Trusted Computing Platforms This Is a FM Blank Page Graeme Proudler • Liqun Chen • Chris Dalton

Trusted Computing Platforms ThiS is a FM Blank Page Graeme Proudler • Liqun Chen • Chris Dalton

Trusted Computing Platforms TPM2.0 in Context Graeme Proudler Liqun Chen Chris Dalton Hewlett-Packard Laboratories Bristol United Kingdom

ISBN 978-3-319-08743-6 ISBN 978-3-319-08744-3 (eBook) DOI 10.1007/978-3-319-08744-3 Springer Cham Heidelberg New York Dordrecht London

Library of Congress Control Number: 2014957751

© Springer International Publishing Switzerland 2014 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Printed on acid-free paper

Springer is part of Springer Science+Business Media (www.springer.com) Preface

Attacks on computer platforms are unrelenting. Governments, businesses, organisations, and consumers are battle fatigued. They cope the best they can and carry on regardless. Successful attacks disclose the secrets and private information stored and processed by computers. At the turn of the century, the computer industry responded by starting to design Trusted Computing platforms with built-in security mechanisms and built-in trust mechanisms. The security mechanisms are reason- ably conventional but the trust mechanisms are novel. Security mechanisms in computers protect data by isolating data and constraining access to that isolated data. In principle, Trusted Computing enables computer users to select a spectrum of isolation and access controls from non-existent up to the level of the strongest mechanisms implemented in a partic- ular platform. • The security mechanisms provided by real trusted platforms are anticipated to be somewhat inferior to those of conventional secure platforms traditionally used in critical infrastructures, albeit far superior to those provided by ordinary mass- market platforms. One doesn’t always need to protect data, however, and there is always a balance between convenience of access to data and the level of protection afforded to that data. Sometimes one just doesn’t care; or some information in a platform might not need any protection, but other information might need a lot of protection; or the level of protection might vary with time and other circumstances. The real question for most computer users is whether one trusts a computer platform enough to perform the current task. In other words, is a given platform doing what the user expects it to be doing, and is that behaviour adequate for the user’s current purposes? Trusted Computing addresses this question via trust mechanisms that help to determine whether a computing service is trustworthy enough for the current task, instead of just hoping that it is. Thirteen years on (at time of writing), the greatest difficulty in Trusted Com- puting has been determining a compromise between incompatible consent, privacy, v vi Preface protection, and ease-of-use requirements whilst meeting legal, commercial and manufacturing constraints. The greatest business difficulty has been continually solving the chicken-and-egg business problem of introducing new technology for services that don’t exist because the technology doesn’t exist. The next significant business hurdle may well be avoiding a “race to the bottom”, where trusted platforms are implemented in the cheapest but weakest possible ways, to reduce costs to the bare bones. Speculative criticism of Trusted Computing has probably delayed its adoption, despite the fact that there is no known technical alternative to Trusted Computing for protecting customers’ data in mass-market platforms, short of constraining customers’ choice of software. The reader may decide for themselves whether this delay has unnecessarily exposed people and organisations to certain types of attack, or has encouraged development of closed computing ecosystems or platforms that constrain the choice of software. The computer industry has continued to put components of Trusted Computing in place, one by one, even though the components couldn’t (and can’t) be used to their full potential until all the components are in place. Trusted Platform Module (TPM1) chips have been installed in literally hundreds of millions of computers. To assuage initial concerns, TPMs were shipped in an “off” state, so that customers had to opt in in order to use Trusted Computing. Initially, however, the only computer users who understood what a TPM might be were enthusiasts who feared the technology because they had read sensationalist speculative descriptions. Ordinary computer users (whom Trusted Computing is intended to protect) neither knew nor understood, nor wanted to understand, what Trusted Computing is or does. Eventually corporate customers came to appreciate that trusted platforms are safer platforms, but complained that the technology had to be turned on before it could be used. Then it transpired that application developers were reluctant for their software to have any reliance on the TPM, lest the TPM be “off” and hence unavailable. The net effect was that some TPMs were used to protect “data at rest” (when a platform was turned off), via Microsoft’s BitLocker™ technology, for example, but the overall level of TPM usage was very low. This has (so far) eliminated the business case for development of a Trusted Computing infrastructure.2 Despite everything, Trusted Computing has gained credibility amongst those who have studied the technology. Universities3 have started teaching and researching the technology, and it has emerged that governments encourage use of the technology to help protect government information. The UK government, for

1 It is a coincidence that TPM is also the acronym for Technical Protection Measure, which is a legal term for a technique used to prevent illegal copying of computer programs. 2 Albeit the USA’s NIST does maintain a National Software Reference Library (NSRL www.nsrl. nist.gov, visited April 2014), which contains “a collection of digital signatures of known, traceable software applications”, including applications that may be malicious. 3 Including Birmingham University (UK), Royal Holloway College - University of London (UK), IAIK (Graz, Austria), Oxford University (UK), Bochum (Germany), Darmstadt (Germany), Hochschule Hannover (Germany). Preface vii example, has published the recommendation “CESG IA Top Tips – Trusted Plat- form Modules” [CESG01]. The Trusted Computing Group (the industry organisation that promotes Trusted Computing) has become a rallying point for manufacturers to build information protection into their products, and the initiative has expanded to cover other aspects of computers and computing. Besides the Trusted Platform Module chip, new platform firmware, new platform chip sets, self-encrypting hard disk drives (SEDs), trusted networks (Trusted Network Connect, TNC), and more secure parts of the pre-OS platform have been developed. In fact, SEDs and TNC are arguably becoming important and successful in their own right. The first proper trusted platform is arguably a Personal Computer running Microsoft’s Windows 8™ operating system, which has a Trusted Platform Module (TPM) in its Trusted Computing Base (TCB). This TCB manages the TPM, uses the TPM’s functions to help protect the platform, and enables applications to use the TPM to protect their data. There are as yet no mobile phones that support Trusted Computing because they are arguably really needed only for compatibility with services built for trusted platforms, but there are currently no such services. There’s currently a dearth of trusted hypervisors. There is no avoiding the fact that mass-market computing needs improved data protection. It’s indisputable that secrets and private information are increasingly stored as data in commercial networked computer platforms, which are under continuous and escalating attack. Improving the level of protection in mass-market computers and computer networks is an enormous task and (given a choice) the ICT industry would have started afresh, instead of with computer and network archi- tectures that were not designed to protect information. The task is complicated by incompatible stakeholder requirements. Providing protection for computer platforms is much simpler if platforms have less flexibility, users have less control, and privacy is irrelevant, but these easy options are incompatible with many existing types of computer platform. Consequently manufacturers have had to devise a compromise that gives almost everyone almost everything they wanted. The Trusted Computing initiative has forced everyone involved to think about what trust means, who and what is trustworthy, and whether they themselves are trustworthy. Some commentators found the conclusions disturbing and were upset by the effect on the status quo. Some are still upset because, if nothing else, Trusted Computing: • complicates the way that a platform boots and shuts down, • complicates access to data, and can prevent existing tools and services from working, • can help prevent the platform state from being rolled back, • can be used to implement digital rights management systems, which are anath- ema to some commentators, • prevents some repurposing of platforms.4

4 At some point, imaginative use of a platform becomes an attack on that platform. viii Preface

Trusted Computing requires evidence that products are trustworthy, and the technology is undoubtedly an obstacle for those who want to repurpose platforms. Fundamentally, however, no one can dispute that better protection is beneficial for mass-market communicating computer platforms, or that any credible data protection mechanism involves constraining the environment that has access to programs and data. The most liberal constraint is to allow whoever has an unprotected copy of software or data to choose the environment to protect that software or data, and that is exactly what Trusted Computing enables. Trusted platforms and Trusted Computing will no doubt change with time but this book should continue to provide a record of origins and justifications. The authors have worked in the field of trusted platforms and Trusted Computing for many years. Chapters 12 and 13 were written by Liqun Chen and Chris Dalton respectively. The rest of this book was written by Graeme Proudler with some input from Chen and Dalton.

Bristol Graeme Proudler May 2014 Liqun Chen Chris Dalton

Naturally, this book also draws upon the expertise of many other people over many years. The authors are particularly obliged to colleagues for information on the Federal Information Processing Standard and on export/import regulations; to Paul Waller of CESG for comments and information about certiﬁcation; and to Dirk Kuhlmann of HP Labs-Bristol for compiling this book’s index.

Reference

[CESG01] “CESG IA Top Tips - Trusted Platform Modules” (April 2014) http://www.cesg. gov.uk/publications/Documents/ciatt-01-11-trusted_platform_modules.pdf Abbreviations

Acronym Description ACA An Attestation Certification Authority is a Certification Authority in a Public Key Infrastructure that issues credentials for TPM2.0 keys, especially keys used as TPM identities AIK An Attestation Identity Key is an asymmetric signing keypair in TPMv1.2 that is used as a TPM identity AK An Attestation Key is an asymmetric keypair in TPM2.0, which could be used as a TPM identity BBB The BIOS Boot Block is part of the Basic Input/Output System in a Personal Computer BIOS The Basic Input/Output System historically comprises the first instructions to execute in a Personal Computer BLOB A Binary Large OBject comprises TPM data, usually encrypted and integrity- protected data, that is outside a TPM BSI Germany’s Bundesamt fu¨r Sicherheit in der Informationstechnik is a security agency CC The Common Criteria certification scheme—ISO 15408 CESG The UK’s National Technical Authority for Information Assurance is a security agency CCRA The Common Criteria Recognition Agreement is an agreement between governments about a method of security certification CMK A Certified Migration Key is a type of key in TPMv1.2 that can be migrated via a Migration Authority and under control of a Migration Selection Authority COTS A Commercial Off The Shelf mass-market product is one that is suitable for deployment in government systems CRTM The Core Root of Trust for Measurement comprises instructions executed by a Root of Trust for Measurement (RTM) DA A Dictionary Attack is a method of discovering an authorisation value (in order to use a resource without being given permission) DAA Direct Anonymous Attestation is an identity protocol built into TPMs that pro- vides anonymity and pseudonymity (continued)

ix x Abbreviations

Acronym Description D-CRTM The Dynamic Core Root of Trust for Measurement comprises the instructions executed by a Dynamic Root of Trust for Measurement, which takes measurements after part (but not all) of a computer platform is reset DEM The Data Encapsulation Method of modern hybrid encryption DRM A Digital Rights Management system controls the distribution of data in a network D-RTM The Dynamic Root of Trust for Measurement is an inherently trustworthy entity that takes measurements after part (but not all) of a computer platform is reset EAL An Evaluation Assurance Level is a measure of the protection provided by a device, used by the Common Criteria certification scheme ECC Elliptic Curve Cryptography EK An Endorsement Key is an asymmetric keypair, usually accompanied by an Endorsement Credential to vouch that the device containing the private Endorsement Key is a genuine TPM EPS The Endorsement Primary Seed is a secret value used to create primary Endorsement Keys in TPM2.0 FIPS The USA’s Federal Information Processing Standard HDD Hard Disk Drive HMAC Hash-based Message Authentication Code IMEI The International Mobile Equipment Identity of a mobile device ISO The International Organization for Standardisation is a body that publishes specifications JTAG A boundary-scan method of testing electronic devices KDF A Key Derivation Function is a method of generating a cryptographic key from arbitrary data KEM The Key Encapsulation Method of modern hybrid encryption LPC The Low Pin Count bus is a data bus in computer platforms MA A Measurement Agent is a computing engine that performs a measurement of the software environment in a computer platform, other than the first such measurement MA A Migration Authority is an entity used as a backup repository for TPMv1.2 Certified Migration Keys MLTM A type of Mobile Trusted Module that is administered (owned) by a Local entity MRTM A type of Mobile Trusted Module that is administered (owned) by a Remote entity MSA A Migration Selection Authority is an entity that approves the migration of TPMv1.2 Certified Migration Keys MTM A Mobile Trusted Module is a TPM variant optimised for use in mobile platforms, especially embedded platforms NSA The USA’s National Security Agency NIST The USA’s National Institute of Standards and Technology is a body that publishes specifications NV Shorthand for non-volatile memory, meaning memory that retains data when the memory has no external power source OEM An Original Equipment Manufacturer is an entity that markets a product (continued) Abbreviations xi

Acronym Description OIAP The Object Independent Authorization Protocol is a method of demonstrating multiple separate authorisation privileges to TPMv1.2 OSAP The Object Specific Application Protocol is a method of repeatedly demonstrating a single authorisation privilege to TPMv1.2 PCA A Privacy Certification Authority (Privacy-CA) is a Certification Authority in a Public Key Infrastructure that issues credentials for TPMv1.2 identity keys PKCS Public Key Cryptography Standards privEK The private part of an Endorsement Key PCR A Platform Configuration Register is a register containing a summary of instructions executed in a platform, starting from an instant where previously executed instructions have no effect on the platform’s behaviour. pubEK The public part of an Endorsement Key PSAP The Policy Session Authorization Protocol is a method of demonstrating multiple multi-factor authorisation privileges to TPM2.0 PWAP The PassWord Authorization Protocol is a method of passing multiple plaintext authorisation privileges to TPM2.0 QN A Qualified Name is a label that (statistically) uniquely identifies an instance of a specific object in a specific TPM2.0 Protected Storage hierarchy RNG Random Number Generator RoT Root of Trust RSA An asymmetric cryptographic algorithm, named after its inventors RTM The Root of Trust for Measurement is an inherently trustworthy computing engine that performs the first measurement of the software environment in a computer plaform RTR The Root of Trust for Reporting is an inherently trustworthy computing engine that signs on behalf of a computer plaform RTS The Root of Trust for Storage is an inherently trustworthy computing engine that stores data (including secrets) in a computer plaform RTV A Root of Trust for Verification is an inherently trustworthy computing engine that can verify the authenticity of executable instructions in a computer platform S-CRTM The Static Core Root of Trust for Measurement comprises the instructions executed by a Static Root of Trust for Measurement, which takes measurements after an entire computer platform is reset SHA A hash algorithm defined by the USA’s National Institute of Standards and Technology SIM A Subscriber Identity Module is a type of smartcard that identifies the user of a mobile device SRK A Storage Root Key is an asymmetric encrypting keypair at the root of a TPM’s key hierarchy S-RTM The Static Root of Trust for Measurement is an inherently trustworthy entity that takes measurements after an entire computer platform is reset TCB A Trusted Computing Base is a trustworthy computing engine that can protect itself and its resources TCG The Trusted Computing Group is an industry organisation that writes Trusted Computing specifications (continued) xii Abbreviations

Acronym Description TPM The Trusted Platform Module is a computing engine that comprises the Root of Trust for Storage and the Root of Trust for Reporting in a computer platform UEFI The Uniﬁed Extensible Firmware Interface is a replacement for the BIOS in a Personal Computer VM A Virtual Machine is an implementation of a hardware architecture interface (e.g. x86) provided by a VMM VMM A Virtual Machine Monitor, often called a hypervisor VPN A Virtual Private Network is a private method of communication that operates over shared communication paths Contents

1 Introduction ...... 1 1.1 The State of Play ...... 2 1.2 Objectives ...... 4 1.3 Trusted Computing Technology ...... 6 1.4 Beneﬁts of Trusted Computing ...... 7 1.5 Trust, Instead of Security ...... 9 1.5.1 Secure Computing ...... 9 1.5.2 Trusted Computing ...... 10 1.6 Limitations of Trusted Computing ...... 12 1.7 Concerns About Trusted Computing ...... 13 1.8 First Generation Trusted Computing ...... 18 References ...... 19 2 Futures for Trusted Computing ...... 21 2.1 Trusted Virtualisation ...... 21 2.1.1 Privacy Implications of Trusted Virtualisation ...... 24 2.1.2 Virtualised Trusted Platforms ...... 25 2.2 Future Trusted Services ...... 26 2.2.1 Data Deletion ...... 26 2.2.2 Contracts and Negotiations ...... 27 2.2.3 Single Sign-On ...... 28 2.2.4 Trusted Software Agents ...... 28 2.2.5 What You See Is What You Sign ...... 29 2.3 Infrastructure Requirements ...... 29 2.3.1 Public Key Infrastructure ...... 29 2.3.2 Manufacture ...... 30 2.3.3 Upgrading TPMs ...... 31 2.3.4 Upgrading Integrity Metrics ...... 31 2.3.5 Auditing Trusted Platforms ...... 32 2.3.6 Discovering Trusted Services ...... 33

xiii xiv Contents

3 Basics of Trusted Platforms ...... 37 3.1 Design Constraints, Requirements, and Motivations ...... 37 3.1.1 Legacy Platforms, Software and Infrastructure ...... 37 3.1.2 Out of the Box ...... 38 3.1.3 Legal ...... 38 3.1.4 Privacy Constraints ...... 40 3.1.5 Disaster Recovery ...... 41 3.2 Conventional Security in Trusted Platforms ...... 43 3.2.1 High Security ...... 44 3.2.2 No Global Secrets ...... 45 3.2.3 Separation of Privilege ...... 45 3.2.4 Authorisation and Authentication of the Owner and User ...... 46 3.2.5 Dictionary Attacks ...... 48 3.2.6 Cryptographic Algorithms ...... 49 3.2.7 Isolation of Processes ...... 50 3.2.8 Certiﬁcation ...... 51 3.3 Innovations in Trusted Platforms ...... 57 3.3.1 General Principles ...... 59 3.3.2 Roots of Trust ...... 61 3.3.3 Platform Conﬁguration Registers ...... 66 3.3.4 Authenticated/Measured Boot ...... 66 3.3.5 Authenticated/Measured Secure Boot ...... 67 3.3.6 Protected Storage, Data Backup and Recovery ...... 67 3.3.7 Attestation ...... 72 3.3.8 Physical Presence and Provisioning Authorisation . . . 74 3.3.9 Recognising and Identifying a Trusted Platform . .... 77 3.4 Types of Trusted Platform ...... 84 3.4.1 Personal Computers ...... 84 3.4.2 Servers and Data Centres ...... 86 3.4.3 Mobile Phones ...... 86 3.4.4 Appliances ...... 91 3.5 Trusted Platform Lifecycle ...... 92 3.5.1 TPM Design ...... 92 3.5.2 TPM Manufacture ...... 93 3.5.3 Platform Manufacture ...... 96 3.5.4 Platform Deployment ...... 98 3.5.5 Platform Use ...... 101 3.5.6 Platform Maintenance and Recovery ...... 102 3.5.7 Platform Redeployment ...... 105 3.5.8 TPM and Platform Revocation ...... 105 3.5.9 Platform Decommissioning ...... 106 References ...... 106 Contents xv

4 Trusted Platform Architecture ...... 109 4.1 Isolation ...... 110 4.1.1 Isolation Hardware ...... 111 4.2 Credentials ...... 112 4.3 Chain of Trust ...... 112 4.4 Integrity Metrics ...... 115 4.5 Platform Conﬁguration Registers ...... 116 4.6 Audit ...... 118 4.7 Verifying the State of a Trusted Platform ...... 118 4.8 Trusted Platform Module ...... 119 4.9 Locality ...... 122 4.10 Peripherals ...... 123 4.10.1 Trusted Drives ...... 123 4.11 TPM Software Interface ...... 124 4.12 Virtualisation ...... 126 4.12.1 Hosts of Virtualised Trusted Platforms ...... 127 4.12.2 Virtualised Trusted Platforms ...... 127 4.12.3 TPM Virtualisation ...... 128 References ...... 129 5 TPM2 Requirements ...... 131 5.1 Controllability and Privacy ...... 131 5.1.1 Controllability ...... 132 5.1.2 Privacy ...... 135 5.2 Protecting the Platform’s Services ...... 135 5.3 Cryptographic Agility ...... 136 5.4 The Commercial Environment ...... 139 5.5 What Works, and What Doesn’t Work ...... 140 5.6 What’s Unpopular ...... 142 5.7 Platform Manufacturer Requirements ...... 143 5.8 Hypervisor and OS Enhancements ...... 147 5.9 Other Considerations ...... 149 Reference ...... 150 6 TPM2 Operation ...... 151 6.1 TPM2 and Its Host Platform ...... 155 6.2 Using TPM2 Instead of TPMv1.2 ...... 157 7 Initialising TPM2 ...... 173 7.1 Manufacture ...... 173 7.1.1 Providing TPM Endorsement ...... 173 7.1.2 Providing Platform Credentials ...... 175 7.1.3 Providing a Trusted Computing Base ...... 175 7.1.4 TCB Authorisation Requirements ...... 177 7.1.5 Storing TCB Keys in the TPM ...... 178 xvi Contents

7.1.6 Storing TCB data in the TPM ...... 179 7.1.7 Provisioning Platform Conﬁguration Registers ...... 181 7.1.8 Allowing “Physical Presence” Authorisation ...... 183 7.2 Booting the Platform ...... 184 7.2.1 Initialising the TPM ...... 184 7.2.2 Ensuring that the Primary TCB can Manage theTPM...... 186 7.2.3 Testing the TPM ...... 187 7.2.4 Using the TPM to Assist the TCB ...... 187 7.2.5 Enabling the Customer to Control the TPM via the Primary TCB ...... 188 7.2.6 Enabling or Disabling Further Access to the TPM . . . 189 7.3 Recording Platform History in PCRs ...... 189 7.4 Run-Time Initialisation ...... 192 7.5 Late Launch Environments ...... 193 8 Managing TPM2 ...... 197 8.1 Obtaining Management Information ...... 197 8.2 Keeping TPM Data Outside the TPM ...... 200 8.2.1 Short-Term Cached TPM Data ...... 204 8.2.2 Long-Term Cached TPM Data ...... 209 8.3 Dictionary Attacks ...... 214 8.4 Auditing Commands ...... 218 8.5 Clock and Timer ...... 221 8.5.1 Clock Functionality ...... 221 8.5.2 Timer Functionality ...... 222 8.6 Platform Shutdown ...... 222 9 Accessing Keys and Data in TPM2 ...... 225 9.1 Names and QualiﬁedNames ...... 225 9.2 Session Basics ...... 226 9.3 HMAC Sessions ...... 228 9.3.1 Freshness Nonces in HMAC Sessions ...... 228 9.3.2 Binding and Salting HMAC Sessions ...... 229 9.3.3 SessionKeys in HMAC Sessions ...... 230 9.3.4 HMAC Checksums on Commands and Responses . . . 231 9.3.5 Encrypting Command Parameters and Response Parameters ...... 232 9.3.6 Auditing HMAC Sessions ...... 233 9.4 Authorisation Roles ...... 235 9.5 Authorisation Session Types ...... 236 9.6 Plain Authorisation ...... 238 9.6.1 Plain Authorisation Without a Session ...... 239 9.6.2 Plain Authorisation with HMAC Sessions ...... 239 Contents xvii

9.7 Policy Authorisation ...... 240 9.7.1 Composing a Policy ...... 240 9.7.2 Enumerating a Policy ...... 249 9.7.3 Assigning a Policy ...... 252 9.7.4 Executing a Policy ...... 252 10 Customer Conﬁguration of TPM2 and Its Host Platform ...... 255 10.1 Customer Responsibilities ...... 255 10.2 Provisioning ...... 257 10.3 Setting up NV Storage ...... 260 10.4 Assigning Physical Presence Gating to Commands ...... 264 10.5 Assigning Personal Endorsement Keys ...... 265 10.6 Assigning Platform Identities ...... 267 10.6.1 Identities with Some Privacy Risk but Low Complexity ...... 268 10.6.2 Identities with Intermediate Privacy Risk, but Intermediate Complexity ...... 270 10.6.3 Identities with No Known Privacy Risk, but Higher Complexity ...... 273 Reference ...... 275 11 Starting to Use TPM2 ...... 277 11.1 Testing TPM2 ...... 278 11.2 Creating and Obtaining Random Numbers ...... 279 11.3 Starting a Key Hierarchy ...... 279 11.4 Populating a Key Hierarchy by Creating Keys ...... 284 11.5 Populating a Key Hierarchy by Importing Keys ...... 290 11.6 Making a Key from an External Hierarchy Ready for Use . . . . 290 11.7 Making an External Public Key or Plaintext Key Ready for Use ...... 291 11.8 Duplicating a Key ...... 292 11.9 Embedding and Ejecting Keys ...... 294 11.10 Reading the Public Part of a Loaded Key ...... 295 11.11 Changing Authorisation Values ...... 295 11.12 Encrypting and Sealing Data ...... 297 11.13 Decrypting Data and Unsealing Data ...... 300 11.14 Signing ...... 301 11.15 Verifying Signatures ...... 304 11.16 Obtaining PCR Values ...... 305 11.17 Certifying Key Creation ...... 309 11.18 Cross Certiﬁcation of Keys ...... 314 11.19 Certifying Sequences of Commands ...... 319 11.20 Certifying the Usage of Commands ...... 322 11.21 Certifying TPM Time, Resets, and TPM Firmware Version . . . 326 11.22 Storing Data in NV Storage ...... 330 xviii Contents

11.23 Certifying NV Storage ...... 333 11.24 Using TPM2 as an Ordinary Cryptographic Service ...... 337 12 Direct Anonymous Attestation (DAA) in More Depth ...... 339 12.1 The Concept of General Anonymous Digital Signatures . . . . . 339 12.2 The Concept of DAA ...... 341 12.3 The Setup Algorithm ...... 343 12.4 The DAA Join Protocol ...... 344 12.5 The Sign/Verify Protocol ...... 346 12.6 The Link Algorithm ...... 348 12.7 Revocation Considerations ...... 348 12.8 Discussion on DAA Security Levels ...... 350 References ...... 351 13 Machine Virtualisation, Virtual Machines, and TPMs ...... 353 13.1 Introduction ...... 353 13.2 Machine Virtualisation and Security ...... 354 13.3 Containment and Isolation ...... 354 13.4 Robust Control and Introspection Point ...... 355 13.5 Small Code Base ...... 355 13.6 Examples of Hypervisor-Based Enhanced Security ...... 356 13.6.1 The TPM and Supporting Machine Virtualisation . . . 357 13.6.2 Additional Chipset and CPU Hardware Extensions . . . 358 13.6.3 Machine Virtualisation and Supporting the TPM . . . . 359 13.6.4 Challenges Around TPM and Virtualisation ...... 360 13.6.5 Summary ...... 360 References ...... 360 Index ...... 361