TCG TPM Main Part 3 Commands Specification Version 1.2 Level 2 Revision 94 29 March 2006 Contact: tpmwg@trustedcomputinggroup.org TCG Published Copyright TCG 2003-2006 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 ii Level 2 Revision 94 29 March 2006 Draft TCG Published Copyright 2003-2006 Trusted Computing Group, Incorporated. Disclaimer THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Without limitation, TCG disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information in this specification and to the implementation of this specification, and TCG disclaims all liability for cost of procurement of substitute goods or services, lost profits, loss of use, loss of data or any incidental, consequential, direct, indirect, or special damages, whether under contract, tort, warranty or otherwise, arising in any way out of use or reliance upon this specification or any information herein. No license, express or implied, by estoppel or otherwise, to any TCG or TCG member intellectual property rights is granted herein. Except that a license is hereby granted by TCG to copy and reproduce this specification for internal use only. Contact the Trusted Computing Group at www.trustedcomputinggroup.org for information on specification licensing through membership agreements. Any marks and brands contained herein are the property of their respective owners. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Error! No text of specified style in document. iii TCG Published Acknowledgement TCG wishes to thank all those who contributed to this specification. This version builds on the work published in version 1.1 and those who helped on that version have helped on this version. A special thank you goes to the members of the TPM workgroup who had early access to this version and made invaluable contributions, corrections and support. David Grawrock TPM Workgroup chair Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 iv Level 2 Revision 94 29 March 2006 Draft TCG Published Change History Version Date Description Rev 50 Jul 2003 Started 01 Jul 2003 by David Grawrock Breakup into parts and the merge of 1.1 commands Rev 63 Oct 2003 Change history tied to part 1 and kept in part 1 (DP) Rev 71 Mar 2004 Change in terms from authorization data to AuthData. Rev 91 Sept 2005 The following modifications were made by Tasneem Brutch: § Update to section 6.2 informative, for TPM_OwnerClear. § Addtion of action item 15, to section 6.2, for TPM_OwnerClear. § Addition of "MAY" to section 20.1, TPM_NV_DefineSpace, Action 1(a). § Addition of a new Action (4) to Section 20.2, TPM_NV_WriteValue § Addtion of a new Action (3) to Section 20.4, TPM_NV_ReadValue. § Typo corrected in Section 21.1 § Moved TPM_GetCapabilityOwner from Section the Deleted Commands (section 28.1) to section 7.3. Added information on operands, command description and actions from Rev. 67. Rev 92 Sept 2005 Section 7.3 TPM_GetCapabilityOwner Ordinal was added to the outgoing params, which is not returned but is typically included in outParamDigest. Rev 92 Sept 2005 Corrected a copy and paste error: Part 3 20.2 TPM_NV_WriteValue Removed the Action "3. If D1 -> TPM_NV_PER_AUTHREAD is TRUE return TPM_AUTH_CONFLICT" Rev 93 Sept. 2005 Moved TPM_CertifySelfTest command to the deleted section. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Error! No text of specified style in document. v TCG Published Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 vi Level 2 Revision 94 29 March 2006 Draft TCG Published TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Error! No text of specified style in document. vii TCG Published Table of Contents 1. Scope and Audience...............................................................................................................................1 1.1 Key words ...................................................................................................................................2 1.2 Statement Type ...........................................................................................................................3 2. Description and TODO............................................................................................................................4 3. Admin Startup and State .........................................................................................................................5 3.1 TPM_Init .....................................................................................................................................5 3.2 TPM_Startup...............................................................................................................................6 3.3 TPM_SaveState ..........................................................................................................................9 4. Admin Testing ......................................................................................................................................11 4.1 TPM_SelfTestFull ......................................................................................................................11 4.2 TPM_ContinueSelfTest ..............................................................................................................12 4.3 TPM_GetTestResult ..................................................................................................................14 5. Admin Opt-in........................................................................................................................................15 5.1 TPM_SetOwnerInstall ................................................................................................................15 5.2 TPM_OwnerSetDisable ..............................................................................................................16 5.3 TPM_PhysicalEnable.................................................................................................................17 5.4 TPM_PhysicalDisable ................................................................................................................18 5.5 TPM_PhysicalSetDeactivated.....................................................................................................19 5.6 TPM_SetTempDeactivated.........................................................................................................20 5.7 TPM_SetOperatorAuth...............................................................................................................22 6. Admin Ownership .................................................................................................................................23 6.1 TPM_TakeOwnership ................................................................................................................23 6.2 TPM_OwnerClear......................................................................................................................26 6.3 TPM_ForceClear .......................................................................................................................29 6.4 TPM_DisableOwnerClear ...........................................................................................................30 6.5 TPM_DisableForceClear ............................................................................................................32 6.6 TSC_PhysicalPresence..............................................................................................................33 6.7 TSC_ResetEstablishmentBit.......................................................................................................36 7. The Capability Commands ....................................................................................................................37 7.1 TPM_GetCapability....................................................................................................................38 7.2 TPM_SetCapability ....................................................................................................................39 7.3 TPM_GetCapabilityOwner ..........................................................................................................41 8. Auditing ...............................................................................................................................................43 8.1 Audit Generation........................................................................................................................43 8.2 Effect of audit failing after completion of a command ....................................................................45 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 viii Level 2 Revision 94 29 March 2006 Draft TCG Published 8.3 TPM_GetAuditDigest .................................................................................................................46 8.4 TPM_GetAuditDigestSigned.......................................................................................................48 8.5 TPM_SetOrdinalAuditStatus .......................................................................................................51 9. Administrative Functions - Management .................................................................................................52 9.1 TPM_FieldUpgrade....................................................................................................................52 9.2 TPM_SetRedirection ..................................................................................................................54 9.3 TPM_ResetLockValue ...............................................................................................................56 10. Storage functions .................................................................................................................................58 10.1 TPM_Seal .................................................................................................................................58 10.2 TPM_Unseal .............................................................................................................................62 10.3 TPM_UnBind .............................................................................................................................66 10.4 TPM_CreateWrapKey ................................................................................................................69 10.5 TPM_LoadKey2.........................................................................................................................72 10.6 TPM_GetPubKey .......................................................................................................................76 10.7 TPM_Sealx ...............................................................................................................................78 11. Migration..............................................................................................................................................82 11.1 TPM_CreateMigrationBlob .........................................................................................................82 11.2 TPM_ConvertMigrationBlob........................................................................................................86 11.3 TPM_AuthorizeMigrationKey ......................................................................................................88 11.4 TPM_MigrateKey .......................................................................................................................90 11.5 TPM_CMK_SetRestrictions ........................................................................................................92 11.6 TPM_CMK_ApproveMA .............................................................................................................94 11.7 TPM_CMK_CreateKey ...............................................................................................................96 11.8 TPM_CMK_CreateTicket............................................................................................................99 11.9 TPM_CMK_CreateBlob ............................................................................................................ 101 11.10 TPM_CMK_ConvertMigration ................................................................................................... 106 12. Maintenance Functions (optional) ........................................................................................................ 109 12.1 TPM_CreateMaintenanceArchive.............................................................................................. 110 12.2 TPM_LoadMaintenanceArchive ................................................................................................ 112 12.3 TPM_KillMaintenanceFeature................................................................................................... 115 12.4 TPM_LoadManuMaintPub ........................................................................................................ 116 12.5 TPM_ReadManuMaintPub ....................................................................................................... 118 13. Cryptographic Functions ..................................................................................................................... 119 13.1 TPM_SHA1Start ...................................................................................................................... 119 13.2 TPM_SHA1Update .................................................................................................................. 120 13.3 TPM_SHA1Complete............................................................................................................... 121 13.4 TPM_SHA1CompleteExtend .................................................................................................... 122 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Error! No text of specified style in document. ix TCG Published 13.5 TPM_Sign ............................................................................................................................... 124 13.6 TPM_GetRandom.................................................................................................................... 126 13.7 TPM_StirRandom .................................................................................................................... 127 13.8 TPM_CertifyKey ...................................................................................................................... 128 13.9 TPM_CertifyKey2 .................................................................................................................... 133 14. Endorsement Key Handling ................................................................................................................. 137 14.1 TPM_CreateEndorsementKeyPair ............................................................................................ 138 14.2 TPM_CreateRevocableEK........................................................................................................ 140 14.3 TPM_RevokeTrust................................................................................................................... 142 14.4 TPM_ReadPubek .................................................................................................................... 143 14.5 TPM_OwnerReadInternalPub ................................................................................................... 144 15. Identity Creation and Activation ........................................................................................................... 146 15.1 TPM_MakeIdentity................................................................................................................... 146 15.2 TPM_ActivateIdentity ............................................................................................................... 150 16. Integrity Collection and Reporting ........................................................................................................ 153 16.1 TPM_Extend ........................................................................................................................... 154 16.2 TPM_PCRRead....................................................................................................................... 156 16.3 TPM_Quote............................................................................................................................. 157 16.4 TPM_PCR_Reset .................................................................................................................... 159 16.5 TPM_Quote2 ........................................................................................................................... 161 17. Changing AuthData ............................................................................................................................ 164 17.1 TPM_ChangeAuth ................................................................................................................... 164 17.2 TPM_ChangeAuthOwner ......................................................................................................... 167 18. Authorization Sessions ....................................................................................................................... 169 18.1 TPM_OIAP.............................................................................................................................. 169 18.1.1 Actions to validate an OIAP session ................................................................................... 169 18.2 TPM_OSAP ............................................................................................................................ 172 18.2.1 Actions to validate an OSAP session .................................................................................. 174 18.3 TPM_DSAP............................................................................................................................. 176 18.4 TPM_SetOwnerPointer ............................................................................................................ 180 19. Delegation Commands ....................................................................................................................... 182 19.1 TPM_Delegate_Manage .......................................................................................................... 182 19.2 TPM_Delegate_CreateKeyDelegation ....................................................................................... 186 19.3 TPM_Delegate_CreateOwnerDelegation................................................................................... 189 19.4 TPM_Delegate_LoadOwnerDelegation ..................................................................................... 192 19.5 TPM_Delegate_ReadTable ...................................................................................................... 195 19.6 TPM_Delegate_UpdateVerification ........................................................................................... 197 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 x Level 2 Revision 94 29 March 2006 Draft TCG Published 19.7 TPM_Delegate_VerifyDelegation .............................................................................................. 200 20. Non-volatile Storage ........................................................................................................................... 202 20.1 TPM_NV_DefineSpace ............................................................................................................ 203 20.2 TPM_NV_WriteValue............................................................................................................... 207 20.3 TPM_NV_WriteValueAuth ........................................................................................................ 210 20.4 TPM_NV_ReadValue............................................................................................................... 212 20.5 TPM_NV_ReadValueAuth........................................................................................................ 214 21. Session Management ......................................................................................................................... 216 21.1 TPM_KeyControlOwner ........................................................................................................... 216 21.2 TPM_SaveContext................................................................................................................... 219 21.3 TPM_LoadContext................................................................................................................... 222 22. Eviction.............................................................................................................................................. 224 22.1 TPM_FlushSpecific .................................................................................................................. 225 23. Timing Ticks....................................................................................................................................... 227 23.1 TPM_GetTicks......................................................................................................................... 227 23.2 TPM_TickStampBlob ............................................................................................................... 228 24. Transport Sessions ............................................................................................................................. 231 24.1 TPM_EstablishTransport .......................................................................................................... 231 24.2 TPM_ExecuteTransport ........................................................................................................... 235 24.3 TPM_ReleaseTransportSigned ................................................................................................. 242 25. Monotonic Counter ............................................................................................................................. 245 25.1 TPM_CreateCounter ................................................................................................................ 245 25.2 TPM_IncrementCounter ........................................................................................................... 248 25.3 TPM_ReadCounter.................................................................................................................. 250 25.4 TPM_ReleaseCounter.............................................................................................................. 251 25.5 TPM_ReleaseCounterOwner .................................................................................................... 253 26. DAA commands ................................................................................................................................. 255 26.1 TPM_DAA_Join ....................................................................................................................... 255 26.2 TPM_DAA_Sign ...................................................................................................................... 272 27. Deprecated commands ....................................................................................................................... 283 27.1 Key commands ........................................................................................................................ 284 27.1.1 TPM_EvictKey .................................................................................................................. 284 27.1.2 TPM_Terminate_Handle .................................................................................................... 285 27.2 Context management ............................................................................................................... 287 27.2.1 TPM_SaveKeyContext ...................................................................................................... 287 27.2.2 TPM_LoadKeyContext....................................................................................................... 289 27.2.3 TPM_SaveAuthContext ..................................................................................................... 290 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Error! No text of specified style in document. xi TCG Published 27.2.4 TPM_LoadAuthContext ..................................................................................................... 291 27.3 DIR commands ........................................................................................................................ 292 27.3.1 TPM_DirWriteAuth ............................................................................................................ 293 27.3.2 TPM_DirRead................................................................................................................... 295 27.4 Change Auth ........................................................................................................................... 296 27.4.1 TPM_ChangeAuthAsymStart ............................................................................................. 297 27.4.2 TPM_ChangeAuthAsymFinish ........................................................................................... 300 27.5 TPM_Reset ............................................................................................................................. 303 27.6 TPM_OwnerReadPubek .......................................................................................................... 304 27.7 TPM_DisablePubekRead ......................................................................................................... 305 27.8 TPM_LoadKey......................................................................................................................... 306 28. Deleted Commands ............................................................................................................................ 310 28.1 TPM_GetCapabilitySigned ....................................................................................................... 311 28.2 TPM_GetOrdinalAuditStatus..................................................................................................... 312 28.3 TPM_CertifySelfTest................................................................................................................ 313 End of Introduction do not delete TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 1 TCG Published 1. Scope and Audience1 The TPCA main specification is an industry specification that enables trust in computing2 platforms in general. The main specification is broken into parts to make the role of each3 document clear. A version of the specification (like 1.2) requires all parts to be a complete4 specification.5 This is Part 3 the structures that the TPM will use.6 This document is an industry specification that enables trust in computing platforms in7 general.8 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 2 Level 2 Revision 94 29 March 2006 Draft TCG Published 1.1 Key words9 The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD,"10 "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in the chapters 2-1011 normative statements are to be interpreted as described in [RFC-2119].12 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 3 TCG Published 1.2 Statement Type13 Please note a very important distinction between different sections of text throughout this14 document. You will encounter two distinctive kinds of text: informative comment and15 normative statements. Because most of the text in this specification will be of the kind16 normative statements, the authors have informally defined it as the default and, as such,17 have specifically called out text of the kind informative comment. They have done this by18 flagging the beginning and end of each informative comment and highlighting its text in19 gray. This means that unless text is specifically marked as of the kind informative20 comment, you can consider it of the kind normative statements.21 For example:22 Start of informative comment:23 This is the first paragraph of 1­n paragraphs containing text of the kind informative24 comment ...25 This is the second paragraph of text of the kind informative comment ...26 This is the nth paragraph of text of the kind informative comment ...27 To understand the TPM specification the user must read the specification. (This use of28 MUST does not require any action).29 End of informative comment.30 This is the first paragraph of one or more paragraphs (and/or sections) containing the text31 of the kind normative statements ...32 To understand the TPM specification the user MUST read the specification. (This use of33 MUST indicates a keyword usage and requires an action).34 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 4 Level 2 Revision 94 29 March 2006 Draft TCG Published 2. Description and TODO35 This document is to show the changes necessary to create the 1.2 version of the TCG36 specification. Some of the sections are brand new text; some are rewritten sections of the37 1.1 version. Upon approval of the 1.2 changes, there will be a merging of the 1.1 and 1.238 versions to create a single 1.2 document.39 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 5 TCG Published 3. Admin Startup and State40 Start of informative comment:41 This section is the commands that start a TPM.42 End of informative comment.43 3.1 TPM_Init44 Start of informative comment:45 TPM_Init is a physical method of initializing a TPM. There is no TPM_Init ordinal as this is a46 platform message sent on the platform internals to the TPM. On a PC this command arrives47 at the TPM via the LPC bus and informs the TPM that the platform is performing a boot48 process.49 TPM_Init puts the TPM into a state where it waits for the command TPM_Startup (which50 specifies the type of initialization that is required.51 End of informative comment.52 Definition53 TPM_Init();54 55 Operation of the TPM. This is not a command that any software can execute. It is inherent56 in the design of the TPM and the platform that the TPM resides on.57 Parameters58 None59 Description60 1. The TPM_Init signal indicates to the TPM that platform initialization is taking place. The61 TPM SHALL set the TPM into a state such that the only legal command to receive after62 the TPM_Init is the TPM_Startup command. The TPM_Startup will further indicate to the63 TPM how to handle and initialize the TPM resources.64 2. The platform design MUST be that the TPM is not the only component undergoing65 initialization. If the TPM_Init signal forces the TPM to perform initialization then the66 platform MUST ensure that ALL components of the platform receive an initialization67 signal. This is to prevent an attacker from causing the TPM to initialize to a state where68 various masquerades are allowable. For instance, on a PC causing the TPM to initialize69 and expect measurements in PCR0 but the remainder of the platform does not initialize.70 3. The design of the TPM MUST be such that the ONLY mechanism that signals TPM_Init71 also signals initialization to the other platform components.72 Actions73 1. The TPM sets TPM_STANY_FLAGS -> postInitialise to TRUE.74 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 6 Level 2 Revision 94 29 March 2006 Draft TCG Published 3.2 TPM_Startup75 Start of informative comment:76 TPM_Startup is always preceded by TPM_Init, which is the physical indication (a system-77 wide reset) that TPM initialization is necessary.78 There are many events on a platform that can cause a reset and the response to these79 events can require different operations to occur on the TPM. The mere reset indication does80 not contain sufficient information to inform the TPM as to what type of reset is occurring.81 Additional information known by the platform initialization code needs transmitting to the82 TPM. The TPM_Startup command provides the mechanism to transmit the information.83 The TPM can startup in three different modes:84 A "clear" start where all variables go back to their default or non-volatile set state85 A "save" start where the TPM recovers appropriate information and restores various values86 based on a prior TPM_SaveState. This recovery requires an invocation of TPM_Init to be87 successful.88 A failing "save" start must shut down the TPM. The CRTM cannot leave the TPM in a state89 where an untrusted upper software layer could issue a "clear" and then extend PCR's and90 thus mimic the CRTM.91 A "deactivated" start where the TPM turns itself off and requires another TPM_Init before92 the TPM will execute in a fully operational state.93 End of informative comment.94 Incoming Parameters and Sizes95 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal TPM_ORD_Startup 4 2 2S 2 TPM_STARTUP_TYPE startupType Type of startup that is occurring Outgoing Parameters and Sizes96 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Startup Description97 TPM_Startup MUST be generated by a trusted entity (the RTM or the TPM, for example).98 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 7 TCG Published Actions99 1. If TPM_STANY_FLAGS -> postInitialise is FALSE,100 a. Then the TPM MUST return TPM_INVALID_POSTINIT, and exit this capability101 2. If stType = TPM_ST_CLEAR102 a. Ensure that sessions associated with resources TPM_RT_CONTEXT, TPM_RT_AUTH103 and TPM_RT_TRANS are invalidated104 b. Reset TPM_STCLEAR_DATA -> PCR[] values to each correct default value105 i. pcrReset is FALSE, set to 0x00..00106 ii. pcrReset is TRUE, set to 0xFF..FF107 c. Set the following TPM_STCLEAR_FLAGS to their default state108 i. PhysicalPresence109 ii. PhysicalPresenceLock110 iii. disableForceClear111 d. The TPM MAY initialize auditDigest to NULL112 i. If not initialized to NULL the TPM SHALL ensure that auditDigest contains a valid113 value114 ii. If initialization fails the TPM SHALL set auditDigest to NULL and SHALL set the115 internal TPM state so that the TPM returns TPM_FAILEDSELFTEST to all116 subsequent commands.117 e. The TPM SHALL set TPM_STCLEAR_FLAGS -> deactivated to the same state as118 TPM_PERMANENT_FLAGS -> deactivated119 f. The TPM MUST set the TPM_STANY_DATA fields to:120 i. TPM_STANY_DATA->contextNonceSession is set to NULLS121 ii. TPM_STANY_DATA->contextCount is set to 0122 iii. TPM_STANY_DATA->contextList is set to 0123 g. The TPM MUST set TPM_STCLEAR_DATA fields to:124 i. Invalidate contextNonceKey125 ii. countID to NULL126 iii. ownerReference to TPM_KH_OWNER127 h. The TPM MUST set the following TPM_STCLEAR_FLAGS to128 i. bGlobalLock to FALSE129 i. Determine which keys should remain in the TPM130 i. For each key that has a valid preserved value in the TPM131 (1) if parentPCRStatus is TRUE then call TPM_FlushSpecific(keyHandle)132 (2) if IsVolatile is TRUE then call TPM_FlushSpecific(keyHandle)133 ii. Keys under control of the OwnerEvict flag MUST stay resident in the TPM134 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 8 Level 2 Revision 94 29 March 2006 Draft TCG Published 3. If stType = TPM_ST_STATE135 a. If the TPM has no state to restore the TPM MUST set the internal state such that it136 returns TPM_FAILEDSELFTEST to all subsequent commands137 b. The TPM MAY determine for each session type (authorization, transport...) to release138 or maintain the session information. The TPM reports how it manages sessions in the139 TPM_GetCapability command.140 c. The TPM SHALL take all necessary actions to ensure that all PCRs contain valid141 preserved values. If the TPM is unable to successfully complete these actions, it SHALL142 enter the TPM failure mode.143 i. For resettable PCR the TPM MUST set the value of TPM_STCLEAR_DATA ->144 PCR[]to the resettable PCR default value. The TPM MUST NOT restore a resettable145 PCR to a preserved value146 d. The TPM MAY initialize auditDigest to NULL147 i. Otherwise, the TPM SHALL take all actions necessary to ensure that auditDigest148 contains a valid value. If the TPM is unable to successfully complete these149 actions, the TPM SHALL initialize auditDigest to NULL and SHALL set the internal150 set such that the TPM returns TPM_FAILEDSELFTEST to all subsequent151 commands.152 e. The TPM MUST restore the following flags to their preserved states:153 i. All values in TPM_STCLEAR_FLAGS154 ii. All values in TPM_STCLEAR_DATA155 f. The TPM MUST restore all keys that have a valid preserved value156 g. The TPM resumes normal operation. If the TPM is unable to resume normal157 operation, it SHALL enter the TPM failure mode.158 4. If stType = TPM_ST_DEACTIVATED159 a. Invalidate sessions160 i. Ensure that all resources associated with saved and active sessions are161 invalidated162 b. Set the TPM_STCLEAR_FLAGS to their default state.163 c. Set TPM_STCLEAR_FLAGS -> deactivated to TRUE164 5. The TPM MUST ensure that state associated with TPM_SaveState is invalidated165 6. The TPM MUST set TPM_STANY_FLAGS -> postInitialise to FALSE166 a. postInitialize is set to FALSE even if the TPM is in failure mode.167 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 9 TCG Published 3.3 TPM_SaveState168 Start of informative comment:169 This warns a TPM to save some state information.170 If the relevant shielded storage is non-volatile, this command need have no effect.171 If the relevant shielded storage is volatile and the TPM alone is unable to detect the loss of172 external power in time to move data to non-volatile memory, this command should be173 presented before the TPM enters a low or no power state.174 End of informative comment.175 Incoming Parameters and Sizes176 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SaveState. Outgoing Parameters and Sizes177 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SaveState. Description178 1. Preserved values MUST be non-volatile.179 2. If data is never stored in a volatile medium, that data MAY be used as preserved data. In180 such cases, no explicit action may be required to preserve that data.181 3. If an explicit action is required to preserve data, it MUST be possible for the TPM to182 determine whether preserved data is valid.183 4. If a parameter mirrored by any preserved value is altered, all preserved values MUST be184 declared invalid.185 5. The TPM MAY declare all preserved values invalid in response to any command other186 than TPM_Init.187 Actions188 1. Store TPM_STCLEAR_DATA -> PCR contents except for189 a. If the PCR attribute pcrReset is TRUE190 b. Any platform identified debug PCR191 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 10 Level 2 Revision 94 29 March 2006 Draft TCG Published 2. The auditDigest MUST be handled according to the audit requirements as reported by192 TPM_GetCapability193 a. If the ordinalAuditStatus is TRUE for the TPM_SaveState ordinal and the auditDigest194 is being stored in the saved state, the saved auditDigest MUST include the195 TPM_SaveState input parameters and MUST NOT include the output parameters.196 3. All values in TPM_STCLEAR_DATA MUST be preserved197 4. All values in TPM_STCLEAR_FLAGS MUST be preserved198 5. The contents of any key that is currently loaded SHOULD be preserved if the key's199 parentPCRStatus indicator is FALSE and its IsVolatile indicator is FALSE.200 6. The contents of any key that has TPM_KEY_CONTROL_OWNER_EVICT set MUST be201 preserved202 7. The contents of any key that is currently loaded MAY be preserved as reported by203 TPM_GetCapability204 8. The contents of sessions (authorization, transport etc.) MAY be preserved as reported by205 TPM_GetCapability206 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 11 TCG Published 4. Admin Testing207 4.1 TPM_SelfTestFull208 Start of informative comment:209 TPM_SelfTestFull tests all of the TPM capabilities.210 Unlike TPM_ContinueSelfTest, which may optionally return immediately and then perform211 the tests, TPM_SelfTestFull always performs the tests and then returns success or failure.212 End of informative comment.213 Incoming Operands and Sizes214 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SelfTestFull Outgoing Operands and Sizes215 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SelfTestFull Actions216 1. TPM_SelfTestFull SHALL cause a TPM to perform self-test of each TPM internal function.217 a. If the self-test succeeds, return TPM_SUCCESS.218 b. If the self-test fails, return TPM_FAILEDSELFTEST.219 2. Failure of any test results in overall failure, and the TPM goes into failure mode.220 3. If the TPM has not executed the action of TPM_ContinueSelfTest, the TPM221 a. MAY perform the full self-test.222 b. MAY return TPM_NEEDS_SELFTEST.223 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 12 Level 2 Revision 94 29 March 2006 Draft TCG Published 4.2 TPM_ContinueSelfTest224 Start of informative comment:225 TPM_ContinueSelfTest informs the TPM that it should complete the self-test of all TPM226 functions.227 The TPM may return success immediately and then perform the self-test, or it may perform228 the self-test and then return success or failure.229 End of informative comment.230 Incoming Operands and Sizes231 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ContinueSelfTest Outgoing Operands and Sizes232 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ContinueSelfTest Description233 1. Prior to executing the actions of TPM_ContinueSelfTest, if the TPM receives a command234 C1 that uses an untested TPM function, the TPM MUST take one of these actions:235 a. The TPM MAY return TPM_NEEDS_SELFTEST236 i. This indicates that the TPM has not tested the internal resources required to237 execute C1.238 ii. The TPM does not execute C1.239 iii. The caller MUST issue TPM_ContinueSelfTest before re-issuing the command C1.240 (1) If the TPM permits TPM_SelfTestFull prior to completing the actions of241 TPM_ContinueSelfTest, the caller MAY issue TPM_SelfTestFull rather than242 TPM_ContinueSelfTest.243 b. The TPM MAY return TPM_DOING_SELFTEST244 i. This indicates that the TPM is doing the actions of TPM_ContinueSelfTest245 implicitly, as if the TPM_ContinueSelfTest command had been issued.246 ii. The TPM does not execute C1.247 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 13 TCG Published iii. The caller MUST wait for the actions of TPM_ContinueSelfTest to complete before248 reissuing the command C1.249 c. The TPM MAY return TPM_SUCCESS or an error code associated with C1.250 i. This indicates that the TPM has completed the actions of TPM_ContinueSelfTest251 and has completed the command C1.252 ii. The error code MAY be TPM_FAILEDSELFTEST.253 Actions254 1. If TPM_PERMANENT_FLAGS -> FIPS is TRUE or TPM_PERMANENT_FLAGS -> TPMpost255 is TRUE256 a. The TPM MUST run all self-tests257 2. Else258 a. The TPM MUST complete all self-tests that are outstanding259 i. Instead of completing all outstanding self-tests the TPM MAY run all self-tests260 3. The TPM either261 a. MAY immediately return TPM_SUCCESS262 i. When TPM_ContinueSelfTest finishes execution, it MUST NOT respond to the263 caller with a return code.264 b. MAY complete the self-test and then return TPM_SUCCESS or265 TPM_FAILEDSELFTEST.266 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 14 Level 2 Revision 94 29 March 2006 Draft TCG Published 4.3 TPM_GetTestResult267 Start of informative comment:268 TPM_GetTestResult provides manufacturer specific information regarding the results of the269 self-test. This command will work when the TPM is in self-test failure mode. The reason for270 allowing this command to operate in the failure mode is to allow TPM manufacturers to271 obtain diagnostic information.272 End of informative comment.273 Incoming Operands and Sizes274 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetTestResult Outgoing Operands and Sizes275 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetTestResult 4 4 3S 4 UINT32 outDataSize The size of the outData area 5 <> 4S <> BYTE[] outData The outData this is manufacturer specific Description276 This command will work when the TPM is in self test failure mode.277 Actions278 1. The TPM SHALL respond to this command with a manufacturer specific block of279 information that describes the result of the latest self-test280 2. The information MUST NOT contain any data that uniquely identifies an individual TPM.281 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 15 TCG Published 5. Admin Opt-in282 5.1 TPM_SetOwnerInstall283 Start of informative comment:284 When enabled but without an owner this command sets the PERMANENT flag that allows or285 disallows the ability to insert an owner.286 End of informative comment.287 Incoming Operands and Sizes288 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SetOwnerInstall 4 1 2S 1 BOOL state State to which ownership flag is to be set. Outgoing Operands and Sizes289 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SetOwnerInstall Action290 1. If the TPM has a current owner, this command immediately returns with291 TPM_SUCCESS.292 2. The TPM validates the assertion of physical access. The TPM then sets the value of293 TPM_PERMANENT_FLAGS -> ownership to the value in state.294 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 16 Level 2 Revision 94 29 March 2006 Draft TCG Published 5.2 TPM_OwnerSetDisable295 Start of informative comment:296 The TPM owner sets the PERMANENT disable flag297 End of informative comment.298 Incoming Operands and Sizes299 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_OwnerSetDisable 4 1 2S 1 BOOL disableState Value for disable state ­enable if TRUE 5 4 TPM_AUTHHANDLE authHandle The authorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 6 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 8 20 TPM_AUTHDATA ownerAuth The authorization session digest for inputs and owner authentication. HMAC key: ownerAuth. Outgoing Operands and Sizes300 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_OwnerSetDisable 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth The authorization session digest for the returned parameters. HMAC key: ownerAuth. Action301 1. The TPM SHALL authenticate the command as coming from the TPM Owner. If302 unsuccessful, the TPM SHALL return TPM_AUTHFAIL.303 2. The TPM SHALL set the TPM_PERMANENT_FLAGS -> disable flag to the value in the304 disableState parameter.305 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 17 TCG Published 5.3 TPM_PhysicalEnable306 Start of informative comment:307 Sets the PERMANENT disable flag to FALSE using physical presence as authorization.308 End of informative comment.309 Incoming Operands and Sizes310 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_PhysicalEnable Outgoing Operands and Sizes311 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_PhysicalEnable Action312 1. Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE313 2. The TPM SHALL set the TPM_PERMANENT_FLAGS.disable value to FALSE.314 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 18 Level 2 Revision 94 29 March 2006 Draft TCG Published 5.4 TPM_PhysicalDisable315 Start of informative comment:316 Sets the PERMANENT disable flag to TRUE using physical presence as authorization317 End of informative comment.318 Incoming Operands and Sizes319 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_PhysicalDisable Outgoing Operands and Sizes320 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_OR D_PhysicalDisable Action321 1. Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE322 2. The TPM SHALL set the TPM_PERMANENT_FLAGS.disable value to TRUE.323 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 19 TCG Published 5.5 TPM_PhysicalSetDeactivated324 Start of informative comment:325 Enables the TPM using physical presence as authorization.326 This command is not available when the TPM is disabled.327 End of informative comment.328 Incoming Operands and Sizes329 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_PhysicalSetDeactivated 4 1 2S 1 BOOL state State to which deactivated flag is to be set. Outgoing Operands and Sizes330 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_PhysicalSetDeactivated Action331 1. Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE332 2. The TPM SHALL set the TPM_PERMANENT_FLAGS.deactivated flag to the value in the333 state parameter.334 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 20 Level 2 Revision 94 29 March 2006 Draft TCG Published 5.6 TPM_SetTempDeactivated335 Start of informative comment:336 This command allows the operator of the platform to deactivate the TPM until the next boot337 of the platform.338 This command requires operator authentication. The operator can provide the339 authentication by either the assertion of physical presence or presenting the operator340 AuthData value.341 End of informative comment.342 Incoming Operands and Sizes343 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SetTempDeactivated 4 4 4 TPM_AUTHHANDLE authHandle Auth handle for operation validation. Session type MUST be OIAP 2H1 20 TPM_NONCE authLastNonceEven Even nonce prev iously generated by TPM to cover inputs 5 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 7 20 TPM_AUTHDATA operatorAuth HMAC key: operatorAuth Outgoing Operands and Sizes344 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SetTempDeactivated 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth The authorization session digest for the returned parameters. HMAC key: operatorAuth. Action345 1. If tag = TPM_TAG_REQ_AUTH1_COMMAND346 a. If TPM_PERMANENT_FLAGS -> operator is FALSE return TPM_NOOPERATOR347 b. Validate command and parameters using operatorAuth, on error return348 TPM_AUTHFAIL349 2. Else350 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 21 TCG Published a. If physical presence is not asserted the TPM MUST return TPM_BAD_PRESENCE351 3. The TPM SHALL set the TPM_STCLEAR_FLAGS.deactivated flag to the value TRUE.352 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 22 Level 2 Revision 94 29 March 2006 Draft TCG Published 5.7 TPM_SetOperatorAuth353 Start of informative comment:354 This command allows the setting of the operator AuthData value.355 There is no confidentiality applied to the operator authentication as the value is sent under356 the assumption of being local to the platform. If there is a concern regarding the path357 between the TPM and the keyboard then unless the keyboard is using encryption and a358 secure channel an attacker can read the values.359 End of informative comment.360 Incoming Operands and Sizes361 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SetOperatorAuth 4 20 2S 20 TPM_SECRET operatorAuth The operator AuthData Outgoing Operands and Sizes362 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SetOperatorAuth Action363 1. If physical presence is not asserted the TPM MUST return TPM_BAD_PRESENCE364 2. The TPM SHALL set the TPM_PERMANENT_DATA -> operatorAuth365 3. The TPM SHALL set TPM_PERMANENT_FLAGS -> operator to TRUE366 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 23 TCG Published 6. Admin Ownership367 6.1 TPM_TakeOwnership368 Start of informative comment:369 This command inserts the TPM Ownership value into the TPM.370 End of informative comment.371 Incoming Operands and Sizes372 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_TakeOwnership 4 2 2S 2 TPM_PROTOCOL_ID protocolID The ownership protocol in use. 5 4 3S 4 UINT32 encOwnerAuthSize The size of the encOwnerAuth field 6 <> 4S <> BYTE[ ] encOwnerAuth The owner AuthData encrypted with PUBEK 7 4 5S 4 UINT32 encSrkAuthSize The size of the encSrkAuth field 8 <> 6S <> BYTE[ ] encSrkAuth The SRK AuthData encrypted with PUBEK 9 <> 7S <> TPM_KEY srkParams Structure containing all parameters of new SRK. pubKey.keyLength & encSize are both 0. This structure MAY be TPM_KEY12. 10 4 TPM_AUTHHANDLE authHandle The authorization session handle used for this command 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 11 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 12 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 13 20 TPM_AUTHDATA ownerAuth Authorization session digest for input params. HMAC key: the new ownerAuth value. See actions for validation operations 373 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 24 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Operands and Sizes374 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_TakeOwnership 4 <> 3S <> TPM_KEY srkPub Structure containing all parameters of new SRK. srkPub.encData is set to 0. This structure MAY be TPM_KEY12. 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 7 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: the new ownerAuth value Description375 The type of the output srkPub MUST be the same as the type of the input srkParams, either376 both TPM_KEY or both TPM_KEY12.377 Actions378 1. If TPM_PERMANENT_DATA -> ownerAuth is valid return TPM_OWNER_SET379 2. If TPM_PERMANENT_FLAGS -> ownership is FALSE return TPM_INSTALL_DISABLED380 3. If TPM_PERMANENT_DATA -> endorsementKey is invalid return381 TPM_NO_ENDORSEMENT382 4. Verify that authHandle is of type OIAP on error return TPM_AUTHFAIL383 5. Create A1 a TPM_SECRET by decrypting encOwnerAuth using PRIVEK as the key384 a. This requires that A1 was encrypted using the PUBEK385 b. Validate that A1 is a length of 20 bytes, on error return TPM_BAD_KEY_PROPERTY386 6. Validate the command and parameters using A1 and ownerAuth, on error return387 TPM_AUTHFAIL388 7. Validate srkParams389 a. If srkParams -> keyUsage is not TPM_KEY_STORAGE return390 TPM_INVALID_KEYUSAGE391 b. If srkParams -> migratable is TRUE return TPM_INVALID_KEYUSAGE392 c. If srkParams -> algorithmParms -> algorithmID is NOT TPM_ALG_RSA return393 TPM_BAD_KEY_PROPERTY394 d. If srkParams -> algorithmParms -> encScheme is NOT395 TPM_ES_RSAESOAEP_SHA1_MGF1 return TPM_BAD_KEY_PROPERTY396 e. If srkParams -> algorithmParms -> sigScheme is NOT TPM_SS_NONE return397 TPM_BAD_KEY_PROPERTY398 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 25 TCG Published f. If srkParams -> algorithmParms -> parms -> keyLength MUST be greater than or399 equal to 2048, on error return TPM_BAD_KEY_PROPERTY400 g. If TPM_PERMANENT_FLAGS -> FIPS is TRUE401 i. If srkParams -> authDataUsage specifies TPM_AUTH_NEVER return402 TPM_NOTFIPS403 8. Generate K1 according to the srkParams on error return TPM_BAD_KEY_PROPERTY404 9. Create A2 a TPM_SECRET by decrypting encSrkAuth using the PRIVEK405 a. This requires A2 to be encrypted using the PUBEK406 b. Validate that A2 is a length of 20 bytes, on error return TPM_BAD_KEY_PROPERTY407 c. Store A2 in K1 -> usageAuth408 10.Store K1 in TPM_PERMANENT_DATA -> srk409 11.Store A1 in TPM_PERMANENT_DATA -> ownerAuth410 12.Create TPM_PERMANENT_DATA -> contextKey according to the rules for the algorithm411 in use by the TPM to save context blobs412 13.Create TPM_PERMANENT_DATA -> delegateKey according to the rules for the algorithm413 in use by the TPM to save delegate blobs414 14.Create TPM_PERMANENT_DATA -> tpmProof by using the TPM RNG415 15.Export TPM_PERMANENT_DATA -> srk as srkPub416 16.Set TPM_PERMANENT_FLAGS -> readPubek to FALSE417 17.Calculate resAuth using the newly established TPM_PERMANENT_DATA -> ownerAuth418 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 26 Level 2 Revision 94 29 March 2006 Draft TCG Published 6.2 TPM_OwnerClear419 Start of informative comment:420 The TPM_OwnerClear command performs the clear operation under Owner authentication.421 This command is available until the Owner executes the TPM_DisableOwnerClear, at which422 time any further invocation of this command returns TPM_CLEAR_DISABLED.423 All state in the TPM should be cleared when the command TPM_OwnerClear is invoked.424 End of informative comment.425 Incoming Operands and Sizes426 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_OwnerClear 4 4 TPM_AUTHHANDLE authHandle The authorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 5 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Ignored 7 20 TPM_AUTHDATA ownerAuth The authorization session digest for inputs and owner authentication. HMAC key: ownerAuth. Outgoing Operands and Sizes427 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_OwnerClear 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Fixed value FALSE 6 20 TPM_AUTHDATA resAuth The authorization session digest for the returned parameters. HMAC key: old ownerAuth. Actions428 1. Verify that the TPM Owner authorizes the command and all of the input, on error return429 TPM_AUTHFAIL.430 2. If TPM_PERMANENT_FLAGS -> disableOwnerClear is TRUE then return431 TPM_CLEAR_DISABLED.432 3. Unload all loaded keys.433 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 27 TCG Published 4. The TPM MUST NOT modify the following TPM_PERMANENT_DATA items434 a. endorsementKey435 b. revMajor436 c. revMinor437 d. manuMaintPub438 e. auditMonotonicCounter439 f. monotonicCounter440 g. pcrAttrib441 h. rngState442 i. EKReset443 j. maxNVBufSize444 k. lastFamilyID445 l. tpmDAASeed446 m. authDIR[0]447 5. The TPM MUST invalidate the following TPM_PERMANENT_DATA items and any internal448 resources associated with these items449 a. ownerAuth450 b. srk451 c. delegateKey452 d. delegateTable453 e. contextKey454 f. tpmProof455 g. operatorAuth456 6. The TPM MUST reset to manufacturing defaults the following TPM_PERMANENT_DATA457 items458 a. noOwnerNVWrite MUST be set to 0459 b. ordinalAuditStatus460 c. restrictDelegate461 7. The TPM MUST invalidate or reset all fields of TPM_STANY_DATA462 a. Nonces SHALL be reset463 b. Lists (e.g. contextList) SHALL be invalidated464 8. The TPM MUST invalidate or reset all fields of TPM_STCLEAR_DATA465 a. Nonces SHALL be reset466 b. Lists (e.g. contextList) SHALL be invalidated467 9. The TPM MUST set the following TPM_PERMANENT_FLAGS to their default values468 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 28 Level 2 Revision 94 29 March 2006 Draft TCG Published a. disable469 b. deactivated470 c. readPubek471 d. disableOwnerClear472 10.The TPM MUST set the following TPM_PERMANENT_FLAGS473 a. ownership to TRUE474 b. operator to FALSE475 c. maintenanceDone to FALSE476 d. allowMaintenance to TRUE477 11.The TPM releases all TPM_PERMANENT_DATA -> monotonicCounter settings478 a. This includes invalidating all currently allocated counters. The result will be no479 currently allocated counters and the new owner will need to allocate counters. The480 actual count value will continue to increase.481 12.The TPM MUST deallocate all defined NV storage areas where482 TPM_NV_PER_OWNERWRITE is TRUE and nvIndex does not have the "D" bit set and483 MUST NOT deallocate any other currently defined NV storage areas.484 13.The TPM MUST invalidate all familyTable entries485 14.The TPM MUST terminate all OSAP, DSAP, and transport sessions.486 15.The TPM MUST terminate all sessions, active or saved.487 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 29 TCG Published 6.3 TPM_ForceClear488 Start of informative comment:489 The TPM_ForceClear command performs the Clear operation under physical access. This490 command is available until the execution of the TPM_DisableForceClear, at which time any491 further invocation of this command returns TPM_CLEAR_DISABLED.492 End of informative comment.493 Incoming Operands and Sizes494 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ForceClear Outgoing Operands and Sizes495 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ForceClear Actions496 1. The TPM SHALL check for the assertion of physical presence, if not present return497 TPM_BAD_PRESENCE498 2. If TPM_STCLEAR_FLAGS -> disableForceClear is TRUE return TPM_CLEAR_DISABLED499 3. The TPM SHALL execute the actions of TPM_OwnerClear (except for the TPM Owner500 authentication check)501 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 30 Level 2 Revision 94 29 March 2006 Draft TCG Published 6.4 TPM_DisableOwnerClear502 Start of informative comment:503 The TPM_DisableOwnerClear command disables the ability to execute the TPM_OwnerClear504 command permanently. Once invoked the only method of clearing the TPM will require505 physical access to the TPM.506 After the execution of TPM_ForceClear, ownerClear is re-enabled and must be explicitly507 disabled again by the new TPM Owner.508 End of informative comment.509 Incoming Operands and Sizes510 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DisableOwnerClear 4 4 TPM_AUTHHANDLE authHandle The authorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 5 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 7 20 TPM_AUTHDATA ownerAuth The authorization session digest for inputs and owner authentication. HMAC key: ownerAuth. Outgoing Operands and Sizes511 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DisableOwnerClear 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth The authorization session digest for the returned parameters. HMAC key: ownerAuth. Actions512 1. The TPM verifies that the authHandle properly authorizes the owner.513 2. The TPM sets the TPM_PERMANENT_FLAGS -> disableOwnerClear flag to TRUE.514 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 31 TCG Published 3. When this flag is TRUE the only mechanism that can clear the TPM is the515 TPM_ForceClear command. The TPM_ForceClear command requires physical access to516 the TPM to execute.517 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 32 Level 2 Revision 94 29 March 2006 Draft TCG Published 6.5 TPM_DisableForceClear518 Start of informative comment:519 The TPM_DisableForceClear command disables the execution of the TPM_ForceClear520 command until the next startup cycle. Once this command is executed, the TPM_ForceClear521 is disabled until another startup cycle is run.522 End of informative comment.523 Incoming Operands and Sizes524 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DisableForceClear Outgoing Operands and Sizes525 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DisableForceClear Actions526 1. The TPM sets the TPM_STCLEAR_FLAGS.disableForceClear flag in the TPM that disables527 the execution of the TPM_ForceClear command.528 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 33 TCG Published 6.6 TSC_PhysicalPresence529 Start of informative comment:530 Some TPM operations require the indication of a human's physical presence at the platform.531 The presence of the human either provides another indication of platform ownership or a532 mechanism to ensure that the execution of the command is not the result of a remote533 software process.534 This command allows a process on the platform to indicate the assertion of physical535 presence. As this command is executable by software there must be protections against the536 improper invocation of this command.537 The physicalPresenceHWEnable and physicalPresenceCMDEnable indicate the ability for538 either SW or HW to indicate physical presence. These flags can be reset until the539 physicalPresenceLifetimeLock is set. The platform manufacturer should set these flags to540 indicate the capabilities of the platform the TPM is bound to.541 The command provides two sets of functionality. The first is to enable, permanently, either542 the HW or the SW ability to assert physical presence. The second is to allow SW, if enabled,543 to assert physical presence.544 End of informative comment.545 Incoming Operands and Sizes546 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TSC_ORD_PhysicalPresence. 4 2 2S 2 TPM_PHYSICAL_PRESENCE physicalPresence The state to set the TPM's Physical Presence flags. Outgoing Operands and Sizes547 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TSC_ORD_PhysicalPresence. Actions548 1. For documentation ease, the bits break into two categories. The first is the lifetime549 settings and the second is the assertion settings.550 a. Define A1 to be the lifetime settings: TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK,551 TPM_PHYSICAL_PRESENCE_HW_ENABLE, TPM_PHYSICAL_PRESENCE_CMD_ENABLE,552 TPM_PHYSICAL_PRESENCE_HW_DISABLE, and553 TPM_PHYSICAL_PRESENCE_CMD_DISABLE554 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 34 Level 2 Revision 94 29 March 2006 Draft TCG Published b. Define A2 to be the assertion settings: TPM_PHYSICAL_PRESENCE_LOCK,555 TPM_PHYSICAL_PRESENCE_PRESENT, and TPM_PHYSICAL_PRESENCE_NOTPRESENT556 Lifetime lock settings557 2. If any A1 setting is present558 a. If TPM_PERMANENT_FLAGS -> physicalPresenceLifetimeLock is TRUE, return559 TPM_BAD_PARAMETER560 b. If any A2 setting is present return TPM_BAD_PARAMETER561 c. If both physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_ENABLE and562 physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_DISABLE are TRUE, return563 TPM_BAD_PARAMETER.564 d. If both physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_ENABLE and565 physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_DISABLE are TRUE, return566 TPM_BAD_PARAMETER.567 e. If physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_ENABLE is TRUE Set568 TPM_PERMANENT_FLAGS -> physicalPresenceHWEnable to TRUE569 f. If physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_DISABLE is TRUE Set570 TPM_PERMANENT_FLAGS -> physicalPresenceHWEnable to FALSE571 g. If physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_ENABLE is TRUE, Set572 TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable to TRUE.573 h. If physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_DISABLE is TRUE, Set574 TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable to FALSE.575 i. If physicalPresence -> TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK is TRUE576 i. Set TPM_PERMANENT_FLAGS -> physicalPresenceLifetimeLock to TRUE577 j. Return TPM_SUCCESS578 SW physical presence assertion579 3. If any A2 setting is present580 a. If any A1 setting is present return TPM_BAD_PARAMETER581 i. This check here just for consistency, the prior checks would have already ensured582 that this was ok583 b. If TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable is FALSE, return584 TPM_BAD_PARAMETER585 c. If both physicalPresence -> TPM_PHYSICAL_PRESENCE_LOCK and physicalPresence586 -> TPM_PHYSICAL_PRESENCE_PRESENT are TRUE, return TPM_BAD_PARAMETER587 d. If both physicalPresence -> TPM_PHYSICAL_PRESENCE_PRESENT and588 physicalPresence -> TPM_PHYSICAL_PRESENCE_NOTPRESENT are TRUE, return589 TPM_BAD_PARAMETER590 e. If TPM_STCLEAR_FLAGS -> physicalPresenceLock is TRUE, return591 TPM_BAD_PARAMETER592 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 35 TCG Published f. If physicalPresence -> TPM_PHYSICAL_PRESENCE_LOCK is TRUE593 i. Set TPM_STCLEAR_FLAGS -> physicalPresence to FALSE594 ii. Set TPM_STCLEAR_FLAGS -> physicalPresenceLock to TRUE595 iii. Return TPM_SUCCESS596 g. If physicalPresence -> TPM_PHYSICAL_PRESENCE_PRESENT is TRUE597 i. Set TPM_STCLEAR_FLAGS -> physicalPresence to TRUE598 h. If physicalPresence -> TPM_PHYSICAL_PRESENCE_NOTPRESENT is TRUE599 i. Set TPM_STCLEAR_FLAGS -> physicalPresence to FALSE600 i. Return TPM_SUCCESS601 4. Else // There were no A1 or A2 parameters set602 a. Return TPM_BAD_PARAMETER603 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 36 Level 2 Revision 94 29 March 2006 Draft TCG Published 6.7 TSC_ResetEstablishmentBit604 Start of informative comment:605 The PC TPM Interface Specification (TIS) specifies setting tpmEstablished to TRUE upon606 execution of the HASH_START sequence. The setting implies the creation of a Trusted607 Operating System on the platform. Platforms will use the value of tpmEstablished to608 determine if operations necessary to maintain the security perimeter are necessary.609 The tpmEstablished bit provides a non-volatile, secure reporting that a HASH_START was610 previously run on the platform. When a platform makes use of the tpmEstablished bit, the611 platform can reset tpmEstablished as the operation is no longer necessary.612 For example, a platform could use tpmEstablished to ensure that, if HASH_START had ever613 been, executed the platform could use the value to invoke special processing. Once the614 processing is complete the platform will wish to reset tpmEstablished to avoid invoking the615 special process again.616 The TPM_PERMANENT_FLAGS -> tpmEstablished bit described in the TPM specifications617 uses positive logic. The TPM_ACCESS register uses negative logic, so that TRUE is reflected618 as a 0.619 End of informative comment.620 Incoming Operands and Sizes621 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TSC_ORD_ResetEstablishmentBit Outgoing Operands and Sizes622 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TSC_ORD_ResetEstablishmentBit Actions623 1. Validate the assertion of locality 3 or locality 4624 2. Set TPM_PERMANENT_FLAGS -> tpmEstablished to FALSE625 3. Return TPM_SUCCESS626 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 37 TCG Published 7. The Capability Commands627 Start of informative comment:628 The TPM has numerous capabilities that a remote entity may wish to know about. These629 items include support of algorithms, key sizes, protocols and vendor-specific additions. The630 TPM_GetCapability command allows the TPM to report back to the requestor what type of631 TPM it is dealing with.632 The request for information requires the requestor to specify which piece of information that633 is required. The request does not allow the "merging" of multiple requests and returns only634 a single piece of information.635 In failure mode, the TPM returns a limited set of information that includes the TPM636 manufacturer and version.637 In version 1.2 with the deletion of TPM_GetCapabilitySigned the way to obtain a signed638 listing of the capabilities is to create a transport session, perform TPM_GetCapability639 commands to list the information and then close the transport session using640 TPM_ReleaseTransportSigned.641 End of informative comment.642 1. The standard information provided in TPM_GetCapability MUST NOT provide unique643 information644 a. The TPM has no control of information placed into areas on the TPM like the NV store645 that is reported by the TPM. Configuration information for these areas could conceivably646 be unique647 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 38 Level 2 Revision 94 29 March 2006 Draft TCG Published 7.1 TPM_GetCapability648 Start of informative comment:649 This command returns current information regarding the TPM.650 The limitation on what can be returned in failure mode restricts the information a651 manufacturer may return when capArea indicates TPM_CAP_MFR.652 End of informative comment.653 Incoming Parameters and Sizes654 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetCapability 4 4 2S 4 TPM_CAPABILITY_AREA capArea Partition of capabilities to be interrogated 5 4 3S 4 UINT32 subCapSize Size of subCap parameter 6 <> 4S <> BYTE[] subCap Further definition of information Outgoing Parameters and Sizes655 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetCapability 4 4 3S 4 UINT32 respSize The length of the returned capability response 5 <> 4S <> BYTE[ ] resp The capability response Actions656 1. The TPM validates the capArea and subCap indicators. If the information is available,657 the TPM creates the response field and fills in the actual information.658 2. The structure document contains the list of caparea and subCap values659 3. If the TPM is in failure mode660 a. The TPM MUST only return TPM manufacturer and TPM version.661 4. If the TPM is in limited operation mode662 a. The TPM MUST only return TPM_CAP_PROPERTY -> TPM_CAP_PROP_DURATION.663 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 39 TCG Published 7.2 TPM_SetCapability664 Start of informative comment:665 This command sets values in the TPM.666 A setValue that is inconsistent with the capArea and subCap is considered a bad667 parameter.668 End of informative comment.669 Incoming Parameters and Sizes670 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal ordinal:TPM_ORD_SetCapability 4 4 2S 4 TPM_CAPABILITY_AREA capArea Partition of capabilities to be set 5 4 3S 4 UINT32 subCapSize Size of subCap parameter 6 <> 4S <> BYTE[] subCap Further definition of information 7 4 5S 4 UINT32 setValueSize The size of the value to set 8 <> 6S <> BYTE[] setValue The value to set 9 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 10 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 11 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 12 20 TPM_AUTHDATA ownerAuth Authorization. HMAC key: owner.usageAuth. Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 40 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Parameters and Sizes671 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal ordinal:TPM_ORD_SetCapability 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth Authorization HMAC key:owner.usageAuth. Actions672 1. If tag = TPM_TAG_RQU_AUTH1_COMMAND, validate the command and parameters673 using ownerAuth, return TPM_AUTHFAIL on error674 2. The TPM validates the capArea and subCap indicators, including the ability to set value675 based on any set restrictions676 3. If the capArea and subCap indicators conform with one of the entries in the structure677 TPM_CAPABILITY_AREA (Values for TPM_SetCapability)678 a. The TPM sets the relevant flag/data to the value of setValue parameter.679 4. Else680 a. Return the error code TPM_BAD_PARAMETER.681 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 41 TCG Published 7.3 TPM_GetCapabilityOwner682 Start of informative comment:683 It can provide information to TPM_GetCapabilitySigned which may result in an invalid684 signature.685 TPM_GetCapabilityOwner enables the TPM Owner to retrieve all the non-volatile flags and686 the volatile flags in a single operation. This command is deprecated, mandatory.687 The flags summarize many operational aspects of the TPM. The information represented by688 some flags is private to the TPM Owner. So, for simplicity, proof of ownership of the TPM689 must be presented to retrieve the set of flags. When necessary, the flags that are not private690 to the Owner can be deduced by Users via other (more specific) means.691 The normal TPM authentication mechanisms are sufficient to prove the integrity of the692 response. No additional integrity check is required.693 End of informative comment.694 Incoming Operands and Sizes695 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COM MAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetCapbilityOwner 4 4 TPM_AUTHHANDLE authHandle The authorization handle used for Owner authorization. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 5 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization handle 7 20 TPM_AUTHDATA ownerAuth The authorization digest for inputs and owner authorization. HMAC key: OwnerAuth. 696 Outgoing Operands and Sizes697 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. See section 4.3. 2S 4 TPM_COMMAND_CODE ordinal Ordinal:TPM_ORD_GetCapabilityOwner 4 4 3S 4 TPM_VERSION version A properly filled out version structure. 5 4 4S 4 UINT32 non_volatile_flags The current state of the non-volatile flags. 6 4 5S 4 UINT32 volatile_flags The current state of the volatile flags. 7 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 42 Level 2 Revision 94 29 March 2006 Draft TCG Published 9 20 TPM_AUTHDATA resAuth The authorization digest for the returned parameters. HMAC key: OwnerAuth. 698 Description699 For 31>=N>=0700 1. Bit-N of the TPM_PERMANENT_FLAGS structure is the Nth bit after the opening bracket701 in the definition of TPM_PERMANENT_FLAGS in the version of the specification702 indicated by the parameter "ve rsion". The bit immediately after the opening bracket is703 the 0th bit.704 2. Bit-N of the TPM_STCLEAR_FLAGS structure is the Nth bit after the opening bracket in705 the definition of TPM_STCLEAR_FLAGS in the version of the specification indicated by706 the parameter "version". The bit immediately after the opening bracket is the 0th bit.707 3. Bit-N of non_volatile_flags corresponds to the Nth bit in TPM_PERMANENT_FLAGS, and708 the lsb of non_volatile_flags corresponds to bit0 of TPM_PERMANENT_FLAGS709 4. Bit-N of volatile_flags corresponds to the Nth bit in TPM_STCLEAR_FLAGS, and the lsb710 of volatile_flags corresponds to bit0 of TPM_STCLEAR_FLAGS711 Actions712 1. The TPM validates that the TPM Owner authorizes the command.713 2. The TPM creates the parameter non_volatile_flags by setting each bit to the same state714 as the corresponding bit in TPM_PERMANENT_FLAGS. Bits in non_volatile_flags for715 which there is no corresponding bit in TPM_PERMANENT_FLAGS are set to zero.716 3. The TPM creates the parameter volatile_flags by setting each bit to the same state as the717 corresponding bit in TPM_STCLEAR_FLAGS. Bits in volatile_flags for which there is no718 corresponding bit in TPM_STCLEAR_FLAGS are set to zero.719 4. The TPM generates the parameter "version".720 5. The TPM returns non_volatile_flags, volatile_flags and version to the caller.721 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 43 TCG Published 8. Auditing722 8.1 Audit Generation723 Start of informative comment:724 The TPM generates an audit event in response to the TPM executing a function that has the725 audit flag set to TRUE for that function.726 The TPM maintains an extended value for all audited operations.727 Input audit generation occurs before the listed actions and output audit generation occurs728 after the listed actions.729 End of informative comment.730 Description731 1. The TPM extends the audit digest whenever the ordinalAuditStatus is TRUE for the732 ordinal about to be executed. The only exception is if the ordinal about to be executed is733 TPM_SetOrdinalAuditStatus. In that case, output parameter auditing is performed if the734 ordinalAuditStatus resulting from command execution is TRUE.735 2. If the command is malformed736 a. If the ordinal is unknown, unimplemented, or cannot be determined, no auditing is737 performed.738 b. If the ordinal is known and audited, but the "above the line" parameters are739 malformed and the input parameter digest cannot be determined, use an input digest of740 all zeros.741 i. Use an output digest of the return code and ordinal.742 c. If the ordinal is known and audited, the "above the line" parameters are determined,743 but the "below the line" parameters are malformed, use an input digest of the "above the744 line" parameters.745 i. Use an output digest of the return code and ordinal.746 d. Malformed in this context means that, when breaking up a command into its747 parameters, there are too few or too many bytes in the command stream.748 e. Breaking up a command in this context means only the parsing required to extract749 the parameters.750 i. E.g., for parameter set comprising a UINT32 size and a BYTE[] array, the BYTE[]751 array should not be further parsed.752 Actions753 The TPM will execute the ordinal and perform auditing in the following manner754 1. Map V1 to TPM_STANY_DATA755 2. Map P1 to TPM_PERMANENT_DATA756 3. If V1 -> auditDigest is NULL757 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 44 Level 2 Revision 94 29 March 2006 Draft TCG Published a. Increment P1 -> auditMonotonicCounter by 1758 4. Create A1 a TPM_AUDIT_EVENT_IN structure759 a. Set A1 -> inputParms to the digest of the input parameters from the command760 i. Digest value according to the HMAC digest rules of the "above the line"761 parameters (i.e. the first HMAC digest calculation).762 b. Set A1 -> auditCount to P1 -> auditMonotonicCounter763 c. Set V1 -> auditDigest to SHA-1 (V1 -> auditDigest || A1)764 5. Execute command765 a. Execution implies the performance of the listed actions for the ordinal.766 6. Create A2 a TPM_AUDIT_EVENT_OUT structure767 a. Set A2 -> outputParms to the digest of the output parameters from the command768 i. Digest value according to the HMAC digest rules of the "above the line"769 parameters (i.e. the first HMAC digest calculation).770 b. Set A2 -> auditCount to P1 -> auditMonotonicCounter771 c. Set V1 -> auditDigest to SHA-1 (V1 -> auditDigest || A2)772 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 45 TCG Published 8.2 Effect of audit failing after completion of a command773 Start of informative comment:774 An operation could complete and then when the TPM attempts to audit the command the775 audit process could have an internal error.776 With one return parameter, The TPM is unable to return both the audit failure and the777 command success or failure results. To indicate the audit failure, the TPM will return one of778 two error codes: TPM_AUDITFAIL_SUCCESSFUL (if the command completed successfully)779 or TPM_AUDITFAIL_UNSUCCESSFUL (if the command completed unsuccessfully).780 This new functionality changes the 1.1 TPM functionality when this condition occurs.781 End of informative comment.782 1. When after completion of an operation, and in performing the audit process, the TPM783 has an internal failure (unable to write, SHA-1 failure etc.) the TPM MUST set the784 internal TPM state such that the TPM returns the TPM_FAILEDSELFTEST error on785 subsequent attempts to execute a command786 2. The return code for the command uses the following rules787 a. Command result success, Audit success -> return TPM_SUCCESS788 b. Command result failure, Audit success -> return command result failure789 c. Command result success, Audit failure -> return TPM_AUDITFAIL_SUCCESSFUL790 d. Command result failure, Audit failure -> return TPM_AUDITFAIL_UNSUCCESSFUL791 3. If the TPM is permanently nonrecoverable after an audit failure, then the TPM MUST792 always return TPM_FAILEDSELFTEST for every command other than793 TPM_GetTestResult. This state must persist regardless of power cycling, the execution of794 TPM_Init or any other actions.795 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 46 Level 2 Revision 94 29 March 2006 Draft TCG Published 8.3 TPM_GetAuditDigest796 Start of informative comment:797 This returns the current audit digest. The external audit log has the responsibility to track798 the parameters that constitute the audit digest.799 This value may be unique to an individual TPM. The value however will be changing at a800 rate set by the TPM Owner. Those attempting to use this value may find it changing without801 their knowledge. This value represents a very poor source of tracking uniqueness.802 End of informative comment.803 Incoming Parameters and Sizes804 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetAuditDigest 4 4 UINT32 startOrdinal The starting ordinal for the list of audited ordinals Outgoing Parameters and Sizes805 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG Tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 TPM_RESULT returnCode The return code of the operation. 5 10 TPM_COUNTER_VALUE counterValue The current value of the audit monotonic counter 4 20 TPM_DIGEST auditDigest Log of all audited events 5 1 BOOL more TRUE if the output does not contain a full list of audited ordinals 5 4 UINT32 ordSize Size of the ordinal list in bytes 6 <> UINT32[] ordList List of ordinals that are audited. Description806 1. This command is never audited.807 Actions808 1. The TPM sets auditDigest to TPM_STANY_DATA -> auditDigest809 2. The TPM sets counterValue to TPM_PERMANENT_DATA -> auditMonotonicCounter810 3. The TPM creates an ordered list of audited ordinals. The list starts at startOrdinal listing811 each ordinal that is audited.812 a. If startOrdinal is 0 then the first ordinal that could be audited would be TPM_OIAP813 (ordinal 0x0000000A)814 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 47 TCG Published b. The next ordinal would be TPM_OSAP (ordinal 0x0000000B)815 4. If the ordered list does not fit in the output buffer the TPM sets more to TRUE816 5. Return TPM_STANY_DATA -> auditDigest as auditDigest817 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 48 Level 2 Revision 94 29 March 2006 Draft TCG Published 8.4 TPM_GetAuditDigestSigned818 Start of informative comment:819 The signing of the audit log returns the entire digest value and the list of currently audited820 commands.821 The inclusion of the list of audited commands as an atomic operation is to tie the current822 digest value with the list of commands that are being audited.823 Note to future architects824 When auditing functionality is active in a TPM, it may seem logical to remove this ordinal825 from the active set of ordinals as the signing functionality of this command could be826 handled in a signed transport session. While true, this command has a secondary affect827 also, resetting the audit log digest. As the reset requires TPM Owner authentication, there828 must be some way in this command to reflect the TPM Owner wishes. By requiring that a829 TPM Identity key be the only key that can sign and reset, the TPM Owner's authentication is830 implicit in the execution of the command (TPM Identity Keys are created and controlled by831 the TPM Owner only). Hence, while one might want to remove an ordinal this is not one that832 can be removed if auditing is functional.833 End of informative comment.834 Incoming Parameters and Sizes835 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetAuditDigestSigned 4 4 TPM_KEY_HANDLE keyHandle The handle of a loaded key that can perform digital signatures. 5 1 2S 1 BOOL closeAudit Indication if audit session should be closed 6 20 3S 20 TPM_NONCE antiReplay A nonce to prevent replay attacks 7 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for key authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 10 20 TPM_AUTHDATA keyAuth Authorization. HMAC key: key.usageAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 49 TCG Published Outgoing Parameters and Sizes836 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetAuditDigestSigned 4 10 3S 10 TPM_COUNTER_VALUE counterValue The value of the audit monotonic counter 5 20 4S 20 TPM_DIGEST auditDigest Log of all audited events 6 20 5S 20 TPM_DIGEST ordinalDigest Digest of all audited ordinals 7 4 6S 4 UINT32 sigSize The size of the sig parameter 8 <> 7S <> BYTE[] sig The signature of the area 9 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 10 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 11 20 TPM_AUTHDATA resAuth Authorization HMAC key: key.usageAuth. Actions837 1. Validate the AuthData and parameters using keyAuth, return TPM_AUTHFAIL on error838 2. The TPM validates that the key pointed to by keyHandle has a signature scheme of839 TPM_SS_RSASSAPKCS1V15_SHA1, return TPM_INVALID_KEYUSAGE on error840 3. Create D1 a TPM_SIGN_INFO structure and set the structure defaults841 a. Set D1 -> fixed to "ADIG"842 b. Set D1 -> replay to antiReplay843 c. Create D3 a list of all audited ordinals as defined in the TPM_GetAuditDigest844 UINT32[] ordList outgoing parameter845 d. Create D4 the SHA-1 of D3846 e. Set auditDigest to TPM_STANY_DATA -> auditDigest847 f. Set counterValue to TPM_PERMANENT_DATA -> auditMonotonicCounter848 g. Create D2 the concatenation of auditDigest || counterValue || D4849 h. Set D1 -> data to D2850 i. Create a digital signature of the SHA-1 of D1 by using the signature scheme for851 keyHandle852 j. Set ordinalDigest to D4853 4. If closeAudit == TRUE854 a. If keyHandle->keyUsage is TPM_KEY_IDENTITY855 i. TPM_STANY_DATA -> auditDigest MUST be set to NULLS.856 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 50 Level 2 Revision 94 29 March 2006 Draft TCG Published b. Else857 i. Return TPM_INVALID_KEYUSAGE858 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 51 TCG Published 8.5 TPM_SetOrdinalAuditStatus859 Start of informative comment:860 Set the audit flag for a given ordinal. Requires the authentication of the TPM Owner.861 End of informative comment.862 Incoming Parameters and Sizes863 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SetOrdinalAuditStatus 4 4 2S 4 TPM_COMMAND_CODE ordinalToAudit The ordinal whose audit flag is to be set 5 1 3S 1 BOOL auditState Value for audit flag 6 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 7 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 9 20 TPM_AUTHDATA ownerAuth HMAC key: ownerAuth. Outgoing Parameters and Sizes864 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes inc luding paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SetOrdinalAuditStatus 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth. Actions865 1. Validate the AuthData to execute the command and the parameters866 2. Validate that the ordinal points to a valid TPM ordinal, return TPM_BADINDEX on error867 a. Valid TPM ordinal means an ordinal that the TPM implementation supports868 3. Set the non-volatile flag associated with ordinalToAudit to the value in auditState869 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 52 Level 2 Revision 94 29 March 2006 Draft TCG Published 9. Administrative Functions - Management870 9.1 TPM_FieldUpgrade871 Start of informative comment:872 The TPM needs a mechanism to allow for updating the protected capabilities once a TPM is873 in the field. Given the varied nature of TPM implementations there will be numerous874 methods of performing an upgrade of the protected capabilities. This command, when875 implemented, provides a manufacturer specific method of performing the upgrade.876 The manufacturer can determine, within the listed requirements, how to implement this877 command. The command may be more than one command and actually a series of878 commands.879 The IDL definition is to create an ordinal for the command, however the remaining880 parameters are manufacturer specific.881 The policy to determine when it is necessary to perform the actions of TPM_RevokeTrust is882 outside the TPM spec and determined by other TCG workgroups.883 End of informative comment.884 IDL Definition885 TPM_RESULT TPM_FieldUpgrade(886 [in, out] TPM_AUTH* ownerAuth,887 ...);888 Type889 This is an optional command and a TPM is not required to implement this command in any890 form.891 Parameters892 Type Name Description TPM_AUTH ownerAuth Authentication from TPM owner to execute command ... Remaining parameters are manufacturer specific Descriptions893 The upgrade mechanisms in the TPM MUST not require the TPM to hold a global secret. The894 definition of global secret is a secret value shared by more than one TPM.895 The TPME is not allowed to pre-store or use unique identifiers in the TPM for the purpose of896 field upgrade. The TPM MUST NOT use the endorsement key for identification or encryption897 in the upgrade process. The upgrade process MAY use a TPM Identity to deliver upgrade898 information to specific TPM's.899 The upgrade process can only change protected capabilities.900 The upgrade process can only access data in shielded locations where this data is necessary901 to validate the TPM Owner, validate the TPME and manipulate the blob902 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 53 TCG Published The TPM MUST be conformant to the TPM spe cification, protection profiles and security903 targets after the upgrade. The upgrade MAY NOT decrease the security values from the904 original security target.905 The security target used to evaluate this TPM MUST include this command in the TOE.906 When a field upgrade occurs, it is always sufficient to put the TPM into the same state as a907 successfully executed TPM_RevokeTrust.908 Actions909 The TPM SHALL perform the following when executing the command:910 1. Validate the TPM Owners AuthData to execute the command911 2. Validate that the upgrade information was sent by the TPME. The validation mechanism912 MUST use a strength of function that is at least the same strength of function as a913 digital signature performed using a 2048 bit RSA key.914 3. Validate that the upgrade target is the appropriate TPM model and version.915 4. Process the upgrade information and update the protected capabilities916 5. Set the TPM_PERMANENT_DATA.revMajor and TPM_PERMANENT_DATA.revMinor to the917 values indicated in the upgrade. The selection of the value is a manufacturer option. The918 values MUST be monotonically increasing. Installing an upgrade with a major and minor919 revision that is less than currently installed in the TPM is a valid operation.920 6. Set the TPM_STCLEAR_FLAGS.deactivated to TRUE921 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 54 Level 2 Revision 94 29 March 2006 Draft TCG Published 9.2 TPM_SetRedirection922 Informative comment923 The redirection command attaches a key to a redirection receiver.924 When making the connection to a GPIO channel the authorization restrictions are set at925 connection time and not for each invocation that uses the channel.926 End of informative comments927 Incoming Operands and Sizes928 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SetRedirection 4 4 TPM_KEY_HANDLE keyHandle The keyHandle identifier of a loaded key that can implement redirection. 5 4 2S 4 TPM_REDIR_COMMAND redirCmd The command to execute 6 4 3S 4 UINT32 inputDataSize The size of the input data 7 <> 4S <> BYTE inputData Manufacturer parameter 8 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for keyHandle authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 9 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 10 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 11 20 TPM_AUTHDATA ownerAuth HMAC key ownerAuth Outgoing Operands and Sizes929 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SetRedirection 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: key.usageAuth 930 Action931 1. If tag == TPM_TAG_REQ_AUTH1_COMMAND932 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 55 TCG Published a. Validate the command and parameters using TPM Owner authentication, on error933 return TPM_AUTHFAIL934 2. if redirCmd == TPM_REDIR_GPIO935 a. Validate that keyHandle points to a loaded key, return TPM_INVALID_KEYHANDLE936 on error937 b. Validate the key attributes specify redirection, return TPM_BAD_TYPE on error938 c. Validate that inputDataSize is 4, return TPM_BAD_PARAM_SIZE on error939 d. Validate that inputData points to a valid GPIO channel, return940 TPM_BAD_PARAMETER on error941 e. Map C1 to the TPM_GPIO_CONFIG_CHANNEL structure indicated by inputData942 f. If C1 -> attr specifies TPM_GPIO_ATTR_OWNER943 i. If tag != TPM_TAG_REQ_AUTH1_COMMAND return TPM_AUTHFAIL944 g. If C1 -> attr specifies TPM_GPIO_ATTR_PP945 i. If TPM_STCLEAR_FLAGS -> physicalPresence == FALSE, then return946 TPM_BAD_PRESENCE947 h. Return TPM_SUCCESS948 3. The TPM MAY support other redirection types. These types may be specified by TCG or949 provided by the manufacturer.950 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 56 Level 2 Revision 94 29 March 2006 Draft TCG Published 9.3 TPM_ResetLockValue951 Informative comment952 Command that resets the TPM dictionary attack mitigation values953 This allows the TPM owner to cancel the effect of a number of successive authorization954 failures. Dictionary attack mitigation is vendor specific, and the actions here are one955 possible implementation. The TPM may treat an authorization failure outside the mitigation956 time as a normal failure and not disable the command.957 If this command itself has an authorization failure, it is blocked for the remainder of the958 lock out period. This prevents a dictionary attack on the owner authorization using this959 command.960 It is understood that this command allows the TPM owner to perform a dictionary attack on961 other authorization values by alternating a trial and this command.962 End of informative comments963 Incoming Operands and Sizes964 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ResetLockValue 4 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for TPM Owner authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 5 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 7 20 TPM_AUTHDATA ownerAuth HMAC key TPM Owner auth Outgoing Operands and Sizes965 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ResetLockValue 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth HMAC key: TPM Owner auth TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 57 TCG Published Action966 1. If TPM_STCLEAR_DATA -> disableResetLock is TRUE return TPM_AUTHFAIL967 a. The internal dictionary attack mechanism will set TPM_STCLEAR_DATA ->968 disableResetLock to FALSE when the timeout period expires969 2. If the command and parameters validation using ownerAuth fails970 a. Set TPM_STCLEAR_DATA -> disableResetLock to TRUE971 b. Restart the TPM dictionary attack lock out period972 c. Return TPM_AUTHFAIL973 3. Reset the internal TPM dictionary attack mitigation mechanism974 a. The mechanism is vendor specific and can include time outs, reboots, and other975 mitigation strategies976 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 58 Level 2 Revision 94 29 March 2006 Draft TCG Published 10. Storage functions977 10.1 TPM_Seal978 Start of informative comment:979 The SEAL operation allows software to explicitly state the future "trusted" configuration that980 the platform must be in for the secret to be revealed. The SEAL operation also implicitly981 includes the relevant platform configuration (PCR-values) when the SEAL operation was982 performed. The SEAL operation uses the tpmProof value to BIND the blob to an individual983 TPM.984 If the UNSEAL operation succeeds, proof of the platform configuration that was in effect985 when the SEAL operation was performed is returned to the caller, as well as the secret data.986 This proof may, or may not, be of interest. If the SEALed secret is used to authenticate the987 platform to a third party, a caller is normally unconcerned about the state of the platform988 when the secret was SEALed, and the proof may be of no interest. On the other hand, if the989 SEALed secret is used to authenticate a third party to the platform, a caller is normally990 concerned about the state of the platform when the secret was SEALed. Then the proof is of991 interest.992 For example, if SEAL is used to store a secret key for a future configuration (probably to993 prove that the platform is a particular platform that is in a particular configuration), the994 only requirement is that that key can be used only when the platform is in that future995 configuration. Then there is no interest in the platform configuration when the secret key996 was SEALed. An example of this case is when SEAL is used to store a network997 authentication key.998 On the other hand, suppose an OS contains an encrypted database of users allowed to log999 on to the platform. The OS uses a SEALED blob to store the encryption key for the user-1000 database. However, the nature of SEAL is that any SW stack can SEAL a blob for any other1001 software stack. Hence the OS can be attacked by a second OS replacing both the SEALED-1002 blob encryption key, and the user database itself, allowing untrusted parties access to the1003 services of the OS. To thwart such attacks, SEALED blobs include the past SW1004 configuration. Hence, if the OS is concerned about such attacks, it may check to see1005 whether the past configuration is one that is known to be trusted.1006 TPM_Seal requires the encryption of one parameter ("Secret"). For the sake of uniformity1007 with other commands that require the encryption of more than one parameter, the string1008 used for XOR encryption is generated by concatenating a nonce (created during the OSAP1009 session) with the session shared secret and then hashing the result.1010 End of informative comment.1011 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 59 TCG Published Incoming Operands and Sizes1012 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Seal. 4 4 TPM_KEY_HANDLE keyHandle Handle of a loaded key that can perform seal operations. 5 20 2S 20 TPM_ENCAUTH encAuth The encrypted AuthData for the sealed data. The encryption key is the shared secret from the OSAP protocol. 6 4 3S 4 UINT32 pcrInfoSize The size of the pcrInfo parameter. If 0 there are no PCR registers in use 7 <> 4S <> TPM_PCR_INFO pcrInfo The PCR selection information. The caller MAY use TPM_PCR_INFO_LONG. 8 4 5S 4 UINT32 inDataSize The size of the inData parameter 9 <> 6S <> BYTE[ ] inData The data to be sealed to the platform and anyspecified PCRs 10 4 TPM_AUTHHANDLE authHandle The authorization session handle used for keyHandle authorization. Must be an OSAP session for this command. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 11 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 12 1 4H1 1 BOOL continueAuthSession Ignored 13 20 TPM_AUTHDATA pubAuth The authorization session digest for inputs and keyHandle. HMAC key: key.usageAuth. Outgoing Operands and Sizes1013 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Seal. 4 <> 3S <> TPM_STORED_DATA sealedData Encrypted, integrity -protected data object that is the result of the TPM_Seal operation. 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, fixed value of FALSE 7 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: key.usageAuth. Descriptions1014 TPM_Seal is used to encrypt private objects that can only be decrypted using TPM_Unseal.1015 Actions1016 1. Validate the authorization to use the key pointed to by keyHandle1017 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 60 Level 2 Revision 94 29 March 2006 Draft TCG Published 2. If the inDataSize is 0 the TPM returns TPM_BAD_PARAMETER1018 3. If the keyUsage field of the key indicated by keyHandle does not have the value1019 TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE.1020 4. If the keyHandle points to a migratable key then the TPM MUST return the error code1021 TPM_INVALID_KEY_USAGE.1022 5. Determine the version of pcrInfo1023 a. If pcrInfoSize is 01024 i. set V1 to 11025 b. Else1026 i. Point X1 as TPM_PCR_INFO_LONG structure to pcrInfo1027 ii. If X1 -> tag is TPM_TAG_PCR_INFO_LONG1028 (1) Set V1 to 21029 iii. Else1030 (1) Set V1 to 11031 6. If V1 is 1 then1032 a. Create S1 a TPM_STORED_DATA structure1033 7. else1034 a. Create S1 a TPM_STORED_DATA12 structure1035 b. Set S1 -> et to NULL1036 8. Set s1 -> encDataSize to 01037 9. Set s1 -> encData to NULL1038 10.Set s1 -> sealInfoSize to pcrInfoSize1039 11.If pcrInfoSize is not 0 then1040 a. if V1 is 1 then1041 i. Validate pcrInfo as a valid TPM_PCR_INFO structure, return TPM_BADINDEX on1042 error1043 ii. Set s1 -> sealInfo -> pcrSelection to pcrInfo -> pcrSelection1044 iii. Create h1 the composite hash of the PCR selected by pcrInfo -> pcrSelection1045 iv. Set s1 -> sealInfo -> digestAtCreation to h11046 v. Set s1 -> sealInfo -> digestAtRelease to pcrInfo -> digestAtRelease1047 b. else1048 i. Validate pcrInfo as a valid TPM_PCR_INFO_LONG structure, return1049 TPM_BADINDEX on error1050 ii. Set s1 -> sealInfo -> creationPCRSelection to pcrInfo -> creationPCRSelection1051 iii. Set s1 -> sealInfo -> releasePCRSelection to pcrInfo -> releasePCRSelection1052 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 61 TCG Published iv. Set s1 -> sealInfo -> digestAtRelease to pcrInfo -> digestAtRelease1053 v. Set s1 -> sealInfo -> localityAtRelease to pcrInfo -> localityAtRelease1054 vi. Create h2 the composite hash of the TPM_STCLEAR_DATA -> PCR selected by1055 pcrInfo -> creationPCRSelection1056 vii.Set s1 -> sealInfo -> digestAtCreation to h21057 viii. Set s1 -> sealInfo -> localityAtCreation to TPM_STANY_FLAGS ->1058 localityModifier1059 12.If authHandle indicates XOR encryption for the AuthData secrets1060 a. Create X1 the SHA-1 of the concatenation of (authHandle -> sharedSecret ||1061 authLastNonceEven)1062 b. Create a1 by XOR X1 and encAuth1063 13.Else1064 a. Create a1 by decrypting encAuth using the algorithm indicated in the OSAP session1065 b. Key is from authHandle -> sharedSecret1066 c. IV is SHA-1 of (authLastNonceEven || nonceOdd)1067 14.The TPM provides NO validation of a1. Well-known values (like NULLS) are valid and1068 possible.1069 15.Create s2 a TPM_SEALED_DATA structure1070 a. Set s2 -> payload to TPM_PT_SEAL1071 b. Set s2 -> tpmProof to TPM_PERMANENT_DATA -> tpmProof1072 c. Create h3 the SHA-1 of s11073 d. Set s2 -> storedDigest to h31074 e. Set s2 -> authData to a11075 f. Set s2 -> dataSize to inDataSize1076 g. Set s2 -> data to inData1077 16.Validate that the size of s2 can be encrypted by the key pointed to by keyHandle, return1078 TPM_BAD_DATASIZE on error1079 17.Create s3 the encryption of s2 using the key pointed to by keyHandle1080 18.Set continueAuthSession to FALSE1081 19.Set s1 -> encDataSize to the size of s31082 20.Set s1 -> encData to s31083 21.Return s1 as sealedData1084 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 62 Level 2 Revision 94 29 March 2006 Draft TCG Published 10.2 TPM_Unseal1085 Start of informative comment:1086 The TPM_Unseal operation will reveal TPM_Seaľed data only if it was encrypted on this1087 platform and the current configuration (as defined by the named PCR contents) is the one1088 named as qualified to decrypt it. Internally, TPM_Unseal accepts a data blob generated by a1089 TPM_Seal operation. TPM_Unseal decrypts the structure internally, checks the integrity of1090 the resulting data, and checks that the PCR named has the value named during TPM_Seal.1091 Additionally, the caller must supply appropriate AuthData for blob and for the key that was1092 used to seal that data.1093 If the integrity, platform configuration and authorization checks succeed, the sealed data is1094 returned to the caller; otherwise, an error is generated.1095 End of informative comment.1096 Incoming Operands and Sizes1097 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Unseal. 4 4 TPM_KEY_HANDLE parentHandle Handle of a loaded key that can unseal the data. 5 <> 2S <> TPM_STORED_DATA inData The encrypted data generated by TPM_Seal. 6 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for parentHandle. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 7 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 9 20 TPM_AUTHDATA parentAuth Theauthorization session digest for inputs and parentHandle. HMAC key: parentKey.usageAuth. 10 4 TPM_AUTHHANDLE dataAuthHandle Theauthorization session handle used to authorize inData. 2H2 20 TPM_NONCE dataLastNonceEven Even nonce previously generated by TPM 11 20 3H2 20 TPM_NONCE datanonceOdd Nonce generated by system associated with entityAuthHandle 12 1 4H2 1 BOOL continueDataSession Continue usage flag for dataAuthHandle. 13 20 TPM_AUTHDATA dataAuth Theauthorization session digest for the encrypted entity. HMAC key: entity.usageAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 63 TCG Published Outgoing Operands and Sizes1098 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Unseal. 4 4 3S 4 UINT32 secretSize The used size of the output area for secret 5 <> 4S <> BYTE[ ] secret Decrypted data that had been sealed 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 TPM_AUTHDATA resAuth The authorization session digest for the returned parameters. HMAC key: parentKey.usageAuth. 9 20 2H2 20 TPM_NONCE dataNonceEven Even nonce newly generated by TPM. 3H2 20 TPM_NONCE datanonceOdd Nonce generated by system associated with dataAuthHandle 10 1 4H2 1 BOOL continueDataSession Continue use flag, TRUE if handle is still active 11 20 TPM_AUTHDATA dataAuth Theauthorization session digest used for the dataAuth session. HMAC key: entity.usageAuth. Actions1099 1. The TPM MUST validate that parentAuth authorizes the use of the key in parentHandle,1100 on error return TPM_AUTHFAIL1101 2. If the keyUsage field of the key indicated by parentHandle does not have the value1102 TPM_KEY_STORAGE, the TPM MUST return the error code TPM_INVALID_KEYUSAGE.1103 3. The TPM MUST check that the TPM_KEY_FLAGS -> Migratable flag has the value FALSE1104 in the key indicated by parentHandle. If not, the TPM MUST return the error code1105 TPM_INVALID_KEYUSAGE1106 4. Determine the version of inData1107 a. If inData -> tag = TPM_TAG_STORED_DATA121108 i. Set V1 to 21109 ii. Map S2 a TPM_STORED_DATA12 structure to inData1110 b. Else If inData -> ver = 1.11111 i. Set V1 to 11112 ii. Map S2 a TPM_STORED_DATA structure to inData1113 c. Else1114 i. Return TPM_BAD_VERSION1115 5. Create d1 by decrypting S2 -> encData using the key pointed to by parentHandle1116 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 64 Level 2 Revision 94 29 March 2006 Draft TCG Published 6. Validate d11117 a. d1 MUST be a TPM_SEALED_DATA structure1118 b. d1 -> tpmProof MUST match TPM_PERMANENT_DATA -> tpmProof1119 c. Set S2 -> encDataSize to 01120 d. Set S2 -> encData to NULL1121 e. Create h1 the SHA-1 of inData1122 f. d1 -> storedDigest MUST match h11123 g. d1 -> payload MUST be TPM_PT_SEAL1124 h. Any failure MUST return TPM_NOTSEALED_BLOB1125 7. The TPM MUST validate authorization to use d1 by checking that the HMAC calculation1126 using d1 -> authData as the shared secret matches the dataAuth. Return1127 TPM_AUTHFAIL on mismatch.1128 8. If S2 -> sealInfoSize is not 0 then1129 a. If V1 is 1 then1130 i. Validate that S2 -> pcrInfo is a valid TPM_PCR_INFO structure1131 ii. Create h2 the composite hash of the PCR selected by S2 -> pcrInfo -> pcrSelection1132 b. If V1 is 2 then1133 i. Validate that S2 -> pcrInfo is a valid TPM_PCR_INFO_LONG structure1134 ii. Create h2 the composite hash of the TPM_STCLEAR_DATA -> PCR selected by S21135 -> pcrInfo -> releasePCRSelection1136 iii. Check that S2 -> pcrInfo -> localityAtRelease for TPM_STANY_DATA ->1137 localityModifier is TRUE1138 (1) For example if TPM_STANY_DATA -> localityModifier was 2 then S2 -> pcrInfo1139 -> localityAtRelease -> TPM_LOC_TWO would have to be TRUE1140 c. Compare h2 with S2 -> pcrInfo -> digestAtRelease, on mismatch return1141 TPM_WRONGPCRVAL1142 9. If V1 is 2 and inData -> et specifies encryption (i.e. is not NULL) then1143 a. If tag is not TPM_TAG_RQU_AUTH2_COMMAND, return TPM_AUTHFAIL1144 b. Verify that the authHandle session type is TPM_PID_OSAP, return TPM_BAD_MODE1145 on error.1146 c. If inData -> et is TPM_ET_XOR1147 i. Use MGF1 to create string X1 of length sealedDataSize. The inputs to MGF1 are;1148 authLastnonceEven, nonceOdd, "XOR", and authHandle -> sharedSecret. The1149 four concatenated values form the Z value that is the seed for MFG1.1150 ii. Create o1 by XOR of d1 -> data and X11151 d. Else1152 i. Create o1 by encrypting d1 -> data using the algorithm indicated by inData -> et1153 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 65 TCG Published ii. Key is from authHandle -> sharedSecret1154 iii. IV is SHA-1 of (authLastNonceEven || nonceOdd)1155 e. Set continueAuthSession to FALSE1156 10.else1157 a. Set o1 to d1 -> data1158 11.Set the return secret as o11159 12.Return TPM_SUCCESS1160 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 66 Level 2 Revision 94 29 March 2006 Draft TCG Published 10.3 TPM_UnBind1161 Start of informative comment:1162 TPM_UnBind takes the data blob that is the result of a Tspi_Data_Bind command and1163 decrypts it for export to the User. The caller must authorize the use of the key that will1164 decrypt the incoming blob.1165 TPM_UnBind operates on a block-by-block basis, and has no notion of any relation between1166 one block and another.1167 End of informative comment.1168 Incoming Operands and Sizes1169 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_UnBind. 4 4 TPM_KEY_HANDLE keyHandle The keyHandle identifier of a loaded key that can perform UnBind operations. 5 4 2S 4 UINT32 inDataSize The size of the input blob 6 <> 3S <> BYTE[ ] inData Encrypted blob to be decrypted 7 4 TPM_AUTHHANDLE authHandle The handle used for keyHandle authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 10 20 TPM_AUTHDATA privAuth Theauthorization session digest that authorizes the inputs and use of keyHandle. HMAC key: key.usageAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 67 TCG Published Outgoing Operands and Sizes1170 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_UnBind 4 4 3S 4 UINT32 outDataSize The length of the returned decrypted data 5 <> 4S <> BYTE[ ] outData The resulting decrypted data. 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: key.usageAuth. Description1171 TPM_UnBind SHALL operate on a single block only.1172 Actions1173 The TPM SHALL perform the following:1174 1. If the inDataSize is 0 the TPM returns TPM_BAD_PARAMETER1175 2. Validate the AuthData to use the key pointed to by keyHandle1176 3. If the keyUsage field of the key referenced by keyHandle does not have the value1177 TPM_KEY_BIND or TPM_KEY_LEGACY, the TPM must return the error code1178 TPM_INVALID_KEYUSAGE1179 4. Decrypt the inData using the key pointed to by keyHandle1180 5. if (keyHandle -> encScheme does not equal TPM_ES_RSAESOAEP_SHA1_MGF1) and1181 (keyHandle -> keyUsage equals TPM_KEY_LEGACY),1182 a. The payload does not have TPM specific markers to validate, so no consistency check1183 can be performed.1184 b. Set the output parameter outData to the value of the decrypted value of inData.1185 (Padding associated with the encryption wrapping of inData SHALL NOT be returned.)1186 c. Set the output parameter outDataSize to the size of outData, as deduced from the1187 decryption process.1188 6. else1189 a. Interpret the decrypted data under the assumption that it is a TPM_BOUND_DATA1190 structure, and validate that the payload type is TPM_PT_BIND1191 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 68 Level 2 Revision 94 29 March 2006 Draft TCG Published b. Set the output parameter outData to the value of TPM_BOUND_DATA ->1192 payloadData. (Other parameters of TPM_BOUND_DATA SHALL NOT be returned.1193 Padding associated with the encryption wrapping of inData SHALL NOT be returned.)1194 c. Set the output parameter outDataSize to the size of outData, as deduced from the1195 decryption process and the interpretation of TPM_BOUND_DATA.1196 7. Return the output parameters.1197 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 69 TCG Published 10.4 TPM_CreateWrapKey1198 Start of informative comment:1199 The TPM_CreateWrapKey command both generates and creates a secure storage bundle for1200 asymmetric keys.1201 The newly created key can be locked to a specific PCR value by specifying a set of PCR1202 registers.1203 End of informative comment.1204 Incoming Operands and Sizes1205 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CreateWrapKey 4 4 TPM_KEY_HANDLE parentHandle Handle of a loaded key that can perform key wrapping. 5 20 2S 20 TPM_ENCAUTH dataUsageAuth Encrypted usage AuthData for the sealed data. 6 20 3S 20 TPM_ENCAUTH dataMigrationAuth Encrypted migration AuthData for the sealed data. 7 <> 4S <> TPM_KEY keyInfo Information about key to be created, pubkey.keyLength and keyInfo.encData elements are 0. MAY be TPM_KEY12 8 4 TPM_AUTHHANDLE authHandle parent key authorization. Must be an OSAP session. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 9 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 10 1 4H1 1 BOOL continueAuthSession Ignored 11 20 TPM_AUTHDATA pubAuth Authorization HMAC key: parentKey.usageAuth. Outgoing Operands and Sizes1206 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CreateWrapKey 4 <> 4S <> TPM_KEY wrappedKey The TPM_KEY structure which includes the public and encrypted private key. MAY be TPM_KEY12 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, fixed at FALSE 7 20 TPM_AUTHDATA resAuth Authorization HMAC key: parentKey.usageAuth. Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 70 Level 2 Revision 94 29 March 2006 Draft TCG Published Actions1207 The TPM SHALL do the following:1208 1. Validate the AuthData to use the key pointed to by parentHandle. Return1209 TPM_AUTHFAIL on any error.1210 2. Validate the session type for parentHandle is OSAP.1211 3. If the TPM is not designed to create a key of the type requested in keyInfo, return the1212 error code TPM_BAD_KEY_PROPERTY1213 4. Verify that parentHandle->keyUsage equals TPM_KEY_STORAGE1214 5. If parentHandle -> keyFlags -> migratable is TRUE and keyInfo -> keyFlags -> migratable1215 is FALSE then return TPM_INVALID_KEYUSAGE1216 6. Validate key parameters1217 a. keyInfo -> keyUsage MUST NOT be TPM_KEY_IDENTITY or1218 TPM_KEY_AUTHCHANGE. If it is, return TPM_INVALID_KEYUSAGE1219 b. If keyInfo -> keyFlags -> migrateAuthority is TRUE then return1220 TPM_INVALID_KEYUSAGE1221 7. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then1222 a. If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS1223 b. If keyInfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS1224 c. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS1225 8. If keyInfo -> keyUsage equals TPM_KEY_STORAGE or TPM_KEY_MIGRATE1226 i. algorithmID MUST be TPM_ALG_RSA1227 ii. encScheme MUST be TPM_ES_RSAESOAEP_SHA1_MGF11228 iii. sigScheme MUST be TPM_SS_NONE1229 iv. key size MUST be 20481230 9. Determine the version of key1231 a. If keyInfo -> ver is 1.11232 i. Set V1 to 11233 ii. Map wrappedKey to a TPM_KEY structure1234 iii. Validate all remaining TPM_KEY structures1235 b. Else if keyInfo -> tag is TPM_TAG_KEY121236 i. Set V1 to 21237 ii. Map wrappedKey to a TPM_KEY12 structure1238 iii. Validate all remaining TPM_KEY12 structures1239 10.If authHandle indicates XOR encryption for the AuthData secrets1240 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 71 TCG Published a. Create X1 the SHA-1 of the concatenation of (authHandle -> sharedSecret ||1241 authLastNonceEven)1242 b. Create X2 the SHA-1 of the concatenation of (authHandle -> sharedSecret ||1243 nonceOdd)1244 c. Create DU1 the XOR of dataUsageAuth and X11245 d. Create DM1 the XOR of dataMigrationAuth and X21246 11.Else1247 a. Decrypt dataUsageAuth and dataMigrationAuth using the algorithm indicated in the1248 OSAP session1249 i. Create DU1 from dataUsageAuth1250 ii. Create DM1 from dataMigrationAuth1251 b. Key is from authHandle -> sharedSecret1252 c. IV is SHA-1 of (authLastNonceEven || nonceOdd)1253 12.Set continueAuthSession to FALSE1254 13.Generate asymmetric key according to algorithm information in keyInfo1255 14.Fill in the wrappedKey structure with information from the newly generated key.1256 a. Set wrappedKey -> encData -> usageAuth to DU11257 b. If the KeyFlags -> migratable bit is set to 1, the wrappedKey -> encData ->1258 migrationAuth SHALL contain the decrypted value from DataMigrationAuth.1259 c. If the KeyFlags -> migratable bit is set to 0, the wrappedKey -> encData ->1260 migrationAuth SHALL be set to the value tpmProof1261 15.If keyInfo->PCRInfoSize is non-zero1262 a. If V1 is 11263 i. Set wrappedKey -> pcrInfo to a TPM_PCR_INFO structure using the pcrSelection1264 to indicate the PCR's in use1265 b. Else1266 i. Set wrappedKey -> pcrInfo to a TPM_PCR_INFO_LONG structure1267 c. Set digestAtCreation to the TPM_COMPOSITE_HASH indicated by1268 creationPCRSelection1269 d. If V1 is 2 set localityAtCreation to TPM_STANY_DATA -> locality1270 16.Encrypt the private portions of the wrappedKey structure using the key in parentHandle1271 17.Return the newly generated key in the wrappedKey parameter1272 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 72 Level 2 Revision 94 29 March 2006 Draft TCG Published 10.5 TPM_LoadKey21273 Start of informative comment:1274 Before the TPM can use a key to either wrap, unwrap, bind, unbind, seal, unseal, sign or1275 perform any other action, it needs to be present in the TPM. The TPM_LoadKey2 function1276 loads the key into the TPM for further use.1277 The TPM assigns the key handle. The TPM always locates a loaded key by use of the handle.1278 The assumption is that the handle may change due to key management operations. It is the1279 responsibility of upper level software to maintain the mapping between handle and any1280 label used by external software.1281 This command has the responsibility of enforcing restrictions on the use of keys. For1282 example, when attempting to load a STORAGE key it will be checked for the restrictions on1283 a storage key (2048 size etc.).1284 The load command must maintain a record of whether any previous key in the key1285 hierarchy was bound to a PCR using parentPCRStatus.1286 The flag parentPCRStatus enables the possibility of checking that a platform passed1287 through some particular state or states before finishing in the current state. A grandparent1288 key could be linked to state-1, a parent key could linked to state-2, and a child key could be1289 linked to state-3, for example. The use of the child key then indicates that the platform1290 passed through states 1 and 2 and is currently in state 3, in this example. TPM_Startup1291 with stType == TPM_ST_CLEAR indicates that the platform has been reset, so the platform1292 has not passed through the previous states. Hence keys with parentPCRStatus==TRUE1293 must be unloaded if TPM_Startup is issued with stType == TPM_ST_CLEAR.1294 If a TPM_KEY structure has been decrypted AND the integrity test using "pubDataDigest"1295 has passed AND the key is non-migratory, the key must have been created by the TPM. So1296 there is every reason to believe that the key poses no security threat to the TPM. While there1297 is no known attack from a rogue migratory key, there is a desire to verify that a loaded1298 migratory key is a real key, arising from a general sense of unease about execution of1299 arbitrary data as a key. Ideally a consistency check would consist of an encrypt/decrypt1300 cycle, but this may be expensive. For RSA keys, it is therefore suggested that the1301 consistency test consists of dividing the supposed RSA product by the supposed RSA prime,1302 and checking that there is no remainder.1303 End of informative comment.1304 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 73 TCG Published Incoming Operands and Sizes1305 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadKey 2. 4 4 TPM_KEY_HANDLE parentHandle TPM handle of parent key. 5 <> 2S <> TPM_KEY inKey Incoming key structure, both encrypted private and clear public portions. MAY be TPM_KEY12 6 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for parentHandle authorization. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 7 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 9 20 TPM_AUTHDATA parentAuth Theauthorization session digest for inputs and parentHandle. HMAC key: parentKey.usageAuth. Outgoing Operands and Sizes1306 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadKey 2 4 4 TPM_KEY_HANDLE inkeyHandle Internal TPM handle where decrypted key was loaded. 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 7 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: parentKey.usageAuth. Actions1307 The TPM SHALL perform the following steps:1308 1. Validate the command and the parameters using parentAuth and parentHandle ->1309 usageAuth1310 2. If parentHandle -> keyUsage is NOT TPM_KEY_STORAGE return1311 TPM_INVALID_KEYUSAGE1312 3. If the TPM is not designed to operate on a key of the type specified by inKey, return the1313 error code TPM_BAD_KEY_PROPERTY1314 4. The TPM MUST handle both TPM_KEY and TPM_KEY12 structures1315 5. Decrypt the inKey -> privkey to obtain TPM_STORE_ASYMKEY structure using the key1316 in parentHandle1317 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 74 Level 2 Revision 94 29 March 2006 Draft TCG Published 6. Validate the integrity of inKey and decrypted TPM_STORE_ASYMKEY1318 a. Reproduce inKey -> TPM_STORE_ASYMKEY -> pubDataDigest using the fields of1319 inKey, and check that the reproduced value is the same as pubDataDigest1320 7. Validate the consistency of the key and iťs key usage.1321 a. If inKey -> keyFlags -> migratable is TRUE, the TPM SHALL verify consistency of the1322 public and private components of the asymmetric key pair. If inKey -> keyFlags ->1323 migratable is FALSE, the TPM MAY verify consistency of the public and private1324 components of the asymmetric key pair. The consistency of an RSA key pair MAY be1325 verified by dividing the supposed (P*Q) product by a supposed prime and checking that1326 there is no remainder..1327 b. If inKey -> keyUsage is TPM_KEY_IDENTITY, verify that inKey->keyFlags->migratable1328 is FALSE. If it is not, return TPM_INVALID_KEYUSAGE1329 c. If inKey -> keyUsage is TPM_KEY_AUTHCHANGE, return TPM_INVALID_KEYUSAGE1330 d. If inKey -> keyFlags -> migratable equals 0 then verify that TPM_STORE_ASYMKEY -1331 > migrationAuth equals TPM_PERMANENT_DATA -> tpmProof1332 e. Validate the mix of encryption and signature schemes1333 f. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then1334 i. If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS1335 ii. If keyInfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS1336 iii. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS1337 g. If inKey -> keyUsage is TPM_KEY_STORAGE or TPM_KEY_MIGRATE1338 i. algorithmID MUST be TPM_ALG_RSA1339 ii. Key size MUST be 20481340 iii. sigScheme MUST be TPM_SS_NONE1341 h. If inKey -> keyUsage is TPM_KEY_IDENTITY1342 i. algorithmID MUST be TPM_ALG_RSA1343 ii. Key size MUST be 20481344 iii. encScheme MUST be TPM_ES_NONE1345 i. If the decrypted inKey -> pcrInfo is NULL,1346 i. The TPM MUST set the internal indicator to indicate that the key is not using any1347 PCR registers.1348 j. Else1349 i. The TPM MUST store pcrInfo in a manner that allows the TPM to calculate a1350 composite hash whenever the key will be in use1351 ii. The TPM MUST handle both version 1.1 TPM_PCR_INFO and 1.21352 TPM_PCR_INFO_LONG structures according to the type of TPM_KEY structure1353 (1) The TPM MUST validate the TPM_PCR_INFO or TPM_PCR_INFO_LONG1354 structures1355 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 75 TCG Published 8. Perform any processing necessary to make TPM_STORE_ASYMKEY key available for1356 operations1357 9. Load key and key information into internal memory of the TPM. If insufficient memory1358 exists return error TPM_NOSPACE.1359 10.Assign inKeyHandle according to internal TPM rules.1360 11.Set InKeyHandle -> parentPCRStatus to parentHandle -> parentPCRStatus.1361 12.If ParentHandle indicates that it is using PCR registers, then set inKeyHandle ->1362 parentPCRStatus to TRUE.1363 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 76 Level 2 Revision 94 29 March 2006 Draft TCG Published 10.6 TPM_GetPubKey1364 Start of informative comment:1365 The owner of a key may wish to obtain the public key value from a loaded key. This1366 information may have privacy concerns so the command must have authorization from the1367 key owner.1368 End of informative comment.1369 Incoming Operands and Sizes1370 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetPubKey. 4 4 TPM_KEY_HANDLE keyHandle TPM handle of key. 5 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for keyHandle authorization. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 6 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 8 20 TPM_AUTHDATA keyAuth Authorization HMAC key: key.usageAuth. Outgoing Operands and Sizes1371 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetPubKey. 4 <> 3S <> TPM_PUBKEY pubKey Public portion of key in keyHandle. 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 7 20 TPM_AUTHDATA resAuth Authorization. HMAC key: key.usageAuth. Actions1372 The TPM SHALL perform the following steps:1373 1. Validate the command the parameters using keyAuth, on error1374 a. If keyHandle has TPM_AUTH_PRIV_USE_ONLY ignore the error1375 b. Otherwise return TPM_AUTHFAIL1376 2. If keyHandle == TPM_KH_SRK then1377 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 77 TCG Published a. If TPM_PERMANENT_FLAGS -> readSRKPub is FALSE then return1378 TPM_INVALID_KEYHANDLE1379 3. If keyHandle -> pcrInfoSize is not 01380 a. If keyHandle -> keyFlags has pcrIgnoredOnRead set to FALSE1381 i. Create a digestAtRelease according to the specified PCR registers and compare to1382 keyHandle -> digestAtRelease and if a mismatch return TPM_WRONGPCRVAL1383 ii. If specified validate any locality requests1384 4. Create a TPM_PUBKEY structure and return1385 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 78 Level 2 Revision 94 29 March 2006 Draft TCG Published 10.7 TPM_Sealx1386 Start of informative comment:1387 The SEALX command works exactly like the SEAL command with the additional1388 requirement of encryption for the inData parameter. This command also places in the1389 sealed blob the information that the unseal also requires encryption.1390 SEALX requires the use of 1.2 data structures. The actions are the same as SEAL without1391 the checks for 1.1 data structure usage.1392 End of informative comment.1393 Incoming Operands and Sizes1394 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SealX 4 4 TPM_KEY_HANDLE keyHandle Handle of a loaded key that can perform seal operations. 5 20 2S 20 TPM_ENCAUTH encAuth Theencrypted AuthData for the sealed data. The encryption key is the shared secret from the OSAP protocol. 6 4 3S 4 UINT32 pcrInfoSize The size of the pcrInfo parameter. If 0 there are no PCR registers in use 7 <> 4S <> TPM_PCR_INFO pcrInfo MUST useTPM_PCR_INFO_LONG. 8 4 5S 4 UINT32 inDataSize The size of the inData parameter 9 <> 6S <> BYTE[ ] inData The data to be sealed to the platform and any specified PCRs 10 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for keyHandle authorization. Must be an OSAP session for this command. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 11 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 12 1 4H1 1 BOOL continueAuthSession Ignored 13 20 TPM_AUTHDATA pubAuth Theauthorization session digest for inputs and keyHandle. HMAC key: key.usageAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 79 TCG Published Outgoing Operands and Sizes1395 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Sealx 4 <> 3S 4 TPM_STORED_DATA sealedData Encrypted, integrity -protected data object that is the result of the TPM_Sealx operation. 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, fixed value of FALSE 7 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: key.usageAuth. Actions1396 1. Validate the authorization to use the key pointed to by keyHandle1397 2. If the inDataSize is 0 the TPM returns TPM_BAD_PARAMETER1398 3. If the keyUsage field of the key indicated by keyHandle does not have the value1399 TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE.1400 4. If the keyHandle points to a migratable key then the TPM MUST return the error code1401 TPM_INVALID_KEY_USAGE.1402 5. Create S1 a TPM_STORED_DATA12 structure1403 6. Set s1 -> encDataSize to 01404 7. Set s1 -> encData to NULL1405 8. Set s1 -> sealInfoSize to pcrInfoSize1406 9. If pcrInfoSize is not 0 then1407 a. Validate pcrInfo as a valid TPM_PCR_INFO_LONG structure, return TPM_BADINDEX1408 on error1409 b. Set s1 -> sealInfo -> creationPCRSelection to pcrInfo -> creationPCRSelection1410 c. Set s1 -> sealInfo -> releasePCRSelection to pcrInfo -> releasePCRSelection1411 d. Set s1 -> sealInfo -> digestAtRelease to pcrInfo -> digestAtRelease1412 e. Set s1 -> sealInfo -> localityAtRelease to pcrInfo -> localityAtRelease1413 f. Create h2 the composite hash of the TPM_STCLEAR_DATA -> PCR selected by1414 pcrInfo -> creationPCRSelection1415 g. Set s1 -> sealInfo -> digestAtCreation to h21416 h. Set s1 -> sealInfo -> localityAtCreation to TPM_STANY_DATA -> localityModifier1417 10.Create s2 a TPM_SEALED_DATA structure1418 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 80 Level 2 Revision 94 29 March 2006 Draft TCG Published 11.If authHandle indicates XOR encryption for the AuthData secrets1419 a. Create X1 the SHA-1 of the concatenation of (authHandle -> sharedSecret ||1420 authLastNonceEven)1421 b. Create a1 by XOR X1 and encAuth1422 c. Set s1 -> et to TPM_ET_XOR || TPM_ET_KEY1423 i. TPM_ET_KEY is added because TPM_Unseal uses NULL as a special value1424 indicating no encryption.1425 12.Else1426 a. Create a1 by decrypting encAuth using the algorithm indicated in the OSAP session1427 b. Key is from authHandle -> sharedSecret1428 c. IV is SHA-1 of (authLastNonceEven || nonceOdd)1429 d. Set S1 -> et to algorithm indicated in the OSAP session1430 13.The TPM provides NO validation of a1. Well-known values (like NULLS) are valid and1431 possible.1432 14.If authHandle indicates XOR encryption1433 a. Use MGF1 to create string X2 of length inDataSize. The inputs to MGF1 are;1434 authLastNonceEven, nonceOdd, "XOR", and authHandle -> sharedSecret. The four1435 concatenated values form the Z value that is the seed for MFG1.1436 b. Create o1 by XOR of inData and X21437 15.Else1438 a. Create o1 by decrypting inData using the algorithm indicated by authHandle1439 b. Key is from authHandle -> sharedSecret1440 c. IV is SHA-1 of (authLastNonceEven || nonceOdd)1441 16.Create s2 a TPM_SEALED_DATA structure1442 a. Set s2 -> payload to TPM_PT_SEAL1443 b. Set s2 -> tpmProof to TPM_PERMANENT_DATA -> tpmProof1444 c. Create h3 the SHA-1 of s11445 d. Set s2 -> storedDigest to h31446 e. Set s2 -> authData to a11447 f. Set s2 -> dataSize to inDataSize1448 g. Set s2 -> data to o11449 17.Validate that the size of s2 can be encrypted by the key pointed to by keyHandle, return1450 TPM_BAD_DATASIZE on error1451 18.Create s3 the encryption of s2 using the key pointed to by keyHandle1452 19.Set continueAuthSession to FALSE1453 20.Set s1 -> encDataSize to the size of s31454 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 81 TCG Published 21.Set s1 -> encData to s31455 22.Return s1 as sealedData1456 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 82 Level 2 Revision 94 29 March 2006 Draft TCG Published 11. Migration1457 Start of informative comment:1458 The migration of a key from one TPM to another is a vital aspect to many use models of the1459 TPM. The migration commands are the commands that allow this operation to occur.1460 There are two types of migratable keys, the version 1.1 migratable keys and the version 1.21461 certifiable migratable keys.1462 End of informative comment.1463 11.1 TPM_CreateMigrationBlob1464 Start of informative comment:1465 The TPM_CreateMigrationBlob command implements the first step in the process of moving1466 a migratable key to a new parent or platform. Execution of this command requires1467 knowledge of the migrationAuth field of the key to be migrated.1468 Migrate mode is generally used to migrate keys from one TPM to another for backup,1469 upgrade or to clone a key on another platform. To do this, the TPM needs to create a data1470 blob that another TPM can deal with. This is done by loading in a backup public key that1471 will be used by the TPM to create a new data blob for a migratable key.1472 The TPM Owner does the selection and authorization of migration public keys at any time1473 prior to the execution of TPM_CreateMigrationBlob by performing the1474 TPM_AuthorizeMigrationKey command.1475 IReWrap mode is used to directly move the key to a new parent (either on this platform or1476 another). The TPM simply re-encrypts the key using a new parent, and outputs a normal1477 encrypted element that can be subsequently used by a TPM_LoadKey command.1478 TPM_CreateMigrationBlob implicitly cannot be used to migrate a non-migratory key. No1479 explicit check is required. Only the TPM knows tpmProof. Therefore it is impossible for the1480 caller to submit an AuthData value equal to tpmProof and migrate a non-migratory key.1481 End of informative comment.1482 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 83 TCG Published Incoming Operands and Sizes1483 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CreateMigrationBlob 4 4 TPM_KEY_HANDLE parentHandle Handle of the parent key that can decrypt encData. 5 2 2S 2 TPM_MIGRATE_SCHEME migrationType The migration type, either MIGRATE or REWRAP 6 <> 3S <> TPM_MIGRATIONKEYAUTH migrationKeyAuth Migration public key and its authorization session digest. 7 4 4S 4 UINT32 encDataSize The size of the encData parameter 8 <> 5S <> BYTE[ ] encData The encrypted entity that is to be modified. 9 4 TPM_AUTHHANDLE parentAuthHandle Theauthorization session handle used for the parent key. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 10 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with parentAuthHandle 11 1 4H1 1 BOOL continueAuthSession Continue use flag for parent session 12 20 20 TPM_AUTHDATA parentAuth Authorization HMAC key: parentKey.usageAuth. 13 4 TPM_AUTHHANDLE entityAuthHandle Theauthorization session handle used for the encrypted entity. 2H2 20 TPM_NONCE entitylastNonceEven Even nonce previously generated by TPM 14 20 3H2 20 TPM_NONCE entitynonceOdd Nonce generated by system associated with entityAuthHandle 15 1 4H2 1 BOOL continueEntitySession Continue use flag for entity session 16 20 TPM_AUTHDATA entityAuth Authorization HMAC key: entity.migrationAuth. 1484 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 84 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Operands and Sizes1485 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CreateMigrationBlob 4 4 3S 4 UINT32 randomSize The used size of the output area for random 5 <> 4S <> BYTE[ ] random String used for xor encryption 6 4 5S 4 UINT32 outDataSize The used size of the output area for outData 7 <> 6S <> BYTE[ ] outData The modified, encrypted entity. 8 20 3H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 4H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with parentAuthHandle 9 1 5H1 1 BOOL continueAuthSession Continue use flag for parent key session 10 20 20 TPM_AUTHDATA resAuth Authorization. HMAC key: parentKey.usageAuth. 11 20 3H2 20 TPM_NONCE entityNonceEven Even nonce newly generated by TPM to cover entity 4H2 20 TPM_NONCE entitynonceOdd Nonce generated by system associated with entityAuthHandle 12 1 5 H2 1 BOOL continueEntity Session Continue use flag for entity session 13 20 TPM_AUTHDATA entityAuth Authorization HMAC key: entity.migrationAuth. Description1486 The TPM does not check the PCR values when migrating values locked to a PCR.1487 The second authorization session (using entityAuth) MUST be OIAP because OSAP does not1488 have a suitable entityType1489 Actions1490 1. Validate that parentAuth authorizes the use of the key pointed to by parentHandle.1491 2. Create d1 a TPM_STORE_ASYMKEY structure by decrypting encData using the key1492 pointed to by parentHandle.1493 a. Verify that d1 -> payload is TPM_PT_ASYM.1494 3. Validate that entityAuth authorizes the migration of d1. The validation MUST use d1 ->1495 migrationAuth as the secret.1496 4. Verify that the digest within migrationKeyAuth is legal for this TPM and public key1497 5. If migrationType == TPM_MS_MIGRATE the TPM SHALL perform the following actions:1498 a. Build two byte arrays, K1 and K2:1499 i. K1 = d1.privKey[0..19] (d1.privKey.keyLength + 16 bytes of d1.privKey.key),1500 sizeof(K1) = 201501 ii. K2 = d1.privKey[20..131] (position 16-127 of d1 . privKey.key), sizeof(K2) = 1121502 b. Build M1 a TPM_MIGRATE_ASYMKEY structure1503 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 85 TCG Published i. TPM_MIGRATE_ASYMKEY.payload = TPM_PT_MIGRATE1504 ii. TPM_MIGRATE_ASYMKEY.usageAuth = d1.usageAuth1505 iii. TPM_MIGRATE_ASYMKEY.pubDataDigest = d1. pubDataDigest1506 iv. TPM_MIGRATE_ASYMKEY.partPrivKeyLen = 112 ­ 127.1507 v. TPM_MIGRATE_ASYMKEY.partPrivKey = K21508 c. Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the1509 OAEP encoding of m using OAEP parameters of1510 i. m = M1 the TPM_MIGRATE_ASYMKEY structure1511 ii. pHash = d1->migrationAuth1512 iii. seed = s1 = K11513 d. Create r1 a random value from the TPM RNG. The size of r1 MUST be the size of o1.1514 Return r1 in the Random parameter.1515 e. Create x1 by XOR of o1 with r11516 f. Copy r1 into the output field "random".1517 g. Encrypt x1 with the migration public key included in migrationKeyAuth.1518 6. If migrationType == TPM_MS_REWRAP the TPM SHALL perform the following actions:1519 a. Rewrap the key using the public key in migrationKeyAuth, keeping the existing1520 contents of that key.1521 b. Set randomSize to 0 in the output parameter array1522 7. Else1523 a. Return TPM_BAD_PARAMETER1524 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 86 Level 2 Revision 94 29 March 2006 Draft TCG Published 11.2 TPM_ConvertMigrationBlob1525 Start of informative comment:1526 This command takes a migration blob and creates a normal wrapped blob. The migrated1527 blob must be loaded into the TPM using the normal TPM_LoadKey function.1528 Note that the command migrates private keys, only. The migration of the associated public1529 keys is not specified by TPM because they are not security sensitive. Migration of the1530 associated public keys may be specified in a platform specific specification. A TPM_KEY1531 structure must be recreated before the migrated key can be used by the target TPM in a1532 TPM_LoadKey command.1533 End of informative comment.1534 Incoming Operands and Sizes1535 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ConvertMigrationBlob. 4 4 TPM_KEY_HANDLE parentHandle Handle of a loaded key that can decrypt keys. 5 4 2S 4 UINT32 inDataSize Size of inData 6 <> 3S <> BYTE [ ] inData The XOR'd and encrypted key 7 4 4S 4 UINT32 randomSize Size of random 8 <> 5S <> BYTE [ ] random Random value used to hide key data. 9 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for keyHandle. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 10 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 11 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 12 20 TPM_AUTHDATA parentAuth Theauthorization session digest that authorizes the inputs and the migration of the key in parentHandle. HMAC key: parentKey.usageAuth 1536 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 87 TCG Published Outgoing Operands and Sizes1537 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_C OMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ConvertMigrationBlob 4 4 3S 4 UINT32 outDataSize The used size of the output area for outData 5 <> 4S <> BYTE[ ] outData The encrypted private key that can be loaded with TPM_LoadKey 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: parentKey.usageAuth Action1538 The TPM SHALL perform the following:1539 1. Validate the AuthData to use the key in parentHandle1540 2. If the keyUsage field of the key referenced by parentHandle does not have the value1541 TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE1542 3. Create d1 by decrypting the inData area using the key in parentHandle1543 4. Create o1 by XOR d1 and random parameter1544 5. Create m1 a TPM_MIGRATE_ASYMKEY structure, seed and pHash by OAEP decoding o11545 6. Create k1 by combining seed and the TPM_MIGRATE_ASYMKEY -> partPrivKey field1546 7. Create d2 a TPM_STORE_ASYMKEY structure1547 a. Verify that m1 -> payload == TPM_PT_MIGRATE1548 b. Set d2 -> payload = TPM_PT_ASYM1549 c. Set d2 -> usageAuth to m1 -> usageAuth1550 d. Set d2 -> migrationAuth to pHash1551 e. Set d2 -> pubDataDigest to m1 -> pubDataDigest1552 f. Set d2 -> privKey field to k11553 8. Create outData using the key in parentHandle to perform the encryption1554 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 88 Level 2 Revision 94 29 March 2006 Draft TCG Published 11.3 TPM_AuthorizeMigrationKey1555 Start of informative comment:1556 This command creates an authorization blob, to allow the TPM owner to specify which1557 migration facility they will use and allow users to migrate information without further1558 involvement with the TPM owner.1559 It is the responsibility of the TPM Owner to determine whether migrationKey is appropriate1560 for migration. The TPM checks just the cryptographic strength of migrationKey.1561 End of informative comment.1562 Incoming Operands and Sizes1563 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_AuthorizeMigrationKey 4 2 2S 2 TPM_MIGRATE_SCHEME migrationScheme Type of migration operation that is to be permitted for this key. 4 <> 3S <> TPM_PUBKEY migrationKey The public key to be authorized. 5 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 6 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 8 20 TPM_AUTHDATA ownerAuth Theauthorization session digest for inputs and owner authorization. HMAC key: ownerAuth. Outgoing Operands and Sizes1564 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_AuthorizeMigrationKey 4 <> 3S <> TPM_MIGRATIONKEYAUTH outData Returned public key and authorization session digest. 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 7 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth. 1565 Action1566 The TPM SHALL perform the following:1567 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 89 TCG Published 1. Check that the cryptographic strength of migrationKey is at least that of a 2048 bit RSA1568 key. If migrationKey is an RSA key, this means that migrationKey MUST be 2048 bits or1569 greater1570 2. Validate the AuthData to use the TPM by the TPM Owner1571 3. Create a f1 a TPM_MIGRATIONKEYAUTH structure1572 4. Verify that migrationKey-> algorithmParms -> encScheme is1573 TPM_ES_RSAESOAEP_SHA1_MGF1, and return the error code1574 TPM_INAPPROPRIATE_ENC if it is not1575 5. Set f1 -> migrationKey to the input migrationKey1576 6. Set f1 -> migrationScheme to the input migrationScheme1577 7. Create v1 by concatenating (migrationKey || migrationScheme ||1578 TPM_PERMANENT_DATA -> tpmProof)1579 8. Create h1 by performing a SHA1 hash of v11580 9. Set f1 -> digest to h11581 10.Return f1 as outData1582 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 90 Level 2 Revision 94 29 March 2006 Draft TCG Published 11.4 TPM_MigrateKey1583 Start of informative comment:1584 The TPM_MigrateKey command performs the function of a migration authority.1585 The command is relatively simple; it just decrypts the input packet (coming from1586 TPM_CreateMigrationBlob or TPM_CMK_CreateBlob) and then re-encrypts it with the input1587 public key. The output of this command would then be sent to TPM_ConvertMigrationBlob1588 or TPM_CMK_ConvertMigration on the target TPM.1589 TPM_MigrateKey does not make ANY assumptions about the contents of the encrypted blob.1590 Since it does not have the XOR string, it cannot actually determine much about the key1591 that is being migrated.1592 This command exists to permit the TPM to be a migration authority. If used in this way, it is1593 expected that the physical security of the system containing the TPM and the AuthData1594 value for the MA key would be tightly controlled.1595 To prevent the execution of this command using any other key as a parent key, this1596 command works only if keyUsage for maKeyHandle is TPM_KEY_MIGRATE.1597 End of informative comment.1598 Incoming Operands and Sizes1599 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_MigrateKey 4 4 TPM_KEY_HANDLE maKeyHandle Handle of the key to be used to migrate the key. 5 <> 2S <> TPM_PUBKEY pubKey Public key to which the blob is to be migrated 6 4 3S 4 UINT32 inDataSize The size of inData 7 <> 4S <> BYTE[ ] inData The input blob 8 4 TPM_AUTHHANDLE maAuthHandle The authorization session handle used for maKeyHandle. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 9 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with certAuthHandle 10 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 11 20 TPM_AUTHDATA keyAuth The authorization session digest for the inputs and key to be signed. HMAC key: maKeyHandle.usageAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 91 TCG Published Outgoing Operands and Sizes1600 Param HMAC # Sz # Sz Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_MigrateKey 4 4 3S 4 UINT32 outDataSize The used size of the output area for outData 5 <> 4S <> BYTE[ ] outData The re-encrypted blob 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with certAuthHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag for cert key session 8 20 TPM_AUTHDATA keyAuth The authorization session digest for the target key. HMAC key: maKeyHandle.usageAuth Actions1601 1. Validate that keyAuth authorizes the use of the key pointed to by maKeyHandle1602 2. The TPM validates that the key pointed to by maKeyHandle has a key usage value of1603 TPM_KEY_MIGRATE, and that the allowed encryption scheme is1604 TPM_ES_RSAESOAEP_SHA1_MGF1.1605 3. The TPM validates that pubKey is of a size supported by the TPM and that its size is1606 consistent with the input blob and maKeyHandle.1607 4. The TPM decrypts inData and re-encrypts it using pubKey.1608 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 92 Level 2 Revision 94 29 March 2006 Draft TCG Published 11.5 TPM_CMK_SetRestrictions1609 Start of informative comment:1610 This command is used by the Owner to dictate the usage of a certified-migration key with1611 delegated authorization (authorization other than actual owner authorization).1612 This command is provided for privacy reasons and must not itself be delegated, because a1613 certified-migration-key may involve a contractual relationship between the Owner and an1614 external entity.1615 Since restrictions are validated at DSAP session use, there is no need to invalidate DSAP1616 sessions when the restriction value changes.1617 End of informative comment.1618 Incoming Operands and Sizes1619 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes incl. paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Ordinal: TPM_ORD_CMK_SetRestrictions 4 4 2S 4 TPM_CMK_DELEGATE restriction The bit mask of how to set the restrictions on CMK keys 5 4 TPM_AUTHHANDLE authHandle Theauthorization session handle TPM Owner authentication 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 6 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 8 20 TPM_AUTHDATA ownerAuth Theauthorization session digest. HMAC key:ownerAuth Outgoing Operands and Sizes1620 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes 3 4 1S 4 TPM_RESULT returnCode The return code of the operation 2S 4 TPM_COMMAND_CODE ordinal Ordinal: TPM_ORD_CMK_SetRestrictions 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth Authorization HMAC key: ownerAuth. Description1621 TPM_PERMANENT_DATA -> restrictDelegate is used as follows1622 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 93 TCG Published 1. If the session type is TPM_PID_DSAP and TPM_KEY -> keyFlags -> migrateAuthority is1623 TRUE1624 a. If1625 TPM_KEY_USAGE is TPM_KEY_SIGNING and restrictDelegate ->1626 TPM_CMK_DELEGATE_SIGNING is TRUE, or1627 TPM_KEY_USAGE is TPM_KEY_STORAGE and restrictDelegate ->1628 TPM_CMK_DELEGATE_STORAGE is TRUE, or1629 TPM_KEY_USAGE is TPM_KEY_BIND and restrictDelegate -> TPM_CMK_DELEGATE_BIND1630 is TRUE, or1631 TPM_KEY_USAGE is TPM_KEY_LEGACY and restrictDelegate ->1632 TPM_CMK_DELEGATE_LEGACY is TRUE, or1633 TPM_KEY_USAGE is TPM_KEY_MIGRATE and restrictDelegate ->1634 TPM_CMK_DELEGATE_MIGRATE is TRUE1635 then the key can be used.1636 b. Else return TPM_INVALID_KEYUSAGE.1637 Actions1638 1. Validate the ordinal and parameters using TPM Owner authentication, return1639 TPM_AUTHFAIL on error1640 2. Set TPM_PERMANENT_DATA -> TPM_CMK_DELEGATE -> restrictDelegate = restriction1641 3. Return TPM_SUCCESS1642 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 94 Level 2 Revision 94 29 March 2006 Draft TCG Published 11.6 TPM_CMK_ApproveMA1643 Start of informative comment:1644 This command creates an authorization ticket, to allow the TPM owner to specify which1645 Migration Authorities they approve and allow users to create certified-migration-keys1646 without further involvement with the TPM owner.1647 It is the responsibility of the TPM Owner to determine whether a particular Migration1648 Authority is suitable to control migration1649 End of informative comment.1650 Incoming Operands and Sizes1651 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CMK_ApproveMA 4 20 2S 20 TPM_DIGEST migrationAuthorityDigest A digest of a TPM_MSA_COMPOSITE structure (itself one or more digests of public keys belonging to migration authorities) 5 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 6 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Thecontinue use flag for the authorization session handle 8 20 TPM_AUTHDATA ownerAuth Authorization HMAC, key: ownerAuth. Outgoing Operands and Sizes1652 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CMK_ApproveMA 4 20 3S 20 TPM_HMAC outData HMAC of migrationAuthorityDigest 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 7 20 TPM_AUTHDATA resAuth Authorization HMAC, key: ownerAuth. Action1653 The TPM SHALL perform the following:1654 1. Validate the AuthData to use the TPM by the TPM Owner1655 2. Create M2 a TPM_CMK_MA_APPROVAL structure1656 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 95 TCG Published a. Set M2 ->migrationAuthorityDigest to migrationAuthorityDigest1657 3. Set outData = HMAC(M2) using tpmProof as the secret1658 4. Return TPM_SUCCESS1659 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 96 Level 2 Revision 94 29 March 2006 Draft TCG Published 11.7 TPM_CMK_CreateKey1660 Start of informative comment:1661 The TPM_CMK_CreateKey command both generates and creates a secure storage bundle for1662 asymmetric keys whose migration is controlled by a migration authority.1663 TPM_CMK_CreateKey is very similar to TPM_CreateWrapKey, but: (1) the resultant key must1664 be a migratable key and can be migrated only by TPM_CMK_CreateBlob; (2) the command is1665 Owner authorized via a ticket.1666 TPM_CMK_CreateKey creates an otherwise normal migratable key except that (1)1667 migrationAuth is an HMAC of the migration authority and the new key's public key, signed1668 by tpmProof (instead of being tpmProof); (2) the migrationAuthority bit is set TRUE; (3) the1669 payload type is TPM_PT_MIGRATE_RESTRICTED.1670 The migration-selection/migration authority is specified by passing in a public key (actually1671 the digests of one or more public keys, so more than one migration authority can be1672 specified).1673 End of informative comment.1674 Incoming Operands and Sizes1675 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CMK_CreateKey 4 4 TPM_KEY_HANDLE parentHandle Handle of a loaded key that can perform key wrapping. 5 20 2S 20 TPM_ENCAUTH dataUsageAuth Encrypted usage AuthData for the sealed data. 6 <> 3S <> TPM_KEY12 keyInfo Information about key to be created, pubkey.keyLength and keyInfo.encData elements are 0. MUST be TPM_KEY12 7 20 4S 20 TPM_HMAC migrationAuthorityApproval A ticket, created by the TPM Owner usingTPM_CMK_ApproveMA, approving a TPM_MSA_COMPOSITE structure 8 20 5S 20 TPM_DIGEST migrationAuthorityDigest The digest of a TPM_MSA_COMPOSITE structure 9 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for parent key authorization. Must be an OSAP session. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 10 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 11 1 4H1 1 BOOL continueAuthSession Ignored 12 20 TPM_AUTHDATA pubAuth Theauthorization session digest that authorizes the use of the public key in parentHandle. HMAC key: parentKey.usageAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 97 TCG Published Outgoing Operands and Sizes1676 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CMK_CreateKey 4 <> 3S <> TPM_KEY12 wrappedKey The TPM_KEY structure which includes the public and encrypted private key. MUST be TPM_KEY12 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, fixed at FALSE 7 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: parentKey.usageAuth. Actions1677 The TPM SHALL do the following:1678 1. Validate the AuthData to use the key pointed to by parentHandle. Return1679 TPM_AUTHFAIL on any error1680 2. Validate the session type for parentHandle is OSAP1681 3. If the TPM is not designed to create a key of the type requested in keyInfo, return the1682 error code TPM_BAD_KEY_PROPERTY1683 4. Verify that parentHandle->keyUsage equals TPM_KEY_STORAGE1684 5. Verify that parentHandle-> keyFlags-> migratable == FALSE and parentHandle->1685 encData -> migrationAuth == tpmProof1686 6. If keyInfo -> keyFlags -> migratable is FALSE, return TPM_INVALID_KEYUSAGE1687 7. If keyInfo -> keyFlags -> migrateAuthority is FALSE , return TPM_INVALID_KEYUSAGE1688 8. Verify that the migration authority is authorized1689 a. Create M1 a TPM_CMK_MA_APPROVAL structure1690 i. Set M1 ->migrationAuthorityDigest to migrationAuthorityDigest1691 b. Verify that migrationAuthorityApproval == HMAC(M1) using tpmProof as the secret1692 and return error TPM_MA_AUTHORITY on mismatch1693 9. Validate key parameters1694 a. keyInfo -> keyUsage MUST NOT be TPM_KEY_IDENTITY or1695 TPM_KEY_AUTHCHANGE. If it is, return TPM_INVALID_KEYUSAGE1696 10.If TPM_PERMANENT_FLAGS -> FIPS is TRUE then1697 a. If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS1698 b. If keyInfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS1699 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 98 Level 2 Revision 94 29 March 2006 Draft TCG Published c. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS1700 11.If keyInfo -> keyUsage equals TPM_KEY_STORAGE or TPM_KEY_MIGRATE1701 a. algorithmID MUST be TPM_ALG_RSA1702 b. encScheme MUST be TPM_ES_RSAESOAEP_SHA1_MGF11703 c. sigScheme MUST be TPM_SS_NONE1704 d. key size MUST be 20481705 12.If keyinfo -> tag is NOT TPM_TAG_KEY12 return error TPM_INVALID_STRUCTURE1706 13.Map wrappedKey to a TPM_KEY12 structure1707 14.If authHandle indicates XOR encryption for the AuthData secrets1708 a. Create X1 the SHA-1 of the concatenation of (authHandle -> sharedSecret ||1709 authLastNonceEven)1710 b. Create DU1 by XOR X1 and dataUsageAuth1711 15.Else1712 a. Create DU1 by decrypting dataUsageAuth using the algorithm indicated in the OSAP1713 session1714 b. Key is from authHandle -> sharedSecret1715 c. IV is SHA-1 of (authLastNonceEven || nonceOdd)1716 16.Set continueAuthSession to FALSE1717 17.Generate asymmetric key according to algorithm information in keyInfo1718 18.Fill in the wrappedKey structure with information from the newly generated key.1719 a. Set wrappedKey -> encData -> usageAuth to DU11720 b. Set wrappedKey -> encData -> payload to TPM_PT_MIGRATE_RESTRICTED1721 c. Create thisPubKey, a TPM_PUBKEY structure containing wrappedKey's public key1722 and algorithm parameters1723 d. Create M2 a TPM_CMK_MIGAUTH structure1724 i. Set M2 -> msaDigest to migrationAuthorityDigest1725 ii. Set M2 -> pubKeyDigest to SHA-1 (thisPubKey)1726 e. Set wrappedKey -> encData -> migrationAuth equal to HMAC(M2), using tpmProof as1727 the shared secret1728 19.If wrappedKey->PCRInfoSize is non-zero1729 a. Set wrappedKey -> pcrInfo to a TPM_PCR_INFO_LONG structure1730 b. Set digestAtCreation to the TPM_COMPOSITE_HASH indicated by1731 creationPCRSelection1732 c. Set localityAtCreation to TPM_STANY_FLAGS -> localityModifier1733 20.Encrypt the private portions of the wrappedKey structure using the key in parentHandle1734 21.Return the newly generated key in the wrappedKey parameter1735 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 99 TCG Published 11.8 TPM_CMK_CreateTicket1736 Start of informative comment:1737 The TPM_CMK_CreateTicket command uses a public key to verify the signature over a1738 digest.1739 TPM_CMK_CreateTicket returns a ticket that can be used to prove to the same TPM that1740 signature verification with a particular public key was successful.1741 End of informative comment.1742 Incoming Operands and Sizes1743 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CMK_CreateTicket 4 <> 2S <> TPM_PUBKEY verificationKey The public key to be used to check signatureValue 5 20 3S 20 TPM_DIGEST signedData The data to be verified 6 4 4S 4 UINT32 signatureValueSize The size of the signatureValue 7 <> 5S <> BYTE[] signatureValue The signatureValue to be verified 8 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 9 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 10 1 4H1 1 BOOL continueAuthSession Ignored 11 20 TPM_AUTHDATA pubAuth The authorization session digest for inputs and owner. HMAC key: ownerAuth. Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 100 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Operands and Sizes1744 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CMK_CreateTicket 4 20 3S 20 TPM_HMAC sigTicket Ticket that proves digest created on this TPM 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag 7 20 TPM_AUTHDATA resAuth Authorization. HMAC key:. ownerAuth. Actions1745 The TPM SHALL do the following:1746 1. Validate the TPM Owner authentication to use the command1747 2. Validate that the key type and algorithm are correct1748 a. Validate that verificationKey -> algorithmParms -> algorithmID == TPM_ALG_RSA1749 b. Validate that verificationKey -> algorithmParms ->encScheme == TPM_ES_NONE1750 c. Validate that verificationKey ->algorithmParms ->sigScheme is1751 TPM_SS_RSASSAPKCS1v15_SHA11752 3. Use verificationKey to verify that signatureValue is a valid signature on signedData, and1753 return error TPM_BAD_SIGNATURE on mismatch1754 4. Create M2 a TPM_CMK_SIGTICKET1755 a. Set M2 -> verKeyDigest to the SHA-1 (verificationKey)1756 b. Set M2 -> signedData to signedData1757 5. Set sigTicket = HMAC(M2) signed by using tpmProof as the secret1758 6. Return TPM_SUCCESS1759 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 101 TCG Published 11.9 TPM_CMK_CreateBlob1760 Start of informative comment:1761 TPM_CMK_CreateBlob command is very similar to TPM_CreateMigrationBlob, except that it:1762 (1) uses an extra ticket (restrictedKeyAuth) instead of a migrationAuth authorization1763 session; (2) uses the migration options TPM_MS_RESTRICT_MIGRATE or1764 TPM_MS_RESTRICT_APPROVE_DOUBLE; (3) produces a wrapped key blob whose1765 migrationAuth is independent of tpmProof.1766 If the destination (parent) public key is the MA, migration is implicitly permitted. Further1767 checks are required if the MA is not the destination (parent) public key, and merely selects1768 a migration destination: (1) sigTicket must prove that restrictTicket was signed by the MA;1769 (2) restrictTicket must vouch that the target public key is approved for migration to the1770 destination (parent) public key. (Obviously, this more complex method may also be used by1771 an MA to approve migration to that MA.) In both cases, the MA must be one of the MAs1772 implicitly listed in the migrationAuth of the target key-to-be-migrated.1773 End of informative comment.1774 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 102 Level 2 Revision 94 29 March 2006 Draft TCG Published Incoming Operands and Sizes1775 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_OR D_CMK_CreateBlob 4 4 TPM_KEY_HANDLE parentHandle Handle of the parent key that can decrypt encData. 5 2 2S 2 TPM_MIGRATE_SCHEME migrationType The migration type, either TPM_MS_RESTRICT_MIGRATE or TPM_MS_RESTRICT_APPROVE_DOUBLE 6 <> 3S <> TPM_MIGRATIONKEYAUTH migrationKeyAuth Migration public key and its authorization session digest. 7 20 4S 20 TPM_DIGEST pubSourceKeyDigest The digest of the TPM_PUBKEY of the entity to be migrated 8 4 5S 4 UINT32 msaListSize The size of the msaList parameter, which is a variable length TPM_MSA_COMPOSITEstructure 9 <> 6S <> TPM_MSA_COMPOSITE msaList One ormore digests of public keys belonging to migration authorities 10 4 7S 4 UINT32 restrictTicketSize The size of the restrictTicket parameter, which is a TPM_CMK_AUTH structure if migration type is TPM_MS_RESTRICT_APPROVE_DOUBLE 11 <> 8S <> BYTE[] restrictTicket Either a NULL parameter or a TPM_CMK_AUTH structure, containing the digests of the public key s belonging to the Migration Authority, the destination parentkey and the key -to-be-migrated. 12 4 9S 4 UINT32 sigTicketSize The size of the sigTicket parameter, which is a TPM_HMAC structure if migration type is TPM_MS_RESTRICT_APPROVE_DOUBLE. 13 <> 10S <> BYTE[] sigTicket Either a NULL parameter or a TPM_HMAC structure, generated by the TPM, signalinga valid signature over restrictTicket 14 4 11S 4 UINT32 encDataSize The size of the encData parameter 15 <> 12S <> BYTE[] encData The encrypted entity that is to be modified. 16 4 TPM_AUTHHANDLE parentAuthHandle Theauthorization session handle used for the parent key. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 17 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with parentAuthHandle 18 1 4H1 1 BOOL continueAuthSession Continue use flag for parent session 19 20 20 TPM_AUTHDATA parentAuth HMAC key: parentKey.usageAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 103 TCG Published Outgoing Operands and Sizes1776 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CMK_CreateBlob 4 4 3S 4 UINT32 randomSize The used size of the output area for random 5 <> 4S <> BYTE[ ] random String used for xor encryption 6 4 5S 4 UINT32 outDataSize The used size of the output area for outData 7 <> 6S <> BYTE[ ] outData The modified, encrypted entity. 8 20 3H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 4H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with parentAuthHandle 9 1 5H1 1 BOOL continueAuthSession Continue use flag for parent key session 10 20 20 TPM_AUTHDATA resAuth HMAC key: parentKey.usageAuth. Description1777 The TPM does not check the PCR values when migrating values locked to a PCR.1778 Actions1779 1. Validate that parentAuth authorizes the use of the key pointed to by parentHandle.1780 2. Verify that parentHandle-> keyFlags-> migratable == FALSE and parentHandle->1781 encData -> migrationAuth == tpmProof1782 3. Create d1 by decrypting encData using the key pointed to by parentHandle.1783 4. Verify that the digest within migrationKeyAuth is legal for this TPM and public key1784 5. Verify that d1 -> payload == TPM_PT_MIGRATE_RESTRICTED or1785 TPM_PT_MIGRATE_EXTERNAL1786 6. Verify that the migration authorities in msaList are authorized to migrate this key1787 a. Create M2 a TPM_CMK_MIGAUTH structure1788 i. Set M2 -> msaDigest to SHA1[msaList]1789 ii. Set M2 -> pubKeyDigest to pubSourceKeyDigest1790 b. Verify that d1 -> migrationAuth == HMAC(M2) using tpmProof as the secret and1791 return error TPM_MA_AUTHORITY on mismatch1792 7. If migrationKeyAuth -> migrationScheme == TPM_MS_RESTRICT_MIGRATE1793 a. Verify that intended migration destination is an MA:1794 i. For one of n=1 to n=(msaList -> MSAlist), verify that SHA1[migrationKeyAuth ->1795 migrationKey] == msaList -> migAuthDigest[n]1796 b. Validate that the MA key is the correct type1797 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 104 Level 2 Revision 94 29 March 2006 Draft TCG Published i. Validate that migrationKeyAuth -> migrationKey -> algorithmParms ->1798 algorithmID == TPM_ALG_RSA1799 ii. Validate that migrationKeyAuth -> migrationKey -> algorithmParms -> encScheme1800 is an encryption scheme supported by the TPM1801 iii. Validate that migrationKeyAuth -> migrationKey ->algorithmParms -> sigScheme1802 is TPM_SS_NONE1803 8. else If migrationKeyAuth -> migrationScheme ==1804 TPM_MS_RESTRICT_APPROVE_DOUBLE,1805 a. Verify that the intended migration destination has been approved by the MSA:1806 i. Verify that for one of the n=1 to n=(msaList -> MSAlist) values of msaList ->1807 migAuthDigest[n], sigTicket == HMAC (V1) using tpmProof as the secret where V11808 is a TPM_CMK_SIGTICKET structure such that:1809 (1) V1 -> verKeyDigest = msaList -> migAuthDigest[n]1810 (2) V1 -> signedData = SHA1[restrictTicket]1811 ii. If [restrictTicket -> destinationKeyDigest] != SHA1[migrationKeyAuth ->1812 migrationKey], return error TPM_MA_DESTINATION1813 iii. If [restrictTicket -> sourceKeyDigest] != pubSourceKeyDigest, return error1814 TPM_MA_SOURCE1815 9. Else return with error TPM_BAD_PARAMETER.1816 10.Build two bytes array, K1 and K2, using d1:1817 a. K1 = TPM_STORE_ASYMKEY.privKey[0..19]1818 (TPM_STORE_ASYMKEY.privKey.keyLength + 16 bytes of1819 TPM_STORE_ASYMKEY.privKey.key), sizeof(K1) = 201820 b. K2 = TPM_STORE_ASYMKEY.privKey[20..131] (position 16-127 of1821 TPM_STORE_ASYMKEY . privKey.key), sizeof(K2) = 1121822 11.Build M1 a TPM_MIGRATE_ASYMKEY structure1823 a. TPM_MIGRATE_ASYMKEY.payload = TPM_PT_CMK_MIGRATE1824 b. TPM_MIGRATE_ASYMKEY.usageAuth = TPM_STORE_ASYMKEY.usageAuth1825 c. TPM_MIGRATE_ASYMKEY.pubDataDigest = TPM_STORE_ASYMKEY. pubDataDigest1826 d. TPM_MIGRATE_ASYMKEY.partPrivKeyLen = 112 ­ 127.1827 e. TPM_MIGRATE_ASYMKEY.partPrivKey = K21828 12.Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the OAEP1829 encoding of m using OAEP parameters m, pHash, and seed1830 a. m is the previously created M11831 b. pHash = SHA1( SHA1[msaList] || pubSourceKeyDigest)1832 c. seed = s1 = the previously created K11833 13.Create r1 a random value from the TPM RNG. The size of r1 MUST be the size of o1.1834 Return r1 in the random parameter1835 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 105 TCG Published 14.Create x1 by XOR of o1 with r11836 15.Copy r1 into the output field "random"1837 16.Encrypt x1 with the migrationKeyAuth-> migrationKey1838 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 106 Level 2 Revision 94 29 March 2006 Draft TCG Published 11.10TPM_CMK_ConvertMigration1839 Start of informative comment:1840 TPM_CMK_ConvertMigration completes the migration of certified migration blobs.1841 This command takes a certified migration blob and creates a normal wrapped blob with1842 payload type TPM_PT_MIGRATE_EXTERNAL. The migrated blob must be loaded into the1843 TPM using the normal TPM_LoadKey function.1844 Note that the command migrates private keys, only. The migration of the associated public1845 keys is not specified by TPM because they are not security sensitive. Migration of the1846 associated public keys may be specified in a platform specific specification. A TPM_KEY1847 structure must be recreated before the migrated key can be used by the target TPM in a1848 TPM_LoadKey command.1849 TPM_CMK_ConvertMigration checks that one of the MAs implicitly listed in the1850 migrationAuth of the target key has approved migration of the target key to the destination1851 (parent) key, and that the settings (flags etc.) in the target key are those of a CMK.1852 End of informative comment.1853 Incoming Operands and Sizes1854 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CMK_ConvertMigration 4 4 TPM_KEY_HANDLE parentHandle Handle of a loaded key that can decrypt keys. 5 60 2S 60 TPM_CMK_AUTH restrictTicket The digests of public keys belonging to the Migration Authority, the destination parent key and the key -to-be-migrated. 6 20 3S 20 TPM_HMAC sigTicket A signature ticket, generated by the TPM, signalinga valid signature over restrictTicket 7 <> 4S <> TPM_KEY12 migratedKey The public key of the key -to-be-migrated. The private portion MUST be TPM_MIGRATE_ASYMKEY properly XOR'd 8 4 5S 4 UINT32 msaListSize The size of the msaList parameter, which is a variable length TPM_MSA_COMPOSITEstructure 9 <> 6S <> TPM_MSA_COMPOSITE msaList One ormore digests of public keys belonging to migration authorities 10 4 7S 4 UINT32 randomSize Size of random 11 <> 8S <> BYTE [ ] random Random value used to hide key data. 12 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for keyHandle. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 13 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 14 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 15 20 TPM_AUTHDATA parentAuth Authorization HMAC : parentKey.usageAuth TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 107 TCG Published Outgoing Operands and Sizes1855 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CMK_ConvertMigration 4 4 3S 4 UINT32 outDataSize The used size of the output area for outData 5 <> 4S <> BYTE[ ] outData The encrypted private key that can be loaded with TPM_LoadKey 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 TPM_AUTHDATA resAuth Authorization HMAC key.usageAuth Action1856 1. Validate the AuthData to use the key in parentHandle1857 2. If the keyUsage field of the key referenced by parentHandle does not have the value1858 TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE1859 3. Create d1 by decrypting the migratedKey -> encData area using the key in parentHandle1860 4. Create o1 by XOR d1 and random parameter1861 5. Create m1 a TPM_MIGRATE_ASYMKEY, seed and pHash by OAEP decoding o11862 6. Create migratedPubKey a TPM_PUBKEY structure corresponding to migratedKey1863 a. Verify that pHash == SHA1( SHA1[msaList] || SHA1(migratedPubKey )1864 7. Create k1 by combining seed and the TPM_MIGRATE_ASYMKEY -> partPrivKey field1865 8. Create d2 a TPM_STORE_ASYMKEY structure.1866 a. Set the TPM_STORE_ASYMKEY -> privKey field to k11867 b. Set d2 -> usageAuth to m1 -> usageAuth1868 c. Set d2 -> pubDataDigest to m1 -> pubDataDigest1869 9. Verify that parentHandle-> keyFlags -> migratable == FALSE and parentHandle->1870 encData -> migrationAuth == tpmProof1871 10.Verify that m1 -> payload == TPM_PT_CMK_MIGRATE then set d2-> payload =1872 TPM_PT_MIGRATE_EXTERNAL1873 11.Verify that for one of the n=1 to n=(msaList -> MSAlist) values of msaList ->1874 migAuthDigest[n] sigTicket == HMAC (V1) using tpmProof as the secret where V1 is a1875 TPM_CMK_SIGTICKET structure such that:1876 a. V1 -> verKeyDigest = msaList -> migAuthDigest[n]1877 b. V1 -> signedData = SHA1[restrictTicket]1878 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 108 Level 2 Revision 94 29 March 2006 Draft TCG Published 12.Create parentPubKey, a TPM_PUBKEY structure corresponding to parentHandle1879 13.If [restrictTicket -> destinationKeyDigest] != SHA1(parentPubKey), return error1880 TPM_MA_DESTINATION1881 14.Verify that migratedKey is corresponding to d21882 15.If migratedKey -> keyFlags -> migratable is FALSE, and return error1883 TPM_INVALID_KEYUSAGE1884 16.If migratedKey -> keyFlags -> migrateAuthority is FALSE, return error1885 TPM_INVALID_KEYUSAGE1886 17.If [restrictTicket -> sourceKeyDigest] != SHA1(migratedPubKey), return error1887 TPM_MA_SOURCE1888 18.Create M2 a TPM_CMK_MIGAUTH structure1889 a. Set M2 -> msaDigest to SHA1[msaList]1890 b. Set M2 -> pubKeyDigest to SHA1[migratedPubKey]1891 19.Set d2 -> migrationAuth = HMAC(M2) using tpmProof as the secret1892 20.Create outData using the key in parentHandle to perform the encryption1893 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 109 TCG Published 12. Maintenance Functions (optional)1894 Start of informative comment:1895 When a maintenance archive is created with generateRandom FALSE, the maintenance blob1896 is XOR encrypted with the owner authorization before encryption with the maintenance1897 public key. This prevents the manufacturer from obtaining plaintext data. The receiving1898 TPM must have the same owner authorization as the sending TPM in order to XOR decrypt1899 the archive.1900 When generateRandom is TRUE, the maintenance blob is XOR encrypted with random data,1901 which is also returned. This permits someone trusted by the Owner to load the1902 maintenance archive into the replacement platform in the absence of the Owner and1903 manufacturer, without the Owner having to reveal information about his auth value. The1904 receiving and sending TPM's may have different owner authorizations. The random data is1905 transferred from the sending TPM owner to the receiving TPM owner out of band, so the1906 maintenance blob remains hidden from the manufacturer.1907 This is a typical maintenance sequence:1908 1. Manufacturer:1909 * generates maintenance key pair1910 * gives public key to TPM1 owner1911 2. TPM1: TPM_LoadManuMaintPub1912 * load maintenance public key1913 3. TPM1: TPM_CreateMaintenanceArchive1914 * XOR encrypt with owner auth or random1915 * encrypt with maintenance public key1916 4. Manufacturer:1917 * decrypt with maintenance private key1918 * (still XOR encrypted with owner auth or random)1919 * encrypt with TPM2 SRK public key1920 5. TPM2: TPM_LoadMaintenanceArchive1921 * decrypt with SRK private key1922 * XOR decrypt with owner auth or random1923 End of informative comment.1924 1925 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 110 Level 2 Revision 94 29 March 2006 Draft TCG Published 1926 12.1 TPM_CreateMaintenanceArchive1927 Start of informative comment:1928 This command creates the maintenance archive. It can only be executed by the owner, and1929 may be shut off with the TPM_KillMaintenanceFeature command.1930 End of informative comment.1931 Incoming Operands and Sizes1932 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Cmd ordinal: TPM_ORD_CreateMaintenanceArchive 4 1 2S 1 BOOL generateRandom Use RNG or Owner auth to generate `random'. 5 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Ev en nonce previously generated by TPM to cover inputs 6 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 8 20 TPM_AUTHDATA ownerAuth HMAC key: ownerAuth. Outgoing Operands and Sizes1933 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Cmd ordinal: TPM_ORD_CreateMaintenanceArchive 4 4 3S 4 UINT32 randomSize Size of the returned random data. Will be 0 if generateRandom is FALSE. 5 <> 4S <> BYTE [ ] random Random data to XOR with result. 6 4 5S 4 UINT32 archiveSize Size of the encrypted archive 7 <> 6S <> BYTE [ ] archive Encrypted key archive. 8 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 10 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth. Actions1934 Upon authorization being confirmed this command does the following:1935 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 111 TCG Published 1. Validates that the TPM_PERMANENT_FLAGS -> allowMaintenance is TRUE. If it is1936 FALSE, the TPM SHALL return TPM_DISABLED_CMD and exit this capability.1937 2. Validates the TPM Owner AuthData.1938 3. If the value of TPM_PERMANENT_DATA -> manuMaintPub is zero, the TPM MUST1939 return the error code TPM_KEYNOTFOUND1940 4. Build a1 a TPM_KEY structure using the SRK. The encData field is not a normal1941 TPM_STORE_ASYMKEY structure but rather a TPM_MIGRATE_ASYMKEY structure built1942 using the following actions.1943 5. Build a TPM_STORE_PRIVKEY structure from the SRK. This privKey element should be1944 132 bytes long for a 2K RSA key.1945 6. Create k1 and k2 by splitting the privKey element created in step 4 into 2 parts. k1 is1946 the first 20 bytes of privKey, k2 contains the remainder of privKey.1947 7. Build m1 by creating and filling in a TPM_MIGRATE_ASYMKEY structure1948 a. m1 -> usageAuth is set to TPM_PERMANENT_DATA -> tpmProof1949 b. m1 -> pubDataDigest is set to the digest value of the SRK fields from step 41950 c. m1 -> payload is set to TPM_PT_MAINT1951 d. m1 -> partPrivKey is set to k21952 8. Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the OAEP1953 encoding of m using OAEP parameters of1954 a. m = TPM_MIGRATE_ASYMKEY structure (step 7)1955 b. pHash = TPM_PERMANENT_DATA -> ownerAuth1956 c. seed = s1 = k1 (step 6)1957 9. If generateRandom = TRUE1958 a. Create r1 by obtaining values from the TPM RNG. The size of r1 MUST be the same1959 size as o1. Set random parameter to r11960 10.If generateRandom = FALSE1961 a. Create r1 by applying MGF1 to the TPM Owner AuthData. The size of r1 MUST be the1962 same size as o1. Set random parameter to null.1963 11.Create x1 by XOR of o1 with r11964 12.Encrypt x1 with the manuMaintPub key using the TPM_ES_RSAESOAEP_SHA1_MGF11965 encryption scheme.1966 13.Set a1 -> encData to the encryption of x11967 14.Set TPM_PERMANENT_FLAGS -> maintenanceDone to TRUE1968 15.Return a1 in the archive parameter1969 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 112 Level 2 Revision 94 29 March 2006 Draft TCG Published 12.2 TPM_LoadMaintenanceArchive1970 Start of informative comment:1971 This command loads in a Maintenance archive that has been massaged by the1972 manufacturer to load into another TPM.1973 If the maintenance archive was created using the owner authorization for XOR encryption,1974 the current owner authorization must be used for decryption. The owner authorization does1975 not change.1976 If the maintenance archive was created using random data for the XOR encryption, the1977 vendor specific arguments must include the random data. The owner authorization may1978 change.1979 End of informative comment.1980 Incoming Operands and Sizes1981 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadMaintenanceArchive 4 4 2S 4 UINT32 archiveSize Sice of the encrypted archive 5 <> 3S <> BYTE[] archive Encrypted key archive ... ... Vendor specific arguments - 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs - 20 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle - 1 1 BOOL continueAuthSession The continue use flag for the authorization session handle -- 20 TPM_AUTHDATA ownerAuth Theauthorization session digest for inputs and owner authentication. HMAC key: ownerAuth. 1982 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 113 TCG Published Outgoing Operands and Sizes1983 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 4 TPM_RESULT returnCode The return code of the operation. 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadMaintenanceArchive .. .. Vendor specific arguments - 20 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle - 1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active - 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth, the original value and not the new auth value Descriptions1984 The maintenance mechanisms in the TPM MUST not require the TPM to hold a global1985 secret. The definition of global secret is a secret value shared by more than one TPM.1986 The TPME is not allowed to pre-store or use unique identifiers in the TPM for the purpose of1987 maintenance. The TPM MUST NOT use the endorsement key for identification or encryption1988 in the maintenance process. The maintenance process MAY use a TPM Identity to deliver1989 maintenance information to specific TPM's.1990 The maintenance process can only change the SRK, tpmProof and TPM Owner AuthData1991 fields.1992 The maintenance process can only access data in shielded locations where this data is1993 necessary to validate the TPM Owner, validate the TPME and manipulate the blob1994 The TPM MUST be conformant to the TPM specification, protection profiles and security1995 targets after maintenance. The maintenance MAY NOT decrease the security values from1996 the original security target.1997 The security target used to evaluate this TPM MUST include this command in the TOE.1998 Actions1999 The TPM SHALL perform the following when executing the command2000 1. Validate the TPM Owner's AuthData2001 2. Validate that the maintenance information was sent by the TPME. The validation2002 mechanism MUST use a strength of function that is at least the same strength of2003 function as a digital signature performed using a 2048 bit RSA key.2004 3. The packet MUST contain m2 as defined in section 12.1.2005 4. Ensure that only the target TPM can interpret the maintenance packet. The protection2006 mechanism MUST use a strength of function that is at least the same strength of2007 function as a digital signature performed using a 2048 bit RSA key.2008 5. Process the maintenance information2009 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 114 Level 2 Revision 94 29 March 2006 Draft TCG Published a. Update the SRK2010 i. Set the SRK usageAuth to be the same as the source TPM owner's AuthData2011 b. Update TPM_PERMANENT_DATA -> tpmProof2012 c. Update TPM_PERMANENT_DATA -> ownerAuth2013 6. Set TPM_PERMANENT_FLAGS -> maintenanceDone to TRUE2014 7. Terminate all OSAP and DSAP sessions2015 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 115 TCG Published 12.3 TPM_KillMaintenanceFeature2016 Informative Comments:2017 The TPM_KillMaintencanceFeature is a permanent action that prevents ANYONE from2018 creating a maintenance archive. This action, once taken, is permanent until a new TPM2019 Owner is set.2020 This action is to allow those customers who do not want the maintenance feature to not2021 allow the use of the maintenance feature.2022 At the discretion of the Owner, it should be possible to kill the maintenance feature in such2023 a way that the only way to recover maintainability of the platform would be to wipe out the2024 root keys. This feature is mandatory in any TPM that implements the maintenance feature.2025 End informative Comment2026 Incoming Operands and Sizes2027 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total num ber of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_KillMaintenanceFeature 4 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 5 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 7 20 TPM_AUTHDATA ownerAuth HMAC key: ownerAuth. Outgoing Operands and Sizes2028 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_KillMaintenanceFeature 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth HMAC key: ownerAuth. Actions2029 1. Validate the TPM Owner AuthData2030 2. Set the TPM_PERMANENT_FLAGS.allowMaintenance flag to FALSE.2031 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 116 Level 2 Revision 94 29 March 2006 Draft TCG Published 12.4 TPM_LoadManuMaintPub2032 Informative Comments:2033 The TPM_LoadManuMaintPub command loads the manufacturer's public key for use in the2034 maintenance process. The command installs manuMaintPub in PERMANENT data storage2035 inside a TPM. Maintenance enables duplication of non-migratory data in protected storage.2036 There is therefore a security hole if a platform is shipped before the maintenance public key2037 has been installed in a TPM.2038 The command is expected to be used before installation of a TPM Owner or any key in TPM2039 protected storage. It therefore does not use authorization.2040 End of Informative Comments2041 Incoming Operands and Sizes2042 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadManuMaintPub 4 20 2S 20 TPM_NONCE antiReplay AntiReplay and validation nonce 5 <> 3S <> TPM_PUBKEY pubKey The public key of the manufacturer to be in use for maintenance Outgoing Operands and Sizes2043 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadManuMaintPub 4 20 3S 20 TPM_DIGEST checksum Digest of pubKey and antiReplay Description2044 The pubKey MUST specify an algorithm whose strength is not less than the RSA algorithm2045 with 2048bit keys.2046 pubKey SHOULD unambiguously identify the entity that will perform the maintenance2047 process with the TPM Owner.2048 TPM_PERMANENT_DATA -> manuMaintPub SHALL exist in a TPM-shielded location, only.2049 If an entity (Platform Entity) does not support the maintenance process but issues a2050 platform credential for a platform containing a TPM that supports the maintenance process,2051 the value of TPM_PERMANENT_DATA -> manuMaintPub MUST be set to zero before the2052 platform leaves the entity's control. That is, this ordinal can only be run once, and used to2053 either load the key or load a NULL key.2054 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 117 TCG Published Actions2055 The first valid TPM_LoadManuMaintPub command received by a TPM SHALL2056 1. Store the parameter pubKey as TPM_PERMANENT_DATA -> manuMaintPub.2057 2. Set checksum to SHA-1 of (pubKey || antiReplay)2058 3. Export the checksum2059 4. Subsequent calls to TPM_LoadManuMaintPub SHALL return code2060 TPM_DISABLED_CMD.2061 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 118 Level 2 Revision 94 29 March 2006 Draft TCG Published 12.5 TPM_ReadManuMaintPub2062 Informative Comments:2063 The TPM_ReadManuMaintPub command is used to check whether the manufacturer's2064 public maintenance key in a TPM has the expected value. This may be useful during the2065 manufacture process. The command returns a digest of the installed key, rather than the2066 key itself. This hinders discovery of the maintenance key, which may (or may not) be useful2067 for manufacturer privacy.2068 The command is expected to be used before installation of a TPM Owner or any key in TPM2069 protected storage. It therefore does not use authorization.2070 End of Informative Comments2071 Incoming Operands and Sizes2072 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReadManuMaintPub 4 20 2S 20 TPM_NONCE antiReplay AntiReplay and validation nonce Outgoing Operands and Sizes2073 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReadManuMaintPub 4 20 3S 20 TPM_DIGEST checksum Digest of pubKey and antiReplay Description2074 This command returns the hash of the antiReplay nonce and the previously loaded2075 manufacturer's maintenance public key.2076 Actions2077 The TPM_ReadManuMaintPub command SHALL2078 1. Create "checksum" by concatenating data to form (TPM_PERMANENT_DATA ->2079 manuMaintPub ||antiReplay) and passing the concatenated data through SHA1.2080 2. Export the checksum2081 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 119 TCG Published 13. Cryptographic Functions2082 13.1 TPM_SHA1Start2083 Start of informative comment:2084 This capability starts the process of calculating a SHA-1 digest.2085 The exposure of the SHA-1 processing is a convenience to platforms in a mode that do not2086 have sufficient memory to perform SHA-1 themselves. As such, the use of SHA-1 is2087 restrictive on the TPM.2088 The TPM may not allow any other types of processing during the execution of a SHA-12089 session. There is only one SHA-1 session active on a TPM.2090 After the execution of TPM_SHA1Start, and prior to TPM_SHA1Complete or2091 TPM_SHA1CompleteExtend, the receipt of any command other than TPM_SHA1Update will2092 cause the invalidation of the SHA-1 session.2093 End of informative comment.2094 Incoming Operands and Sizes2095 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SHA1Start Outgoing Operands and Sizes2096 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SHA1Start 4 4 3S 4 UINT32 maxNumBytes Maximum number of bytes that can be sent to TPM_SHA1Update. Must be a multiple of 64 bytes. Description2097 1. This capability prepares the TPM for a subsequent TPM_SHA1Update,2098 TPM_SHA1Complete or TPM_SHA1CompleteExtend command. The capability SHALL2099 open a thread that calculates a SHA-1 digest.2100 2. After receipt to TPM_SHA1Start, and prior to the receipt of TPM_SHA1Complete or2101 TPM_SHA1CompleteExtend, receipt of any command other than TPM_SHA1Update2102 invalidates the SHA-1 session.2103 a. If the command received is TPM_ExecuteTransport, the SHA-1 session invalidation is2104 based on the wrapped command, not the TPM_ExecuteTransport ordinal.2105 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 120 Level 2 Revision 94 29 March 2006 Draft TCG Published 13.2 TPM_SHA1Update2106 Start of informative comment:2107 This capability inputs complete blocks of data into a pending SHA-1 digest. At the end of2108 the process, the digest remains pending.2109 End of informative comment.2110 Incoming Operands and Sizes2111 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SHA1Update 4 4 2S 4 UINT32 numBytes The number of bytes in hashData. Must be a multiple of 64 bytes. 5 <> 3S <> BYTE [ ] hashData Bytes to be hashed Outgoing Operands and Sizes2112 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SHA1Update Description2113 This command SHALL incorporate complete blocks of data into the digest of an existing2114 SHA-1 thread. Only integral numbers of complete blocks (64 bytes each) can be processed.2115 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 121 TCG Published 13.3 TPM_SHA1Complete2116 Start of informative comment:2117 This capability terminates a pending SHA-1 calculation.2118 End of informative comment.2119 Incoming Operands and Sizes2120 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SHA1Complete 4 4 2S 4 UINT32 hashDataSize Number of bytes in hashData, MUST be 64 or less 5 <> 3S <> BYTE [ ] hashData Final bytes to be hashed Outgoing Operands and Sizes2121 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SHA1Complete 4 20 3S 20 TPM_DIGEST hashValue The output of the SHA-1 hash. Description2122 This command SHALL incorporate a partial or complete block of data into the digest of an2123 existing SHA-1 thread, and terminate that thread. hashDataSize MAY have values in the2124 range of 0 through 64, inclusive.2125 If the SHA-1 thread has received no bytes the TPM SHALL calculate the SHA-1 of the empty2126 buffer.2127 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 122 Level 2 Revision 94 29 March 2006 Draft TCG Published 13.4 TPM_SHA1CompleteExtend2128 Start of informative comment:2129 This capability terminates a pending SHA-1 calculation and EXTENDS the result into a2130 Platform Configuration Register using a SHA-1 hash process.2131 This command is designed to complete a hash sequence and extend a PCR in memory-less2132 environments.2133 End of informative comment.2134 Incoming Operands and Sizes2135 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SHA1CompleteExtend 4 4 2S 4 TPM_PCRINDEX pcrNum Index of the PCR to be modified 5 4 3S 4 UINT32 hashDataSize Number of bytes in hashData, MUST be 64 or less 6 <> 4S <> BYTE [ ] hashData Final bytes to be hashed Outgoing Operands and Sizes2136 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SHA1CompleteExtend 4 20 3S 20 TPM_DIGEST hashValue The output of the SHA-1 hash. 5 20 4S 20 TPM_PCRVALUE outDigest The PCR value after execution of the command. Description2137 This command SHALL incorporate a partial or complete block of data into the digest of an2138 existing SHA-1 thread, EXTEND the resultant digest into a PCR, and terminate the SHA-12139 session. hashDataSize MAY have values in the range of 0 through 64, inclusive.2140 The SHA-1 session MUST terminate even if the command returns an error, e.g.2141 TPM_BAD_LOCALITY.2142 Actions2143 1. Map V1 to TPM_STANY_DATA2144 2. Map L1 to V1 -> localityModifier2145 3. If the current locality, held in L1, is not selected in TPM_PERMANENT_DATA -> pcrAttrib2146 [pcrNum]. pcrExtendLocal, return TPM_BAD_LOCALITY2147 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 123 TCG Published 4. Create H1 the TPM_DIGEST of the SHA-1 session ensuring that hashData, if any, is2148 added to the SHA-1 session2149 5. Perform the actions of TPM_Extend using H1 as the data and pcrNum as the PCR to2150 extend2151 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 124 Level 2 Revision 94 29 March 2006 Draft TCG Published 13.5 TPM_Sign2152 Start of informative comment:2153 The Sign command signs data and returns the resulting digital signature2154 End of informative comment.2155 Incoming Operands and Sizes2156 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Sign. 4 4 TPM_KEY_HANDLE keyHandle The keyHandle identifier of a loaded key that can perform digital signatures. 5 4 2s 4 UINT32 areaToSignSize The size of the areaToSign parameter 6 <> 3s <> BYTE[] areaToSign The value to sign 7 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for keyHandle authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 10 20 TPM_AUTHDATA privAuth Theauthorization session digest that authorizes the use of keyHandle. HMAC key: key.usageAuth Outgoing Operands and Sizes2157 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Sign. 4 4 3S 4 UINT32 sigSize The length of the returned digital signature 5 <> 4S <> BYTE[ ] sig The resulting digital signature. 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: key.usageAuth Description2158 The TPM MUST support all values of areaToSignSize that are legal for the defined signature2159 scheme and key size. The maximum value of areaToSignSize is determined by the defined2160 signature scheme and key size.2161 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 125 TCG Published In the case of PKCS1v15_SHA1 the areaToSignSize MUST be TPM_DIGEST (the hash size of2162 a SHA-1 operation - see 8.5.1 TPM_SS_RSASSAPKCS1v15_SHA1). In the case of2163 PKCS1v15_DER the maximum size of areaToSign is k-11 octets, where k is limited by the2164 key size (see TPM_SS_RSASSAPKCS1v15_DER).2165 Actions2166 1. The TPM validates the AuthData to use the key pointed to by keyHandle.2167 2. If the areaToSignSize is 0 the TPM returns TPM_BAD_PARAMETER.2168 3. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING or TPM_KEY_LEGACY, if not2169 return the error code TPM_INVALID_KEYUSAGE2170 4. The TPM verifies that the signature scheme and key size can properly sign the2171 areaToSign parameter.2172 5. If signature scheme is TPM_SS_RSASSAPKCS1v15_SHA1 then2173 a. Validate that areaToSignSize is 20 return TPM_BAD_PARAMETER on error2174 b. Set S1 to areaToSign2175 6. Else if signature scheme is TPM_SS_RSASSAPKCS1v15_DER then2176 a. Validate that areaToSignSize is at least 11 bytes less than the key size, return2177 TPM_BAD_PARAMETER on error2178 b. Set S1 to areaToSign2179 7. else if signature scheme is TPM_SS_RSASSAPKCS1v15_INFO then2180 a. Create S2 a TPM_SIGN_INFO structure2181 b. Set S2 -> fixed to "SIGN"2182 c. Set S2 -> replay to nonceOdd2183 i. If nonceOdd is not present due to an unauthorized command return2184 TPM_BAD_PARAMETER2185 d. Set S2 -> dataLen to areaToSignSize2186 e. Set S2 -> data to areaToSign2187 f. Set S1 to the SHA-1(S2)2188 8. Else return TPM_INVALID_KEYUSAGE2189 9. The TPM computes the signature, sig, using the key referenced by keyHandle using S12190 as the value to sign2191 10.Return the computed signature in Sig2192 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 126 Level 2 Revision 94 29 March 2006 Draft TCG Published 13.6 TPM_GetRandom2193 Start of informative comment:2194 TPM_GetRandom returns the next bytesRequested bytes from the random number2195 generator to the caller.2196 It is recommended that a TPM implement the RNG in a manner that would allow it to return2197 RNG bytes such that the frequency of bytesRequested being more than the number of bytes2198 available is an infrequent occurrence.2199 End of informative comment.2200 Incoming Operands and Sizes2201 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetRandom. 4 4 2S 4 UINT32 bytesRequested Number of bytes to return Outgoing Operands and Sizes2202 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetRandom. 4 4 3S 4 UINT32 randomBytesSize The number of bytes returned 5 <> 4S <> BYTE[ ] randomBytes The returned bytes Actions2203 1. The TPM determines if amount bytesRequested is available from the TPM.2204 2. Set randomBytesSize to the number of bytes available from the RNG. This number MAY2205 be less than bytesRequested.2206 3. Set randomBytes to the next randomBytesSize bytes from the RNG2207 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 127 TCG Published 13.7 TPM_StirRandom2208 Start of informative comment:2209 TPM_StirRandom adds entropy to the RNG state.2210 End of informative comment.2211 Incoming Operands and Sizes2212 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_StirRandom 4 4 2S 4 UINT32 dataSize Number of bytes of input (<256) 5 <> 3S <> BYTE[ ] inData Data to add entropy to RNG state Outgoing Operands and Sizes2213 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_StirRandom Actions2214 The TPM updates the state of the current RNG using the appropriate mixing function.2215 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 128 Level 2 Revision 94 29 March 2006 Draft TCG Published 13.8 TPM_CertifyKey2216 Start of informative comment:2217 The TPM_CertifyKey operation allows one key to certify the public portion of another key.2218 A TPM identity key may be used to certify non-migratable keys but is not permitted to2219 certify migratory keys or certified migration keys. As such, it allows the TPM to make the2220 statement "this key is held in a TPM-shielded location, and it will never be revealed." For2221 this statement to have veracity, the Challenger must trust the policies used by the entity2222 that issued the identity and the maintenance policy of the TPM manufacturer.2223 Signing and legacy keys may be used to certify both migratable and non-migratable keys.2224 Then the usefulness of a certificate depends on the trust in the certifying key by the2225 recipient of the certificate.2226 The key to be certified must be loaded before TPM_CertifyKey is called.2227 The determination to use the TPM_CERTIFY_INFO or TPM_CERTIFY_INFO2 on the output is2228 based on which PCRs and what localities the certified key is restricted to. A key to be2229 certified that does not have locality restrictions and which uses no PCRs greater than PCR2230 #15 will cause this command return and sign a TPM_CERTIFY_INFO structure, which2231 provides compatibility with V1.1 TPMs.2232 When this command is run to certify all other keys (those that use PCR #16 or higher, as2233 well as those limited by locality in any way) it will return and sign a TPM_CERTIFY_INFO22234 structure.2235 TPM_CertifyKey does not support the case where (a) the certifying key requires a usage2236 authorization to be provided but (b) the key-to-be-certified does not. In such cases,2237 TPM_CertifyKey2 must be used.2238 If a command tag (in the parameter array) specifies only one authorisation session, then the2239 TPM convention is that the first session listed is ignored (authDataUsage must be NEVER2240 for this key) and the incoming session data is used for the second auth session in the list.2241 In TPM_CertifyKey, the first session is the certifying key and the second session is the key-2242 to-be-certified. In TPM_CertifyKey2, the first session is the key-to-be-certified and the2243 second session is the certifying key.2244 End of informative comment.2245 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 129 TCG Published Incoming Operands and Sizes2246 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CertifyKey 4 4 TPM_KEY_HANDLE certHandle Handle of the key to be used to certify the key. 5 4 TPM_KEY_HANDLE keyHandle Handle of the key to be certified. 6 20 2S 20 TPM_NONCE antiReplay 160 bits of externally supplied data (typically a nonce provided to prevent replay -attacks) 7 4 TPM_AUTHHANDLE certAuthHandle Theauthorization session handle used for certHandle. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with certAuthHandle 9 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 10 20 TPM_AUTHDATA certAuth Theauthorization session digest for inputs and certHandle. HMAC key: certKey.auth. 11 4 TPM_AUTHHANDLE keyAuthHandle Theauthorization session handle used for the key to be signed. 2H2 20 TPM_NONCE keylastNonceEven Even nonce previously generated by TPM 12 20 3H2 20 TPM_NONCE keynonceOdd Nonce generated by system associated with keyAuthHandle 13 1 4H2 1 BOOL continueKeySession The continue use flag for the authorization session handle 14 20 TPM_AUTHDATA keyAuth Theauthorization session digest for the inputs and key to be signed. HMAC key: key.usageAuth. Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 130 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Operands and Sizes2247 Param HMAC # Sz # Sz Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CertifyKey 4 <> 3S <> TPM_CERTIFY_INFO certifyInfo TPM_CERTIFY_INFO or TPM_CERTIFY_INFO2 structure that provides information relative to keyhandle 5 4 4S 4 UINT32 outDataSize The used size of the output area for outData 6 <> 5S <> BYTE[ ] outData The signature of certifyInfo 7 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with certAuthHandle 8 1 4H1 1 BOOL continueAuthSession Continue use flag for cert key session 9 20 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters and parentHandle. HMAC key: certKey -> auth. 10 20 2H2 20 TPM_NONCE keyNonceEven Even nonce newly generated by TPM 3H2 20 TPM_NONCE keynonceOdd Nonce generated by system associated with keyAuthHandle 11 1 4H2 1 BOOL continueKey Session Continue use flag for target key session 12 20 TPM_AUTHDATA keyAuth Theauthorization session digest for the target key. HMAC key: key.auth. Actions2248 1. The TPM validates that the key pointed to by certHandle has a signature scheme of2249 TPM_SS_RSASSAPKCS1v15_SHA12250 2. Verify command and key AuthData values:2251 a. If tag is TPM_TAG_RQU_AUTH2_COMMAND2252 i. The TPM verifies the AuthData in certAuthHandle provides authorization to use2253 the key pointed to by certHandle, return TPM_AUTHFAIL on error2254 ii. The TPM verifies the AuthData in keyAuthHandle provides authorization to use2255 the key pointed to by keyHandle, return TPM_AUTH2FAIL on error2256 b. else if tag is TPM_TAG_RQU_AUTH1_COMMAND2257 i. Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by2258 certHandle, return TPM_AUTHFAIL on error.2259 ii. The TPM verifies the AuthData in keyAuthHandle provides authorization to use2260 the key pointed to by keyHandle, return TPM_AUTHFAIL on error2261 c. else if tag is TPM_TAG_RQU_COMMAND2262 i. Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by2263 certHandle, return TPM_AUTHFAIL on error.2264 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 131 TCG Published ii. Verify that authDataUsage is TPM_AUTH_NEVER or TPM_AUTH_PRIV_USE_ONLY2265 for the key referenced by keyHandle, return TPM_AUTHFAIL on error.2266 3. If the key pointed to by certHandle is an identity key (certHandle -> keyUsage is2267 TPM_KEY_IDENTITY)2268 a. If keyHandle -> keyFlags -> migratable is TRUE return TPM_MIGRATEFAIL2269 4. If keyHandle -> digestAtRelease requires the use of PCRs 16 or higher to calculate or if2270 keyHandle -> localityAtRelease is not 0x1F2271 a. Set V1 to 1.22272 5. Else2273 a. Set V1 to 1.12274 6. If keyHandle -> pcrInfoSize is not 02275 a. If keyHandle -> keyFlags has pcrIgnoredOnRead set to FALSE2276 i. Create a digestAtRelease according to the specified TPM_STCLEAR_DATA -> PCR2277 registers and compare to keyHandle -> digestAtRelease and if a mismatch return2278 TPM_WRONGPCRVAL2279 ii. If specified validate any locality requests on error TPM_BAD_LOCALITY2280 b. If V1 is 1.12281 i. Create C1 a TPM_CERTIFY_INFO structure2282 ii. Fill in C1 with the information from the key pointed to by keyHandle2283 iii. The TPM MUST set c1 -> pcrInfoSize to 44.2284 iv. The TPM MUST set c1 -> pcrInfo to a TPM_PCR_INFO structure properly filled out2285 using the information from keyHandle.2286 v. The TPM MUST set c1 -> digestAtCreation to 20 bytes of 0x00.2287 c. Else2288 i. Create C1 a TPM_CERTIFY_INFO2 structure2289 ii. Fill in C1 with the information from the key pointed to by keyHandle2290 iii. Set C1 -> pcrInfoSize to the size of an appropriate TPM_PCR_INFO_SHORT2291 structure.2292 iv. Set C1 -> pcrInfo to a properly filled out TPM_PCR_INFO_SHORT structure, using2293 the information from keyHandle.2294 v. Set C1 -> migrationAuthoritySize to 02295 7. Else2296 a. Create C1 a TPM_CERTIFY_INFO structure2297 b. Fill in C1 with the information from the key pointed to by keyHandle2298 c. The TPM MUST set c1 -> pcrInfoSize to 02299 8. Create TPM_DIGEST H1 which is the SHA-1 hash of keyHandle -> pubKey -> key. Note2300 that is the actual public modulus, and does not include any structure formatting.2301 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 132 Level 2 Revision 94 29 March 2006 Draft TCG Published 9. Set C1 -> pubKeyDigest to H12302 10.The TPM copies the antiReplay parameter to c1 -> data.2303 11.The TPM sets certifyInfo to C1.2304 12.The TPM creates m1, a message digest formed by taking the SHA1 of c1.2305 a. The TPM then computes a signature using certHandle -> sigScheme. The resulting2306 signed blob is returned in outData.2307 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 133 TCG Published 13.9 TPM_CertifyKey22308 Start of informative comment:2309 This command is based on TPM_CertifyKey, but includes the ability to certify a Certifiable2310 Migration Key (CMK), which requires extra input parameters.2311 TPM_CertifyKey2 always produces a TPM_CERTIFY_INFO2 structure.2312 TPM_CertifyKey2 does not support the case where (a) the key-to-be-certified requires a2313 usage authorization to be provided but (b) the certifying key does not.2314 If a command tag (in the parameter array) specifies only one authorisation session, then the2315 TPM convention is that the first session listed is ignored (authDataUsage must be NEVER2316 for this key) and the incoming session data is used for the second auth session in the list.2317 In TPM_CertifyKey2, the first session is the key to be certified and the second session is the2318 certifying key.2319 End of informative comment.2320 Incoming Operands and Sizes2321 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CertifyKey2 4 4 TPM_KEY_HANDLE keyHandle Handle of the key to be certified. 5 4 TPM_KEY_HANDLE certHandle Handle of the key to be used to certify the key. 6 20 2S 20 TPM_DIGEST migrationPubDigest The digest of a TPM_MSA_COMPOSITE structure, containing at least one public key of a Migration Authority 7 20 3S 20 TPM_NONCE antiReplay 160 bits of externally supplied data (typically a nonce provided to prevent replay -attacks) 8 4 TPM_AUTHHANDLE keyAuthHandle Theauthorization session handle used for the key to be signed. 2H1 20 TPM_NONCE keylastNonceEven Even nonce previously generated by TPM 9 20 3H1 20 TPM_NONCE keynonceOdd Nonce generated by system associated with keyAuthHandle 10 1 4H1 1 BOOL continueKeySession The continue use flag for the authorization session handle 11 20 TPM_AUTHDATA keyAuth Theauthorization session digest for the inputs and key to be signed. HMAC key: key.usageAuth. 12 4 TPM_AUTHHANDLE certAuthHandle Theauthorization session handle used for certHandle. 2H2 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 13 20 3H2 20 TPM_NONCE nonceOdd Nonce generated by system associated with certAuthHandle 14 1 4H2 1 BOOL continueAuthSession The continue use flag for the authorization session handle 15 20 TPM_AUTHDATA certAuth Authorization HMAC key: certKey.auth. Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 134 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Operands and Sizes2322 Param HMAC # Sz # Sz Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CertifyKey2 4 <> 3S <> TPM_CERTIFY_INFO2 certifyInfo TPM_CERTIFY_INFO2 relativ e to keyHandle 5 4 4S 4 UINT32 outDataSize The used size of the output area for outData 6 <> 5S <> BYTE[ ] outData The signed public key. 7 20 2H1 20 TPM_NONCE keyNonceEven Even nonce newly generated by TPM 3H1 20 TPM_NONCE keyNonceOdd Nonce generated by system associated with certAuthHandle 8 1 4H1 1 BOOL keyContinueAuthSession Continue use flag for cert key session 9 20 20 TPM_AUTHDATA keyResAuth Authorization HMAC key: keyHandle -> auth. 10 20 2H2 20 TPM_NONCE certNonceEven Even nonce new ly generated by TPM 3H2 20 TPM_NONCE AuthLastNonceOdd Nonce generated by system associated with certAuthHandle 11 1 4H2 1 BOOL CertContinueAuthSession Continue use flag for cert key session 12 20 20 TPM_AUTHDATA certResAuth Authorization HMAC key: certHandle -> auth. Actions2323 1. The TPM validates that the key pointed to by certHandle has a signature scheme of2324 TPM_SS_RSASSAPKCS1v15_SHA12325 2. Verify command and key AuthData values:2326 a. If tag is TPM_TAG_RQU_AUTH2_COMMAND2327 i. The TPM verifies the AuthData in keyAuthHandle provides authorization to use2328 the key pointed to by keyHandle, return TPM_AUTHFAIL on error2329 ii. The TPM verifies the AuthData in certAuthHandle provides authorization to use2330 the key pointed to by certHandle, return TPM_AUTH2FAIL on error2331 b. else if tag is TPM_TAG_RQU_AUTH1_COMMAND2332 i. Verify that authDataUsage is TPM_AUTH_NEVER or TPM_AUTH_PRIV_USE_ONLY2333 for the key referenced by keyHandle, return TPM_AUTHFAIL on error2334 ii. The TPM verifies the AuthData in certAuthHandle provides authorization to use2335 the key pointed to by certHandle, return TPM_AUTH2FAIL on error2336 c. else if tag is TPM_TAG_RQU_COMMAND2337 i. Verify that authDataUsage is TPM_AUTH_NEVER or TPM_AUTH_PRIV_USE_ONLY2338 for the key referenced by keyHandle, return TPM_AUTHFAIL on error2339 ii. Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by2340 certHandle, return TPM_AUTHFAIL on error.2341 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 135 TCG Published 3. If the key pointed to by certHandle is an identity key (certHandle -> keyUsage is2342 TPM_KEY_IDENTITY)2343 a. If keyHandle -> keyFlags -> migratable is TRUE and [keyHandle -> keyFlags->2344 migrateAuthority is FALSE or (keyHandle -> payload != TPM_PT_MIGRATE_RESTRICTED2345 and keyHandle -> payload != TPM_PT_MIGRATE_EXTERNAL)] return2346 TPM_MIGRATEFAIL2347 4. The TPM SHALL create a c1 a TPM_CERTIFY_INFO2 structure from the key pointed to2348 by keyHandle2349 5. Create TPM_DIGEST H1 which is the SHA-1 hash of keyHandle -> pubKey -> key. Note2350 that is the actual public modulus, and does not include any structure formatting.2351 6. Set C1 -> pubKeyDigest to H12352 7. Copy the antiReplay parameter to c1 -> data2353 8. Copy other keyHandle parameters into C12354 9. If keyHandle -> payload == TPM_PT_MIGRATE_RESTRICTED or2355 TPM_PT_MIGRATE_EXTERNAL2356 a. create thisPubKey, a TPM_PUBKEY structure containing the public key, algorithm2357 and parameters corresponding to keyHandle2358 b. Verify that the migration authorization is valid for this key2359 i. Create M2 a TPM_CMK_MIGAUTH structure2360 ii. Set M2 -> msaDigest to migrationPubDigest2361 iii. Set M2 -> pubkeyDigest to SHA1[thisPubKey]2362 iv. Verify that [keyHandle -> migrationAuth] == HMAC(M2) signed by using tpmProof2363 as the secret and return error TPM_MA_SOURCE on mismatch2364 c. Set C1 -> migrationAuthority = SHA-1(migrationPubDigest || keyHandle -> payload)2365 d. if keyHandle -> payload == TPM_PT_MIGRATE_RESTRICTED2366 i. Set C1 -> payloadType = TPM_PT_MIGRATE_RESTRICTED2367 e. if keyHandle -> payload == TPM_PT_MIGRATE_EXTERNAL2368 i. Set C1 -> payloadType = TPM_PT_MIGRATE_EXTERNAL2369 10.Else2370 a. set C1 -> migrationAuthority = NULL2371 b. set C1 -> migrationAuthoritySize =02372 c. Set C1 -> payloadType = TPM_PT_ASYM2373 11.If keyHandle -> pcrInfoSize is not 02374 a. The TPM MUST set c1 -> pcrInfoSize to match the pcrInfoSize from the keyHandle2375 key.2376 b. The TPM MUST set c1 -> pcrInfo to match the pcrInfo from the keyHandle key2377 c. If keyHandle -> keyFlags has pcrIgnoredOnRead set to FALSE2378 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 136 Level 2 Revision 94 29 March 2006 Draft TCG Published i. Create a digestAtRelease according to the specified TPM_STCLEAR_DATA -> PCR2379 registers and compare to keyHandle -> digestAtRelease and if a mismatch return2380 TPM_WRONGPCRVAL2381 ii. If specified validate any locality requests on error TPM_BAD_LOCALITY2382 12.Else2383 a. The TPM MUST set c1 -> pcrInfoSize to 02384 13.The TPM creates m1, a message digest formed by taking the SHA1 of c12385 a. The TPM then computes a signature using certHandle -> sigScheme. The resulting2386 signed blob is returned in outData2387 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 137 TCG Published 14. Endorsement Key Handling2388 Start of informative comment:2389 There are two create EK commands. The first matches the 1.1 functionality. The second2390 provides the mechanism to enable revokeEK.2391 The TPM and platform manufacturer decide on the inclusion or exclusion of the ability to2392 execute revokeEK.2393 The restriction to have the TPM generate the EK does not remove the manufacturing option2394 to "squirt" the EK. During manufacturing, the TPM does not enforce all protections or2395 requirements; hence, the restriction on only TPM generation of the EK is also not in force.2396 End of informative comment.2397 1. A TPM SHALL NOT install an EK unless generated on the TPM by execution of2398 TPM_CreateEndorsementKeyPair or TPM_CreateRevocableEK2399 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 138 Level 2 Revision 94 29 March 2006 Draft TCG Published 14.1 TPM_CreateEndorsementKeyPair2400 Start of informative comment:2401 This command creates the TPM endorsement key. It returns a failure code if an2402 endorsement key already exists.2403 End of informative comment.2404 Incoming Operands and Sizes2405 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM _ORD_CreateEndorsementKeyPair 4 20 2S 20 TPM_NONCE antiReplay Arbitrary data 5 <> 3S <> TPM_KEY_PARMS keyInfo Information about key to be created, this includes all algorithm parameters Outgoing Operands and Sizes2406 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CreateEndorsementKeyPair 4 <> 3S <> TPM_PUBKEY pubEndorsementKey The public endorsement key 5 20 4S 20 TPM_DIGEST checksum Hash of pubEndorsementKey and antiReplay Actions2407 1. If an EK already exists, return TPM_DISABLED_CMD2408 2. Validate the keyInfo parameters for the key description2409 a. If the algorithm type is RSA the key length MUST be a minimum of 2048. For2410 interoperability the key length SHOULD be 20482411 b. If the algorithm type is other than RSA the strength provided by the key MUST be2412 comparable to RSA 20482413 c. The other parameters of keyInfo (signatureScheme etc.) are ignored.2414 3. Create a key pair called the "endorsement key pair" using a TPM-protected capability.2415 The type and size of key are that indicated by keyInfo2416 4. Create checksum by performing SHA1 on the concatenation of (PUBEK || antiReplay)2417 5. Store the PRIVEK2418 6. Create TPM_PERMANENT_DATA -> tpmDAASeed from the TPM RNG2419 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 139 TCG Published 7. Set TPM_PERMANENT_FLAGS -> CEKPUsed to TRUE2420 8. Set TPM_PERMANENT_FLAGS -> enableRevokeEK to FALSE2421 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 140 Level 2 Revision 94 29 March 2006 Draft TCG Published 14.2 TPM_CreateRevocableEK2422 Start of informative comment:2423 This command creates the TPM endorsement key. It returns a failure code if an2424 endorsement key already exists. The TPM vendor may have a separate mechanism to create2425 the EK and "squirt" the value into the TPM.2426 The input parameters specify whether the EK is capable of being reset, whether the2427 AuthData value to reset the EK will be generated by the TPM, and the new AuthData value2428 itself if it is not to be generated by the TPM. The output parameter is the new AuthData2429 value that must be used when resetting the EK (if it is capable of being reset).2430 The command TPM_RevokeTrust must be used to reset an EK (if it is capable of being2431 reset).2432 Owner authorisation is unsuitable for authorizing resetting of an EK: someone with2433 Physical Presence can remove a genuine Owner, install a new Owner, and revoke the EK.2434 The genuine Owner can reinstall, but the platform will have lost its original attestation and2435 may not be trusted by challengers. Therefore if a password is to be used to revoke an EK, it2436 must be a separate password, given to the genuine Owner.2437 In v1.2 an OEM has extra choices when creating EKs.2438 a) An OEM could manufacture all of its TPMs with enableRevokeEK==TRUE.2439 If the OEM has tracked the EKreset passwords for these TPMs, the OEM can give the2440 passwords to customers. The customers can use the passwords as supplied, change the2441 passwords, or clear the EKs and create new EKs with new passwords.2442 If EKreset passwords are random values, the OEM can discard those values and not give2443 them to customers. There is then a low probability (statistically zero) chance of a local DOS2444 attack to reset the EK by guessing the password. The chance of a remote DOS attack is zero2445 because Physical Presence must also be asserted to use TPM_RevokeTrust.2446 b) An OEM could manufacture some of its TPMs with enableRevokeEK==FALSE. Then the2447 EK can never be revoked, and the chance of even a local DOS attack on the EK is2448 eliminated.2449 End of informative comment.2450 This is an optional command2451 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 141 TCG Published Incoming Operands and Sizes2452 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CreateRevocableEK 4 20 2S 20 TPM_NONCE antiReplay Arbitrary data 5 <> 3S <> TPM_KEY_PARMS keyInfo Information about key to be created, this includes all algorithm parameters 6 1 4S 1 BOOL generateReset If TRUE use TPM RNG to generate EKreset. If FALSE use the passed value inputEKreset 7 20 5S 20 TPM_NONCE inputEKreset The authorization value to be used with TPM_RevokeTrust if generateReset==FALSE, else the parameter is present but ignored Outgoing Operands and Sizes2453 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CreateRevocableEK 4 <> 3S <> TPM_PUBKEY pubEndorsementKey The public endorsement key 5 20 4S 20 TPM_DIGEST checksum Hash of pubEndorsementKey and antiReplay 6 20 5S 20 TPM_NONCE outputEKreset The AuthData value to use TPM_RevokeTrust Actions2454 1. If an EK already exists, return TPM_DISABLED_CMD2455 2. Perform the actions of TPM_CreateEndorsementKeyPair, if any errors return with error2456 3. Set TPM_PERMANENT_FLAGS -> enableRevokeEK to TRUE2457 a. If generateReset is TRUE then2458 i. Set TPM_PERMANENT_DATA -> EKreset to the next value from the TPM RNG2459 b. Else2460 i. Set TPM_PERMANENT_DATA -> EKreset to inputEKreset2461 4. Return PUBEK, checksum and Ekreset2462 5. Create TPM_PERMANENT_DATA -> tpmDAASeed from the TPM RNG2463 6. The outputEKreset AuthData is sent in the clear. There is no uniqueness on the TPM2464 available to actually perform encryption or use an encrypted channel. The assumption is2465 that this operation is occurring in a controlled environment and sending the value in the2466 clear is acceptable.2467 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 142 Level 2 Revision 94 29 March 2006 Draft TCG Published 14.3 TPM_RevokeTrust2468 Start of informative comment:2469 This command clears the EK and sets the TPM back to a pure default state. The generation2470 of the AuthData value occurs during the generation of the EK. It is the responsibility of the2471 EK generator to properly protect and disseminate the RevokeTrust AuthData.2472 End of informative comment.2473 This is an optional command2474 Incoming Operands and Sizes2475 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_RevokeTrust 4 20 2S 20 TPM_DIGEST EKReset The value that will be matched to EK Reset Outgoing Operands and Sizes2476 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_RevokeTrust Actions2477 1. The TPM MUST validate that TPM_PERMANENT_FLAGS -> enableRevokeEK is TRUE,2478 return TPM_PERMANENTEK on error2479 2. The TPM MUST validate that the EKReset matches TPM_PERMANENT_DATA -> EKReset2480 return TPM_AUTHFAIL on error.2481 3. Ensure that physical presence is being asserted2482 4. Perform the actions of TPM_OwnerClear (excepting the command authentication)2483 a. NV items with the pubInfo -> nvIndex D value set MUST be deleted. This changes the2484 TPM_OwnerClear handling of the same NV areas2485 b. Set TPM_PERMANENT_FLAGS -> nvLocked to FALSE2486 5. Invalidate TPM_PERMANENT_DATA -> tpmDAASeed2487 6. Invalidate the EK and any internal state associated with the EK2488 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 143 TCG Published 14.4 TPM_ReadPubek2489 Start of informative comment:2490 Return the endorsement key public portion. This value should have controls placed upon2491 access, as it is a privacy sensitive value.2492 The readPubek flag is set to FALSE by TPM_TakeOwnership and set to TRUE by2493 TPM_OwnerClear, thus mirroring if a TPM Owner is present.2494 End of informative comment.2495 Incoming Operands and Sizes2496 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReadPubek 4 20 2S 20 TPM_NONCE antiReplay Arbitrary data Outgoing Operands and Sizes2497 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReadPubek 4 <> 3S <> TPM_PUBKEY pubEndorsementKey The public endorsement key 5 20 4S 20 TPM_DIGEST checksum Hash of pubEndorsementKey and antiReplay Description2498 This command returns the PUBEK.2499 Actions2500 The TPM_ReadPubek command SHALL2501 1. If TPM_PERMANENT_FLAGS -> readPubek is FALSE return TPM_DISABLED_CMD2502 2. If no EK is present the TPM MUST return TPM_NO_ENDORSEMENT2503 3. Create checksum by performing SHA1 on the concatenation of (pubEndorsementKey ||2504 antiReplay).2505 4. Export the PUBEK and checksum.2506 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 144 Level 2 Revision 94 29 March 2006 Draft TCG Published 14.5 TPM_OwnerReadInternalPub2507 Start of informative comment:2508 A TPM Owner authorized command that returns the public portion of the EK or SRK.2509 The keyHandle parameter is included in the incoming session authorization to prevent2510 alteration of the value, causing a different key to be read. Unlike most key handles, which2511 can be mapped by higher layer software, this key handle has only two fixed values.2512 End of informative comment.2513 Incoming Operands and Sizes2514 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_OwnerReadInternalPub 4 4 2S 4 TPM_KEY_HANDLE keyHandle Handle for either PUBEK or SRK 5 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 6 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 8 20 TPM_AUTHDATA ownerAuth Theauthorization session digest for inputs and owner authentication. HMAC key: ownerAuth. Outgoing Operands and Sizes2515 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_OwnerReadInternalPub 4 <> 3S <> TPM_PUBKEY publicPortion The public portion of the requested key 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 7 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth. Actions2516 1. Validate the parameters and TPM Owner AuthData for this command2517 2. If keyHandle is TPM_KH_EK2518 a. Set publicPortion to PUBEK2519 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 145 TCG Published 3. Else If keyHandle is TPM_KH_SRK2520 a. Set publicPortion to the TPM_PUBKEY of the SRK2521 4. Else return TPM_BAD_PARAMETER2522 5. Export the public key of the referenced key2523 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 146 Level 2 Revision 94 29 March 2006 Draft TCG Published 15. Identity Creation and Activation2524 15.1 TPM_MakeIdentity2525 Start of informative comment:2526 Generate a new Attestation Identity Key (AIK)2527 End of informative comment.2528 Incoming Operands and Sizes2529 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of input bytes incl. paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_MakeIdentity. 4 20 2S 20 TPM_ENCAUTH identityAuth Encrypted usage AuthData for the new identity 5 20 3S 20 TPM_CHOSENID_HASH labelPrivCADigest The digest of the identity label and privacy CA chosen for the AIK 6 <> 4S <> TPM_KEY idKeyParams Structure containing all parameters of new identity key. pubKey.keyLength & idKeyParams.encData are both 0MAY be TPM_KEY12 7 4 TPM_AUTHHANDLE srkAuthHandle The authorization session handle used for SRK authorization. 2H1 20 TPM_NONCE srkLastNonceEven Even nonce previously generated by TPM 8 20 3H1 20 TPM_NONCE srknonceOdd Nonce generated by system associated with srkAuthHandle 9 1 4H1 1 BOOL continueSrkSession Ignored 10 20 TPM_AUTHDATA srkAuth Theauthorization session digest for the inputs and the SRK. HMAC key: srk.usageAuth. 11 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. Session type MUST be OSAP. 2H2 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 12 20 3H2 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 13 1 4H2 1 BOOL continueAuthSession Ignored 14 20 20 TPM_AUTHDATA ownerAuth Theauthorization session digest for inputs and owner. HMAC key: ownerAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 147 TCG Published Outgoing Operands and Sizes2530 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal:TPM_ORD_MakeIdentity. 4 <> 3S <> TPM_KEY idKey The newly created identity key . MAY be TPM_KEY12 5 4 4S 4 UINT32 identityBindingSize The used size of the output area for identityBinding 6 <> 5S <> BYTE[ ] identityBinding Signature of TPM_IDENTITY_CONTENTS using idKey.private. 7 20 2H2 20 TPM_NONCE srkNonceEven Even nonce newly generated by TPM. 3H2 20 TPM_NONCE srknonceOdd Nonce generated by system associated with srkAuthHandle 8 1 4H2 1 BOOL continueSrkSession Continue use flag. Fixed value of FALSE 9 20 TPM_AUTHDATA srkAuth Theauthorization session digest used for the outputs and srkAuth session. HMAC key: srk.usageAuth. 10 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 11 1 4H1 1 BOOL continueAuthSession Continue use flag. Fixed value of FALSE 12 20 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth. Description2531 The public key of the new TPM identity SHALL be identityPubKey. The private key of the2532 new TPM identity SHALL be tpm_signature_key.2533 Properties of the new identity2534 Type Name Description TPM_PUBKEY identityPubKey This SHALL be the public key of a previously unused asymmetric key pair. TPM_STORE_ASYMKEY tpm_signature_key This SHALL be the private key that forms a pair with identityPubKey and SHALL be extant only in a TPM-shielded location. 2535 This capability also generates a TPM_KEY containing the tpm_signature_key.2536 If identityPubKey is stored on a platform it SHALL exist only in storage to which access is2537 controlled and is available to authorized entities.2538 Actions2539 A Trusted Platform Module that receives a valid TPM_MakeIdentity command SHALL do the2540 following:2541 1. Validate the idKeyParams parameters for the key description2542 a. If the algorithm type is RSA the key length MUST be a minimum of 2048. For2543 interoperability the key length SHOULD be 20482544 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 148 Level 2 Revision 94 29 March 2006 Draft TCG Published b. If the algorithm type is other than RSA the strength provided by the key MUST be2545 comparable to RSA 20482546 c. If the TPM is not designed to create a key of the requested type, return the error code2547 TPM_BAD_KEY_PROPERTY2548 d. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then2549 i. If authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS2550 2. Use authHandle to verify that the Owner authorized all TPM_MakeIdentity input2551 parameters.2552 3. Use srkAuthHandle to verify that the SRK owner authorized all TPM_MakeIdentity input2553 parameters.2554 4. Verify that idKeyParams -> keyUsage is TPM_KEY_IDENTITY. If it is not, return2555 TPM_INVALID_KEYUSAGE2556 5. Verify that idKeyParams -> keyFlags -> migratable is FALSE. If it is not, return2557 TPM_INVALID_KEYUSAGE2558 6. If authHandle indicates XOR encryption for the AuthData secrets2559 a. Create X1 the SHA-1 of the concatenation of (ownerAuth -> sharedSecret ||2560 authLastNonceEven)2561 b. Create a1 by XOR X1 and identityAuth2562 7. Else2563 a. Create a1 by decrypting identityAuth using the algorithm indicated in the OSAP2564 session2565 b. Key is from ownerAuth -> sharedSecret2566 c. IV is SHA-1 of (authLastNonceEven || nonceOdd)2567 8. Set continueAuthSession and continueSRKSession to FALSE.2568 9. Determine the structure version2569 a. If idKeyParms -> tag is TPM_TAG_KEY122570 i. Set V1 to 22571 ii. Create idKey a TPM_KEY12 structure using idKeyParams as the default values for2572 the structure2573 b. If idKeyParms -> ver is 1.12574 i. Set V1 to 12575 ii. Create idKey a TPM_KEY structure using idKeyParams as the default values for2576 the structure2577 10.Set the digestAtCreation values for pcrInfo2578 a. For TPM_PCR_INFO_LONG include the locality of the current command2579 11.Create an asymmetric key pair (identityPubKey and tpm_signature_key) using a TPM-2580 protected capability, in accordance with the algorithm specified in idKeyParams2581 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 149 TCG Published 12.Ensure that the AuthData information in A1 is properly stored in the idKey as2582 usageAuth.2583 13.Attach identityPubKey and tpm_signature_key to idKey2584 14.Set idKey -> migrationAuth to TPM_PERMANENT_DATA-> tpmProof2585 15.Ensure that all TPM_PAYLOAD_TYPE structures identify this key as TPM_PT_ASYM2586 16.Encrypt the private portion of idKey using the SRK as the parent key2587 17.Create a TPM_IDENTITY_CONTENTS structure named idContents using2588 labelPrivCADigest and the information from idKey2589 18.Sign idContents using tpm_signature_key and TPM_SS_RSASSAPKCS1v15_SHA1. Store2590 the result in identityBinding.2591 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 150 Level 2 Revision 94 29 March 2006 Draft TCG Published 15.2 TPM_ActivateIdentity2592 Start of informative comment:2593 The purpose of TPM_ActivateIdentity is to twofold. The first purpose is to obtain assurance2594 that the credential in the TPM_SYM_CA_ATTESTATION is for this TPM. The second purpose2595 is to obtain the session key used to encrypt the TPM_IDENTITY_CREDENTIAL.2596 This is an extension to the 1.1 functionality of TPM_ActivateIdentity. The blob sent to from2597 the CA can be in the 1.1 format or the 1.2 format. The TPM determines the type from the2598 size or version information in the blob.2599 TPM_ActivateIdentity checks that the symmetric session key corresponds to a TPM-identity2600 before releasing that session key.2601 Only the Owner of the TPM has the privilege of activating a TPM identity. The Owner is2602 required to authorize the TPM_ActivateIdentity command. The owner may authorize the2603 command using either the TPM_OIAP or TPM_OSAP authorization protocols.2604 The creator of the ActivateIdentity package can specify if any PCR values are to be checked2605 before releasing the session key.2606 End of informative comment.2607 Incoming Parameters and Sizes2608 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of input bytes incl. paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ActivateIdentity 4 4 TPM_KEY_HANDLE idKey Handle Identity key to be activated 5 4 2S 4 UINT32 blobSize Size of encrypted blob from CA 6 <> 3S <> BYTE [ ] blob The encrypted ASYM_CA_CONTENTS or TPM_EK_BLOB 7 4 TPM_AUTHHANDLE idKeyAuthHandle Theauthorization session handle used for ID key authorization. 2H1 20 TPM_NONCE idKeyLastNonceEven Even nonce previously generated by TPM 8 20 3H1 20 TPM_NONCE idKeynonceOdd Nonce generated by system associated with idKeyAuthHandle 9 1 4H1 1 BOOL continueIdKeySession Continue usage flag for idKeyAuthHandle. 10 20 TPM_AUTHDATA idKeyAuth Theauthorization session digest for the inputs and ID key. HMAC key: idKey.usageAuth. 11 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H2 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 12 20 3H2 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 13 1 4H2 1 BOOL continueAuthSession The continue use flag for the authorization session handle 14 20 20 TPM_AUTHDATA ownerAuth Theauthorization session digest for inputs and owner. HMAC key: ownerAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 151 TCG Published Outgoing Parameters and Sizes2609 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal:TPM_ORD_ActivateIdentity 4 <> 3S <> TPM_SYMMETRIC_KEY symmetricKey The decrypted symmetric key. 5 20 2H1 20 TPM_NONCE idKeyNonceEven Even nonce newly generated by TPM. 3H1 20 TPM_NONCE idKeynonceOdd Nonce generated by system associated with idKeyAuthHandle 6 1 4H1 1 BOOL continueIdKeySession Continue use flag, TRUE if handle is still active 7 20 TPM_AUTHDATA idKeyAuth Theauthorization session digest used for the returned parameters and idKeyAuth session. HMAC key: idKey.usageAuth. 8 20 2H2 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H2 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H2 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 10 20 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth. Description2610 1. The command TPM_ActivateIdentity activates a TPM identity created using the command2611 TPM_MakeIdentity.2612 2. The command assumes the availability of the private key associated with the identity.2613 The command will verify the association between the keys during the process.2614 3. The command will decrypt the input blob and extract the session key and verify the2615 connection between the public and private keys. The input blob can be in 1.1 or 1.22616 format.2617 Actions2618 A Trusted Platform Module that receives a valid TPM_ActivateIdentity command SHALL do2619 the following:2620 1. Using the authHandle field, validate the owner's AuthData to execute the command and2621 all of the incoming parameters.2622 2. Using the idKeyAuthHandle, validate the AuthData to execute command and all of the2623 incoming parameters2624 3. Validate that the idKey is the public key of a valid TPM identity by checking that2625 idKeyHandle -> keyUsage is TPM_KEY_IDENTITY. Return TPM_BAD_PARAMETER on2626 mismatch2627 4. Create H1 the digest of a TPM_PUBKEY derived from idKey2628 5. Decrypt blob creating B1 using PRIVEK as the decryption key2629 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 152 Level 2 Revision 94 29 March 2006 Draft TCG Published 6. Determine the type and version of B12630 a. If B1 -> tag is TPM_TAG_EK_BLOB then2631 i. B1 is a TPM_EK_BLOB2632 b. Else2633 i. B1 is a TPM_ASYM_CA_CONTENTS. As there is no tag for this structure it is2634 possible for the TPM to make a mistake here but other sections of the structure2635 undergo validation2636 7. If B1 is a version 1.1 TPM_ASYM_CA_CONTENTS then2637 a. Compare H1 to B1 -> idDigest on mismatch return TPM_BAD_PARAMETER2638 b. Set K1 to B1 -> sessionKey2639 8. If B1 is a TPM_EK_BLOB then2640 a. Validate that B1 -> ekType is TPM_EK_TYPE_ACTIVATE, return TPM_BAD_TYPE if2641 not.2642 b. Assign A1 as a TPM_EK_BLOB_ACTIVATE structure from B1 -> blob2643 c. Compare H1 to A1 -> idDigest on mismatch return TPM_BAD_PARAMETER2644 d. If A1 -> pcrSelection is not NULL2645 i. Compute a composite hash C1 using the PCR selection A1 -> pcrSelection2646 ii. Compare C1 to A1 -> pcrInfo->digestAtRelease and return TPM_WRONGPCRVAL2647 on a mismatch2648 iii. If A1 -> pcrInfo specifies a locality ensure that the appropriate locality has been2649 asserted, return TPM_BAD_LOCALITY on error2650 e. Set K1 to A1 -> symmetricKey2651 9. Return K12652 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 153 TCG Published 16. Integrity Collection and Reporting2653 Start of informative comment:2654 This section deals with what commands have direct access to the PCR2655 End of informative comment.2656 1. The TPM SHALL only allow the following commands to alter the value of2657 TPM_STCLEAR_DATA -> PCR2658 a. TPM_Extend2659 b. TPM_SHA1CompleteExtend2660 c. TPM_Startup2661 d. TPM_PCR_Reset2662 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 154 Level 2 Revision 94 29 March 2006 Draft TCG Published 16.1 TPM_Extend2663 Start of informative comment:2664 This adds a new measurement to a PCR2665 End of informative comment.2666 Incoming Operands and Sizes2667 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Extend. 4 4 2S 4 TPM_PCRINDEX pcrNum The PCR to be updated. 5 20 3S 20 TPM_DIGEST inDigest The 160 bit value representing the event to be recorded. Outgoing Operands and Sizes2668 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Extend. 4 20 3S 20 TPM_PCRVALUE outDigest The PCR value after execution of the command. Descriptions2669 Add a measurement value to a PCR2670 Actions2671 1. Map L1 to TPM_STANY_FLAGS -> localityModifier2672 2. Map P1 to TPM_PERMANENT_DATA -> pcrAttrib [pcrNum]. pcrExtendLocal2673 3. If, for the value of L1, the corresponding bit is not set in the bit map P1, return2674 TPM_BAD_LOCALITY2675 4. Create c1 by concatenating (TPM_STCLEAR_DATA -> PCR[pcrNum] || inDigest). This2676 takes the current PCR value and concatenates the inDigest parameter.2677 5. Create h1 by performing a SHA1 digest of c1.2678 6. Store h1 to TPM_STCLEAR_DATA -> PCR[pcrNum]2679 7. If TPM_PERMANENT_FLAGS -> disable is TRUE or TPM_STCLEAR_FLAGS -> deactivated2680 is TRUE2681 a. Set outDigest to 20 bytes of 0x002682 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 155 TCG Published 8. Else2683 a. Set outDigest to h12684 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 156 Level 2 Revision 94 29 March 2006 Draft TCG Published 16.2 TPM_PCRRead2685 Start of informative comment:2686 The TPM_PCRRead operation provides non-cryptographic reporting of the contents of a2687 named PCR.2688 End of informative comment.2689 Incoming Operands and Sizes2690 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_PCRRead. 4 4 2S 4 TPM_PCRINDEX pcrIndex Index of the PCR to be read Outgoing Operands and Sizes2691 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_PCRRead. 4 20 3S 20 TPM_PCRVALUE outDigest The current contents of the named PCR Description2692 The TPM_PCRRead operation returns the current contents of the named register to the2693 caller.2694 Actions2695 1. Set outDigest to TPM_STCLEAR_DATA -> PCR[pcrIndex]2696 2. Return TPM_SUCCESS2697 2698 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 157 TCG Published 16.3 TPM_Quote2699 Start of informative comment:2700 The TPM_Quote operation provides cryptographic reporting of PCR values. A loaded key is2701 required for operation. TPM_Quote uses a key to sign a statement that names the current2702 value of a chosen PCR and externally supplied data (which may be a nonce supplied by a2703 Challenger).2704 The term "ExternalData" is used because an important use of TPM_Quote is to provide a2705 digital signature on arbitrary data, where the signature includes the PCR values of the2706 platform at time of signing. Hence the "ExternalData" is not just for anti-replay purposes,2707 although it is (of course) used for that purpose in an integrity challenge.2708 End of informative comment.2709 Incoming Operands and Sizes2710 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Quote. 4 4 TPM_KEY_HANDLE keyHandle The keyHandle identifier of a loaded key that can sign the PCR values. 5 20 2S 20 TPM_NONCE externalData 160 bits of externally supplied data (typically a nonce provided by a server to prevent replay -attacks) 6 <> 3S <> TPM_PCR_SELECTION targetPCR The indices of the PCRs that are to be reported. 7 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for keyHandle authorization. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 10 20 TPM_AUTHDATA privAuth Theauthorization session digest for inputs and keyHandle. HMAC key: key -> usageAuth. Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 158 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Operands and Sizes2711 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Quote. 4 <> 3S <> TPM_PCR_COMPOSITE pcrData A structure containing the same indices as targetPCR, plus the corresponding current PCR values. 5 4 4S 4 UINT32 sigSize The used size of the output area for the signature 6 <> 5S <> BYTE[ ] sig The signed data blob. 7 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 9 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: Key -> usageAuth. Actions2712 1. The TPM MUST validate the AuthData to use the key pointed to by keyHandle.2713 2. The keyHandle -> sigScheme MUST use SHA-1, return TPM_INAPPROPRIATE_SIG if it2714 does not2715 3. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY, or2716 TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE2717 4. Validate targetPCR2718 a. targetPCR is a valid TPM_PCR_SELECTION structure2719 b. On errors return TPM_INVALID_PCR_INFO2720 5. Create H1 a SHA-1 hash of a TPM_PCR_COMPOSITE using the TPM_STCLEAR_DATA ->2721 PCR indicated by targetPCR -> pcrSelect2722 6. Create Q1 a TPM_QUOTE_INFO structure2723 a. Set Q1 -> version to 1.1.0.02724 b. Set Q1 -> fixed to "QUOT"2725 c. Set Q1 -> digestValue to H12726 d. Set Q1 -> externalData to externalData2727 7. Sign SHA-1 hash of Q1 using keyHandle as the signature key2728 8. Return the signature in sig2729 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 159 TCG Published 16.4 TPM_PCR_Reset2730 Start of informative comment:2731 For PCR with the pcrReset attribute set to TRUE, this command resets the PCR back to the2732 default value, this mimics the actions of TPM_Init. The PCR may have restrictions as to2733 which locality can perform the reset operation.2734 Sending a null pcrSelection results in an error is due to the requirement that the command2735 actually do something. If pcrSelection is null there are no PCR to reset and the command2736 would then do nothing.2737 For PCR that are resettable, the presence of a Trusted Operating System (TOS) can change2738 the behavior of TPM_PCR_Reset. The following pseudo code shows how the behavior2739 changes2740 At TPM_Startup2741 If TPM_PCR_ATTRIBUTES->pcrReset is FALSE2742 Set PCR to 0x00...002743 Else2744 Set PCR to 0xFF...FF2745 At TPM_PCR_Reset2746 If TPM_PCR_ATTRIBUTES->pcrReset is TRUE2747 If TOSPresent2748 Set PCR to 0x00...002749 Else2750 Set PCR to 0xFF...FF2751 Else2752 Return error2753 The above pseudocode is for example only, for the details of a specific platform, the reader2754 must review the platform specific specification. The purpose of the above pseudocode is to2755 show that both pcrReset and the TOSPresent bit control the value in use to when the PCR2756 resets.2757 End of informative comment.2758 Incoming Parameters and Sizes2759 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_PCR_Reset 4 <> 2S <> TPM_PCR_SELECTION pcrSelection The PCR's to reset Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 160 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Parameters and Sizes2760 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_PCR_Reset Descriptions2761 This command resets PCR values back to the default value. The command MUST validate2762 that all PCR registers that are selected are available to be reset before resetting any PCR.2763 This command MUST either reset all selected PCR registers or none of the PCR registers.2764 Actions2765 1. Validate that pcrSelection is valid2766 a. is a valid TPM_PCR_SELECTION structure2767 b. pcrSelection -> pcrSelect is non-zero2768 c. On errors return TPM_INVALID_PCR_INFO2769 2. Map L1 to TPM_STANY_FLAGS -> localityModifier2770 3. For each PCR selected perform the following2771 a. If TPM_PERMANENT_DATA -> pcrAttrib[pcrIndex].pcrReset is FALSE, return2772 TPM_NOTRESETABLE2773 b. If, for the value L1, the corresponding bit is clear in the bit map2774 TPM_PERMANENT_DATA -> pcrAttrib[pcrIndex].pcrResetLocal, return TPM_NOTLOCAL2775 4. For each PCR selected perform the following2776 a. The PCR MAY only reset to 0x00...00 or 0xFF...FF2777 b. The logic to determine which value to use MUST be described by a platform specific2778 specification2779 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 161 TCG Published 16.5 TPM_Quote22780 Start of informative comment:2781 The TPM_Quote2 operation provides cryptographic reporting of PCR values. A loaded key is2782 required for operation. TPM_Quote2 uses a key to sign a statement that names the current2783 value of a chosen PCR and externally supplied data (which may be a nonce supplied by a2784 Challenger).2785 The term "externalData" is used because an important use of TPM_Quote2 is to provide a2786 digital signature on arbitrary data, where the signature includes the PCR values of the2787 platform at time of signing. Hence the "externalData" is not just for anti-replay purposes,2788 although it is (of course) used for that purpose in an integrity challenge.2789 TPM_Quote2 differs from TPM_Quote in that TPM_Quote2 uses TPM_PCR_INFO_SHORT to2790 hold information relative to the PCR registers. TPM_PCR_INFO_SHORT includes locality2791 information to provide the requestor a more complete view of the current platform2792 configuration.2793 End of informative comment.2794 Incoming Operands and Sizes2795 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Quote2 4 4 TPM_KEY_HANDLE keyHandle The keyHandle identifier of a loaded key that can sign the PCR values. 5 20 2S 20 TPM_NONCE externalData 160 bits of externally supplied data (typically a nonce provided by a server to prevent replay -attacks) 6 <> 3S <> TPM_PCR_SELECTION targetPCR The indices of the PCRs that are to be reported. 7 1 4S 1 BOOL addVersion When TRUE add TPM_CAP_VERSION_INFO to the output 8 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for keyHandle authorization. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 9 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 10 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 11 20 TPM_AUTHDATA privAuth Theauthorization session digest for inputs and keyHandle. HMAC key: key -> usageAuth. Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 162 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Operands and Sizes2796 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Quote2 4 <> 3S <> TPM_PCR_INFO_SHORT pcrData The value created and signed for the quote 5 4 4S 4 UINT32 versionInfoSize Size of the version info 6 <> 5S <> TPM_CAP_VERSION_INFO versionInfo The version info 7 4 6S 4 UINT32 sigSize The used size of the output area for the signature 8 <> 7S <> BYTE[ ] sig The signed data blob. 9 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 10 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 11 20 TPM_AUTHDATA resAuth The authorizationsession digest for the returned parameters. HMAC key: Key -> usageAuth. Actions2797 1. The TPM MUST validate the AuthData to use the key pointed to by keyHandle.2798 2. The keyHandle -> sigScheme MUST use SHA-1, return TPM_INAPPROPRIATE_SIG if it2799 does not2800 3. Validate targetPCR is a valid TPM_PCR_SELECTION structure, on errors return2801 TPM_INVALID_PCR_INFO2802 4. Create H1 a SHA-1 hash of a TPM_PCR_COMPOSITE using the TPM_STCLEAR_DATA ->2803 PCR[] indicated by targetPCR -> pcrSelect2804 5. Create S1 a TPM_PCR_INFO_SHORT2805 a. Set S1->pcrSelection to targetPCR2806 b. Set S1->localityAtRelease to TPM_STANY_DATA -> localityModifier2807 c. Set S1->digestAtRelease to H12808 6. Create Q1 a TPM_QUOTE_INFO2 structure2809 a. Set Q1 -> fixed to "QUT2"2810 b. Set Q1 -> infoShort to S12811 c. Set Q1 -> externalData to externalData2812 7. If addVersion is TRUE2813 a. Concatenate to Q1 a TPM_CAP_VERSION_INFO structure2814 b. Set the output parameters for versionInfo2815 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 163 TCG Published 8. Else2816 a. Set versionInfoSize to 02817 b. Return no bytes in versionInfo2818 9. Sign a SHA-1 hash of Q1 using keyHandle as the signature key2819 10.Return the signature in sig2820 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 164 Level 2 Revision 94 29 March 2006 Draft TCG Published 17. Changing AuthData2821 17.1 TPM_ChangeAuth2822 Start of informative comment:2823 The TPM_ChangeAuth command allows the owner of an entity to change the AuthData for2824 the entity.2825 TPM_ChangeAuth requires the encryption of one parameter ("NewAuth"). For the sake of2826 uniformity with other commands that require the encryption of more than one parameter,2827 the parameters used for used encryption are generated from the authLastNonceEven2828 (created during the OSAP session), nonceOdd, and the session shared secret.2829 The parameter list to this command must always include two authorization sessions,2830 regardless of the state of authDataUsage for the respective keys.2831 End of informative comment.2832 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ChangeAuth 4 4 TPM_KEY_HANDLE parentHandle Handle of the parent key to the entity. 5 2 2 S 2 TPM_PROTOCOL_ID protocolID The protocol in use. 6 20 3 S 20 TPM_ENCAUTH newAuth The encrypted new AuthData for the entity. The encryption key is the shared secret from the OSAP protocol. 7 2 4 S 2 TPM_ENTITY_TYPE entityType The type of entity to be modified 8 4 5 S 4 UINT32 encDataSize The size of the encData parameter 9 <> 6 S <> BYTE[ ] encData The encrypted entity that is to be modified. 10 4 TPM_AUTHHANDLE parentAuthHandle Theauthorization session handle used for the parent key. 2 H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 11 20 3 H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with parentAuthHandle 12 1 4 H1 1 BOOL continueAuthSession Ignored, parentAuthHandle is always terminated. 13 20 TPM_AUTHDATA parentAuth Theauthorization session digest for inputs and parentHandle. HMAC key: parentKey.usageAuth. 14 4 TPM_AUTHHANDLE entityAuthHandle Theauthorization session handle used for the encrypted entity. The session type MUST be OIAP 2 H2 20 TPM_NONCE entitylastNonceEven Even nonce previously generated by TPM 15 20 3 H2 20 TPM_NONCE entitynonceOdd Nonce generated by system associated with entityAuthHandle 16 1 4 H2 1 BOOL continueEntitySession Ignored, entityAuthHandle is always terminated. 17 20 TPM_AUTHDATA entityAuth Theauthorization session digest for the inputs and encrypted entity. HMAC key: entity.usageAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 165 TCG Published Outgoing Operands and Sizes2833 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. See section 4.3. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ChangeAuth 4 4 3S 4 UINT32 outDataSize The used size of the output area for outData 5 <> 4S <> BYTE[ ] outData The modified, encrypted entity. 6 20 2 H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3 H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with parentAuthHandle 7 1 4 H1 1 BOOL continueAuthSession Continue use flag, fixed value of FALSE 8 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters and parentHandle. HMAC key: parentKey.usageAuth. 9 20 2 H2 20 TPM_NONCE entityNonceEven Even nonce newly generated by TPM to cover entity 3 H2 20 TPM_NONCE entitynonceOdd Nonce generated by system associated with entityAuthHandle 10 1 4 H2 1 BOOL continueEntity Session Continue use flag, fixed value of FALSE 11 20 TPM_AUTHDATA entityAuth Theauthorization session digest for the returned parameters and entity. HMAC key: entity.usageAuth, the original and not the new auth value Description2834 1. The parentAuthHandle session type MUST be TPM_PID_OSAP.2835 2. In this capability, the SRK cannot be accessed as entityType TPM_ET_KEY, since the2836 SRK is not wrapped by a parent key.2837 Actions2838 1. Verify that entityType is one of TPM_ET_DATA, TPM_ET_KEY and return the error2839 TPM_WRONG_ENTITYTYPE if not.2840 2. Verify that parentAuthHandle session type is TPM_PID_OSAP return TPM_BAD_MODE2841 on error2842 3. Verify that entityAuthHandle session type is TPM_PID_OIAP return TPM_BAD_MODE on2843 error2844 4. The encData parameter MUST be the encData field from either the TPM_STORED_DATA2845 or TPM_KEY structures.2846 5. If parentAuthHandle indicates XOR encryption for the AuthData secrets2847 a. Create X1 the SHA-1 of the concatenation of (parentAuthHandle -> sharedSecret ||2848 authLastNonceEven)2849 b. Create decryptAuth by XOR X1 and newAuth2850 6. Else2851 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 166 Level 2 Revision 94 29 March 2006 Draft TCG Published a. Create newAuth by decrypting newAuth using the algorithm indicated in the OSAP2852 session2853 b. Key is from parentAuthHandle -> sharedSecret2854 c. IV is SHA-1 of (authLastNonceEven || nonceOdd)2855 7. The TPM MUST validate the command using the AuthData in the parentAuth parameter2856 8. After parameter validation the TPM creates b1 by decrypting encData using the key2857 pointed to by parentHandle.2858 9. The TPM MUST validate that b1 is a valid TPM structure, either a2859 TPM_STORE_ASYMKEY or a TPM_SEALED_DATA2860 a. Check the tag, length and authValue for match, return TPM_INVALID_STRUCTURE2861 on any mismatch2862 10.The TPM replaces the AuthData for b1 with decryptAuth created above.2863 11.The TPM encrypts b1 using the appropriate mechanism for the type using the2864 parentKeyHandle to provide the key information.2865 12.The TPM MUST enforce the destruction of both the parentAuthHandle and2866 entityAuthHandle sessions.2867 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 167 TCG Published 17.2 TPM_ChangeAuthOwner2868 Start of informative comment:2869 The TPM_ChangeAuthOwner command allows the owner of an entity to change the2870 AuthData for the TPM Owner or the SRK.2871 This command requires authorization from the current TPM Owner to execute.2872 End of informative comment.2873 Incoming Operands and Sizes2874 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ChangeAuthOwner 4 2 2S 2 TPM_PROTOCOL_ID protocolID The protocol in use. 5 20 3S 20 TPM_ENCAUTH newAuth The encrypted new AuthData for the entity. The encryption key is the shared secret from the OSAP protocol. 6 2 4S 2 TPM_ENTITY_TYPE entityType The type of entity to be modified 7 4 TPM_AUTHHANDLE ownerAuthHandle Theauthorization session handle used for the TPM Owner. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with ownerAuthHandle 9 1 4H1 1 BOOL continueAuthSession Continue use flag the TPM ignores this value 10 20 TPM_AUTHDATA ownerAuth Theauthorization session digest for inputs and ownerHandle. HMAC key: ownerAuth. Outgoing Operands and Sizes2875 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ChangeAuthOwner 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with ownerAuthHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, fixed value of FALSE 6 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters and ownerHandle. HMAC key: ownerAuth, the original value and not the new auth value Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 168 Level 2 Revision 94 29 March 2006 Draft TCG Published Actions2876 1. The TPM MUST validate the command using the AuthData in the ownerAuth parameter2877 2. The ownerAuthHandle session type MUST be TPM_PID_OSAP2878 3. Verify that entityType is either TPM_ET_OWNER or TPM_ET_SRK, and return the error2879 TPM_WRONG_ENTITYTYPE if not.2880 4. If ownerAuthHandle indicates XOR encryption for the AuthData secrets2881 a. Create X1 the SHA-1 of the concatenation of (ownerAuthHandle -> sharedSecret ||2882 authLastNonceEven)2883 b. Create decryptAuth by XOR X1 and newAuth2884 5. Else2885 a. Create newAuth by decrypting newAuth using the algorithm indicated in the OSAP2886 session2887 b. Key is the previous ownerAuth2888 c. IV is SHA-1 of (authLastNonceEven || nonceOdd)2889 6. The TPM MUST enforce the destruction of the ownerAuthHandle session upon2890 completion of this command (successful or unsuccessful). This includes setting2891 continueAuthSession to FALSE2892 7. Set the AuthData for the indicated entity to decryptAuth2893 8. Invalidate all sessions, active or saved2894 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 169 TCG Published 18. Authorization Sessions2895 18.1 TPM_OIAP2896 Incoming Operands and Sizes2897 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_OIAP. Outgoing Operands and Sizes2898 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_OIAP. 4 4 TPM_AUTHHANDLE authHandle Handle that TPM creates that points to the authorization state. 5 20 TPM_NONCE nonceEven Nonce generated by TPM and associated with session. Actions2899 1. The TPM_OIAP command allows the creation of an authorization session handle and the2900 tracking of the handle by the TPM. The TPM generates the handle and nonce.2901 2. The TPM has an internal limit as to the number of handles that may be open at one2902 time, so the request for a new handle may fail if there is insufficient space available.2903 3. Internally the TPM will do the following:2904 a. TPM allocates space to save handle, protocol identification, both nonces and any2905 other information the TPM needs to manage the session.2906 b. TPM generates authHandle and nonceEven, returns these to caller2907 4. On each subsequent use of the OIAP session the TPM MUST generate a new nonceEven2908 value.2909 5. When TPM_OIAP is wrapped in an encrypted transport session, no input or output2910 parameters are encrypted.2911 18.1.1 Actions to validate an OIAP session2912 Start of informative comment:2913 This section describes the authorization-related actions of a TPM when it receives a2914 command that has been authorized with the OIAP protocol.2915 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 170 Level 2 Revision 94 29 March 2006 Draft TCG Published Many commands use OIAP authorization. The following description is therefore necessarily2916 abstract.2917 End of informative comment.2918 Actions2919 The TPM MUST perform the following operations:2920 1. The TPM MUST verify that the authorization session handle (H, say) referenced in the2921 command points to a valid session. If it does not, the TPM returns the error code2922 TPM_INVALID_AUTHHANDLE2923 2. The TPM SHALL retrieve the latest version of the caller's nonce (nonceOdd) and2924 continueAuthSession flag from the input parameter list, and store it in internal TPM2925 memory with the authSession `H'.2926 3. The TPM SHALL retrieve the latest version of the TPM's nonce stored with the2927 authorization session H (authLastNonceEven) computed during the previously executed2928 command.2929 4. The TPM MUST retrieve the secret AuthData (SecretE, say) of the target entity. The2930 entity and its secret must have been previously loaded into the TPM.2931 a. If the command using the OIAP session requires owner authorization2932 i. If TPM_STCLEAR_DATA -> ownerReference is TPM_KH_OWNER, the secret2933 AuthData is TPM_PERMANENT_DATA -> ownerAuth2934 ii. If TPM_STCLEAR_DATA -> ownerReference is pointing to a delegate row2935 (1) Set R1 a row index to TPM_STCLEAR_DATA -> ownerReference2936 (2) Set D1 a TPM_DELEGATE_TABLE_ROW to TPM_PERMANENT_DATA ->2937 delegateTable -> delRow[R1]2938 (3) Set the secret AuthData to D1 -> authValue2939 (4) Validate the TPM_DELEGATE_PUBLIC D1 -> pub based on the command2940 ordinal2941 5. The TPM SHALL perform a HMAC calculation using the entity secret data, ordinal, input2942 command parameters and authorization parameters per Part 1 Object-Independent2943 Authorization Protocol.2944 6. The TPM SHALL compare HM to the AuthData value received in the input parameters. If2945 they are different, the TPM returns the error code TPM_AUTHFAIL if the authorization2946 session is the first session of a command, or TPM_AUTH2FAIL if the authorization2947 session is the second session of a command. Otherwise, the TPM executes the command2948 which (for this example) produces an output that requires authentication.2949 7. The TPM SHALL generate a nonce (nonceEven).2950 8. The TPM creates an HMAC digest to authenticate the return code, return values and2951 authorization parameters to the same entity secret per Part 1 Object-Independent2952 Authorization Protocol.2953 9. The TPM returns the return code, output parameters, authorization parameters and2954 authorization session digest.2955 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 171 TCG Published 10.If the output continueUse flag is FALSE, then the TPM SHALL terminate the session.2956 Future references to H will return an error.2957 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 172 Level 2 Revision 94 29 March 2006 Draft TCG Published 18.2 TPM_OSAP2958 Start of informative comment:2959 The TPM_OSAP command creates the authorization session handle, the shared secret and2960 generates nonceEven and nonceEvenOSAP.2961 End of informative comment.2962 Incoming Operands and Sizes2963 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM _ORD_OSAP. 4 2 TPM_ENTITY_TYPE entityType The type of entity in use 5 4 UINT32 entityValue The selection value based on entityType, e.g. a keyHandle # 6 20 TPM_NONCE nonceOddOSAP The nonce generated by the caller associated with the shared secret. Outgoing Operands and Sizes2964 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_OSAP. 4 4 TPM_AUTHHANDLE authHandle Handle that TPM creates that points to the authorization state. 5 20 TPM_NONCE nonceEven Nonce generated by TPM and associated with session. 6 20 TPM_NONCE nonceEvenOSAP Nonce generated by TPM and associated with shared secret. Description2965 1. The TPM_OSAP command allows the creation of an authorization session handle and the2966 tracking of the handle by the TPM. The TPM generates the handle, nonceEven and2967 nonceEvenOSAP.2968 2. The TPM has an internal limit on the number of handles that may be open at one time,2969 so the request for a new handle may fail if there is insufficient space available.2970 3. The TPM_OSAP allows the binding of an authorization to a specific entity. This allows2971 the caller to continue to send in AuthData for each command but not have to request2972 the information or cache the actual AuthData.2973 4. When TPM_OSAP is wrapped in an encrypted transport session, no input or output2974 parameters are encrypted.2975 5. If the owner pointer is pointing to a delegate row, the TPM internally MUST treat the2976 OSAP session as a DSAP session2977 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 173 TCG Published 6. TPM_ET_SRK or TPM_ET_KEYHANDLE with a value of TPM_KH_SRK MUST specify the2978 SRK.2979 Actions2980 1. The TPM creates S1 a storage area that keeps track of the information associated with2981 the authorization.2982 2. S1 MUST track the following information2983 a. Protocol identification (i.e. TPM_PID_OSAP)2984 b. nonceEven2985 i. Initialized to the next value from the TPM RNG2986 c. shared secret2987 d. ADIP encryption scheme from TPM_ENTITY_TYPE entityType2988 e. Any other internal TPM state the TPM needs to manage the session2989 3. The TPM MUST create and MAY track the following information2990 a. nonceEvenOSAP2991 i. Initialized to the next value from the TPM RNG2992 4. The TPM calculates the shared secret using an HMAC calculation. The key for the HMAC2993 calculation is the secret AuthData assigned to the key handle identified by entityValue.2994 The input to the HMAC calculation is the concatenation of nonces nonceEvenOSAP and2995 nonceOddOSAP. The output of the HMAC calculation is the shared secret which is saved2996 in the authorization area associated with authHandle2997 5. Check if the ADIP encryption scheme specified by entityType is supported, if not return2998 TPM_INAPPROPRIATE_ENC.2999 6. If entityType = TPM_ET_KEYHANDLE3000 a. The entity to authorize is a key held in the TPM. entityValue contains the keyHandle3001 that holds the key.3002 b. If entityValue is TPM_KH_OPERATOR return TPM_BAD_HANDLE3003 7. else if entityType = TPM_ET_OWNER3004 a. This value indicates that the entity is the TPM owner. entityValue is ignored3005 b. The HMAC key is the secret pointed to by ownerReference (owner secret or delegated3006 secret)3007 8. else if entityType = TPM_ET_SRK3008 a. The entity to authorize is the SRK. entityValue is ignored.3009 9. else if entityType = TPM_ET_COUNTER3010 a. The entity is a monotonic counter, entityValue contains the counter handle3011 10.else if entityType = TPM_ET_NV3012 a. The entity is a NV index, entityValue contains the NV index3013 11.else return TPM_BAD_PARAMETER3014 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 174 Level 2 Revision 94 29 March 2006 Draft TCG Published 12.On each subsequent use of the OSAP session the TPM MUST generate a new nonce3015 value.3016 13.The TPM MUST ensure that OSAP shared secret is only available while the OSAP session3017 is valid.3018 14.The session MUST terminate upon any of the following conditions:3019 a. The command that uses the session returns an error3020 b. The resource is evicted from the TPM or otherwise invalidated3021 c. The session is used in any command for which the shared secret is used to encrypt3022 an input parameter (TPM_ENCAUTH)3023 d. The TPM Owner is cleared3024 e. TPM_ChangeAuthOwner is executed and this session is attached to the owner3025 authorization3026 f. The session explicitly terminated with continueAuth, TPM_Reset or3027 TPM_FlushSpecific3028 g. All OSAP sessions MUST be invalidated when any of the following commands3029 execute:3030 i. TPM_Delegate_Manage3031 ii. TPM_Delegate_CreateOwnerDelegation with Increment==TRUE3032 iii. TPM_Delegate_LoadOwnerDelegation3033 18.2.1 Actions to validate an OSAP session3034 Start of informative comment:3035 This section describes the authorization-related actions of a TPM when it receives a3036 command that has been authorized with the OSAP protocol.3037 Many commands use OSAP authorization. The following description is therefore necessarily3038 abstract.3039 End of informative comment3040 Actions3041 1. On reception of a command with ordinal C1 that uses an authorization session, the TPM3042 SHALL perform the following actions:3043 2. The TPM MUST have been able to retrieve the shared secret (Shared, say) of the target3044 entity when the authorization session was established with TPM_OSAP. The entity and3045 its secret must have been previously loaded into the TPM.3046 3. The TPM MUST verify that the authorization session handle (H, say) referenced in the3047 command points to a valid session. If it does not, the TPM returns the error code3048 TPM_INVALID_AUTHHANDLE.3049 4. The TPM MUST calculate the HMAC (HM1, say) of the command parameters according3050 to Part 1 Object-Specific Authorization Protocol.3051 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 175 TCG Published 5. The TPM SHALL compare HM1 to the AuthData value received in the command. If they3052 are different, the TPM returns the error code TPM_AUTHFAIL if the authorization session3053 is the first session of a command, or TPM_AUTH2FAIL if the authorization session is the3054 second session of a command., the TPM executes command C1 which produces an3055 output (O, say) that requires authentication and uses a particular return code (RC, say).3056 6. The TPM SHALL generate the latest version of the even nonce (nonceEven).3057 7. The TPM MUST calculate the HMAC (HM2) of the return parameters according to section3058 Part 1 Object-Specific Authorization Protocol.3059 8. The TPM returns HM2 in the parameter list.3060 9. The TPM SHALL retrieve the continue flag from the received command. If the flag is3061 FALSE, the TPM SHALL terminate the session and destroy the thread associated with3062 handle H.3063 10.If the shared secret was used to provide confidentiality for data in the received3064 command, the TPM SHALL terminate the session and destroy the thread associated with3065 handle H.3066 11.Each time that access to an entity (key) is authorized using OSAP, the TPM MUST3067 ensure that the OSAP shared secret is that derived from the entity using TPM_OSAP3068 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 176 Level 2 Revision 94 29 March 2006 Draft TCG Published 18.3 TPM_DSAP3069 Start of informative comment:3070 The TPM_DSAP command creates the authorization session handle using a delegated3071 AuthData value passed into the command as an encrypted blob or from the internal3072 delegation table. It can be used to start an authorization session for a user key or the3073 owner.3074 Identically to TPM_OSAP, it generates a shared secret and generates nonceEven and3075 nonceEvenOSAP.3076 End of informative comment.3077 Incoming Operands and Sizes3078 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DSAP. 4 2 TPM_ENTITY_TYPE entityType The type of delegation information to use 5 4 TPM_KEY_HANDLE keyHandle Key for which delegated authority corresponds, or 0 if delegated owner activity. Only relevant if entityValue equals TPM_DELEGATE_KEY_BLOB 6 20 TPM_NONCE nonceOddDSAP The nonce generated by the caller associated with the shared secret. 7 4 UINT32 entityValueSize The size of entityValue. 8 <> 2S <> BYTE [ ] entityValue TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB or index MUST not be empty If entityType is TPM_ET_DEL_ROW then entityValue is a TPM_DELEGATE_INDEX Outgoing Operands and Sizes3079 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DSAP. 4 4 TPM_AUTHHANDLE authHandle Handle that TPM creates that points to the authorization state. 5 20 TPM_NONCE nonceEven Nonce generated by TPM and associated with session. 6 20 TPM_NONCE nonceEvenDSAP Nonce generated by TPM and associated with shared secret. Description3080 1. The TPM_DSAP command allows the creation of an authorization session handle and the3081 tracking of the handle by the TPM. The TPM generates the handle, nonceEven and3082 nonceEvenOSAP.3083 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 177 TCG Published 2. The TPM has an internal limit on the number of handles that may be open at one time,3084 so the request for a new handle may fail if there is insufficient space available.3085 3. The TPM_DSAP allows the binding of a delegated authorization to a specific entity. This3086 allows the caller to continue to send in AuthData for each command but not have to3087 request the information or cache the actual AuthData.3088 4. Each ordinal that uses the DSAP session MUST validate that TPM_PERMANENT_DATA -3089 > restrictDelegate does not restrict delegation, based on keyHandle -> keyUsage and3090 keyHandle -> keyFlags, return TPM_INVALID_KEYUSAGE on error.3091 5. On each subsequent use of the DSAP session the TPM MUST generate a new nonce3092 value and check if the ordinal to be executed has delegation to execute. The TPM MUST3093 ensure that the DSAP shared secret is only available while the DSAP session is valid.3094 6. When TPM_DSAP is wrapped in an encrypted transport session3095 a. For input the only parameter encrypted is entityValue3096 b. For output no parameters are encrypted3097 7. The DSAP session MUST terminate under any of the following conditions3098 a. The command that uses the session returns an error3099 b. If attached to a key, when the key is evicted from the TPM or otherwise invalidated3100 c. The session is used in any command for which the shared secret is used to encrypt3101 an input parameter (TPM_ENCAUTH)3102 d. The TPM Owner is cleared3103 e. TPM_ChangeAuthOwner is executed and this session is attached to the owner3104 authorization3105 f. The session explicitly terminated with continueAuth, TPM_Reset or3106 TPM_FlushSpecific3107 g. All DSAP sessions MUST be invalidated when any of the following commands3108 execute:3109 i. TPM_Delegate_CreateOwnerDelegation3110 ii. When Increment is TRUE3111 iii. TPM_Delegate_LoadOwnerDelegation3112 iv. TPM_Delegate_Manage3113 entityType = TPM_ET_DEL_OWNER_BLOB3114 The entityValue parameter contains an owner delegation blob structure.3115 entityType = TPM_ET_DEL_ROW3116 The entityValue parameter contains a row number in the nv Delegation table which3117 should be used for the AuthData value.3118 entityType = TPM_DEL_KEY_BLOB3119 The entityValue parameter contains a key delegation blob structure.3120 Actions3121 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 178 Level 2 Revision 94 29 March 2006 Draft TCG Published 1. If entityType == TPM_ET_DEL_OWNER_BLOB3122 a. Map entityValue to B1 a TPM_DELEGATE_OWNER_BLOB3123 b. Validate that B1 is a valid TPM_DELEGATE_OWNER_BLOB, return3124 TPM_WRONG_ENTITYTYPE on error3125 c. Locate B1 -> pub -> familyID in the TPM_FAMILY_TABLE and set familyRow to3126 indicate row, return TPM_BADINDEX if not found3127 d. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]3128 e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD3129 f. Verify that B1->verificationCount equals FR -> verificationCount.3130 g. Validate the integrity of the blob3131 i. Copy B1 -> integrityDigest to H23132 ii. Set B1 -> integrityDigest to NULL3133 iii. Create H3 the HMAC of B1 using tpmProof as the secret3134 iv. Compare H2 to H3 return TPM_AUTHFAIL on mismatch3135 h. Create S1 a TPM_DELEGATE_SENSITIVE by decrypting B1 -> sensitiveArea using3136 TPM_DELEGATE_KEY3137 i. Validate S1 values3138 i. S1 -> tag is TPM_TAG_DELEGATE_SENSITIVE3139 ii. Return TPM_BAD_DELEGATE on error3140 j. Set A1 to S1 -> authValue3141 2. Else if entityType == TPM_ET_DEL_ROW3142 a. Verify that entityValue points to a valid row in the delegation table.3143 b. Set D1 to the delegation information in the row.3144 c. Set A1 to D1->authValue.3145 d. Locate D1 -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate that3146 row, return TPM_BADINDEX if not found3147 e. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]3148 f. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD3149 g. Verify that D1->verificationCount equals FR -> verificationCount.3150 3. Else if entityType == TPM_ET_DEL_KEY_BLOB3151 a. Map entityValue to K1 a TPM_DELEGATE_KEY_BLOB3152 b. Validate that K1 is a valid TPM_DELEGATE_KEY_BLOB, return3153 TPM_WRONG_ENTITYTYPE on error3154 c. Locate K1 -> pub -> familyID in the TPM_FAMILY_TABLE and set familyRow to3155 indicate that row, return TPM_BADINDEX if not found3156 d. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]3157 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 179 TCG Published e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD3158 f. Verify that K1 -> pub -> verificationCount equals FR -> verificationCount.3159 g. Validate the integrity of the blob3160 i. Copy K1 -> integrityDigest to H23161 ii. Set K1 -> integrityDigest to NULL3162 iii. Create H3 the HMAC of K1 using tpmProof as the secret3163 iv. Compare H2 to H3 return TPM_AUTHFAIL on mismatch3164 h. Validate that K1 -> pubKeyDigest identifies keyHandle, return TPM_KEYNOTFOUND3165 on error3166 i. Create S1 a TPM_DELEGATE_SENSITIVE by decrypting K1 -> sensitiveArea using3167 TPM_DELEGATE_KEY3168 j. Validate S1 values3169 i. S1 -> tag is TPM_TAG_DELEGATE_SENSTIVE3170 ii. Return TPM_BAD_DELEGATE on error3171 k. Set A1 to S1 -> authValue3172 4. Else return TPM_BAD_PARAMETER3173 5. Generate a new authorization session handle and reserve space to save protocol3174 identification, shared secret, pcrInfo, both nonces, ADIP encryption scheme, delegated3175 permission bits and any other information the TPM needs to manage the session.3176 6. Read two new values from the RNG to generate nonceEven and nonceEvenOSAP.3177 7. The TPM calculates the shared secret using an HMAC calculation. The key for the HMAC3178 calculation is A1. The input to the HMAC calculation is the concatenation of nonces3179 nonceEvenOSAP and nonceOddOSAP. The output of the HMAC calculation is the shared3180 secret which is saved in the authorization area associated with authHandle.3181 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 180 Level 2 Revision 94 29 March 2006 Draft TCG Published 18.4 TPM_SetOwnerPointer3182 Start of informative comment:3183 This command will set a reference to which secret the TPM will use when executing an3184 owner secret related OIAP or OSAP session.3185 This command should only be used to provide an owner delegation function for legacy code3186 that does not itself support delegation. Normally, TPM_STCLEAR_DATA->ownerReference3187 points to TPM_KH_OWNER, indicating that OIAP and OSAP sessions should use the owner3188 authorization. This command allows ownerReference to point to an index in the delegation3189 table, indicating that OIAP and OSAP sessions should use the delegation authorization.3190 In use, a TSS supporting delegation would create and load the owner delegation and set the3191 owner pointer to that delegation. From then on, a legacy TSS application would use its OIAP3192 and OSAP sessions with the delegated owner authorization.3193 Since this command is not authorized, the ownerReference is open to DoS attacks.3194 Applications can attempt to recover from a failing owner authorization by resetting3195 ownerReference to an appropriate value.3196 End of informative comment.3197 Incoming Operands and Sizes3198 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_ COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Ordinal: TPM_ORD_SetOwnerPointer 4 2 2S 2 TPM_ENTITY_TYPE entityType The type of entity in use 5 4 3S 4 UINT32 entityValue The selection value based on entityType Outgoing Operands and Sizes3199 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_ COMMAND 2 4 UINT32 paramSize Total number of output bytes 3 4 1S 4 TPM_RESULT returnCode The return code of the operation 2S 4 TPM_COMMAND_CODE ordinal Ordinal: TPM_ORD_SetOwnerPointer Actions3200 1. Map TPM_STCLEAR_DATA to V13201 2. If entityType = TPM_ET_DEL_ROW3202 a. This value indicates that the entity is a delegate row. entityValue is a delegate index3203 in the delegation table.3204 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 181 TCG Published b. Validate that entityValue points to a legal row within the delegate table stored within3205 the TPM. If not return TPM_BADINDEX3206 i. Set D1 to the delegation information in the row.3207 c. Locate D1 -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate that3208 row, return TPM_BADINDEX if not found.3209 d. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]3210 e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD3211 f. Verify that B1->verificationCount equals FR -> verificationCount.3212 g. The TPM sets V1-> ownerReference to entityValue3213 h. Return TPM_SUCCESS3214 3. else if entityType = TPM_ET_OWNER3215 a. This value indicates that the entity is the TPM owner. entityValue is ignored.3216 b. The TPM sets V1-> ownerReference to TPM_KH_OWNER3217 c. Return TPM_SUCCESS3218 4. Return TPM_BAD_PARAMETER3219 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 182 Level 2 Revision 94 29 March 2006 Draft TCG Published 19. Delegation Commands3220 19.1 TPM_Delegate_Manage3221 Start of informative comment:3222 TPM_Delegate_Manage is the fundamental process for managing the Family tables,3223 including enabling/disabling Delegation for a selected Family. Normally3224 TPM_Delegate_Manage must be executed at least once (to create Family tables for a3225 particular family) before any other type of Delegation command in that family can succeed.3226 TPM_Delegate_Manage is authorized by the TPM Owner if an Owner is installed, because3227 changing a table is a privileged Owner operation. If no Owner is installed,3228 TPM_Delegate_Manage requires no privilege to execute. This does not disenfranchise an3229 Owner, since there is no Owner, and simplifies loading of tables during platform3230 manufacture or on first-boot. Burn-out of TPM non-volatile storage by inappropriate use is3231 mitigated by the TPM's normal limits on NV-writes in the absence of an Owner. Tables can3232 be locked after loading, to prevent subsequent tampering, and only unlocked by the Owner,3233 his delegate, or the act of removing the Owner (even if there is no Owner).3234 TPM_Delegate_Manage command is customized by opCode:3235 (1) TPM_FAMILY_ENABLE enables/disables use of a family and all the rows of the delegate3236 table belonging to that family,3237 (2) TPM_FAMILY_ADMIN can be used to prevent further management of the Tables until an3238 Owner is installed, or until the Owner is removed from the TPM. (Note that the Physical3239 Presence command TPM_ForceClear always enables further management, even if3240 TPM_ForceClear is used when no Owner is installed.)3241 (3) TPM_FAMILY_CREATE creates a new family. Sessions are invalidated even in this case3242 because the lastFamilyID could wrap.3243 (4) TPM_FAMILY_INVALIDATE invalidates an existing family.3244 End of informative comment.3245 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 183 TCG Published Incoming Operands and Sizes3246 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Delegate_Manage 4 4 2S 4 TPM_FAMILY_ID familyID The familyID that is to be managed 5 4 3s 4 TPM_FAMILY_OPERATION opCode Operation to be performed by this command. 6 4 4s 4 UINT32 opDataSize Size in bytes of opData 7 <> 5s <> BYTE [ ] opData Data necessary to implement opCode 8 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 9 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 10 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 11 20 TPM_AUTHDATA ownerAuth HMAC key: ownerAuth. Outgoing Operands and Sizes3247 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Delegate_Manage 4 4 3S 4 UINT32 retDataSize Size in bytes of retData 5 <> 4S <> BYTE [ ] retData Returned data 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 TPM_AUTHDATA resAuth HMAC key: ownerAuth. Action3248 1. If opCode != TPM_FAMILY_CREATE3249 a. Locate familyID in the TPM_FAMILY_TABLE and set familyRow to indicate row,3250 return TPM_BADINDEX if not found3251 b. Set FR, a TPM_FAMILY_TABLE_ENTRY, to TPM_FAMILY_TABLE. famTableRow3252 [familyRow]3253 2. If tag = TPM_TAG_RQU_AUTH1_COMMAND3254 a. Validate the command and parameters using ownerAuth, return TPM_AUTHFAIL on3255 error3256 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 184 Level 2 Revision 94 29 March 2006 Draft TCG Published b. If the authHandle session type is TPM_PID_DSAP3257 i. If opCode = TPM_FAMILY_CREATE3258 (1) The TPM MUST ignore familyID3259 ii. Else3260 (1) Verify that the familyID associated with authHandle matches the familyID3261 parameter, return TPM_DELEGATE_FAMILY on error3262 3. Else3263 a. If TPM_PERMANENT_DATA -> ownerAuth is valid, return TPM_AUTHFAIL3264 b. If opCode != TPM_FAMILY_CREATE and FR -> flags ->3265 TPM_DELEGATE_ADMIN_LOCK is TRUE, return TPM_DELEGATE_LOCK3266 c. Validate max NV writes without an owner3267 i. Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite3268 ii. Increment NV1 by 13269 iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES3270 iv. Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV13271 4. The TPM invalidates sessions3272 a. MUST invalidate all DSAP sessions3273 b. MUST invalidate all OSAP sessions associated with the delegation table3274 c. MUST set TPM_STCLEAR_DATA -> ownerReference to TPM_KH_OWNER3275 d. MAY invalidate any other session3276 5. If opCode == TPM_FAMILY_CREATE3277 a. Validate that sufficient space exists within the TPM to store an additional family and3278 map F2 to the newly allocated space.3279 b. Validate that opData is a TPM_FAMILY_LABEL3280 i. If opDataSize != sizeof(TPM_FAMILY_LABEL) return TPM_BAD_PARAM_SIZE3281 c. Map F2 to a TPM_FAMILY_TABLE_ENTRY3282 i. Set F2 -> tag to TPM_TAG_FAMILY_TABLE_ENTRY3283 ii. Set F2 -> familyLabel to opData3284 d. Increment TPM_PERMANENT_DATA -> lastFamilyID by 13285 e. Set F2 -> familyID = TPM_PERMANENT_DATA -> lastFamilyID3286 f. Set F2 -> verificationCount = 13287 g. Set F2 -> flags -> TPM_FAMFLAG_ENABLED to FALSE3288 h. Set F2 -> flags -> TPM_DELEGATE_ADMIN_LOCK to FALSE3289 i. Set retDataSize = 43290 j. Set retData = F2 -> familyID3291 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 185 TCG Published k. Return TPM_SUCCESS3292 6. If authHandle is of type DSAP then continueAuthSession MUST set to FALSE3293 7. If opCode == TPM_FAMILY_ADMIN3294 a. Validate that opDataSize == 1, and that opData is a Boolean value.3295 b. Set (FR -> flags -> TPM_DELEGATE_ADMIN_LOCK) = opData3296 c. Set retDataSize = 03297 d. Return TPM_SUCCESS3298 8. else If opCode == TPM_FAMILY_ENABLE3299 a. Validate that opDataSize == 1, and that opData is a Boolean value.3300 b. Set FR -> flags-> TPM_FAMFLAG_ENABLED = opData3301 c. Set retDataSize = 03302 d. Return TPM_SUCCESS3303 9. else If opCode == TPM_FAMILY_INVALIDATE3304 a. Invalidate all data associated with familyRow3305 i. All data is all information pointed to by FR3306 ii. return TPM_SELFTEST_FAILED on failure3307 b. Set retDataSize = 03308 c. Return TPM_SUCCESS3309 10.Else return TPM_BAD_PARAMETER3310 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 186 Level 2 Revision 94 29 March 2006 Draft TCG Published 19.2 TPM_Delegate_CreateKeyDelegation3311 Start of informative comment:3312 This command delegates privilege to use a key by creating a blob that can be used by3313 TPM_DSAP.3314 There is no check for appropriateness of the key's key usage against the key permission3315 settings. If the key usage is incorrect, this command succeeds, but the delegated command3316 will fail.3317 These blobs CANNOT be used as input data for TPM_LoadOwnerDelegation because the3318 internal TPM delegate table can store owner delegations only.3319 (TPM_Delegate_CreateOwnerDelegation must be used to delegate Owner privilege.)3320 End of informative comment3321 Incoming Operands and Sizes3322 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Delegate_CreateKeyDelegation. 4 4 TPM_KEY_HANDLE keyHandle The keyHandle identifier of a loaded key. 5 <> 2S <> TPM_DELEGATE_PUBLIC publicInfo The public information necessary to fill in the blob 6 20 3S 20 TPM_ENCAUTH delAuth The encrypted new AuthData for the blob. The encryption key is the shared secret from the OSAP protocol. 7 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for keyHandle authorization 2H1 20 TPM_NONCE authLastNonc eEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession Ignored 10 20 TPM_AUTHDATA privAuth Theauthorization session digest that authorizes the use of keyHandle. HMAC key: key.usageAuth 3323 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 187 TCG Published Outgoing Operands and Sizes3324 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Delegate_CreateKeyDelegation 4 4 3S 4 UINT32 blobSize The length of the returned blob 5 <> 4S <> TPM_DELEGATE_KEY_BLOB blob The partially encrypted delegation information. 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag. Fixed value of FALSE 8 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: key.usageAuth Description3325 1. The use restrictions that may be present on the key pointed to by keyHandle are not3326 enforced for this command. Stated another way, TPM_CreateKeyDelegation is not a use3327 of the key.3328 Action3329 1. Verify AuthData for the command and parameters using privAuth3330 2. Locate publicInfo -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate3331 row, return TPM_BADINDEX if not found3332 3. If the key authentication is in fact a delegation, then the TPM SHALL validate the3333 command and parameters using Delegation authorisation, then3334 a. Validate that authHandle -> familyID equals publicInfo -> familyID return3335 TPM_DELEGATE_FAMILY on error3336 b. If TPM_FAMILY_TABLE.famTableRow[ authHandle -> familyID] -> flags ->3337 TPM_FAMFLAG_ENABLED is FALSE, return error TPM_DISABLED_CMD.3338 c. Verify that the delegation bits in publicInfo do not grant more permissions then3339 currently delegated. Otherwise return error TPM_AUTHFAIL3340 4. Check that publicInfo -> delegateType is TPM_DEL_KEY_BITS3341 5. Verify that authHandle indicates an OSAP or DSAP session return3342 TPM_INVALID_AUTHHANDLE on error3343 6. If authHandle indicates XOR encryption for the AuthData secrets3344 a. Create X1 the SHA-1 of the concatenation of (authHandle -> sharedSecret ||3345 authLastNonceEven)3346 b. Create a1 by XOR X1 and delAuth3347 7. Else3348 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 188 Level 2 Revision 94 29 March 2006 Draft TCG Published a. Create a1 by decrypting delAuth using the algorithm indicated in the OSAP session3349 b. Key is from authHandle -> sharedSecret3350 c. IV is SHA-1 of (authLastNonceEven || nonceOdd)3351 8. Create h1 the SHA-1 of TPM_STORE_PUBKEY structure of the key pointed to by3352 keyHandle3353 9. Create M1 a TPM_DELEGATE_SENSITIVE structure3354 a. Set M1 -> tag to TPM_TAG_DELEGATE_SENSITIVE3355 b. Set M1 -> authValue to a13356 c. The TPM MAY add additional information of a sensitive nature relative to the3357 delegation3358 10.Create M2 the encryption of M1 using TPM_DELEGATE_KEY3359 11.Create P1 a TPM_DELEGATE_KEY_BLOB3360 a. Set P1 -> tag to TPM_TAG_DELG_KEY_BLOB3361 b. Set P1 -> pubKeyDigest to H13362 c. Set P1 -> pub to PublicInfo3363 d. Set P1 -> pub -> verificationCount to familyRow -> verificationCount3364 e. Set P1 -> integrityDigest to NULL3365 f. The TPM sets additionalArea and additionalAreaSize appropriate for this TPM. The3366 information MAY include symmetric IV, symmetric mode of encryption and other data3367 that allows the TPM to process the blob in the future.3368 g. Set P1 -> sensitiveSize to the size of M23369 h. Set P1 -> sensitiveArea to M23370 12.Calculate H2 the HMAC of P1 using tpmProof as the secret3371 13.Set P1 -> integrityDigest to H23372 14.Ignore continueAuthSession on input set continueAuthSession to FALSE on output3373 15.Return P1 as blob3374 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 189 TCG Published 19.3 TPM_Delegate_CreateOwnerDelegation3375 Start of informative comment:3376 TPM_Delegate_CreateOwnerDelegation delegates the Owner's privilege to use a set of3377 command ordinals, by creating a blob. Such blobs can be used as input data for TPM_DSAP3378 or TPM_Delegate_LoadOwnerDelegation.3379 TPM_Delegate_CreateOwnerDelegation includes the ability to void all existing delegations3380 (by incrementing the verification count) before creating the new delegation. This ensures3381 that the new delegation will be the only delegation that can operate at Owner privilege in3382 this family. This new delegation could be used to enable a security monitor (a local separate3383 entity, or remote separate entity, or local host entity) to reinitialize a family and perhaps3384 perform external verification of delegation settings. Normally the ordinals for a delegated3385 security monitor would include TPM_Delegate_CreateOwnerDelegation (this command) in3386 order to permit the monitor to create further delegations, and3387 TPM_Delegate_UpdateVerification to reactivate some previously voided delegations.3388 If the verification count is incremented and the new delegation does not delegate any3389 privileges (to any ordinals) at all, or uses an authorisation value that is then discarded, this3390 family's delegations are all void and delegation must be managed using actual Owner3391 authorisation.3392 (TPM_Delegate_CreateKeyDelegation must be used to delegate privilege to use a key.)3393 End of informative comment.3394 Incoming Operands and Sizes3395 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal TPM_ORD_Delegate_CreateOwnerDelegation. 4 1 2S 1 BOOL increment Flag dictates whether verificationCount will be incremented 5 <> 3S <> TPM_DELEGATE_PUBLIC publicInfo The public parameters for the blob 6 20 4S 20 TPM_ENCAUTH delAuth The encrypted new AuthData for the blob. The encryption key is the shared secret from the OSAP protocol. 7 4 TPM_AUTHHANDLE authHandle Theauthorization session handle TPM Owner authentication 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession Ignored 10 20 TPM_AUTHDATA ownerAuth Theauthorization session digest. HMAC key:ownerAuth Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 190 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Operands and Sizes3396 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal TPM_ORD_Delegate_CreateOwnerDelegation 4 4 3S 4 UINT32 blobSize The length of the returned blob 5 <> 4S <> TPM_DELEGATE_OWNER _B LOB blob The partially encrypted delegation information. 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag. Fixed value of FALSE 8 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth Action3397 1. The TPM SHALL authenticate the command using TPM Owner authentication. Return3398 TPM_AUTHFAIL on failure.3399 2. Locate publicInfo -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate3400 the row return TPM_BADINDEX if not found3401 a. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]3402 3. If the TPM Owner authentication is in fact a delegation3403 a. Validate that authHandle -> familyID equals publicInfo -> familyID return3404 TPM_DELEGATE_FAMILY on error3405 b. If FR -> flags -> TPM_FAMFLAG_ENABLED is FALSE, return error3406 TPM_DISABLED_CMD.3407 c. Verify that the delegation bits in publicInfo do not grant more permissions then3408 currently delegated. Otherwise, return error TPM_AUTHFAIL.3409 4. Check that publicInfo -> delegateType is TPM_DEL_OWNER_BITS3410 5. Verify that authHandle indicates an OSAP or DSAP session return3411 TPM_INVALID_AUTHHANDLE on error3412 6. If increment == TRUE3413 a. Increment FR -> verificationCount3414 b. Set TPM_STCLEAR_DATA-> ownerReference to TPM_KH_OWNER3415 c. The TPM invalidates sessions3416 i. MUST invalidate all DSAP sessions3417 ii. MUST invalidate all OSAP sessions associated with the delegation table3418 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 191 TCG Published iii. MAY invalidate any other session3419 7. If authHandle indicates XOR encryption for the AuthData secrets3420 a. Create X1 the SHA-1 of the concatenation of (authHandle -> sharedSecret ||3421 authLastNonceEven)3422 b. Create a1 by XOR X1 and delAuth3423 8. Else3424 a. Create a1 by decrypting delAuth using the algorithm indicated in the OSAP session3425 b. Key is from authHandle -> sharedSecret3426 c. IV is SHA-1 of (authLastNonceEven || nonceOdd)3427 9. Create M1 a TPM_DELEGATE_SENSITIVE structure3428 a. Set M1 -> tag to TPM_TAG_DELEGATE_SENSITIVE3429 b. Set M1 -> authValue to a13430 c. Set other M1 fields as determined by the TPM vendor3431 10.Create M2 the encryption of M1 using TPM_DELEGATE_KEY3432 11.Create B1 a TPM_DELEGATE_OWNER_BLOB3433 a. Set B1 -> tag to TPM_TAG_DELG_OWNER_BLOB3434 b. Set B1 -> pub to publicInfo3435 c. Set B1 -> sensitiveSize to the size of M23436 d. Set B1 -> sensitiveArea to M23437 e. Set B1 -> integrityDigest to NULL3438 f. Set B1 -> pub -> verificationCount to FR -> verificationCount3439 12.The TPM sets additionalArea and additionalAreaSize appropriate for this TPM. The3440 information MAY include symmetric IV, symmetric mode of encryption and other data3441 that allows the TPM to process the blob in the future.3442 13.Create H1 the HMAC of B1 using tpmProof as the secret3443 14.Set B1 -> integrityDigest to H13444 15.Ignore continueAuthSession on input set continueAuthSession to FALSE on output3445 16.Return B1 as blob3446 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 192 Level 2 Revision 94 29 March 2006 Draft TCG Published 19.4 TPM_Delegate_LoadOwnerDelegation3447 Start of informative comment:3448 This command loads a delegate table row blob into a non-volatile delegate table row.3449 TPM_Delegate_LoadOwnerDelegation can be used during manufacturing or on first boot3450 (when no Owner is installed), or after an Owner is installed. If an Owner is installed,3451 TPM_Delegate_LoadOwnerDelegation requires Owner authorisation, and sensitive3452 information must be encrypted.3453 Burn-out of TPM non-volatile storage by inappropriate use is mitigated by the TPM's normal3454 limits on NV-writes in the absence of an Owner. Tables can be locked after loading using3455 TPM_Delegate_Manage, to prevent subsequent tampering.3456 A management system outside the TPM is expected to manage the delegate table rows3457 stored on the TPM, and can overwrite any previously stored data.3458 This command cannot be used to load key delegation blobs into the TPM3459 End of informative comment.3460 Incoming Operands and Sizes3461 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes incl. paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Ordinal: TPM_ORD_Delegate_LoadOwnerDelegation 4 4 3S 4 TPM_DELEGATE_INDEX index The index of the delegate row to be written 5 4 4S 4 UINT32 blobSize The size of the delegate blob 6 <> 5S <> TPM_DELEGATE_OWNER _BLOB blob Delegation information, including encrypted portions as appropriate 7 4 TPM_AUTHHANDLE authHandle Theauthorization session handle TPM Owner authentication 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 10 20 TPM_AUTHDATA ownerAuth Theauthorization session digest. HMAC key:ownerAuth TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 193 TCG Published Outgoing Operands and Sizes3462 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes 3 4 1S 4 TPM_RESULT returnCode The return code of the operation 2S 4 TPM_COMMAND_CODE ordinal TPM_ORD_Delegate_LoadOwnerDelegation 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 7 20 TPM_AUTHDATA resAuth Authorization HMAC key: ownerAuth. Actions3463 1. Map blob to D1 a TPM_DELEGATE_OWNER_BLOB.3464 a. Validate that D1 -> tag == TPM_TAG_DELEGATE_OWNER_BLOB3465 2. Locate D1 -> pub -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate3466 row, return TPM_BADINDEX if not found3467 3. Set FR to TPM_FAMILY_TABLE -> famTableRow[familyRow]3468 4. If TPM Owner is installed3469 a. Validate the command and parameters using TPM Owner authentication, return3470 TPM_AUTHFAIL on error3471 b. If the authHandle session type is TPM_PID_DSAP, verify that D1 -> pub -> familyID3472 matches authHandle -> familyID, on error return TPM_DELEGATE_FAMILY3473 5. Else3474 a. If FR -> flags -> TPM_DELEGATE_ADMIN_LOCK is TRUE return3475 TPM_DELEGATE_LOCK3476 b. Validate max NV writes without an owner3477 i. Set NV1 to PD -> noOwnerNVWrite3478 ii. Increment NV1 by 13479 iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES3480 iv. Set PD -> noOwnerNVWrite to NV13481 6. If FR -> flags -> TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD3482 7. If TPM Owner is installed, validate the integrity of the blob3483 a. Copy D1 -> integrityDigest to H23484 b. Set D1 -> integrityDigest to NULL3485 c. Create H3 the HMAC of D1 using tpmProof as the secret3486 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 194 Level 2 Revision 94 29 March 2006 Draft TCG Published d. Compare H2 to H3, return TPM_AUTHFAIL on mismatch3487 8. If TPM Owner is installed, create S1 a TPM_DELEGATE_SENSITIVE area by decrypting3488 D1 -> sensitiveArea using TPM_DELEGATE_KEY. Otherwise set S1 = D1 -> sensitiveArea3489 9. Validate S13490 a. Validate that S1 -> tag == TPM_TAG_DELEGATE_SENSITIVE, return3491 TPM_INVALID_STRUCTURE on error3492 10.Validate that index is a valid value for delegateTable, return TPM_BADINDEX on error3493 11.The TPM invalidates sessions3494 a. MUST invalidate all DSAP sessions3495 b. MUST invalidate all OSAP sessions associated with the delegation table3496 c. MAY invalidate any other session3497 12.Copy data to the delegate table row3498 a. Copy the TPM_DELEGATE_PUBLIC from D1 -> pub to TPM_DELEGATE_TABLE ->3499 delRow[index] -> pub.3500 b. Copy the TPM_SECRET from S1 -> authValue to TPM_DELEGATE_TABLE ->3501 delRow[index] -> authValue.3502 c. Set TPM_STCLEAR_DATA-> ownerReference to TPM_KH_OWNER3503 d. If authHandle is of type DSAP then continueAuthSession MUST set to FALSE3504 13.Return TPM_SUCCESS3505 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 195 TCG Published 19.5 TPM_Delegate_ReadTable3506 Start of informative comment:3507 This command reads from the TPM the public contents of the family and delegate tables3508 that are stored on the TPM. Such data is required during external verification of tables.3509 There are no restrictions on the execution of this command; anyone can read this3510 information regardless of the state of the PCRs, regardless of whether they know any3511 specific AuthData value and regardless of whether or not the enable and admin bits are set3512 one way or the other.3513 End of informative comment.3514 Incoming Operands and Sizes3515 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Delegate_ReadTable Outgoing Operands and Sizes3516 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes inc luding paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Delegate_ReadTable 4 4 3S 4 UINT32 familyTableSize Size in bytes of familyTable 5 <> 4S <> BYTE [ ] familyTable Array of TPM_FAMILY_TABLE_ENTRYelements 6 4 5S 4 UINT32 delegateTableSize Size in bytes of delegateTable 7 <> 6S <> BYTE[] delegateTable Array of TPM_DELEGATE_INDEX and TPM_DELEGATE_PUBLIC elements Actions3517 1. Set familyTableSize to the number of valid families on the TPM times3518 sizeof(TPM_FAMILY_TABLE_ELEMENT).3519 2. Copy the valid entries in the internal family table to the output array familyTable3520 3. Set delegateTableSize to the number of valid delegate table entries on the TPM times3521 (sizeof(TPM_DELEGATE_PUBLIC) + 4).3522 4. For each valid entry3523 a. Write the TPM_DELEGATE_INDEX to delegateTable3524 b. Copy the TPM_DELEGATE_PUBLIC to delegateTable3525 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 196 Level 2 Revision 94 29 March 2006 Draft TCG Published 5. Return TPM_SUCCESS3526 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 197 TCG Published 19.6 TPM_Delegate_UpdateVerification3527 Start of informative comment:3528 TPM_UpdateVerification sets the verificationCount in an entity (a blob or a delegation row)3529 to the current family value, in order that the delegations represented by that entity will3530 continue to be accepted by the TPM.3531 End of informative comment.3532 Incoming Operands and Sizes3533 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Delegate_UpdateVerification 4 4 2S 4 UINT32 inputSize The size of inputData 5 <> 3S <> BYTE inputData TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB or TPM_DELEGATE_INDEX 6 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEv en Even nonce previously generated by TPM to cover inputs 7 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 9 20 TPM_AUTHDATA ownerAuth Authorization HMAC key: ownerAuth. Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 198 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Operands and Sizes3534 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Delegate_UpdateVerification 4 4 3S 4 UINT32 outputSize The size of the output 5 <> 4S <> BYTE outputData TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth. Actions3535 1. Verify the TPM Owner, directly or indirectly through delegation, authorizes the command3536 and parameters, on error return TPM_AUTHFAIL3537 2. Determine the type of inputData (TPM_DELEGATE_TABLE_ROW or3538 TPM_DELEGATE_OWNER_BLOB or TPM_DELEGATE_KEY_BLOB) and map D1 to that3539 structure3540 a. Mapping to TPM_DELEGATE_TABLE_ROW requires taking inputData as a tableIndex3541 and locating the appropriate row in the table3542 3. If D1 is a TPM_DELEGATE_OWNER_BLOB or TPM_DELEGATE_KEY_BLOB, validate the3543 integrity of D13544 a. Copy D1 -> integrityDigest to H23545 b. Set D1 -> integrityDigest to NULL3546 c. Create H3 the HMAC of D1 using tpmProof as the secret3547 d. Compare H2 to H3 return TPM_AUTHFAIL on mismatch3548 4. Locate (D1 -> pub -> familyID) in the TPM_FAMILY_TABLE and set familyRow to indicate3549 row, return TPM_BADINDEX if not found3550 5. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]3551 6. If delegated, verify that family of the delegated Owner-auth is the same as D1:3552 (authHandle -> familyID) == (D1 -> pub -> familyID); otherwise return error3553 TPM_DELEGATE_FAMILY3554 7. If delegated, verify that the family of the delegated Owner-auth is enabled: if (authHandle3555 -> familyID -> flags TPM_FAMFLAG_ENABLED) is FALSE, return TPM_DISABLED_CMD3556 8. Set D1 -> verificationCount to FR -> verificationCount3557 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 199 TCG Published 9. If D1 is a TPM_DELEGATE_OWNER_BLOB or TPM_DELEGATE_KEY_BLOB set the3558 integrity of D13559 a. Set D1 -> integrityDigest to NULL3560 b. Create H1 the HMAC of D1 using tpmProof as the secret3561 c. Set D1 -> integrityDigest to H13562 10.If D1 is a blob recreate the blob and return it3563 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 200 Level 2 Revision 94 29 March 2006 Draft TCG Published 19.7 TPM_Delegate_VerifyDelegation3564 Start of informative comment:3565 TPM_VerifyDelegation interprets a delegate blob and returns success or failure, depending3566 on whether the blob is currently valid. The delegate blob is NOT loaded into the TPM.3567 End of informative comment.3568 Incoming Operands and Sizes3569 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal, TPM_Delegate_VerifyDelegation 4 4 2S 4 UINT32 delegationSize The length of the delegated information blob 5 <> 3S <> BYTE[ ] delegation TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB Outgoing Operands and Sizes3570 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode Thereturncode of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal, TPM_Delegate_VerifyDelegation Actions3571 1. Determine the type of blob, If delegation -> tag is equal to3572 TPM_TAG_DELGATE_OWNER_BLOB then3573 a. Map D1 a TPM_DELEGATE_OWNER_BLOB to delegation3574 2. Else if delegation -> tag = TPM_TAG_DELG_KEY_BLOB3575 a. Map D1 a TPM_DELEGATE_KEY_BLOB to delegation3576 3. Else return TPM_BAD_PARAMETER3577 4. Locate D1 -> familyID in the TPM_FAMILY_TABLE and set familyRow to indicate row,3578 return TPM_BADINDEX if not found3579 5. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow]3580 6. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD3581 7. Validate that D1 -> pub -> verificationCount matches FR -> verificationCount, on3582 mismatch return TPM_FAMILYCOUNT3583 8. Validate the integrity of D13584 a. Copy D1 -> integrityDigest to H23585 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 201 TCG Published b. Set D1 -> integrityDigest to NULL3586 c. Create H3 the HMAC of D1 using tpmProof as the secret3587 d. Compare H2 to H3 return TPM_AUTHFAIL on mismatch3588 9. Create S1 a TPM_DELEGATE_SENSITIVE area by decrypting D1 -> sensitiveArea using3589 TPM_DELEGATE_KEY3590 10.Validate S1 values3591 a. S1 -> tag is TPM_TAG_DELEGATE_SENSTIVE3592 b. Return TPM_BAD_PARAMETER on error3593 11.Return TPM_SUCCESS3594 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 202 Level 2 Revision 94 29 March 2006 Draft TCG Published 20. Non-volatile Storage3595 Start of informative comment:3596 This section handles the allocation and use of the TPM non-volatile storage.3597 End of informative comment.3598 If nvIndex refers to the DIR, the TPM ignores actions containing access control checks that3599 have no meaning for the DIR. The TPM only checks the owner authorization.3600 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 203 TCG Published 3601 20.1 TPM_NV_DefineSpace3602 Start of informative comment:3603 This establishes the space necessary for the indicated index. The definition will include the3604 access requirements for writing and reading the area.3605 The space definition size does not include the area needed to manage the space.3606 Setting TPM_PERMANENT_FLAGS -> nvLocked TRUE when it is already TRUE is not an3607 error.3608 End of informative comment.3609 Incoming Operands and Sizes3610 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Ordinal, TPM_ORD_NV_DefineSpace 4 <> 2S <> TPM_NV_DATA_PUBLIC pubInfo The public parameters of the NV area 5 20 3S 20 TPM_ENCAUTH encAuth The encrypted AuthData, only valid if the attributes require subsequent authorization 6 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for ownerAuth 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 7 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 9 20 TPM_AUTHDATA ownerAuth Theauthorization session digest HMAC key: ownerAuth Outgoing Operands and Sizes3611 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal ordinal, TPM_ORD_NV_DefineSpace 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, fixed to FALSE 6 20 TPM_AUTHDATA ownerAuth Theauthorization session digest HMAC key: ownerAuth Actions3612 1. If pubInfo -> nvIndex == TPM_NV_INDEX_LOCK and tag = TPM_TAG_RQU_COMMAND3613 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 204 Level 2 Revision 94 29 March 2006 Draft TCG Published a. If pubInfo -> dataSize is not 0, the command MAY return TPM_BADINDEX.3614 b. Set TPM_PERMANENT_FLAGS -> nvLocked to TRUE3615 c. Return TPM_SUCCESS3616 2. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks except3617 for the Max NV writes are ignored3618 a. Ignored checks include physical presence, authorization, 'Ď bit check, index 0,3619 bGlobalLock, no authorization with a TPM owner present, and bWriteSTClear3620 3. If pubInfo -> nvIndex has the D bit (bit 28) set to a 1 or pubInfo -> nvIndex == 0 then3621 a. Return TPM_BADINDEX3622 b. The D bit specifies an index value that is set in manufacturing and can never be3623 deleted or added to the TPM3624 c. Index value of 0 is reserved and cannot be defined3625 4. If tag = TPM_TAG_RQU_AUTH1_COMMAND then3626 a. The TPM MUST validate the command and parameters using the TPM Owner3627 authentication and ownerAuth, on error return TPM_AUTHFAIL3628 b. authHandle session type MUST be OSAP3629 c. If authHandle indicates XOR encryption for the AuthData secrets3630 i. Create X1 the SHA-1 of the concatenation of (authHandle -> sharedSecret ||3631 authLastNonceEven)3632 ii. Create a1 by XOR X1 and encAuth3633 d. Else3634 i. Create a1 by decrypting encAuth using the algorithm indicated in the OSAP3635 session3636 ii. Key is from authHandle -> sharedSecret3637 iii. IV is SHA-1 of (authLastNonceEven || nonceOdd)3638 5. else3639 a. Validate the assertion of physical presence. Return TPM_BAD_PRESENCE on error.3640 b. If TPM Owner is present then return TPM_OWNER_SET.3641 c. If pubInfo -> dataSize is 0 then return TPM_BAD_DATASIZE. Setting the size to 03642 represents an attempt to delete the value without TPM Owner authentication.3643 d. Validate max NV writes without an owner3644 i. Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite3645 ii. Increment NV1 by 13646 iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES3647 iv. Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV13648 e. Set A1 to encAuth. There is no nonce or authorization to create the encryption string,3649 hence the AuthData value is passed in the clear3650 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 205 TCG Published 6. If pubInfo -> nvIndex points to a valid previously defined storage area then3651 a. Map D1 a TPM_NV_DATA_SENSITIVE to the storage area3652 b. If D1 -> attributes specifies TPM_NV_PER_GLOBALLOCK then3653 i. If TPM_STCLEAR_FLAGS -> bGlobalLock is TRUE then return3654 TPM_AREA_LOCKED3655 c. If D1 -> attributes specifies TPM_NV_PER_WRITE_STCLEAR3656 i. If D1 -> pubInfo -> bWriteSTClear is TRUE then return TPM_AREA_LOCKED3657 d. Invalidate the data area currently pointed to by D1 and ensure that if the area is3658 reallocated no residual information is left3659 e. The TPM invalidates authorization sessions3660 i. MUST invalidate all authorization sessions associated with D13661 ii. MAY invalidate any other authorization session3662 f. If pubInfo -> dataSize is 0 then return TPM_SUCCESS3663 7. Parse pubInfo -> pcrInfoRead3664 a. Validate pcrInfoRead structure on error return TPM_INVALID_STRUCTURE3665 i. Validation includes proper PCR selections and locality selections3666 8. Parse pubInfo -> pcrInfoWrite3667 a. Validate pcrInfoWrite structure on error return TPM_INVALID_STRUCTURE3668 i. Validation includes proper PCR selections and locality selections3669 b. If pcrInfoWrite -> localityAtRelease disallows some localities3670 i. Set writeLocalities to TRUE3671 c. Else3672 i. Set writeLocalities to FALSE3673 9. Validate that the attributes are consistent3674 a. The TPM SHALL ignore the bReadSTClear, bWriteSTClear and bWriteDefine3675 attributes during the execution of this command3676 b. If TPM_NV_PER_OWNERWRITE is TRUE and TPM_NV_PER_AUTHWRITE is TRUE3677 return TPM_AUTH_CONFLICT3678 c. If TPM_NV_PER_OWNERREAD is TRUE and TPM_NV_PER_AUTHREAD is TRUE3679 return TPM_AUTH_CONFLICT3680 d. If TPM_NV_PER_OWNERWRITE and TPM_NV_PER_AUTHWRITE and3681 TPM_NV_PER_WRITEDEFINE and TPM_NV_PER_PPWRITE and writeLocalities are all3682 FALSE3683 i. Return TPM_PER_NOWRITE3684 e. Validate nvIndex3685 i. Make sure that the index is applicable for this TPM return TPM_BADINDEX on3686 error. A valid index is platform and context sensitive. That is attempting to3687 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 206 Level 2 Revision 94 29 March 2006 Draft TCG Published validate an index may be successful in one configuration and invalid in another3688 configuration. The individual index values MUST indicate if there are any3689 restrictions on the use of the index.3690 f. If dataSize is 0 return TPM_BAD_PARAM_SIZE3691 10.Create D1 a TPM_NV_DATA_SENSITIVE structure3692 11.Validate that sufficient NV is available to store the data3693 a. return TPM_NOSPACE if pubInfo -> dataSize is not available in the TPM3694 12.Ensure that the TPM reserves the space for dataSize3695 a. Set all bytes in the newly defined area to 0xFF3696 13.Set D1 -> pubInfo to pubInfo3697 14.Set D1 -> authValue to A13698 15.Set D1 -> pubInfo -> bReadSTClear = FALSE;3699 16.Set D1 -> pubInfo -> bWriteSTClear = FALSE;3700 17.Set D1 -> pubInfo -> bWriteDefine = FALSE;3701 18.Ignore continueAuthSession on input and set to FALSE on output3702 19.Return TPM_SUCCESS3703 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 207 TCG Published 20.2 TPM_NV_WriteValue3704 Start of informative comment:3705 This command writes the value to a defined area. The write can be TPM Owner authorized3706 or unauthorized and protected by other attributes and will work when no TPM Owner is3707 present.3708 End of informative comment.3709 Incoming Operands and Sizes3710 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Ordinal, TPM_ORD_NV_WriteValue 4 4 2S 4 TPM_NV_INDEX nvIndex The index of the area to set 5 4 3S 4 UINT32 offset The offset into the NV Area 6 4 4S 4 UINT32 dataSize The size of the data parameter 7 <> 5S <> BYTE data The data to set the area to 8 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for TPM Owner 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 9 20 3H1 20 TPM_NONCE authNonceOdd Nonce generated by caller 10 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 11 20 TPM_AUTHDATA ownerAuth Theauthorization session digest HMAC key: ownerAuth Outgoing Operands and Sizes3711 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal ordinal, TPM_ORD_NV_WriteValue 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE authNonceOdd Nonce generated by caller 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA ownerAuth Theauthorization session digest HMAC key: ownerAuth Actions3712 1. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks except3713 for the max NV writes are ignored3714 a. Ignored checks include physical presence, authorization,3715 TPM_NV_PER_OWNERWRITE, and PCR3716 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 208 Level 2 Revision 94 29 March 2006 Draft TCG Published 2. If nvIndex = 0 then3717 a. If dataSize is not 0, return TPM_BADINDEX.3718 b. Set TPM_STCLEAR_FLAGS -> bGlobalLock to TRUE3719 c. Return TPM_SUCCESS3720 3. Locate and set D1 to the TPM_NV_DATA_AREA that corresponds to nvIndex, return3721 TPM_BADINDEX on error3722 a. If nvIndex = TPM_NV_INDEX_DIR, set D1 to TPM_PERMANENT_DATA -> authDir[0]3723 4. If D1 -> permission -> TPM_NV_PER_AUTHWRITE is TRUE return3724 TPM_AUTH_CONFLICT3725 5. If tag = TPM_TAG_RQU_AUTH1_COMMAND then3726 a. If D1 -> permission -> TPM_NV_PER_OWNERWRITE is FALSE return3727 TPM_AUTH_CONFLICT3728 b. Validate command and parameters using ownerAuth HMAC with TPM Owner3729 authentication as the secret, return TPM_AUTHFAIL on error3730 6. Else3731 a. If D1 -> permission -> TPM_NV_PER_OWNERWRITE is TRUE return3732 TPM_AUTH_CONFLICT3733 b. If no TPM Owner validate max NV writes without an owner3734 i. Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite3735 ii. Increment NV1 by 13736 iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES3737 iv. Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV13738 7. Check that D1 -> pcrInfoWrite -> localityAtRelease for TPM_STANY_DATA ->3739 localityModifier is TRUE3740 a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo ->3741 localityAtRelease -> TPM_LOC_TWO would have to be TRUE3742 b. On error return TPM_BAD_LOCALITY3743 8. If D1 -> attributes specifies TPM_NV_PER_PPWRITE then validate physical presence is3744 asserted if not return TPM_BAD_PRESENCE3745 9. If D1 -> attributes specifies TPM_NV_PER_WRITEDEFINE3746 a. If D1 -> bWriteDefine is TRUE return TPM_AREA_LOCKED3747 10.If D1 -> attributes specifies TPM_NV_PER_GLOBALLOCK3748 a. If TPM_STCLEAR_DATA -> bGlobalLock is TRUE return TPM_AREA_LOCKED3749 11.If D1 -> attributes specifies TPM_NV_PER_WRITE_STCLEAR3750 a. If D1 ->bWriteSTClear is TRUE return TPM_AREA_LOCKED3751 12.If D1 -> pcrInfoWrite -> pcrSelection specifies a selection of TPM_STCLEAR_DATA ->3752 PCR[]3753 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 209 TCG Published a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 ->3754 pcrInfoWrite3755 b. Compare P1 to D1 -> pcrInfoWrite -> digestAtRelease return TPM_WRONGPCRVAL3756 on mismatch3757 13.If dataSize = 0 then3758 a. Set D1 -> bWriteSTClear to TRUE3759 b. Set D1 -> bWriteDefine to TRUE3760 14.Else3761 a. Set S1 to offset + dataSize3762 b. If S1 > D1 -> dataSize return TPM_NOSPACE3763 c. If D1 -> attributes specifies TPM_NV_PER_WRITEALL3764 i. If dataSize != D1 -> dataSize return TPM_NOT_FULLWRITE3765 d. Write the new value into the NV storage area3766 15.Set D1 -> bReadSTClear to FALSE3767 16.Return TPM_SUCCESS3768 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 210 Level 2 Revision 94 29 March 2006 Draft TCG Published 20.3 TPM_NV_WriteValueAuth3769 Start of informative comment:3770 This command writes to a previously defined area. The area must require authorization to3771 write. Use this command when authorization other than the owner authorization is to be3772 used. Otherwise, use TPM_NV_WriteValue.3773 End of informative comment.3774 Incoming Operands and Sizes3775 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG Tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Ordinal, TPM_ORD_NV_WriteValueAuth 4 4 2S 4 TPM_NV_INDEX nvIndex The index of the area to set 5 4 3S 4 UINT32 offset The offset into the chunk 6 4 4S 4 UINT32 dataSize The size of the data area 7 <> 5S <> BYTE data The data to set the area to 8 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for NV element authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 9 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 10 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 11 20 TPM_AUTHDATA authValue HMAC key: NV element auth value Outgoing Operands and Sizes3776 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal ordinal, TPM_ORD_N V_WriteValueAuth 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE NonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA authValue HMAC key: NV element auth value Actions3777 1. Locate and set D1 to the TPM_NV_DATA_AREA that corresponds to nvIndex, return3778 TPM_BADINDEX on error3779 2. If D1 -> attributes does not specify TPM_NV_PER_AUTHWRITE then return3780 TPM_AUTH_CONFLICT3781 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 211 TCG Published 3. Validate authValue using D1 -> authValue, return TPM_AUTHFAIL on error3782 4. Check that D1 -> pcrInfoWrite -> localityAtRelease for TPM_STANY_DATA ->3783 localityModifier is TRUE3784 a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo ->3785 localityAtRelease -> TPM_LOC_TWO would have to be TRUE3786 b. On error return TPM_BAD_LOCALITY3787 5. If D1 -> attributes specifies TPM_NV_PER_PPWRITE then validate physical presence is3788 asserted if not return TPM_BAD_PRESENCE3789 6. If D1 -> pcrInfoWrite -> pcrSelection specifies a selection of PCR3790 a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 ->3791 pcrInfoWrite3792 b. Compare P1 to digestAtRelease return TPM_WRONGPCRVAL on mismatch3793 7. If D1 -> attributes specifies TPM_NV_PER_WRITEDEFINE3794 a. If D1 -> bWriteDefine is TRUE return TPM_AREA_LOCKED3795 8. If D1 -> attributes specifies TPM_NV_PER_GLOBALLOCK3796 a. If TPM_STCLEAR_FLAGS -> bGlobalLock is TRUE return TPM_AREA_LOCKED3797 9. If D1 -> attributes specifies TPM_NV_PER_WRITE_STCLEAR3798 a. If D1 -> bWriteSTClear is TRUE return TPM_AREA_LOCKED3799 10.If dataSize = 0 then3800 a. Set D1 -> bWriteSTClear to TRUE3801 b. Set D1 -> bWriteDefine to TRUE3802 11.Else3803 a. Set S1 to offset + dataSize3804 b. If S1 > D1 -> dataSize return TPM_NOSPACE3805 c. If D1 -> attributes specifies TPM_NV_PER_WRITEALL3806 i. If dataSize != D1 -> dataSize return TPM_NOT_FULLWRITE3807 d. Write the new value into the NV storage area3808 12.Set D1 -> bReadSTClear to FALSE3809 13.Return TPM_SUCCESS3810 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 212 Level 2 Revision 94 29 March 2006 Draft TCG Published 20.4 TPM_NV_ReadValue3811 Start of informative comment:3812 Read a value from the NV store. This command uses optional owner authentication.3813 Action 1 indicates that if the NV are is not locked then reading of the NV area continues3814 without ANY authorization. This is intentional and allows a platform manufacturer to set3815 the NV areas, read them back, and then lock them all without having to install a TPM3816 owner.3817 End of informative comment.3818 Incoming Operands and Sizes3819 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Ordinal, TPM_ORD_NV_ReadValue 4 4 2S 4 TPM_NV_INDEX nvIndex The index of the area to set 5 4 3S 4 UINT32 offset The offset into the area 6 4 4S 4 UINT32 dataSize The size of the data area 7 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for TPM Owner authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE authNonceOdd Nonce generated by caller 9 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 10 20 TPM_AUTHDATA ownerAuth HMAC key: ownerAuth Outgoing Operands and Sizes3820 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal TPM_ORD_NV_ReadValue 4 4 3S 4 UINT32 dataSize The size of the data area 5 <> 4S <> BYTE data The data to set the area to 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 TPM_AUTHDATA ownerAuth HMAC key: ownerAuth Actions3821 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 213 TCG Published 1. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks are3822 ignored3823 2. Set D1 a TPM_NV_DATA_AREA structure to the area pointed to by nvIndex, if not found3824 return TPM_BADINDEX3825 a. If nvIndex = TPM_NV_INDEX_DIR, set D1 to TPM_PERMANENT_DATA -> authDir[0]3826 3. If tag = TPM_TAG_RQU_AUTH1_COMMAND then3827 a. If D1 -> TPM_NV_PER_OWNERREAD is FALSE return TPM_AUTH_CONFLICT3828 b. Validate command and parameters using TPM Owners authentication on error return3829 TPM_AUTHFAIL3830 4. Else3831 a. If D1 -> TPM_NV_PER_AUTHREAD is TRUE return TPM_AUTH_CONFLICT3832 b. If D1 -> TPM_NV_PER_OWNERREAD is TRUE return TPM_AUTH_CONFLICT3833 5. Check that D1 -> pcrInfoRead -> localityAtRelease for TPM_STANY_DATA ->3834 localityModifier is TRUE3835 a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo ->3836 localityAtRelease -> TPM_LOC_TWO would have to be TRUE3837 b. On error return TPM_BAD_LOCALITY3838 6. If D1 -> attributes specifies TPM_NV_PER_PPREAD then validate physical presence is3839 asserted if not return TPM_BAD_PRESENCE3840 7. If D1 -> TPM_NV_PER_READ_STCLEAR then3841 a. If D1 -> bReadSTClear is TRUE return TPM_DISABLED_CMD3842 8. If D1 -> pcrInfoRead -> pcrSelection specifies a selection of PCR3843 a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 ->3844 pcrInfoRead3845 b. Compare P1 to D1 -> pcrInfoRead -> digestAtRelease return TPM_WRONGPCRVAL on3846 mismatch3847 9. If dataSize is 0 then3848 a. Set D1 -> bReadSTClear to TRUE3849 b. Set data to NULL3850 10.Else3851 a. Set S1 to offset + dataSize3852 b. If S1 > D1 -> dataSize return TPM_NOSPACE3853 c. Set data to area pointed to by offset3854 11.Return TPM_SUCCESS3855 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 214 Level 2 Revision 94 29 March 2006 Draft TCG Published 20.5 TPM_NV_ReadValueAuth3856 Start of informative comment:3857 This command requires that the read be authorized by a value set with the blob.3858 End of informative comment.3859 Incoming Operands and Sizes3860 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Ordinal, TPM_ORD_NV_ReadValueAuth 4 4 2S 4 TPM_NV_INDEX nvIndex The index of the area to set 5 4 3S 4 UNIT32 offset The offset from the data area 6 4 5S 4 UINT32 dataSize The size of the data area 7 4 TPM_AUTHHANDLE authHandle authThe auth handle for the NV element authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE authNonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL authContinueSession The continue use flag for the authorization session handle 10 20 TPM_AUTHDATA authHmac HMAC key: nv element authorization Outgoing Operands and Sizes3861 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal ordinal, TPM_ORD_NV_ReadValueAuth 4 4 3S 4 UINT32 dataSize The size of the data area 5 <> 4S <> BYTE data The data 6 20 2H1 20 TPM_NONCE authNonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE authLastNonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL authContinueSession Continue use flag, TRUE if handle is still active 8 20 TPM_AUTHDATA authHmacOut HMAC key: nv element authorization Actions3862 1. Locate and set D1 to the TPM_NV_DATA_AREA that corresponds to nvIndex, on error3863 return TPM_BADINDEX3864 2. If D1 -> TPM_NV_PER_AUTHREAD is FALSE return TPM_AUTH_CONFLICT3865 3. Validate authHmac using D1 -> authValue on error return TPM_AUTHFAIL3866 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 215 TCG Published 4. If D1 -> attributes specifies TPM_NV_PER_PPREAD then validate physical presence is3867 asserted if not return TPM_BAD_PRESENCE3868 5. Check that D1 -> pcrInfoRead -> localityAtRelease for TPM_STANY_DATA ->3869 localityModifier is TRUE3870 a. For example if TPM_STANY_DATA -> localityModifier was 2 then D1 -> pcrInfo ->3871 localityAtRelease -> TPM_LOC_TWO would have to be TRUE3872 b. On error return TPM_BAD_LOCALITY3873 6. If D1 -> pcrInfoRead -> pcrSelection specifies a selection of PCR3874 a. Create P1 a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by D1 ->3875 pcrInfoRead3876 b. Compare P1 to D1 -> pcrInfoRead -> digestAtRelease return TPM_WRONGPCRVAL on3877 mismatch3878 7. If D1 specifies TPM_NV_PER_READ_STCLEAR then3879 a. If D1 -> bReadSTClear is TRUE return TPM_DISABLED_CMD3880 8. If dataSize is 0 then3881 a. Set D1 -> bReadSTClear to TRUE3882 b. Set data to NULL3883 9. Else3884 a. Set S1 to offset + dataSize3885 b. If S1 > D1 -> dataSize return TPM_NOSPACE3886 c. Set data to area pointed to by offset3887 10.Return TPM_SUCCESS3888 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 216 Level 2 Revision 94 29 March 2006 Draft TCG Published 21. Session Management3889 Start of informative comment:3890 Three TPM_RT_CONTEXT session resources located in TPM_STANY_DATA work together to3891 control session save and load: contextNonceSession, contextCount, and contextList[].3892 All three MUST initialized at TPM_Startup(ST_ANY), which invalidates all saved sessions.3893 They MAY be restored by TPM_Startup(ST_STATE), which would allow saved sessions to be3894 loaded. The operation is reported as the TPM_RT_CONTEXT startup effect.3895 TPM_SaveContext creates a contextBlob containing an encrypted contextNonceSession. The3896 nonce is checked by TPM_LoadContext. So initializing contextNonceSession invalidates all3897 saved contexts. The nonce is large and protected, making a replay infeasible.3898 The contextBlob also contains a public but protected contextCount. The count increments3899 for each saved contextBlob. The TPM also saves contextCount in contextList[]. The TPM3900 validates contextBlob against the contextList[] during TPM_LoadContext. Since the3901 contextList[] is finite, it limits the number of valid saved sessions. Since the contextCount3902 cannot be allowed to wrap, it limits the total number of saved sessions.3903 After a contextBlob is loaded, its contextCount entry is removed from contextList[]. This3904 releases space in the context list for future entries. It also invalidates the contextBlob. So a3905 saved contextBlob can be loaded only once.3906 TPM_FlushSpecific can also specify a contextCount to be removed from the contextList[],3907 allowing invalidation of an individual contextBlob. This is different from TPM_FlushSpecific3908 specifying a session handle, which invalidates a loaded session, not a saved contextBlob.3909 End of informative comment.3910 3911 21.1 TPM_KeyControlOwner3912 Start of informative comment:3913 This command controls some attributes of keys that are stored within the TPM key cache.3914 OwnerEvict: If this bit is set to true, this key remains in the TPM through all TPM_Startup3915 events. The only way to evict this key is for the TPM Owner to execute this command again,3916 setting the owner control bit to false and then executing TPM_FlushSpecific.3917 The key handle does not reference an authorized entity and is not validated.3918 End of informative comment.3919 Incoming Parameters and Sizes3920 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes incl. paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_KeyControlOwner 4 4 TPM_KEY_HANDLE keyHandle The handle of a loadedkey. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 217 TCG Published 5 <> 2S <> TPM_PUBKEY pubKey The public key associated with the loaded key 6 4 3S 4 TPM_KEY_CONTROL bitName The name of the bit to be modified 7 1 4S 1 BOOL bitValue The value to set the bit to 8 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 9 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 10 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 11 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 12 20 20 TPM_AUTHDATA ownerAuth HMAC authorization: key ownerAuth Outgoing Parameters and Sizes3921 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal:TPM_ORD_KeyControlOwner 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM. 3H1 20 TPM_NONCE nonceOdd Nonce generated by system 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth HMAC authorization: key ownerAuth Descriptions3922 1. Set an internal bit within the key cache that controls some attribute of a loaded key.3923 Actions3924 1. Validate the AuthData using the owner authentication value, on error return3925 TPM_AUTHFAIL3926 2. Validate that keyHandle refers to a loaded key, return TPM_INVALID_KEYHANDLE on3927 error.3928 3. Validate that pubKey matches the key held by the TPM pointed to by keyHandle, return3929 TPM_BAD_PARAMETER on mismatch3930 a. This check added so that virtualization of the keyHandle does not result in attacks as3931 the keyHandle is not associated with an authorization value3932 4. Validate that bitName is valid, return TPM_BAD_MODE on error.3933 5. If bitName == TPM_KEY_CONTROL_OWNER_EVICT3934 a. If bitValue == TRUE3935 i. Verify that after this operation at least two key slots will be present within the3936 TPM that can store any type of key both of which do NOT have the OwnerEvict bit3937 set, on error return TPM_NOSPACE3938 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 218 Level 2 Revision 94 29 March 2006 Draft TCG Published ii. Verify that for this key handle, parentPCRStatus is FALSE and isVolatile is3939 FALSE. Return TPM_BAD_PARAMETER on error.3940 iii. Set ownerEvict within the internal key storage structure to TRUE.3941 b. Else if bitValue == FALSE3942 i. Set ownerEvict within the internal key storage structure to FALSE.3943 6. Return TPM_SUCCESS3944 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 219 TCG Published 21.2 TPM_SaveContext3945 Start of informative comment:3946 TPM_SaveContext saves a loaded resource outside the TPM. After successful execution of3947 the command, the TPM automatically releases the internal memory for sessions but leaves3948 keys in place.3949 There is no assumption that a saved context blob is stored in a safe, protected area. Since3950 the context blob can be loaded at any time, do not rely on TPM_SaveContext to restrict3951 access to an entity such as a key. If use of the entity should be restricted, means such as3952 authorization secrets or PCR's should be used.3953 In general, TPM_SaveContext can save a transport session. However, it cannot save an3954 exclusive transport session, because any ordinal other than TPM_ExecuteTransport3955 terminates the exclusive transport session. This action prevents the exclusive transport3956 session from being saved and reloaded while intervening commands are hidden from the3957 transport log.3958 End of informative comment.3959 Incoming Parameters and Sizes3960 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SaveContext 4 4 TPM_HANDLE handle Handle of the resource being saved. 5 4 2S 4 TPM_RESOURCE_TYPE resourceType The type of resource that is being saved 6 16 3S 16 BYTE[16] label Label for identification purposes Outgoing Parameters and Sizes3961 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SaveContext 4 4 3S 4 UINT32 contextSize The actual size of the outgoing context blob 5 <> 4S <> TPM_CONTEXT_BLOB contextBlob The context blob Description3962 1. The caller of the function uses the label field to add additional sequencing, anti-replay or3963 other items to the blob. The information does not need to be confidential but needs to be3964 part of the blob integrity.3965 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 220 Level 2 Revision 94 29 March 2006 Draft TCG Published Actions3966 1. Map V1 to TPM_STANY_DATA3967 2. Validate that handle points to resource that matches resourceType, return3968 TPM_INVALID_RESOURCE on error3969 3. Validate that resourceType is a resource from the following list if not return3970 TPM_INVALID_RESOURCE3971 a. TPM_RT_KEY3972 b. TPM_RT_AUTH3973 c. TPM_RT_TRANS3974 d. TPM_RT_DAA_TPM3975 4. Locate the correct nonce3976 a. If resourceType is TPM_RT_KEY3977 i. If TPM_STCLEAR_DATA -> contextNonceKey is NULLS3978 (1) Set TPM_STCLEAR_DATA -> contextNonceKey to the next value from the TPM3979 RNG3980 ii. Map N1 to TPM_STCLEAR_DATA -> contextNonceKey3981 iii. If the key has TPM_KEY_CONTROL_OWNER_EVICT set then return3982 TPM_OWNER_CONTROL3983 b. Else3984 i. If V1 -> contextNonceSession is NULLS3985 (1) Set V1 -> contextNonceSession to the next value from the TPM RNG3986 ii. Map N1 to V1 -> contextNonceSession3987 5. Set K1 to TPM_PERMANENT_DATA -> contextKey3988 6. Create R1 by putting the sensitive part of the resource pointed to by handle into a3989 structure. The structure is a TPM manufacturer option. The TPM MUST ensure that ALL3990 sensitive information of the resource is included in R1.3991 7. Create C1 a TPM_CONTEXT_SENSITIVE structure3992 a. C1 forms the inner encrypted wrapper for the blob. All saved context blobs MUST3993 include a TPM_CONTEXT_SENSITIVE structure and the TPM_CONTEXT_SENSITIVE3994 structure MUST be encrypted.3995 b. Set C1 -> contextNonce to N13996 c. Set C1 -> internalData to R13997 8. Create B1 a TPM_CONTEXT_BLOB3998 a. Set B1 -> tag to TPM_TAG_CONTEXTBLOB3999 b. Set B1 -> resourceType to resourceType4000 c. Set B1 -> handle to handle4001 d. Set B1 -> integrityDigest to NULL4002 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 221 TCG Published e. Set B1 -> label to label4003 f. Set B1 -> additionalData to information determined by the TPM manufacturer. This4004 data will help the TPM to reload and reset context. This area MUST NOT hold any data4005 that is sensitive (symmetric IV are fine, prime factors of an RSA key are not).4006 i. For OSAP sessions, and DSAP attached to keys, the hash of the entity MUST be4007 included in additionalData4008 g. Set B1 -> additionalSize to the size of additionalData4009 h. Set B1 -> sensitiveSize to the size of C14010 i. Set B1 -> sensitiveData to C14011 9. If resourceType is TPM_RT_KEY4012 a. Set B1 -> contextCount to 04013 10.Else4014 a. If V1 -> contextCount > 232-2 then4015 i. Return with TPM_TOOMANYCONTEXTS4016 b. Else4017 i. Increment V1 -> contextCount by 14018 ii. Validate that the TPM can still manage the new count value4019 (1) If the distance between the oldest saved context and the contextCount is too4020 large return TPM_CONTEXT_GAP4021 iii. Find contextIndex such that V1 -> contextList[contextIndex] equals 0. If not found4022 exit with TPM_NOCONTEXTSPACE4023 iv. Set V1-> contextList[contextIndex] to V1 -> contextCount4024 v. Set B1 -> contextCount to V1 -> contextCount4025 c. The TPM MUST invalidate all information regarding the resource except for4026 information needed for reloading4027 11.Calculate B1 -> integrityDigest the HMAC of B1 using TPM_PERMANENT_DATA ->4028 tpmProof as the secret4029 12.Create E1 by encrypting C1 using K1 as the key4030 a. Set B1 -> sensitiveSize to the size of E14031 b. Set B1 -> sensitiveData to E14032 13.Set contextSize to the size of B14033 14.Return B1 in contextBlob4034 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 222 Level 2 Revision 94 29 March 2006 Draft TCG Published 21.3 TPM_LoadContext4035 Start of informative comment:4036 TPM_LoadContext loads into the TPM a previously saved context. The command returns a4037 handle.4038 End of informative comment.4039 Incoming Parameters and Sizes4040 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadContext 4 4 TPM_HANDLE entityHandle The handle the TPM MUST use to locate the entity tied to the OSAP/DSAP session 5 1 2S 1 BOOL keepHandle Indication if the handle MUST be preserved 6 4 3S 4 UINT32 contextSize The size of the following context blob. 7 <> 4S <> TPM_CONTEXT_BLOB contextBlob The context blob Outgoing Parameters and Sizes4041 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadContext 4 4 TPM_HANDLE handle The handle assigned to the resource after it has been successfully loaded. Actions4042 1. Map contextBlob to B1, a TPM_CONTEXT_BLOB structure4043 2. Map V1 to TPM_STANY_DATA4044 3. Create M1 by decrypting B1 -> sensitiveData using TPM_PERMANENT_DATA ->4045 contextKey4046 4. Create C1 and R1 by splitting M1 into a TPM_CONTEXT_SENSITIVE structure and4047 internal resource data4048 5. Check contextNonce4049 a. If B1 -> resourceType is NOT TPM_RT_KEY4050 i. If C1 -> contextNonce does not equal V1 -> contextNonceSession return4051 TPM_BADCONTEXT4052 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 223 TCG Published ii. Validate that the resource pointed to by the context is loaded (i.e. for OSAP the4053 key referenced is loaded and DSAP connected to the key) return4054 TPM_RESOURCEMISSING4055 (1) For OSAP sessions the TPM MUST validate that the incoming pubkey hash4056 matches the key held by the TPM4057 (2) For OSAP and DSAP sessions referring to a key, verify that entityHandle4058 identifies the key linked to this OSAP/DSAP session, if not return4059 TPM_BAD_HANDLE.4060 b. Else4061 i. If C1 -> internalData -> parentPCRStatus is FALSE and C1 -> internalData ->4062 isVolatile is FALSE4063 (1) Ignore C1 -> contextNonce4064 ii. else4065 (1) If C1 -> contextNonce does not equal TPM_STCLEAR_DATA ->4066 contextNonceKey return TPM_BADCONTEXT4067 6. Validate the structure4068 a. Set H1 to B1 -> integrityDigest4069 b. Set B1 -> integrityDigest to NULL4070 c. Copy M1 to B1 -> sensitiveData4071 d. Create H2 the HMAC of B1 using TPM_PERMANENT_DATA -> tpmProof as the HMAC4072 key4073 e. If H2 does equal H1 return TPM_BADCONTEXT4074 7. If keepHandle is TRUE4075 a. Set handle to B1 -> handle4076 b. If the TPM is unable to restore the handle the TPM MUST return TPM_BAD_HANDLE4077 8. Else4078 a. The TPM SHOULD attempt to restore the handle but if not possible it MAY set the4079 handle to any valid for B1 -> resourceType4080 9. If B1 -> resourceType is NOT TPM_RT_KEY4081 a. Find contextIndex such that V1 -> contextList[contextIndex] equals B1 ->4082 TPM_CONTEXT_BLOB -> contextCount4083 b. If not found then return TPM_BADCONTEXT4084 c. Set V1 -> contextList[contextIndex] to 04085 10.Process B1 to return the resource back into TPM use4086 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 224 Level 2 Revision 94 29 March 2006 Draft TCG Published 22. Eviction4087 Start of informative comment:4088 The TPM has numerous resources held inside of the TPM that may need eviction. The need4089 for eviction occurs when the number or resources in use by the TPM exceed the available4090 space. For resources that are hard to reload (i.e. keys tied to PCR values) the outside entity4091 should first perform a context save before evicting items.4092 In version 1.1 there were separate commands to evict separate resource types. This new4093 command set uses the resource types defined for context saving and creates a generic4094 command that will evict all resource types.4095 End of informative comment.4096 The TPM MUST NOT flush the EK or SRK using this command.4097 Version 1.2 deprecates the following commands:4098 ? TPM_Terminate_Handle4099 ? TPM_EvictKey4100 ? TPM_Reset4101 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 225 TCG Published 22.1 TPM_FlushSpecific4102 Start of informative comment:4103 TPM_FlushSpecific flushes from the TPM a specific handle.4104 End of informative comment.4105 Incoming Parameters and Sizes4106 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_FlushSpecific 4 4 TPM_HANDLE handle The handle of the item to flush 5 4 2S 4 TPM_RESOURCE_TYPE resourceType The type of resource that is being flushed Outgoing Parameters and Sizes4107 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_FlushSpecific Description4108 TPM_FlushSpecific releases the resources associated with the given handle.4109 Actions4110 1. If resourceType is TPM_RT_CONTEXT4111 a. The handle for a context is not a handle but the "context count" value. The TPM uses4112 the "context count" value to locate the proper contextList entry and sets R1 to the4113 contextList entry4114 b. If R1 is not a valid saved context return TPM_BAD_PARAMETER4115 2. Else if resourceType is TPM_RT_KEY4116 a. Set R1 to the key pointed to by handle4117 b. Validate that R1 points at valid key4118 c. If R1 -> ownerEvict is TRUE return TPM_KEY_OWNER_CONTROL4119 3. Else if resourceType is TPM_RT_HASH or TPM_RT_COUNTER or TPM_RT_DELEGATE4120 a. Return TPM_INVALID_RESOURCE4121 4. Else4122 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 226 Level 2 Revision 94 29 March 2006 Draft TCG Published a. Set R1 to the resource pointed to by handle4123 b. Validate that resource type and handle point to a valid allocated resource4124 5. Invalidate R1 and all internal resources allocated to R14125 a. Resources include authorization sessions4126 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 227 TCG Published 23. Timing Ticks4127 Start of informative comment:4128 The TPM timing ticks are always available for use. The association of timing ticks to actual4129 time is a protocol that occurs outside of the TPM. See the design document for details.4130 The setting of the clock type variable is a one time operation that allows the TPM to be4131 configured to the type of platform that is installed on.4132 The ability for the TPM to continue to increment the timer ticks across power cycles of the4133 platform is a TPM and platform manufacturer decision.4134 End of informative comment.4135 23.1 TPM_GetTicks4136 Start of informative comment:4137 This command returns the current tick count of the TPM.4138 End of informative comment.4139 Incoming Parameters and Sizes4140 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Ordinal: TPM_ORD_GetTicks Outgoing Parameters and Sizes4141 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Ordinal: TPM_ORD_GetTicks 4 32 3S 32 TPM_CURRENT_TICKS currentTime The current time held in the TPM Descriptions4142 This command returns the current time held in the TPM. It is the responsibility of the4143 external system to maintain any relation between this time and a UTC value or local real4144 time value.4145 Actions4146 1. Set T1 to the internal TPM_CURRENT_TICKS structure4147 2. Return T1 as currentTime.4148 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 228 Level 2 Revision 94 29 March 2006 Draft TCG Published 23.2 TPM_TickStampBlob4149 Start of informative comment:4150 This command applies a time stamp to the passed blob. The TPM makes no representation4151 regarding the blob merely that the blob was present at the TPM at the time indicated.4152 End of informative comment.4153 Incoming Parameters and Sizes4154 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Ordinal, fixed value of TPM_ORD_TickStampBlob 4 4 TPM_KEY_HANDLE keyHandle The keyHandle identifier of a loaded key that can perform digital signatures. 5 20 2s 20 TPM_NONCE antiReplay Anti replay value to added to signature 6 20 3s 20 TPM_DIGEST digestToStamp The digest to perform the tick stamp on 7 4 TPM_AUTHHANDLE authHandle The authorization session handle used for keyHandle authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 10 20 TPM_AUTHDATA privAuth The authorization session digest that authorizes the use of keyHandle. HMAC key: key.usageAuth TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 229 TCG Published Outgoing Parameters and Sizes4155 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Ordinal, fixed value of TPM_ORD_TickStampBlob 4 32 3S 32 TPM_CURRENT_TICKS currentTicks The current time according to the TPM 5 4 4S 4 UINT32 sigSize The length of the returned digital signature 6 <> 5S <> BYTE[ ] sig The resulting digital signature. 7 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 9 20 TPM_AUTHDATA resAuth The authorization session digest for the returned parameters. HMAC key: key.usageAuth Description4156 The function performs a digital signature on the hash of digestToStamp and the current tick4157 count.4158 It is the responsibility of the external system to maintain any relation between tick count4159 and a UTC value or local real time value.4160 Actions4161 3. The TPM validates the AuthData to use the key pointed to by keyHandle.4162 4. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY or4163 TPM_KEY_LEGACY, if not return the error code TPM_INVALID_KEYUSAGE.4164 5. Return TPM_INAPPROPRIATE_SIG if the keyHandle -> sigScheme is not SHA-14165 6. If TPM_STCLEAR_DATA -> currentTicks is not properly initialized4166 a. Initialize the TPM_STCLEAR_DATA -> currentTicks4167 7. Create T1, a TPM_CURRENT_TICKS structure.4168 8. Create H1 a TPM_SIGN_INFO structure and set the structure defaults4169 a. Set H1 -> fixed to "TSTP"4170 b. Set H1 -> replay to antiReplay4171 c. Create H2 the concatenation of digestToStamp || T14172 d. Set H1 -> dataLen to the length of H24173 e. Set H1 -> data to H24174 9. The TPM computes the signature, sig, using the key referenced by keyHandle, using4175 SHA-1 of H1 as the information to be signed4176 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 230 Level 2 Revision 94 29 March 2006 Draft TCG Published 10.The TPM returns T1 as currentTicks parameter4177 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 231 TCG Published 24. Transport Sessions4178 24.1 TPM_EstablishTransport4179 Start of informative comment:4180 This establishes the transport session. Depending on the attributes specified for the session4181 this may establish shared secrets, encryption keys, and session logs. The session will be in4182 use for by the TPM_ExecuteTransport command.4183 The only restriction on what can happen inside of a transport session is that there is no4184 "nesting" of sessions. It is permissible to perform operations that delete internal state and4185 make the TPM inoperable.4186 End of informative comment.4187 Incoming Parameters and Sizes4188 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_EstablishTransport 4 4 TPM_KEY_HANDLE encHandle The handle to the key that encrypted the blob 5 <> 2S <> TPM_TRANSPORT_PUBLIC transPublic The public information describing the transport session 6 4 3S 4 UINT32 secretSize The size of the secret Area 7 <> 4S <> BYTE[] secret The encrypted secret area 8 4 TPM_AUTHHANDLE authHandle The authorization session handle used for keyHandle authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 9 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 10 1 4H1 1 BOOL continueAuthSession The continue us e flag for the authorization session handle 11 20 TPM_AUTHDATA keyAuth Authorization. HMAC key: encKey.usageAuth 4189 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 232 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Parameters and Sizes4190 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_EstablishTransport 4 4 TPM_TRANSHANDLE transHandle Thehandle for the transport session 5 4 3S 4 TPM_MODIFIER_INDICATOR locality The locality that called this command 6 32 4S 32 TPM_CURRENT_TICKS currentTicks The current tick count 7 20 5S 20 TPM_NONCE transNonceEven The even nonce in use for subsequent execute transport 8 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 10 20 TPM_AUTHDATA resAuth Authorization. HMAC key: key.usageAuth Description4191 This command establishes the transport sessions shared secret. The encryption of the4192 shared secret uses the public key of the key loaded in encKey.4193 Actions4194 1. If encHandle is TPM_KH_TRANSPORT then4195 a. If tag is NOT TPM_TAG_RQU_COMMAND return TPM_BADTAG4196 b. If transPublic -> transAttributes specifies TPM_TRANSPORT_ENCRYPT return4197 TPM_BAD_SCHEME4198 c. If secretSize is not 20 return TPM_BAD_PARAM_SIZE4199 d. Set A1 to secret4200 2. Else4201 a. encHandle -> keyUsage MUST be TPM_KEY_STORAGE or TPM_KEY_LEGACY return4202 TPM_INVALID_KEYUSAGE on error4203 b. If encHandle -> authDataUsage does not equal TPM_AUTH_NEVER and tag is NOT4204 TPM_TAG_RQU_AUTH1_COMMAND return TPM_AUTHFAIL4205 c. Using encHandle -> usageAuth validate the AuthData to use the key and the4206 parameters to the command4207 d. Create K1 a TPM_TRANSPORT_AUTH structure by decrypting secret using the key4208 pointed to by encHandle4209 e. Validate K1 for tag4210 f. Set A1 to K1 -> authData4211 3. If transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT4212 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 233 TCG Published a. If TPM_PERMANENT_FLAGS -> FIPS is true and transPublic -> algId is equal to4213 TPM_ALG_MGF1 return TPM_INAPPROPRIATE_ENC4214 b. Check if the transPublic -> algId is supported, if not return4215 TPM_BAD_KEY_PROPERTY4216 c. If transPublic -> algid is TPM_ALG_3DES or TPM_ALG_AESXXX, check that4217 transPublic -> encScheme is supported, if not return TPM_INAPPROPRIATE_ENC4218 d. Perform any initializations necessary for the algorithm4219 4. Generate transNonceEven from the TPM RNG4220 5. Create T1 a TPM_TRANSPORT_INTERNAL structure4221 a. Ensure that the TPM has sufficient internal space to allocate the transport session,4222 return TPM_RESOURCES on error4223 b. Assign a T1 -> transHandle value. This value is assigned by the TPM4224 c. Set T1 -> transDigest to NULL4225 d. Set T1 -> transPublic to transPublic4226 e. Set T1-> transNonceEven to transNonceEven4227 f. Set T1 -> authData to A14228 6. If TPM_STANY_DATA -> currentTicks is not properly initialized4229 a. Initialize the TPM_STANY_DATA -> currentTicks4230 7. Set currentTicks to TPM_STANY_DATA -> currentTicks4231 8. If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_LOG set then4232 a. Create L1 a TPM_TRANSPORT_LOG_IN structure4233 i. Set L1 -> parameters to SHA-1 (ordinal || transPublic || secretSize || secret)4234 ii. Set L1 -> pubKeyHash to NULL4235 iii. Set T1 -> transDigest to SHA-1 (T1 -> transDigest || L1)4236 b. Create L2 a TPM_TRANSPORT_LOG_OUT structure4237 i. Set L2 -> parameters to SHA-1 (returnCode || ordinal || locality || currentTicks4238 || transNonceEven)4239 ii. Set L2 -> locality to the locality of this command4240 iii. Set L2 -> currentTicks to currentTicks, this MUST be the same value that is4241 returned in the currentTicks parameter4242 iv. Set T1 -> transDigest to SHA-1 (T1 -> transDigest || L2)4243 9. If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_EXCLUSIVE then set4244 TPM_STANY_FLAGS -> transportExclusive to TRUE4245 a. Execution of any command other than TPM_ExecuteTransport or4246 TPM_ReleaseTransportSigned targeting this transport session will cause the abnormal4247 invalidation of this transport session transHandle4248 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 234 Level 2 Revision 94 29 March 2006 Draft TCG Published b. The TPM gives no indication, other than invalidation of transHandle, that the session4249 is terminated4250 10.Return T1 -> transHandle as transHandle4251 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 235 TCG Published 24.2 TPM_ExecuteTransport4252 Start of informative comment:4253 Delivers a wrapped TPM command to the TPM where the TPM unwraps the command and4254 then executes the command.4255 TPM_ExecuteTransport uses the same rolling nonce paradigm as other authorized TPM4256 commands. The even nonces start in TPM_EstablishTransport and change on each4257 invocation of TPM_ExecuteTransport.4258 The only restriction on what can happen inside of a transport session is that there is no4259 "nesting" of sessions. It is permissible to perform operations that delete internal state and4260 make the TPM inoperable.4261 Because, in general, key handles are not logged, a digest of the corresponding public key is4262 logged. In cases where the key handle is logged (e.g. TPM_OwnerReadInternalPub), the4263 public key is also logged.4264 End of informative comment.4265 Incoming Parameters and Sizes4266 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ExecuteTransport 4 4 2S 4 UINT32 wrappedCmdSize Size of the wrapped command 5 <> 3S <> BYTE[] wrappedCmd The wrapped command 6 4 TPM_TRANSHANDLE transHandle The transport session handle 2H1 20 TPM_NONCE transLastNonceEven Even nonce previously generated by TPM 7 20 3H1 20 TPM_NONCE transNonceOdd Nonce generated by caller 8 1 4H1 1 BOOL continueTransSession The continue use flag for the authorization session handle 9 20 TPM_AUTHDATA transAuth HMAC for transHandle key: transHandle -> authData 4267 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 236 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Parameters and Sizes4268 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the ExecuteTransport command. This does not reflect the status of wrapped command. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ExecuteTransport 4 8 3S 8 UINT64 currentTicks The current ticks when the command was executed 5 4 4S 4 TPM_MODIFIER_INDICATOR locality The locality that called this command 6 4 5S 4 UINT32 wrappedRspSize Size of the wrapped response 7 <> 6S <> BYTE[] wrappedRsp The wrapped response 8 20 2H1 20 TPM_NONCE transNonceEven Even nonce newly generated by TPM 3H1 20 TPM_NONCE transNonceOdd Nonce generated by caller 9 1 4H1 1 BOOL continueTransSession The continue use flag for the session 10 20 TPM_AUTHDATA transAuth HMAC for transHandle key: transHandle -> authData Description4269 1. This command executes a TPM command using the transport session.4270 2. Prior to execution of the wrapped command (action 11 below) failure of the transport4271 session MUST have no effect on the resources referenced by the wrapped command. The4272 exception is when the TPM goes into failure mode and return FAILED_SELFTEST for all4273 subsequent commands.4274 3. After execution of the wrapped command, failure of the transport session MUST have an4275 effect on the wrapped command resources. The reason for this is that the transport4276 session will be returning an error code and not reporting any session nonces. The entire4277 wrapped command response is lost so nonces, handles and such are lost to the caller.4278 4. Execution of the wrapped command (action 11) SHOULD have no effect on the transport4279 session.4280 a. The wrapped command SHALL use no resources of the transport session, this4281 includes authorization sessions4282 b. If the wrapped command execution returns an error (action 11 below) then the4283 sessions for TPM_ExecuteTransport still operate properly.4284 c. The exception to this is when the wrapped command causes the TPM to go into4285 failure mode and return TPM_FAILSELFTEST for all subsequent commands4286 5. Field layout4287 a. Command representation4288 b. ******************************************************************************4289 c. TAGet | LENet | ORDet | wrappedCmdSize | wrappedCmd | AUTHet4290 d. ******************************************************************************4291 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 237 TCG Published e. wrappedCmd looks like the following4292 f. ****************************************************************************************4293 g. TAGw | LENw | ORDw | HANDLESw(o) | DATAw | AUTH1w (o) | AUTH2w (o)4294 h. ****************************************************************************************4295 i. | LEN1 |4296 j. | E1 | (encrypted)4297 k. | C1 | (decrypted)4298 l. Response representation4299 m. **************************************************************************4300 n. TAGet | LENet | RCet | wrappedRspSize | wrappedRsp | AUTHet4301 o. **************************************************************************4302 p. wrappedRsp looks like the following4303 q. *************************************************************************************4304 r. TAGw | LENw | RCw | HANDLESw(o) | DATAw | AUTH1w (o) | AUTH2w (o)4305 s. *************************************************************************************4306 t. | LEN2 |4307 u. | ß-------------------------- C2 -------------------------------------------------- |4308 v. | S2 | (decrypted)4309 w. | E2 | (encrypted)4310 x. The only parameter that is possibly encrypted is DATAw4311 6. Additional DATAw comments4312 a. For TPM_FlushSpecific and TPM_SaveContext4313 i. The DATAw part of these commands does not include the handle.4314 (1) It is understood that encrypting the resourceType prevents a determination of4315 the handle type.4316 ii. If the resourceType is TPM_RT_KEY, then the public key SHOULD be logged.4317 b. For TPM_DAA_Join and TPM_DAA_Sign4318 i. The DATAw part of these commands does not include the handle4319 c. For TPM_LoadKey24320 i. The outgoing handle is not part of the outgoing DATAw and is not encrypted or4321 logged by the outgoing transport.4322 d. For TPM_LoadKey4323 i. The outgoing handle is part of the outgoing DATAw and is encrypted.4324 e. For TPM_LoadContext4325 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 238 Level 2 Revision 94 29 March 2006 Draft TCG Published i. The outgoing handle is not part of the outgoing DATAw and is not encrypted or4326 logged by the outgoing transport.4327 (1) It is understood that encrypting the contextBlob prevents a determination of4328 the handle type.4329 7. TPM_ExecuteTransport returns an implementation defined result when the wrapped4330 command would cause termination of the transport session. Implementation defined4331 possibilities include but are not limited to: the wrapped command may execute,4332 completely, partially, or not at all, the transport session may or not be terminated,4333 continueTransSession may not be processed or returned correctly, and an error may or4334 may not be returned. The wrapped commands include:4335 a. TPM_FlushSpecific, TPM_SaveContext targeting the transport session4336 b. TPM_OwnerClear, TPM_ForceClear, TPM_RevokeTrust4337 Actions4338 1. Using transHandle locate the TPM_TRANSPORT_INTERNAL structure T14339 2. Parse wrappedCmd4340 a. Set TAGw, LENw, and ORDw to the parameters from wrappedCmd4341 b. Set E1 to DATAw4342 i. This pointer is ordinal dependent and requires the execute transport command to4343 parse wrappedCmd4344 c. Set LEN1 to the length of DATAw4345 i. DATAw always ends at the start of AUTH1w if AUTH1w is present4346 3. If LEN1 is less that 0, or if ORDw is unknown, unimplemented, or cannot be determined4347 a. Return TPM_BAD_PARAMETER4348 4. If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT set then4349 a. If T1 -> transPublic -> algId is TPM_ALG_MGF14350 i. Using the MGF1 function, create string G1 of length LEN1. The inputs to the4351 MGF1 are transLastNonceEven, transNonceOdd, "in", and T1 -> authData. These4352 four values concatenated together form the Z value that is the seed for the MGF1.4353 ii. Create C1 by performing an XOR of G1 and wrappedCmd starting at E1.4354 b. If the encryption algorithm requires an IV calculate the IV values4355 i. Using the MGF1 function, create string IV1 with a length set by the block size of4356 the encryption algorithm. The inputs to the MGF1 are transLastNonceEven,4357 transNonceOdd, and "in". These three values concatenated together form the Z4358 value that is the seed for the MGF1. Note that any terminating characters within4359 the string "in" are ignored, so a total of 42 bytes are hashed.4360 ii. Blocksize for TPM_ALG_DES is 84361 iii. Blocksize for TPM_ALG_AESxxx is 164362 iv. The symmetric key is taken from the first bytes of T1 -> authData.4363 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 239 TCG Published v. Decrypt DATAw and replace the DATAw area of E1 creating C14364 c. TPM_OSAP, TPM_OIAP have no parameters encrypted4365 d. TPM_DSAP has special rules for parameter encryption4366 5. Else4367 a. Set C1 to the DATAw area E1 of wrappedCmd4368 6. Create H1 the SHA-1 of (ORDw || C1).4369 a. C1 MUST point at the decrypted DATAw area of E14370 b. The TPM MAY use this calculation for both execute transport authorization,4371 authorization of the wrapped command and transport log creation4372 7. Validate the incoming transport session authorization4373 a. Set inParamDigest to SHA-1 (ORDet || wrappedCmdSize || H1)4374 b. Calculate the HMAC of (inParamDigest || transLastNonceEven || transNonceOdd ||4375 continueTransSession) using T1 -> authData as the HMAC key4376 c. Validate transAuth, on errors return TPM_AUTHFAIL4377 8. If TPM_ExecuteTransport requires auditing4378 a. Create TPM_AUDIT_EVENT_IN using H1 as the input parameter digest and update4379 auditDigest4380 b. On any error return TPM_AUDITFAIL_UNSUCCESSFUL4381 9. If ORDw is from the list of following commands return TPM_NO_WRAP_TRANSPORT4382 a. TPM_EstablishTransport4383 b. TPM_ExecuteTransport4384 c. TPM_ReleaseTransportSigned4385 10.If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_LOG set then4386 a. Create L2 a TPM_TRANSPORT_LOG_IN structure4387 b. Set L2 -> parameters to H14388 c. If ORDw is a command with no key handles4389 i. Set L2 -> pubKeyHash to NULL4390 d. If ORDw is a command with one key handle4391 i. Create K2 the hash of the TPM_STORE_PUBKEY structure of the key pointed to4392 by the key handle.4393 ii. Set L2 -> pubKeyHash to SHA-1 (K2)4394 e. If ORDw is a command with two key handles4395 i. Create K2 the hash of the TPM_STORE_PUBKEY structure of the key pointed to4396 by the first key handle.4397 ii. Create K3 the hash of the TPM_STORE_PUBKEY structure of the key pointed to4398 by the second key handle.4399 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 240 Level 2 Revision 94 29 March 2006 Draft TCG Published iii. Set L2 -> pubKeyHash to SHA-1 (K2 || K3)4400 f. Set T1 -> transDigest to the SHA-1 (T1 -> transDigest || L2)4401 g. If ORDw is a command with key handles, and the key is not loaded, return4402 TPM_INVALID_KEYHANDLE.4403 11.Send the wrapped command to the normal TPM command parser, the output is C2 and4404 the return code is RCw4405 a. If ORDw is a command that is audited then the TPM MUST perform the input and4406 output audit of the command as part of this action.4407 b. The TPM MAY use H1 as the data value in the authorization and audit calculations4408 during the execution of C14409 12.Set CT1 to TPM_STANY_DATA -> currentTicks -> currentTicks and return CT1 in the4410 currentTicks output parameter4411 13.Calculate S2 the pointer to the DATAw area of C24412 a. Calculate LEN2 the length of S2 according to the same rules that calculated LEN14413 14.Create H2 the SHA-1 of (RCw || ORDw || S2)4414 a. The TPM MAY use this calculation for execute transport authorization and transport4415 log out creation4416 15.Calculate the outgoing transport session authorization4417 a. Create the new transNonceEven for the output of the command4418 b. Set outParamDigest to SHA-1 (RCet || ORDet || TPM_STANY_DATA -> currentTicks4419 -> currentTicks || locality || wrappedRspSize || H2)4420 c. Calculate transAuth, the HMAC of (outParamDigest || transNonceEven ||4421 transNonceOdd || continueTransSession) using T1 -> authData as the HMAC key4422 16.If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_LOG set then4423 a. Create L3 a TPM_TRANSPORT_LOG_OUT structure4424 b. Set L3 -> parameters to H24425 c. Set L3 -> currentTicks to TPM_STANY_DATA -> currentTicks4426 d. Set L3 -> locality to TPM_STANY_DATA -> localityModifier4427 e. Set T1 -> transDigest to the SHA-1 (T1 -> transDigest || L3)4428 17.If T1 -> transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT set then4429 a. If T1 -> transPublic -> AlgId is TPM_ALG_MGF14430 i. Using the MGF1 function, create string G2 of length LEN2. The inputs to the4431 MGF1 are transNonceEven, transNonceOdd, "out", and T1 -> authData. These4432 four values concatenated together form the Z value that is the seed for the MGF1.4433 ii. Create E2 by performing an XOR of G2 and C2 starting at S2.4434 b. Else4435 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 241 TCG Published i. Create IV2 using the same algorithm as IV1 with the input values4436 transNonceEven, transNonceOdd, and "out". Note that any terminating4437 characters within the string "out" are ignored, so a total of 43 bytes are hashed.4438 ii. Create E2 by encrypting C2 starting at S2 using IV24439 18.Else4440 a. Set E2 to the DATAw area S2 of wrappedRsp4441 19.If continueTransSession is FALSE4442 a. Invalidate all session data related to transHandle4443 20.If TPM_ExecuteTranport requires auditing4444 a. Create TPM_AUDIT_EVENT_OUT using H2 for the parameters and update the4445 auditDigest4446 b. On any errors return TPM_AUDITFAIL_SUCCESSFUL or4447 TPM_AUDITFAIL_UNSUCCESSFUL depending on RCw4448 21.Return C2 but with S2 replaced by E2 in the wrappedRsp parameter4449 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 242 Level 2 Revision 94 29 March 2006 Draft TCG Published 24.3 TPM_ReleaseTransportSigned4450 Start of informative comment:4451 This command completes the transport session. If logging for this session is turned on, then4452 this command returns a hash of all operations performed during the session along with a4453 digital signature of the hash.4454 This command serves no purpose if logging is turned off, and results in an error if4455 attempted.4456 This command uses two authorization sessions, the key that will sign the log and the4457 authorization from the session. Having the session authorization proves that the requestor4458 that is signing the log is the owner of the session. If this restriction is not put in then an4459 attacker can close the log and sign using their own key.4460 The hash of the session log includes the information associated with the input phase of4461 execution of the TPM_ReleaseTransportSigned command. It cannot include the output4462 phase information.4463 End of informative comment.4464 Incoming Parameters and Sizes4465 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReleaseTransportSigned 4 4 TPM_KEY_HANDLE key Handle Handle of a loaded key that will perform the signing 5 20 2S 20 TPM_NONCE antiReplay Value provided by caller for anti-replay protection 6 4 TPM_AUTHHANDLE authHandle The authorization session to use key 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 7 20 3H1 20 TPM_NONCE authNonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 9 20 TPM_AUTHDATA keyAuth Theauthorization session digest that authorizes the use of key. HMAC key: key -> usageAuth 10 4 TPM_TRANSHANDLE transHandle The transport session handle 2H2 20 TPM_NONCE transLastNonceEven Even nonce in use by execute Transport 11 20 3H2 20 TPM_NONCE transNonceOdd Nonce supplied by caller for transport session 12 1 4H2 1 BOOL continueTrans Session The continue use flag for the authorization session handle 13 20 TPM_AUTHDATA transAuth HMAC for transport session key: transHandle -> authData TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 243 TCG Published Outgoing Parameters and Sizes4466 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH2_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReleaseTransportSigned 4 4 3S 4 TPM_MODIFIER_INDICATOR locality The locality that called this command 5 32 4S 32 TPM_CURRENT_TICKS currentTicks The current ticks when the command executed 6 4 5S 4 UINT32 signSize The size of the signature area 7 <> 6S <> BYTE[] signature The signature of the digest 8 20 2H1 20 TPM_NONCE authNonceEven Even nonce newly generated by TPM 3H1 20 TPM_NONCE authNonceOdd Nonce generated by caller 9 1 4H1 1 BOOL continueAuthSession The continue use flag for the session 10 20 TPM_AUTHDATA keyAuth HMAC: key -> usageAuth 11 20 2H2 20 TPM_NONCE transNonceEven Even nonce newly generated by TPM 3H2 20 TPM_NONCE transNonceOdd Nonce generated by caller 12 1 4H2 1 BOOL continueTransSession The continue use flag for the session 13 20 TPM_AUTHDATA transAuth HMAC: transHandle -> authData Description4467 This command releases a transport session and signs the transport log4468 Actions4469 1. Using transHandle locate the TPM_TRANSPORT_INTERNAL structure T14470 2. Return TPM_INAPPROPRIATE_SIG if the key -> sigScheme is not SHA-14471 3. Using key -> authData validate the command and parameters, on error return4472 TPM_AUTHFAIL4473 4. Using transHandle -> authData validate the command and parameters, on error return4474 TPM_AUTH2FAIL4475 5. If T1 -> transAttributes has TPM_TRANSPORT_LOG set then4476 a. Create A1 a TPM_TRANSPORT_LOG_OUT structure4477 b. Set A1 ­> parameters to the SHA-1 (ordinal || antiReplay)4478 c. Set A1 -> currentTicks to TPM_STANY_DATA -> currentTicks4479 d. Set A1 -> locality to the locality modifier for this command4480 e. Set T1 -> transDigest to SHA-1 (T1 -> transDigest || A1)4481 6. Else4482 a. Return TPM_BAD_MODE4483 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 244 Level 2 Revision 94 29 March 2006 Draft TCG Published 7. Create H1 a TPM_SIGN_INFO structure and set the structure defaults4484 a. Set H1 -> fixed to "TRAN"4485 b. Set H1 -> replay to antiReplay4486 c. Set H1 -> data to T1 -> transDigest4487 d. Sign SHA-1 hash of H1 using the key pointed to by key4488 8. Invalidate all session data related to T14489 9. Set continueTransSession to FALSE4490 10.Return TPM_SUCCESS4491 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 245 TCG Published 25. Monotonic Counter4492 25.1 TPM_CreateCounter4493 Start of informative comment:4494 This command creates the counter but does not select the counter. Counter creation4495 assigns an AuthData value to the counter and sets the counters original start value. The4496 original start value is the current internal base value plus one. Setting the new counter to4497 the internal base avoids attacks on the system that are attempting to use old counter4498 values.4499 End of informative comment.4500 Incoming Parameters and Sizes4501 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes incl. paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CreateCounter 4 20 2S 20 TPM_ENCAUTH encAuth The encrypted auth data for the new counter 5 4 3s 4 BYTE label Label to associate with counter 7 4 TPM_AUTHHANDLE authHandle The authorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession Ignored 10 20 20 TPM_AUTHDATA ownerAuth Authorization ow nerAuth. Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 246 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Parameters and Sizes4502 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CreateCounter 4 4 3s 4 TPM_COUNT_ID countID The handle for the counter 5 10 4S 10 TPM_COUNTER_VALUE counterValue The starting counter value 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Fixed value of FALSE 8 20 20 TPM_AUTHDATA resAuth Authorization. HMAC key: ownerAuth. Description4503 This command creates a new monotonic counter. The TPM MUST support a minimum of 44504 concurrent counters.4505 Actions4506 The TPM SHALL do the following:4507 1. Using the authHandle field, validate the owner's AuthData to execute the command and4508 all of the incoming parameters. The authorization session MUST be OSAP or DSAP4509 2. Ignore continueAuthSession on input and set continueAuthSession to FALSE on output4510 3. If authHandle indicates XOR encryption for the AuthData secrets4511 a. Create X1 the SHA-1 of the concatenation of (authHandle -> sharedSecret ||4512 authLastNonceEven)4513 b. Create a1 by XOR X1 and encAuth4514 4. Else4515 a. Create a1 by decrypting encAuth using the algorithm indicated in the OSAP session4516 b. Key is from authHandle -> sharedSecret4517 c. IV is SHA-1 of (authLastNonceEven || nonceOdd)4518 5. Validate that there is sufficient internal space in the TPM to create a new counter. If4519 there is insufficient space, the command returns an error.4520 a. The TPM MUST provide storage for a1, TPM_COUNTER_VALUE, countID, and any4521 other internal data the TPM needs to associate with the counter4522 6. Increment the max counter value4523 7. Set the counter to the max counter value4524 8. Set the counter label to label4525 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 247 TCG Published 9. Create a countID4526 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 248 Level 2 Revision 94 29 March 2006 Draft TCG Published 25.2 TPM_IncrementCounter4527 Start of informative comment:4528 This authorized command increments the indicated counter by one. Once a counter has4529 been incremented then all subsequent increments must be for the same handle until a4530 successful TPM_Startup(ST_CLEAR) is executed.4531 The order for checking validation of the command parameters when no counter is active,4532 keeps an attacker from creating a denial-of-service attack.4533 End of informative comment.4534 Incoming Parameters and Sizes4535 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_IncrementCounter 4 4 2s 4 TPM_COUNT_ID countID The handle of a valid counter 5 4 TPM_AUTHHANDLE authHandle The authorization session handle used for counter authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 6 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 8 20 TPM_AUTHDATA counterAuth The authorization session digest that authorizes the use of countID. HMAC key: countID -> authData Outgoing Parameters and Sizes4536 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_IncrementCounter 5 10 3S 10 TPM_COUNTER_VALUE count The counter value 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 TPM_AUTHDATA resAuth The authorization session digest for the returned parameters. HMAC key: countID -> authData Description4537 This function increments the counter by 1.4538 The TPM MAY implement increment throttling to avoid burn problems4539 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 249 TCG Published Actions4540 1. If TPM_STCLEAR_DATA -> countID is NULL4541 a. Validate that countID is a valid counter, return TPM_BAD_COUNTER on mismatch4542 b. Validate the command parameters using counterAuth4543 c. Set TPM_STCLEAR_DATA -> countID to countID4544 2. else4545 a. If TPM_STCLEAR_DATA -> countID does not equal countID4546 i. Return TPM_BAD_COUNTER4547 b. Validate the command parameters using counterAuth4548 3. Increments the counter by 14549 4. Return new count value in count4550 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 250 Level 2 Revision 94 29 March 2006 Draft TCG Published 25.3 TPM_ReadCounter4551 Start of informative comment:4552 Reading the counter provides the caller with the current number in the sequence.4553 End of informative comment.4554 Incoming Parameters and Sizes4555 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes incl. paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReadCounter 4 4 2S 4 TPM_COUNT_ID countID ID value of the counter Outgoing Parameters and Sizes4556 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReadCounter 4 10 3S 4 TPM_COUNTER_VALUE count The counter value Description4557 This returns the current value for the counter indicated. The counter MAY be any valid4558 counter.4559 Actions4560 1. Validate that countID points to a valid counter. Return TPM_BAD_COUNTER on error.4561 2. Return count4562 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 251 TCG Published 25.4 TPM_ReleaseCounter4563 Start of informative comment:4564 This command releases a counter such that no reads or increments of the indicated counter4565 will succeed.4566 End of informative comment.4567 Incoming Parameters and Sizes4568 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReleaseCounter 4 4 2s 4 TPM_COUNT_ID countID ID value of the counter 5 4 TPM_AUTHHANDLE authHandle The authorization session handle used for countID authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 6 20 3H1 20 TPM_NONCE nonceOdd Nonce associated with countID 7 1 4H1 1 BOOL continueAuthSession Ignored 8 20 TPM_AUTHDATA counterAuth The authorization session digest that authorizes the use of countID. HMAC key: countID -> authData Outgoing Parameters and Sizes4569 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReleaseCounter 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth The authorization session digest for the returned parameters. HMAC key: countID -> authData Actions4570 The TPM uses countID to locate a valid counter.4571 1. Authenticate the command and the parameters using the AuthData pointed to by4572 countID. Return TPM_AUTHFAIL on error4573 2. The TPM invalidates all internal information regarding the counter. This includes4574 releasing countID such that any subsequent attempts to use countID will fail.4575 3. The TPM invalidates sessions4576 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 252 Level 2 Revision 94 29 March 2006 Draft TCG Published a. MUST invalidate all OSAP sessions associated with the counter4577 b. MAY invalidate any other session4578 4. If TPM_STCLEAR_DATA -> countID equals countID,4579 a. Set TPM_STCLEAR_DATA -> countID to an illegal value (not the NULL value)4580 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 253 TCG Published 25.5 TPM_ReleaseCounterOwner4581 Start of informative comment:4582 This command releases a counter such that no reads or increments of the indicated counter4583 will succeed.4584 End of informative comment.4585 Incoming Parameters and Sizes4586 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReleaseCounterOwner 4 4 2s 4 TPM_COUNT_ID countID ID value of the counter 5 4 TPM_AUTHHANDLE authHandle The authorization session handle used for owner authentication 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 6 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 8 20 TPM_AUTHDATA ownerAuth Theauthorization session digest that authorizes the inputs. HMAC key: ownerAuth Outgoing Parameters and Sizes4587 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ReleaseCounterOwner 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth The authorization session digest for the returned parameters. HMAC key: ownerAuth Description4588 This invalidates all information regarding a counter.4589 Actions4590 1. Validate that ownerAuth properly authorizes the command and parameters4591 2. The TPM uses countID to locate a valid counter. Return TPM_BAD_COUNTER if not4592 found.4593 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 254 Level 2 Revision 94 29 March 2006 Draft TCG Published 3. The TPM invalidates all internal information regarding the counter. This includes4594 releasing countID such that any subsequent attempts to use countID will fail.4595 4. The TPM invalidates sessions4596 a. MUST invalidate all OSAP sessions associated with the counter4597 b. MAY invalidate any other session4598 5. If TPM_STCLEAR_DATA -> countID equals countID,4599 a. Set TPM_STCLEAR_DATA -> countID to an illegal value (not the NULL value)4600 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 255 TCG Published 26. DAA commands4601 26.1 TPM_DAA_Join4602 Start of informative comment:4603 TPM_DAA_Join is the process that establishes the DAA parameters in the TPM for a specific4604 DAA issuing authority.4605 End of informative comment.4606 Incoming Parameters and Sizes4607 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes incl. paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DAA_Join. 4 4 TPM_HANDLE handle Session handle 5 1 2S 1 BYTE stage Processing stage of join 6 4 3S 4 UINT32 inputSize0 Size of inputData0 for this stage of JOIN 7 <> 4S <> BYTE[] inputData0 Data to be used by this capability 8 4 5S 4 UINT32 inputSize1 Size of inputData1 for this stage of JOIN 9 <> 6S <> BYTE[] inputData1 Data to be used by this capability 10 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication 2 H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 11 20 3 H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 12 1 4 H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 13 20 20 TPM_AUTHDATA ownerAuth Theauthorization session digest for inputs and owner. HMAC key: ownerAuth. Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 256 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Operands and Sizes4608 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes incl. paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DAA_Join. 4 4 3S 4 UINT32 outputSize Size of outputData 5 <> 4S <> BYTE[] outputData Data produced by this capability 6 20 2 H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3 H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4 H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 20 TPM_AUTHDATA resAuth Authorization HMAC key: ownerAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 257 TCG Published Description4609 This table summaries the input, output and saved data that is associated with each stage of4610 processing.4611 Stage Input Data0 Input Data1 Operation Output Data Scratchpad 0 DAA_count (used as # repetitions of stage 1) NULL initialise Session Handle NULL 1 n0 signatureValue rekeying NULL n0 2 DAA_issuerSettings signatureValue issuer settings NULL NULL 3 DAA_count NULL DAA_join_uo, DAA_join_u1 NULL NULL 4 DAA_generic_R0 DAA_generic_n P1=R0^f0 mod n NULL P1 5 DAA_generic_R1 DAA_generic_n P2 = P1*(R1^f1) mod n NULL P2 6 DAA_generic_S0 DAA_generic_n P3 = P2*(S0^u0) mod n NULL P3 7 DAA_generic_S1 DAA_generic_n U = P3*(S1^u1) mod n U NULL 8 NE NULL U2 U2 NULL 9 DAA_generic_R0 DAA_generic_n P1=R0^r0 mod n NULL P1 10 DAA_generic_R1 DAA_generic_n P2 = P1*(R1^r1) mod n NULL P2 11 DAA_generic_S0 DAA_generic_n P3 = P2*(S0^r2) mod n NULL P3 12 DAA_generic_S1 DAA_generic_n P4 = P3*(S1^r3) mod n P4 NULL 13 DAA_generic_gamma w w1 = w^q mod gamma NULL w 14 DAA_generic_gamma NULL E = w^f mod gamma E w 15 DAA_generic_gamma NULL r = r0 + (2^power0)*r1 mod q, E1 = w^r mod gamma E1 NULL 16 c1 NULL c = hash(c1 || NT) nt NULL 17 NULL NULL s0 = r0 + c*f0 s0 NULL 18 NULL NULL s1 = r1 + c*f1 s1 NULL 19 NULL NULL s2 = r2 + c*u0 mod 2^power1 s2 NULL 20 NULL NULL s12 = r2 + c*u0 >> power1 c s12 21 NULL NULL s3 = r3 + c*u1 + s12 s3 NULL 22 u2 NULL v0 = u2 + u0 mod 2^power1 v10 = u2 + u0 >> power1 enc(v0) v10 23 u3 NULL V1 = u3 + u1 + v10 enc(v1) NULL 24 NULL NULL enc(DAA_tpmSpecific) enc(DAA_tpmSpecific) NULL 4612 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 258 Level 2 Revision 94 29 March 2006 Draft TCG Published Actions4613 A Trusted Platform Module that receives a valid TPM_DAA_Join command SHALL:4614 1. Use ownerAuth to verify that the Owner authorized all TPM_DAA_Join input parameters.4615 2. Any error return results in the TPM invalidating all resources associated with the join4616 3. Constant values of 0 or 1 are 1 byte integers, stages affected are4617 a. 4(j), 5(j), 14(f), 17(e)4618 4. Representation of the strings "r0" to "r4" are 2-byte ASCII encodings, stages affected are4619 a. 9(i), 10(h), 11(h), 12(h), 15(f),15(g), 17(d), 18(d), 19(d), 20(d), 21(d)4620 Stages4621 0. If stage==04622 a. Determine that sufficient resources are available to perform a TPM_DAA_Join.4623 i. The TPM MUST support sufficient resources to perform one (1) TPM_DAA_Join/4624 TPM_DAA_Sign. The TPM MAY support additional TPM_DAA_Join/4625 TPM_DAA_Sign sessions.4626 ii. The TPM may share internal resources between the DAA operations and other4627 variable resource requirements:4628 iii. If there are insufficient resources within the stored key pool (and one or more4629 keys need to be removed to permit the DAA operation to execute) return4630 TPM_NOSPACE4631 iv. If there are insufficient resources within the stored session pool (and one or4632 more authorization or transport sessions need to be removed to permit the4633 DAA operation to execute), return TPM_RESOURCES.4634 b. Set all fields in DAA_issuerSettings = NULL4635 c. set all fields in DAA_tpmSpecific = NULL4636 d. set all fields in DAA_session = NULL4637 e. Set all fields in DAA_JoinSession = NULL4638 f. Verify that sizeOf(inputData0) == sizeOf(DAA_tpmSpecific -> DAA_count) and return4639 error TPM_DAA_INPUT_DATA0 on mismatch4640 g. Verify that inputData0 > 0, and return error TPM_DAA_INPUT_DATA0 on mismatch4641 h. Set DAA_tpmSpecific -> DAA_count = inputData04642 i. set DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific ||4643 DAA_joinSession))4644 j. set DAA_session -> DAA_stage = 14645 k. Assign session handle for TPM_DAA_Join4646 l. set outputData = new session handle4647 m. return TPM_SUCCESS4648 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 259 TCG Published 1. If stage==14649 a. Verify that DAA_session ->DAA_stage==1. Return TPM_DAA_STAGE and flush handle4650 on mismatch4651 b. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4652 DAA_joinSession) and return TPM_DAA_TPM_SETTINGS on mismatch4653 c. Verify that sizeOf(inputData0) == DAA_SIZE_issuerModulus and return error4654 TPM_DAA_INPUT_DATA0 on mismatch4655 d. If DAA_session -> DAA_scratch == NULL:4656 i. Set DAA_session -> DAA_scratch = inputData04657 ii. set DAA_joinSession -> DAA_digest_n0 = SHA1(DAA_session -> DAA_scratch)4658 iii. set DAA_tpmSpecific -> DAA_rekey = SHA1(TPM_DAA_TPM_SEED ||4659 DAA_joinSession -> DAA_digest_n0)4660 e. Else (If DAA_session -> DAA_scratch != NULL):4661 i. Set signedData = inputData04662 ii. Verify that sizeOf(inputData1) == DAA_SIZE_issuerModulus and return error4663 TPM_DAA_INPUT_DATA1 on mismatch4664 iii. Set signatureValue = inputData14665 iv. Use the RSA key == [DAA_session -> DAA_scratch] to verify that signatureValue is4666 a signature on signedData, and return error TPM_DAA_ISSUER_VALIDITY on4667 mismatch4668 v. Set DAA_session -> DAA_scratch = signedData4669 f. Decrement DAA_tpmSpecific -> DAA_count by 1 (unity)4670 g. If DAA_tpmSpecific -> DAA_count ==0:4671 h. increment DAA_Session -> DAA_Stage by 14672 i. set DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific ||4673 DAA_joinSession)4674 j. set outputData = NULL4675 k. return TPM_SUCCESS4676 2. If stage==24677 a. Verify that DAA_session ->DAA_stage==2. Return TPM_DAA_STAGE and flush handle4678 on mismatch4679 b. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4680 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4681 c. Verify that sizeOf(inputData0) == sizeOf(TPM_DAA_ISSUER) and return error4682 TPM_DAA_INPUT_DATA0 on mismatch4683 d. Set DAA_issuerSettings = inputData0. Verify that all fields in DAA_issuerSettings are4684 present and return error TPM_DAA_INPUT_DATA0 if not.4685 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 260 Level 2 Revision 94 29 March 2006 Draft TCG Published e. Verify that sizeOf(inputData1) == DAA_SIZE_issuerModulus and return error4686 TPM_DAA_INPUT_DATA1 on mismatch4687 f. Set signatureValue = inputData14688 g. Set signedData = (DAA_joinSession -> DAA_digest_n0 ||DAA_issuerSettings)4689 h. Use the RSA key [DAA_session -> DAA_scratch] to verify that signatureValue is a4690 signature on signedData, and return error TPM_DAA_ISSUER_VALIDITY on mismatch4691 i. Set DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings)4692 j. set DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific ||4693 DAA_joinSession)4694 k. Set DAA_session -> DAA_scratch = NULL4695 l. increment DAA_session -> DAA_stage by 14696 m. return TPM_SUCCESS4697 3. If stage==34698 a. Verify that DAA_session ->DAA_stage==3. Return TPM_DAA_STAGE and flush handle4699 on mismatch4700 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4701 return error TPM_DAA_ISSUER_SETTINGS on mismatch4702 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4703 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4704 d. Verify that sizeOf(inputData0) == sizeOf(DAA_tpmSpecific -> DAA_count) and return4705 error TPM_DAA_INPUT_DATA0 on mismatch4706 e. Set DAA_tpmSpecific -> DAA_count = inputData04707 f. obtain random data from the RNG and store it as DAA_joinSession -> DAA_join_u04708 g. obtain random data from the RNG and store it as DAA_joinSession -> DAA_join_u14709 h. set outputData = NULL4710 i. increment DAA_session -> DAA_stage by 14711 j. set DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific ||4712 DAA_joinSession)4713 k. return TPM_SUCCESS4714 4. If stage==4,4715 a. Verify that DAA_session ->DAA_stage==4. Return TPM_DAA_STAGE and flush handle4716 on mismatch4717 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4718 return error TPM_DAA_ISSUER_SETTINGS on mismatch4719 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4720 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4721 d. Set DAA_generic_R0 = inputData04722 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 261 TCG Published e. Verify that SHA-1(DAA_generic_R0) == DAA_issuerSettings -> DAA_digest_R0 and4723 return error TPM_DAA_INPUT_DATA0 on mismatch4724 f. Set DAA_generic_n = inputData14725 g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and4726 return error TPM_DAA_INPUT_DATA1on mismatch4727 h. Set X = DAA_generic_R04728 i. Set n = DAA_generic_n4729 j. Set f = SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 04730 ) || SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) mod4731 DAA_issuerSettings -> DAA_generic_q4732 k. Set f0 = f mod 2^DAA_power0 (erase all but the lowest DAA_power0 bits of f)4733 l. Set DAA_session -> DAA_scratch = (X^f0) mod n4734 m. set outputData = NULL4735 n. increment DAA_session -> DAA_stage by 14736 o. return TPM_SUCCESS4737 5. If stage==54738 a. Verify that DAA_session ->DAA_stage==5. Return TPM_DAA_STAGE and flush handle4739 on mismatch4740 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4741 return error TPM_DAA_ISSUER_SETTINGS on mismatch4742 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4743 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4744 d. Set DAA_generic_R1 = inputData04745 e. Verify that SHA-1(DAA_generic_R1) == DAA_issuerSettings -> DAA_digest_R1 and4746 return error TPM_DAA_INPUT_DATA0on mismatch4747 f. Set DAA_generic_n = inputData14748 g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and4749 return error TPM_DAA_INPUT_DATA1on mismatch4750 h. Set X = DAA_generic_R14751 i. Set n = DAA_generic_n4752 j. Set f = SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 04753 ) || SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) mod4754 DAA_issuerSettings -> DAA_generic_q.4755 k. Shift f right by DAA_power0 bits (discard the lowest DAA_power0 bits) and label the4756 result f14757 l. Set Z = DAA_session -> DAA_scratch4758 m. Set DAA_session -> DAA_scratch = Z*(X^f1) mod n4759 n. set outputData = NULL4760 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 262 Level 2 Revision 94 29 March 2006 Draft TCG Published o. increment DAA_session -> DAA_stage by 14761 p. return TPM_SUCCESS4762 6. If stage==64763 a. Verify that DAA_session ->DAA_stage==6. Return TPM_DAA_STAGE and flush handle4764 on mismatch4765 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4766 return error TPM_DAA_ISSUER_SETTINGS on mismatch4767 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4768 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4769 d. Set DAA_generic_S0 = inputData04770 e. Verify that SHA-1(DAA_generic_S0) == DAA_issuerSettings -> DAA_digest_S0 and4771 return error TPM_DAA_INPUT_DATA0 on mismatch4772 f. Set DAA_generic_n = inputData14773 g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and4774 return error TPM_DAA_INPUT_DATA1on mismatch4775 h. Set X = DAA_generic_S04776 i. Set n = DAA_generic_n4777 j. Set Z = DAA_session -> DAA_scratch4778 k. Set Y = DAA_joinSession -> DAA_join_u04779 l. Set DAA_session -> DAA_scratch = Z*(X^Y) mod n4780 m. set outputData = NULL4781 n. increment DAA_session -> DAA_stage by 14782 o. return TPM_SUCCESS4783 7. If stage==74784 a. Verify that DAA_session ->DAA_stage==7. Return TPM_DAA_STAGE and flush handle4785 on mismatch4786 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4787 return error TPM_DAA_ISSUER_SETTINGS on mismatch4788 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4789 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4790 d. Set DAA_generic_S1 = inputData04791 e. Verify that SHA-1(DAA_generic_S1) == DAA_issuerSettings -> DAA_digest_S1 and4792 return error TPM_DAA_INPUT_DATA0 on mismatch4793 f. Set DAA_generic_n = inputData14794 g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and4795 return error TPM_DAA_INPUT_DATA1on mismatch4796 h. Set X = DAA_generic_S14797 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 263 TCG Published i. Set n = DAA_generic_n4798 j. Set Y = DAA_joinSession -> DAA_join_u14799 k. Set Z = DAA_session -> DAA_scratch4800 l. Set DAA_session -> DAA_scratch = Z*(X^Y) mod n4801 m. Set DAA_session -> DAA_digest to the SHA-1 (DAA_session -> DAA_scratch ||4802 DAA_tpmSpecific -> DAA_count || DAA_joinSession -> DAA_digest_n0)4803 n. set outputData = DAA_session -> DAA_scratch4804 o. set DAA_session -> DAA_scratch = NULL4805 p. increment DAA_session -> DAA_stage by 14806 q. return TPM_SUCCESS4807 8. If stage==84808 a. Verify that DAA_session ->DAA_stage==8. Return TPM_DAA_STAGE and flush handle4809 on mismatch4810 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4811 return error TPM_DAA_ISSUER_SETTINGS on mismatch4812 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4813 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4814 d. Verify inputSize0 == DAA_SIZE_NE and return error TPM_DAA_INPUT_DATA0 on4815 mismatch4816 e. Set NE = decrypt(inputData0, privEK)4817 f. set outputData = SHA-1(DAA_session -> DAA_digest || NE)4818 g. set DAA_session -> DAA_digest = NULL4819 h. increment DAA_session -> DAA_stage by 14820 i. return TPM_SUCCESS4821 9. If stage==94822 a. Verify that DAA_session ->DAA_stage==9. Return TPM_DAA_STAGE and flush handle4823 on mismatch4824 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4825 return error TPM_DAA_ISSUER_SETTINGS on mismatch4826 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4827 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4828 d. Set DAA_generic_R0 = inputData04829 e. Verify that SHA-1(DAA_generic_R0) == DAA_issuerSettings -> DAA_digest_R0 and4830 return error TPM_DAA_INPUT_DATA0 on mismatch4831 f. Set DAA_generic_n = inputData14832 g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and4833 return error TPM_DAA_INPUT_DATA1on mismatch4834 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 264 Level 2 Revision 94 29 March 2006 Draft TCG Published h. obtain random data from the RNG and store it as DAA_session -> DAA_contextSeed4835 i. obtain DAA_SIZE_r0 bits from MGF1("r0", DAA_session -> DAA_contextSeed), and4836 label them Y4837 j. Set X = DAA_generic_R04838 k. Set n = DAA_generic_n4839 l. Set DAA_session -> DAA_scratch = (X^Y) mod n4840 m. set outputData = NULL4841 n. increment DAA_session -> DAA_stage by 14842 o. return TPM_SUCCESS4843 10.If stage==104844 a. Verify that DAA_session ->DAA_stage==10. Return TPM_DAA_STAGE and flush4845 handle on mismatch h4846 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4847 return error TPM_DAA_ISSUER_SETTINGS on mismatch4848 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4849 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4850 d. Set DAA_generic_R1 = inputData04851 e. Verify that SHA-1(DAA_generic_R1) == DAA_issuerSettings -> DAA_digest_R1 and4852 return error TPM_DAA_INPUT_DATA0 on mismatch4853 f. Set DAA_generic_n = inputData14854 g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and4855 return error TPM_DAA_INPUT_DATA1on mismatch4856 h. obtain DAA_SIZE_r1 bits from MGF1("r1", DAA_session -> DAA_contextSeed), and4857 label them Y4858 i. Set X = DAA_generic_R14859 j. Set n = DAA_generic_n4860 k. Set Z = DAA_session -> DAA_scratch4861 l. Set DAA_session -> DAA_scratch = Z*(X^Y) mod n4862 m. set outputData = NULL4863 n. increment DAA_session -> DAA_stage by 14864 o. return TPM_SUCCESS4865 11.If stage==114866 a. Verify that DAA_session ->DAA_stage==11. Return TPM_DAA_STAGE and flush4867 handle on mismatch4868 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4869 return error TPM_DAA_ISSUER_SETTINGS on mismatch4870 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 265 TCG Published c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4871 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4872 d. Set DAA_generic_S0 = inputData04873 e. Verify that SHA-1(DAA_generic_S0) == DAA_issuerSettings -> DAA_digest_S0 and4874 return error TPM_DAA_INPUT_DATA0 on mismatch4875 f. Set DAA_generic_n = inputData14876 g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and4877 return error TPM_DAA_INPUT_DATA1 on mismatch4878 h. obtain DAA_SIZE_r2 bits from MGF1("r2", DAA_session -> DAA_contextSeed), and4879 label them Y4880 i. Set X = DAA_generic_S04881 j. Set n = DAA_generic_n4882 k. Set Z = DAA_session -> DAA_scratch4883 l. Set DAA_session -> DAA_scratch = Z*(X^Y) mod n4884 m. set outputData = NULL4885 n. increment DAA_session -> DAA_stage by 14886 o. return TPM_SUCCESS4887 12.If stage==124888 a. Verify that DAA_session ->DAA_stage==12. Return TPM_DAA_STAGE and flush4889 handle on mismatch4890 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings ) and4891 return error TPM_DAA_ISSUER_SETTINGS on mismatch4892 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4893 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4894 d. Set DAA_generic_S1 = inputData04895 e. Verify that SHA-1(DAA_generic_S1) == DAA_issuerSettings -> DAA_digest_S1 and4896 return error TPM_DAA_INPUT_DATA0 on mismatch4897 f. Set DAA_generic_n = inputData14898 g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and4899 return error TPM_DAA_INPUT_DATA1 on mismatch4900 h. obtain DAA_SIZE_r3 bits from MGF1("r3", DAA_session -> DAA_contextSeed), and4901 label them Y4902 i. Set X = DAA_generic_S14903 j. Set n = DAA_generic_n4904 k. Set Z = DAA_session -> DAA_scratch4905 l. Set DAA_session -> DAA_scratch = Z*(X^Y) mod n4906 m. set outputData = DAA_session -> DAA_scratch4907 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 266 Level 2 Revision 94 29 March 2006 Draft TCG Published n. Set DAA_session -> DAA_scratch = NULL4908 o. increment DAA_session -> DAA_stage by 14909 p. return TPM_SUCCESS4910 13.If stage==134911 a. Verify that DAA_session->DAA_stage==13. Return TPM_DAA_STAGE and flush4912 handle on mismatch4913 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4914 return error TPM_DAA_ISSUER_SETTINGS on mismatch4915 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4916 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4917 d. Set DAA_generic_gamma = inputData04918 e. Verify that SHA-1(DAA_generic_gamma) == DAA_issuerSettings ->4919 DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch4920 f. Verify that inputSize1 == DAA_SIZE_w and return error TPM_DAA_INPUT_DATA1 on4921 mismatch4922 g. Set w = inputData14923 h. Set w1 = w^( DAA_issuerSettings -> DAA_generic_q) mod (DAA_generic_gamma)4924 i. If w1 != 1 (unity), return error TPM_DAA_WRONG_W4925 j. Set DAA_session -> DAA_scratch = w4926 k. set outputData = NULL4927 l. increment DAA_session -> DAA_stage by 14928 m. return TPM_SUCCESS.4929 14.If stage==144930 a. Verify that DAA_session ->DAA_stage==14. Return TPM_DAA_STAGE and flush4931 handle on mismatch4932 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings ) and4933 return error TPM_DAA_ISSUER_SETTINGS on mismatch4934 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4935 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4936 d. Set DAA_generic_gamma = inputData04937 e. Verify that SHA-1(DAA_generic_gamma) == DAA_issuerSettings ->4938 DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch4939 f. Set f = SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 04940 ) || SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) mod4941 DAA_issuerSettings -> DAA_generic_q.4942 g. Set E = ((DAA_session -> DAA_scratch)^f) mod (DAA_generic_gamma).4943 h. Set outputData = E4944 i. increment DAA_session -> DAA_stage by 14945 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 267 TCG Published j. return TPM_SUCCESS.4946 15.If stage==154947 a. Verify that DAA_session ->DAA_stage==15. Return TPM_DAA_STAGE and flush4948 handle on mismatch4949 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4950 return error TPM_DAA_ISSUER_SETTINGS on mismatch4951 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4952 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4953 d. Set DAA_generic_gamma = inputData04954 e. Verify that SHA-1(DAA_generic_gamma) == DAA_issuerSettings ->4955 DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch4956 f. obtain DAA_SIZE_r0 bits from MGF1("r0", DAA_session -> DAA_contextSeed), and4957 label them r04958 g. obtain DAA_SIZE_r1 bits from MGF1("r1", DAA_session -> DAA_contextSeed), and4959 label them r14960 h. set r = r0 + 2^DAA_power0 * r1 mod (DAA_issuerSettings -> DAA_generic_q).4961 i. set E1 = ((DAA_session -> DAA_scratch)^r) mod (DAA_generic_gamma).4962 j. Set DAA_session -> DAA_scratch = NULL4963 k. Set outputData = E14964 l. increment DAA_session -> DAA_stage by 14965 m. return TPM_SUCCESS.4966 16.If stage==164967 a. Verify that DAA_session ->DAA_stage==16. Return TPM_DAA_STAGE and flush4968 handle on mismatch4969 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4970 return error TPM_DAA_ISSUER_SETTINGS on mismatch4971 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4972 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4973 d. Verify that inputSize0 == sizeOf(TPM_DIGEST) and return error4974 TPM_DAA_INPUT_DATA0 on mismatch4975 e. Set DAA_session -> DAA_digest = inputData04976 f. obtain DAA_SIZE_NT bits from the RNG and label them NT4977 g. Set DAA_session -> DAA_digest to the SHA-1 ( DAA_session -> DAA_digest || NT )4978 h. Set outputData = NT4979 i. increment DAA_session -> DAA_stage by 14980 j. return TPM_SUCCESS.4981 17.If stage==174982 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 268 Level 2 Revision 94 29 March 2006 Draft TCG Published a. Verify that DAA_session ->DAA_stage==17. Return TPM_DAA_STAGE and flush4983 handle on mismatch4984 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and4985 return error TPM_DAA_ISSUER_SETTINGS on mismatch4986 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||4987 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch4988 d. obtain DAA_SIZE_r0 bits from MGF1("r0", DAA_session -> DAA_contextSeed), and4989 label them r04990 e. Set f = SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 04991 ) || SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) mod4992 DAA_issuerSettings -> DAA_generic_q.4993 f. Set f0 = f mod 2^DAA_power0 (erase all but the lowest DAA_power0 bits of f)4994 g. Set s0 = r0 + (DAA_session -> DAA_digest) * f0 in Z4995 h. set outputData = s04996 i. increment DAA_session -> DAA_stage by 14997 j. return TPM_SUCCESS4998 18.If stage==184999 a. Verify that DAA_session ->DAA_stage==18. Return TPM_DAA_STAGE and flush5000 handle on mismatch5001 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5002 return error TPM_DAA_ISSUER_SETTINGS on mismatch5003 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||5004 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch5005 d. obtain DAA_SIZE_r1 bits from MGF1("r1", DAA_session -> DAA_contextSeed), and5006 label them r15007 e. Set f = SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 05008 ) || SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) mod5009 DAA_issuerSettings -> DAA_generic_q.5010 f. Shift f right by DAA_power0 bits (discard the lowest DAA_power0 bits) and label the5011 result f15012 g. Set s1 = r1 + (DAA_session -> DAA_digest)* f1 in Z5013 h. set outputData = s15014 i. increment DAA_session -> DAA_stage by 15015 j. return TPM_SUCCESS5016 19.If stage==195017 a. Verify that DAA_session ->DAA_stage==19. Return TPM_DAA_STAGE and flush5018 handle on mismatch5019 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5020 return error TPM_DAA_ISSUER_SETTINGS on mismatch5021 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 269 TCG Published c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||5022 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch5023 d. obtain DAA_SIZE_r2 bits from MGF1("r2", DAA_session -> DAA_contextSeed), and5024 label them r25025 e. Set s2 = r2 + (DAA_session -> DAA_digest)*( DAA_joinSession -> DAA_join_u0) mod5026 2^DAA_power1 (Erase all but the lowest DAA_power1 bits of s2)5027 f. Set DAA_session -> DAA_scratch = s25028 g. set outputData = s25029 h. increment DAA_session -> DAA_stage by 15030 i. return TPM_SUCCESS5031 20.If stage==205032 a. Verify that DAA_session ->DAA_stage==20. Return TPM_DAA_STAGE and flush5033 handle on mismatch5034 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5035 return error TPM_DAA_ISSUER_SETTINGS on mismatch5036 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||5037 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch5038 d. obtain DAA_SIZE_r2 bits from MGF1("r2", DAA_session -> DAA_contextSeed), and5039 label them r25040 e. Set s12 = r2 + (DAA_session -> DAA_digest)*( DAA_joinSession -> DAA_join_u0)5041 f. Shift s12 right by DAA_power1 bit (discard the lowest DAA_power1 bits).5042 g. Set DAA_session -> DAA_scratch = s125043 h. Set outputData = DAA_session -> DAA_digest5044 i. increment DAA_session -> DAA_stage by 15045 j. return TPM_SUCCESS5046 21.If stage==215047 a. Verify that DAA_session ->DAA_stage==21. Return TPM_DAA_STAGE and flush5048 handle on mismatch5049 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5050 return error TPM_DAA_ISSUER_SETTINGS on mismatch5051 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||5052 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch5053 d. obtain DAA_SIZE_r3 bits from MGF1("r3", DAA_session -> DAA_contextSeed), and5054 label them r35055 e. Set s3 = r3 + (DAA_session -> DAA_digest)*( DAA_joinSession -> DAA_join_u1) +5056 (DAA_session -> DAA_scratch).5057 f. Set DAA_session -> DAA_scratch = NULL5058 g. set outputData = s35059 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 270 Level 2 Revision 94 29 March 2006 Draft TCG Published h. increment DAA_session -> DAA_stage by 15060 i. return TPM_SUCCESS5061 22.If stage==225062 a. Verify that DAA_session ->DAA_stage==22. Return TPM_DAA_STAGE and flush5063 handle on mismatch5064 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5065 return error TPM_DAA_ISSUER_SETTINGS on mismatch5066 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||5067 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch5068 d. Verify inputSize0 == DAA_SIZE_v0 and return error TPM_DAA_INPUT_DATA0 on5069 mismatch5070 e. Set u2 = inputData05071 f. Set v0 = u2 + (DAA_joinSession -> DAA_join_u0) mod 2^DAA_power1 (Erase all but5072 the lowest DAA_power1 bits of v0).5073 g. Set DAA_tpmSpecific -> DAA_digest_v0 = SHA-1(v0)5074 h. Set v10 = u2 + (DAA_joinSession -> DAA_join_u0) in Z5075 i. Shift v10 right by DAA_power1 bits (erase the lowest DAA_power1 bits).5076 j. Set DAA_session ->DAA_scratch = v105077 k. Set outputData5078 i. Fill in TPM_DAA_BLOB with a type of TPM_RT_DAA_V0 and encrypt the v05079 parameters5080 ii. set outputData to the encrypted TPM_DAA_BLOB5081 l. increment DAA_session -> DAA_stage by 15082 m. set DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific ||5083 DAA_joinSession)5084 n. return TPM_SUCCESS5085 23.If stage==235086 a. Verify that DAA_session ->DAA_stage==23. Return TPM_DAA_STAGE and flush5087 handle on mismatch5088 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5089 return error TPM_DAA_ISSUER_SETTINGS on mismatch5090 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||5091 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch5092 d. Verify inputSize0 == DAA_SIZE_v1 and return error TPM_DAA_INPUT_DATA0 on5093 mismatch5094 e. Set u3 = inputData05095 f. Set v1 = u3 + DAA_joinSession -> DAA_join_u1 + DAA_session ->DAA_scratch5096 g. Set DAA_tpmSpecific -> DAA_digest_v1 = SHA-1(v1)5097 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 271 TCG Published h. Set outputData5098 i. Fill in TPM_DAA_BLOB with a type of TPM_RT_DAA_V1 and encrypt the v15099 parameters5100 ii. set outputData to the encrypted TPM_DAA_BLOB5101 i. Set DAA_session ->DAA_scratch = NULL5102 j. increment DAA_session -> DAA_stage by 15103 k. set DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific ||5104 DAA_joinSession)5105 l. return TPM_SUCCESS5106 24.If stage==245107 a. Verify that DAA_session ->DAA_stage==24. Return TPM_DAA_STAGE and flush5108 handle on mismatch5109 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5110 return error TPM_DAA_ISSUER_SETTINGS on mismatch5111 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific ||5112 DAA_joinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch5113 d. set outputData = enc(DAA_tpmSpecific)5114 e. return TPM_SUCCESS5115 25.If stage > 24, return error: TPM_DAA_STAGE5116 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 272 Level 2 Revision 94 29 March 2006 Draft TCG Published 26.2 TPM_DAA_Sign5117 TPM protected capability; user must provide authorizations from the TPM Owner.5118 Incoming Operands and Sizes5119 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG Tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes incl. paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE Ordinal Command ordinal: TPM_ORD_DAA_Sign 4 4 TPM_HANDLE handle Handle to the sign session 5 1 2S 1 BYTE stage Stage of the sign process 6 4 3S 4 UINT32 inputSize0 Size of inputData0 for this stage of DAA_Sign 7 <> 4S <> BYTE[] inputData0 Data to be used by this capability 8 4 5S 4 UINT32 inputSize1 Size of inputData1 for this stage of DAA_Sign 9 <> 6S <> BYTE[] inputData1 Data to be used by this capability 10 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication 2 H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 11 20 3 H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 12 1 4 H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 13 20 20 TPM_AUTHDATA ownerAuth The authorization session digest for inputs and owner. HMAC key: ownerAuth. Outgoing Operands and Sizes5120 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes incl. paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation 2S 4 TPM_COMMAND_CODE ordinal Command ordinal:TPM_ORD_DAA_Sign 4 4 3S 4 UINT32 outputSize Size of outputData 5 <> 4S <> BYTE[] outputData Data produced by this capability 6 20 2 H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3 H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4 H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth. TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 273 TCG Published Description5121 This table summaries the input, output and saved data that is associated with each stage of5122 processing.5123 Stage Input Data0 Input Data1 Operation Output Data Scratchpad 0 DAA_issuerSettings NULL initialise handle NULL 1 enc(DAA_tpmSpecific) NULL initialise NULL NULL 2 DAA_generic_R0 DAA_generic_n P1=R0^r0 mod n NULL P1 3 DAA_generic_R1 DAA_generic_n P2 = P1*(R1^r1) mod n NULL P2 4 DAA_generic_S0 DAA_generic_n P3 = P2*(S0^r2) mod n NULL P3 5 DAA_generic_S1 DAA_generic_n T = P3*(S1^r4) mod n T NULL 6 DAA_generic_gamma w w1 = w^q mod gamma NULL w 7 DAA_generic_gamma NULL E = w^f mod gamma E w 8 DAA_generic_gamma NULL r = r0 + (2^power0)*r1 mod q, E1 = w^r mod gamma E1 NULL 9 c1 NULL c = hash(c1 || NT) NT NULL 10 b (selector) m or handle to AIK c = hash(c || 1 || m) or c = hash(c || 0 || AIK- modulus) c NULL 11 NULL NULL s0 = r0 + c*f0 s0 NULL 12 NULL NULL s1 = r1 + c*f1 s1 NULL 13 enc(v0) NULL s2 = r2 + c*v0 mod 2^power1 s2 NULL 14 enc(v0) NULL s12 = r2 + c*v0 >> power1 NULL s12 15 enc(v1) NULL s3 = r4 + c*v1 + s12 s3 NULL 5124 When a TPM receives an Owner authorized command to input enc(DAA_tpmSpecific) or5125 enc(v0) or enc(v1), the TPM MUST verify that the TPM created the data and that neither the5126 data nor the TPM's EK has been changed since the data was created. Loading one of these5127 wrapped blobs does not require authorization, since correct blobs were created by the TPM5128 under Owner authorization, and unwrapped blobs cannot be used without Owner5129 authorisation. The TPM MUST NOT restrict the number of times that the contents of5130 enc(DAA_tpmSpecific) or enc(v0) or enc(v1) can be used by the same combination of TPM5131 and Owner that created them..5132 Actions5133 A Trusted Platform Module that receives a valid TPM_DAA_Sign command SHALL:5134 26.Use ownerAuth to verify that the Owner authorized all TPM_DAA_Sign input parameters.5135 27.Any error results in the TPM invalidating all resources associated with the command5136 28.Constant values of 0 or 1 are 1 byte integers, stages affected are5137 a. 7(f), 11(e), 12(e)5138 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 274 Level 2 Revision 94 29 March 2006 Draft TCG Published 29.Representation of the strings "r0" to "r4" are 2-byte ASCII encodings, stages affected are5139 a. 2(h), 3(h), 4(h), 5(h), 12(d), 13(f), 14(f), 15(f)5140 Stages5141 0. If stage==05142 a. Determine that sufficient resources are available to perform a TPM_DAA_Sign.5143 i. The TPM MUST support sufficient resources to perform one (1) TPM_DAA_Join/5144 TPM_DAA_Sign. The TPM MAY support addition TPM_DAA_Join/ TPM_DAA_Sign5145 sessions.5146 ii. The TPM may share internal resources between the DAA operations and other5147 variable resource requirements:5148 iii. If there are insufficient resources within the stored key pool (and one or more5149 keys need to be removed to permit the DAA operation to execute) return5150 TPM_NOSPACE5151 iv. If there are insufficient resources within the stored session pool (and one or5152 more authorization or transport sessions need to be removed to permit the5153 DAA operation to execute), return TPM_RESOURCES.5154 b. Set DAA_issuerSettings = inputData05155 c. Verify that all fields in DAA_issuerSettings are present and return error5156 TPM_DAA_INPUT_DATA0 if not.5157 d. set all fields in DAA_session = NULL5158 e. Assign new handle for session5159 f. Set outputData to new handle5160 g. set DAA_session -> DAA_stage = 15161 h. return TPM_SUCCESS5162 1. If stage==15163 a. Verify that DAA_session ->DAA_stage==1. Return TPM_DAA_STAGE and flush handle5164 on mismatch5165 b. Set DAA_tpmSpecific = unwrap(inputData0)5166 c. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5167 return error TPM_DAA_ISSUER_SETTINGS on mismatch5168 d. set DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific)5169 e. obtain random data from the RNG and store it as DAA_session -> DAA_contextSeed5170 f. set outputData = NULL5171 g. set DAA_session -> DAA_stage =25172 h. return TPM_SUCCESS5173 2. If stage==25174 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 275 TCG Published a. Verify that DAA_session ->DAA_stage==2. Return TPM_DAA_STAGE and flush handle5175 on mismatch5176 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5177 return error TPM_DAA_ISSUER_SETTINGS on mismatch5178 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5179 return error TPM_DAA_TPM_SETTINGS on mismatch5180 d. Set DAA_generic_R0 = inputData05181 e. Verify that SHA-1(DAA_generic_R0) == DAA_issuerSettings -> DAA_digest_R0 and5182 return error TPM_DAA_INPUT_DATA0 on mismatch5183 f. Set DAA_generic_n = inputData15184 g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and5185 return error TPM_DAA_INPUT_DATA1 on mismatch5186 h. obtain DAA_SIZE_r0 bits from MGF1("r0", DAA_session -> DAA_contextSeed), and5187 label them Y5188 i. Set X = DAA_generic_R05189 j. Set n = DAA_generic_n5190 k. Set DAA_session -> DAA_scratch = (X^Y) mod n5191 l. set outputData = NULL5192 m. increment DAA_session -> DAA_stage by 15193 n. return TPM_SUCCESS5194 3. If stage==35195 a. Verify that DAA_session ->DAA_stage==3. Return TPM_DAA_STAGE and flush handle5196 on mismatch5197 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5198 return error TPM_DAA_ISSUER_SETTINGS on mismatch5199 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5200 return error TPM_DAA_TPM_SETTINGS on mismatch5201 d. Set DAA_generic_R1 = inputData05202 e. Verify that SHA-1(DAA_generic_R1) == DAA_issuerSettings -> DAA_digest_R1 and5203 return error TPM_DAA_INPUT_DATA0 on mismatch5204 f. Set DAA_generic_n = inputData15205 g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and5206 return error TPM_DAA_INPUT_DATA1 on mismatch5207 h. obtain DAA_SIZE_r1 bits from MGF1("r1", DAA_session -> DAA_contextSeed), and5208 label them Y5209 i. Set X = DAA_generic_R15210 j. Set n = DAA_generic_n5211 k. Set Z = DAA_session -> DAA_scratch5212 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 276 Level 2 Revision 94 29 March 2006 Draft TCG Published l. Set DAA_session -> DAA_scratch = Z*(X^Y) mod n5213 m. set outputData = NULL5214 n. increment DAA_session -> DAA_stage by 15215 o. return TPM_SUCCESS5216 4. If stage==45217 a. Verify that DAA_session ->DAA_stage==4. Return TPM_DAA_STAGE and flush handle5218 on mismatch5219 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5220 return error TPM_DAA_ISSUER_SETTINGS on mismatch5221 c. Verify that DAA_session -> DAA_digestContext = SHA-1(DAA_tpmSpecific) and5222 return error TPM_DAA_TPM_SETTINGS on mismatch5223 d. Set DAA_generic_S0 = inputData05224 e. Verify that SHA-1(DAA_generic_S0) == DAA_issuerSettings -> DAA_digest_S0 and5225 return error TPM_DAA_INPUT_DATA0 on mismatch5226 f. Set DAA_generic_n = inputData15227 g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and5228 return error TPM_DAA_INPUT_DATA1 on mismatch5229 h. obtain DAA_SIZE_r2 bits from MGF1("r2", DAA_session -> DAA_contextSeed), and5230 label them Y5231 i. Set X = DAA_generic_S05232 j. Set n = DAA_generic_n5233 k. Set Z = DAA_session -> DAA_scratch5234 l. Set DAA_session -> DAA_scratch = Z*(X^Y) mod n5235 m. set outputData = NULL5236 n. increment DAA_session -> DAA_stage by 15237 o. return TPM_SUCCESS5238 5. If stage==55239 a. Verify that DAA_session ->DAA_stage==5. Return TPM_DAA_STAGE and flush handle5240 on mismatch5241 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5242 return error TPM_DAA_ISSUER_SETTINGS on mismatch5243 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5244 return error TPM_DAA_TPM_SETTINGS on mismatch5245 d. Set DAA_generic_S1 = inputData05246 e. Verify that SHA-1(DAA_generic_S1) == DAA_issuerSettings -> DAA_digest_S1 and5247 return error TPM_DAA_INPUT_DATA0 on mismatch5248 f. Set DAA_generic_n = inputData15249 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 277 TCG Published g. Verify that SHA-1(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and5250 return error TPM_DAA_INPUT_DATA1 on mismatch5251 h. obtain DAA_SIZE_r4 bits from MGF1("r4", DAA_session -> DAA_contextSeed), and5252 label them Y5253 i. Set X = DAA_generic_S15254 j. Set n = DAA_generic_n5255 k. Set Z = DAA_session -> DAA_scratch5256 l. Set DAA_session -> DAA_scratch = Z*(X^Y) mod n5257 m. set outputData = DAA_session -> DAA_scratch5258 n. set DAA_session -> DAA_scratch = NULL5259 o. increment DAA_session -> DAA_stage by 15260 p. return TPM_SUCCESS5261 6. If stage==65262 a. Verify that DAA_session ->DAA_stage==6. Return TPM_DAA_STAGE and flush handle5263 on mismatch5264 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5265 return error TPM_DAA_ISSUER_SETTINGS on mismatch5266 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5267 return error TPM_DAA_TPM_SETTINGS on mismatch5268 d. Set DAA_generic_gammma = inputData05269 e. Verify that SHA-1(DAA_generic_gamma) == DAA_issuerSettings ->5270 DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch5271 f. Verify that inputSize1 == DAA_SIZE_w and return error TPM_DAA_INPUT_DATA1 on5272 mismatch5273 g. Set w = inputData15274 h. Set w1 = w^( DAA_issuerSettings -> DAA_generic_q) mod (DAA_generic_gamma)5275 i. If w1 != 1 (unity), return error TPM_DAA_WRONG_W5276 j. Set DAA_session -> DAA_scratch = w5277 k. set outputData = NULL5278 l. increment DAA_session -> DAA_stage by 15279 m. return TPM_SUCCESS.5280 7. If stage==75281 a. Verify that DAA_session ->DAA_stage==7. Return TPM_DAA_STAGE and flush handle5282 on mismatch5283 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5284 return error TPM_DAA_ISSUER_SETTINGS on mismatch5285 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 278 Level 2 Revision 94 29 March 2006 Draft TCG Published c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5286 return error TPM_DAA_TPM_SETTINGS on mismatch5287 d. Set DAA_generic_gamma = inputData05288 e. Verify that SHA-1(DAA_generic_gamma) == DAA_issuerSettings ->5289 DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch5290 f. Set f = SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 05291 ) || SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) mod5292 DAA_issuerSettings -> DAA_generic_q.5293 g. Set E = ((DAA_session -> DAA_scratch)^f) mod (DAA_generic_gamma).5294 h. Set outputData = E5295 i. increment DAA_session -> DAA_stage by 15296 j. return TPM_SUCCESS.5297 8. If stage==85298 a. Verify that DAA_session ->DAA_stage==8. Return TPM_DAA_STAGE and flush handle5299 on mismatch5300 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5301 return error TPM_DAA_ISSUER_SETTINGS on mismatch5302 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5303 return error TPM_DAA_TPM_SETTINGS on mismatch5304 d. Set DAA_generic_gamma = inputData05305 e. Verify that SHA-1(DAA_generic_gamma) == DAA_issuerSettings ->5306 DAA_digest_gamma and return error TPM_DAA_INPUT_DATA0 on mismatch5307 f. obtain DAA_SIZE_r0 bits from MGF1("r0", DAA_session -> DAA_contextSeed), and5308 label them r05309 g. obtain DAA_SIZE_r1 bits from MGF1("r1", DAA_session -> DAA_contextSeed), and5310 label them r15311 h. set r = r0 + 2^DAA_power0 * r1 mod (DAA_issuerSettings -> DAA_generic_q).5312 i. Set E1 = ((DAA_session -> DAA_scratch)^r) mod (DAA_generic_gamma)5313 j. Set DAA_session -> DAA_scratch = NULL5314 k. Set outputData = E15315 l. increment DAA_session -> DAA_stage by 15316 m. return TPM_SUCCESS.5317 9. If stage==95318 a. Verify that DAA_session ->DAA_stage==9. Return TPM_DAA_STAGE and flush handle5319 on mismatch5320 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5321 return error TPM_DAA_ISSUER_SETTINGS on mismatch5322 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 279 TCG Published c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5323 return error TPM_DAA_TPM_SETTINGS on mismatch5324 d. Verify that inputSize0 == sizeOf(TPM_DIGEST) and return error5325 TPM_DAA_INPUT_DATA0 on mismatch5326 e. Set DAA_session -> DAA_digest = inputData05327 f. obtain DAA_SIZE_NT bits from the RNG and label them NT5328 g. Set DAA_session -> DAA_digest to the SHA-1 ( DAA_session -> DAA_digest || NT )5329 h. Set outputData = NT5330 i. increment DAA_session -> DAA_stage by 15331 j. return TPM_SUCCESS.5332 10.If stage==105333 a. Verify that DAA_session ->DAA_stage==10. Return TPM_DAA_STAGE and flush5334 handle on mismatch5335 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5336 return error TPM_DAA_ISSUER_SETTINGS on mismatch5337 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5338 return error TPM_DAA_TPM_SETTINGS on mismatch5339 d. Set selector = inputData0, verify that selector == 0 or 1, and return error5340 TPM_DAA_INPUT_DATA0 on mismatch5341 e. If selector == 1, verify that inputSize1 == sizeOf(TPM_DIGEST), and5342 f. Set DAA_session -> DAA_digest to SHA-1 (DAA_session -> DAA_digest || 1 ||5343 inputData1)5344 g. If selector == 0, verify that inputData1 is a handle to a TPM identity key (AIK), and5345 h. Set DAA_session -> DAA_digest to SHA-1 (DAA_session -> DAA_digest || 0 || n2)5346 where n2 is the modulus of the AIK5347 i. Set outputData = DAA_session -> DAA_digest5348 j. increment DAA_session -> DAA_stage by 15349 k. return TPM_SUCCESS.5350 11.If stage==115351 a. Verify that DAA_session ->DAA_stage==11. Return TPM_DAA_STAGE and flush5352 handle on mismatch5353 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5354 return error TPM_DAA_ISSUER_SETTINGS on mismatch5355 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5356 return error TPM_DAA_TPM_SETTINGS on mismatch5357 d. obtain DAA_SIZE_r0 bits from MGF1("r0", DAA_session -> DAA_contextSeed), and5358 label them r05359 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 280 Level 2 Revision 94 29 March 2006 Draft TCG Published e. Set f = SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 05360 ) || SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) mod5361 DAA_issuerSettings -> DAA_generic_q.5362 f. Set f0 = f mod 2^DAA_power0 (erase all but the lowest DAA_power0 bits of f)5363 g. Set s0 = r0 + (DAA_session -> DAA_digest)*(f0)5364 h. set outputData = s05365 i. increment DAA_session -> DAA_stage by 15366 j. return TPM_SUCCESS5367 12.If stage==125368 a. Verify that DAA_session ->DAA_stage==12. Return TPM_DAA_STAGE and flush5369 handle on mismatch5370 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5371 return error TPM_DAA_ISSUER_SETTINGS on mismatch5372 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5373 return error TPM_DAA_TPM_SETTINGS on mismatch5374 d. obtain DAA_SIZE_r1 bits from MGF1("r1", DAA_session -> DAA_contextSeed), and5375 label them r15376 e. Set f = SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 05377 ) || SHA1(DAA_tpmSpecific -> DAA_rekey || DAA_tpmSpecific -> DAA_count || 1 ) mod5378 DAA_issuerSettings -> DAA_generic_q.5379 f. Shift f right by DAA_power0 bits (discard the lowest DAA_power0 bits) and label the5380 result f15381 g. Set s1 = r1 + (DAA_session -> DAA_digest)*(f1)5382 h. set outputData = s15383 i. increment DAA_session -> DAA_stage by 15384 j. return TPM_SUCCESS5385 13.If stage==135386 a. Verify that DAA_session ->DAA_stage==13. Return TPM_DAA_STAGE and flush5387 handle on mismatch5388 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5389 return error TPM_DAA_ISSUER_SETTINGS on mismatch5390 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5391 return error TPM_DAA_TPM_SETTINGS on mismatch5392 d. Set DAA_private_v0= unwrap(inputData0)5393 e. Verify that SHA-1(DAA_private_v0) == DAA_tpmSpecific -> DAA_digest_v0 and return5394 error TPM_DAA_INPUT_DATA0 on mismatch5395 f. obtain DAA_SIZE_r2 bits from MGF1("r2", DAA_session -> DAA_contextSeed), and5396 label them r25397 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 281 TCG Published g. Set s2 = r2 + (DAA_session -> DAA_digest)*( DAA_private_v0) mod 2^DAA_power15398 (erase all but the lowest DAA_power1 bits of s2)5399 h. Set DAA_session -> DAA_scratch = s25400 i. set outputData = s25401 j. increment DAA_session -> DAA_stage by 15402 k. return TPM_SUCCESS5403 14.If stage==145404 a. Verify that DAA_session ->DAA_stage==1. Return TPM_DAA_STAGE and flush handle5405 on mismatch5406 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5407 return error TPM_DAA_ISSUER_SETTINGS on mismatch5408 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5409 return error TPM_DAA_TPM_SETTINGS on mismatch5410 d. Set DAA_private_v0= unwrap(inputData0)5411 e. Verify that SHA-1(DAA_private_v0) == DAA_tpmSpecific -> DAA_digest_v0 and return5412 error TPM_DAA_INPUT_DATA0 on mismatch5413 f. obtain DAA_SIZE_r2 bits from MGF1("r2", DAA_session -> DAA_contextSeed), and5414 label them r25415 g. Set s12 = r2 + (DAA_session -> DAA_digest)*(DAA_private_v0).5416 h. Shift s12 right by DAA_power1 bits (erase the lowest DAA_power1 bits).5417 i. Set DAA_session -> DAA_scratch = s125418 j. set outputData = NULL5419 k. increment DAA_session -> DAA_stage by 15420 l. return TPM_SUCCESS5421 15.If stage==155422 a. Verify that DAA_session ->DAA_stage==15. Return TPM_DAA_STAGE and flush5423 handle on mismatch5424 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-1(DAA_issuerSettings) and5425 return error TPM_DAA_ISSUER_SETTINGS on mismatch5426 c. Verify that DAA_session -> DAA_digestContext == SHA-1(DAA_tpmSpecific) and5427 return error TPM_DAA_TPM_SETTINGS on mismatch5428 d. Set DAA_private_v1 = unwrap(inputData0)5429 e. Verify that SHA-1(DAA_private_v1) == DAA_tpmSpecific -> DAA_digest_v1 and return5430 error TPM_DAA_INPUT_DATA0 on mismatch5431 f. obtain DAA_SIZE_r4 bits from MGF1("r4", DAA_session -> DAA_contextSeed), and5432 label them r45433 g. Set s3 = r4 + (DAA_session -> DAA_digest)*(DAA_private_v1) + (DAA_session ->5434 DAA_scratch).5435 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 282 Level 2 Revision 94 29 March 2006 Draft TCG Published h. Set DAA_session -> DAA_scratch = NULL5436 i. set outputData = s35437 j. increment DAA_session -> DAA_stage by 15438 k. return TPM_SUCCESS5439 16.If stage > 15, return error: TPM_DAA_STAGE5440 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 283 TCG Published 27. Deprecated commands5441 Start of informative comment:5442 This section covers the commands that were in version 1.1 but now have new functionality5443 in other functions. The deprecated commands are still available in 1.2 but all new software5444 should use the new functionality.5445 There is no requirement that the deprecated commands work with new structures.5446 End of informative comment.5447 1. Commands deprecated in version 1.2 MUST work with version 1.1 structures5448 2. Commands deprecated in version 1.2 MAY work with version 1.2 structures5449 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 284 Level 2 Revision 94 29 March 2006 Draft TCG Published 27.1 Key commands5450 Start of informative comment:5451 The key commands are deprecated as the new way to handle keys is to use the standard5452 context commands. So TPM_EvictKey is now handled by TPM_FlushSpecific,5453 TPM_Terminate_Handle by TPM_FlushSpecific.5454 End of informative comment.5455 27.1.1 TPM_EvictKey5456 Incoming Operands and Sizes5457 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_EvictKey 4 4 TPM_KEY_HANDLE evictHandle The handle of the key to be evicted. Outgoing Operands and Sizes5458 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_EvictKey Actions5459 The TPM will invalidate the key stored in the specified handle and return the space to the5460 available internal pool for subsequent query by TPM_GetCapability and usage by5461 TPM_LoadKey. If the specified key handle does not correspond to a valid key, an error will5462 be returned.5463 New 1.2 functionality5464 The command must check the status of the ownerEvict flag for the key and if the flag is5465 TRUE return TPM_KEY_CONTROL_OWNER5466 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 285 TCG Published 27.1.2 TPM_Terminate_Handle5467 Start of informative comment:5468 This allows the TPM manager to clear out information in a session handle.5469 The TPM may maintain the authorization session even though a key attached to it has been5470 unloaded or the authorization session itself has been unloaded in some way. When a5471 command is executed that requires this session, it is the responsibility of the external5472 software to load both the entity and the authorization session information prior to5473 command execution.5474 End of informative comment.5475 Incoming Operands and Sizes5476 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Terminate_Handle. 4 4 TPM_AUTHHANDLE handle The handle to terminate Outgoing Operands and Sizes5477 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Terminate_Handle. Descriptions5478 The TPM SHALL terminate the session and destroy all data associated with the session5479 indicated.5480 Actions5481 A TPM SHALL unilaterally perform the actions of TPM_Terminate_Handle upon detection of5482 the following events:5483 1. Completion of a received command whose authorization "continueUse" flag is FALSE.5484 2. Completion of a received command when a shared secret derived from the authorization5485 session was exclusive -or'ed with data (to provide confidentiality for that data). This5486 occurs during execution of a TPM_ChangeAuth command, for example.5487 3. When the associated entity is destroyed (in the case of TPM Owner or SRK, for example)5488 4. Upon execution of TPM_Init5489 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 286 Level 2 Revision 94 29 March 2006 Draft TCG Published 5. When the command returns an error. This is due to the fact that when returning an5490 error the TPM does not send back nonceEven. There is no way to maintain the rolling5491 nonces, hence the TPM MUST terminate the authorization session.5492 6. Failure of an authorization check belonging to that authorization session.5493 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 287 TCG Published 27.2 Context management5494 Start of informative comment:5495 The 1.1 context commands were written for specific resource types. The 1.2 commands are5496 generic for all resource types. So the Savexxx commands are replaced by TPM_SaveContext5497 and the LoadXXX commands by TPM_LoadContext.5498 End of informative comment.5499 27.2.1 TPM_SaveKeyContext5500 Start of informative comment:5501 TPM_SaveKeyContext saves a loaded key outside the TPM. After creation of the key context5502 blob the TPM automatically releases the internal memory used by that key. The format of5503 the key context blob is specific to a TPM.5504 End of informative comment.5505 Incoming Operands and Sizes5506 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SaveKeyContext 4 4 TPM_KEY_HANDLE keyHandle The key which will be kept outside the TPM Outgoing Operands and Sizes5507 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SaveKeyContext 4 4 3S 4 UINT32 keyContextSize The actual size of the outgoing key context blob. If the command fails the value will be 0 5 <> 4S <> BYTE[] keyContextBlob The key context blob. Description5508 1. This command allows saving a loaded key outside the TPM. After creation of the5509 keyContextBlob, the TPM automatically releases the internal memory used by that key.5510 The format of the key context blob is specific to a TPM.5511 2. A TPM protected capability belonging to the TPM that created a key context blob MUST5512 be the only entity that can interpret the contents of that blob. If a cryptographic5513 technique is used for this purpose, the level of security provided by that technique5514 SHALL be at least as secure as a 2048 bit RSA algorithm. Any secrets (such as keys)5515 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 288 Level 2 Revision 94 29 March 2006 Draft TCG Published used in such a cryptographic technique MUST be generated using the TPM's random5516 number generator. Any symmetric key MUST be used within the power-on session5517 during which it was created, only.5518 3. A key context blob SHALL enable verification of the integrity of the contents of the blob5519 by a TPM protected capability.5520 4. A key context blob SHALL enable verification of the session validity of the contents of the5521 blob by a TPM protected capability. The method SHALL ensure that all key context blobs5522 are rendered invalid if power to the TPM is interrupted.5523 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 289 TCG Published 27.2.2 TPM_LoadKeyContext5524 Start of informative comment:5525 TPM_LoadKeyContext loads a key context blob into the TPM previously retrieved by a5526 TPM_SaveKeyContext call. After successful completion the handle returned by this5527 command can be used to access the key.5528 End of informative comment.5529 Incoming Operands and Sizes5530 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadKeyContext 4 4 2S 4 UINT32 keyContextSize The size of the following key context blob. 5 <> 3S <> BYTE[] keyContextBlob The key context blob. Outgoing Operands and Sizes5531 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadKeyContext 4 4 TPM_KEY_HANDLE keyHandle The handle assigned to the key after it has been successfully loaded. Description5532 1. This command allows loading a key context blob into the TPM previously retrieved by a5533 TPM_SaveKeyContext call. After successful completion the handle returned by this5534 command can be used to access the key.5535 2. The contents of a key context blob SHALL be discarded unless the contents have passed5536 an integrity test. This test SHALL (statistically) prove that the contents of the blob are5537 the same as when the blob was created.5538 3. The contents of a key context blob SHALL be discarded unless the contents have passed5539 a session validity test. This test SHALL (statistically) prove that the blob was created by5540 this TPM during this power-on session.5541 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 290 Level 2 Revision 94 29 March 2006 Draft TCG Published 27.2.3 TPM_SaveAuthContext5542 Start of informative comment:5543 TPM_SaveAuthContext saves a loaded authorization session outside the TPM. After creation5544 of the authorization context blob, the TPM automatically releases the internal memory used5545 by that session. The format of the authorization context blob is specific to a TPM.5546 End of informative comment.5547 Incoming Operands and Sizes5548 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SaveAuthContext 4 4 TPM_AUTHHANDLE authHandle Authorization session which will be kept outside the TPM Outgoing Operands and Sizes5549 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_SaveAuthContext 4 4 3S 4 UINT32 authContextSize The actual size of the outgoing authorization context blob. If the command fails the value will be 0. 5 <> 4S 4 BYTE[] authContextBlob The authorization context blob. Description5550 This command allows saving a loaded authorization session outside the TPM. After creation5551 of the authContextBlob, the TPM automatically releases the internal memory used by that5552 session. The format of the authorization context blob is specific to a TPM.5553 A TPM protected capability belonging to the TPM that created an authorization context blob5554 MUST be the only entity that can interpret the contents of that blob. If a cryptographic5555 technique is used for this purpose, the level of security provided by that technique SHALL5556 be at least as secure as a 2048 bit RSA algorithm. Any secrets (such as keys) used in such a5557 cryptographic technique MUST be generated using the TPM's random number generator.5558 Any symmetric key MUST be used within the power-on session during which it was created,5559 only.5560 An authorization context blob SHALL enable verification of the integrity of the contents of5561 the blob by a TPM protected capability.5562 An authorization context blob SHALL enable verification of the session validity of the5563 contents of the blob by a TPM protected capability. The method SHALL ensure that all5564 authorization context blobs are rendered invalid if power to the TPM is interrupted.5565 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 291 TCG Published 27.2.4 TPM_LoadAuthContext5566 Start of informative comment:5567 TPM_LoadAuthContext loads an authorization context blob into the TPM previously5568 retrieved by a TPM_SaveAuthContext call. After successful completion the handle returned5569 by this command can be used to access the authorization session.5570 End of informative comment.5571 Incoming Operands and Sizes5572 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadAuthContext 4 4 2S 4 UINT32 authContextSize The size of the following authorization context blob. 5 <> 3S <> BYTE[] authContextBlob The authorization context blob. Outgoing Operands and Sizes5573 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadAuthContext 4 4 TPM_KEY_HANDLE authHandle The handle assigned to the authorization session after it has been successfully loaded. Description5574 This command allows loading an authorization context blob into the TPM previously5575 retrieved by a TPM_SaveAuthContext call. After successful completion the handle returned5576 by this command can be used to access the authorization session.5577 The contents of an authorization context blob SHALL be discarded unless the contents have5578 passed an integrity test. This test SHALL (statistically) prove that the contents of the blob5579 are the same as when the blob was created.5580 The contents of an authorization context blob SHALL be discarded unless the contents have5581 passed a session validity test. This test SHALL (statistically) prove that the blob was created5582 by this TPM during this power-on session.5583 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 292 Level 2 Revision 94 29 March 2006 Draft TCG Published 27.3 DIR commands5584 Start of informative comment:5585 The DIR commands are replaced by the NV storage commands.5586 The DIR [0] in 1.1 is now TPM_PERMANENT_DATA -> authDIR[0] and is always available for5587 the TPM to use. It is accessed by DIR commands using dirIndex 0 and by NV commands5588 using nvIndex TPM_NV_INDEX_DIR.5589 If the TPM vendor supports additional DIR registers, the TPM vendor may return errors or5590 provide vendor specific mappings for those DIR registers to NV storage locations.5591 End of informative comment.5592 1. A dirIndex value of 0 MUST corresponds to an NV storage nvIndex value5593 TPM_NV_INDEX_DIR.5594 2. The TPM vendor MAY return errors or MAY provide vendor specific mappings for DIR5595 dirIndex values greater than 0 to NV storage locations.5596 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 293 TCG Published 27.3.1 TPM_DirWriteAuth5597 Start of informative comment:5598 The TPM_DirWriteAuth operation provides write access to the Data Integrity Registers. DIRs5599 are non-volatile memory registers held in a TPM-shielded location. Owner authentication is5600 required to authorize this action.5601 Access is also provided through the NV commands with nvIndex TPM_NV_INDEX_DIR.5602 Owner authorization is not required when nvLocked is FALSE.5603 Version 1.2 requires only one DIR. If the DIR named does not exist, the TPM_DirWriteAuth5604 operation returns TPM_BADINDEX.5605 End of informative comment.5606 Incoming Operands and Sizes5607 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM _ORD_DirWriteAuth. 4 4 2S 4 TPM_DIRINDEX dirIndex Index of the DIR 5 20 3S 20 TPM_DIRVALUE newContents New value to be stored in named DIR 6 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for command. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 7 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 9 20 TPM_AUTHDATA ownerAuth Theauthorization session digest for inputs. HMAC key: ownerAuth. Outgoing Operands and Sizes5608 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DirWriteAuth 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth. Actions5609 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 294 Level 2 Revision 94 29 March 2006 Draft TCG Published 1. Validate that authHandle contains a TPM Owner AuthData to execute the5610 TPM_DirWriteAuth command5611 2. Validate that dirIndex points to a valid DIR on this TPM5612 3. Write newContents into the DIR pointed to by dirIndex5613 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 295 TCG Published 5614 27.3.2 TPM_DirRead5615 Start of informative comment:5616 The TPM_DirRead operation provides read access to the DIRs. No authentication is required5617 to perform this action because typically no cryptographically useful AuthData is available5618 early in boot. TSS implementers may choose to provide other means of authorizing this5619 action. Version 1.2 requires only one DIR. If the DIR named does not exist, the5620 TPM_DirRead operation returns TPM_BADINDEX.5621 End of informative comment.5622 Incoming Operands and Sizes5623 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DirRead. 4 4 2S 4 TPM_DIRINDEX dirIndex Index of the DIR to be read Outgoing Operands and Sizes5624 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DirRead. 4 20 3S 20 TPM_DIRVALUE dirContents The current contents of the named DIR Actions5625 1. Validate that dirIndex points to a valid DIR on this TPM5626 2. Return the contents of the DIR in dirContents5627 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 296 Level 2 Revision 94 29 March 2006 Draft TCG Published 27.4 Change Auth5628 Start of informative comment:5629 The change auth commands can be duplicated by creating a transport session with5630 confidentiality and issuing the changeAuth command.5631 End of informative comment.5632 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 297 TCG Published 27.4.1 TPM_ChangeAuthAsymStart5633 Start of informative comment:5634 The TPM_ChangeAuthAsymStart starts the process of changing AuthData for an entity. It5635 sets up an OIAP session that must be retained for use by its twin5636 TPM_ChangeAuthAsymFinish command.5637 TPM_ChangeAuthAsymStart creates a temporary asymmetric public key "tempkey" to5638 provide confidentiality for new AuthData to be sent to the TPM. TPM_ChangeAuthAsymStart5639 certifies that tempkey was generated by a genuine TPM, by generating a certifyInfo5640 structure that is signed by a TPM identity. The owner of that TPM identity must cooperate5641 to produce this command, because TPM_ChangeAuthAsymStart requires authorization to5642 use that identity.5643 It is envisaged that tempkey and certifyInfo are given to the owner of the entity whose5644 authorization is to be changed. That owner uses certifyInfo and a5645 TPM_IDENTITY_CREDENTIAL to verify that tempkey was generated by a genuine TPM. This5646 is done by verifying the TPM_IDENTITY_CREDENTIAL using the public key of a CA,5647 verifying the signature on the certifyInfo structure with the public key of the identity in5648 TPM_IDENTITY_CREDENTIAL, and verifying tempkey by comparing its digest with the value5649 inside certifyInfo. The owner uses tempkey to encrypt the desired new AuthData and inserts5650 that encrypted data in a TPM_ChangeAuthAsymFinish command, in the knowledge that5651 only a TPM with a specific identity can interpret the new AuthData.5652 End of informative comment.5653 Incoming Operands and Sizes5654 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ChangeAuthAsymStart. 4 4 TPM_KEY_HANDLE idHandle The keyHandle identifier of a loaded identity ID key 5 20 2s 20 TPM_NONCE antiReplay The nonce to be inserted into the certifyInfo structure 6 <> 3S <> TPM_KEY_PARMS tempKey Structure contains all parameters of ephemeral key. 7 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for idHandle authorization. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 8 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 10 20 TPM_AUTHDATA idAuth Authorization. HMAC key: idKey.usageAuth. Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 298 Level 2 Revision 94 29 March 2006 Draft TCG Published Outgoing Operands and Sizes5655 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ChangeAuthAsymStart 7 95 3S 95 TPM_CERTIFY_INFO certifyInfo The certifyInfo structure that is to besigned. 8 4 4S 4 UINT32 sigSize The used size of the output area for the signature 9 <> 5S <> BYTE[ ] sig The signature of the certifyInfo parameter. 10 4 6s 4 TPM_KEY_HANDLE ephHandle The keyHandle identifier to be used by ChangeAuthAsymFinish for the ephemeral key 11 <> 7S <> TPM_KEY tempKey Structure containing all parameters and public part of ephemeral key. TPM_KEY.encSize is set to 0. 12 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 13 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 14 20 TPM_AUTHDATA resAuth Authorization. HMAC key: idKey.usageAuth. Actions5656 1. The TPM SHALL verify the AuthData to use the TPM identity key held in idHandle. The5657 TPM MUST verify that the key is a TPM identity key.5658 2. The TPM SHALL validate the algorithm parameters for the key to create from the5659 tempKey parameter.5660 3. Recommended key type is RSA5661 4. Minimum RSA key size MUST is 512 bits, recommended RSA key size is 10245662 5. For other key types the minimum key size strength MUST be comparable to RSA 5125663 6. If the TPM is not designed to create a key of the requested type, return the error code5664 TPM_BAD_KEY_PROPERTY5665 7. The TPM SHALL create a new key (k1) in accordance with the algorithm parameter. The5666 newly created key is pointed to by ephHandle.5667 8. The TPM SHALL fill in all fields in tempKey using k1 for the information. The TPM_KEY -5668 > encSize MUST be 0.5669 9. The TPM SHALL fill in certifyInfo using k1 for the information. The certifyInfo -> data5670 field is supplied by the antiReplay.5671 10.The TPM then signs the certifyInfo parameter using the key pointed to by idHandle. The5672 resulting signed blob is returned in sig parameter5673 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 299 TCG Published Field Descriptions for certifyInfo parameter5674 Type Name Description TPM_VERSION Version TPM version structure; Part 2 TPM_VERSION keyFlags Redirection This SHALL be set to FALSE Migratable This SHALL be set to FALSE Volatile This SHALL be set to TRUE TPM_AUTH_DATA_USAGE authDataUsage This SHALL be set to TPM_AUTH_NEVER TPM_KEY_USAGE KeyUsage This SHALL be set to TPM_KEY_AUTHCHANGE UINT32 PCRInfoSize This SHALL be set to 0 TPM_DIGEST pubDigest This SHALL be the hash of the public key being certified. TPM_NONCE Data This SHALL be set to antiReplay TPM_KEY_PARMS info This specifies the type of key and its parameters. BOOL parentPCRStatus This SHALL be set to FALSE. 5675 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 300 Level 2 Revision 94 29 March 2006 Draft TCG Published 27.4.2 TPM_ChangeAuthAsymFinish5676 Start of informative comment:5677 The TPM_ChangeAuth command allows the owner of an entity to change the AuthData for5678 the entity.5679 The command requires the cooperation of the owner of the parent of the entity, since5680 AuthData must be provided to use that parent entity. The command requires knowledge of5681 the existing AuthData information and passes the new AuthData information. The5682 newAuthLink parameter proves knowledge of existing AuthData information and new5683 AuthData information. The new AuthData information "encNewAuth" is encrypted using the5684 "tempKey" variable obtained via TPM_ChangeAuthAsymStart.5685 A parent therefore retains control over a change in the AuthData of a child, but is prevented5686 from knowing the new AuthData for that child.5687 The changeProof parameter provides a proof that the new AuthData value was properly5688 inserted into the entity. The inclusion of a nonce from the TPM provides an entropy source5689 in the case where the AuthData value may be in itself be a low entropy value (hash of a5690 password etc).5691 End of informative comment.5692 Incoming Operands and Sizes5693 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ChangeAuthAsymFinish 4 4 TPM_KEY_HANDLE parentHandle The keyHandle of the parent key for the input data 5 4 TPM_KEY_HANDLE ephHandle The keyHandle identifier for the ephemeral key 6 2 3S 2 TPM_ENTITY_TYPE entityType The type of entity to be modified 7 20 4s 20 TPM_HMAC newAuthLink HMAC calculation that links the old and new AuthData values together 8 4 5S 4 UINT32 newAuthSize Size of encNewAuth 9 <> 6S <> BYTE[ ] encNewAuth New AuthData encrypted with ephemeral key. 10 4 7S 4 UINT32 encDataSize The size of the inData parameter 11 <> 8S <> BYTE[ ] encData The encrypted entity that is to be modified. 12 4 TPM_AUTHHANDLE authHandle Authorization for parent key. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 13 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 14 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 15 20 TPM_AUTHDATA privAuth Theauthorization session digest for inputs and parentHandle. HMAC key: parentKey .usageAuth. 5694 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 301 TCG Published Outgoing Operands and Sizes5695 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_ChangeAuthAsymFinish 4 4 3S 4 UINT32 outDataSize The used size of the output area for outData 5 <> 4S <> BYTE[ ] outData The modified, encrypted entity. 6 20 5s 20 TPM_NONCE saltNonce A nonce value from the TPM RNG to add entropy to the changeProof value 7 <> 6S <> TPM_DIGEST changeProof Proof that AuthData has changed. 8 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 9 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 10 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: parentKey.usageAuth. Description5696 If the parentHandle points to the SRK then the HMAC key MUST be built using the TPM5697 Owner authentication.5698 Actions5699 1. The TPM SHALL validate that the authHandle parameter authorizes use of the key in5700 parentHandle.5701 2. The encData field MUST be the encData field from TPM_STORED_DATA or TPM_KEY.5702 3. The TPM SHALL create e1 by decrypting the entity held in the encData parameter.5703 4. The TPM SHALL create a1 by decrypting encNewAuth using the ephHandle ->5704 TPM_KEY_AUTHCHANGE private key. a1 is a structure of type5705 TPM_CHANGEAUTH_VALIDATE.5706 5. The TPM SHALL create b1 by performing the following HMAC calculation: b1 = HMAC5707 (a1 -> newAuthSecret). The secret for this calculation is encData -> currentAuth. This5708 means that b1 is a value built from the current AuthData value (encData ->5709 currentAuth) and the new AuthData value (a1 -> newAuthSecret).5710 6. The TPM SHALL compare b1 with newAuthLink. The TPM SHALL indicate a failure if the5711 values do not match.5712 7. The TPM SHALL replace e1 -> authData with a1 -> newAuthSecret5713 8. The TPM SHALL encrypt e1 using the appropriate functions for the entity type. The key5714 to encrypt with is parentHandle.5715 9. The TPM SHALL create saltNonce by taking the next 20 bytes from the TPM RNG.5716 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 302 Level 2 Revision 94 29 March 2006 Draft TCG Published 10.The TPM SHALL create changeProof a HMAC of (saltNonce concatenated with a1 -> n1)5717 using a1 -> newAuthSecret as the HMAC secret.5718 11.The TPM MUST destroy the TPM_KEY_AUTHCHANGE key associated with the5719 authorization session.5720 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 303 TCG Published 27.5 TPM_Reset5721 Start of informative comment:5722 TPM_Reset releases all resources associated with existing authorization sessions. This is5723 useful if a TSS driver has lost track of the state in the TPM.5724 End of informative comment.5725 Deprecated Command in 1.25726 Incoming Parameters and Sizes5727 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Reset. Outgoing Parameters and Sizes5728 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_Reset. Description5729 This is a deprecated command in V1.2. This command in 1.1 only referenced authorization5730 sessions and is not upgraded to affect any other TPM entity in 1.25731 Actions5732 1. The TPM invalidates all resources allocated to authorization sessions as per version 1.15733 extant in the TPM5734 a. This includes structures created by TPM_SaveAuthContext and TPM_SaveKeyContext5735 b. Structures created by TPM_Contextxxx (the new 1.2 commands) are not affected by5736 this command5737 2. The TPM does not reset any PCR or DIR values.5738 3. The TPM does not reset any flags in the TPM_STCLEAR_FLAGS structure.5739 4. The TPM does not reset or invalidate any keys5740 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 304 Level 2 Revision 94 29 March 2006 Draft TCG Published 27.6 TPM_OwnerReadPubek5741 Start of informative comment:5742 Return the endorsement key public portion. This is authorized by the TPM Owner.5743 End of informative comment.5744 Incoming Operands and Sizes5745 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_OwnerReadPubek 4 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 5 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 7 20 TPM_AUTHDATA ownerAuth Theauthorization session digest for inputs and owner authentication. HMAC key: ownerAuth. Outgoing Operands and Sizes5746 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_OwnerReadPubek 4 <> 3S <> TPM_PUBKEY pubEndorsementKey The public endorsement key 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 7 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth. Description5747 This command returns the PUBEK.5748 Actions5749 The TPM_OwnerReadPubek command SHALL5750 1. Validate the TPM Owner AuthData to execute this command5751 2. Export the PUBEK5752 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 305 TCG Published 27.7 TPM_DisablePubekRead5753 Start of informative comment:5754 The TPM Owner may wish to prevent any entity from reading the PUBEK. This command5755 sets the non-volatile flag so that the TPM_ReadPubek command always returns5756 TPM_DISABLED_CMD.5757 This command has in essence been deprecated as TPM_TakeOwnership now sets the value5758 to false. The command remains at this time for backward compatibility.5759 End of informative comment.5760 Incoming Operands and Sizes5761 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DisablePubekRead 4 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for owner authentication. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated byTPM to cover inputs 5 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 7 20 TPM_AUTHDATA ownerAuth Theauthorization session digest for inputs and owner authorization. HMAC key: ownerAuth. Outgoing Operands and Sizes5762 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_DisablePubekRead 4 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 5 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 6 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: ownerAuth. Actions5763 1. This capability sets the TPM_PERMANENT_FLAGS -> readPubek flag to FALSE.5764 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 306 Level 2 Revision 94 29 March 2006 Draft TCG Published 27.8 TPM_LoadKey5765 Start of informative comment:5766 Version 1.2 deprecates TPM_LoadKey due to the HMAC of the new key handle on return.5767 The wrapping makes use of the handle difficult in an environment where the TSS, or other5768 management entity, is changing the TPM handle to a virtual handle.5769 Software using TPM_LoadKey on a 1.2 TPM can have a collision with the returned handle as5770 the 1.2 TPM uses random values in the lower three bytes of the handle. All new software5771 must use LoadKey2 to allow management software the ability to manage the key handle.5772 Before the TPM can use a key to either wrap, unwrap, bind, unbind, seal, unseal, sign or5773 perform any other action, it needs to be present in the TPM. The TPM_LoadKey function5774 loads the key into the TPM for further use.5775 The TPM assigns the key handle. The TPM always locates a loaded key by use of the handle.5776 The assumption is that the handle may change due to key management operations. It is the5777 responsibility of upper level software to maintain the mapping between handle and any5778 label used by external software.5779 This command has the responsibility of enforcing restrictions on the use of keys. For5780 example, when attempting to load a STORAGE key it will be checked for the restrictions on5781 a storage key (2048 size etc.).5782 The load command must maintain a record of whether any previous key in the key5783 hierarchy was bound to a PCR using parentPCRStatus.5784 The flag parentPCRStatus enables the possibility of checking that a platform passed5785 through some particular state or states before finishing in the current state. A grandparent5786 key could be linked to state-1, a parent key could linked to state-2, and a child key could be5787 linked to state-3, for example. The use of the child key then indicates that the platform5788 passed through states 1 and 2 and is currently in state 3, in this example. TPM_Startup5789 with stType == TPM_ST_CLEAR indicates that the platform has been reset, so the platform5790 has not passed through the previous states. Hence keys with parentPCRStatus==TRUE5791 must be unloaded if TPM_Startup is issued with stType == TPM_ST_CLEAR.5792 If a TPM_KEY structure has been decrypted AND the integrity test using "pubDataDigest"5793 has passed AND the key is non-migratory, the key must have been created by the TPM. So5794 there is every reason to believe that the key poses no security threat to the TPM. While there5795 is no known attack from a rogue migratory key, there is a desire to verify that a loaded5796 migratory key is a real key, arising from a general sense of unease about execution of5797 arbitrary data as a key. Ideally a consistency check would consist of an encrypt/decrypt5798 cycle, but this may be expensive. For RSA keys, it is therefore suggested that the5799 consistency test consists of dividing the supposed RSA product by the supposed RSA prime,5800 and checking that there is no remainder.5801 End of informative comment.5802 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 307 TCG Published Incoming Operands and Sizes5803 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadKey. 4 4 TPM_KEY_HANDLE parentHandle TPM handle of parent key. 5 <> 2S <> TPM_KEY inKey Incoming key structure, both encrypted private and clear public portions. MAY be TPM_KEY12 6 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for parentHandle authorization. 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 7 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 9 20 TPM_AUTHDATA parentAuth Theauthorization session digest for inputs and parentHandle. HMAC key: parentKey.usageAuth. Outgoing Operands and Sizes5804 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_LoadKey 4 4 3S 4 TPM_KEY_HANDLE inkeyHandle Internal TPM handle where decrypted key was loaded. 5 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 6 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 7 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: parentKey.usageAuth. Actions5805 The TPM SHALL perform the following steps:5806 1. Validate the command and the parameters using parentAuth and parentHandle ->5807 usageAuth5808 2. If parentHandle -> keyUsage is NOT TPM_KEY_STORAGE return5809 TPM_INVALID_KEYUSAGE5810 3. If the TPM is not designed to operate on a key of the type specified by inKey, return the5811 error code TPM_BAD_KEY_PROPERTY5812 4. The TPM MUST handle both TPM_KEY and TPM_KEY12 structures5813 5. Decrypt the inKey -> privkey to obtain TPM_STORE_ASYMKEY structure using the key5814 in parentHandle5815 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 308 Level 2 Revision 94 29 March 2006 Draft TCG Published 6. Validate the integrity of inKey and decrypted TPM_STORE_ASYMKEY5816 a. Reproduce inKey -> TPM_STORE_ASYMKEY -> pubDataDigest using the fields of5817 inKey, and check that the reproduced value is the same as pubDataDigest5818 7. Validate the consistency of the key and iťs key usage.5819 a. If inKey -> keyFlags -> migratable is TRUE, the TPM SHALL verify consistency of the5820 public and private components of the asymmetric key pair. If inKey -> keyFlags ->5821 migratable is FALSE, the TPM MAY verify consistency of the public and private5822 components of the asymmetric key pair. The consistency of an RSA key pair MAY be5823 verified by dividing the supposed (P*Q) product by a supposed prime and checking that5824 there is no remainder..5825 b. If inKey -> keyUsage is TPM_KEY_IDENTITY, verify that inKey->keyFlags->migratable5826 is FALSE. If it is not, return TPM_INVALID_KEYUSAGE5827 c. If inKey -> keyUsage is TPM_KEY_AUTHCHANGE, return TPM_INVALID_KEYUSAGE5828 d. If inKey -> keyFlags -> migratable equals 0 then verify that TPM_STORE_ASYMKEY -5829 > migrationAuth equals TPM_PERMANENT_DATA -> tpmProof5830 e. Validate the mix of encryption and signature schemes5831 f. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then5832 i. If keyInfo -> keySize is less than 1024 return TPM_NOTFIPS5833 ii. If keyInfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS5834 iii. If keyInfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS5835 g. If inKey -> keyUsage is TPM_KEY_STORAGE or TPM_KEY_MIGRATE5836 i. algorithmID MUST be TPM_ALG_RSA5837 ii. Key size MUST be 20485838 iii. sigScheme MUST be TPM_SS_NONE5839 h. If inKey -> keyUsage is TPM_KEY_IDENTITY5840 i. algorithmID MUST be TPM_ALG_RSA5841 ii. Key size MUST be 20485842 iii. encScheme MUST be TPM_ES_NONE5843 i. If the decrypted inKey -> pcrInfo is NULL,5844 i. The TPM MUST set the internal indicator to indicate that the key is not using any5845 PCR registers.5846 j. Else5847 i. The TPM MUST store pcrInfo in a manner that allows the TPM to calculate a5848 composite hash whenever the key will be in use5849 ii. The TPM MUST handle both version 1.1 TPM_PCR_INFO and 1.25850 TPM_PCR_INFO_LONG structures according to the type of TPM_KEY structure5851 iii. The TPM MUST validate the TPM_PCR_INFO or TPM_PCR_INFO_LONG5852 structures5853 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 309 TCG Published 8. Perform any processing necessary to make TPM_STORE_ASYMKEY key available for5854 operations5855 9. Load key and key information into internal memory of the TPM. If insufficient memory5856 exists return error TPM_NOSPACE.5857 10.Assign inKeyHandle according to internal TPM rules.5858 11.Set InKeyHandle -> parentPCRStatus to parentHandle -> parentPCRStatus.5859 12.If ParentHandle indicates it is using PCR registers then set inKeyHandle ->5860 parentPCRStatus to TRUE.5861 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 310 Level 2 Revision 94 29 March 2006 Draft TCG Published 28. Deleted Commands5862 Start of informative comment:5863 These commands are no longer active commands. Their removal is due to security concerns5864 with their use.5865 End of informative comment.5866 1. The TPM MUST return TPM_BAD_ORDINAL for any deleted command5867 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 311 TCG Published 28.1 TPM_GetCapabilitySigned5868 Start of informative comment:5869 Along with TPM_GetCapabilityOwner this command allowed the possible signature of5870 improper values.5871 TPM_GetCapabilitySigned is almost the same as TPM_GetCapability. The differences are5872 that the input includes a challenge (a nonce) and the response includes a digital signature5873 to vouch for the source of the answer.5874 If a caller itself requires proof, it is sufficient to use any signing key for which only the TPM5875 and the caller have AuthData.5876 If a caller requires proof for a third party, the signing key must be one whose signature is5877 trusted by the third party. A TPM-identity key may be suitable.5878 End of informative comment.5879 Deleted Ordinal5880 TPM_GetCapabilitySigned5881 Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 312 Level 2 Revision 94 29 March 2006 Draft TCG Published 28.2 TPM_GetOrdinalAuditStatus5882 Start of informative comment:5883 Get the status of the audit flag for the given ordinal.5884 End of informative comment.5885 Incoming Operands and Sizes5886 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_GetOrdinalAuditStatus 4 4 TPM_COMMAND_CODE ordinalToQuery The ordinal whose audit flag is to be queried Outgoing Operands and Sizes5887 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 TPM_RESULT returnCode The return code of the operation. 4 1 BOOL State Value of audit flag for ordinalToQuery Actions5888 1. The TPM returns the Boolean value for the given ordinal. The value is TRUE if the5889 command is being audited.5890 TPM Main Part 3 Commands TCG Copyright Specification Version 1.2 Level 2 Revision 94 29 March 2006 Draft 313 TCG Published 28.3 TPM_CertifySelfTest5891 Start of informative comment:5892 TPM_CertifySelfTest causes the TPM to perform a full self-test and return an authenticated5893 value if the test passes.5894 If a caller itself requires proof, it is sufficient to use any signing key for which only the TPM5895 and the caller have AuthData.5896 If a caller requires proof for a third party, the signing key must be one whose signature is5897 trusted by the third party. A TPM-identity key may be suitable.5898 End of informative comment.5899 Incoming Operands and Sizes5900 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RQU_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of input bytes including paramSize and tag 3 4 1S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CertifySelfTest 4 4 TPM_KEY_HANDLE keyHandle The keyHandle identifier of a loaded key that can perform digital signatures. 5 20 2S 20 TPM_NONCE antiReplay Anti Replay nonce to prevent replay of messages 6 4 TPM_AUTHHANDLE authHandle Theauthorization session handle used for keyHandle authorization 2H1 20 TPM_NONCE authLastNonceEven Even nonce previously generated by TPM to cover inputs 7 20 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 8 1 4H1 1 BOOL continueAuthSession The continue use flag for the authorization session handle 9 20 TPM_AUTHDATA privAuth Theauthorization session digest that authorizes the inputs and use of keyHandle. HMAC key: key.usageAuth Outgoing Operands and Sizes5901 PARAM HMAC # SZ # SZ Type Name Description 1 2 TPM_TAG tag TPM_TAG_RSP_AUTH1_COMMAND 2 4 UINT32 paramSize Total number of output bytes including paramSize and tag 3 4 1S 4 TPM_RESULT returnCode The return code of the operation. 2S 4 TPM_COMMAND_CODE ordinal Command ordinal: TPM_ORD_CertifySelfTest 4 4 3S 4 UINT32 sigSize The length of the returned digital signature 5 <> 4S <> BYTE[ ] sig The resulting digital signature. 6 20 2H1 20 TPM_NONCE nonceEven Even nonce newly generated by TPM to cover outputs 3H1 20 TPM_NONCE nonceOdd Nonce generated by system associated with authHandle 7 1 4H1 1 BOOL continueAuthSession Continue use flag, TRUE if handle is still active 8 20 TPM_AUTHDATA resAuth Theauthorization session digest for the returned parameters. HMAC key: key.usageAuth Copyright TCG TPM Main Part 3 Commands Specification Version 1.2 314 Level 2 Revision 94 29 March 2006 Draft TCG Published Description5902 The key in keyHandle MUST have a KEYUSAGE value of type TPM_KEY_SIGNING or5903 TPM_KEY_LEGACY or TPM_KEY_IDENTITY.5904 Information returned by TPM_CertifySelfTest MUST NOT aid identification of an individual5905 TPM.5906 Actions5907 1. The TPM SHALL perform TPM_SelfTestFull. If the test fails the TPM returns the5908 appropriate error code.5909 2. After successful completion of the self-test the TPM then validates the authorization to5910 use the key pointed to by keyHandle5911 a. If the key pointed to by keyHandle has a signature scheme that is not5912 TPM_SS_RSASSAPKCS1v15_SHA1, the TPM may either return TPM_BAD_SCHEME or5913 may return TPM_SUCCESS and a vendor specific signature.5914 3. Create t1 the NOT null terminated string of "Test Passed", i.e. 11 bytes.5915 4. The TPM creates m2 the message to sign by concatenating t1 || AntiReplay || ordinal.5916 5. The TPM signs the SHA-1 of m2 using the key identified by keyHandle, and returns the5917 signature as sig.5918 5919