TPM Cheatsheet

TPM (Trusted Platform Module) Chips and Attestation Cheat Sheet

Overview

• Purpose: A TPM is a secure crypto-processor designed to carry out cryptographic operations.
• Functionality: It includes capabilities such as hardware-based random number generation, secure generation of cryptographic keys, and platform authentication.
• Standards: Defined by the Trusted Computing Group (TCG), with TPM 1.2 and TPM 2.0 being the most common standards.

TPM Key Components

• Endorsement Key (EK): A unique RSA key burned into the chip at manufacture, used for authentication and to generate other keys.
• Storage Root Key (SRK): Generated when you take ownership of the TPM, used to protect other keys created by the TPM.
• Attestation Identity Key (AIK): Used to authenticate the platform to a third-party verifier without revealing the EK.

TPM Registers

• PCR (Platform Configuration Registers):
  • Number: Typically 24 in TPM 1.2 and more in TPM 2.0.
  • Purpose: Used to store measurements (hashes) of software, firmware, and configuration data. These measurements are used for system integrity verification.
• Other Registers: Include data registers for key storage, counters for encryption, and registers for storing audit and integrity metrics.

Attestation Process

• Purpose: Validates the integrity and trustworthiness of the platform.
• Process:
  1. System state is measured (hashed) and stored in PCRs.
  2. TPM signs these measurements with the AIK.
  3. The signed data is sent to a remote server (verifier).
  4. The verifier authenticates the data using the public part of the AIK and validates the system state.

TPM Usage Scenarios

• Disk Encryption: Keys are stored in the TPM for data protection, e.g., BitLocker in Windows.
• Secure Boot and Integrity Measurement: Ensuring the system boots with trusted firmware and software.
• Key Generation and Storage: Creating and storing cryptographic keys securely.

TPM Versions

• TPM 1.2: Introduces basic functionality, including RSA algorithm for key generation.
• TPM 2.0: Enhanced cryptographic capabilities, including support for newer algorithms, and improved flexibility and security.

Security Considerations

• Physical Security: Resistant to tampering and unauthorized access attempts.
• Data Privacy: Keys and sensitive data are stored securely within the TPM, preventing external access.

Limitations and Challenges

• Compatibility Issues: May require specific software and hardware configurations.
• Complex Management: Handling TPMs can be complex, especially in large-scale deployments.
• Recovery and Backup: Managing keys and recovery scenarios require careful planning.

Future of TPM

• Wider Implementation: Increasing adoption in IoT devices and consumer electronics for enhanced security.
• Integration with Emerging Technologies: Potential use cases in blockchain, AI, and more.

References

• Trusted Computing Group: TPG Website
• TPM 2.0 Library Specification: Link to Specification