Post

TPM Cheatsheet

Posted Updated
By John Morrow 2 min read

TPM (Trusted Platform Module) Chips and Attestation Cheat Sheet

Overview

  • Purpose: A TPM is a secure crypto-processor designed to carry out cryptographic operations.
  • Functionality: It includes capabilities such as hardware-based random number generation, secure generation of cryptographic keys, and platform authentication.
  • Standards: Defined by the Trusted Computing Group (TCG), with TPM 1.2 and TPM 2.0 being the most common standards.

TPM Key Components

  • Endorsement Key (EK): A unique RSA key burned into the chip at manufacture, used for authentication and to generate other keys.
  • Storage Root Key (SRK): Generated when you take ownership of the TPM, used to protect other keys created by the TPM.
  • Attestation Identity Key (AIK): Used to authenticate the platform to a third-party verifier without revealing the EK.

TPM Registers

  • PCR (Platform Configuration Registers):
    • Number: Typically 24 in TPM 1.2 and more in TPM 2.0.
    • Purpose: Used to store measurements (hashes) of software, firmware, and configuration data. These measurements are used for system integrity verification.
  • Other Registers: Include data registers for key storage, counters for encryption, and registers for storing audit and integrity metrics.

Attestation Process

  • Purpose: Validates the integrity and trustworthiness of the platform.
  • Process:
    1. System state is measured (hashed) and stored in PCRs.
    2. TPM signs these measurements with the AIK.
    3. The signed data is sent to a remote server (verifier).
    4. The verifier authenticates the data using the public part of the AIK and validates the system state.

TPM Usage Scenarios

  • Disk Encryption: Keys are stored in the TPM for data protection, e.g., BitLocker in Windows.
  • Secure Boot and Integrity Measurement: Ensuring the system boots with trusted firmware and software.
  • Key Generation and Storage: Creating and storing cryptographic keys securely.

TPM Versions

  • TPM 1.2: Introduces basic functionality, including RSA algorithm for key generation.
  • TPM 2.0: Enhanced cryptographic capabilities, including support for newer algorithms, and improved flexibility and security.

Security Considerations

  • Physical Security: Resistant to tampering and unauthorized access attempts.
  • Data Privacy: Keys and sensitive data are stored securely within the TPM, preventing external access.

Limitations and Challenges

  • Compatibility Issues: May require specific software and hardware configurations.
  • Complex Management: Handling TPMs can be complex, especially in large-scale deployments.
  • Recovery and Backup: Managing keys and recovery scenarios require careful planning.

Future of TPM

  • Wider Implementation: Increasing adoption in IoT devices and consumer electronics for enhanced security.
  • Integration with Emerging Technologies: Potential use cases in blockchain, AI, and more.

References

tpm, cheatsheet, security
tpm security attestation
This post is licensed under CC BY 4.0 by the author.