Transcript TCPA - Carnegie Mellon University
Trusted Computing Platform Alliance
David Grawrock, Security Architect, Desktop Architecture Labs, Intel Corporation, 27 April 2020
Trusted Computing Platform Alliance
Agenda
• Background
• Attestation
• Specification
• What Is Next
Background
TCPA History
• Established in spring 1999
• Promoters are:
  – Compaq, IBM, Intel, HP and Microsoft
• Membership over 160 companies
• Web site
  – http://www.trustedpc.org/
Background
TCPA Technical Challenge
To maintain the privacy of the platform owner while providing a ubiquitous, interoperable mechanism to validate the identity and integrity of a computing platform.
TCPA provides the base for reporting identity and integrity.
Attestation
Are You A Dog?
• On the Internet no one knows you are a dog
• On the Internet no one knows if you have a proper configuration
Attestation
Attestation Definition
• “To affirm to be true, correct or genuine” [1]
• Cryptographic proof of information regarding the platform
• Information that could be attested to includes:
  – HW on platform
  – BIOS
  – Configuration options
  – And much more
[1] American Heritage Dictionary
Attestation
Attestation Promise
• TCPA never lies about the state of measured information
• This requires:
  – Accurate measurement
  – Protected storage
  – Provable reporting of measurement
TCPA defines an attestation device.
Specification
Specifications Available
• Main specification defines the Trusted Platform Module (TPM)
  – Definition is platform neutral
  – All commands to the TPM are defined
• TPM PC Specific specification defines how to implement on a PC platform
• These specs are available on the web site
Specification
TPM Components
[Figure: TPM block diagram with components Non-Volatile Storage, Key Generation, Anonymous Identities, RNG, PCR, RSA and Opt-In]
• Generate and use RSA keys
• Provide long-term protected storage of the RSA root key
• Store measurements in PCRs
• Use anonymous identities to report PCR status
TPM definition is complete.
Trusted Computing Platform Alliance
Summary
• TCPA provides the base for reporting identity and integrity
• TCPA defines an attestation device
• TPM definition is complete
Trusted Computing Platform Alliance
What Next?
• Design platforms and applications for TPM use
• Extend the trust and integrity of platforms
Trusted Computing Platform Alliance
Questions?
Trusted Computing Platform Alliance
Backup Material
Functionality
Non-volatile Storage
[Figure: TPM block diagram, Non-Volatile Storage highlighted]
• The non-volatile storage holds the endorsement key (EK) securely
  – Each TPM has a unique EK
• The endorsement key must be protected from both exposure and improper use
• In addition to the EK there are some flags that are kept in non-volatile storage
Functionality
Key Generation
[Figure: TPM block diagram, Key Generation highlighted]
• The TPM can generate RSA keys
  – Default size 2048 bits
  – Other algorithms possible
• The keys can be used for signing / verification or encryption / decryption
  – Use of key must be specified at creation time
• There is no speed requirement on how long or how short a time generation will take
Functionality
Anonymous Identities
[Figure: TPM block diagram, Anonymous Identities highlighted]
• All operations attesting to the TPM use an anonymous identity rather than the EK
• An anonymous identity certifies that the key came from A TPM, not WHICH TPM
  – Devil is in the details; see the main spec
Functionality
Random Number Generator
[Figure: TPM block diagram, RNG highlighted]
• All TPMs must have an RNG
  – Implementation is manufacturer specific
• The specification asks for, but does not require, FIPS evaluation of the RNG
• The RNG output is used both internally by the TPM and is offered to outside consumers of randomness
Functionality
PCR Registers
[Figure: TPM block diagram, PCR highlighted]
• The TPM has a minimum of 16 Platform Configuration Registers (PCRs)
• The PCR registers use the EXTEND operation to store measurements regarding the platform
  – PCR value = SHA(new value, old value)
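A worked example of the EXTEND rule and of the "provable reporting of measurement" step from the Attestation Promise slide, added here as an illustration and not part of the original deck: each measurement is folded into a 20-byte PCR with SHA-1, and a verifier replays the measurement log to check a reported PCR value. It assumes an all-zero PCR reset value and the old-value-first operand order of the TCPA 1.1b main specification (the slide writes the operands the other way round); the boot log is constructed.

```python
import hashlib
from typing import Sequence

PCR_LEN = 20                 # TCPA 1.x PCRs hold one SHA-1 digest
PCR_RESET = bytes(PCR_LEN)   # assumed reset value: all zeros


def measure(component: bytes) -> bytes:
    """Measurement of a component = SHA-1 of its bytes (20-byte digest)."""
    return hashlib.sha1(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """One EXTEND: new PCR = SHA-1(old PCR || measurement digest).

    The old value is hashed first, following the TCPA 1.1b main spec
    (assumption for this example; the slide lists the operands reversed).
    Because the old value feeds the hash, a PCR can only be appended to,
    never reset or rewritten by software."""
    if len(pcr) != PCR_LEN or len(digest) != PCR_LEN:
        raise ValueError("PCR and digest must be 20-byte SHA-1 values")
    return hashlib.sha1(pcr + digest).digest()


def replay(log: Sequence[bytes]) -> bytes:
    """Recompute the PCR a verifier expects from an ordered measurement log."""
    pcr = PCR_RESET
    for component in log:
        pcr = extend(pcr, measure(component))
    return pcr


def verify_report(log: Sequence[bytes], reported_pcr: bytes) -> bool:
    """Accept a reported PCR only if replaying the log reproduces it exactly."""
    return replay(log) == reported_pcr


# Constructed sample boot sequence (placeholder bytes, not real firmware).
BOOT_LOG = [
    b"BIOS image (constructed)",
    b"option ROM (constructed)",
    b"boot loader (constructed)",
]

if __name__ == "__main__":
    good = replay(BOOT_LOG)
    print("PCR after boot:", good.hex())
    tampered = BOOT_LOG[:-1] + [b"boot loader (constructed, modified)"]
    print("tampered log accepted?", verify_report(tampered, good))
    print("reordered log accepted?", verify_report(BOOT_LOG[::-1], good))
```

Any change to a component, its omission, or a different load order yields a different final PCR, which is why the log plus the signed PCR value is enough for a verifier to check the platform's measured state.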
Functionality
RSA Engine
[Figure: TPM block diagram, RSA highlighted]
• The TPM can encrypt and decrypt using RSA keys
• The use of keys is segregated into signing or encryption uses
• The TPM must handle RSA keys of 2048 bits in size
Functionality
Opt-In
[Figure: TPM block diagram, Opt-In highlighted]
• The TPM has mechanisms that make the use of the TPM a complete Opt-In system
• The Opt-In selections are maintained across power cycles, and the TPM can be deactivated
Version 1.0
TCPA Functional Layout
[Figure: requests from the BIOS and drivers pass through the TPS to the TPM]
TPS – Trusted Platform Subsystem
• ALL operations come through the TPS
TPM – Trusted Platform Module
• Hardware
• Microcode
• Protected functionality
• Shielded locations
Version 1.0
TCPA System Architecture
[Figure: layered system architecture. OS present: Application, Middleware, OS / Driver; Ring 3 Library and TPS Security API above the TCPA Security Driver; Ring 0 Library. OS absent: BIOS, OS Absent Library, OS Absent TPS Security API. TPM Hardware and Microcode at the bottom]
Version 1.0
TCPA Software Architecture
[Figure: software architecture. Applications sit on the existing infrastructure (CDSA / CSSM, CAPI, other APIs); the modified infrastructure (CSPs, DL) reaches the TPS through the TPS Interface, and the TPS reaches the TPM through the TPM Interface]
Version 1.0
Possible TPM Placement
[Figure: platform diagram with CPU, MCH, ICH, System Memory, System Flash and the TPM]
• TPM connecting on the LPC bus
• TPM has low transaction volume, so speed of bus is not an issue
• Connection of the TPM is vendor specific and not specified in the specification
Specification provides a robust set of features.