
BYTE[ ]
sig
The resulting digital signature.
7
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
key.usageAuth
8
1
9
20
4643Description
4644The function performs a digital signature on the hash of digestToStamp and the current tick
4645count.
4646It is the responsibility of the external system to maintain any relation between tick count
4647and a UTC value or local real time value.
4648Actions
46491. The TPM validates the AuthData to use the key pointed to by keyHandle.
46502. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY or
4651
TPM_KEY_LEGACY, if not return the error code TPM_INVALID_KEYUSAGE.
46523. Validate that keyHandle -> sigScheme is TPM_SS_RSASSAPKCS1v15_SHA1 or
4653
TPM_SS_RSASSAPKCS1v15_INFO, if not return TPM_INAPPROPRIATE_SIG.
46544. If TPM_STCLEAR_DATA -> currentTicks is not properly initialized
4655
a. Initialize the TPM_STCLEAR_DATA -> currentTicks
46565. Create T1, a TPM_CURRENT_TICKS structure.
46576. Create H1 a TPM_SIGN_INFO structure and set the structure defaults
4658
a. Set H1 -> fixed to “TSTP”
4659
b. Set H1 -> replay to antiReplay
4660
c. Create H2 the concatenation of digestToStamp || T1
4661
d. Set H1 -> dataLen to the length of H2
4662
e. Set H1 -> data to H2
1128
1129
240
Level 2 Revision 116 28 February 2011
TCG Published
1130TPM Main Part 3 Commands
TCG © Copyright
1131Specification Version 1.2
46637. The TPM computes the signature, sig, using the key referenced by keyHandle, using
4664
SHA-1 of H1 as the information to be signed
46658. The TPM returns T1 as currentTicks parameter
1132Level 2 Revision 116 28 February 2011
1133
241
TCG Published
1134Copyright © TCG
1135
1136
466624.
4667
TPM Main Part 3 Commands
Specification Version 1.2
Transport Sessions
4668See Part 1 for rationale and security issues.
466924.1
TPM_EstablishTransport
4670Start of informative comment:
4671This establishes the transport session. Depending on the attributes specified for the session
4672this may establish shared secrets, encryption keys, and session logs. The session will be in
4673use for by the TPM_ExecuteTransport command.
4674The only restriction on what can happen inside of a transport session is that there is no
4675“nesting” of sessions. It is permissible to perform operations that delete internal state and
4676make the TPM inoperable.
4677End of informative comment.
4678Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_EstablishTransport
4
4
TPM_KEY_HANDLE
encHandle
The handle to the key that encrypted the blob
5
<>
2S
<>
TPM_TRANSPORT_PUBLIC
transPublic
The public information describing the transport session
6
4
3S
4
UINT32
secretSize
The size of the secret Area
7
<>
4S
<>
BYTE[]
secret
The encrypted secret area
8
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for keyHandle authorization
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
9
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
10
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
11
20
TPM_AUTHDATA
keyAuth
Authorization. HMAC key: encKey.usageAuth
4679
1137
1138
242
Level 2 Revision 116 28 February 2011
TCG Published
1139TPM Main Part 3 Commands
TCG © Copyright
1140Specification Version 1.2
4680Outgoing Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_EstablishTransport
TPM_TRANSHANDLE
transHandle
The handle for the transport session
4
4
5
4
3S
4
TPM_MODIFIER_INDICATOR
locality
The locality that called this command
6
32
4S
32
TPM_CURRENT_TICKS
currentTicks
The current tick count
7
20
5S
20
TPM_NONCE
transNonceEven
The even nonce in use for subsequent execute transport
8
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
Authorization. HMAC key: key.usageAuth
9
1
10
20
4681Description
4682This command establishes the transport sessions shared secret. The encryption of the
4683shared secret uses the public key of the key loaded in encKey.
4684Actions
46851. If encHandle is TPM_KH_TRANSPORT then
4686
a. If tag is NOT TPM_TAG_RQU_COMMAND return TPM_BADTAG
4687
4688
b. If transPublic -> transAttributes specifies TPM_TRANSPORT_ENCRYPT return
TPM_BAD_SCHEME
4689
c. If secretSize is not 20 return TPM_BAD_PARAM_SIZE
4690
d. Set A1 to secret
46912. Else
4692
4693
a. encHandle -> keyUsage MUST be TPM_KEY_STORAGE or TPM_KEY_LEGACY return
TPM_INVALID_KEYUSAGE on error
4694
4695
b. If encHandle -> authDataUsage does not equal TPM_AUTH_NEVER and tag is NOT
TPM_TAG_RQU_AUTH1_COMMAND return TPM_AUTHFAIL
4696
4697
c. Using encHandle -> usageAuth validate the AuthData to use the key and the
parameters to the command
4698
4699
d. Create K1 a TPM_TRANSPORT_AUTH structure by decrypting secret using the key
pointed to by encHandle
4700
e. Validate K1 for tag
4701
f. Set A1 to K1 -> authData
1141Level 2 Revision 116 28 February 2011
1142
243
TCG Published
1143Copyright © TCG
1144
1145
TPM Main Part 3 Commands
Specification Version 1.2
47023. If transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT
4703
4704
a. If TPM_PERMANENT_FLAGS -> FIPS is true and transPublic -> algId is equal to
TPM_ALG_MGF1 return TPM_INAPPROPRIATE_ENC
4705
4706
b. Check
if
the
transPublic
TPM_BAD_KEY_PROPERTY
4707
4708
c. If transPublic -> algid is TPM_ALG_AESXXX, check that transPublic -> encScheme is
supported, if not return TPM_INAPPROPRIATE_ENC
4709
d. Perform any initializations necessary for the algorithm
->
algId
is
supported,
if
not
return
47104. Generate transNonceEven from the TPM RNG
47115. Create T1 a TPM_TRANSPORT_INTERNAL structure
4712
4713
a. Ensure that the TPM has sufficient internal space to allocate the transport session,
return TPM_RESOURCES on error
4714
b. Assign a T1 -> transHandle value. This value is assigned by the TPM
4715
c. Set T1 -> transDigest to all zeros
4716
d. Set T1 -> transPublic to transPublic
4717
e. Set T1-> transNonceEven to transNonceEven
4718
f. Set T1 -> authData to A1
47196. If TPM_STANY_DATA -> currentTicks is not properly initialized
4720
a. Initialize the TPM_STANY_DATA -> currentTicks
47217. Set currentTicks to TPM_STANY_DATA -> currentTicks
47228. If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_LOG set then
4723
a. Create L1 a TPM_TRANSPORT_LOG_IN structure
4724
i.
4725
ii. Set L1 -> pubKeyHash to all zeros
4726
iii. Set T1 -> transDigest to SHA-1 (T1 -> transDigest || L1)
4727
Set L1 -> parameters to SHA-1 (ordinal || transPublic || secretSize || secret)
b. Create L2 a TPM_TRANSPORT_LOG_OUT structure
4728
4729
i. Set L2 -> parameters to SHA-1 (returnCode || ordinal || locality ||
currentTicks || transNonceEven)
4730
ii. Set L2 -> locality to the locality of this command
4731
4732
iii. Set L2 -> currentTicks to currentTicks, this MUST be the same value that is
returned in the currentTicks parameter
4733
iv. Set T1 -> transDigest to SHA-1 (T1 -> transDigest || L2)
47349. If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_EXCLUSIVE then set
4735
TPM_STANY_FLAGS -> transportExclusive to TRUE
4736
4737
4738
1146
1147
a. Execution
of
any
command
other
than
TPM_ExecuteTransport
or
TPM_ReleaseTransportSigned targeting this transport session will cause the abnormal
invalidation of this transport session transHandle
244
Level 2 Revision 116 28 February 2011
TCG Published
1148TPM Main Part 3 Commands
TCG © Copyright
1149Specification Version 1.2
4739
4740
b. The TPM gives no indication, other than invalidation of transHandle, that the session
is terminated
474110.Return T1 -> transHandle as transHandle
1150Level 2 Revision 116 28 February 2011
1151
245
TCG Published
1152Copyright © TCG
1153
1154
474224.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_ExecuteTransport
4743Start of informative comment:
4744Delivers a wrapped TPM command to the TPM where the TPM unwraps the command and
4745then executes the command.
4746TPM_ExecuteTransport uses the same rolling nonce paradigm as other authorized TPM
4747commands. The even nonces start in TPM_EstablishTransport and change on each
4748invocation of TPM_ExecuteTransport.
4749The only restriction on what can happen inside of a transport session is that there is no
4750“nesting” of sessions. It is permissible to perform operations that delete internal state and
4751make the TPM inoperable.
4752Because, in general, key handles are not logged, a digest of the corresponding public key is
4753logged. In cases where the key handle is logged (e.g. TPM_OwnerReadInternalPub), the
4754public key is also logged.
4755The wrapped command is audited twice – once according to the actions of
4756TPM_ExecuteTransport and once within the wrapped command itself according to the
4757special rules for auditing a command wrapped in an encrypted transport session.
4758The method of incrementing the symmetric key counter value is different from that used by
4759some standard crypto libraries (e.g. openSSL, Java JCE) that increment the entire counter
4760value. TPM users should be aware of this to avoid errors when the counter wraps.
4761End of informative comment.
4762Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ExecuteTransport
4
4
2S
4
UINT32
wrappedCmdSize
Size of the wrapped command
5
<>
3S
<>
BYTE[]
wrappedCmd
The wrapped command
6
4
TPM_TRANSHANDLE
transHandle
The transport session handle
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
transLastNonceEven
Even nonce previously generated by TPM
7
20
3H1
20
TPM_NONCE
transNonceOdd
Nonce generated by caller
8
1
4H1
1
BOOL
continueTransSession
The continue use flag for the authorization session handle
9
20
TPM_AUTHDATA
transAuth
HMAC for transHandle key: transHandle -> authData
4763
1155
1156
246
Level 2 Revision 116 28 February 2011
TCG Published
1157TPM Main Part 3 Commands
TCG © Copyright
1158Specification Version 1.2
4764Outgoing Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the ExecuteTransport command. This does not reflect
the status of wrapped command.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ExecuteTransport
4
8
3S
8
UINT64
currentTicks
The current ticks when the command was executed
5
4
4S
4
TPM_MODIFIER_INDICATOR
locality
The locality that called this command
6
4
5S
4
UINT32
wrappedRspSize
Size of the wrapped response
7
<>
6S
<>
BYTE[]
wrappedRsp
The wrapped response
8
20
2H1
20
TPM_NONCE
transNonceEven
Even nonce newly generated by TPM
3H1
20
TPM_NONCE
transNonceOdd
Nonce generated by caller
4H1
1
BOOL
continueTransSession
The continue use flag for the session
TPM_AUTHDATA
transAuth
HMAC for transHandle key: transHandle -> authData
9
1
10
20
4765Description
47661. This command executes a TPM command using the transport session.
47672.
4768
4769
4770
Prior to execution of the wrapped command (action 11 below) failure of the transport
session MUST have no effect on the resources referenced by the wrapped command. The
exception is when the TPM goes into failure mode and return FAILED_SELFTEST for all
subsequent commands.
47713.
4772
4773
4774
4775
4776
After execution of the wrapped command, failure of the transport session MAY NOT
affect wrapped command resources. That is, the TPM is not required to clean up the
effects of the wrapped command. Sessions and keys MAY remain loaded. It is
understood that the transport session will be returning an error code and not reporting
any session nonces. Therefore, wrapped sessions are no longer useful to the caller. It is
the responsibility of the caller to clean up the result of the wrapped command.
47774. Execution of the wrapped command (action 11) SHOULD have no effect on the transport
4778
session.
4779
4780
a. The wrapped command SHALL use no resources of the transport session, this
includes authorization sessions
4781
4782
b. If the wrapped command execution returns an error (action 11 below) then the
sessions for TPM_ExecuteTransport still operate properly.
4783
4784
c. The exception to this is when the wrapped command causes the TPM to go into
failure mode and return TPM_FAILSELFTEST for all subsequent commands
47855. Field layout
4786
a. Notation
4787i. et indicates the outer TPM_ExecuteTransport command and response
1159Level 2 Revision 116 28 February 2011
1160
247
TCG Published
1161Copyright © TCG
1162
1163
4788ii. w indicates the inner
4789
TPM_ExecuteTransport.
TPM Main Part 3 Commands
Specification Version 1.2
command
and
response
that
is
wrapped
by
the
4790iii. (o) indicates optional parameters that may or may not be present in the wrapped
4791
command.
4792
b. Command representation
4793
c. ******************************************************************************
4794
d. TAGet | LENet | ORDet | wrappedCmdSize | wrappedCmd | AUTHet
4795
e. ******************************************************************************
4796
f. wrappedCmd looks like the following
4797
g. ****************************************************************************************
4798
h. TAGw | LENw | ORDw | HANDLESw(o) | DATAw | AUTH1w (o) | AUTH2w (o)
4799
i.
4800
j.
| LEN1 |
4801
k.
| E1
| (encrypted)
4802
l.
| C1
| (decrypted)
4803
m. Response representation
4804
n. *******************************************************************************
4805
o. TAGet | LENet | RCet | … | wrappedRspSize | wrappedRsp | AUTHet
4806
p. *******************************************************************************
4807
q. wrappedRsp looks like the following
4808
r. *************************************************************************************
4809
s. TAGw | LENw | RCw | HANDLESw(o) | DATAw | AUTH1w (o) | AUTH2w (o)
4810
t. *************************************************************************************
4811
u.
4812
v. | -------------------------- C2 -------------------------------------------------- |
4813
w.
| S2
| (decrypted)
4814
x.
| E2
| (encrypted)
4815
y. The only command and response parameter that is possibly encrypted is DATAw.
****************************************************************************************
| LEN2 |
48166. Additional DATAw comments
4817
a. For TPM_FlushSpecific and TPM_SaveContext
4818
i.
4819
4820
(1) It is understood that encrypting the resourceType prevents a determination of
the handle type.
4821
ii. If the resourceType is TPM_RT_KEY, then the public key MUST be logged.
4822
1164
1165
The DATAw part of these commands does not include the handle.
b. For TPM_DAA_Join and TPM_DAA_Sign
248
Level 2 Revision 116 28 February 2011
TCG Published
1166TPM Main Part 3 Commands
TCG © Copyright
1167Specification Version 1.2
4823
4824
4825
i. The DATAw part of these commands does not include the input handle. The
output handle from stage 0 is included in DATAW.
c. For TPM_LoadKey2
4826
4827
4828
i. The outgoing handle is not part of the outgoing DATAw and is not encrypted or
logged by the outgoing transport.
d. For TPM_LoadKey
4829
4830
4831
i. The outgoing handle is part of the outgoing DATAw and is encrypted and
logged.
e. For TPM_LoadContext
4832
4833
i. The outgoing handle is not part of the outgoing DATAw and is not encrypted or
logged by the outgoing transport.
4834
4835
(1) It is understood that encrypting the contextBlob prevents a determination of
the handle type.
4836
4837
f. For TPM_OIAP and TPM_OSAP,
or logged.
4838
4839
4840
4841
i. For TPM_OSAP, the public key MUST NOT be logged. During a logged
transport session, when a wrapped command uses the key, the public key
referenced by the key handle will be logged in the transport. Thus, the audit trail
is established for any key usage at that time.
4842
g. For TPM_DSAP
4843
i.
4844
ii. For output no parameters are encrypted or logged.
no input or output parameters are encrypted
For input, only entityValue is encrypted and logged.
48457.
4846
4847
4848
4849
4850
TPM_ExecuteTransport returns an implementation defined result when the wrapped
command would cause termination of the transport session. Implementation defined
possibilities include but are not limited to: the wrapped command may execute,
completely, partially, or not at all, the transport session may or may not be terminated,
continueTransSession may not be processed or returned correctly, and an error may or
may not be returned. The wrapped commands include:
4851
a. TPM_FlushSpecific, TPM_SaveContext targeting the transport session
4852
b. TPM_OwnerClear, TPM_ForceClear, TPM_RevokeTrust
4853Actions
48541. Using transHandle locate the TPM_TRANSPORT_INTERNAL structure T1
48552. Parse wrappedCmd
4856
a. Set TAGw, LENw, and ORDw to the parameters from wrappedCmd
4857
b. Set E1 to DATAw
4858
4859
4860
i. This pointer is ordinal dependent and requires the execute transport
command to parse wrappedCmd
c. Set LEN1 to the length of DATAw
1168Level 2 Revision 116 28 February 2011
1169
249
TCG Published
1170Copyright © TCG
1171
1172
4861
i.
TPM Main Part 3 Commands
Specification Version 1.2
DATAw always ends at the start of AUTH1w if AUTH1w is present
48623. If LEN1 is less than 0, or if ORDw is unknown, unimplemented, or cannot be determined
4863
a. Return TPM_BAD_PARAMETER
48644. If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT set then
4865
a. If T1 -> transPublic -> algId is TPM_ALG_MGF1
4866
4867
4868
i. Using the MGF1 function, create string G1 of length LEN1. The inputs to the
MGF1 are transLastNonceEven, transNonceOdd, “in”, and T1 -> authData. These
four values concatenated together form the Z value that is the seed for the MGF1.
4869
ii. Create C1 by performing an XOR of G1 and wrappedCmd starting at E1.
4870
b. If the encryption algorithm requires an IV or CTR, calculate the IV or CTR value
4871
4872
4873
4874
4875
4876
i. Using the MGF1 function, create string IV1 or CTR1 with a length set by the
block size of the encryption algorithm. The inputs to the MGF1 are
transLastNonceEven, transNonceOdd, and “in”. These three values concatenated
together form the Z value that is the seed for the MGF1. Note that any
terminating characters within the string “in” are ignored, so a total of 42 bytes are
hashed.
4877
ii. The symmetric key is taken from the first bytes of T1 -> authData.
4878
iii. Decrypt DATAw and replace the DATAw area of E1 creating C1
4879
c. TPM_OSAP, TPM_OIAP have no parameters encrypted
4880
d. TPM_DSAP has special rules for parameter encryption
48815. Else
4882
a. Set C1 to the DATAw area E1 of wrappedCmd
48836. Create H1 the SHA-1 of (ORDw || C1).
4884
a. C1 MUST point at the decrypted DATAw area of E1
4885
4886
b. The TPM MAY use this calculation for both execute transport authorization,
authorization of the wrapped command and transport log creation
48877. Validate the incoming transport session authorization
4888
a. Set inParamDigest to SHA-1 (ORDet || wrappedCmdSize || H1)
4889
4890
b. Calculate the HMAC of (inParamDigest || transLastNonceEven || transNonceOdd ||
continueTransSession) using T1 -> authData as the HMAC key
4891
c. Validate transAuth, on errors return TPM_AUTHFAIL
48928. If TPM_ExecuteTransport requires auditing
4893
4894
a. Create TPM_AUDIT_EVENT_IN using H1 as the input parameter digest and update
auditDigest
4895
b. On any error return TPM_AUDITFAIL_UNSUCCESSFUL
48969. If ORDw is from the list of following commands return TPM_NO_WRAP_TRANSPORT
4897
1173
1174
a. TPM_EstablishTransport
250
Level 2 Revision 116 28 February 2011
TCG Published
1175TPM Main Part 3 Commands
TCG © Copyright
1176Specification Version 1.2
4898
b. TPM_ExecuteTransport
4899
c. TPM_ReleaseTransportSigned
490010.If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_LOG set then
4901
a. Create L2 a TPM_TRANSPORT_LOG_IN structure
4902
b. Set L2 -> parameters to H1
4903
c. If ORDw is a command with no key handles
4904
4905
i.
Set L2 -> pubKeyHash to all zeros
d. If ORDw is a command with one key handle
4906
4907
i. Create K2 the hash of the TPM_STORE_PUBKEY structure of the key pointed
to by the key handle.
4908
ii. Set L2 -> pubKeyHash to SHA-1 (K2)
4909
e. If ORDw is a command with two key handles
4910
4911
i. Create K2 the hash of the TPM_STORE_PUBKEY structure of the key pointed
to by the first key handle.
4912
4913
ii. Create K3 the hash of the TPM_STORE_PUBKEY structure of the key pointed
to by the second key handle.
4914
iii. Set L2 -> pubKeyHash to SHA-1 (K2 || K3)
4915
f. Set T1 -> transDigest to the SHA-1 (T1 -> transDigest || L2)
4916
4917
g. If ORDw is a command with key handles, and the key is not loaded, return
TPM_INVALID_KEYHANDLE.
491811.Send the wrapped command to the normal TPM command parser, the output is C2 and
4919
the return code is RCw
4920
4921
a. If ORDw is a command that is audited then the TPM MUST perform the input and
output audit of the command as part of this action.
4922
4923
b. The TPM MAY use H1 as the data value in the authorization and audit calculations
during the execution of C1
492412.Set CT1 to TPM_STANY_DATA -> currentTicks -> currentTicks and return CT1 in the
4925
currentTicks output parameter
492613.Calculate S2 the pointer to the DATAw area of C2
4927
a. Calculate LEN2 the length of S2 according to the same rules that calculated LEN1
492814.Create H2 the SHA-1 of (RCw || ORDw || S2)
4929
4930
a. The TPM MAY use this calculation for execute transport authorization and transport
log out creation
493115.Calculate the outgoing transport session authorization
4932
a. Create the new transNonceEven for the output of the command
4933
4934
b. Set outParamDigest to SHA-1 (RCet || ORDet || TPM_STANY_DATA -> currentTicks
-> currentTicks || locality || wrappedRspSize || H2)
1177Level 2 Revision 116 28 February 2011
1178
251
TCG Published
1179Copyright © TCG
1180
1181
4935
4936
TPM Main Part 3 Commands
Specification Version 1.2
c. Calculate transAuth, the HMAC of (outParamDigest || transNonceEven ||
transNonceOdd || continueTransSession) using T1 -> authData as the HMAC key
493716.If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_LOG set then
4938
a. Create L3 a TPM_TRANSPORT_LOG_OUT structure
4939
b. Set L3 -> parameters to H2
4940
c. Set L3 -> currentTicks to TPM_STANY_DATA -> currentTicks
4941
d. Set L3 -> locality to TPM_STANY_DATA -> localityModifier
4942
e. Set T1 -> transDigest to the SHA-1 (T1 -> transDigest || L3)
494317.If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT set then
4944
a. If T1 -> transPublic -> algId is TPM_ALG_MGF1
4945
4946
4947
i. Using the MGF1 function, create string G2 of length LEN2. The inputs to the
MGF1 are transNonceEven, transNonceOdd, “out”, and T1 -> authData. These
four values concatenated together form the Z value that is the seed for the MGF1.
4948
ii. Create E2 by performing an XOR of G2 and C2 starting at S2.
4949
b. Else
4950
4951
4952
i. Create IV2 or CTR2 using the same algorithm as IV1 or CTR1 with the input
values transNonceEven, transNonceOdd, and “out”. Note that any terminating
characters within the string “out” are ignored, so a total of 43 bytes are hashed.
4953
ii. The symmetric key is taken from the first bytes of T1 -> authData
4954
iii. Create E2 by encrypting C2 starting at S2
495518.Else
4956
a. Set E2 to the DATAw area S2 of wrappedRsp
495719.If continueTransSession is FALSE
4958
a. Invalidate all session data related to transHandle
495920.If TPM_ExecuteTranport requires auditing
4960
4961
a. Create TPM_AUDIT_EVENT_OUT using H2 for the parameters and update the
auditDigest
4962
4963
b. On
any
errors
return
TPM_AUDITFAIL_SUCCESSFUL
TPM_AUDITFAIL_UNSUCCESSFUL depending on RCw
496421.Return C2 but with S2 replaced by E2 in the wrappedRsp parameter
1182
1183
252
Level 2 Revision 116 28 February 2011
TCG Published
or
1184TPM Main Part 3 Commands
TCG © Copyright
1185Specification Version 1.2
496524.3
TPM_ReleaseTransportSigned
4966Start of informative comment:
4967This command completes the transport session. If logging for this session is turned on, then
4968this command returns a digital signature of the hash of all operations performed during the
4969session.
4970This command serves no purpose if logging is turned off, and results in an error if
4971attempted.
4972This command uses two authorization sessions, the key that will sign the log and the
4973authorization from the session. Having the session authorization proves that the requestor
4974that is signing the log is the owner of the session. If this restriction is not put in then an
4975attacker can close the log and sign using their own key.
4976The hash of the session log includes the information associated with the input phase of
4977execution of the TPM_ReleaseTransportSigned command. It cannot include the output
4978phase information.
4979End of informative comment.
4980Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH2_COMMAND
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReleaseTransportSigned
TPM_KEY_HANDLE
keyHandle
Handle of a loaded key that will perform the signing
TPM_NONCE
antiReplay
Value provided by caller for anti-replay protection
TPM_AUTHHANDLE
authHandle
The authorization session to use key
#
SZ
1
2
3
4
4
4
5
20
6
#
4
1S
2S
SZ
4
20
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
7
20
3H1
20
TPM_NONCE
authNonceOdd
Nonce generated by system associated with authHandle
8
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
9
20
TPM_AUTHDATA
keyAuth
The authorization session digest that authorizes the use of key. HMAC
key: key -> usageAuth
10
4
TPM_TRANSHANDLE
transHandle
The transport session handle
2H2
20
TPM_NONCE
transLastNonceEven
Even nonce in use by execute Transport
11
20
3H2
20
TPM_NONCE
transNonceOdd
Nonce supplied by caller for transport session
12
1
4H2
1
BOOL
continueTransSession
The continue use flag for the authorization session handle
13
20
TPM_AUTHDATA
transAuth
HMAC for transport session key: transHandle -> authData
1186Level 2 Revision 116 28 February 2011
1187
253
TCG Published
1188Copyright © TCG
1189
1190
TPM Main Part 3 Commands
Specification Version 1.2
4981Outgoing Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH2_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReleaseTransportSigned
4
4
3S
4
TPM_MODIFIER_INDICATOR
locality
The locality that called this command
5
32
4S
32
TPM_CURRENT_TICKS
currentTicks
The current ticks when the command executed
6
4
5S
4
UINT32
signSize
The size of the signature area
7
<>
6S
<>
BYTE[]
signature
The signature of the digest
8
20
2H1
20
TPM_NONCE
authNonceEven
Even nonce newly generated by TPM
3H1
20
TPM_NONCE
authNonceOdd
Nonce generated by caller
4H1
1
BOOL
continueAuthSession
The continue use flag for the session
TPM_AUTHDATA
keyAuth
HMAC: key -> usageAuth
9
1
10
20
11
20
1
13
20
TPM_NONCE
transNonceEven
Even nonce newly generated by TPM
3H2
12
2H2
20
TPM_NONCE
transNonceOdd
Nonce generated by caller
4H2
1
BOOL
continueTransSession
The continue use flag for the session
TPM_AUTHDATA
transAuth
HMAC: transHandle -> authData
20
4982Description
4983This command releases a transport session and signs the transport log
4984Actions
49851. Using transHandle locate the TPM_TRANSPORT_INTERNAL structure T1
49862. Validate that keyHandle -> sigScheme is TPM_SS_RSASSAPKCS1v15_SHA1 or
4987
TPM_SS_RSASSAPKCS1v15_INFO, if not return TPM_INAPPROPRIATE_SIG.
49883. Validate that keyHandle
4989
TPM_INVALID_KEYUSAGE
->
keyUsage
is
TPM_KEY_SIGNING,
if
not
return
49904. Using key -> authData validate the command and parameters, on error return
4991
TPM_AUTHFAIL
49925. Using transHandle -> authData validate the command and parameters, on error return
4993
TPM_AUTH2FAIL
49946. If T1 -> transAttributes has TPM_TRANSPORT_LOG set then
4995
a. Create A1 a TPM_TRANSPORT_LOG_OUT structure
4996
b. Set A1 –> parameters to the SHA-1 (ordinal || antiReplay)
4997
c. Set A1 -> currentTicks to TPM_STANY_DATA -> currentTicks
4998
d. Set A1 -> locality to the locality modifier for this command
1191
1192
254
Level 2 Revision 116 28 February 2011
TCG Published
1193TPM Main Part 3 Commands
TCG © Copyright
1194Specification Version 1.2
4999
e. Set T1 -> transDigest to SHA-1 (T1 -> transDigest || A1)
50007. Else
5001
a. Return TPM_BAD_MODE
50028. Create H1 a TPM_SIGN_INFO structure and set the structure defaults
5003
a. Set H1 -> fixed to “TRAN”
5004
b. Set H1 -> replay to antiReplay
5005
c. Set H1 -> data to T1 -> transDigest
5006
d. Sign SHA-1 hash of H1 using the key pointed to by keyHandle
50079. Invalidate all session data related to T1
500810.Set continueTransSession to FALSE
500911.Return TPM_SUCCESS
1195Level 2 Revision 116 28 February 2011
1196
255
TCG Published
1197Copyright © TCG
1198
1199
501025.
TPM Main Part 3 Commands
Specification Version 1.2
Monotonic Counter
501125.1
TPM_CreateCounter
5012Start of informative comment:
5013This command creates the counter but does not select the counter. Counter creation
5014assigns an AuthData value to the counter and sets the counters original start value. The
5015original start value is the current internal base value plus one. Setting the new counter to
5016the internal base avoids attacks on the system that are attempting to use old counter
5017values.
5018End of informative comment.
5019Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes incl. paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CreateCounter
4
20
2S
20
TPM_ENCAUTH
encAuth
The encrypted auth data for the new counter
5
4
3s
4
BYTE
label
Label to associate with counter
7
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
9
1
4H1
1
BOOL
continueAuthSession
Ignored
10
20
20
TPM_AUTHDATA
ownerAuth
Authorization ownerAuth.
Type
Name
Description
5020Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CreateCounter
4
4
3s
4
TPM_COUNT_ID
countID
The handle for the counter
5
10
4S
10
TPM_COUNTER_VALUE
counterValue
The starting counter value
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Fixed value of FALSE
20
TPM_AUTHDATA
resAuth
Authorization. HMAC key: ownerAuth.
7
1
8
20
5021Description
1200
1201
256
Level 2 Revision 116 28 February 2011
TCG Published
1202TPM Main Part 3 Commands
TCG © Copyright
1203Specification Version 1.2
5022This command creates a new monotonic counter. The TPM MUST support a minimum of 4
5023concurrent counters.
5024Actions
5025The TPM SHALL do the following:
50261. Using the authHandle field, validate the owner’s AuthData to execute the command and
5027
all of the incoming parameters. The authorization session MUST be OSAP or DSAP
50282. Ignore continueAuthSession on input and set continueAuthSession to FALSE on output
50293. Create a1 by decrypting encAuth according to the ADIP indicated by authHandle.
50304. Validate that there is sufficient internal space in the TPM to create a new counter. If
5031
there is insufficient space, the command returns an error.
5032
5033
a. The TPM MUST provide storage for a1, TPM_COUNTER_VALUE, countID, and any
other internal data the TPM needs to associate with the counter
50345. Increment the max counter value
50356. Set the counter to the max counter value
50367. Set the counter label to label
50378. Create a countID
1204Level 2 Revision 116 28 February 2011
1205
257
TCG Published
1206Copyright © TCG
1207
1208
503825.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_IncrementCounter
5039Start of informative comment:
5040This authorized command increments the indicated counter by one. Once a counter has
5041been incremented then all subsequent increments must be for the same handle until a
5042successful TPM_Startup(ST_CLEAR) is executed.
5043The order for checking validation of the command parameters when no counter is active,
5044keeps an attacker from creating a denial-of-service attack.
5045End of informative comment.
5046Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_IncrementCounter
4
4
2s
4
TPM_COUNT_ID
countID
The handle of a valid counter
5
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for counter authorization
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
6
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
7
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
8
20
TPM_AUTHDATA
counterAuth
The authorization session digest that authorizes the use of countID.
HMAC key: countID -> authData
Type
Name
Description
5047Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_IncrementCounter
5
10
3S
10
TPM_COUNTER_VALUE
count
The counter value
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
countID -> authData
7
1
8
20
5048Description
5049This function increments the counter by 1.
5050The TPM MAY implement increment throttling to avoid burn problems
1209
1210
258
Level 2 Revision 116 28 February 2011
TCG Published
1211TPM Main Part 3 Commands
TCG © Copyright
1212Specification Version 1.2
5051Actions
50521. If TPM_STCLEAR_DATA -> countID is 0
5053
a. Validate that countID is a valid counter, return TPM_BAD_COUNTER on mismatch
5054
b. Validate the command parameters using counterAuth
5055
c. Set TPM_STCLEAR_DATA -> countID to countID
50562. else
5057
5058
5059
a. If TPM_STCLEAR_DATA -> countID does not equal countID
i.
Return TPM_BAD_COUNTER
b. Validate the command parameters using counterAuth
50603. Increments the counter by 1
50614. Return new count value in count
1213Level 2 Revision 116 28 February 2011
1214
259
TCG Published
1215Copyright © TCG
1216
1217
506225.3
TPM Main Part 3 Commands
Specification Version 1.2
TPM_ReadCounter
5063Start of informative comment:
5064Reading the counter provides the caller with the current number in the sequence.
5065End of informative comment.
5066Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes incl. paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReadCounter
4
4
2S
4
TPM_COUNT_ID
countID
ID value of the counter
Type
Name
Description
#
SZ
1
#
SZ
5067Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
10
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReadCounter
3S
10
TPM_COUNTER_VALUE
count
The counter value
5068Description
5069This returns the current value for the counter indicated. The counter MAY be any valid
5070counter.
5071Actions
50721. Validate that countID points to a valid counter. Return TPM_BAD_COUNTER on error.
50732. Return count
1218
1219
260
Level 2 Revision 116 28 February 2011
TCG Published
1220TPM Main Part 3 Commands
TCG © Copyright
1221Specification Version 1.2
507425.4
TPM_ReleaseCounter
5075Start of informative comment:
5076This command releases a counter such that no reads or increments of the indicated counter
5077will succeed.
5078End of informative comment.
5079Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReleaseCounter
4
4
2s
4
TPM_COUNT_ID
countID
ID value of the counter
5
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for countID authorization
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
6
20
3H1
20
TPM_NONCE
nonceOdd
Nonce associated with countID
7
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
8
20
TPM_AUTHDATA
counterAuth
The authorization session digest that authorizes the use of countID.
HMAC key: countID -> authData
Type
Name
Description
5080Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
5
1
6
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReleaseCounter
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
countID -> authData
20
5081Actions
5082The TPM uses countID to locate a valid counter.
50831. Authenticate the command and the parameters using the AuthData pointed to by
5084
countID. Return TPM_AUTHFAIL on error
50852. The TPM invalidates all internal information regarding the counter. This includes
5086
releasing countID such that any subsequent attempts to use countID will fail.
50873. The TPM invalidates sessions
1222Level 2 Revision 116 28 February 2011
1223
261
TCG Published
1224Copyright © TCG
1225
1226
TPM Main Part 3 Commands
Specification Version 1.2
5088
a. MUST invalidate all OSAP sessions associated with the counter
5089
b. MAY invalidate any other session
50904. If TPM_STCLEAR_DATA -> countID equals countID,
5091
1227
1228
a. Set TPM_STCLEAR_DATA -> countID to an illegal value (not the zero value)
262
Level 2 Revision 116 28 February 2011
TCG Published
1229TPM Main Part 3 Commands
TCG © Copyright
1230Specification Version 1.2
509225.5
TPM_ReleaseCounterOwner
5093Start of informative comment:
5094This command releases a counter such that no reads or increments of the indicated counter
5095will succeed.
5096End of informative comment.
5097Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReleaseCounterOwner
4
4
2s
4
TPM_COUNT_ID
countID
ID value of the counter
5
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication
#
SZ
1
#
SZ
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
6
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
7
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
8
20
TPM_AUTHDATA
ownerAuth
The authorization session digest that authorizes the inputs. HMAC key:
ownerAuth
Type
Name
Description
5098Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
5
1
6
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ReleaseCounterOwner
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth
20
5099Description
5100This invalidates all information regarding a counter.
5101Actions
51021. Validate that ownerAuth properly authorizes the command and parameters
51032. The TPM uses countID to locate a valid counter. Return TPM_BAD_COUNTER if not
5104
found.
1231Level 2 Revision 116 28 February 2011
1232
263
TCG Published
1233Copyright © TCG
1234
1235
TPM Main Part 3 Commands
Specification Version 1.2
51053. The TPM invalidates all internal information regarding the counter. This includes
5106
releasing countID such that any subsequent attempts to use countID will fail.
51074. The TPM invalidates sessions
5108
a. MUST invalidate all OSAP sessions associated with the counter
5109
b. MAY invalidate any other session
51105. If TPM_STCLEAR_DATA -> countID equals countID,
5111
1236
1237
a. Set TPM_STCLEAR_DATA -> countID to an illegal value (not the zero value)
264
Level 2 Revision 116 28 February 2011
TCG Published
1238TPM Main Part 3 Commands
TCG © Copyright
1239Specification Version 1.2
511226.
DAA commands
511326.1
TPM_DAA_Join
5114Start of informative comment:
5115TPM_DAA_Join is the process that establishes the DAA parameters in the TPM for a specific
5116DAA issuing authority.
5117outputSize and outputData are always included in the outParamDigest. This includes stage
51180, where the outputData contains the DAA session handle.
5119 End of informative comment.
5120Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes incl. paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DAA_Join.
4
4
TPM_HANDLE
handle
Session handle
5
1
2S
1
BYTE
stage
Processing stage of join
6
4
3S
4
UINT32
inputSize0
Size of inputData0 for this stage of JOIN
7
<>
4S
<>
BYTE[]
inputData0
Data to be used by this capability
8
4
5S
4
UINT32
inputSize1
Size of inputData1 for this stage of JOIN
9
<>
6S
<>
BYTE[]
inputData1
Data to be used by this capability
10
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication
#
SZ
1
#
1S
SZ
4
2 H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
11
20
3 H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
12
1
4 H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
13
20
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner. HMAC key:
ownerAuth.
1240Level 2 Revision 116 28 February 2011
1241
265
TCG Published
1242Copyright © TCG
1243
1244
TPM Main Part 3 Commands
Specification Version 1.2
5121Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes incl. paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DAA_Join.
4
4
3S
4
UINT32
outputSize
Size of outputData
5
<>
4S
<>
BYTE[]
outputData
Data produced by this capability
6
20
2 H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3 H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4 H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
20
TPM_AUTHDATA
resAuth
Authorization HMAC key: ownerAuth.
7
8
1245
1246
1
20
266
Level 2 Revision 116 28 February 2011
TCG Published
1247TPM Main Part 3 Commands
TCG © Copyright
1248Specification Version 1.2
5122Description
5123This table summaries the input, output and saved data that is associated with each stage of
5124processing.
Stage
0
Input Data0
Input Data1
Operation
Output Data
Scratchpad
DAA_count
NULL
initialise
Session Handle
NULL
(used as # repetitions of stage 1)
1
n0
signatureValue
rekeying
NULL
n0
2
DAA_issuerSettings
signatureValue
issuer settings
NULL
NULL
3
DAA_count
NULL
DAA_join_uo,
NULL
NULL
DAA_join_u1
4
DAA_generic_R0
DAA_generic_n
P1=R0^f0 mod n
NULL
P1
5
DAA_generic_R1
DAA_generic_n
P2 = P1*(R1^f1) mod n
NULL
P2
6
DAA_generic_S0
DAA_generic_n
P3 = P2*(S0^u0) mod n
NULL
P3
7
DAA_generic_S1
DAA_generic_n
U = P3*(S1^u1) mod n
U
NULL
8
NE
NULL
U2
U2
NULL
9
DAA_generic_R0
DAA_generic_n
P1=R0^r0 mod n
NULL
P1
10
DAA_generic_R1
DAA_generic_n
P2 = P1*(R1^r1) mod n
NULL
P2
11
DAA_generic_S0
DAA_generic_n
P3 = P2*(S0^r2) mod n
NULL
P3
12
DAA_generic_S1
DAA_generic_n
P4 = P3*(S1^r3) mod n
P4
NULL
13
DAA_generic_gamma
w
w1 = w^q mod gamma
NULL
w
14
DAA_generic_gamma
NULL
E = w^f mod gamma
E
w
15
DAA_generic_gamma
NULL
r = r0 + (2^power0)*r1 mod q,
E1
NULL
E1 = w^r mod gamma
16
c1
NULL
c = hash(c1 || NT)
nt
NULL
17
NULL
NULL
s0 = r0 + c*f0
s0
NULL
18
NULL
NULL
s1 = r1 + c*f1
s1
NULL
19
NULL
NULL
s2 = r2 + c*u0
s2
NULL
c
s12
mod 2^power1
20
NULL
NULL
s12 = r2 + c*u0
>> power1
21
NULL
NULL
s3 = r3 + c*u1 + s12
s3
NULL
22
u2
NULL
v0 = u2 + u0 mod 2^power1
enc(v0)
v10
v10 = u2 + u0 >> power1
23
u3
NULL
V1 = u3 + u1 + v10
enc(v1)
NULL
24
NULL
NULL
enc(DAA_tpmSpecific)
enc(DAA_tpmSpecific)
NULL
5125
1249Level 2 Revision 116 28 February 2011
1250
267
TCG Published
1251Copyright © TCG
1252
1253
TPM Main Part 3 Commands
Specification Version 1.2
5126Actions
5127A Trusted Platform Module that receives a valid TPM_DAA_Join command SHALL:
51281. Use ownerAuth to verify that the Owner authorized all TPM_DAA_Join input parameters.
51292. Any error return results in the TPM invalidating all resources associated with the join
51303. Constant values of 0 or 1 are 1 byte integers, stages affected are
5131
a. 4(j), 5(j), 14(f), 17(e)
51324. Representation of the strings “r0” to “r4” are 2-byte ASCII encodings, stages affected are
5133
a. 9(i), 10(h), 11(h), 12(h), 15(f),15(g), 17(d), 18(d), 19(d), 20(d), 21(d)
5134Start of informative comment:
51355. Variable DAA_Count
5136
5137
5138
a. In stage 0, DAA_Count denotes the length of the RSA key chain, which certifies the
main DAA public key and which will be loaded in stage 1. It also denotes the number of
times stage 1 is executed.
5139
5140
5141
b. In stage 3 the variable DAA_count denotes the actual DAA counter. It allows a DAA
issuer to keep track of the number of times it has issued 'different' DAA credentials to
the same platform. (The counter does not need to be equal to the actual number.)
5142End of informative comment.
5143Stages
51440. If stage==0
5145
c. Determine that sufficient resources are available to perform a TPM_DAA_Join.
5146
5147
5148
i. The TPM MUST support sufficient resources to perform one (1)
TPM_DAA_Join/
TPM_DAA_Sign.
The
TPM
MAY
support
additional
TPM_DAA_Join/ TPM_DAA_Sign sessions.
5149
5150
ii. The TPM may share internal resources between the DAA operations and other
variable resource requirements:
5151
5152
5153
iii.
If there are insufficient resources within the stored key pool (and one or
more keys need to be removed to permit the DAA operation to execute) return
TPM_NOSPACE
5154
5155
5156
iv.
If there are insufficient resources within the stored session pool (and
one or more authorization or transport sessions need to be removed to permit
the DAA operation to execute), return TPM_RESOURCES.
5157
d. Set all fields in DAA_issuerSettings = NULL
5158
e. set all fields in DAA_tpmSpecific = NULL
5159
f. set all fields in DAA_session = NULL
5160
g. Set all fields in DAA_joinSession = NULL
5161
5162
h. Verify that sizeOf(inputData0) == sizeOf(DAA_tpmSpecific -> DAA_count) and return
error TPM_DAA_INPUT_DATA0 on mismatch
1254
1255
268
Level 2 Revision 116 28 February 2011
TCG Published
1256TPM Main Part 3 Commands
TCG © Copyright
1257Specification Version 1.2
5163
i.
Verify that inputData0 > 0, and return error TPM_DAA_INPUT_DATA0 on mismatch
5164
j.
Set DAA_tpmSpecific -> DAA_count = inputData0
5165
5166
k. set
DAA_session
DAA_joinSession)
5167
l.
5168
m. Assign session handle for TPM_DAA_Join
5169
n. set outputData = new session handle
5170
5171
->
DAA_digestContext
=
SHA-1(DAA_tpmSpecific
||
set DAA_session -> DAA_stage = 1
i.
The handle in outputData is included the output HMAC.
o. return TPM_SUCCESS
51726. If stage==1
5173
5174
a. Verify that DAA_session ->DAA_stage==1. Return TPM_DAA_STAGE and flush handle
on mismatch
5175
5176
b. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return TPM_DAA_TPM_SETTINGS on mismatch
5177
5178
c. Verify that sizeOf(inputData0) == DAA_SIZE_issuerModulus and return error
TPM_DAA_INPUT_DATA0 on mismatch
5179
d. If DAA_session -> DAA_scratch == NULL:
5180
i.
5181
ii. set DAA_joinSession -> DAA_digest_n0 = SHA-1(DAA_session -> DAA_scratch)
5182
5183
iii. set DAA_tpmSpecific -> DAA_rekey = SHA-1(tpmDAASeed || DAA_joinSession
-> DAA_digest_n0)
5184
Set DAA_session -> DAA_scratch = inputData0
e. Else (If DAA_session -> DAA_scratch != NULL):
5185
i.
5186
5187
ii. Verify that sizeOf(inputData1) == DAA_SIZE_issuerModulus and return error
TPM_DAA_INPUT_DATA1 on mismatch
5188
iii. Set signatureValue = inputData1
5189
5190
5191
5192
iv. Use the RSA key == [DAA_session -> DAA_scratch] to verify that
signatureValue
is
a
signature
on
signedData
using
TPM_SS_RSASSAPKCS1v15_SHA1 (RSA PKCS1.5 with SHA-1), and return error
TPM_DAA_ISSUER_VALIDITY on mismatch
5193
v. Set DAA_session -> DAA_scratch = signedData
Set signedData = inputData0
5194
f. Decrement DAA_tpmSpecific -> DAA_count by 1 (unity)
5195
g. If DAA_tpmSpecific -> DAA_count == 0:
5196
i.
increment DAA_session -> DAA_stage by 1
5197
5198
h. set
DAA_session
DAA_joinSession)
5199
i.
->
DAA_digestContext
set outputData = NULL
1258Level 2 Revision 116 28 February 2011
1259
269
TCG Published
=
SHA-1(DAA_tpmSpecific
||
1260Copyright © TCG
1261
1262
5200
j.
TPM Main Part 3 Commands
Specification Version 1.2
return TPM_SUCCESS
52017. If stage==2
5202
5203
a. Verify that DAA_session ->DAA_stage==2. Return TPM_DAA_STAGE and flush handle
on mismatch
5204
5205
b. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5206
5207
c. Verify that sizeOf(inputData0) == sizeOf(TPM_DAA_ISSUER) and return error
TPM_DAA_INPUT_DATA0 on mismatch
5208
5209
d. Set DAA_issuerSettings = inputData0. Verify that all fields in DAA_issuerSettings are
present and return error TPM_DAA_INPUT_DATA0 if not.
5210
5211
e. Verify that sizeOf(inputData1) == DAA_SIZE_issuerModulus and return error
TPM_DAA_INPUT_DATA1 on mismatch
5212
f. Set signatureValue = inputData1
5213
g. Set signedData = (DAA_joinSession -> DAA_digest_n0 ||DAA_issuerSettings)
5214
5215
5216
h. Use the RSA key [DAA_session -> DAA_scratch] to verify that signatureValue is a
signature on signedData using TPM_SS_RSASSAPKCS1v15_SHA1 (RSA PKCS1.5 with
SHA-1),, and return error TPM_DAA_ISSUER_VALIDITY on mismatch
5217
i.
5218
5219
j. set
DAA_session
DAA_joinSession)
5220
k. Set DAA_session -> DAA_scratch = NULL
5221
l.
5222
m. return TPM_SUCCESS
Set DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings)
->
DAA_digestContext
=
SHA-1(DAA_tpmSpecific
||
increment DAA_session -> DAA_stage by 1
52238. If stage==3
5224
5225
a. Verify that DAA_session ->DAA_stage==3. Return TPM_DAA_STAGE and flush handle
on mismatch
5226
5227
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5228
5229
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5230
5231
d. Verify that sizeOf(inputData0) == sizeOf(DAA_tpmSpecific -> DAA_count) and return
error TPM_DAA_INPUT_DATA0 on mismatch
5232
e. Set DAA_tpmSpecific -> DAA_count = inputData0
5233
f. Obtain random data from the RNG and store it as DAA_joinSession -> DAA_join_u0
5234
g. Obtain random data from the RNG and store it as DAA_joinSession -> DAA_join_u1
5235
h. set outputData = NULL
5236
i.
1263
1264
increment DAA_session -> DAA_stage by 1
270
Level 2 Revision 116 28 February 2011
TCG Published
1265TPM Main Part 3 Commands
TCG © Copyright
1266Specification Version 1.2
5237
5238
j. set
DAA_session
DAA_joinSession)
5239
k. return TPM_SUCCESS
->
DAA_digestContext
=
SHA-1(DAA_tpmSpecific
||
52409. If stage==4,
5241
5242
a. Verify that DAA_session ->DAA_stage==4. Return TPM_DAA_STAGE and flush handle
on mismatch
5243
5244
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5245
5246
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5247
d. Set DAA_generic_R0 = inputData0
5248
5249
e. Verify that SHA-1(DAA_generic_R0) == DAA_issuerSettings -> DAA_digest_R0 and
return error TPM_DAA_INPUT_DATA0 on mismatch
5250
f. Set DAA_generic_n = inputData1
5251
5252
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5253
h. Set X = DAA_generic_R0
5254
i.
5255
5256
5257
j. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count ||
0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 )
mod DAA_issuerSettings -> DAA_generic_q
5258
k. Set f0 = f mod 2^DAA_power0 (erase all but the lowest DAA_power0 bits of f)
5259
l.
5260
m. set outputData = NULL
5261
n. increment DAA_session -> DAA_stage by 1
5262
o. return TPM_SUCCESS
Set n = DAA_generic_n
Set DAA_session -> DAA_scratch = (X^f0) mod n
526310.If stage==5
5264
5265
a. Verify that DAA_session ->DAA_stage==5. Return TPM_DAA_STAGE and flush handle
on mismatch
5266
5267
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5268
5269
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5270
d. Set DAA_generic_R1 = inputData0
5271
5272
e. Verify that SHA-1(DAA_generic_R1) == DAA_issuerSettings -> DAA_digest_R1 and
return error TPM_DAA_INPUT_DATA0 on mismatch
5273
f. Set DAA_generic_n = inputData1
1267Level 2 Revision 116 28 February 2011
1268
271
TCG Published
1269Copyright © TCG
1270
1271
TPM Main Part 3 Commands
Specification Version 1.2
5274
5275
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5276
h. Set X = DAA_generic_R1
5277
i.
5278
5279
5280
j. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count ||
0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 )
mod DAA_issuerSettings -> DAA_generic_q.
5281
5282
k. Shift f right by DAA_power0 bits (discard the lowest DAA_power0 bits) and label the
result f1
5283
l.
5284
m. Set DAA_session -> DAA_scratch = Z*(X^f1) mod n
5285
n. set outputData = NULL
5286
o. increment DAA_session -> DAA_stage by 1
5287
p. return TPM_SUCCESS
Set n = DAA_generic_n
Set Z = DAA_session -> DAA_scratch
528811.If stage==6
5289
5290
a. Verify that DAA_session ->DAA_stage==6. Return TPM_DAA_STAGE and flush handle
on mismatch
5291
5292
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5293
5294
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5295
d. Set DAA_generic_S0 = inputData0
5296
5297
e. Verify that SHA-1(DAA_generic_S0) == DAA_issuerSettings -> DAA_digest_S0 and
return error TPM_DAA_INPUT_DATA0 on mismatch
5298
f. Set DAA_generic_n = inputData1
5299
5300
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5301
h. Set X = DAA_generic_S0
5302
i.
Set n = DAA_generic_n
5303
j.
Set Z = DAA_session -> DAA_scratch
5304
k. Set Y = DAA_joinSession -> DAA_join_u0
5305
l.
5306
m. set outputData = NULL
5307
n. increment DAA_session -> DAA_stage by 1
5308
o. return TPM_SUCCESS
Set DAA_session -> DAA_scratch = Z*(X^Y) mod n
530912.If stage==7
1272
1273
272
Level 2 Revision 116 28 February 2011
TCG Published
1274TPM Main Part 3 Commands
TCG © Copyright
1275Specification Version 1.2
5310
5311
a. Verify that DAA_session ->DAA_stage==7. Return TPM_DAA_STAGE and flush handle
on mismatch
5312
5313
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5314
5315
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5316
d. Set DAA_generic_S1 = inputData0
5317
5318
e. Verify that SHA-1(DAA_generic_S1) == DAA_issuerSettings -> DAA_digest_S1 and
return error TPM_DAA_INPUT_DATA0 on mismatch
5319
f. Set DAA_generic_n = inputData1
5320
5321
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5322
h. Set X = DAA_generic_S1
5323
i.
Set n = DAA_generic_n
5324
j.
Set Y = DAA_joinSession -> DAA_join_u1
5325
k. Set Z = DAA_session -> DAA_scratch
5326
l.
5327
5328
m. Set DAA_session -> DAA_digest to the SHA-1 (DAA_session -> DAA_scratch ||
DAA_tpmSpecific -> DAA_count || DAA_joinSession -> DAA_digest_n0)
5329
n. set outputData = DAA_session -> DAA_scratch
5330
o. set DAA_session -> DAA_scratch = NULL
5331
p. increment DAA_session -> DAA_stage by 1
5332
q. return TPM_SUCCESS
Set DAA_session -> DAA_scratch = Z*(X^Y) mod n
533313.If stage==8
5334
5335
a. Verify that DAA_session ->DAA_stage==8. Return TPM_DAA_STAGE and flush handle
on mismatch
5336
5337
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5338
5339
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5340
5341
d. Verify inputSize0 == DAA_SIZE_NE and return error TPM_DAA_INPUT_DATA0 on
mismatch
5342
e. Set NE = decrypt(inputData0, privEK)
5343
f. set outputData = SHA-1(DAA_session -> DAA_digest || NE)
5344
g. set DAA_session -> DAA_digest = NULL
5345
h. increment DAA_session -> DAA_stage by 1
5346
i.
return TPM_SUCCESS
1276Level 2 Revision 116 28 February 2011
1277
273
TCG Published
1278Copyright © TCG
1279
1280
TPM Main Part 3 Commands
Specification Version 1.2
534714.If stage==9
5348
5349
a. Verify that DAA_session ->DAA_stage==9. Return TPM_DAA_STAGE and flush handle
on mismatch
5350
5351
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5352
5353
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5354
d. Set DAA_generic_R0 = inputData0
5355
5356
e. Verify that SHA-1(DAA_generic_R0) == DAA_issuerSettings -> DAA_digest_R0 and
return error TPM_DAA_INPUT_DATA0 on mismatch
5357
f. Set DAA_generic_n = inputData1
5358
5359
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5360
h. Obtain random data from the RNG and store it as DAA_session -> DAA_contextSeed
5361
5362
i. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them Y.
DAA_session -> DAA_contextSeed is the Z seed.
5363
j.
5364
k. Set n = DAA_generic_n
5365
l.
5366
m. set outputData = NULL
5367
n. increment DAA_session -> DAA_stage by 1
5368
o. return TPM_SUCCESS
“r0” ||
Set X = DAA_generic_R0
Set DAA_session -> DAA_scratch = (X^Y) mod n
536915.If stage==10
5370
5371
a. Verify that DAA_session ->DAA_stage==10. Return TPM_DAA_STAGE and flush
handle on mismatch h
5372
5373
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5374
5375
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5376
d. Set DAA_generic_R1 = inputData0
5377
5378
e. Verify that SHA-1(DAA_generic_R1) == DAA_issuerSettings -> DAA_digest_R1 and
return error TPM_DAA_INPUT_DATA0 on mismatch
5379
f. Set DAA_generic_n = inputData1
5380
5381
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5382
5383
h. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them Y. “r1” ||
DAA_session -> DAA_contextSeed is the Z seed.
5384
i.
1281
1282
Set X = DAA_generic_R1
274
Level 2 Revision 116 28 February 2011
TCG Published
1283TPM Main Part 3 Commands
TCG © Copyright
1284Specification Version 1.2
5385
j.
5386
k. Set Z = DAA_session -> DAA_scratch
5387
l.
5388
m. set outputData = NULL
5389
n. increment DAA_session -> DAA_stage by 1
5390
o. return TPM_SUCCESS
Set n = DAA_generic_n
Set DAA_session -> DAA_scratch = Z*(X^Y) mod n
539116.If stage==11
5392
5393
a. Verify that DAA_session ->DAA_stage==11. Return TPM_DAA_STAGE and flush
handle on mismatch
5394
5395
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5396
5397
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5398
d. Set DAA_generic_S0 = inputData0
5399
5400
e. Verify that SHA-1(DAA_generic_S0) == DAA_issuerSettings -> DAA_digest_S0 and
return error TPM_DAA_INPUT_DATA0 on mismatch
5401
f. Set DAA_generic_n = inputData1
5402
5403
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5404
5405
h. Obtain DAA_SIZE_r2 bytes using the MGF1 function and label them Y.
DAA_session -> DAA_contextSeed is the Z seed.
5406
i.
Set X = DAA_generic_S0
5407
j.
Set n = DAA_generic_n
5408
k. Set Z = DAA_session -> DAA_scratch
5409
l.
5410
m. set outputData = NULL
5411
n. increment DAA_session -> DAA_stage by 1
5412
o. return TPM_SUCCESS
“r2” ||
Set DAA_session -> DAA_scratch = Z*(X^Y) mod n
541317.If stage==12
5414
5415
a. Verify that DAA_session ->DAA_stage==12. Return TPM_DAA_STAGE and flush
handle on mismatch
5416
5417
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings ) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5418
5419
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5420
d. Set DAA_generic_S1 = inputData0
1285Level 2 Revision 116 28 February 2011
1286
275
TCG Published
1287Copyright © TCG
1288
1289
TPM Main Part 3 Commands
Specification Version 1.2
5421
5422
e. Verify that SHA-1(DAA_generic_S1) == DAA_issuerSettings -> DAA_digest_S1 and
return error TPM_DAA_INPUT_DATA0 on mismatch
5423
f. Set DAA_generic_n = inputData1
5424
5425
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5426
5427
h. Obtain DAA_SIZE_r3 bytes using the MGF1 function and label them Y.
DAA_session -> DAA_contextSeed is the Z seed.
5428
i.
Set X = DAA_generic_S1
5429
j.
Set n = DAA_generic_n
5430
k. Set Z = DAA_session -> DAA_scratch
5431
l.
5432
m. set outputData = DAA_session -> DAA_scratch
5433
n. Set DAA_session -> DAA_scratch = NULL
5434
o. increment DAA_session -> DAA_stage by 1
5435
p. return TPM_SUCCESS
“r3” ||
Set DAA_session -> DAA_scratch = Z*(X^Y) mod n
543618.If stage==13
5437
5438
a. Verify that DAA_session->DAA_stage==13. Return TPM_DAA_STAGE and flush
handle on mismatch
5439
5440
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5441
5442
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5443
d. Set DAA_generic_gamma = inputData0
5444
5445
e. Verify
that
SHA-1(DAA_generic_gamma)
==
DAA_issuerSettings
DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch
5446
5447
f. Verify that inputSize1 == DAA_SIZE_w and return error TPM_DAA_INPUT_DATA1 on
mismatch
5448
g. Set w = inputData1
5449
h. Set w1 = w^( DAA_issuerSettings -> DAA_generic_q) mod (DAA_generic_gamma)
5450
i.
If w1 != 1 (unity), return error TPM_DAA_WRONG_W
5451
j.
Set DAA_session -> DAA_scratch = w
5452
k. set outputData = NULL
5453
l.
5454
m. return TPM_SUCCESS.
->
increment DAA_session -> DAA_stage by 1
545519.If stage==14
5456
5457
1290
1291
a. Verify that DAA_session ->DAA_stage==14. Return TPM_DAA_STAGE and flush
handle on mismatch
276
Level 2 Revision 116 28 February 2011
TCG Published
1292TPM Main Part 3 Commands
TCG © Copyright
1293Specification Version 1.2
5458
5459
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings ) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5460
5461
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5462
d. Set DAA_generic_gamma = inputData0
5463
5464
e. Verify
that
SHA-1(DAA_generic_gamma)
==
DAA_issuerSettings
DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch
5465
5466
5467
f. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count ||
0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 )
mod DAA_issuerSettings -> DAA_generic_q.
5468
g. Set E = ((DAA_session -> DAA_scratch)^f) mod (DAA_generic_gamma).
5469
h. Set outputData = E
5470
i.
increment DAA_session -> DAA_stage by 1
5471
j.
return TPM_SUCCESS.
->
547220.If stage==15
5473
5474
a. Verify that DAA_session ->DAA_stage==15. Return TPM_DAA_STAGE and flush
handle on mismatch
5475
5476
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5477
5478
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5479
d. Set DAA_generic_gamma = inputData0
5480
5481
e. Verify
that
SHA-1(DAA_generic_gamma)
==
DAA_issuerSettings
DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch
5482
5483
f. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them r0.
DAA_session -> DAA_contextSeed is the Z seed.
“r0” ||
5484
5485
g. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them r1.
DAA_session -> DAA_contextSeed is the Z seed.
“r1” ||
5486
h. set r = r0 + 2^DAA_power0 * r1 mod (DAA_issuerSettings -> DAA_generic_q).
5487
i.
set E1 = ((DAA_session -> DAA_scratch)^r) mod (DAA_generic_gamma).
5488
j.
Set DAA_session -> DAA_scratch = NULL
5489
k. Set outputData = E1
5490
l.
5491
m. return TPM_SUCCESS.
->
increment DAA_session -> DAA_stage by 1
549221.If stage==16
5493
5494
a. Verify that DAA_session ->DAA_stage==16. Return TPM_DAA_STAGE and flush
handle on mismatch
1294Level 2 Revision 116 28 February 2011
1295
277
TCG Published
1296Copyright © TCG
1297
1298
TPM Main Part 3 Commands
Specification Version 1.2
5495
5496
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5497
5498
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5499
5500
d. Verify
that
inputSize0
==
TPM_DAA_INPUT_DATA0 on mismatch
5501
e. Set DAA_session -> DAA_digest = inputData0
5502
f. Obtain DAA_SIZE_NT bytes from the RNG and label them NT
5503
g. Set DAA_session -> DAA_digest to the SHA-1 ( DAA_session -> DAA_digest || NT )
5504
h. Set outputData = NT
5505
i.
increment DAA_session -> DAA_stage by 1
5506
j.
return TPM_SUCCESS.
sizeOf(TPM_DIGEST)
and
return
error
550722.If stage==17
5508
5509
a. Verify that DAA_session ->DAA_stage==17. Return TPM_DAA_STAGE and flush
handle on mismatch
5510
5511
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5512
5513
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5514
5515
d. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them r0.
DAA_session -> DAA_contextSeed is the Z seed.
5516
5517
5518
e. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count ||
0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 )
mod DAA_issuerSettings -> DAA_generic_q.
5519
f. Set f0 = f mod 2^DAA_power0 (erase all but the lowest DAA_power0 bits of f)
5520
5521
g. Set s0 = r0 + (DAA_session -> DAA_digest) * f0 in Z. Compute over the integers. The
computation is not reduced with a modulus.
5522
h. set outputData = s0
5523
i.
increment DAA_session -> DAA_stage by 1
5524
j.
return TPM_SUCCESS
“r0” ||
552523.If stage==18
5526
5527
a. Verify that DAA_session ->DAA_stage==18. Return TPM_DAA_STAGE and flush
handle on mismatch
5528
5529
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5530
5531
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
1299
1300
278
Level 2 Revision 116 28 February 2011
TCG Published
1301TPM Main Part 3 Commands
TCG © Copyright
1302Specification Version 1.2
5532
5533
d. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them r1. “r1” ||
DAA_session -> DAA_contextSeed is the Z seed.
5534
5535
5536
e. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count ||
0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 )
mod DAA_issuerSettings -> DAA_generic_q.
5537
5538
f. Shift f right by DAA_power0 bits (discard the lowest DAA_power0 bits) and label the
result f1
5539
5540
g. Set s1 = r1 + (DAA_session -> DAA_digest)* f1 in Z. Compute over the integers. The
computation is not reduced with a modulus.
5541
h. set outputData = s1
5542
i.
increment DAA_session -> DAA_stage by 1
5543
j.
return TPM_SUCCESS
554424.If stage==19
5545
5546
a. Verify that DAA_session ->DAA_stage==19. Return TPM_DAA_STAGE and flush
handle on mismatch
5547
5548
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5549
5550
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5551
5552
d. Obtain DAA_SIZE_r2 bytes using the MGF1 function and label them r2.
DAA_session -> DAA_contextSeed is the Z seed.
5553
5554
e. Set s2 = r2 + (DAA_session -> DAA_digest)*( DAA_joinSession -> DAA_join_u0) mod
2^DAA_power1 (Erase all but the lowest DAA_power1 bits of s2)
5555
f. set outputData = s2
5556
g. increment DAA_session -> DAA_stage by 1
5557
h. return TPM_SUCCESS
“r2” ||
555825.If stage==20
5559
5560
a. Verify that DAA_session ->DAA_stage==20. Return TPM_DAA_STAGE and flush
handle on mismatch
5561
5562
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5563
5564
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5565
5566
d. Obtain DAA_SIZE_r2 bytes using the MGF1 function and label them r2.
DAA_session -> DAA_contextSeed is the Z seed.
5567
e. Set s12 = r2 + (DAA_session -> DAA_digest)*( DAA_joinSession -> DAA_join_u0)
5568
f. Shift s12 right by DAA_power1 bit (discard the lowest DAA_power1 bits).
5569
g. Set DAA_session -> DAA_scratch = s12
1303Level 2 Revision 116 28 February 2011
1304
279
TCG Published
“r2” ||
1305Copyright © TCG
1306
1307
TPM Main Part 3 Commands
Specification Version 1.2
5570
h. Set outputData = DAA_session -> DAA_digest
5571
i.
increment DAA_session -> DAA_stage by 1
5572
j.
return TPM_SUCCESS
557326.If stage==21
5574
5575
a. Verify that DAA_session ->DAA_stage==21. Return TPM_DAA_STAGE and flush
handle on mismatch
5576
5577
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5578
5579
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5580
5581
d. Obtain DAA_SIZE_r3 bytes using the MGF1 function and label them r3.
DAA_session -> DAA_contextSeed is the Z seed.
5582
5583
e. Set s3 = r3 + (DAA_session -> DAA_digest)*( DAA_joinSession -> DAA_join_u1) +
(DAA_session -> DAA_scratch).
5584
f. Set DAA_session -> DAA_scratch = NULL
5585
g. set outputData = s3
5586
h. increment DAA_session -> DAA_stage by 1
5587
i.
“r3” ||
return TPM_SUCCESS
558827.If stage==22
5589
5590
a. Verify that DAA_session ->DAA_stage==22. Return TPM_DAA_STAGE and flush
handle on mismatch
5591
5592
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5593
5594
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5595
5596
d. Verify inputSize0 == DAA_SIZE_v0 and return error TPM_DAA_INPUT_DATA0 on
mismatch
5597
e. Set u2 = inputData0
5598
5599
f. Set v0 = u2 + (DAA_joinSession -> DAA_join_u0) mod 2^DAA_power1 (Erase all but
the lowest DAA_power1 bits of v0).
5600
g. Set DAA_tpmSpecific -> DAA_digest_v0 = SHA-1(v0)
5601
5602
h. Set v10 = u2 + (DAA_joinSession -> DAA_join_u0) in Z. Compute over the integers.
The computation is not reduced with a modulus.
5603
i.
Shift v10 right by DAA_power1 bits (erase the lowest DAA_power1 bits).
5604
j.
Set DAA_session ->DAA_scratch = v10
5605
k. Set outputData
5606
5607
1308
1309
i. Fill in TPM_DAA_BLOB with a type of TPM_RT_DAA_V0 and encrypt the v0
parameters using TPM_PERMANENT_DATA -> daaBlobKey
280
Level 2 Revision 116 28 February 2011
TCG Published
1310TPM Main Part 3 Commands
TCG © Copyright
1311Specification Version 1.2
5608
ii. set outputData to the encrypted TPM_DAA_BLOB
5609
l.
5610
5611
m. set
DAA_session
DAA_joinSession)
5612
n. return TPM_SUCCESS
increment DAA_session -> DAA_stage by 1
->
DAA_digestContext
=
SHA-1(DAA_tpmSpecific
||
561328.If stage==23
5614
5615
a. Verify that DAA_session ->DAA_stage==23. Return TPM_DAA_STAGE and flush
handle on mismatch
5616
5617
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5618
5619
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5620
5621
d. Verify inputSize0 == DAA_SIZE_v1 and return error TPM_DAA_INPUT_DATA0 on
mismatch
5622
e. Set u3 = inputData0
5623
f. Set v1 = u3 + DAA_joinSession -> DAA_join_u1 + DAA_session ->DAA_scratch
5624
g. Set DAA_tpmSpecific -> DAA_digest_v1 = SHA-1(v1)
5625
h. Set outputData
5626
5627
i. Fill in TPM_DAA_BLOB with a type of TPM_RT_DAA_V1 and encrypt the v1
parameters using TPM_PERMANENT_DATA -> daaBlobKey
5628
ii. set outputData to the encrypted TPM_DAA_BLOB
5629
i.
Set DAA_session ->DAA_scratch = NULL
5630
j.
increment DAA_session -> DAA_stage by 1
5631
5632
k. set
DAA_session
DAA_joinSession)
5633
l.
->
DAA_digestContext
=
SHA-1(DAA_tpmSpecific
||
return TPM_SUCCESS
563429.If stage==24
5635
5636
a. Verify that DAA_session ->DAA_stage==24. Return TPM_DAA_STAGE and flush
handle on mismatch
5637
5638
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5639
5640
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||
DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch
5641
5642
d. set outputData
daaBlobKey
5643
5644
e. Terminate the DAA session and all resources associated with the DAA join session
handle.
5645
f. return TPM_SUCCESS
=
enc(DAA_tpmSpecific)
1312Level 2 Revision 116 28 February 2011
1313
281
TCG Published
using
TPM_PERMANENT_DATA
->
1314Copyright © TCG
1315
1316
TPM Main Part 3 Commands
Specification Version 1.2
564630.If stage > 24, return error: TPM_DAA_STAGE
1317
1318
282
Level 2 Revision 116 28 February 2011
TCG Published
1319TPM Main Part 3 Commands
TCG © Copyright
1320Specification Version 1.2
564726.2
TPM_DAA_Sign
5648Start of informative comment:
5649outputSize and outputData are always included in the outParamDigest. This includes stage
56500, where the outputData contains the DAA session handle.
5651 End of informative comment.
5652TPM protected capability; user must provide authorizations from the TPM Owner.
5653Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
Tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes incl. paramSize and tag
3
4
TPM_COMMAND_CODE
Ordinal
Command ordinal: TPM_ORD_DAA_Sign
4
4
TPM_HANDLE
handle
Handle to the sign session
5
1
2S
1
BYTE
stage
Stage of the sign process
6
4
3S
4
UINT32
inputSize0
Size of inputData0 for this stage of DAA_Sign
7
<>
4S
<>
BYTE[]
inputData0
Data to be used by this capability
8
4
5S
4
UINT32
inputSize1
Size of inputData1 for this stage of DAA_Sign
9
<>
6S
<>
BYTE[]
inputData1
Data to be used by this capability
10
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication
#
SZ
1
#
SZ
1S
4
2 H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
11
20
3 H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
12
1
4 H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
13
20
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner. HMAC key:
ownerAuth.
5654Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes incl. paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal:TPM_ORD_DAA_Sign
4
4
3S
4
UINT32
outputSize
Size of outputData
5
<>
4S
<>
BYTE[]
outputData
Data produced by this capability
6
20
2 H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3 H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4 H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
20
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth.
7
1
8
20
1321Level 2 Revision 116 28 February 2011
1322
283
TCG Published
1323Copyright © TCG
1324
1325
TPM Main Part 3 Commands
Specification Version 1.2
5655Description
5656This table summaries the input, output and saved data that is associated with each stage of
5657processing.
Stage
Input Data0
Input Data1
Operation
Output Data
Scratchpad
0
DAA_issuerSettings
NULL
initialise
handle
NULL
1
enc(DAA_tpmSpecific)
NULL
initialise
NULL
NULL
2
DAA_generic_R0
DAA_generic_n
P1=R0^r0 mod n
NULL
P1
3
DAA_generic_R1
DAA_generic_n
P2 = P1*(R1^r1) mod n
NULL
P2
4
DAA_generic_S0
DAA_generic_n
P3 = P2*(S0^r2) mod n
NULL
P3
5
DAA_generic_S1
DAA_generic_n
T = P3*(S1^r4) mod n
T
NULL
6
DAA_generic_gamma
w
w1 = w^q mod gamma
NULL
w
7
DAA_generic_gamma
NULL
E = w^f mod gamma
E
w
8
DAA_generic_gamma
NULL
r = r0 + (2^power0)*r1
mod q,
E1
NULL
E1 = w^r mod gamma
9
c1
NULL
c = hash(c1 || NT)
NT
NULL
10
b (selector)
m or handle to AIK
c = hash(c || 1 || m)
c
NULL
or
c = hash(c || 0 || AIKmodulus)
11
NULL
NULL
s0 = r0 + c*f0
s0
NULL
12
NULL
NULL
s1 = r1 + c*f1
s1
NULL
13
enc(v0)
NULL
s2 = r2 + c*v0
s2
NULL
NULL
s12
s3
NULL
mod 2^power1
14
enc(v0)
NULL
s12 = r2 + c*v0
>> power1
15
enc(v1)
NULL
s3 = r4 + c*v1 + s12
5658
5659When a TPM receives an Owner authorized command to input enc(DAA_tpmSpecific) or
5660enc(v0) or enc(v1), the TPM MUST verify that the TPM created the data and that neither the
5661data nor the TPM's daaProof has been changed since the data was created. Loading one of
5662these wrapped blobs does not require authorization, since correct blobs were created by the
5663TPM under Owner authorization, and unwrapped blobs cannot be used without Owner
5664authorisation. The TPM MUST NOT restrict the number of times that the contents of
5665enc(DAA_tpmSpecific) or enc(v0) or enc(v1) can be used by the same combination of TPM
5666and daaProof that created them.
5667Actions
5668A Trusted Platform Module that receives a valid TPM_DAA_Sign command SHALL:
56691. Use ownerAuth to verify that the Owner authorized all TPM_DAA_Sign input parameters.
56702. Any error results in the TPM invalidating all resources associated with the command
56713. Constant values of 0 or 1 are 1 byte integers, stages affected are
5672
1326
1327
a. 7(f), 11(e), 12(e)
284
Level 2 Revision 116 28 February 2011
TCG Published
1328TPM Main Part 3 Commands
TCG © Copyright
1329Specification Version 1.2
56734. Representation of the strings “r0” to “r4” are 2-byte ASCII encodings, stages affected are
5674
a. 2(h), 3(h), 4(h), 5(h), 12(d), 13(f), 14(f), 15(f)
5675Stages
56760. If stage==0
5677
b. Determine that sufficient resources are available to perform a TPM_DAA_Sign.
5678
5679
5680
i. The TPM MUST support sufficient resources to perform one (1)
TPM_DAA_Join/ TPM_DAA_Sign. The TPM MAY support addition TPM_DAA_Join/
TPM_DAA_Sign sessions.
5681
5682
ii. The TPM may share internal resources between the DAA operations and other
variable resource requirements:
5683
5684
5685
iii. If there are insufficient resources within the stored key pool (and one or more
keys need to be removed to permit the DAA operation to execute) return
TPM_NOSPACE
5686
5687
5688
iv. If there are insufficient resources within the stored session pool (and one or
more authorization or transport sessions need to be removed to permit the DAA
operation to execute), return TPM_RESOURCES.
5689
c. Set DAA_issuerSettings = inputData0
5690
5691
d. Verify that all fields in DAA_issuerSettings
TPM_DAA_INPUT_DATA0 if not.
5692
e. set all fields in DAA_session = NULL
5693
f. Assign new handle for session
5694
g. Set outputData to new handle
5695
i.
are
present
and
return
error
The handle in outputData is included the output HMAC.
5696
h. set DAA_session -> DAA_stage = 1
5697
i.
return TPM_SUCCESS
56985. If stage==1
5699
5700
a. Verify that DAA_session ->DAA_stage==1. Return TPM_DAA_STAGE and flush handle
on mismatch
5701
5702
b. Set DAA_tpmSpecific = unwrap(inputData0) using TPM_PERMANENT_DATA ->
daaBlobKey
5703
5704
c. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5705
d. set DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific)
5706
e. set outputData = NULL
5707
f. set DAA_session -> DAA_stage =2
5708
g. return TPM_SUCCESS
57096. If stage==2
1330Level 2 Revision 116 28 February 2011
1331
285
TCG Published
1332Copyright © TCG
1333
1334
TPM Main Part 3 Commands
Specification Version 1.2
5710
5711
a. Verify that DAA_session ->DAA_stage==2. Return TPM_DAA_STAGE and flush handle
on mismatch
5712
5713
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5714
5715
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5716
d. Set DAA_generic_R0 = inputData0
5717
5718
e. Verify that SHA-1(DAA_generic_R0) == DAA_issuerSettings -> DAA_digest_R0 and
return error TPM_DAA_INPUT_DATA0 on mismatch
5719
f. Set DAA_generic_n = inputData1
5720
5721
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5722
h. Obtain random data from the RNG and store it as DAA_session -> DAA_contextSeed
5723
5724
i. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them Y.
DAA_session -> DAA_contextSeed is the Z seed.
5725
j.
5726
k. Set n = DAA_generic_n
5727
l.
5728
m. set outputData = NULL
5729
n. increment DAA_session -> DAA_stage by 1
5730
o. return TPM_SUCCESS
“r0” ||
Set X = DAA_generic_R0
Set DAA_session -> DAA_scratch = (X^Y) mod n
57317. If stage==3
5732
5733
a. Verify that DAA_session ->DAA_stage==3. Return TPM_DAA_STAGE and flush handle
on mismatch
5734
5735
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5736
5737
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5738
d. Set DAA_generic_R1 = inputData0
5739
5740
e. Verify that SHA-1(DAA_generic_R1) == DAA_issuerSettings -> DAA_digest_R1 and
return error TPM_DAA_INPUT_DATA0 on mismatch
5741
f. Set DAA_generic_n = inputData1
5742
5743
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5744
5745
h. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them Y.
DAA_session -> DAA_contextSeed is the Z seed.
5746
i.
Set X = DAA_generic_R1
5747
j.
Set n = DAA_generic_n
1335
1336
286
“r1” ||
Level 2 Revision 116 28 February 2011
TCG Published
1337TPM Main Part 3 Commands
TCG © Copyright
1338Specification Version 1.2
5748
k. Set Z = DAA_session -> DAA_scratch
5749
l.
5750
m. set outputData = NULL
5751
n. increment DAA_session -> DAA_stage by 1
5752
o. return TPM_SUCCESS
Set DAA_session -> DAA_scratch = Z*(X^Y) mod n
57538. If stage==4
5754
5755
a. Verify that DAA_session ->DAA_stage==4. Return TPM_DAA_STAGE and flush handle
on mismatch
5756
5757
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5758
5759
c. Verify that DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific)
return error TPM_DAA_TPM_SETTINGS on mismatch
5760
d. Set DAA_generic_S0 = inputData0
5761
5762
e. Verify that SHA-1(DAA_generic_S0) == DAA_issuerSettings -> DAA_digest_S0 and
return error TPM_DAA_INPUT_DATA0 on mismatch
5763
f. Set DAA_generic_n = inputData1
5764
5765
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5766
5767
h. Obtain DAA_SIZE_r2 bytes using the MGF1 function and label them Y.
DAA_session -> DAA_contextSeed is the Z seed.
5768
i.
Set X = DAA_generic_S0
5769
j.
Set n = DAA_generic_n
5770
k. Set Z = DAA_session -> DAA_scratch
5771
l.
5772
m. set outputData = NULL
5773
n. increment DAA_session -> DAA_stage by 1
5774
o. return TPM_SUCCESS
and
“r2” ||
Set DAA_session -> DAA_scratch = Z*(X^Y) mod n
57759. If stage==5
5776
5777
a. Verify that DAA_session ->DAA_stage==5. Return TPM_DAA_STAGE and flush handle
on mismatch
5778
5779
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5780
5781
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5782
d. Set DAA_generic_S1 = inputData0
5783
5784
e. Verify that SHA-1(DAA_generic_S1) == DAA_issuerSettings -> DAA_digest_S1 and
return error TPM_DAA_INPUT_DATA0 on mismatch
1339Level 2 Revision 116 28 February 2011
1340
287
TCG Published
1341Copyright © TCG
1342
1343
TPM Main Part 3 Commands
Specification Version 1.2
5785
f. Set DAA_generic_n = inputData1
5786
5787
g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and
return error TPM_DAA_INPUT_DATA1 on mismatch
5788
5789
h. Obtain DAA_SIZE_r4 bytes using the MGF1 function and label them Y.
DAA_session -> DAA_contextSeed is the Z seed.
5790
i.
Set X = DAA_generic_S1
5791
j.
Set n = DAA_generic_n
5792
k. Set Z = DAA_session -> DAA_scratch
5793
l.
5794
m. set outputData = DAA_session -> DAA_scratch
5795
n. set DAA_session -> DAA_scratch = NULL
5796
o. increment DAA_session -> DAA_stage by 1
5797
p. return TPM_SUCCESS
“r4” ||
Set DAA_session -> DAA_scratch = Z*(X^Y) mod n
579810.If stage==6
5799
5800
a. Verify that DAA_session ->DAA_stage==6. Return TPM_DAA_STAGE and flush handle
on mismatch
5801
5802
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5803
5804
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5805
d. Set DAA_generic_gammma = inputData0
5806
5807
e. Verify
that
SHA-1(DAA_generic_gamma)
==
DAA_issuerSettings
DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch
5808
5809
f. Verify that inputSize1 == DAA_SIZE_w and return error TPM_DAA_INPUT_DATA1 on
mismatch
5810
g. Set w = inputData1
5811
h. Set w1 = w^( DAA_issuerSettings -> DAA_generic_q) mod (DAA_generic_gamma)
5812
i.
If w1 != 1 (unity), return error TPM_DAA_WRONG_W
5813
j.
Set DAA_session -> DAA_scratch = w
5814
k. set outputData = NULL
5815
l.
5816
m. return TPM_SUCCESS.
->
increment DAA_session -> DAA_stage by 1
581711.If stage==7
5818
5819
a. Verify that DAA_session ->DAA_stage==7. Return TPM_DAA_STAGE and flush handle
on mismatch
5820
5821
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
1344
1345
288
Level 2 Revision 116 28 February 2011
TCG Published
1346TPM Main Part 3 Commands
TCG © Copyright
1347Specification Version 1.2
5822
5823
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5824
d. Set DAA_generic_gamma = inputData0
5825
5826
e. Verify
that
SHA-1(DAA_generic_gamma)
==
DAA_issuerSettings
DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch
5827
5828
5829
f. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count ||
0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 )
mod DAA_issuerSettings -> DAA_generic_q.
5830
g. Set E = ((DAA_session -> DAA_scratch)^f) mod (DAA_generic_gamma).
5831
h. Set outputData = E
5832
i.
increment DAA_session -> DAA_stage by 1
5833
j.
return TPM_SUCCESS.
->
583412.If stage==8
5835
5836
a. Verify that DAA_session ->DAA_stage==8. Return TPM_DAA_STAGE and flush handle
on mismatch
5837
5838
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5839
5840
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5841
d. Set DAA_generic_gamma = inputData0
5842
5843
e. Verify
that
SHA-1(DAA_generic_gamma)
==
DAA_issuerSettings
DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch
5844
5845
f. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them r0.
DAA_session -> DAA_contextSeed is the Z seed.
“r0” ||
5846
5847
g. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them r1.
DAA_session -> DAA_contextSeed is the Z seed.
“r1” ||
5848
h. set r = r0 + 2^DAA_power0 * r1 mod (DAA_issuerSettings -> DAA_generic_q).
5849
i.
Set E1 = ((DAA_session -> DAA_scratch)^r) mod (DAA_generic_gamma)
5850
j.
Set DAA_session -> DAA_scratch = NULL
5851
k. Set outputData = E1
5852
l.
5853
m. return TPM_SUCCESS.
->
increment DAA_session -> DAA_stage by 1
585413.If stage==9
5855
5856
a. Verify that DAA_session ->DAA_stage==9. Return TPM_DAA_STAGE and flush handle
on mismatch
5857
5858
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
1348Level 2 Revision 116 28 February 2011
1349
289
TCG Published
1350Copyright © TCG
1351
1352
TPM Main Part 3 Commands
Specification Version 1.2
5859
5860
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5861
5862
d. Verify
that
inputSize0
==
TPM_DAA_INPUT_DATA0 on mismatch
5863
e. Set DAA_session -> DAA_digest = inputData0
5864
f. Obtain DAA_SIZE_NT bytes from the RNG and label them NT
5865
g. Set DAA_session -> DAA_digest to the SHA-1 ( DAA_session -> DAA_digest || NT )
5866
h. Set outputData = NT
5867
i.
increment DAA_session -> DAA_stage by 1
5868
j.
return TPM_SUCCESS.
sizeOf(TPM_DIGEST)
and
return
error
586914.If stage==10
5870
5871
a. Verify that DAA_session ->DAA_stage==10. Return TPM_DAA_STAGE and flush
handle on mismatch
5872
5873
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5874
5875
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5876
5877
d. Verify that inputSize0 == sizeOf(BYTE), and return error TPM_DAA_INPUT_DATA0 on
mismatch
5878
5879
e. Set selector = inputData0, verify that selector == 0 or 1, and return error
TPM_DAA_INPUT_DATA0 on mismatch
5880
5881
f. If selector == 1, verify that inputSize1 == sizeOf(TPM_DIGEST), and return error
TPM_DAA_INPUT_DATA1 on mismatch
5882
5883
g. Set DAA_session -> DAA_digest to SHA-1 (DAA_session -> DAA_digest || 1 ||
inputData1)
5884
5885
h. If selector == 0, verify that inputData1 is a handle to a TPM identity key (AIK), and
return error TPM_DAA_INPUT_DATA1 on mismatch
5886
5887
i. Set DAA_session -> DAA_digest to SHA-1 (DAA_session -> DAA_digest || 0 || n2)
where n2 is the modulus of the AIK
5888
j.
5889
k. increment DAA_session -> DAA_stage by 1
5890
l.
Set outputData = DAA_session -> DAA_digest
return TPM_SUCCESS.
589115.If stage==11
5892
5893
a. Verify that DAA_session ->DAA_stage==11. Return TPM_DAA_STAGE and flush
handle on mismatch
5894
5895
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
1353
1354
290
Level 2 Revision 116 28 February 2011
TCG Published
1355TPM Main Part 3 Commands
TCG © Copyright
1356Specification Version 1.2
5896
5897
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5898
5899
d. Obtain DAA_SIZE_r0 bytes using the MGF1 function and label them r0.
DAA_session -> DAA_contextSeed is the Z seed.
5900
5901
5902
e. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count ||
0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 )
mod DAA_issuerSettings -> DAA_generic_q.
5903
f. Set f0 = f mod 2^DAA_power0 (erase all but the lowest DAA_power0 bits of f)
5904
g. Set s0 = r0 + (DAA_session -> DAA_digest)*(f0)
5905
h. set outputData = s0
5906
i.
increment DAA_session -> DAA_stage by 1
5907
j.
return TPM_SUCCESS
“r0” ||
590816.If stage==12
5909
5910
a. Verify that DAA_session ->DAA_stage==12. Return TPM_DAA_STAGE and flush
handle on mismatch
5911
5912
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5913
5914
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5915
5916
d. Obtain DAA_SIZE_r1 bytes using the MGF1 function and label them r1.
DAA_session -> DAA_contextSeed is the Z seed.
5917
5918
5919
e. Set f = SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count ||
0 ) || SHA-1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 )
mod DAA_issuerSettings -> DAA_generic_q.
5920
5921
f. Shift f right by DAA_power0 bits (discard the lowest DAA_power0 bits) and label the
result f1
5922
g. Set s1 = r1 + (DAA_session -> DAA_digest)*(f1)
5923
h. set outputData = s1
5924
i.
increment DAA_session -> DAA_stage by 1
5925
j.
return TPM_SUCCESS
“r1” ||
592617.If stage==13
5927
5928
a. Verify that DAA_session ->DAA_stage==13. Return TPM_DAA_STAGE and flush
handle on mismatch
5929
5930
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5931
5932
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5933
5934
d. Set DAA_private_v0=
daaBlobKey
unwrap(inputData0)
1357Level 2 Revision 116 28 February 2011
1358
291
TCG Published
using
TPM_PERMANENT_DATA
->
1359Copyright © TCG
1360
1361
TPM Main Part 3 Commands
Specification Version 1.2
5935
5936
e. Verify that SHA-1(DAA_private_v0) == DAA_tpmSpecific -> DAA_digest_v0 and return
error TPM_DAA_INPUT_DATA0 on mismatch
5937
5938
f. Obtain DAA_SIZE_r2 bytes from the MGF1 function and label them r2.
DAA_session -> DAA_contextSeed is the Z seed.
5939
5940
g. Set s2 = r2 + (DAA_session -> DAA_digest)*( DAA_private_v0) mod 2^DAA_power1
(erase all but the lowest DAA_power1 bits of s2)
5941
h. set outputData = s2
5942
i.
increment DAA_session -> DAA_stage by 1
5943
j.
return TPM_SUCCESS
“r2” ||
594418.If stage==14
5945
5946
a. Verify that DAA_session ->DAA_stage==14. Return TPM_DAA_STAGE and flush
handle on mismatch
5947
5948
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5949
5950
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5951
5952
d. Set DAA_private_v0=
daaBlobKey
5953
5954
e. Verify that SHA-1(DAA_private_v0) == DAA_tpmSpecific -> DAA_digest_v0 and return
error TPM_DAA_INPUT_DATA0 on mismatch
5955
5956
f. Obtain DAA_SIZE_r2 bytes using the MGF1 function and label them r2.
DAA_session -> DAA_contextSeed is the Z seed.
5957
g. Set s12 = r2 + (DAA_session -> DAA_digest)*(DAA_private_v0).
5958
h. Shift s12 right by DAA_power1 bits (erase the lowest DAA_power1 bits).
5959
i.
Set DAA_session -> DAA_scratch = s12
5960
j.
set outputData = NULL
5961
k. increment DAA_session -> DAA_stage by 1
5962
l.
unwrap(inputData0)
using
TPM_PERMANENT_DATA
->
“r2” ||
return TPM_SUCCESS
596319.If stage==15
5964
5965
a. Verify that DAA_session ->DAA_stage==15. Return TPM_DAA_STAGE and flush
handle on mismatch
5966
5967
b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and
return error TPM_DAA_ISSUER_SETTINGS on mismatch
5968
5969
c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and
return error TPM_DAA_TPM_SETTINGS on mismatch
5970
5971
d. Set DAA_private_v1 = unwrap(inputData0) using
daaBlobKey
1362
1363
292
TPM_PERMANENT_DATA
Level 2 Revision 116 28 February 2011
TCG Published
->
1364TPM Main Part 3 Commands
TCG © Copyright
1365Specification Version 1.2
5972
5973
e. Verify that SHA-1(DAA_private_v1) == DAA_tpmSpecific -> DAA_digest_v1 and return
error TPM_DAA_INPUT_DATA0 on mismatch
5974
5975
f. Obtain DAA_SIZE_r4 bytes using the MGF1 function and label them r4.
DAA_session -> DAA_contextSeed is the Z seed.
5976
5977
g. Set s3 = r4 + (DAA_session -> DAA_digest)*(DAA_private_v1) + (DAA_session ->
DAA_scratch).
5978
h. Set DAA_session -> DAA_scratch = NULL
5979
i.
5980
5981
j. Terminate the DAA session and all resources associated with the DAA sign session
handle.
5982
k. return TPM_SUCCESS
“r4” ||
set outputData = s3
598320.If stage > 15, return error: TPM_DAA_STAGE
1366Level 2 Revision 116 28 February 2011
1367
293
TCG Published
1368Copyright © TCG
1369
1370
598427.
Deprecated
5985Start of informative comment:
TPM Main Part 3 Commands
Specification Version 1.2
commands
5986This section covers the commands that were in version 1.1 but now have new functionality
5987in other functions. The deprecated commands are still available in 1.2 but all new software
5988should use the new functionality.
5989There is no requirement that the deprecated commands work with new structures.
5990End of informative comment.
59911. Commands deprecated in version 1.2 MUST work with version 1.1 structures
59922. Commands deprecated in version 1.2 MAY work with version 1.2 structures
1371
1372
294
Level 2 Revision 116 28 February 2011
TCG Published
1373TPM Main Part 3 Commands
TCG © Copyright
1374Specification Version 1.2
599327.1
Key commands
5994Start of informative comment:
5995The key commands are deprecated as the new way to handle keys is to use the standard
5996context commands. So TPM_EvictKey is now handled by TPM_FlushSpecific,
5997TPM_Terminate_Handle by TPM_FlushSpecific.
5998End of informative comment.
599927.1.1
TPM_EvictKey
6000Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_EvictKey
4
4
TPM_KEY_HANDLE
evictHandle
The handle of the key to be evicted.
Type
Name
Description
#
SZ
1
#
1S
SZ
4
6001Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_EvictKey
6002Actions
6003The TPM will invalidate the key stored in the specified handle and return the space to the
6004available internal pool for subsequent query by TPM_GetCapability and usage by
6005TPM_LoadKey. If the specified key handle does not correspond to a valid key, an error will
6006be returned.
6007New 1.2 functionality
6008The command must check the status of the ownerEvict flag for the key and if the flag is
6009TRUE return TPM_KEY_CONTROL_OWNER
1375Level 2 Revision 116 28 February 2011
1376
295
TCG Published
1377Copyright © TCG
1378
1379
601027.1.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_Terminate_Handle
6011Start of informative comment:
6012This allows the TPM manager to clear out information in a session handle.
6013The TPM may maintain the authorization session even though a key attached to it has been
6014unloaded or the authorization session itself has been unloaded in some way. When a
6015command is executed that requires this session, it is the responsibility of the external
6016software to load both the entity and the authorization session information prior to
6017command execution.
6018End of informative comment.
6019Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Terminate_Handle.
4
4
TPM_AUTHHANDLE
handle
The handle to terminate
Type
Name
Description
#
SZ
1
#
SZ
1S
4
6020Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Terminate_Handle.
6021Description
6022The TPM SHALL terminate the session and destroy all data associated with the session
6023indicated.
6024Actions
6025A TPM SHALL unilaterally perform the actions of TPM_Terminate_Handle upon detection of
6026the following events:
60271. Completion of a received command whose authorization “continueUse” flag is FALSE.
60282. Completion of a received command when a shared secret derived from the authorization
6029
session was exclusive-or’ed with data (to provide confidentiality for that data). This
6030
occurs during execution of a TPM_ChangeAuth command, for example.
60313. When the associated entity is destroyed (in the case of TPM Owner or SRK, for example)
60324. Upon execution of TPM_Init
1380
1381
296
Level 2 Revision 116 28 February 2011
TCG Published
1382TPM Main Part 3 Commands
TCG © Copyright
1383Specification Version 1.2
60335. When the command returns an error. This is due to the fact that when returning an
6034
error the TPM does not send back nonceEven. There is no way to maintain the rolling
6035
nonces, hence the TPM MUST terminate the authorization session.
60366. Failure of an authorization check belonging to that authorization session.
1384Level 2 Revision 116 28 February 2011
1385
297
TCG Published
1386Copyright © TCG
1387
1388
603727.2
TPM Main Part 3 Commands
Specification Version 1.2
Context management
6038Start of informative comment:
6039The 1.1 context commands were written for specific resource types. The 1.2 commands are
6040generic for all resource types. So the Savexxx commands are replaced by TPM_SaveContext
6041and the LoadXXX commands by TPM_LoadContext.
6042End of informative comment.
604327.2.1
TPM_SaveKeyContext
6044Start of informative comment:
6045TPM_SaveKeyContext saves a loaded key outside the TPM. After creation of the key context
6046blob the TPM automatically releases the internal memory used by that key. The format of
6047the key context blob is specific to a TPM.
6048End of informative comment.
6049Incoming Operands and Sizes
PARAM
#
SZ
1
4
4
4
1S
4
Description
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
UINT32
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SaveKeyContext
TPM_KEY_HANDLE
SZ
Name
4
3
#
Type
2
2
HMAC
keyHandle
The key which will be kept outside the TPM
Type
Name
Description
6050Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SaveKeyContext
4
4
3S
4
UINT32
keyContextSize
The actual size of the outgoing key context blob. If the command fails the value
will be 0
5
<>
4S
<>
BYTE[]
keyContextBlob
The key context blob.
6051Description
60521. This command allows saving a loaded key outside the TPM. After creation of the
6053
keyContextBlob, the TPM automatically releases the internal memory used by that key.
6054
The format of the key context blob is specific to a TPM.
60552.
6056
6057
6058
1389
1390
A TPM protected capability belonging to the TPM that created a key context blob MUST
be the only entity that can interpret the contents of that blob. If a cryptographic
technique is used for this purpose, the level of security provided by that technique
SHALL be at least as secure as a 2048 bit RSA algorithm. Any secrets (such as keys)
298
Level 2 Revision 116 28 February 2011
TCG Published
1391TPM Main Part 3 Commands
TCG © Copyright
1392Specification Version 1.2
6059
6060
6061
used in such a cryptographic technique MUST be generated using the TPM’s random
number generator. Any symmetric key MUST be used within the power-on session
during which it was created, only.
60623. A key context blob SHALL enable verification of the integrity of the contents of the blob
6063
by a TPM protected capability.
60644. A key context blob SHALL enable verification of the session validity of the contents of the
6065
blob by a TPM protected capability. The method SHALL ensure that all key context blobs
6066
are rendered invalid if power to the TPM is interrupted.
1393Level 2 Revision 116 28 February 2011
1394
299
TCG Published
1395Copyright © TCG
1396
1397
TPM Main Part 3 Commands
Specification Version 1.2
6067
606827.2.2
TPM_LoadKeyContext
6069Start of informative comment:
6070TPM_LoadKeyContext loads a key context blob into the TPM previously retrieved by a
6071TPM_SaveKeyContext call. After successful completion the handle returned by this
6072command can be used to access the key.
6073End of informative comment.
6074Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadKeyContext
4
4
2S
4
UINT32
keyContextSize
The size of the following key context blob.
5
<>
3S
<>
BYTE[]
keyContextBlob
The key context blob.
Type
Name
Description
#
SZ
1
#
SZ
6075Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadKeyContext
TPM_KEY_HANDLE
keyHandle
The handle assigned to the key after it has been successfully loaded.
4
6076Description
60771. This command allows loading a key context blob into the TPM previously retrieved by a
6078
TPM_SaveKeyContext call. After successful completion the handle returned by this
6079
command can be used to access the key.
60802. The contents of a key context blob SHALL be discarded unless the contents have passed
6081
an integrity test. This test SHALL (statistically) prove that the contents of the blob are
6082
the same as when the blob was created.
60833. The contents of a key context blob SHALL be discarded unless the contents have passed
6084
a session validity test. This test SHALL (statistically) prove that the blob was created by
6085
this TPM during this power-on session.
1398
1399
300
Level 2 Revision 116 28 February 2011
TCG Published
1400TPM Main Part 3 Commands
TCG © Copyright
1401Specification Version 1.2
6086
608727.2.3
TPM_SaveAuthContext
6088Start of informative comment:
6089TPM_SaveAuthContext saves a loaded authorization session outside the TPM. After creation
6090of the authorization context blob, the TPM automatically releases the internal memory used
6091by that session. The format of the authorization context blob is specific to a TPM.
6092End of informative comment.
6093Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SaveAuthContext
4
4
TPM_AUTHHANDLE
authHandle
Authorization session which will be kept outside the TPM
Type
Name
Description
#
SZ
1
#
SZ
1S
4
6094Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_SaveAuthContext
4
4
3S
4
UINT32
authContextSize
The actual size of the outgoing authorization context blob. If the command fails
the value will be 0.
5
<>
4S
4
BYTE[]
authContextBlob
The authorization context blob.
6095Description
6096This command allows saving a loaded authorization session outside the TPM. After creation
6097of the authContextBlob, the TPM automatically releases the internal memory used by that
6098session. The format of the authorization context blob is specific to a TPM.
6099A TPM protected capability belonging to the TPM that created an authorization context blob
6100MUST be the only entity that can interpret the contents of that blob. If a cryptographic
6101technique is used for this purpose, the level of security provided by that technique SHALL
6102be at least as secure as a 2048 bit RSA algorithm. Any secrets (such as keys) used in such a
6103cryptographic technique MUST be generated using the TPM’s random number generator.
6104Any symmetric key MUST be used within the power-on session during which it was created,
6105only.
6106An authorization context blob SHALL enable verification of the integrity of the contents of
6107the blob by a TPM protected capability.
1402Level 2 Revision 116 28 February 2011
1403
301
TCG Published
1404Copyright © TCG
1405
1406
TPM Main Part 3 Commands
Specification Version 1.2
6108An authorization context blob SHALL enable verification of the session validity of the
6109contents of the blob by a TPM protected capability. The method SHALL ensure that all
6110authorization context blobs are rendered invalid if power to the TPM is interrupted.
611127.2.4
TPM_LoadAuthContext
6112Start of informative comment:
6113TPM_LoadAuthContext loads an authorization context blob into the TPM previously
6114retrieved by a TPM_SaveAuthContext call. After successful completion, the handle returned
6115by this command can be used to access the authorization session.
6116End of informative comment.
6117Incoming Operands and Sizes
PARAM
HMAC
Name
Description
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
UINT32
#
Type
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadAuthContext
4
UINT32
authContextSize
The size of the following authorization context blob.
<>
BYTE[]
authContextBlob
The authorization context blob.
Type
Name
Description
#
SZ
SZ
1
2
2
4
3
4
1S
4
4
4
2S
5
<>
3S
6118Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadAuthContext
TPM_KEY_HANDLE
authHandle
The handle assigned to the authorization session after it has been successfully
loaded.
4
6119Description
6120This command allows loading an authorization context blob into the TPM previously
6121retrieved by a TPM_SaveAuthContext call. After successful completion, the handle returned
6122by this command can be used to access the authorization session.
6123The contents of an authorization context blob SHALL be discarded unless the contents have
6124passed an integrity test. This test SHALL (statistically) prove that the contents of the blob
6125are the same as when the blob was created.
6126The contents of an authorization context blob SHALL be discarded unless the contents have
6127passed a session validity test. This test SHALL (statistically) prove that the blob was created
6128by this TPM during this power-on session.
6129For an OSAP authorization context blob referring to a key, verify that the key linked to this
6130session is resident in the TPM.
1407
1408
302
Level 2 Revision 116 28 February 2011
TCG Published
1409TPM Main Part 3 Commands
TCG © Copyright
1410Specification Version 1.2
6131
1411Level 2 Revision 116 28 February 2011
1412
303
TCG Published
1413Copyright © TCG
1414
1415
613227.3
TPM Main Part 3 Commands
Specification Version 1.2
DIR commands
6133Start of informative comment:
6134The DIR commands are replaced by the NV storage commands.
6135The DIR [0] in 1.1 is now TPM_PERMANENT_DATA -> authDIR[0] and is always available for
6136the TPM to use. It is accessed by DIR commands using dirIndex 0 and by NV commands
6137using nvIndex TPM_NV_INDEX_DIR.
6138If the TPM vendor supports additional DIR registers, the TPM vendor may return errors or
6139provide vendor specific mappings for those DIR registers to NV storage locations.
6140End of informative comment.
61411. A dirIndex value of 0 MUST corresponds to an NV storage nvIndex value
6142
TPM_NV_INDEX_DIR.
61432. The TPM vendor MAY return errors or MAY provide vendor specific mappings for DIR
6144
dirIndex values greater than 0 to NV storage locations.
1416
1417
304
Level 2 Revision 116 28 February 2011
TCG Published
1418TPM Main Part 3 Commands
TCG © Copyright
1419Specification Version 1.2
614527.3.1
TPM_DirWriteAuth
6146Start of informative comment:
6147The TPM_DirWriteAuth operation provides write access to the Data Integrity Registers. DIRs
6148are non-volatile memory registers held in a TPM-shielded location. Owner authentication is
6149required to authorize this action.
6150Access is also provided through the NV commands with nvIndex TPM_NV_INDEX_DIR.
6151Owner authorization is not required when nvLocked is FALSE.
6152Version 1.2 requires only one DIR. If the DIR named does not exist, the TPM_DirWriteAuth
6153operation returns TPM_BADINDEX.
6154End of informative comment.
6155Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DirWriteAuth.
4
4
2S
4
TPM_DIRINDEX
dirIndex
Index of the DIR
5
20
3S
20
TPM_DIRVALUE
newContents
New value to be stored in named DIR
6
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for command.
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
7
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
8
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
9
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs. HMAC key: ownerAuth.
Type
Name
Description
#
SZ
1
#
SZ
6156Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
5
1
6
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DirWriteAuth
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth.
20
6157Actions
1420Level 2 Revision 116 28 February 2011
1421
305
TCG Published
1422Copyright © TCG
1423
1424
TPM Main Part 3 Commands
Specification Version 1.2
61581. Validate that authHandle contains a TPM Owner AuthData to execute the
6159
TPM_DirWriteAuth command
61602. Validate that dirIndex points to a valid DIR on this TPM
61613. Write newContents into the DIR pointed to by dirIndex
1425
1426
306
Level 2 Revision 116 28 February 2011
TCG Published
1427TPM Main Part 3 Commands
TCG © Copyright
1428Specification Version 1.2
6162
616327.3.2
TPM_DirRead
6164Start of informative comment:
6165The TPM_DirRead operation provides read access to the DIRs. No authentication is required
6166to perform this action because typically no cryptographically useful AuthData is available
6167early in boot. TSS implementers may choose to provide other means of authorizing this
6168action. Version 1.2 requires only one DIR. If the DIR named does not exist, the
6169TPM_DirRead operation returns TPM_BADINDEX.
6170End of informative comment.
6171Incoming Operands and Sizes
PARAM
HMAC
#
SZ
1
2
2
4
3
4
1S
4
4
4
2S
4
Name
Description
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
UINT32
SZ
Type
#
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DirRead.
TPM_DIRINDEX
dirIndex
Index of the DIR to be read
Type
Name
Description
6172Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
20
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
1S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DirRead.
3S
20
TPM_DIRVALUE
dirContents
The current contents of the named DIR
6173Actions
61741. Validate that dirIndex points to a valid DIR on this TPM
61752. Return the contents of the DIR in dirContents
1429Level 2 Revision 116 28 February 2011
1430
307
TCG Published
1431Copyright © TCG
1432
1433
617627.4
TPM Main Part 3 Commands
Specification Version 1.2
Change Auth
6177Start of informative comment:
6178The change auth commands can be duplicated by creating a transport session with
6179confidentiality and issuing the changeAuth command.
6180End of informative comment.
1434
1435
308
Level 2 Revision 116 28 February 2011
TCG Published
1436TPM Main Part 3 Commands
TCG © Copyright
1437Specification Version 1.2
6181
618227.4.1
TPM_ChangeAuthAsymStart
6183Start of informative comment:
6184The TPM_ChangeAuthAsymStart starts the process of changing AuthData for an entity. It
6185sets up an OIAP session that must be retained for use by its twin
6186TPM_ChangeAuthAsymFinish command.
6187TPM_ChangeAuthAsymStart creates a temporary asymmetric public key “tempkey” to
6188provide confidentiality for new AuthData to be sent to the TPM. TPM_ChangeAuthAsymStart
6189certifies that tempkey was generated by a genuine TPM, by generating a certifyInfo
6190structure that is signed by a TPM identity. The owner of that TPM identity must cooperate
6191to produce this command, because TPM_ChangeAuthAsymStart requires authorization to
6192use that identity.
6193It is envisaged that tempkey and certifyInfo are given to the owner of the entity whose
6194authorization
is
to
be
changed.
That
owner
uses
certifyInfo
and
a
6195TPM_IDENTITY_CREDENTIAL to verify that tempkey was generated by a genuine TPM. This
6196is done by verifying the TPM_IDENTITY_CREDENTIAL using the public key of a CA,
6197verifying the signature on the certifyInfo structure with the public key of the identity in
6198TPM_IDENTITY_CREDENTIAL, and verifying tempkey by comparing its digest with the value
6199inside certifyInfo. The owner uses tempkey to encrypt the desired new AuthData and inserts
6200that encrypted data in a TPM_ChangeAuthAsymFinish command, in the knowledge that
6201only a TPM with a specific identity can interpret the new AuthData.
6202End of informative comment.
6203Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ChangeAuthAsymStart.
4
4
TPM_KEY_HANDLE
idHandle
The keyHandle identifier of a loaded identity ID key
5
20
2s
20
TPM_NONCE
antiReplay
The nonce to be inserted into the certifyInfo structure
6
<>
3S
<>
TPM_KEY_PARMS
tempKey
Structure contains all parameters of ephemeral key.
7
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for idHandle authorization.
#
SZ
1
#
1S
SZ
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
8
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
9
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
10
20
TPM_AUTHDATA
idAuth
Authorization. HMAC key: idKey.usageAuth.
1438Level 2 Revision 116 28 February 2011
1439
309
TCG Published
1440Copyright © TCG
1441
1442
TPM Main Part 3 Commands
Specification Version 1.2
6204Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ChangeAuthAsymStart
7
95
3S
95
TPM_CERTIFY_INFO
certifyInfo
The certifyInfo structure that is to be signed.
8
4
4S
4
UINT32
sigSize
The used size of the output area for the signature
9
<>
5S
<>
BYTE[ ]
sig
The signature of the certifyInfo parameter.
10
4
6s
4
TPM_KEY_HANDLE
ephHandle
The keyHandle identifier to be used by ChangeAuthAsymFinish for the
ephemeral key
11
<>
7S
<>
TPM_KEY
tempKey
Structure containing all parameters and public part of ephemeral key. TPM_KEY.encSize is set to 0.
12
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
Authorization. HMAC key: idKey.usageAuth.
13
1
14
20
6205Actions
62061. The TPM SHALL verify the AuthData to use the TPM identity key held in idHandle. The
6207
TPM MUST verify that the key is a TPM identity key.
62082. The TPM SHALL validate the algorithm parameters for the key to create from the
6209
tempKey parameter.
62103. Recommended key type is RSA
62114. Minimum RSA key size MUST is 512 bits, recommended RSA key size is 1024
62125. For other key types the minimum key size strength MUST be comparable to RSA 512
62136. If the TPM is not designed to create a key of the requested type, return the error code
6214
TPM_BAD_KEY_PROPERTY
62157. The TPM SHALL create a new key (k1) in accordance with the algorithm parameter. The
6216
newly created key is pointed to by ephHandle.
62178. The TPM SHALL fill in all fields in tempKey using k1 for the information. The TPM_KEY
6218
-> encSize MUST be 0.
62199. The TPM SHALL fill in certifyInfo using k1 for the information. The certifyInfo -> data
6220
field is supplied by the antiReplay.
622110.The TPM then signs the certifyInfo parameter using the key pointed to by idHandle. The
6222
resulting signed blob is returned in sig parameter
1443
1444
310
Level 2 Revision 116 28 February 2011
TCG Published
1445TPM Main Part 3 Commands
TCG © Copyright
1446Specification Version 1.2
6223Field Descriptions for certifyInfo parameter
Type
Name
Description
TPM_VERSION
Version
TPM version structure; Part 2 TPM_VERSION
keyFlags
Redirection
This SHALL be set to FALSE
Migratable
This SHALL be set to FALSE
Volatile
This SHALL be set to TRUE
TPM_AUTH_DATA_USAGE
authDataUsage
This SHALL be set to TPM_AUTH_NEVER
TPM_KEY_USAGE
KeyUsage
This SHALL be set to TPM_KEY_AUTHCHANGE
UINT32
PCRInfoSize
This SHALL be set to 0
TPM_DIGEST
pubDigest
This SHALL be the hash of the public key being certified.
TPM_NONCE
Data
This SHALL be set to antiReplay
TPM_KEY_PARMS
info
This specifies the type of key and its parameters.
BOOL
parentPCRStatus
This SHALL be set to FALSE.
1447Level 2 Revision 116 28 February 2011
1448
311
TCG Published
1449Copyright © TCG
1450
1451
TPM Main Part 3 Commands
Specification Version 1.2
6224
622527.4.2
TPM_ChangeAuthAsymFinish
6226Start of informative comment:
6227The TPM_ChangeAuthAsymFinish command allows the owner of an entity to change the
6228AuthData for the entity.
6229The command requires the cooperation of the owner of the parent of the entity, since
6230AuthData must be provided to use that parent entity. The command requires knowledge of
6231the existing AuthData information and passes the new AuthData information. The
6232newAuthLink parameter proves knowledge of existing AuthData information and new
6233AuthData information. The new AuthData information “encNewAuth” is encrypted using the
6234“tempKey” variable obtained via TPM_ChangeAuthAsymStart.
6235A parent therefore retains control over a change in the AuthData of a child, but is prevented
6236from knowing the new AuthData for that child.
6237The changeProof parameter provides a proof that the new AuthData value was properly
6238inserted into the entity. The inclusion of a nonce from the TPM provides an entropy source
6239in the case where the AuthData value may be in itself be a low entropy value (hash of a
6240password etc).
6241 End of informative comment.
6242Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ChangeAuthAsymFinish
4
4
TPM_KEY_HANDLE
parentHandle
The keyHandle of the parent key for the input data
5
4
TPM_KEY_HANDLE
ephHandle
The keyHandle identifier for the ephemeral key
6
2
3S
2
TPM_ENTITY_TYPE
entityType
The type of entity to be modified
7
20
4s
20
TPM_HMAC
newAuthLink
HMAC calculation that links the old and new AuthData values together
8
4
5S
4
UINT32
newAuthSize
Size of encNewAuth
9
<>
6S
<>
BYTE[ ]
encNewAuth
New AuthData encrypted with ephemeral key.
10
4
7S
4
UINT32
encDataSize
The size of the inData parameter
11
<>
8S
<>
BYTE[ ]
encData
The encrypted entity that is to be modified.
12
4
TPM_AUTHHANDLE
authHandle
Authorization for parent key.
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
13
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
14
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
15
20
TPM_AUTHDATA
privAuth
The authorization session digest for inputs and parentHandle. HMAC key:
parentKey.usageAuth.
#
SZ
1
#
1S
SZ
4
6243
1452
1453
312
Level 2 Revision 116 28 February 2011
TCG Published
1454TPM Main Part 3 Commands
TCG © Copyright
1455Specification Version 1.2
6244Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_ChangeAuthAsymFinish
4
4
3S
4
UINT32
outDataSize
The used size of the output area for outData
5
<>
4S
<>
BYTE[ ]
outData
The modified, encrypted entity.
6
20
5s
20
TPM_NONCE
saltNonce
A nonce value from the TPM RNG to add entropy to the changeProof
value
7
<>
6S
<>
TPM_DIGEST
changeProof
Proof that AuthData has changed.
8
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
parentKey.usageAuth.
9
1
10
20
6245Description
6246If the parentHandle points to the SRK then the HMAC key MUST be built using the TPM
6247Owner authentication.
6248Actions
62491. The TPM SHALL validate that the authHandle parameter authorizes use of the key in
6250
parentHandle.
62512. The encData field MUST be the encData field from TPM_STORED_DATA or TPM_KEY.
62523. The TPM SHALL create e1 by decrypting the entity held in the encData parameter.
62534. The TPM SHALL create a1 by decrypting encNewAuth using the ephHandle ->
6254
TPM_KEY_AUTHCHANGE
private
key.
a1
is
a
structure
of
type
6255
TPM_CHANGEAUTH_VALIDATE.
62565.
6257
6258
6259
The TPM SHALL create b1 by performing the following HMAC calculation: b1 = HMAC
(a1 -> newAuthSecret). The secret for this calculation is encData -> currentAuth. This
means that b1 is a value built from the current AuthData value (encData ->
currentAuth) and the new AuthData value (a1 -> newAuthSecret).
62606. The TPM SHALL compare b1 with newAuthLink. The TPM SHALL indicate a failure if the
6261
values do not match.
62627. The TPM SHALL replace e1 -> authData with a1 -> newAuthSecret
62638. The TPM SHALL encrypt e1 using the appropriate functions for the entity type. The key
6264
to encrypt with is parentHandle.
62659. The TPM SHALL create saltNonce by taking the next 20 bytes from the TPM RNG.
1456Level 2 Revision 116 28 February 2011
1457
313
TCG Published
1458Copyright © TCG
1459
1460
TPM Main Part 3 Commands
Specification Version 1.2
626610.The TPM SHALL create changeProof a HMAC of (saltNonce concatenated with a1 -> n1)
6267
using a1 -> newAuthSecret as the HMAC secret.
626811.The TPM MUST destroy the TPM_KEY_AUTHCHANGE key associated with the
6269
authorization session.
1461
1462
314
Level 2 Revision 116 28 February 2011
TCG Published
1463TPM Main Part 3 Commands
TCG © Copyright
1464Specification Version 1.2
627027.5
TPM_Reset
6271Start of informative comment:
6272TPM_Reset releases all resources associated with existing authorization sessions. This is
6273useful if a TSS driver has lost track of the state in the TPM.
6274End of informative comment.
6275Deprecated Command in 1.2
6276Incoming Parameters and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Reset.
Type
Name
Description
#
SZ
1
#
SZ
1S
4
6277Outgoing Parameters and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_Reset.
6278Description
6279This is a deprecated command in V1.2. This command in 1.1 only referenced authorization
6280sessions and is not upgraded to affect any other TPM entity in 1.2
6281Actions
62821. The TPM invalidates all resources allocated to authorization sessions as per version 1.1
6283
extant in the TPM
6284
a. This includes structures created by TPM_SaveAuthContext and TPM_SaveKeyContext
6285
b. The TPM MUST invalidate OSAP sessions
6286
c. The TPM MAY invalidate DSAP sessions
6287
d. The TPM MUST NOT invalidate structures created by TPM_SaveContext
62882. The TPM does not reset any PCR or DIR values.
62893. The TPM does not reset any flags in the TPM_STCLEAR_FLAGS structure.
62904. The TPM does not reset or invalidate any keys
1465Level 2 Revision 116 28 February 2011
1466
315
TCG Published
1467Copyright © TCG
1468
1469
629127.6
TPM Main Part 3 Commands
Specification Version 1.2
TPM_OwnerReadPubek
6292Start of informative comment:
6293Return the endorsement key public portion. This is authorized by the TPM Owner.
6294End of informative comment.
6295Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OwnerReadPubek
4
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
5
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
6
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
7
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner authentication.
HMAC key: ownerAuth.
6296Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_OwnerReadPubek
4
<>
3S
<>
TPM_PUBKEY
pubEndorsementKey
The public endorsement key
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth.
6
1
7
20
6297Description
6298This command returns the PUBEK.
6299Actions
6300The TPM_OwnerReadPubek command SHALL
63011. Validate the TPM Owner AuthData to execute this command
63022. Export the PUBEK
1470
1471
316
Level 2 Revision 116 28 February 2011
TCG Published
1472TPM Main Part 3 Commands
TCG © Copyright
1473Specification Version 1.2
630327.7
TPM_DisablePubekRead
6304Start of informative comment:
6305The TPM Owner may wish to prevent any entity from reading the PUBEK. This command
6306sets the non-volatile flag so that the TPM_ReadPubek command always returns
6307TPM_DISABLED_CMD.
6308This command has in essence been deprecated as TPM_TakeOwnership now sets the value
6309to false. The command remains at this time for backward compatibility.
6310End of informative comment.
6311Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DisablePubekRead
4
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for owner authentication.
#
SZ
1
#
SZ
1S
4
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
5
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
6
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
7
20
TPM_AUTHDATA
ownerAuth
The authorization session digest for inputs and owner authorization.
HMAC key: ownerAuth.
6312Outgoing Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
#
SZ
1
#
SZ
5
1
6
TPM_RESULT
returnCode
The return code of the operation.
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_DisablePubekRead
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
4
2S
4
1S
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
ownerAuth.
20
6313Actions
63141. This capability sets the TPM_PERMANENT_FLAGS -> readPubek flag to FALSE.
1474Level 2 Revision 116 28 February 2011
1475
317
TCG Published
1476Copyright © TCG
1477
1478
631527.8
TPM Main Part 3 Commands
Specification Version 1.2
TPM_LoadKey
6316Start of informative comment:
6317Version 1.2 deprecates TPM_LoadKey due to the HMAC of the new key handle on return.
6318The wrapping makes use of the handle difficult in an environment where the TSS, or other
6319management entity, is changing the TPM handle to a virtual handle.
6320Software using TPM_LoadKey on a 1.2 TPM can have a collision with the returned handle as
6321the 1.2 TPM uses random values in the lower three bytes of the handle. All new software
6322must use LoadKey2 to allow management software the ability to manage the key handle.
6323Before the TPM can use a key to either wrap, unwrap, bind, unbind, seal, unseal, sign or
6324perform any other action, it needs to be present in the TPM. The TPM_LoadKey function
6325loads the key into the TPM for further use.
6326The TPM assigns the key handle. The TPM always locates a loaded key by use of the handle.
6327The assumption is that the handle may change due to key management operations. It is the
6328responsibility of upper level software to maintain the mapping between handle and any
6329label used by external software.
6330This command has the responsibility of enforcing restrictions on the use of keys. For
6331example, when attempting to load a STORAGE key it will be checked for the restrictions on
6332a storage key (2048 size etc.).
6333The load command must maintain a record of whether any previous key in the key
6334hierarchy was bound to a PCR using parentPCRStatus.
6335The flag parentPCRStatus enables the possibility of checking that a platform passed
6336through some particular state or states before finishing in the current state. A grandparent
6337key could be linked to state-1, a parent key could linked to state-2, and a child key could be
6338linked to state-3, for example. The use of the child key then indicates that the platform
6339passed through states 1 and 2 and is currently in state 3, in this example. TPM_Startup
6340with stType == TPM_ST_CLEAR indicates that the platform has been reset, so the platform
6341has not passed through the previous states. Hence keys with parentPCRStatus==TRUE
6342must be unloaded if TPM_Startup is issued with stType == TPM_ST_CLEAR.
6343If a TPM_KEY structure has been decrypted AND the integrity test using "pubDataDigest"
6344has passed AND the key is non-migratory, the key must have been created by the TPM. So
6345there is every reason to believe that the key poses no security threat to the TPM. While there
6346is no known attack from a rogue migratory key, there is a desire to verify that a loaded
6347migratory key is a real key, arising from a general sense of unease about execution of
6348arbitrary data as a key. Ideally a consistency check would consist of an encrypt/decrypt
6349cycle, but this may be expensive. For RSA keys, it is therefore suggested that the
6350consistency test consists of dividing the supposed RSA product by the supposed RSA prime,
6351and checking that there is no remainder.
6352End of informative comment.
1479
1480
318
Level 2 Revision 116 28 February 2011
TCG Published
1481TPM Main Part 3 Commands
TCG © Copyright
1482Specification Version 1.2
6353Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadKey.
4
4
TPM_KEY_HANDLE
parentHandle
TPM handle of parent key.
5
<>
TPM_KEY
inKey
Incoming key structure, both encrypted private and clear public portions.
MAY be TPM_KEY12
6
4
TPM_AUTHHANDLE
authHandle
The authorization session handle used for parentHandle authorization.
#
SZ
1
#
SZ
1S
2S
4
<>
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
7
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
8
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
9
20
TPM_AUTHDATA
parentAuth
The authorization session digest for inputs and parentHandle. HMAC key:
parentKey.usageAuth.
Type
Name
Description
6354Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_LoadKey
4
4
3S
4
TPM_KEY_HANDLE
inkeyHandle
Internal TPM handle where decrypted key was loaded.
5
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
parentKey.usageAuth.
6
1
7
20
6355Actions
6356The TPM SHALL perform the following steps:
63571. Validate the command and the parameters using parentAuth and parentHandle ->
6358
usageAuth
63592. If
parentHandle
->
6360
TPM_INVALID_KEYUSAGE
keyUsage
is
NOT
TPM_KEY_STORAGE
return
63613. If the TPM is not designed to operate on a key of the type specified by inKey, return the
6362
error code TPM_BAD_KEY_PROPERTY
63634. The TPM MUST handle both TPM_KEY and TPM_KEY12 structures
63645. Decrypt the inKey -> privkey to obtain TPM_STORE_ASYMKEY structure using the key
6365
in parentHandle
1483Level 2 Revision 116 28 February 2011
1484
319
TCG Published
1485Copyright © TCG
1486
1487
TPM Main Part 3 Commands
Specification Version 1.2
63666. Validate the integrity of inKey and decrypted TPM_STORE_ASYMKEY
6367
6368
a. Reproduce inKey -> TPM_STORE_ASYMKEY -> pubDataDigest using the fields of
inKey, and check that the reproduced value is the same as pubDataDigest
63697. Validate the consistency of the key and it’s key usage.
6370
6371
6372
6373
6374
6375
a. If inKey -> keyFlags -> migratable is TRUE, the TPM SHALL verify consistency of the
public and private components of the asymmetric key pair. If inKey -> keyFlags ->
migratable is FALSE, the TPM MAY verify consistency of the public and private
components of the asymmetric key pair. The consistency of an RSA key pair MAY be
verified by dividing the supposed (P*Q) product by a supposed prime and checking that
there is no remainder.
6376
6377
b. If inKey -> keyUsage is TPM_KEY_IDENTITY, verify that inKey->keyFlags->migratable
is FALSE. If it is not, return TPM_INVALID_KEYUSAGE
6378
c. If inKey -> keyUsage is TPM_KEY_AUTHCHANGE, return TPM_INVALID_KEYUSAGE
6379
6380
d. If inKey -> keyFlags -> migratable equals 0 then verify that TPM_STORE_ASYMKEY
-> migrationAuth equals TPM_PERMANENT_DATA -> tpmProof
6381
e. Validate the mix of encryption and signature schemes
6382
f. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then
6383
i.
6384
6385
ii. If keyInfo
TPM_NOTFIPS
6386
iii. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS
6387
If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS
->
authDataUsage
specifies
TPM_AUTH_NEVER
return
g. If inKey -> keyUsage is TPM_KEY_STORAGE or TPM_KEY_MIGRATE
6388
i.
6389
ii. Key size MUST be 2048
6390
iii. exponentSize MUST be 0
6391
iv. sigScheme MUST be TPM_SS_NONE
6392
algorithmID MUST be TPM_ALG_RSA
h. If inKey -> keyUsage is TPM_KEY_IDENTITY
6393
i.
6394
ii. Key size MUST be 2048
6395
iii. exponentSize MUST be 0
6396
iv. encScheme MUST be TPM_ES_NONE
6397
i.
6398
6399
6400
If the decrypted inKey -> pcrInfo is NULL,
i. The TPM MUST set the internal indicator to indicate that the key is not using
any PCR registers.
j.
6401
6402
1488
1489
algorithmID MUST be TPM_ALG_RSA
Else
i. The TPM MUST store pcrInfo in a manner that allows the TPM to calculate a
composite hash whenever the key will be in use
320
Level 2 Revision 116 28 February 2011
TCG Published
1490TPM Main Part 3 Commands
TCG © Copyright
1491Specification Version 1.2
6403
6404
ii. The TPM MUST handle both version 1.1 TPM_PCR_INFO and 1.2
TPM_PCR_INFO_LONG structures according to the type of TPM_KEY structure
6405
6406
6407
(1) The TPM MUST validate the TPM_PCR_INFO or TPM_PCR_INFO_LONG
structures for legal values.
However, the digestAtRelease and
localityAtRelease are not validated for authorization until use time.
64088. Perform any processing necessary to make TPM_STORE_ASYMKEY key available for
6409
operations
64109. Load key and key information into internal memory of the TPM. If insufficient memory
6411
exists, return error TPM_NOSPACE.
641210.Assign inKeyHandle according to internal TPM rules.
641311.Set InKeyHandle -> parentPCRStatus to parentHandle -> parentPCRStatus.
641412.If parentHandle indicates it is using PCR registers, then set inKeyHandle ->
6415
parentPCRStatus to TRUE.
1492Level 2 Revision 116 28 February 2011
1493
321
TCG Published
1494Copyright © TCG
1495
1496
TPM Main Part 3 Commands
Specification Version 1.2
641628.
Deleted Commands
6417Start of informative comment:
6418These commands are no longer active commands. Their removal is due to security concerns
6419with their use.
6420End of informative comment.
64211. The TPM MUST return TPM_BAD_ORDINAL for any deleted command
1497
1498
322
Level 2 Revision 116 28 February 2011
TCG Published
1499TPM Main Part 3 Commands
TCG © Copyright
1500Specification Version 1.2
323
TCG Published
1503Copyright © TCG
1504
1505
643628.2
TPM Main Part 3 Commands
Specification Version 1.2
TPM_GetOrdinalAuditStatus
6437Start of informative comment:
6438Get the status of the audit flag for the given ordinal.
6439End of informative comment.
6440Incoming Operands and Sizes
PARAM
HMAC
Type
Name
Description
2
TPM_TAG
tag
TPM_TAG_RQU_COMMAND
2
4
UINT32
paramSize
Total number of input bytes including paramSize and tag
3
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_GetOrdinalAuditStatus
4
4
TPM_COMMAND_CODE
ordinalToQuery
The ordinal whose audit flag is to be queried
Type
Name
Description
#
SZ
1
#
SZ
6441Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
TPM_RESULT
returnCode
The return code of the operation.
4
1
BOOL
State
Value of audit flag for ordinalToQuery
6442Actions
64431. The TPM returns the Boolean value for the given ordinal. The value is TRUE if the
6444
command is being audited.
1506
1507
324
Level 2 Revision 116 28 February 2011
TCG Published
1508TPM Main Part 3 Commands
TCG © Copyright
1509Specification Version 1.2
644528.3
TPM_CertifySelfTest
6446Start of informative comment:
6447TPM_CertifySelfTest causes the TPM to perform a full self-test and return an authenticated
6448value if the test passes.
6449If a caller itself requires proof, it is sufficient to use any signing key for which only the TPM
6450and the caller have AuthData.
6451If a caller requires proof for a third party, the signing key must be one whose signature is
6452trusted by the third party. A TPM-identity key may be suitable.
6453End of informative comment.
6454Incoming Operands and Sizes
PARAM
#
SZ
1
4
4
5
20
6
4
2S
4
20
TPM_TAG
tag
TPM_TAG_RQU_AUTH1_COMMAND
UINT32
paramSize
Total number of input bytes including paramSize and tag
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CertifySelfTest
TPM_KEY_HANDLE
keyHandle
The keyHandle identifier of a loaded key that can perform digital
signatures.
TPM_NONCE
antiReplay
Anti Replay nonce to prevent replay of messages
TPM_AUTHHANDLE
4
1S
SZ
Name
3
#
Type
2
2
HMAC
authHandle
The authorization session handle used for keyHandle authorization
2H1
20
TPM_NONCE
authLastNonceEven
Even nonce previously generated by TPM to cover inputs
7
20
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
8
1
4H1
1
BOOL
continueAuthSession
The continue use flag for the authorization session handle
9
20
TPM_AUTHDATA
privAuth
The authorization session digest that authorizes the inputs and use of
keyHandle. HMAC key: key.usageAuth
Type
Name
Description
6455Outgoing Operands and Sizes
PARAM
HMAC
#
SZ
#
SZ
1
2
TPM_TAG
tag
TPM_TAG_RSP_AUTH1_COMMAND
2
4
UINT32
paramSize
Total number of output bytes including paramSize and tag
3
4
1S
4
TPM_RESULT
returnCode
The return code of the operation.
2S
4
TPM_COMMAND_CODE
ordinal
Command ordinal: TPM_ORD_CertifySelfTest
4
4
3S
4
UINT32
sigSize
The length of the returned digital signature
5
<>
4S
<>
BYTE[ ]
sig
The resulting digital signature.
6
20
2H1
20
TPM_NONCE
nonceEven
Even nonce newly generated by TPM to cover outputs
3H1
20
TPM_NONCE
nonceOdd
Nonce generated by system associated with authHandle
4H1
1
BOOL
continueAuthSession
Continue use flag, TRUE if handle is still active
TPM_AUTHDATA
resAuth
The authorization session digest for the returned parameters. HMAC key:
key.usageAuth
7
1
8
20
1510Level 2 Revision 116 28 February 2011
1511
325
TCG Published
1512Copyright © TCG
1513
1514
TPM Main Part 3 Commands
Specification Version 1.2
6456Description
6457The key in keyHandle MUST have a KEYUSAGE value of type TPM_KEY_SIGNING or
6458TPM_KEY_LEGACY or TPM_KEY_IDENTITY.
6459Information returned by TPM_CertifySelfTest MUST NOT aid identification of an individual
6460TPM.
6461Actions
64621. The TPM SHALL perform TPM_SelfTestFull. If the test fails the TPM returns the
6463
appropriate error code.
64642. After successful completion of the self-test the TPM then validates the authorization to
6465
use the key pointed to by keyHandle
6466
6467
6468
a. If the key pointed to by keyHandle has a signature scheme that is not
TPM_SS_RSASSAPKCS1v15_SHA1, the TPM may either return TPM_BAD_SCHEME or
may return TPM_SUCCESS and a vendor specific signature.
64693. Create t1 the NOT null terminated string of "Test Passed", i.e. 11 bytes.
64704. The TPM creates m2 the message to sign by concatenating t1 || AntiReplay || ordinal.
64715. The TPM signs the SHA-1 of m2 using the key identified by keyHandle, and returns the
6472
signature as sig.
6473
1515
1516
326
Level 2 Revision 116 28 February 2011
TCG Published
1517TPM Main Part 3 Commands
TCG © Copyright
1518Specification Version 1.2