TPM 2.0命令规范详解

需积分: 33 106 浏览量更新于2024-07-17 收藏 4.14MB PDF 举报

"TPM-Rev-2.0-Part-3-Commands-01.38.pdf 是 Trusted Platform Module (TPM) 2.0 规范的一部分，主要聚焦于命令定义。这个文档详细描述了TPM 2.0命令的运作，利用了在TPM 2.0 Part 2中定义的常量、标志、结构体和联合体。文档以C语言的形式编写，并配有详尽的注释，但C代码的行为仅是规范性的，并不能完全描述TPM的行为。TPM 2.0 Part 3 和 TPM 2.0 Part 4 的结合才能充分说明TPM所需的行为。这份文档发布于2016年9月29日，由Trusted Computing Group (TCG) 出版，遵循特定的版权许可和分发条件。" TPM（Trusted Platform Module）是一种安全芯片，用于提供硬件级别的安全性，支持各种加密操作和信任计算平台的初始化。在TPM 2.0规范中，Part 3主要关注的是命令集，这是TPM功能的核心部分。这些命令使得系统能够执行诸如密钥管理、数字签名、安全启动等任务，确保了平台的安全性和完整性。命令的详细描述采用C语言是为了让开发者能更好地理解和实现这些功能。C语言的描述提供了每个命令的输入参数、输出参数以及命令执行的逻辑流程。然而，需要注意的是，虽然C代码提供了规范性行为，但它并不完全等同于TPM的实际硬件行为，因为实际的TPM实现可能会有硬件层面的差异。 TPM 2.0 Part 2则包含了TPM的基本结构、数据类型、常量和其他基础定义。这部分是理解Part 3中命令的基础，因为它定义了命令使用的各种元素。没有Part 2，Part 3中的命令定义将是不完整的。此外，文档还提到了版权和许可信息。TCG允许用户在全球范围内复制、创建衍生作品、分发、展示和表演源代码，且无需支付版权费。而对于规范的其他部分，用户可以仅用于基于这些文档开发产品的目的进行复制、分发、展示和表演。在源代码的再分发中，必须保留原有的版权许可、条件列表以及免责声明，以遵守TCG的版权政策。这意味着任何基于此源代码的修改或扩展都必须遵循相同的开放源码原则。 TPM 2.0 Part 3 为开发者提供了实现TPM功能的关键信息，是构建和设计支持TPM 2.0的系统时不可或缺的技术参考。结合Part 2和Part 4，可以全面理解TPM的预期行为和实现细节。

Trusted Platform Module Library Part 3: Commands

Family “2.0” TCG Published Page 2

4 Notation

4.1 Introduction

For the purposes of this document, the notation given in TPM 2.0 Part 1 applies.

Command and response tables use various decorations to indicate the fields of the command and the

allowed types. These decorations are described in this clause.

4.2 Table Decorations

The symbols and terms in the Notation column of Table 1 are used in the tables for the command

schematics. These values indicate various qualifiers for the parameters or descriptions with which they

are associated.

Table 1 — Command Modifiers and Decoration

Notation

Meaning

A Type decoration – When appended to a value in the Type column of a command, this symbol

indicates that the parameter is allowed to use the “null” value of the data type (see "Conditional

Types" in TPM 2.0 Part 2). The null value is usually TPM_RH_NULL for a handle or

TPM_ALG_NULL for an algorithm selector.

A Name decoration – When this symbol precedes a handle parameter in the “Name” column, it

indicates that an authorization session is required for use of the entity associated with the handle.

If a handle does not have this symbol, then an authorization session is not allowed.

+PP

A Description modifier – This modifier may follow TPM_RH_PLATFORM in the “Description”

column to indicate that Physical Presence is required when platformAuth/platformPolicy is

provided.

+{PP}

A Description modifier – This modifier may follow TPM_RH_PLATFORM to indicate that Physical

Presence may be required when platformAuth/platformPolicy is provided. The commands with this

notation may be in the setList or clearList of TPM2_PP_Commands().

{NV}

A Description modifier – This modifier may follow the commandCode in the “Description” column

to indicate that the command may result in an update of NV memory and be subject to rate

throttling by the TPM. If the command code does not have this notation, then a write to NV

memory does not occur as part of the command actions.

NOTE Any command that uses authorization may cause a write to NV if there is an authorization

failure. A TPM may use the occasion of command execution to update the NV copy of clock.

{F}

A Description modifier – This modifier indicates that the “flushed” attribute will be SET in the

TPMA_CC for the command. The modifier may follow the commandCode in the “Description”

column to indicate that any transient handle context used by the command will be flushed from the

TPM when the command completes. This may be combined with the {NV} modifier but not with the

{E} modifier.

EXAMPLE 1 {NV F}

EXAMPLE 2 TPM2_SequenceComplete() will flush the context associated with the sequenceHandle.

{E}

A Description modifier – This modifier indicates that the “extensive” attribute will be SET in the

TPMA_CC for the command. This modifier may follow the commandCode in the “Description”

column to indicate that the command may flush many objects and re-enumeration of the loaded

context likely will be required. This may be combined with the {NV} modifier but not with the {F}

modifier.

EXAMPLE 1 {NV E}

EXAMPLE 2 TPM2_Clear() will flush all contexts associated with the Storage hierarchy and the

Endorsement hierarchy.

Trusted Platform Module Library Part 3: Commands

Family “2.0” TCG Published Page 3

Notation

Meaning

Auth Index:

A Description modifier – When a handle has a “@” decoration, the “Description” column will

contain an “Auth Index:” entry for the handle. This entry indicates the number of the authorization

session. The authorization sessions associated with handles will occur in the session area in the

order of the handles with the “@” modifier. Sessions used only for encryption/decryption or only for

audit will follow the handles used for authorization.

Auth Role:

A Description modifier – This will be in the “Description” column of a handle with the “@”

decoration. It may have a value of USER, ADMIN or DUP.

If the handle has the Auth Role of USER and the handle is an Object, the type of authorization is

determined by the setting of userWithAuth in the Object's attributes. If the handle is

TPM_RH_OWNER, TPM_RH_ENDORSEMENT, or TPM_RH_PLATFORM, operation is as if

userWithAuth is SET. If the handle references an NV Index, then the allowed authorizations are

determined by the settings of the attributes of the NV Index as described in TPM 2.0 Part 2,

"TPMA_NV (NV Index Attributes)."

If the Auth Role is ADMIN and the handle is an Object, the type of authorization is determined by

the setting of adminWithPolicy in the Object's attributes. If the handle is TPM_RH_OWNER,

TPM_RH_ENDORSEMENT, or TPM_RH_PLATFORM, operation is as if adminWithPolicy is SET.

If the handle is an NV index, operation is as if adminWithPolicy is SET (see 5.6 e)2)).

If the DUP role is selected, authorization may only be with a policy session (DUP role only applies

to Objects).

When either ADMIN or DUP role is selected, a policy command that selects the command being

authorized is required to be part of the policy.

EXAMPLE TPM2_Certify requires the ADMIN role for the first handle (objectHandle). The policy

authorization for objectHandle is required to contain

TPM2_PolicyCommandCode(commandCode == TPM_CC_Certify). This sets the state of the

policy so that it can be used for ADMIN role authorization in TPM2_Certify().

Trusted Platform Module Library Part 3: Commands

Family “2.0” TCG Published Page 4

Handle and Parameter Demarcation

The demarcations between the header, handle, and parameter parts are indicated by:

Table 2 — Separators

Separator

Meaning

the values immediately following are in the handle area

the values immediately following are in the parameter area

4.3 AuthorizationSize and ParameterSize

Authorization sessions are not shown in the command or response schematics. When the tag of a

command or response is TPM_ST_SESSIONS, then a 32-bit value will be present in the

command/response buffer to indicate the size of the authorization field or the parameter field. This value

shall immediately follow the handle area (which may contain no handles). For a command, this value

(authorizationSize) indicates the size of the Authorization Area and shall have a value of 9 or more. For a

response, this value (parameterSize) indicates the size of the parameter area and may have a value of

zero.

If the authorizationSize field is present in the command, parameterSize will be present in the response,

but only if the responseCode is TPM_RC_SUCCESS.

When authorization is required to use the TPM entity associated with a handle, then at least one session

will be present. To indicate this, the command tag Description field contains TPM_ST_SESSIONS.

Addional sessions for audit, encrypt, and decrypt may be present.

When the command tag Description field contains TPM_ST_NO_SESSIONS, then no sessions are

allowed and the authorizationSize field is not present.

When a command allows use of sessions when not required, the command tag Description field will

indicate the types of sessions that may be used with the command.

4.4 Return Code Alias

For the RC_FMT1 return codes that may add a parameter, handle, or session number, the prefix

TPM_RCS_ is an alias for TPM_RC_.

TPM_RC_n is added, where n is the parameter, handle, or session number. In addition, TPM_RC_H is

added for handle, TPM_RC_P for parameter, and TPM_RC_S for session errors.

NOTE TPM_RCS_ is a programming convention. Programmers should only add numbers to

TPM_RCS_ return codes, never TPM_RC_ return codes. Only return codes that can have a

number added have the TPM_RCS_ alias defined. Attempting to use a TPM_RCS_ return code

that does not have the TPM_RCS_ alias will cause a compiler error.

EXAMPLE 1 Since TPM_RC_VALUE can have a number added, TPM_RCS_VALUE is defined. A

program can use the construct "TPM_RCS_VALUE + number". Since TPM_RC_SIGNATURE

cannot have a number added, TPM_RCS_SIGNATURE is not defined. A program using the

construct "TPM_RCS_SIGNATURE + number" will not compile, alerting the programmer that the

construct is incorrect.

By convention, the number to be added is of the form RC_CommandName_ParameterName where

CommmandName is the name of the command with the TPM2_ prefix removed. The parameter name

alone is insufficient because the same parameter name could be in a different position in different

commands.

Trusted Platform Module Library Part 3: Commands

Family “2.0” TCG Published Page 5

EXAMPLE 2 TPM2_HMAC_Start with parameters that result in TPM_ALG_NULL as the hash algorithm will

returns TPM_RC_VALUE plus the parameter number. Since hashAlg is the second parameter,

This code results:

#define RC_HMAC_Start_hashAlg (TPM_RC_P + TPM_RC_2)

return TPM_RCS_VALUE + RC_HMAC_Start_hashAlg;

5 Command Processing

5.1 Introduction

This clause defines the command validations that are required of any implementation and the response

code returned if the indicated check fails. Unless stated otherwise, the order of the checks is not

normative and different TPM may give different responses when a command has multiple errors.

In the description below, some statements that describe a check may be followed by a response code in

parentheses. This is the normative response code should the indicated check fail. A normative response

code may also be included in the statement.

5.2 Command Header Validation

Before a TPM may begin the actions associated with a command, a set of command format and

consistency checks shall be performed. These checks are listed below and should be performed in the

indicated order.

The TPM shall successfully unmarshal a TPMI_ST_COMMAND_TAG and verify that it is either

TPM_ST_SESSIONS or TPM_ST_NO_SESSIONS (TPM_RC_BAD_TAG).

The TPM shall successfully unmarshal a UINT32 as the commandSize. If the TPM has an interface

buffer that is loaded by some hardware process, the number of octets in the input buffer for the

command reported by the hardware process shall exactly match the value in commandSize

(TPM_RC_COMMAND_SIZE).

NOTE A TPM may have direct access to system memory and unmarshal directly from that memory.

The TPM shall successfully unmarshal a TPM_CC and verify that the command is implemented

(TPM_RC_COMMAND_CODE).

5.3 Mode Checks

The following mode checks shall be performed in the order listed:

If the TPM is in Failure mode, then the commandCode is TPM_CC_GetTestResult or

TPM_CC_GetCapability (TPM_RC_FAILURE) and the command tag is TPM_ST_NO_SESSIONS

(TPM_RC_FAILURE).

NOTE 1 In Failure mode, the TPM has no cryptographic capability and processing of sessions is not

supported.

The TPM is in Field Upgrade mode (FUM), the commandCode is TPM_CC_FieldUpgradeData

(TPM_RC_UPGRADE).

If the TPM has not been initialized (TPM2_Startup()), then the commandCode is TPM_CC_Startup

(TPM_RC_INITIALIZE).

NOTE 2 The TPM may enter Failure mode during _TPM_Init processing, before TPM2_Startup(). Since

the platform firmware cannot know that the TPM is in Failure mode without accessing it, and

since the first command is required to be TPM2_Startup(), the expected sequence will be that

Trusted Platform Module Library Part 3: Commands

Family “2.0” TCG Published Page 6

platform firmware (the CRTM) will issue TPM2_Startup() and receive TPM_RC_FAILURE

indicating that the TPM is in Failure mode.

There may be failures where a TPM cannot record that it received TPM2_Startup(). In those

cases, a TPM in failure mode may process TPM2_GetTestResult(), TPM2_GetCapability(), or

the field upgrade commands. As a side effect, that TPM may process TPM2_GetTestResult(),

TPM2_GetCapability() or the field upgrade commands before TPM2_Startup().

This is a corner case exception to the rule that TPM2_Startup() must be the first command.

The mode checks may be performed before or after the command header validation.

5.4 Handle Area Validation

After successfully unmarshaling and validating the command header, the TPM shall perform the following

checks on the handles and sessions. These checks may be performed in any order.

NOTE 1 A TPM is required to perform the handle area validation before the authorization checks because an

authorization cannot be performed unless the authorization values and attributes for the referenced

entity are known by the TPM. For them to be known, the referenced entity must be in the TPM and

accessible.

The TPM shall successfully unmarshal the number of handles required by the command and validate

that the value of the handle is consistent with the command syntax. If not, the TPM shall return

TPM_RC_VALUE.

NOTE 2 The TPM may unmarshal a handle and validate that it references an entity on the TPM before

unmarshaling a subsequent handle.

NOTE 3 If the submitted command contains fewer handles than required by the syntax of the command,

the TPM may continue to read into the next area and attempt to interpret the data as a handle.

For all handles in the handle area of the command, the TPM will validate that the referenced entity is

present in the TPM.

1) If the handle references a transient object, the handle shall reference a loaded object

(TPM_RC_REFERENCE_H0 + N where N is the number of the handle in the command).

NOTE 4 If the hierarchy for a transient object is disabled, then the transient objects will be flushed

so this check will fail.

2) If the handle references a persistent object, then

i) the hierarchy associated with the object (platform or storage, based on the handle value) is

enabled (TPM_RC_HANDLE);

ii) the handle shall reference a persistent object that is currently in TPM non-volatile memory

(TPM_RC_HANDLE);

iii) if the handle references a persistent object that is associated with the endorsement hierarchy,

that the endorsement hierarchy is not disabled (TPM_RC_HANDLE); and

NOTE 5 The reference implementation keeps an internal attribute, passed down from a primary

key to its descendents, indicating the object's hierarchy.

iv) if the TPM implementation moves a persistent object to RAM for command processing then

sufficient RAM space is available (TPM_RC_OBJECT_MEMORY).

3) If the handle references an NV Index, then

i) an Index exists that corresponds to the handle (TPM_RC_HANDLE); and

ii) the hierarchy associated with the existing NV Index is not disabled (TPM_RC_HANDLE).

剩余410页未读，继续阅读

yangzhishui_qilu

粉丝: 0
资源: 23

TPM 2.0命令规范详解

TPM学习资料.zip

A Practical Guide to TPM 2.0 Using the Trusted Platform Module

TPM2.0.rar

tpm-rev-2.0-part-3-commands-01.38.pdf

TPM-Rev-2.0-Part-4-Supporting-Routines-01.38.pdf

tpm-tools-1.2.5.1.tar.gz_linux_tpm 1_tpm-tools_tpm-tools-1.2.5.1

TPM-Main-Part-3-Commands_v1.2_rev116_01032011.pdf

tpm2-utils:用于TPM 2.0设备Linux实用程序

tpm-tools-1.3.1.tar.gz_linux tpm_tpm_tpm tools_tpm-tools-1.3_tru

tpm-tools-devel-1.3.9.2-1.el8.aarch64.rpm

最新资源