Post on 28-Dec-2015
Trusted Computing Platform Alliance
David Grawrock
Security Architect
Desktop Architecture Labs
Intel Corporation
April 19, 2023
Slide 2: Agenda
• Background
• Attestation
• Specification
• What Is Next
Slide 3: TCPA History
• Established in spring 1999
• Promoters are:
– Compaq, IBM, Intel, HP and Microsoft
• Membership over 160 companies
• Web site
– http://www.trustedpc.org/
Slide 4: TCPA Technical Challenge
To maintain the privacy of the platform owner while providing a ubiquitous interoperable mechanism to validate the identity and integrity of a computing platform.
TCPA provides the base for reporting identity and integrity.
Slide 5: Are You A Dog?
• On the Internet no one knows you are a dog
• On the Internet no one knows if you have a proper configuration
Slide 6: Attestation Definition
• "To affirm to be true, correct or genuine" (1)
• Cryptographic proof of information regarding the platform
• Information that could be attested to includes:
– HW on platform
– BIOS
– Configuration options
– And much more
(1) American Heritage Dictionary
Slide 7: Attestation Promise
• TCPA never lies about the state of measured information
• This requires
– Accurate measurement
– Protected storage
– Provable reporting of measurement
TCPA defines an attestation device.
Slide 8: Specifications Available
• Main specification defines Trusted Platform Module (TPM)
– Definition is platform neutral
– All commands to the TPM are defined
• PC Specific specification defines how to implement on a PC platform
• These specs are available on the web site
Slide 9: TPM Components
• Generate and use RSA keys
• Provide long-term protected storage of RSA root key
• Store measurements in PCR
• Use anonymous identities to report PCR status
[Block diagram: TPM containing RNG, RSA, Non-Volatile Storage, Key Generation, PCR, Anonymous Identities, Opt-In]
TPM definition is complete.
Slide 10: Summary
• TCPA provides the base for reporting identity and integrity
• TCPA defines an attestation device
• TPM definition is complete
Slide 11: What Next?
• Design platforms and applications for TPM use
• Extend the trust and integrity of platforms
Slide 13: Backup Material
Slide 14: Non-volatile Storage
• The storage is to securely hold the endorsement key (EK)
– Each TPM has a unique EK
• The endorsement key must be protected from both exposure and improper use
• In addition to the EK there are some flags that are kept in non-volatile storage
Slide 15: Key Generation
• The TPM can generate RSA keys
– Default size 2048 bits
– Other algorithms possible
• The keys can be used for signing / verification or encryption / decryption
– Use of key must be specified at creation time
• There is no speed requirement on how long or how short a time generation will take
Slide 16: Anonymous Identities
• All operations attesting to the TPM use an anonymous identity rather than the EK
• An anonymous identity certifies that the key came from A TPM, not WHICH TPM
– Devil is in the details; see the main spec
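The identity/EK separation on this slide, as an added example that is not part of the original deck: a toy TPM issues a quote over selected PCR values signed with an identity key (AIK) that a Privacy CA has certified, and the verifier checks the quote without ever being shown the EK. Everything here is assumed for illustration: the class and function names, the `QUOT` and `AIKC` message tags, the Privacy CA, and the RSA, which is textbook RSA over fixed, publicly known primes so the script runs with the standard library alone, in place of the 2048-bit PKCS#1 keys a real TPM uses.

```python
"""Toy quote signed by an anonymous identity (AIK) instead of the EK. Added example; see lead-in."""
import hashlib
import secrets
from dataclasses import dataclass

E = 65537
# Fixed, publicly known primes: Mersenne primes M61, M89, M107, M127 and the largest primes
# below 2**64 and 2**128. A toy stand-in for the TPM's own key generator.
M61, M89, M107, M127 = (1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1
P64, P128 = (1 << 64) - 59, (1 << 128) - 159

@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: int = 0  # private exponent; 0 in a public-only copy. A TPM key's d never leaves the chip.

    def public(self) -> "RsaKey":
        return RsaKey(self.n, self.e)

def make_key(p: int, q: int) -> RsaKey:
    return RsaKey(n=p * q, e=E, d=pow(E, -1, (p - 1) * (q - 1)))

def sign(key: RsaKey, message: bytes) -> int:
    # Textbook RSA over a SHA-1 digest (160 bits, below every modulus above); no padding.
    return pow(int.from_bytes(hashlib.sha1(message).digest(), "big"), key.d, key.n)

def verify(key: RsaKey, message: bytes, signature: int) -> bool:
    return pow(signature, key.e, key.n) == int.from_bytes(hashlib.sha1(message).digest(), "big")

def encode_public(key: RsaKey) -> bytes:
    return key.n.to_bytes(32, "big") + key.e.to_bytes(4, "big")

def pcr_composite(pcrs: dict) -> bytes:
    """Digest of the selected PCR values in index order: the 'PCR status' a quote reports."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(pcrs))).digest()

class ToyTPM:
    def __init__(self, ek_primes, pcr_values):
        self._ek = make_key(*ek_primes)  # unique per TPM, held in non-volatile storage
        self._identities = {}
        self.pcrs = list(pcr_values)

    def ek_public(self) -> RsaKey:
        return self._ek.public()

    def make_identity(self, label: str, primes) -> RsaKey:
        self._identities[label] = make_key(*primes)
        return self._identities[label].public()

    def quote(self, label: str, nonce: bytes, indices) -> dict:
        # Signed with the identity key. The EK signs nothing, so the verifier cannot tell WHICH TPM.
        selected = {i: self.pcrs[i] for i in indices}
        sig = sign(self._identities[label], b"QUOT" + nonce + pcr_composite(selected))
        return {"nonce": nonce, "pcrs": selected, "sig": sig}

class PrivacyCA:
    """Assumed trusted third party: vouches that an AIK belongs to A genuine TPM, not which one."""

    def __init__(self, primes, genuine_eks):
        self._key = make_key(*primes)
        self.public = self._key.public()
        self._genuine = {encode_public(k) for k in genuine_eks}  # assumed list of genuine EKs

    def certify_identity(self, ek_public: RsaKey, aik_public: RsaKey) -> int:
        if encode_public(ek_public) not in self._genuine:
            raise PermissionError("EK not recognised as belonging to a genuine TPM")
        return sign(self._key, b"AIKC" + encode_public(aik_public))  # covers the AIK only, not the EK

def verify_quote(ca_public, aik_public, credential, expected_nonce, expected_pcrs, quote) -> bool:
    """Verifier side: works from the AIK and the CA credential; the EK is never presented to it."""
    if not verify(ca_public, b"AIKC" + encode_public(aik_public), credential):
        return False  # identity not certified by a CA we trust
    if quote["nonce"] != expected_nonce:
        return False  # stale or replayed quote
    if not verify(aik_public, b"QUOT" + quote["nonce"] + pcr_composite(quote["pcrs"]), quote["sig"]):
        return False  # PCR values or nonce altered after signing
    return quote["pcrs"] == expected_pcrs  # lastly, compare with the known-good configuration

def demo() -> dict:
    good = [hashlib.sha1(f"constructed pcr {i}".encode()).digest() for i in range(16)]  # fake PCRs
    tpm = ToyTPM((M61, M127), good)
    ca = PrivacyCA((M89, M107), genuine_eks=[tpm.ek_public()])
    aik = tpm.make_identity("aik0", (P64, P128))
    cred = ca.certify_identity(tpm.ek_public(), aik)
    policy = {0: good[0], 1: good[1]}  # verifier's expected values for PCR 0 and 1
    nonce = secrets.token_bytes(20)
    quote = tpm.quote("aik0", nonce, [0, 1])
    genuine = verify_quote(ca.public, aik, cred, nonce, policy, quote)
    replayed = verify_quote(ca.public, aik, cred, secrets.token_bytes(20), policy, quote)  # old quote
    forged = verify_quote(ca.public, aik, cred + 1, nonce, policy, quote)  # credential not from the CA
    tpm.pcrs[0] = hashlib.sha1(b"constructed: different BIOS").digest()  # platform changed (toy write)
    nonce2 = secrets.token_bytes(20)
    changed = verify_quote(ca.public, aik, cred, nonce2, policy, tpm.quote("aik0", nonce2, [0, 1]))
    return {"genuine": genuine, "replay_rejected": not replayed,
            "forged_credential_rejected": not forged, "changed_platform_rejected": not changed}

if __name__ == "__main__":
    print(demo())
```

The verifier's checks run in the order a real one would: credential first (is this key from a genuine TPM at all?), then nonce freshness, then the signature over the PCR composite, and only then the policy comparison. The direct write to `tpm.pcrs[0]` is a shortcut for the toy; a real TPM only ever changes a PCR through EXTEND.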
Slide 17: Random Number Generator
• All TPMs must have a RNG
– Implementation is manufacturer specific
• The specification asks for, but does not require, FIPS evaluation of the RNG
• The RNG output is used both internally by the TPM and is offered to outside consumers of randomness
Slide 18: PCR Registers
• The TPM has a minimum of 16 Platform Configuration Registers (PCR)
• The PCR registers use the EXTEND operation to store measurements regarding the platform
– PCR value = SHA(new value, old value)
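The EXTEND rule on this slide, as an added example that is not part of the original deck. The assumptions are mine: a SHA-1, 20-byte register bank initialised to zeros, the TPM 1.x concatenation order SHA-1(old PCR value || new measurement) (the slide's SHA(new value, old value) notation does not fix the byte order), and all class and function names. It goes a step beyond the slide by also showing the verifier's side: replaying an event log to check that the log explains a reported PCR value, which is what makes a measurement log worth trusting.

```python
"""Toy PCR bank: the EXTEND operation and log replay by a verifier. Added example; see lead-in."""
import hashlib
import hmac

PCR_SIZE = 20            # SHA-1 digest length; TPM 1.x PCRs are SHA-1 sized
NUM_PCRS = 16            # the slide's minimum register count
PCR_INITIAL = b"\x00" * PCR_SIZE

def measure(data: bytes) -> bytes:
    """A measurement is the SHA-1 digest of the object measured (BIOS image, option ROM, ...)."""
    return hashlib.sha1(data).digest()

def pcr_extend(old_value: bytes, measurement: bytes) -> bytes:
    """EXTEND: new = SHA-1(old || measurement). Order of events matters and nothing is undoable."""
    if len(old_value) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR value and measurement must both be 20-byte SHA-1 digests")
    return hashlib.sha1(old_value + measurement).digest()

class ToyPcrBank:
    """PCR registers only. Deliberately no 'write' method: values are read and extended, never set."""

    def __init__(self) -> None:
        self._pcrs = [PCR_INITIAL] * NUM_PCRS
        self.event_log = []  # (pcr index, description, measurement); kept by firmware/OS, not the TPM

    def extend(self, index: int, description: str, data: bytes) -> bytes:
        if not 0 <= index < NUM_PCRS:
            raise IndexError(f"PCR index {index} out of range")
        m = measure(data)
        self._pcrs[index] = pcr_extend(self._pcrs[index], m)
        self.event_log.append((index, description, m))
        return self._pcrs[index]

    def read(self, index: int) -> bytes:
        return self._pcrs[index]

def replay_log(event_log, index: int) -> bytes:
    """Verifier side: recompute the PCR value a trustworthy log would produce, starting from zeros."""
    value = PCR_INITIAL
    for pcr_index, _description, measurement in event_log:
        if pcr_index == index:
            value = pcr_extend(value, measurement)
    return value

def log_matches_pcr(reported_pcr: bytes, event_log, index: int) -> bool:
    """True when the log explains the reported PCR; any edited, dropped or reordered entry breaks it."""
    return hmac.compare_digest(reported_pcr, replay_log(event_log, index))

def demo() -> dict:
    # Constructed boot components; real measurements would be digests of actual firmware images.
    bank = ToyPcrBank()
    bank.extend(0, "BIOS", b"constructed BIOS image v1")
    bank.extend(0, "option ROM", b"constructed option ROM")
    bank.extend(4, "boot loader", b"constructed boot loader")

    other_order = ToyPcrBank()  # same components, extended in the opposite order
    other_order.extend(0, "option ROM", b"constructed option ROM")
    other_order.extend(0, "BIOS", b"constructed BIOS image v1")

    edited_log = [(i, d, measure(b"constructed BIOS image v2") if d == "BIOS" else m)
                  for i, d, m in bank.event_log]  # log claims a different BIOS than was measured
    return {
        "log_explains_pcr0": log_matches_pcr(bank.read(0), bank.event_log, 0),
        "order_changes_pcr0": bank.read(0) != other_order.read(0),
        "edited_log_detected": not log_matches_pcr(bank.read(0), edited_log, 0),
        "untouched_pcr_is_zero": bank.read(1) == PCR_INITIAL,
    }

if __name__ == "__main__":
    print(demo())
```

The two properties worth noticing are that the same measurements in a different order give a different PCR value, so the chain records sequence as well as content, and that a log entry edited after the fact no longer replays to the reported value, which is how a verifier detects tampering with the (unprotected) log rather than with the (protected) register.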
Slide 19: RSA Engine
• The TPM can encrypt and decrypt using RSA keys
• The use of keys is segregated into signing or encryption uses
• The TPM must handle RSA keys of 2048 bits in size
Slide 20: Opt-In
• The TPM has mechanisms that make the use of the TPM a complete Opt-In system
• The Opt-In selections are maintained across power cycles and the TPM can be deactivated
Slide 21: Version 1.0 TCPA Functional Layout
TPS – Trusted Platform Subsystem: BIOS, Drivers. ALL operations come through the TPS.
TPM – Trusted Platform Module: Hardware, Microcode, Protected functionality, Shielded locations.
[Diagram: requests enter the TPS, which passes them to the TPM]
Slide 22: Version 1.0 TCPA System Architecture
[Layered diagram; labels as recovered from the slide]
OS Present: Application, Ring 3 Library, Middleware, OS Present TPS Security API, OS / Driver, Ring 0 Library, TCPA Security Driver
OS Absent: BIOS, OS Absent Library, OS Absent TPS Security API
Hardware: TPM Hardware and Microcode
Slide 23: Version 1.0 TCPA Software Architecture
[Diagram; labels as recovered from the slide]
Applications: Application, Application, Application
Existing Infrastructure: CSSM, CAPI, CDSA, CSP, CSP, CSP, DL
Modified Infrastructure: TPS, Other API
TPS Interface
TPM Interface
TPM
Slide 24: Version 1.0 Possible TPM Placement
[Diagram: CPU, MCH, ICH, System Memory, System Flash, with the TPM attached to the LPC bus]
• TPM connecting on LPC bus
• TPM has low transaction volume, so speed of bus is not an issue
• Connection of TPM is vendor specific and not specified in the specification
Specification provides a robust set of features.