|
| 1 | +## Trusted Platform Module (TPM) |
| 2 | + |
| 3 | +### **Intro** |
| 4 | + |
| 5 | +The Trusted Computing Group (TCG) has been |
| 6 | +addressing the trust issue – and related security |
| 7 | +benefits - for PCs, servers, networking gear and |
| 8 | +embedded systems for more than a decade, driven |
| 9 | +by the Trusted Platform Module (TPM) specification. |
| 10 | + |
| 11 | +The TPM standard defines a hardware root of trust |
| 12 | +(HRoT) widely accepted as more secure than software |
| 13 | +that can be more easily breached by attackers. |
| 14 | + |
| 15 | +The TPM is used with software to enable features; |
| 16 | +open source APIs are available and custom software |
| 17 | +can be developed. Additional resources for software |
| 18 | +support also are provided later in this paper. |
| 19 | + |
| 20 | +In many systems, the TPM provides integrity |
| 21 | +measurements, health checks and authentication |
| 22 | +services. |
| 23 | + |
| 24 | +```TPM are passive, low-end devices that offer strong security guarantees.``` |
| 25 | + |
| 26 | +**ATTRIBUTES OF THE TPM INCLUDE:** |
| 27 | + |
| 28 | +- Support for bulk (symmetric) encryption |
| 29 | +in the platform |
| 30 | +- High quality random numbers |
| 31 | +- Cryptographic services |
| 32 | +- A protected persistent store for small amounts |
| 33 | +of data, sticky- bits, monotonic counters and |
| 34 | +extendible registers |
| 35 | +- A protected pseudo-persistent store for |
| 36 | +unlimited amounts of keys and data |
| 37 | +- An extensive choice of authorization methods |
| 38 | +to access protected keys and data |
| 39 | +- Platform identities |
| 40 | +- Support for platform privacy |
| 41 | +- Signing and verifying digital signatures |
| 42 | +(normal, anonymous, pseudonymous) |
| 43 | +- Certifying the properties of keys and data |
| 44 | +- Auditing the usage of keys and data |
| 45 | +IN A TRUSTED PLATFORM |
| 46 | +THE TPM ALSO PROVIDES: |
| 47 | +- Attestation: reporting platform state |
| 48 | +- Sealing: using platform state to authorize |
| 49 | +access to keys and data |
| 50 | + |
| 51 | +**IN A TRUSTED PLATFORM THE TPM ALSO PROVIDES:** |
| 52 | +- Attestation: reporting platform state |
| 53 | +- Sealing: using platform state to authorize |
| 54 | +access to keys and data |
| 55 | + |
| 56 | +[***TPM 2.0 - A Brief Introduction***](https://trustedcomputinggroup.org/wp-content/uploads/2019_TCG_TPM2_BriefOverview_DR02web.pdf) |
| 57 | + |
| 58 | +This PDF document gives a very good overview of what is TPM and its attributes. It also gives a brief summary of TPM history, application and types of TPM solutions. A few vaulable links about more TPM details are also given at the end of the document. |
| 59 | + |
| 60 | +### **TPM usage** |
| 61 | + |
| 62 | +```TPMs support two main use-cases: secure key generation and remote system attestation.``` |
| 63 | + |
| 64 | +**Secure Key Generation** |
| 65 | + |
| 66 | +TPM is a cryptographic device. It can securely generate new cryptographic keys: the keys are only available to the TPM - private key material never leaves the device in plain form. |
| 67 | +TPM can do crypto operations such as encryption and signing. TPM can certify new keys, so in a way a TPM acts as a certificate authority (CA). Trust in these keys is rooted in a primary key provisioned by the manufacturer or the owner of the TPM. |
| 68 | + |
| 69 | +**Remote System Attestation** |
| 70 | + |
| 71 | +TPM can capture the host system state: this is done by storing a sequence of measurements in a special set of registers called Platform Configuration Registers (PCRs). The TPM can later report its PCR values to a remote party. It is done in a secure way such that the remote attester can verify the report is fresh, genuine, and has not been tampered with. |
| 72 | + |
| 73 | +### **TPM types** |
| 74 | + |
| 75 | +**DISCRETE TPM** |
| 76 | + |
| 77 | +Provides the highest level of security, as might be needed for a TPM used to secure |
| 78 | +the brake controller in a car. The intent of this level is to ensure that the device it’s protecting does |
| 79 | +not get hacked via even sophisticated methods. To accomplish this, a discrete chip is designed, built |
| 80 | +and evaluated for the highest level of security that can resist tampering with the chip, including |
| 81 | +probing it and freezing it with all sorts of sophisticated attacks. |
| 82 | + |
| 83 | +**INTEGRATED TPM** |
| 84 | + |
| 85 | +is the next level down in terms of security. This level still has a hardware TPM but |
| 86 | +it is integrated into a chip that provides functions other than security. The hardware implementation |
| 87 | +makes it resistant to software bugs, however, this level is not designed to be tamper-resistant. |
| 88 | + |
| 89 | +**FIRMWARE TPM** |
| 90 | + |
| 91 | +is implemented in protected software. The code runs on the main CPU, so a |
| 92 | +separate chip is not required. While running like any other program, the code is in a protected |
| 93 | +execution environment called a trusted execution environment (TEE) that is separated from the rest |
| 94 | +of the programs that are running on the CPU. By doing this, secrets like private keys that might be |
| 95 | +needed by the TPM but should not be accessed by others can be kept in the TEE creating a more |
| 96 | +difficult path for hackers. |
| 97 | +In addition to the lack of tamper resistance, the downside to the TEE or firmware TPM is that now |
| 98 | +the TPM is dependent on many additional aspects to keep it secure, including the TEE operating |
| 99 | +system, bugs in the application code running in the TEE, etc. |
| 100 | + |
| 101 | +**SOFTWARE TPM** |
| 102 | + |
| 103 | +can be implemented as a software emulator of the TPM. However, a software |
| 104 | +TPM is open to many vulnerabilities, not only tampering but also the bugs in any operating system |
| 105 | +running it. It does have key applications: it is very good for testing or building a system prototype |
| 106 | +with a TPM in it. For testing purposes, a software TPM could provide the right solution/approach. |
| 107 | + |
| 108 | +[***Google TPM-JS Interactive TPM Simulator***](https://google.github.io/tpm-js/) |
| 109 | + |
| 110 | +TPM-JS is a webpage TPM simulator that lets you experiment with a software Trusted Platform Module (TPM) in your browser. TPM-JS includes the following libraries: |
| 111 | + |
| 112 | +Intel TPM2 Software Stack (TSS). |
| 113 | +IBM software TPM simulator. |
| 114 | +Google BoringSSL. |
| 115 | +The TSS library provides high-level APIs to the TPM. It manages TPM resources, marshals command buffers and unmarshals response buffers. |
| 116 | + |
| 117 | +The simulator executes TPM commands. It maintains internal state and uses the BoringSSL library for cryptographic operations. |
| 118 | + |
| 119 | +**Some observations about TPM** |
| 120 | +- TPM is a discrete device soldered on the motherboard. It is a cheap (costs less than a dollar to manufacture), low-end device that communicates with the main CPU over a slow, low-bandwidth channel. |
| 121 | + |
| 122 | +- TPM is a passive device: it doesn't monitor the system and it can't halt CPU execution. For it to work, it must be fed data. |
| 123 | + |
| 124 | +- TPM has limited storage for runtime state and persistent data: its non-volatile storage is about 64KB in size. TPM can only hold a limited number of objects at the same time. For this reason, a dedicated software layer on the host (resource manager) loads and unloads session objects at runtime. |
| 125 | + |
| 126 | +- TPM command execution is single-threaded: it executes one command at a time. Commands cannot be queued or batched together - each command must wait for the currently running command to finish. Note that command execution can be canceled. |
| 127 | + |
| 128 | + |
| 129 | + |
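Review bot: the unformatted block at lines 45-49 ("IN A TRUSTED PLATFORM / THE TPM ALSO PROVIDES: / - Attestation: reporting platform state / - Sealing: ...") is a verbatim duplicate of the bold list at lines 51-54 and also lands directly after the last "Auditing" bullet with no blank line, so it renders as a continuation of that bullet; drop the first copy and keep only the bold-headed list. Two further consistency points: line 120 states as a general observation that "TPM is a discrete device soldered on the motherboard", but the "TPM types" section at lines 75-106 has just described integrated, firmware and software TPMs as well, so qualify it as "A discrete TPM is ..." (the cost and low-bandwidth-channel remarks only apply to that type); and line 18 promises resources "later in this paper", which is wording carried over from the TCG overview linked at line 56 and has no matching section here, so either point at that link or remove the sentence. Smaller fixes: "TPM are passive" (line 24) should be "TPMs are passive", and both one-sentence summaries at lines 24 and 62 are wrapped in triple backticks although they are prose, not code, so use a blockquote or bold instead; "sticky- bits" (line 33) should be "sticky-bits"; "what is TPM" and "vaulable" (line 58) should be "what a TPM is" and "valuable"; the three library names at lines 112-114 (Intel TPM2 Software Stack, IBM software TPM simulator, Google BoringSSL) have lost their list markers and should be bullets like the rest of the document.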