Auditing the TPM

The TPM and TSS need to be able to report a log of events that occur at the TPM. The log uses the same paradigm as the PCRs, in that the TPM keeps a PCR value that is extended with each log event (see Chapter 6 for the notion of “extending” a PCR), and the TSS maintains the log entries for challengers to review.

The TPM owner can define which functions generate an audit event, and change which functions generate the event at any time.

TPM_SetOrdinalAuditStatus

This capability is used to instruct the TPM to audit, or not to audit, a particular command. It requires TPM owner authorization, and it must be passed the command ordinal of the TPM command whose audit status is to be changed, together with the desired audit state. The command causes a TPM first to verify the owner authorization, and then to set the non-volatile audit flag for the given ordinal to the indicated state: TRUE if the command should be audited, FALSE if it should not.

TPM_GetOrdinalAuditStatus

This capability is used to retrieve the audit status of a command. It does not require any authorization, but it must be passed the command ordinal of the TPM command whose audit status is requested. The command causes a TPM to check the audit flag for the given ordinal and output its Boolean value: TRUE if the command is being audited, FALSE if not.

TPM_GetAuditEvent

This capability is used to retrieve the last audited command. It does not require any authorization. The capability causes a TPM to export the command code of the last audited command, the result code of the last audited command, and the hash value calculated over all audited commands and results since startup.

TPM_GetAuditEventSigned

This capability is the same as TPM_GetAuditEvent, except that it returns a signed value. It must be passed the handle to a loaded TPM signing key, and it requires authorization for use of that TPM signing key. The capability causes a TPM first to verify the authorization, and then to create and output a signature over the following information: an anti-replay nonce, the command code of the last audited command, the result code of the last audited command, a hash value calculated over all audited commands and results since startup, and a list of all commands currently audited.

The recommended type of the hash function is SHA-1.
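The following is an added example, not code from the book or from the TCPA specification. It models the audit mechanism described above in software: the TPM keeps a per-ordinal audit flag (settable only with owner authorization) and a SHA-1 audit digest that is extended in the PCR manner with every audited command, and the TSS keeps the readable log that a challenger replays against the digest returned by TPM_GetAuditEvent. The ordinal and return-code values, and the choice to hash the (ordinal, result code) pair as two 4-byte integers per event, are assumptions of the model; the page does not state the exact bytes a real TPM feeds into its digest.

```python
import hashlib
import hmac
import struct

# Return codes and ordinals: the numeric values are illustrative for this
# model and are not taken from the TCPA specification.
TCPA_SUCCESS = 0x00
TCPA_AUTHFAIL = 0x01
TCPA_FAIL = 0x09
TPM_ORD_Extend = 0x14
TPM_ORD_Quote = 0x16
TPM_ORD_Sign = 0x3C

AUDIT_DIGEST_RESET = bytes(20)   # digest value at startup


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def audit_event_hash(ordinal: int, result_code: int) -> bytes:
    # Assumption of the model: each audited event is SHA-1(ordinal || result),
    # both encoded as 4-byte big-endian integers.
    return sha1(struct.pack(">II", ordinal, result_code))


class AuditingTPM:
    """TPM side: per-ordinal audit flags plus a PCR-style audit digest."""

    def __init__(self, owner_auth: bytes):
        self._owner_auth = owner_auth
        self._audit_flags = {}            # ordinal -> bool (non-volatile in a real TPM)
        self.audit_digest = AUDIT_DIGEST_RESET
        self.last_ordinal = None
        self.last_result = None

    def set_ordinal_audit_status(self, owner_auth: bytes, ordinal: int, audit_state: bool) -> int:
        # TPM_SetOrdinalAuditStatus: owner authorization is verified first.
        if not hmac.compare_digest(owner_auth, self._owner_auth):
            return TCPA_AUTHFAIL
        self._audit_flags[ordinal] = bool(audit_state)
        return TCPA_SUCCESS

    def get_ordinal_audit_status(self, ordinal: int) -> bool:
        # TPM_GetOrdinalAuditStatus: no authorization needed.
        return self._audit_flags.get(ordinal, False)

    def execute(self, ordinal: int, result_code: int) -> int:
        # Every audited command, successful or not, extends the digest.
        if self._audit_flags.get(ordinal, False):
            self.audit_digest = sha1(self.audit_digest + audit_event_hash(ordinal, result_code))
            self.last_ordinal, self.last_result = ordinal, result_code
        return result_code

    def get_audit_event(self):
        # TPM_GetAuditEvent: last ordinal, last result, digest since startup.
        return self.last_ordinal, self.last_result, self.audit_digest


def replay_audit_log(log) -> bytes:
    """Challenger side: recompute the digest from the TSS-maintained log."""
    digest = AUDIT_DIGEST_RESET
    for ordinal, result_code in log:
        digest = sha1(digest + audit_event_hash(ordinal, result_code))
    return digest


def demo() -> dict:
    owner = b"owner-auth-secret"             # constructed sample secret
    tpm = AuditingTPM(owner)
    tss_log = []                             # the TSS keeps the readable entries

    # Wrong owner authorization must not change the audit status.
    rejected = tpm.set_ordinal_audit_status(b"not-the-owner", TPM_ORD_Sign, True)
    tpm.set_ordinal_audit_status(owner, TPM_ORD_Sign, True)
    tpm.set_ordinal_audit_status(owner, TPM_ORD_Quote, True)

    # Constructed command sequence: Extend is not audited, Quote fails once.
    for ordinal, rc in [(TPM_ORD_Extend, TCPA_SUCCESS), (TPM_ORD_Sign, TCPA_SUCCESS),
                        (TPM_ORD_Quote, TCPA_FAIL), (TPM_ORD_Sign, TCPA_SUCCESS)]:
        tpm.execute(ordinal, rc)
        if tpm.get_ordinal_audit_status(ordinal):
            tss_log.append((ordinal, rc))

    last_ordinal, last_result, digest = tpm.get_audit_event()
    # An honest log replays to the TPM's digest; a log with the failed Quote
    # removed does not, which is what makes the audit trail tamper-evident.
    honest = hmac.compare_digest(replay_audit_log(tss_log), digest)
    doctored = tss_log[:1] + tss_log[2:]
    tampered = hmac.compare_digest(replay_audit_log(doctored), digest)
    return {"rejected": rejected, "entries": len(tss_log),
            "last": (last_ordinal, last_result),
            "honest_log_matches": honest, "doctored_log_matches": tampered}
```

The point a verifier should take from the replay: the TSS log is only evidence to the extent that it reproduces the TPM-held digest, so a log entry that is dropped, reordered or edited shows up as a mismatch, exactly as a forged measurement shows up against a PCR. With TPM_GetAuditEventSigned the digest arrives under a TPM signature with a nonce, so the same comparison can be done by a remote challenger.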

Synchronizing a Host Platform with Its TPM

The host platform uses some TPM functions to synchronize the TPM with the host platform.

TPM_Reset

This capability is used to allow the host to reset a TPM to a known state when the host loses track of the internal state of the TPM.

To bring the TPM back to that known state, the command causes a TPM to delete handles to all items in the TPM (which includes all authorization sessions), and to destroy all memory inside the TPM that is associated with any session (which includes secrets, nonces and state). If an SHA-1 operation is in progress, it is terminated. However, during the command execution, the PCR and DIR values, any flags in the TCPA_VOLATILE_FLAGS, and the loaded keys, all remain unchanged.

TPM_Init

This capability is used to prepare the TPM for a TPM_Startup command.

The capability destroys most information on a TPM, but will not unload keys that are both non-volatile and independent of keys bound to a PCR. This permits keys to be loaded for use during the next boot sequence.

The command causes a TPM to perform a TPM_Reset, and sets an internal state such that the next command has to be TPM_Startup.

TPM_Startup

This capability is used to allow a trusted entity, the RTM for example, to inform the TPM of the startup state.

This capability is sent to a TPM after a TPM_Init command (see above) and prior to presentation of any other TPM command. The command causes a TPM to reset the state of TPM dependent upon different startup types, namely: TCPA_ST_CLEAR, TCPA_ST_STATE and TCPA_ST_DEACTIVATED.

TPM_SaveState

This capability is used to let a TPM save state information that will be used by the TPM_Startup capability.

The command causes a TPM to preserve the contents of all PCRs (see “Synchronizing a Host Platform with its TPM” earlier in this chapter), the state of the TCPA flags, the contents of the audit digest, the contents of any key currently loaded, and all non-volatile values.

If the TPM value mirrored by a preserved value is altered by any protected capability other than TPM_Init, that preserved value must be declared invalid. If any preserved value becomes invalid in this way, the TPM may declare all preserved values invalid.

Note that if a TPM's internal memory is volatile, and the TPM alone cannot detect the loss of external power in time to move data to non-volatile memory, this command should be presented before the TPM enters a low- or no-power state. If this command is not presented in time, the next TPM_Startup will generate an exception if invoked in TCPA_ST_STATE mode, since there is no valid preserved state to restore.
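To make the TPM_Reset, TPM_Init, TPM_Startup and TPM_SaveState interplay concrete, here is an added software model (not code from the book or the TCPA specification). It keeps PCRs, volatile flags, the audit digest, loaded keys and authorization sessions, and enforces three rules from the text: TPM_Reset drops sessions but keeps PCRs, flags and keys; after TPM_Init the only acceptable command is TPM_Startup; and a preserved snapshot becomes invalid as soon as a mirrored value (here a PCR) is altered by another protected capability, so that a later TPM_Startup in TCPA_ST_STATE mode fails. The numeric values of the startup types and of the return codes other than TCPA_SUCCESS, the name TCPA_INVALID_POSTINIT for the post-Init error, and the decision to keep the TPM waiting for another TPM_Startup after a failed TCPA_ST_STATE are assumptions of the model.

```python
import copy
import hashlib

# Startup types are named on this page; the numeric values and the return
# codes other than TCPA_SUCCESS are illustrative choices for this model.
TCPA_ST_CLEAR, TCPA_ST_STATE, TCPA_ST_DEACTIVATED = 1, 2, 3
TCPA_SUCCESS = 0
TCPA_FAIL = 9
TCPA_INVALID_POSTINIT = 38   # assumed: a command other than TPM_Startup arrived right after TPM_Init

PCR_DEFAULT = bytes(20)


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


class StatefulTPM:
    def __init__(self, num_pcrs: int = 16):
        self.pcrs = [PCR_DEFAULT] * num_pcrs
        self.volatile_flags = {"deactivated": False}
        self.audit_digest = PCR_DEFAULT
        self.loaded_keys = {}        # handle -> key blob
        self.sessions = {}           # handle -> authorization session secrets
        self._saved = None           # snapshot written by TPM_SaveState
        self._saved_valid = False
        self._await_startup = False  # set by TPM_Init, cleared by TPM_Startup

    def reset(self) -> int:
        # TPM_Reset: every session handle and its secrets are dropped;
        # PCRs, flags and loaded keys are untouched.
        self.sessions.clear()
        return TCPA_SUCCESS

    def init(self) -> int:
        # TPM_Init: a TPM_Reset plus "next command must be TPM_Startup".
        self.reset()
        self._await_startup = True
        return TCPA_SUCCESS

    def save_state(self) -> int:
        # TPM_SaveState: preserve PCRs, flags, audit digest and loaded keys.
        if self._await_startup:
            return TCPA_INVALID_POSTINIT
        self._saved = copy.deepcopy({"pcrs": self.pcrs, "flags": self.volatile_flags,
                                     "audit": self.audit_digest, "keys": self.loaded_keys})
        self._saved_valid = True
        return TCPA_SUCCESS

    def extend(self, index: int, measurement: bytes) -> int:
        # A protected capability other than TPM_Init that alters a mirrored
        # value (a PCR): the preserved snapshot must be declared invalid.
        if self._await_startup:
            return TCPA_INVALID_POSTINIT
        self.pcrs[index] = sha1(self.pcrs[index] + sha1(measurement))
        self._saved_valid = False
        return TCPA_SUCCESS

    def startup(self, startup_type: int) -> int:
        if not self._await_startup:
            return TCPA_FAIL                   # only valid directly after TPM_Init
        if startup_type == TCPA_ST_CLEAR:
            self.pcrs = [PCR_DEFAULT] * len(self.pcrs)
            self.volatile_flags = {"deactivated": False}
            self.audit_digest = PCR_DEFAULT
            self.loaded_keys.clear()
            self._saved, self._saved_valid = None, False   # reset state alters every mirrored value
        elif startup_type == TCPA_ST_STATE:
            if not self._saved_valid:
                return TCPA_FAIL               # the "exception": nothing valid to resume from;
                                               # model choice: keep waiting so the host can retry with TCPA_ST_CLEAR
            self.pcrs = list(self._saved["pcrs"])
            self.volatile_flags = dict(self._saved["flags"])
            self.audit_digest = self._saved["audit"]
            self.loaded_keys = dict(self._saved["keys"])
        elif startup_type == TCPA_ST_DEACTIVATED:
            self.volatile_flags["deactivated"] = True
            self._saved, self._saved_valid = None, False   # flags changed, snapshot stale
        else:
            return TCPA_FAIL
        self._await_startup = False
        return TCPA_SUCCESS


def demo() -> dict:
    tpm = StatefulTPM()
    tpm.extend(0, b"constructed-bios-image")
    pcr0_before = tpm.pcrs[0]
    r = {}
    # Cycle 1: state saved before the power loss, so TCPA_ST_STATE resumes cleanly.
    tpm.save_state()
    tpm.init()
    r["cmd_before_startup"] = tpm.extend(0, b"too-early")
    r["resume"] = tpm.startup(TCPA_ST_STATE)
    r["pcr_restored"] = tpm.pcrs[0] == pcr0_before
    # Cycle 2: a PCR changed after TPM_SaveState, so the snapshot is stale.
    tpm.save_state()
    tpm.extend(1, b"constructed-late-driver")
    tpm.init()
    r["stale_resume"] = tpm.startup(TCPA_ST_STATE)
    r["clear_boot"] = tpm.startup(TCPA_ST_CLEAR)
    r["pcr_cleared"] = tpm.pcrs[0] == PCR_DEFAULT
    return r
```

The second cycle is the case the note above warns about: anything that changes a PCR, flag or key between TPM_SaveState and the power loss leaves the host with no valid state to resume, and the only way forward is a TCPA_ST_CLEAR startup, after which the PCRs no longer reflect the software that was running.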

Testing a TPM

The TPM has the ability to perform a self-test upon request. The test can be either a full test of the complete TPM, or any tests outstanding since initialization. The tests return only TCPA_SUCCESS or TCPA_FAIL. Upon the failure of a self-test, the TPM goes into failure mode and only the capability TPM_GetTestResult operates.

TPM_SelfTestFull

This capability is used to perform a full self-test.

The command causes a TPM to test each TPM internal function. If any of the tests fail, all future commands (apart from TPM_GetTestResult) will fail, and the TPM will return the error code TCPA_FAILEDSELFTEST.

TPM_CertifySelfTest

This capability is the same as TPM_SelfTestFull, except that it is signed.

The capability requires authorization to use a loaded key that can perform digital signatures, the TPM handle to that loaded TPM key, and an externally generated nonce, which is used to prevent replay of the message.

The command causes the TPM to perform a full self-test. If the test fails, the TPM returns the appropriate error code. If the test passes, the TPM returns an authenticated value.

If a caller requires evidence, it is sufficient to use any TPM signing key for which only the TPM and the caller have authorization data. If a caller requires proof for a third party, the signing key must be one whose signature is trusted by the third party. A TPM identity key may be suitable.

TPM_ContinueSelfTest

This capability is used to inform a TPM that it may complete the self-test of all TPM functions that were not tested at initialization.

The capability causes a TPM to respond immediately with a return code, and then to execute all self-tests that are outstanding since startup. When the TPM finishes executing those tests, it does not send a second return code to the caller; the caller learns the outcome only from later commands, which fail with TCPA_FAILEDSELFTEST if a test failed, or from TPM_GetTestResult.

TPM_GetTestResult

This capability is used to provide manufacturer-specific information about a failed test result.

The command causes a TPM to respond with a manufacturer-specific block of information that describes the result of the latest self-test. However, the information does not contain any data that uniquely identifies an individual TPM.

Upgrading a TPM in situ

TPM_FieldUpgrade

TPM_FieldUpgrade is an optional capability that permits a manufacturer to cooperate with a TPM owner and upgrade the firmware inside a TPM.

The TCPA specification dictates just a set of security and privacy requirements, and the overall response. Precise details of the capability are manufacturer-specific. TPM_FieldUpgrade must do the following:

  • Verify that the TPM owner authorizes the change

  • Verify that the change information was sent by a TPM manufacturer (or the manufacturer's agent)

  • Verify that this TPM is the target for this upgrade

  • Perform the update

  • Increase the TPM version number

  • Deactivate the TPM, to make sure that the upgrade won't come into effect until TPM reboot

Calculating Integrity Metrics

The following hash capabilities are exported by the TPM solely in order to improve hash availability during the boot phase of a platform (when the RTM and other measurement agents could well have restricted access to the platform's main processing engine).

TPM_SHA1Start

This capability is used to initiate an SHA-1 session. There can only be one active SHA-1 session at any one time.

TPM_SHA1Update

This capability is used to update an SHA-1 calculation in progress. This command must be passed the data with which to update the hash calculation; the length of this data must be a multiple of 64 bytes, that is, whole SHA-1 input blocks.

TPM_SHA1Complete

This capability is used to complete an SHA-1 hash calculation. This command must be passed the data with which to update the hash calculation; this is the final block to be included in the hash, and must be at most 64 bytes long. The command causes a TPM to output the result of the hash calculation.

TPM_SHA1CompleteExtend

This capability is used to complete an SHA-1 hash calculation, and update a PCR with the result. This command is for use by memory-less environments. This command needs to know the index of the PCR to be updated, and the data with which to update the hash calculation. The command causes a TPM to complete the SHA-1 hash calculation, output the result of the hash calculation, and update the value of the PCR accordingly.
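As an added example (not code from the book or the TCPA specification), the following models the four SHA-1 capabilities and shows how a memory-less measurement agent would use them to measure an image that is far larger than one block: whole 64-byte blocks go through TPM_SHA1Update, the tail of at most 64 bytes goes to TPM_SHA1CompleteExtend, and the result lands in a PCR by the usual extend rule. The single-session restriction and the block-size rules from the text are enforced; the error-code names TCPA_SHA_THREAD and TCPA_SHA_ERROR, their values, the choice to refuse a second TPM_SHA1Start while a session is active, and the sample image are assumptions of the model.

```python
import hashlib

TCPA_SUCCESS = 0
TCPA_SHA_THREAD = 1     # assumed value: no session active, or one already running
TCPA_SHA_ERROR = 2      # assumed value: block-size rule violated
SHA1_BLOCK = 64
PCR_DEFAULT = bytes(20)


class HashingTPM:
    """Model of the four TPM_SHA1* capabilities plus the PCR bank they feed."""

    def __init__(self, num_pcrs: int = 16):
        self.pcrs = [PCR_DEFAULT] * num_pcrs
        self._session = None          # at most one SHA-1 session at a time

    def sha1_start(self) -> int:
        if self._session is not None:
            return TCPA_SHA_THREAD    # model choice: a second Start is refused
        self._session = hashlib.sha1()
        return TCPA_SUCCESS

    def sha1_update(self, data: bytes) -> int:
        if self._session is None:
            return TCPA_SHA_THREAD
        if len(data) == 0 or len(data) % SHA1_BLOCK != 0:
            return TCPA_SHA_ERROR     # only whole 64-byte blocks may be fed here
        self._session.update(data)
        return TCPA_SUCCESS

    def sha1_complete(self, final: bytes):
        if self._session is None:
            return TCPA_SHA_THREAD, None
        if len(final) > SHA1_BLOCK:
            return TCPA_SHA_ERROR, None   # the final block is at most 64 bytes
        self._session.update(final)
        digest = self._session.digest()
        self._session = None              # the session ends with Complete
        return TCPA_SUCCESS, digest

    def sha1_complete_extend(self, pcr_index: int, final: bytes):
        rc, digest = self.sha1_complete(final)
        if rc != TCPA_SUCCESS:
            return rc, None, None
        # PCR extend: new = SHA-1(old || digest), so the order of measurements matters
        self.pcrs[pcr_index] = hashlib.sha1(self.pcrs[pcr_index] + digest).digest()
        return TCPA_SUCCESS, digest, self.pcrs[pcr_index]

    def reset(self) -> None:
        # TPM_Reset (earlier in the chapter) terminates an in-progress SHA-1 operation
        self._session = None


def measure_image(tpm: HashingTPM, pcr_index: int, image: bytes, chunk: int = 4 * SHA1_BLOCK):
    """How a memory-less RTM would measure a large image: stream whole blocks
    through Update, finish with the (possibly empty) tail via CompleteExtend."""
    rc = tpm.sha1_start()
    if rc != TCPA_SUCCESS:
        return rc, None, None
    whole = len(image) - len(image) % SHA1_BLOCK     # bytes that satisfy Update's rule
    for off in range(0, whole, chunk):
        rc = tpm.sha1_update(image[off:off + chunk])
        if rc != TCPA_SUCCESS:
            tpm.reset()
            return rc, None, None
    return tpm.sha1_complete_extend(pcr_index, image[whole:])


def demo() -> dict:
    tpm = HashingTPM()
    image = bytes(range(256)) * 5 + b"trailing-bytes"   # constructed 1294-byte "boot image"
    rc, digest, pcr = measure_image(tpm, 0, image)
    expected_digest = hashlib.sha1(image).digest()
    expected_pcr = hashlib.sha1(PCR_DEFAULT + expected_digest).digest()
    # A second measurement into the same PCR chains onto the first.
    rc2, digest2, pcr2 = measure_image(tpm, 0, b"second-stage-loader")
    expected_pcr2 = hashlib.sha1(expected_pcr + hashlib.sha1(b"second-stage-loader").digest()).digest()
    # Rule violations: a partial block in Update, and a second concurrent session.
    tpm.sha1_start()
    bad_block = tpm.sha1_update(b"x" * 65)
    second_start = tpm.sha1_start()
    tpm.reset()
    start_after_reset = tpm.sha1_start()
    tpm.reset()
    return {"rc": rc, "digest_ok": digest == expected_digest, "pcr_ok": pcr == expected_pcr,
            "chained_rc": rc2, "chained_pcr_ok": pcr2 == expected_pcr2,
            "bad_block": bad_block, "second_start": second_start,
            "start_after_reset": start_after_reset}
```

The streamed digest equals a one-shot SHA-1 over the whole image, which is what lets a later verifier recompute the expected PCR value from the image alone. The agent must still handle the failure path: a rejected block leaves the single session open, and nothing else can hash through the TPM until it is completed or the TPM is reset.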

Connecting a TPM to Another Processor

TPM_SetRedirection is an optional capability that causes returned data (but not authorization protocol data) to be redirected to a different TPM output.

This capability needs to know the authorization to use a loaded key whose redirection flag has been set, plus details of an alternate TPM output port. It causes all data produced as a result of using that key to be output at that alternate output port.

Certifying Keys Hosted by a Trusted Platform

This section discusses the TPM command that is used to certify keys hosted by a TP.

TPM_CertifyKey

TPM_CertifyKey is used to certify the public portion of selected storage and signing keys.

This capability needs to know the following:

  • The authorization to use the signing key

  • The authorization to use the key being certified

  • The handle to the loaded TPM signing key (certHandle)

  • The handle to the loaded TPM key that is being certified (keyHandle)

  • A nonce inserted into the returned certificate to prevent replay attacks (160 bits of externally supplied data)

The command causes a TPM to do the following:

  • Verify the authorization values

  • Make a signature, using the specified signing key

  • Output information about the key being certified and the signature calculated over the above certificate information

Removing an Owner from a TPM

If a new TPM owner is to be installed into a TPM, it is first necessary to remove the existing TPM owner.

TPM_OwnerClear

This capability is used to reset the TPM to factory defaults. It requires TPM owner authorization. The command causes a TPM to verify the owner authorization, then execute TPM_Reset, destroy the SRK and any internal data associated with the SRK, destroy the TPM ownership data, unload all loaded keys, set all Data Integrity Registers (DIRs) to their default value, and set TCPA flags to their default value.

This command is available until the owner executes TPM_DisableOwnerClear, after which any further invocation of this command returns TCPA_CLEAR_DISABLED.

TPM_DisableOwnerClear

This capability is used to disable the above TPM_OwnerClear capability permanently. Once invoked, the only method of clearing the TPM is the TPM_ForceClear capability, which requires physical access to the TPM.

The capability requires TPM owner authorization.

The command causes a TPM to verify the owner authorization, and then set the TCPA_PERSISTENT_FLAGS.disableownerclear flag to TRUE.

TPM_ForceClear

This capability is used to reset the TPM to factory defaults. This capability requires physical access to the TPM, and performs the same operations as TPM_OwnerClear.

This command is available until TPM_DisableForceClear is executed. The command causes a TPM to check for a prior execution of TPM_DisableForceClear in the current startup cycle; if it has been executed, the TPM returns TCPA_CLEAR_DISABLED.

There must be some evidence of physical access to the platform in order for the TPM to verify that this has taken place. After verification of physical access, the TPM performs a clear operation, which is the same as TPM_OwnerClear.

The implementation of this command is a manufacturer option. The evidence of physical access could be achieved by using a control to set a pin high on a chip, or by sending special bus cycles, or by any other mechanism that provides evidence of physical access.

TPM_DisableForceClear

This capability is used to disable the execution of TPM_ForceClear until the next startup cycle.

The capability causes a TPM to disable the execution of the TPM_ForceClear command by setting the TCPA_VOLATILE_FLAGS.disableforceclear flag in the TPM.
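The asymmetry between the two disable flags is easy to get wrong, so here is an added model (not code from the book or the TCPA specification) of the four clear-related capabilities. TPM_DisableOwnerClear sets a persistent flag and therefore survives a power cycle; TPM_DisableForceClear sets a volatile flag that a startup cycle resets, so TPM_ForceClear becomes usable again on the next boot for anyone who can present physical access. The return-code values, the name TCPA_BAD_PRESENCE for a missing physical-presence indication, and the sample key, DIR and session contents are assumptions of the model.

```python
import hmac

# Return-code values are illustrative for this model; only the name
# TCPA_CLEAR_DISABLED and the flag names come from the text.
TCPA_SUCCESS = 0
TCPA_AUTHFAIL = 1
TCPA_CLEAR_DISABLED = 2
TCPA_BAD_PRESENCE = 3        # assumed: no evidence of physical access
DIR_DEFAULT = bytes(20)


class ClearableTPM:
    def __init__(self, owner_auth: bytes, srk_blob: bytes):
        self._owner_auth = owner_auth
        self._srk = srk_blob
        self.loaded_keys = {"k1": b"constructed-key-blob"}
        self.dirs = [b"\x11" * 20]                              # a DIR holding a non-default value
        self.sessions = {"s1": b"constructed-session-secret"}
        self.persistent_flags = {"disableownerclear": False}   # survives a power cycle
        self.volatile_flags = {"disableforceclear": False}     # reset at every startup

    def has_owner(self) -> bool:
        return self._owner_auth is not None

    def _owner_ok(self, auth: bytes) -> bool:
        return self._owner_auth is not None and hmac.compare_digest(auth, self._owner_auth)

    def _clear(self) -> int:
        # Shared by TPM_OwnerClear and TPM_ForceClear: TPM_Reset, destroy the
        # SRK and ownership data, unload keys, DIRs and flags back to defaults.
        self.sessions.clear()
        self._srk = None
        self._owner_auth = None
        self.loaded_keys.clear()
        self.dirs = [DIR_DEFAULT] * len(self.dirs)
        self.persistent_flags = {"disableownerclear": False}
        self.volatile_flags = {"disableforceclear": False}
        return TCPA_SUCCESS

    def owner_clear(self, auth: bytes) -> int:
        if not self._owner_ok(auth):
            return TCPA_AUTHFAIL
        if self.persistent_flags["disableownerclear"]:
            return TCPA_CLEAR_DISABLED
        return self._clear()

    def disable_owner_clear(self, auth: bytes) -> int:
        if not self._owner_ok(auth):
            return TCPA_AUTHFAIL
        self.persistent_flags["disableownerclear"] = True   # permanent: only ForceClear remains
        return TCPA_SUCCESS

    def force_clear(self, physical_presence: bool) -> int:
        if not physical_presence:
            return TCPA_BAD_PRESENCE
        if self.volatile_flags["disableforceclear"]:
            return TCPA_CLEAR_DISABLED
        return self._clear()

    def disable_force_clear(self) -> int:
        self.volatile_flags["disableforceclear"] = True       # lasts until the next startup
        return TCPA_SUCCESS

    def startup_cycle(self) -> None:
        # Power cycle: volatile flags return to default, persistent flags do not.
        self.volatile_flags = {"disableforceclear": False}
        self.sessions.clear()


def demo() -> dict:
    owner = b"constructed-owner-auth"
    tpm = ClearableTPM(owner, srk_blob=b"constructed-srk")
    r = {}
    r["wrong_auth"] = tpm.owner_clear(b"not-the-owner")
    tpm.disable_owner_clear(owner)
    r["owner_clear_disabled"] = tpm.owner_clear(owner)
    tpm.startup_cycle()
    r["owner_clear_after_reboot"] = tpm.owner_clear(owner)   # still disabled: the flag is persistent
    tpm.disable_force_clear()                                 # what firmware would do before booting the OS
    r["force_clear_no_presence"] = tpm.force_clear(physical_presence=False)
    r["force_clear_disabled"] = tpm.force_clear(physical_presence=True)
    tpm.startup_cycle()
    r["force_clear_after_reboot"] = tpm.force_clear(physical_presence=True)  # the volatile flag is gone
    r["owner_removed"] = not tpm.has_owner()
    r["defaults_restored"] = (tpm.dirs == [DIR_DEFAULT] and tpm.loaded_keys == {}
                              and tpm.persistent_flags["disableownerclear"] is False)
    return r
```

The practical consequence of the volatile flag: because every startup cycle re-enables TPM_ForceClear, the code that runs before the operating system is the natural place to issue TPM_DisableForceClear, so that by the time untrusted software runs the only remaining path to a clear is the owner's own authorization (if TPM_OwnerClear has not also been disabled) or physical access at the next boot.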
