Re: [Rats] TPM background for RIV

Ira McDonald <> Tue, 25 August 2020 21:04 UTC

From: Ira McDonald <>
Date: Tue, 25 Aug 2020 17:04:07 -0400
To: Guy Fedorkow <>, Ira McDonald <>
Cc: "" <>, "Jessica Fitzgerald-McKay (" <>, "Eric Voit (evoit)" <>

Hi Guy,

Thanks for this excellent proposed text.

Small note: Although you say each TPM has at least 16 PCRs, in fact the TPM 2.0 Mobile Common Profile (2015) only requires the implementation of one SHA-256 bank of 8 PCRs (a SHA-1 bank is prohibited here). That design choice was made to avoid the squabbles over the inconsistent usage of PCR8 through PCR15 across various TPM 2.0 profiles.

- Ira (editor of TPM 2.0 Mobile Common Profile)

Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Co-Chair - TCG Metadata Access Protocol SG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North <>
(permanent) PO Box 221  Grand Marais, MI 49839

On Tue, Aug 25, 2020 at 3:16 PM Guy Fedorkow <gfedorkow=> wrote:

> A recent reviewer of the RIV document (that would be a RIViewer) pointed
> out that the doc assumes that the fundamental behavior of a TPM for
> attestation is already well known by the reader.  Of course that may not be
> the case.
>   Rather than add more tutorial material to the body of the document, I’d
> like to suggest adding the following subsection to the existing appendices,
> with cross references in a couple places in the doc.
>   Let me know if this looks like it would be helpful to new readers.
>   Thanks
> /guy
>
> Appendix
> Using a TPM for Attestation
>   The Trusted Platform Module and surrounding ecosystem provide three
> interlocking capabilities to enable secure collection of evidence from a
> remote device, Platform Configuration Registers (PCRs), a Quote mechanism,
> and a standardized Event Log.
>   Each TPM has at least sixteen PCRs, each one large enough to hold one
> hash value (SHA-1, SHA-256, and other algorithms can be used for this
> hashing depending on TPM version).  PCRs can’t be accessed directly from
> outside the chip, but the TPM interface provides a way to “extend” a new
> security measurement hash into any PCR, a process by which the existing
> value in the PCR is hashed with the new security measurement hash, and the
> result placed back into the same PCR.  The result is a composite
> fingerprint of all the security measurements extended into each PCR since
> the system was reset.
>   Every time a PCR is extended, an entry should be added to the
> corresponding Event Log.  Logs contain the security measurement hash plus
> informative fields offering hints as to what event it was that generated
> the security measurement.  The Event Log itself is protected against
> accidental manipulation, but it is implicitly tamper-evident – any
> verification process can read the security measurement hash from the log
> events, compute the composite value and compare that to what ended up in
> the PCR.   If there’s a discrepancy, the logs do not provide an accurate
> view of what was placed into the PCR.
>   The TPM provides another mechanism called a Quote that can read the
> current value of the PCRs and package them into a data structure signed by
> an Attestation Key (which is a private key that is known only to the TPM).
> The Verifier uses the Quote and Log together.  The Quote, containing the
> composite hash of the complete sequence of security measurement hashes, is
> used to verify the integrity of the Event Log.  Each hash in the validated
> Quote can then be compared to corresponding expected values in the set of
> Reference Integrity Measurements to validate overall system integrity.
>   Information about PCRs and Quotes can be found in {{TPM1.2}} and
> {{TPM2.0}}.  Although there are several log formats, an example can be
> found in {{XX}}
> _______________________________________________
> RATS mailing list
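As an added illustration of the extend, log-replay and reference-comparison steps described in the quoted appendix text (example code written for this page, not part of the RIV draft or of either message): a constructed single SHA-256 PCR, an event log, and a verifier that replays the log against the PCR value and then checks each digest against a constructed Reference Integrity Measurement set. The Quote signature check is assumed to have already succeeded, so the verifier is simply handed an authenticated PCR value.

```python
import hashlib

PCR_SIZE = 32  # bytes in one SHA-256 digest; one PCR of a SHA-256 bank


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR value || measurement digest)."""
    assert len(current) == PCR_SIZE and len(measurement) == PCR_SIZE
    return hashlib.sha256(current + measurement).digest()


def measure(data: bytes) -> bytes:
    """Security measurement of a component image (its SHA-256 digest)."""
    return hashlib.sha256(data).digest()


def boot(components):
    """Simulated firmware: measure each component into PCR0, log each event."""
    pcr = bytes(PCR_SIZE)  # PCR0 is all zeros after reset
    log = []
    for name, image in components:
        digest = measure(image)
        log.append({"pcr": 0, "digest": digest, "event": name})
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log, pcr_index=0) -> bytes:
    """Verifier side: recompute the composite from the log's digests alone."""
    pcr = bytes(PCR_SIZE)
    for entry in log:
        if entry["pcr"] == pcr_index:
            pcr = pcr_extend(pcr, entry["digest"])
    return pcr


def verify(quoted_pcr: bytes, log, reference_digests) -> tuple:
    """Integrity of the log first (tamper-evidence), then each digest vs RIMs."""
    if replay_log(log) != quoted_pcr:
        return (False, "event log does not reproduce the quoted PCR value")
    unknown = [e["event"] for e in log if e["digest"] not in reference_digests]
    if unknown:
        return (False, "measurements not in reference set: " + ", ".join(unknown))
    return (True, "ok")


# Constructed component images and the matching (constructed) RIM set.
COMPONENTS = [("bootloader", b"bootloader-v1"), ("kernel", b"kernel-5.4")]
REFERENCE = {measure(img) for _, img in COMPONENTS}

if __name__ == "__main__":
    pcr0, log = boot(COMPONENTS)
    print(verify(pcr0, log, REFERENCE))          # (True, 'ok')
    log[1]["digest"] = measure(b"kernel-altered")  # edit the log, not the PCR
    print(verify(pcr0, log, REFERENCE))          # replay mismatch detected
```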